One Article Review

Home - The article:
Source: SecurityWeek
Identifier: 510719
Publication date: 2018-03-13 15:50:02 (viewed: 2018-03-13 15:50:02)
Title: Usual Threats, But More Sophisticated and Faster: Report (Recycled)
Text:

Almost Every Type of Cyber Attack is Increasing in Both Volume and Sophistication

Eight new malware samples were recorded every second during the final three months of 2017. The use of fileless attacks, primarily via PowerShell, grew; and there was a surge in cryptocurrency hijacking malware. These were the primary threats outlined in the latest McAfee Labs Threat Report (PDF) covering Q4 2017.

The growth of cryptomining malware coincided with the surge in Bitcoin value, which peaked at just under $20,000 on Dec. 22. With the cost of dedicated mining hardware at upwards of $5,000 per machine, criminals chose to steal users' CPU time via malware. It demonstrates how criminals always follow the money, and choose the least expensive method of acquiring it with the greatest chance of avoiding detection.

Since December, Bitcoin's value has fallen to $9,000 (at the time of publishing). Criminals' focus on Bitcoin is likewise shifting, with Ethereum and Monero becoming popular. Last week, Microsoft discovered a major campaign focused on stealing Electroneum. "We currently see discussions in underground forums that suggest moving from Bitcoin to Litecoin because the latter is a safer model with less chance of exposure," comments Raj Samani, chief scientist and McAfee fellow with the Advanced Threat Research Team.

The speed with which criminals adapt to the latest market conditions is also seen in the way they maximize their asymmetric advantage. "Adversaries," writes Samani, "have the luxury of access to research done by the technical community, and can download and use open-source tools to support their campaigns, while the defenders' level of insight into cybercriminal activities is considerably more limited, and identifying evolving tactics often must take place after malicious campaigns have begun."
Examples of attackers making use of legitimate research include Fancy Bear (APT28) leveraging a Microsoft Office Dynamic Data Exchange technique in November 2017 that had been made public just a few we
Stories: NotPetya, Equifax, APT 28


Reprints of the article (1):
Source: SecurityWeek
Identifier: 510601
Publication date: 2018-03-13 14:10:02 (viewed: 2018-03-13 14:10:02)
Title: SOC Performance Improves, But Remains Short of Optimum: Report
Text:

The good news is that security operations centers (SOCs) are becoming more efficient. The not-so-good news is that there is still considerable scope for improvement. This is the conclusion of the fifth annual Micro Focus State of Security Operations Report for 2018 (PDF), which draws on the experience of 200 assessments of 144 discrete SOC organizations in 33 countries.

In greater detail, there has been an overall 12% improvement in SOC maturity -- the most significant shift yet in the five years of the survey. Despite this, the median SOC maturity level stands at just 1.42 across all industries, significantly below the Micro Focus recommended target of 3.0.

The report uses the Micro Focus Security Operations Maturity Model (SOMM) methodology for assessments. This is based on the Carnegie Mellon Software Engineering Institute Capability Maturity Model for Integration (SEI-CMMI), which has been updated by Micro Focus at regular intervals to remain relevant to current information security trends and threat capabilities. SOMM evaluates SOCs on the basis of people and processes, technology, and business capabilities.

Despite the remaining room for improvement, this year's results show that organizations are beginning to see a return on their security investments and are seeing more value from the security solutions they have deployed. “Over the last five years, we have watched organizations attempt to achieve a complete security transformation by applying Band-Aids – such as the purchase of peripheral products or dismantling of solutions – only to find poor results and poor business alignment,” said Matthew Shriner, vice president, Security Professional Services for Micro Focus. “With that in mind, it is refreshing that when it comes to cyber defense capability, Micro Focus is seeing a much higher degree of operational sophistication than ever before.
Nearly 25% of organizations assessed are meeting business goals, representing a nearly 10% year-over-year improvement.”

The SOMM gives a rating between 0 and 5. '0' represents a complete lack of capability, while '5' is given for a capability that is consistent, repeatable, documented, measured, tracked, and continually improved upon. Micro Focus believes that enterprises should seek a maturity level of 3, while managed security service providers should target a level between 3 and 4. The reliable detection of malicious activity, and a systematic approach to managing that activity, are considered to be the most important success criteria for mature cyber defense.

Despite the overall improvement in maturity levels, the report notes that "20 percent of cyber defense organizations that were assessed over the past 5 years failed to score a security operations maturity model (SOMM) level 1. These organizations continue to operate in an ad-hoc manner with undocumented processes and significant gaps in security and risk management."

Geographically, the top performing areas are South America (SOMM score of 1.89) and the Benelux countries (1.79). In both cases the


The article resembles 2 other article(s):
Source | Date (GMT) | Title | Description | Tags | Stories | Notes
Source: SecurityWeek
Date (GMT): 2018-03-14 13:01:00
Title: (Déjà vu) Cyber-Attack Prevention Firm Solebit Raises $11 Million (direct link)
Description:

Tel Aviv-based cyber-attack prevention firm Solebit Labs, currently establishing new global headquarters in Silicon Valley, has announced completion of an $11 million Series A funding round led by ClearSky Security. Solebit was founded in 2014 by Boris Vaynberg, Meni Farjon, and Yossi Sara -- all of whom graduated from Israel's IDF technology units. The funding announced today will be used to accelerate adoption and deployment of the SoleGATE Security Platform from the new headquarters in Silicon Valley.

SoleGATE is an attack prevention system that can be used as a replacement or alternative to traditional endpoint protection systems. Such systems typically rely on either malware signatures or malware behavioral analysis engines -- with or without the benefit of machine learning AI algorithms -- to detect malware; and both of these approaches can be evaded by zero-day fileless attacks. SoleGATE uses neither signatures nor behavioral analysis to detect malicious code before it enters the network. Instead, it creates a logical 'no code zone' that inspects every data stream for executable code, no matter how encrypted or hidden. By inspecting every data stream, malicious code has nowhere to hide, and cannot evade detection. Solebit claims that it has a false positive rate of less than 0.002%.

“Attackers still possess the edge, particularly in zero-day attacks, despite considerable security investment,” said Vaynberg, CEO of Solebit. “DvC (Solebit's patent-pending inspection engine) assumes that there is no legitimate reason for executable code to be present in any data file. DvC also accurately identifies and blocks malicious active content using advanced flow analysis, de-obfuscation techniques and deep content evaluation, to reveal threat intent within any data file covering machine, operating system and application levels, thereby rendering such sandbox-evading malware harmless to the enterprise.”

SoleGATE is a virtual appliance that can analyze data streams at high speed. For large companies, "SoleGATE supports both vertical and horizontal scaling," Vaynberg told SecurityWeek. "Each SoleGATE virtual appliance can scan many files concurrently (based on the number of CPU cores dedicated to the virtual appliance) and customers can use multiple SoleGATE instances working in Active-Active mode."

The technology is closer in concept to Content Disarm and Reconstruct (CDR) solutions than it is to standard malware detection products -- but still has fundamental differences. "The SoleGATE DvC engine analyzes the binary content of each scanned file and reaches a conclusive verdict regarding the file, whether it is malicious or not. It covers a wide range of file formats, does not change anything in the scanned file and, of course, there is no effect on user experience," explained Vaynberg. "CDR, however, is reconstructing the file, assumi
Tags: Guideline
Source: SecurityWeek
Date (GMT): 2018-03-16 13:11:03
Title: (Déjà vu) Remotely Exploitable Vulnerability Discovered in MikroTik's RouterOS (direct link)
Description:

A vulnerability exists in MikroTik's RouterOS in versions prior to the latest 6.41.3, released Monday, March 12, 2018. Details were discovered in February and disclosed by Core Security on Thursday. MikroTik is a Latvian manufacturer that develops routers and software used throughout the world. RouterOS is its Linux-based operating system.

The vulnerability, a MikroTik RouterOS SMB buffer overflow flaw, allows a remote attacker with access to the service to gain code execution on the system. Since the overflow occurs before authentication, an unauthenticated remote attacker can exploit it. The vulnerability exists because the first byte of the source buffer is read and used as the size for the copy operation to the destination buffer -- but ultimately, no validation is performed to ensure that the data fits into the destination buffer, potentially allowing a stack overflow.

Core's vulnerability advisory includes a proof of concept exploit against MikroTik's x86 Cloud Hosted Router. The function is reached by sending a NetBIOS session request message. Data execution prevention (DEP) is bypassed with a return-oriented programming (ROP) chain that calls 'mprotect' to mark a memory region as both writable and executable. Address space layout randomization (ASLR) can be neutralized because the base address of the heap is not randomized. This allows a payload on the heap to jump to a fixed location. "Our testing," says Core's advisory, "showed this approach to be extremely reliable."

The reserved CVE number is CVE-2018-7445. Core sent its initial vulnerability notice to MikroTik on February 19, 2018. On the same day, Core noticed the flaw was already scheduled for a fix by MikroTik in a new software release candidate. Core asked for a coordinated publication of the new version and its own advisory. It proposed March 1, 2018, which was confirmed by MikroTik. MikroTik then asked for an extension to Thursday, March 8, 2018, and then told Core it still wouldn't be ready. On Monday, March 12, 2018, it released the new version. It did not inform Core, and there is no apparent mention of the flaw or the fix in its new version announcement to customers -- but it subsequently confirmed that the flaw has been fixed. MikroTik's advice for customers that cannot upgrade is that they should turn off SMB.

Last week, Kaspersky Lab released a report on a hacking group it calls Slingshot. It has identified around 100 victims. The attackers gain access by first getting control of MikroTik routers, and using that position to download DLL files to the target computer via MikroTik's Winbox management tool. It is not clear at this point whether the Slingshot group gained access to the MikroTik routers using the CVE-2018-7445 vulnerability, but it is tempting to think so. Kaspers
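The bug class the advisory describes (a length byte read from the network and used as a memcpy size with no check against the destination) is the kind of defect a code reviewer or fuzzing harness should catch before release. The following C program is an added illustration of that pattern and of its fix; it is hypothetical code written for this page, not MikroTik's RouterOS source or Core Security's proof of concept. The message layout (one length byte followed by payload), the 16-byte destination size and the sample messages are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Capacity of the receiving (stack) buffer; a constructed size for this illustration. */
#define DEST_SIZE 16

/*
 * Vulnerable pattern as the advisory describes it: the first byte of the
 * source buffer is read and used as the copy length, and nothing checks that
 * the payload fits the destination. Hypothetical illustration of the bug
 * class, not MikroTik's code. Returns the number of bytes copied.
 */
int copy_payload_unchecked(const uint8_t *msg, uint8_t *dest)
{
    size_t declared = msg[0];         /* length byte comes straight from the peer */
    memcpy(dest, msg + 1, declared);  /* no comparison against the destination size */
    return (int)declared;
}

/*
 * Hardened form: the declared length is validated against both the number of
 * bytes actually received and the capacity of the destination before any copy.
 * Returns the number of bytes copied, or -1 if the message is rejected.
 */
int copy_payload_checked(const uint8_t *msg, size_t msg_len,
                         uint8_t *dest, size_t dest_size)
{
    if (msg_len < 1)
        return -1;                    /* not even a length byte was received */
    size_t declared = msg[0];
    if (declared > msg_len - 1)
        return -1;                    /* claims more payload than was received */
    if (declared > dest_size)
        return -1;                    /* would overflow the destination buffer */
    memcpy(dest, msg + 1, declared);
    return (int)declared;
}

/* Constructed sample messages (not real protocol captures). */
static const uint8_t benign_msg[] = { 4, 'a', 'b', 'c', 'd' };
static const uint8_t truncated_msg[] = { 10, 'a', 'b' };   /* claims 10 bytes, carries 2 */

/* Well-formed message: both versions copy and report 4 bytes. */
int benign_checked(void)
{
    uint8_t dest[DEST_SIZE];
    return copy_payload_checked(benign_msg, sizeof benign_msg, dest, sizeof dest);
}

int benign_unchecked(void)
{
    uint8_t dest[DEST_SIZE];
    return copy_payload_unchecked(benign_msg, dest);
}

/* Truncated message: the hardened copy refuses to read past the received bytes. */
int truncated_checked(void)
{
    uint8_t dest[DEST_SIZE];
    return copy_payload_checked(truncated_msg, sizeof truncated_msg, dest, sizeof dest);
}

/*
 * Oversized message: a length byte of 255 with a full 255-byte payload. This is
 * the shape of input the unchecked copy would spill across the 16-byte stack
 * buffer; the hardened copy rejects it on the destination-size check.
 */
int oversized_checked(void)
{
    uint8_t msg[1 + 255];
    uint8_t dest[DEST_SIZE];
    msg[0] = 255;
    memset(msg + 1, 'A', 255);
    return copy_payload_checked(msg, sizeof msg, dest, sizeof dest);
}

int main(void)
{
    printf("benign (checked):    %d\n", benign_checked());     /* 4 */
    printf("benign (unchecked):  %d\n", benign_unchecked());   /* 4 */
    printf("truncated (checked): %d\n", truncated_checked());  /* -1 */
    printf("oversized (checked): %d\n", oversized_checked());  /* -1 */
    return 0;
}
```

The two extra comparisons in copy_payload_checked are the whole fix: the received length bounds how much may be read, and the destination size bounds how much may be written. The unchecked version is only ever called here with the benign message, because calling it with the oversized one is exactly the stack overflow the advisory describes. Note also that in the real case the copy happened before authentication, which is why the page reports MikroTik's interim advice as turning off SMB where upgrading to 6.41.3 is not possible.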