More stories

  • InfoSec partners with Coursera for cybersecurity training

    Coursera and InfoSec are joining forces on a new slate of cybersecurity-focused courses, giving the site’s estimated 82 million users access to classes on cybersecurity management, digital forensics, secure coding and incident response. 

    The InfoSec courses are available now and include Cyber Incident Response, Credential Access, Discovery, Lateral Movement, and Collection, Python for Command-And-Control, Exfiltration, and Impact, and more. In a statement, InfoSec said it would be rolling out more specialized classes over the next few months. Jack Koziol, Infosec CEO and founder, said it was imperative for the cybersecurity industry to constantly offer new courses and educational opportunities as the threat landscape evolves.

    “We partnered with Coursera to expand our reach and help individuals, businesses and governments stay ahead of cyber threats,” Koziol said. “We’re excited to help even more professionals develop the knowledge and skills critical to success in any cyber role, while accelerating job-readiness for aspiring cybersecurity professionals.”

    InfoSec currently has its own platform for technical skills development with more than 1,200 resources covering “hands-on cyber ranges, projects and courses mapped to the NICE Workforce Framework for Cybersecurity and MITRE ATT&CK Framework,” the company said in a release. In addition, the site offers boot camps and certifications for those looking to improve their skills or upskill.

    Coursera chief content officer Betty Vandenbosch said cybersecurity has become an issue that affects everyone, adding that consumers are now demanding better protection of their data from the organizations they frequent. But the demand for more stringent data protection from consumers comes at a time when the cybersecurity industry is facing a severe shortage of talent. Vandenbosch said providing flexible online learning programs from InfoSec would help those looking to break into the industry or stay up to date with the latest cyber threats, technologies and best practices.

  • This is how long hackers will hide in your network before deploying ransomware or being spotted

    Cyberattackers on average have 11 days after breaching a target network before they’re detected, according to UK security firm Sophos – and often when they are spotted it’s because they’ve deployed ransomware. As Sophos researchers note in a new report, that’s more than enough time for an attacker to get a thorough overview of what a target network looks like, where its weaknesses lie, and for ransomware attackers to wreck it.

    Sophos’ data, based on its responses to customer incidents, suggests a much shorter “dwell time” for attackers than data from FireEye’s incident response team, Mandiant, recently reported. Mandiant said the median time-to-detection was 24 days, which was an improvement on previous years. Sophos explains the relatively short dwell time in its incident response data is because a whopping 81% of incidents it helped customers with involved ransomware — a noisy attack that immediately triggers alarms for tech departments. So, while shorter dwell times might indicate an improvement in so-called security posture, it might also be just because file-encrypting ransomware is a disruptive attack compared to data theft.

    “To put this in context, 11 days potentially provide attackers with approximately 264 hours for malicious activity, such as lateral movement, reconnaissance, credential dumping, data exfiltration, and more. Considering that some of these activities can take just minutes or a few hours to implement, 11 days provide attackers with plenty of time to do damage,” notes Sophos in its Active Adversary Playbook 2021 report.

    The vast majority of incidents Sophos responded to were ransomware attacks, suggesting the scale of the problem. Other attacks include stealing data, cryptominers, banking trojans, data wipers, and the use of penetration testing tools like Cobalt Strike. Another notable point is the widespread use by attackers of Remote Desktop Protocol (RDP), with about 30% of attacks starting with RDP and 69% of subsequent activity being conducted with RDP. Phishing, on the other hand, was the entry point for just 12% of attacks, while 10% of attacks involved exploiting an unpatched system.

    Attacks on RDP endpoints have long been used to initiate ransomware attacks and are far more common than exploits against VPNs. Several security firms ranked RDP as the top intrusion vector for ransomware incidents in 2020. Security firm ESET reported remote working had seen a nearly 800% spike in RDP attacks in 2020.

    “RDP played a part in 90% of attacks. However, the way in which attackers used RDP is worth noting. In incidents that involved RDP, it was used for external access only in just 4% of cases. Around a quarter (28%) of attacks showed attackers using RDP for both external access and internal movement, while in 41% of cases, RDP was used only for internal lateral movement within the network,” Sophos threat researchers note.

    Sophos also compiled a list of the most widely observed ransomware groups. DarkSide, a newish but professional ransomware service provider that started activity in mid-2020, only accounted for 3% of cases Sophos investigated through 2020. It’s in the spotlight because of the attack on Colonial Pipeline, which reportedly paid $5 million to the group. DarkSide offers its ransomware as a service to other criminal groups who distribute the ransomware, much like the REvil ransomware gang does. REvil was in the spotlight last year because of attacks on government and healthcare targets plus for its high ransom demands that averaged about $260,000. According to Sophos, REvil (aka Sodinokibi) was the most active ransomware threat in 2020 along with Ryuk, which, according to some estimates, has earned $150 million through ransomware. Other significant ransomware players include Dharma, Maze (defunct), Ragnarok, and Netwalker (defunct).

    US president Joe Biden last week said he discussed the Colonial ransomware attack with Moscow, and suggested Russia should take “decisive action” against these attackers. The US believes DarkSide is based in Russia but not connected to the Russian government. “We have been in direct communication with Moscow about the imperative for responsible countries to take decisive action against these ransomware networks,” said Biden on May 13.
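    The Sophos figures above single out RDP as both the entry point and the internal transport in most of the incidents it handled. The following Python script is an added example, not part of the Sophos report or this article, showing one way a defender would hunt for that pattern in Windows Security log 4624 events: a RemoteInteractive (Logon Type 10) source that fans out to several hosts within a short window, or an RDP source outside the internal address ranges. The events, the internal ranges and the host names are constructed sample data.

```python
"""Flag RDP-driven lateral movement in Windows Security 4624 logon events.

Added example (not from the Sophos report): the report says RDP started
about 30% of attacks and carried most subsequent internal movement, so this
looks for RemoteInteractive logons (Logon Type 10) where one source/user
pair fans out to several hosts in a short window, or where the source
address lies outside the organisation's internal ranges. All events below
are constructed sample data, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumed internal address space; adjust to the real environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed 4624 events: logon_type 10 is RDP (RemoteInteractive), 3 is a plain network logon.
SAMPLE_EVENTS = [
    {"time": "2021-05-10T02:01:00", "event_id": 4624, "logon_type": 10, "user": "CORP\\jsmith", "src_ip": "10.0.5.23", "dst_host": "FS01"},
    {"time": "2021-05-10T02:05:00", "event_id": 4624, "logon_type": 10, "user": "CORP\\jsmith", "src_ip": "10.0.5.23", "dst_host": "DC01"},
    {"time": "2021-05-10T02:09:00", "event_id": 4624, "logon_type": 10, "user": "CORP\\jsmith", "src_ip": "10.0.5.23", "dst_host": "SQL01"},
    {"time": "2021-05-10T02:12:00", "event_id": 4624, "logon_type": 10, "user": "CORP\\jsmith", "src_ip": "10.0.5.23", "dst_host": "WS-HR-07"},
    {"time": "2021-05-10T03:15:00", "event_id": 4624, "logon_type": 10, "user": "CORP\\svc_backup", "src_ip": "203.0.113.9", "dst_host": "FS01"},
    {"time": "2021-05-10T09:30:00", "event_id": 4624, "logon_type": 10, "user": "CORP\\mlee", "src_ip": "10.0.7.44", "dst_host": "WS-HR-07"},
    {"time": "2021-05-10T09:31:00", "event_id": 4624, "logon_type": 3, "user": "CORP\\mlee", "src_ip": "10.0.7.44", "dst_host": "FS01"},
]


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_events(raw):
    """Convert ISO timestamps to datetime and keep only RDP (type 10) logons, oldest first."""
    rdp = [dict(e, time=datetime.fromisoformat(e["time"]))
           for e in raw if e["event_id"] == 4624 and e["logon_type"] == 10]
    return sorted(rdp, key=lambda e: e["time"])


def rdp_lateral_movement(events, window=timedelta(minutes=30), fanout_threshold=3):
    """Return findings for external RDP sources and for internal RDP fan-out."""
    findings = []

    # 1. RDP straight from outside the internal ranges: the "external access" case.
    reported = set()
    for e in events:
        if not is_internal(e["src_ip"]) and e["src_ip"] not in reported:
            reported.add(e["src_ip"])
            findings.append({"kind": "external_rdp_source", "src_ip": e["src_ip"],
                             "user": e["user"], "hosts": [e["dst_host"]]})

    # 2. Fan-out: one (source, user) pair reaching >= threshold distinct hosts inside the window.
    by_source = defaultdict(list)
    for e in events:
        by_source[(e["src_ip"], e["user"])].append(e)
    for (src, user), evs in by_source.items():
        for i, start in enumerate(evs):
            hosts = []
            for e in evs[i:]:
                if e["time"] - start["time"] > window:
                    break
                if e["dst_host"] not in hosts:
                    hosts.append(e["dst_host"])
            if len(hosts) >= fanout_threshold:
                findings.append({"kind": "rdp_fanout", "src_ip": src, "user": user, "hosts": hosts})
                break  # one finding per source/user pair is enough for triage
    return findings


if __name__ == "__main__":
    for f in rdp_lateral_movement(parse_events(SAMPLE_EVENTS)):
        print(f"{f['kind']:20} {f['user']:16} from {f['src_ip']:13} -> {', '.join(f['hosts'])}")
```

    On the constructed sample this reports the `jsmith` session hopping across four hosts in eleven minutes and the backup account logging in over RDP from an address outside the internal ranges, while the single RDP logon by `mlee` stays quiet. The window and threshold are deliberately parameters: an admin workstation that legitimately touches many servers needs a higher threshold or an allow-list, otherwise the rule pages on every patch night.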

  • Top 10 threat detections seen across Microsoft Azure AD and Office 365

    A new report from cybersecurity company Vectra highlights the top 10 threats customers face when using Microsoft Azure AD and Office 365. 

    The list in the “2021 Q2 Spotlight Report: Top 10 Threat Detections for Microsoft Azure AD and Office 365” is topped by O365 risky exchange operations, Azure AD suspicious operations, and O365 suspicious download activity. Between January and March, Vectra saw a startling increase in detections centered on attackers trying to manipulate Exchange in order to gain access to specific data or further attack progression. More than 70% of Vectra’s customers triggered that detection per week, according to their data. More than 60% of Vectra customers also triggered weekly detections of abnormal Azure AD operations, meaning cyberattackers may be escalating privileges and performing admin-level operations after regular account takeover.

    O365 accounts downloading unusual numbers of objects was also high on the list of detections caught weekly, followed by other issues with O365 related to suspicious sharing activity and external team access. Other commonly seen detections by Vectra include administrative privileges being assigned to redundant accounts or suspicious mail forwarding. The study notes that many of the functions being targeted are used to share files and access with other users within a company, making it difficult to defend as more people work from home and have no choice but to share files digitally.

    There were some differences with the kind of detection trends noticed at small, medium, and large companies. While smaller organizations dealt with more O365 risky exchange operations, Azure AD suspicious operations, and O365 suspicious download activity, larger entities had to face more O365 suspicious Power Automate flow creation detections as well as more suspicious mail forwarding and external team activity in O365.

    Overall, larger companies generally triggered fewer detections, and researchers with Vectra surmised that users and administrators from larger companies may “perform Office 365 and Azure AD activity more consistently compared to smaller organizations.” But larger companies also had to face more Office 365 DLL hijacking, Office 365 unusual scripting engine attacks, and Office 365 suspicious eDiscovery exfils, the report notes. The study also includes a detailed breakdown of how the SolarWinds backdoor was being leveraged by attackers.

    Cybersecurity experts have attributed much of the report’s findings to the massive shift to remote work that took place in 2020 due to the pandemic. There are over 250 million active Microsoft Office 365 users, and AppOmni CEO Brendan O’Connor said the pandemic exposed how seriously undermanned teams are when it comes to cybersecurity. “When enterprises shifted to a virtual and remote workforce, organizations had to quickly shift business applications and data to the cloud. IT staff can no longer gain the little benefit they had from network segmentation afforded by traditional office networks,” he said. “With traditional security measures completely removed from the equation, IT staff struggled to implement necessary measures to ensure the safety of data in the cloud. The rapid adoption of SaaS exposed not only the lack of general cybersecurity expertise but also the lack of expertise in SaaS to leverage the built-in security measures effectively.”
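    The Vectra report names “suspicious mail forwarding” among the detections customers trigger every week without saying what the signal looks like. The Python script below is an added example, not from Vectra or this article, of the simplest concrete version of that detection: read Office 365 Unified Audit Log records and flag any inbox rule or mailbox setting whose destination is a domain the tenant does not own, with a note when the rule also deletes the original so the mailbox owner never sees it. The audit records, the tenant domain `corp.example` and the `scan_log` / `external_forwarding` helpers are constructed for the example.

```python
"""Detect external mail-forwarding configured through Exchange Online.

Added example, not from the Vectra report: "suspicious mail forwarding" is one
of the detections the report lists, and one concrete signal for it is an inbox
rule or mailbox setting that sends copies of mail to a domain the tenant does
not own. The records below mimic the Office 365 Unified Audit Log shape
(Operation plus a Parameters list) and are constructed sample data.
"""
import json
import re

# Assumed list of domains the tenant owns; anything else is treated as external.
ORG_DOMAINS = {"corp.example"}

# Operations that can create or change forwarding, and the parameters that carry a destination.
FORWARDING_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox", "UpdateInboxRules"}
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}

# Constructed newline-delimited audit records (not real tenant data).
SAMPLE_LOG = """\
{"CreationTime": "2021-03-02T08:14:11", "Operation": "New-InboxRule", "UserId": "alice@corp.example", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "ForwardTo", "Value": "collector@mail.example.net"}, {"Name": "DeleteMessage", "Value": "True"}]}
{"CreationTime": "2021-03-02T09:02:40", "Operation": "New-InboxRule", "UserId": "bob@corp.example", "Parameters": [{"Name": "Name", "Value": "Invoices"}, {"Name": "MoveToFolder", "Value": "Finance"}]}
{"CreationTime": "2021-03-02T10:45:03", "Operation": "Set-Mailbox", "UserId": "carol@corp.example", "Parameters": [{"Name": "Identity", "Value": "carol"}, {"Name": "ForwardingSmtpAddress", "Value": "smtp:carol.home@example.org"}]}
{"CreationTime": "2021-03-02T11:20:19", "Operation": "Set-InboxRule", "UserId": "dave@corp.example", "Parameters": [{"Name": "Identity", "Value": "Tickets"}, {"Name": "RedirectTo", "Value": "helpdesk@corp.example"}]}
{"CreationTime": "2021-03-02T11:21:00", "Operation": "UserLoggedIn", "UserId": "dave@corp.example", "Parameters": []}
"""


def extract_addresses(value):
    """Pull e-mail addresses out of a parameter value such as 'smtp:a@b' or '[a@b; c@d]'."""
    addrs = []
    for part in re.split(r"[;,]", str(value)):
        part = part.strip().strip("[]").strip()
        if part.lower().startswith("smtp:"):
            part = part[5:]
        if "@" in part:
            addrs.append(part.lower())
    return addrs


def external_forwarding(records, org_domains=ORG_DOMAINS):
    """Return one finding per record that forwards or redirects mail outside org_domains."""
    findings = []
    for rec in records:
        if rec.get("Operation") not in FORWARDING_OPERATIONS:
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        targets = [addr for name in FORWARDING_PARAMS if name in params
                   for addr in extract_addresses(params[name])]
        external = [a for a in targets if a.rsplit("@", 1)[1] not in org_domains]
        if external:
            findings.append({
                "user": rec["UserId"],
                "operation": rec["Operation"],
                "targets": external,
                # A rule that also deletes the original hides the forwarding from the mailbox owner.
                "deletes_original": str(params.get("DeleteMessage", "")).lower() == "true",
            })
    return findings


def scan_log(text):
    """Parse newline-delimited JSON audit records and run the detection over them."""
    return external_forwarding(json.loads(line) for line in text.splitlines() if line.strip())


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = " (deletes original)" if f["deletes_original"] else ""
        print(f"{f['user']}: {f['operation']} -> {', '.join(f['targets'])}{flag}")
```

    Run against the sample, the script flags Alice’s rule (external destination and the original deleted) and Carol’s mailbox-level `ForwardingSmtpAddress`, and ignores Bob’s folder rule and Dave’s redirect to an internal helpdesk address. In a real tenant the domain allow-list would come from the tenant’s accepted domains, and a finding that also sets `DeleteMessage` deserves a higher severity than plain forwarding.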

  • Android 12 new privacy features will already be familiar to iPhone users (but Google may have implemented them better)

    It seems that Google has taken inspiration for many of its new privacy features from iOS, introducing several features to Android 12 that will be familiar to iPhone users.

    First up, we have notifications for when the camera or microphone are accessed by apps (this will be made available in the Beta 2 release). A little notification is present at the top of the screen, serving as a visual reminder to users that the camera or mic is hot.

    Camera and microphone access notifications

    The implementation is similar to how Apple does it, but looks to be less “mystery meat.” I’ve lost count of how many times people have asked me what the green and orange dots at the top of their iPhone mean. The feature is clear once people are made aware of it, but it’s not immediately obvious. Google has also added separate buttons to cut off mic and camera access from all apps, irrespective of permissions. This is a nice move and gives users better control over their privacy. I like this addition.

    Another privacy feature that will be familiar to iPhone users is the ability to give apps access to approximate location data rather than to pinpoint locations. There are a lot of apps that simply don’t need access to pinpoint location data, so this is a welcomed addition to Android 12.

    Coarse location data

    Another feature that is already present on iOS that will be present in Beta 2 is clipboard read notifications, which will notify users every time an app reads data from their clipboard that didn’t originate from the app itself. This feature will highlight any apps that might be snooping on the user’s clipboard.

    But Android 12 also contains several innovative and much-needed privacy features not present in iOS. One of these features is a locked folder in Google Photos, offering users a place to keep sensitive photos out of the camera reel, shared folders, or search results. Android 12 also features a privacy timeline (available in Beta 2), which will offer the user an overview of the apps that have accessed location data, the microphone, and the camera during the past 24 hours. It’s clear, simple to understand, and offers easy access to manage permissions.

    Privacy timeline

    Finally, there’s app hibernation. This will look for apps that have not been used for an extended period of time. For those apps, it will revoke any permissions previously granted by the user, force-stop the app, and reclaim memory and storage, along with all other temporary resources.


  • Bizarro banking Trojan surges across Europe

    The Bizarro banking Trojan has targeted customers of at least 70 banks as it moves from its Brazilian base to Europe.

    This week, Kaspersky researchers said the Trojan variant, originating in Brazil — as many seem to do — is now striking users not only in Brazil, but Argentina, Chile, Spain, Portugal, France, and Italy, with customers of banks in these areas being lured into handing over their account credentials for the purposes of financial theft. However, the attack chain isn’t purely digital, as money mules are used at the end of a successful compromise to cash out funds or transfer stolen money.

    The banking Trojan, likened to the “Tetrade” family of four strains running rampant across Brazil, is distributed via spam emails containing an MSI installer package. Social engineering is performed to try and fool potential victims into accepting and executing the installer, including by way of messages pretending to be tax notifications and alerts. Once launched, the installer downloads a .ZIP archive fetched from a compromised website or server. The researchers have found Azure and AWS servers that were used to host the malware, alongside hijacked WordPress domains. The archive contains a malicious .DLL, written in Delphi, an AutoHotkey script runner executable, and a script that calls an exported function from the .DLL. This function, which is obfuscated, contains the malicious code required to trigger the banking Trojan.

    On startup, Bizarro will kill existing browser processes, including any active sessions with online banking services. As soon as the victim restarts their session, bank credentials are quietly captured by the malware and sent to an attacker’s command-and-control (C2) server. To improve the chances of capturing this valuable data, Bizarro also disables autocomplete functionality in a browser.

    Fake pop-ups are also shown to users, some of which are tailored to appear as messages from online banking services warning of security updates or PC compromise. These pop-ups may freeze PCs and hide taskbars, while at the same time, requesting identity checks by the client. This is where a second-stage attack comes into play. The messages will try and lure victims into submitting two-factor authentication (2FA) codes — when this security measure is enabled — by asking them to download a malicious smartphone app and scanning a QR code for ‘authentication’ purposes.

    The malware will capture operating system information and is also able to perform screen captures, keylogging, and will monitor clipboards for cryptocurrency wallet addresses. If any are detected, wallet addresses are replaced by those owned by the threat actors in the hopes that the victim may unwittingly transfer cryptocurrency. As a Trojan, Bizarro also contains backdoor functionality that manages the C2 connection.

    This is not the only banking Trojan from Brazil that has expanded to other regions. Now joining the likes of Guildma, Javali, Melcoz, and Grandoreiro, the operators are expected to continue striking targets in multiple countries, as well as continue to improve their malware over time.

  • Amazon extends ban on police using Rekognition facial recognition technology, no end in sight

    Amazon has reportedly extended a ban on US law enforcement using Rekognition until further notice. 

    On Tuesday, Amazon said that the one-year ban on US police being permitted to use the facial recognition technology solution would continue to stand, as reported by The Washington Post. The previous one-year moratorium, announced in June 2020, was designed to give Congress time to debate and pass “appropriate rules” for the ethical use of facial recognition technology by law enforcement agencies. At the time, Amazon said: “We’ve advocated that governments should put in place stronger regulations to govern the ethical use of facial recognition technology, and in recent days, Congress appears ready to take on this challenge.” However, despite a handful of federal-level proposals being put on the table, none have been passed. Amazon’s moratorium will now be in place “indefinitely” until lawmakers address issues raised surrounding the use of Rekognition to identify potential suspects in criminal cases.

    Rekognition is image and video analysis software that leverages deep learning. Amazon describes the facial recognition aspect of the software as “highly accurate facial analysis and facial search capabilities that you can use to detect, analyze, and compare faces for a wide variety of user verification, people counting, and public safety use cases.”

    For example, law enforcement departments could submit an image of a suspect and search for a match with databases containing mugshots or other identification records. Previously, access to Rekognition was sold to law enforcement agencies. However, there are concerns relating to privacy, ethical use, accuracy, racial discrimination and the technology potentially playing a part in false convictions and injustice when it comes to facial recognition technologies.

    In 2018, the American Civil Liberties Union (ACLU) published a report revealing Rekognition incorrectly matched 28 members of Congress as individuals who had previously been arrested. Amazon refuted the report. There is also concern that facial recognition technology could be inherently racially biased. Following on from ACLU’s research, studies conducted by organizations including The University of Texas at Dallas, MIT, and Harvard have also questioned the accuracy of algorithms used to identify some groups by facial recognition software — including people of color, women, and particular age brackets — and these misclassifications could have real-world ramifications in criminal cases.

    Independently, a number of US cities and states — including San Diego and San Francisco — have implemented their own rules to curtail the use of facial recognition by the police. Debates are underway in approximately 20 states, and in recent weeks, Virginia imposed the toughest laws against its use to date — law enforcement agencies are now required to obtain permission by the state legislature before purchasing or using facial recognition technologies. Amazon is not the only provider of such solutions that has tried to distance itself from law enforcement clientele. IBM exited the business over worries that its technology could be abused, and Microsoft says it will not sell facial recognition technology to police departments until appropriate federal laws have been passed.

    Update 21.28 BST: Added further clarification and Amazon’s response to ACLU’s research.

  • Cybercriminals scanned for vulnerable Microsoft Exchange servers within five minutes of news going public

    Cybercriminals began searching the web for vulnerable Exchange Servers within five minutes of Microsoft’s security advisory going public, researchers say. 

    According to a review of threat data from enterprise companies gathered between January and March this year, compiled in Palo Alto Networks’ 2021 Cortex Xpanse Attack Surface threat report and published on Wednesday, threat actors were quick off the mark to scan for servers ripe to exploit. When critical vulnerabilities in widely adopted software are made public, this may trigger a race between attackers and IT admins: one to find suitable targets — especially when proof-of-concept (PoC) code is available or a bug is trivial to exploit — and IT staff to perform risk assessments and implement necessary patches.

    The report says that in particular, zero-day vulnerabilities can prompt attacker scans within as little as 15 minutes following public disclosure. Palo Alto researchers say that attackers “worked faster” when it came to Microsoft Exchange, however, and scans were detected within no more than five minutes.

    On March 2, Microsoft disclosed the existence of four zero-day vulnerabilities in Exchange Server. The four security issues, collectively impacting on-prem Exchange Server 2013, 2016, and 2019, were exploited by the Chinese advanced persistent threat (APT) group Hafnium — and other APTs, including LuckyMouse, Tick, and Winnti Group, quickly followed suit. The security disclosure triggered a wave of attacks, and three weeks later, they were still ongoing. At the time, F-Secure researchers said vulnerable servers were “being hacked faster than we can count.”

    It is possible that the general availability of cheap cloud services has helped not only APTs but also smaller cybercriminal groups and individuals to take advantage of new vulnerabilities as they surface. “Computing has become so inexpensive that a would-be attacker need only spend about $10 to rent cloud computing power to do an imprecise scan of the entire internet for vulnerable systems,” the report says. “We know from the surge in successful attacks that adversaries are regularly winning races to patch new vulnerabilities.”

    The research also highlights Remote Desktop Protocol (RDP) as the most common cause of security weakness among enterprise networks, accounting for 32% of overall security issues, an especially problematic area as many companies made a rapid shift to cloud over the past year in order to allow their employees to work remotely. “This is troubling because RDP can provide direct admin access to servers, making it one of the most common gateways for ransomware attacks,” the report notes. “They represent low-hanging fruit for attackers, but there is reason for optimism: most of the vulnerabilities we discovered can be easily patched.”

  • This is how the Cobalt Strike penetration testing tool is being abused by cybercriminals

    New research shows how Cobalt Strike is being weaponized in campaigns deploying malware ranging from the Trickbot banking Trojan to Bazar. 

    On Wednesday, Intel 471 published a report exploring the abuse of Cobalt Strike, a commercial penetration testing tool released in 2012 which can be used to deploy beacons on systems to simulate attacks and test network defenses. In January, security analysts said that Cobalt Strike, alongside the Metasploit framework, was used to host over 25% of all malicious command-and-control (C2) servers deployed in 2020. The popular penetration testing kit, of which source code for version 4.0 was allegedly leaked online in 2020, has been abused by threat actors for years and has become a go-to tool for advanced persistent threat (APT) groups including Carbanak and Cozy Bear. According to Fox-IT, thousands of instances of Cobalt Strike abuse have been recorded, but most threat actors will use legacy, pirated, or cracked copies of the software.

    “Cobalt Strike has become a very common second-stage payload for many malware campaigns across many malware families,” Intel 471 notes. “Access to this powerful and highly flexible tool has been limited by the product’s developers, but leaked versions have long spread across the internet.” The researchers say that the existing abuse of Cobalt Strike has been linked to campaigns ranging from ransomware deployment to surveillance and data exfiltration, but as the tool allows users to create malleable C2 architectures, it can be complicated to trace C2 owners.

    However, the team has conducted an investigation into the use of Cobalt Strike in post-exploitation activities. Trickbot was chosen as a starting point. Trickbot banking Trojan operators have dropped Cobalt Strike in attacks dating back to 2019 — alongside Meterpreter and PowerShell Empire — as well as in attacks traced by Walmart Global Tech and SentinelLabs.

    The Hancitor group (MAN1/Moskalvzapoe/TA511) has also now begun using Cobalt Strike. Once linked to the deployment of the Gozi Trojan and Evil Pony information stealer, as noted by Palo Alto Networks, recent infections have shown that these tools have been replaced with Cobalt Strike. During post-exploit activities, Hancitor will then deploy either a Remote Access Trojan (RAT), information stealers, or, in some cases, spambot malware. “The group setting up the Cobalt Strike team servers related to Hancitor prefer to host their CS beacons on hosts without a domain,” Intel 471 says. “The CS beacons will call home to the same set of IPs. Stagers are downloaded from infrastructure set up via Yalishanda bulletproof hosting service. It’s important to note that Hancitor only drops Cobalt Strike on machines that are connected to a Windows domain. When this condition isn’t met, Hancitor may drop SendSafe (a spambot), the Onliner IMAP checker, or the Ficker information stealer.”

    The researchers also explore the use of Cobalt Strike by threat actors distributing the Qbot/Qakbot banking Trojan, of which one of the plugins — plugin_cobalt_power3 — enables the pen testing tool. “The configuration extracted from the Qbot-related Cobalt Strike beacon doesn’t show any links to any other groups that we are aware of,” the report states. “When comparing this activity to samples reported by other researchers, we observed different public Malleable-C2 profiles used, but commonalities in hosting infrastructure.”

    Operators of SystemBC malware variants, as reported by Proofpoint, utilize SOCKS5 proxies to mask network traffic and have been included as a payload in both RIG and Fallout exploit kits. According to Intel 471, ransomware operators have also adopted SystemBC, which has dropped Cobalt Strike during campaigns across 2020 and early 2021. However, the team has not attributed these recent campaigns to specific, known threat actors. Also of note, in early 2021, Bazar campaigns were recorded as sending and distributing Cobalt Strike rather than typical Bazar loaders used by the threat actors in the past.

    “Cobalt Strike is a powerful tool that’s being leveraged by people that shouldn’t be leveraging it at all: a growing number of cybercriminals,” the researchers say. “That said, not all deployments of Cobalt Strike are the same. Some deployments demonstrate bad operational security by re-using infrastructure and not changing their malleable-C2 profiles. Additionally, some operators drop Cobalt Strike on many infected systems, while others will only deploy the tool very selectively.”