Wednesday, June 21, 2017

Importance of Threat Intelligence



Introduction:
In the cyber security world, threat intelligence has become one of the most valuable weapons for fighting attackers, threat actors and part-time hackers. Even against the most capable adversaries, such as state-sponsored attacks, threat intelligence can detect activity early and give defenders time to respond. We are often asked what the use of collecting threat intelligence is. Our answer is this: many attacks are sector based, targeting a specific industry the attackers are interested in. We can collect those alerts from different sources and maintain them in a threat intelligence platform. Using that, we can detect attacks in log monitoring and proceed to block them.

This is how it generally works. A deeper look at threat intelligence reveals more, such as the types of threat intelligence and how each helps in fighting threat actors. Threat intelligence is categorised into three types:

  • Strategic Intelligence
  • Operational Intelligence
  • Tactical Intelligence


Strategic Intelligence:

This is the high-level view. People in commanding positions need it to critically assess threats and decide on the organisation's overall response.

Operational Intelligence:

This concerns how the organisation proactively assesses the future cyber threats targeted at it, based on the attacks seen against its sector.

Tactical Intelligence:

This is all about attacker methodologies: the tools and tactics used, and how dangerous the attacker is.

Conclusion:

Overall, threat intelligence will enhance the cybersecurity posture and holistic risk management policies. Decision making after the detection of an intrusion will be better, and the lessons learned will be more valuable.


Saturday, June 3, 2017

250 Million Computers Infected With FIREBALL - Chinese Malware:

Recently, security researchers from Check Point discovered a high-volume Chinese threat operation that has infected over 250 million computers around the globe. Fireball turns web browsers into zombies by hijacking them and pushing a fake search engine. Fireball also installs plugins to inject advertisements and acts as a distribution channel for potentially unwanted applications, adware and malware. A large Beijing-based digital marketing company called Rafotech uses Fireball to manipulate victims' browsers, replacing the default home page and search engine with its own fake search engine.

Figure: key findings from Check Point researchers

Figure: infection flow, as drawn by Check Point researchers

Malware distribution around the world
According to the researchers, over 250 million computers are infected worldwide, and 20 percent of them are in corporate networks:

  • 25.3 million infections in India (10.1%)
  • 24.1 million in Brazil (9.6%)
  • 16.1 million in Mexico (6.4%)
  • 13.1 million in Indonesia (5.2%)
  • 5.5 million in the US (2.2%)

Indicators of compromise (C&C addresses and file hashes) are published in the Check Point report cited below.



Conclusion

It is important to remove adware plugins and check the default home page in the web browser. If you do not recognise the plugins or extensions installed, or the home page has changed to something unknown, there is a high chance that the system is infected with a browser hijacker of this kind. It is highly recommended to keep the anti-malware software updated and to use an additional adware cleaner from a reputable AV vendor. Resetting the web browser to its default settings can undo the browser hijack. Blocking the C&C addresses published by Check Point at the firewall is also recommended to prevent these attacks.
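As an added example (not code from either post, nor from Check Point), this is the matching step described in the threat-intelligence post above and the C&C blocking recommended here: defanged indicators from Check Point's Fireball list are refanged and compared against the hosts each client contacted in proxy logs, including subdomains of a listed domain, and downloads are checked against a published hash. The proxy log lines and the non-indicator hosts in them are constructed.

```python
"""Match defanged threat-intel indicators against proxy logs. Added example, not from the
original posts or Check Point; two Fireball C&C domains and one MD5 come from the list above."""
import re

# Indicators as published, defanged with "[.]" so they are not clickable.
DEFANGED_DOMAINS = ["attirerpage[.]com", "dgkytklfjrqkb[.]cloudfront[.]net"]
KNOWN_BAD_MD5 = {"fab40a7bde5250a6bc8644f4d6b9c28f"}

def refang(indicator: str) -> str:
    """Return the matchable hostname: undo "[.]", drop scheme and path, lower-case."""
    host = re.sub(r"^https?://", "", indicator.replace("[.]", "."))
    return host.split("/")[0].strip().lower()

BAD_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}

def host_matches(host: str) -> bool:
    """True for a listed domain or any subdomain of it (e.g. cdn.attirerpage.com)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BAD_DOMAINS)

def scan_proxy_logs(lines) -> list:
    """Lines: <timestamp> <client> <method> <url> <status> [md5-of-download].
    One alert per line that reaches a listed domain or fetches a known-bad hash."""
    alerts = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip rather than crash the pipeline
        ts, client, _method, url, _status = fields[:5]
        md5 = fields[5].lower() if len(fields) > 5 else ""
        host = re.sub(r"^[a-z]+://", "", url, flags=re.I).split("/")[0].split(":")[0]
        if host_matches(host):
            alerts.append({"time": ts, "client": client, "indicator": host, "type": "c2-domain"})
        elif md5 in KNOWN_BAD_MD5:
            alerts.append({"time": ts, "client": client, "indicator": md5, "type": "file-hash"})
    return alerts

# Constructed sample log lines; hosts other than the two indicators are made up.
SAMPLE_LOGS = [
    "2017-06-03T10:01:00Z 10.0.0.12 GET http://attirerpage.com/search?q=x 200",
    "2017-06-03T10:01:05Z 10.0.0.12 GET http://cdn.attirerpage.com/a.js 200",
    "2017-06-03T10:02:00Z 10.0.0.33 GET https://example.org/ 200",
    "2017-06-03T10:03:00Z 10.0.0.45 GET http://dgkytklfjrqkb.cloudfront.net/main/trmz.exe 200",
    "2017-06-03T10:03:30Z 10.0.0.45 GET http://files.example.net/setup.exe 200 FAB40A7BDE5250A6BC8644F4D6B9C28F",
    "2017-06-03T10:04:00Z 10.0.0.51 GET http://notattirerpage.com/ 200",
]

if __name__ == "__main__":
    for alert in scan_proxy_logs(SAMPLE_LOGS):
        print(alert)
```

The suffix match is what catches the cdn.attirerpage.com line while leaving notattirerpage.com alone; a plain substring check would get both wrong.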

Post by
newWorld



Source: CheckPoint blog
