This is ThreatGeek's Typepad Profile.
Recent Activity
Nviso Labs recently published a fascinating blog post illustrating the use of the Lua programming language over the Suricata DPI engine to detect obfuscations in PDF files. Deep analysis of content seen on networks is a topic close to our heart at Fidelis Cybersecurity. After reading that post, we decided to investigate how we could implement this detection by creating a rule in the Yara content scanning engine within one of our own products. This blog walks you through our logic and shows how trivial it is to apply it to PDF content in network traffic.
Analysis
First, a bit...
Posted yesterday at Threat Geek
Every day, attackers tunnel under, sneak through, go around, go over and squeeze past your security technologies. While you’re armed with more security tools than you can count, most of them are hiding a dirty little secret: They actually create more work for people, not less. Security teams are inundated by alerts indicating potential incidents. These products don't come with job requisitions. They do come with alert overload. Defenders are often unable to quickly validate whether an alert is real or not, mostly because they receive little context – aka useful insight – from each alert. Without context, it’s a...
Posted Mar 15, 2017 at Threat Geek
Many research teams have reported on their observations of exploits involving the use of the Apache Struts vulnerability CVE-2017-5638 since Cisco Talos published their post on Wednesday March 8. Fidelis Cybersecurity Threat Research is also seeing widespread activity and, contrary to some reporting, we're not seeing any reduction in scanning over the course of the day. Apache Struts 2 is an open-source development framework for Java web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model–view–controller (MVC) architecture. Apache Struts 2 is used to build websites by a wide variety of organizations. Even as...
Posted Mar 11, 2017 at Threat Geek
There’s a reason why airport security x-rays your bags. It’s because the only way you can tell if something is a true threat is to actually look at the contents. It’s the same with network security. The only way to prevent modern intrusions is to actually inspect the content on your network in real time…which brings us to the first requirement for stopping modern intrusions.
Requirement #1: Deep Visibility into Network Content (Not Just Packets) in Real Time
As we pointed out in the first blog post in this series (“Would You Re-Hire Your IPS Today?”), the vast majority of...
Posted Mar 9, 2017 at Threat Geek
Modern messaging apps, many of which offer end-to-end encryption, are used every day by millions of people. These apps come with the expectation of privacy. However, we recently observed an interesting operational security issue involving one such popular messaging app, Telegram. We're posting our observations to alert users of this app to potential privacy concerns.
Changing Scammer Tactics
Relentless calls from telemarketing scammers are a bane of existence in modern life. Whether it's the "can you hear me now" scam, fake charity scams, or fake tech support scams, the pace of attacks on consumers is relentless. The problem is particularly...
Posted Mar 2, 2017 at Threat Geek
Downloaders and droppers (aka malware that delivers other malware) have been forced to live in the shadow of more famous stages of the exploit kit chain, like landing pages or the malware that's eventually dropped. One reason they are often overlooked and not analyzed as often is because they typically (and conveniently) wipe themselves from compromised hosts once they completely deliver their malicious payload. But don't mistake the lack of attention for lack of importance. Downloaders and droppers play a vital role in the web exploitation ecosystem. They're often used across multiple exploit kits and they are effective at delivering...
Posted Feb 9, 2017 at Threat Geek
We're counting down the last few days to RSA 2017. As you pack your suitcase and map out your schedule, plan on joining us for a demo at Booth #933. Stop by and say hello and grab your limited edition t-shirt. Here’s a quick rundown on where you can find us:
RSA 2017 EXPO: Join Fidelis Cybersecurity at Booth #933, South Hall, at San Francisco’s Moscone Center, February 14 - 16. See a full listing of Fidelis’ RSA activities.
AGC’s 2017 INFORMATION SECURITY & BROADER TECHNOLOGY GROWTH CONFERENCE: At 2:00 pm on February 13, Fidelis President and CEO Peter George...
Posted Feb 8, 2017 at Threat Geek
Producers of the 1995 James Bond film “GoldenEye” packed the plot with all the signature elements fans expect from the successful franchise. Over-the-top supervillain – check. Cool spy gadgets – check. Exotic locations – check. And, of course, 007 saves the day. The film was also slightly ahead of its time. The internet, computers and cyberespionage all factor into the plot. In the movie, a criminal element called Janus conspires to steal vast sums of money from the Bank of England. To cover their tracks and spark a global financial meltdown, they plan to knock out the planet’s electronics and...
Posted Feb 2, 2017 at Threat Geek
What does 2017 hold for security professionals and the industry as a whole? To answer this question, let’s take a quick look at what has not changed. For one, ransomware continues to be an effective extortion tool for attackers. They’re constantly honing their ability to use backdoors and rootkits to gain access. Across the board, attackers continue to create new variants of the same malware family. When they find an effective approach, they will continue to exploit it until security experts stop them. Only then do attackers move on to something different. Yet the new year also brings new challenges...
Posted Jan 26, 2017 at Threat Geek
Earlier this month, security news media reported attackers holding internet-exposed MongoDB and Elasticsearch databases for ransom. Attackers said they’d return the data if they got paid -- otherwise, the data would be erased. In many reported instances, attackers simply deleted the data. Unfortunately, more attacks are underway. Last week, Fidelis Cybersecurity Threat Research observed similar attacks on Internet-facing Hadoop Distributed File System (HDFS) installations. Like the MongoDB and Elasticsearch incidents, attackers would erase all the data on the system. To make matters worse, we confirmed additional attacks on HDFS instances worldwide. For these events, attackers are leveraging a logical blend...
Posted Jan 18, 2017 at Threat Geek
Security got the boring end of the stick when names for the generations were handed out. Instead of Millennials, Gen X, Baby Boomers or the Greatest Generation, we're stuck with "Next Gen." What comes after "Next Gen"? And where were the creative minds hiding when we needed them most? In this post, I’m going to focus on a sliver of the next-gen security stack that we get asked about every day. Specifically, where do next-gen firewalls stop and where do next-gen IPSs pick up the baton? But first, to understand next-gen security we need to take a quick trip down...
Posted Dec 1, 2016 at Threat Geek
There are two types of runners: long-distance runners and sprinters. Everything about them is different. Sprinters are built for power while marathoners are built for endurance. But what if you could break the mold and find all of those capabilities in a single athlete? Endpoint detection and response (EDR) tools have faced a similar conundrum. Vendors have historically forced users to choose between architectures that were optimized for one activity at the expense of others. In short, the choices have been:
Optimize for Speed: These tools generally use a peer-to-peer architecture that enables endpoints to communicate with each other. The...
Posted Nov 30, 2016 at Threat Geek
In Part 1 of this series we asked the question: Would you re-hire your IPS if you interviewed it today? But it’s not a totally fair question. Because, before you hire someone (or in this case buy something) it’s pretty obvious that you need a deep and thorough understanding of what the job entails. Otherwise, frustration, handwringing, and assorted HR crises will emerge. So, we pose this question to you: Can you even remember why you bought your IPS in the first place? It seems like a self-answering question for a product whose name, after all, is an Intrusion Prevention...
Posted Nov 15, 2016 at Threat Geek
Vawtrak, a.k.a. Neverquest, has been a prominent trojan in the banking world and numerous researchers have reported their findings about this malware. In August 2016, we blogged about the addition of a DGA to the banking trojan known as Vawtrak. The actors behind Vawtrak reacted to this attention by adjusting their tactics - enough to warrant a change in their DGA implementation. On November 9, 2016 the Threat Research Team at Fidelis Cybersecurity noticed a Vawtrak sample that appeared to be using an updated implementation of the DGA routine. The sample we analyzed was delivered by using Hancitor embedded in...
Posted Nov 12, 2016 at Threat Geek
Commodity Remote Access Trojans (RATs) -- which are designed, productized and sold to the casual and experienced hacker alike -- put powerful remote access capabilities into the hands of criminals. RATs, such as H-W0rm, njRAT, KilerRAT, DarkComet, Netwire, XtremeRAT, JSocket/AlienSpy/Adwind and others, hold special interest for the Threat Research Team at Fidelis Cybersecurity. We're constantly following, detecting and monitoring the lifecycle of these RATs as they appear, disappear and often reappear under a new moniker. There have been recent reports [1, 2] about a new version of one such commodity RAT, H-W0rm (Hworm), and the various campaigns it is being...
Posted Nov 9, 2016 at Threat Geek
Metadata gathered from your network can be a powerful ally in the battle against cyberattacks. In fact, you can do seemingly impossible things with the right metadata. In Part 1, we explored how metadata can help you spot phishing emails, find man-in-the-middle attacks, locate weak encryption and more. In Part 2, we take a look at five more seemingly impossible tasks. If these examples sound interesting, watch the webinar I recently did with Hardik Modi, our VP of Threat Research: 3 Ways to Reduce Detection Time from Months to Minutes.
Impossible Task #6. See lateral movement within the network.
If...
Posted Oct 31, 2016 at Threat Geek
Bloomberg reporter Jordan Robertson recently sat down with Fidelis Cybersecurity Senior VP Mike Buratowski to discuss the malware and other data that attackers used to pull off the breach of the Democratic National Committee’s (DNC) servers. By examining the clues the attackers left behind, Mike explains how it's possible to attribute the attacks to a specific group of nation-state actors. Listen to Bloomberg Technology’s Decrypted Podcast and get the full story. Want to learn more? Read our analysis of the DNC intrusion malware.
Posted Oct 27, 2016 at Threat Geek
Network Intrusion Prevention Systems have been a mainstay of the network security stack for well over a decade. When they first entered the mainstream in the early 2000s, the iPhone hadn't been invented. We were still in the age of the PalmPilot (anyone remember using that stylus?). But, at the time, IPSs represented real innovation. They were a welcome departure from the classic firewall, which was limited by its primitive accept-and-deny rules that were inadequate for the more sophisticated attacks to come. IPSs were a breath of fresh air. They came with new detection languages, like Snort. They could operate...
Posted Oct 26, 2016 at Threat Geek
Deception and crime go hand in hand. But knowing when you’re being deceived means you need to think like the bad guys and know what to look for. There are three elements of deception. To see these elements in action, we need look no further than a few notable cases -- including the alleged Russian state actors behind the DNC and DCCC breaches as they continue to dump documents intended to influence the upcoming U.S. election. Let’s take a look at the three elements of effective deception.
1. Plan and Prepare
The key is to create a storyline that’s mostly...
Posted Oct 25, 2016 at Threat Geek
Metadata is data that describes other data. And while it may not sound sexy, metadata gathered from your network can be a powerful ally in the battle against cyberattacks.
Posted Oct 17, 2016 at Threat Geek
In November 2015, the Dyre banking trojan seemingly disappeared overnight, surprising security researchers worldwide. Months later it was announced that Russian authorities had arrested most of the gang responsible for its operations. Prior to that, it was a relatively rare act for Russian authorities to take action in such matters. Since then, nothing has been heard from those actors, but the speculation was that some of the programmers and other elements of the criminal operation would be subsumed into other cybercriminal operations. In September 2016, Fidelis Cybersecurity was alerted to a new malware bot calling itself TrickBot that we believe has...
Posted Oct 15, 2016 at Threat Geek
For several years now, the Vawtrak trojan has been targeting banking and financial institutions, most recently in Canada as reported last week. The Fidelis Threat Research team recently analyzed a new variant of Vawtrak using HTTPS for C2 communications. Given what we've seen previously with Vawtrak, simply switching to HTTPS is not a major update in terms of development -- but it does show that the threat actors are interested in protecting their C2 communications. Here are some significant updates to Vawtrak: The malware now includes a DGA. Interestingly, it utilizes a pseudorandom number generator (PRNG) used in Vawtrak's loader....
Posted Aug 16, 2016 at Threat Geek
Fidelis Cybersecurity is proud to support the Wall of Sheep (WoS) at Def Con 2016, but this Wall needs to come down. Over the past several years, it's been standing-room only for WoS participants. This year's event promises to be even more spectacular. For those who need background, the 'sheep' on this wall are users whose internet traffic reveals their credentials (user names and passwords) passed in the clear, for prying eyes to see. The exercise starts as users sign on to the conference’s free wireless network. A copy of that traffic is given to participants whose job is to...
Posted Aug 2, 2016 at Threat Geek
Following news reports that the Democratic Congressional Campaign Committee (DCCC) was breached via a spoofed donation website, the ThreatConnect Research team and Fidelis Cybersecurity teamed up to collaborate and take a look at the associated domain to ferret out additional details on the activity. The initial indications from the DCCC breach suggest FANCY BEAR pawprints based on the following: First, the registrant - fisterboks@email[.]com - behind the spoofed domain actblues[.]com has registered three other domains, all of which have been linked to FANCY BEAR by German Intelligence (BfV). Second, the timing is consistent with an adversary reacting to heightened focus...
Posted Aug 1, 2016 at Threat Geek
We're counting down the last few days to Black Hat USA 2016. As you pack your suitcase and map out your schedule, plan on joining a meetup, seeing a demo or hitting us up for swag at the Fidelis Networking Lounge (aka Booth #1116). We can’t promise unicorns and narwhals, but we will have cool t-shirts, pinball and comfy chairs. Here’s a quick rundown on where you can find us:
TECHNOLOGY & FREEWARE: At Black Hat, we’re debuting no-cost tools to help the security community stop attacks and prevent data theft. New resources include the Barncat™ Intelligence Database, the ThreatScanner™...
Posted Jul 28, 2016 at Threat Geek