Photo Cred: Forbes

Last week, I had the pleasure of speaking at Virus Bulletin on the recent news of iPhone (first reported on by Google Project Zero) and Android (first reported on by Volexity) mobile malware being used to target Tibetans (as reported by Citizen Lab) and Uighur Muslims inside and outside the People’s Republic of China. Lots of great research is linked above and you should definitely read it.

Whenever events like these occur, researchers from many organizations are researching pieces of it. If you are interested in Chinese APT attacks against these groups, certainly take a look.

One of the most interesting things to me when looking into these attacks is the sophistication and persistence of the adversary. As vulnerabilities got patched, they reused what pieces they could from their attacks and discovered new vulnerabilities to maintain their ability to action on the surveillance objectives. Some of the tools used indicate relationships to other Chinese APT groups, and certainly these types of attacks could be used against truly foreign adversaries as well.

The chief problem with cyber security is that most of our tools and workforce is geared to waiting for adverse events, detecting those events (sometimes months after the fact), investigating the breach that has already occurred, and then cleaning up. This slow and reactive process ensures breaches happen and security staff us overwhelmed under the noise.

This talk will focus on automation and machine learning techniques that can proactively identify threats seen in the wild based on the latest academic research. This techniques allow organizations to identify suspect infrastructure before it is used to attack them. The key to making this work is infusing machine learning with knowledge of how actual attacks work and the threat landscape. Machine learning without intelligence is merely gussied up mensa math exercises.

A zero-day remote code execution vulnerability in vBulletin, an extremely popular internet forum software used on more than 100,000 websites, was discovered and exposed this week.

ThreatSTOP is excited to announce a new curated target, TS Curated – File Sharing Services - Domains.

Cloud-based file sharing solutions have become popular and useful both for legitimate companies and for cyber criminals. Oftentimes, threat actors utilize file sharing services to host malicious files and as a destination for data they steal. Meanwhile, many companies depend on these file sharing services to get business done.

Earlier this month, a new variant of the Guildma information stealer was analyzed by the Internet Storm Center (ISC). The malware’s new campaign has been seen targeting various countries in South America, with the highest number of infections recorded in Brazil. It seems that Guildma is spreading quickly, with another recent campaign reaching over 150,000 infection attempts in a matter of weeks.

What was originally designed to be a banking Trojan has now become a versatile malicious code used to deploy a massive botnet, and is considered one of the most dangerous active malware families today.

In an alert published by the U.S. Department of Homeland Security last year, Emotet was described as “among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT)." Emotet was extremely active in the first half of 2019, until a recent two-month period when the malware family went under the radar (rumor has it that the sudden disappearance was to allow for maintenance and upgrades). Last week, the malware re-emerged with renewed activity spotted by Cofense researchers.

Making connections and finding new indicators is an important part of IOC analysis, and is probably the most enjoyable part as well. Blog posts and reports on new threats will usually mention the indicators seen to be used by the specific malware sample or attack vector analyzed, yet in many cases there is a larger malicious infrastructure behind them just waiting to be uncovered (and blocked!). Sometimes, a whole other malicious infrastructure can be revealed by examining IOCs related to malicious IPs and domains. There are a variety of tools out there that can help analysts investigate indicators of compromise and their infrastructure, and perform enrichment to shed light on related, malicious IOCs.

In this post, we will review some of our Security Research Team’s favorite connection and enrichment platforms.

As mentioned in our previous post on IOC Collection and Sharing, analyzable indicators can be found on a variety of platforms and channels, each with its own level of reliability and information detail. Once an analyst has deemed the collected IOCs suspicious, they can review its background and infrastructure information, such as ASN and passive DNS for IPs, and Whois, resolving IPs, and popularity score for domains. In addition, the analyst can also check if leading security vendors have already deemed the IOC malicious by choosing from a wide array of open-source blacklists. At the end of this process, the analyst will have the information and knowledge required to decide if the inbound and/or outbound traffic to the indicator should be blocked.

In this post we will review free, open-source tools that analysts can use to collect technical and reputation information on IOCs, with a focus on IPs and domains.

The first step in IOC analysis is obtaining the indicators to analyze. Some analysts will opt to stick with one source, and analyze whichever IOCs come their way, while others may search various sources for a specific threat type such as Ransomware, or threat such as Lokibot. Threat exchanges are open and free community platforms for information sharing and collaboration, and are an excellent source for IOCs. Another source for IOC collection which may come off as less intuitive is social media, with Twitter being the best SM platform to find new, relevant IOCs.

In this post, we will describe our Top 5 Free IOC Sources for Analysis.