Research Saturday

Guest Charity Wright, Cyber Threat Intelligence Expert in Recorded Future's Insikt Group, joins Dave to discuss her research "China’s Digital Colonialism: Espionage and Repression Along the Digital Silk Road". Through the Digital Silk Road Initiative (DSR), announced in 2015, the People’s Republic of China (PRC) is building an expansive global data infrastructure and exporting surveillance technologies to dictators and illiberal regimes throughout the developing world, in some cases trading technology for access to sensitive user data and facial recognition intelligence. Domestically, China uses this type of technology to assert authority over its citizens, censor the media, quell protests, and systematically oppress religious minorities. Now, over 80 countries are enabled to do the same with Chinese surveillance technology. The research can be found here: China’s Digital Colonialism: Espionage and Repression Along the Digital Silk Road Learn more about your ad choices. Visit megaphone.fm/adchoices

Guest Christopher Budd, Senior Global Threat Communications Manager at Avast, joins Dave to talk about some research his team did when they looked into a Reddit report saying their Avast folder was empty and other reports like it. The team found a new malware they’re calling “Crackonosh” in part because of some possible indications that the malware author may be Czech. Crackonosh is distributed along with illegal, cracked copies of popular software and searches for and disables many popular antivirus programs as part of its anti-detection and anti-forensics tactics. The research can be found here: Crackonosh: A New Malware Distributed in Cracked Software Learn more about your ad choices. Visit megaphone.fm/adchoices

Guest Nathan Howe, Vice President of Emerging Technology at Zscaler, joins Dave to discuss his team's work, "2021 “Exposed” Report Reveals Corporate and Cloud Infrastructures More at Risk Than Ever From Expanded Attack Surfaces." The modern workforce has resulted in an increase of users, devices, and applications existing outside of controlled networks, including corporate networks, the business emphasis on the “network” has decreased and the reliance on the internet as the connective tissue for businesses has increased. Zscaler analyzes the attack surface of 1,500 organizations and identifies trends affecting businesses of all sizes and industries, across all geographies. Key findings include: The attack surface impact based on company size The countries with the greatest attack surface The industries that are most exposed The research can be found here: “Exposed”: The world’s first report to reveal how exposed corporate networks really are. Learn more about your ad choices. Visit megaphone.fm/adchoices

Guest Daniel Kats, Senior Principal Research Engineer at NortonLifeLock, joins Dave to discuss his team's work, "Encrypted Chat Apps Doubling as Illegal Marketplaces." Encrypted chat apps are gaining popularity worldwide due to their central premise of not sending user data to tech giants. Some popular examples include WhatsApp, Telegram and Signal. These apps have also been adopted by businesses to securely communicate directly to their users. Additionally, these apps have been instrumental to subverting authoritarian regimes. However, NortonLifeLock found that encrypted chat apps are also being used by criminals to sell illegal goods. Because content moderation is, by design, nearly impossible on these apps, they allow for an easy vector for dealers of illicit goods to communicate directly to customers without fear of law enforcement involvement. The research can be found here: Encrypted Chat Apps Doubling as Illegal Marketplaces Learn more about your ad choices. Visit megaphone.fm/adchoices

Guest Tom Roter from Minera Labs joins Dave to discuss his team research: "Rigging a Windows Installation." It is common knowledge that pirated software might contain malware, yet millions still put themselves and their devices at risk and download from dubious sources. It is even more surprising to see the popularity of torrented operating system installations, which are ranked at the top of most torrent tracker ranking lists. Today we will prove conventional wisdom right and show off a devious, yet clever attack chain employed by an infected Windows 10 image, frequently shared and downloaded by tens of thousands of users. Over the last year, numerous malicious PowerShell events popped up in our telemetry. The events caught our attention because a payload was being downloaded into the “C:\Windows” directory, which is usually well guarded under NTFS permissions, this implies that the attacker had very high privilege on the compromised system. The research can be found here: Rigging a Windows installation Learn more about your ad choices. Visit megaphone.fm/adchoices

Guest Yonatan Striem-Amit joins Dave to talk about Cybereason's research "Prometei Botnet Exploiting Microsoft Exchange Vulnerabilities." The Cybereason Nocturnus Team responded to several incident response (IR) cases involving infections of the Prometei Botnet against companies in North America, observing that the attackers exploited recently published Microsoft Exchange vulnerabilities (CVE-2021-27065 and CVE-2021-26858) in order to penetrate the network and install malware. Yonatan shares his team's findings of the investigation of the attacks, including the initial foothold sequence of the attackers, the functionality of the different components of the malware, the threat actors’ origin and the bot’s infrastructure. The research can be found here: Prometei Botnet Exploiting Microsoft Exchange Vulnerabilities Learn more about your ad choices. Visit megaphone.fm/adchoices

Guests Gage Mele and Yury Polozov join Dave to talk about Anomali's research "Primitive Bear (Gamaredon) Targets Ukraine with Timely Themes." Anomali Threat Research identified malicious samples that align with the Russia-sponsored cyberespionage group Primitive Bear’s (Gamaredon, Winterflounder) tactics, techniques, and procedures (TTPs). Primitive Bear, known primarily to focus on Ukraine, has been very active in 2021. However, the themes of the samples Anomali found, as well as those shared by the security community, could also be used to target multiple former Union of Soviet Socialist Republic (USSR) countries. Anomali Threat Research found malicious .docx files being distributed by Primitive Bear, likely through spearphishing, that attempted to download remote template .dot files through template injection. The research can be found here: Primitive Bear (Gamaredon) Targets Ukraine with Timely Themes Learn more about your ad choices. Visit megaphone.fm/adchoices

Guest Adam Tagert is a Science of Security (SoS) Researcher in the National Security Agency Research Directorate. The National Security Agency (NSA) sponsors the Science of Security (SoS) Initiative for the promotion of a foundational cybersecurity science that is needed to mature the cybersecurity discipline and to underpin advances in cyberdefense. Adam works in all aspects of SoS particularly in the promotion of collaboration and use of foundational cybersecurity research. He promotes rigorous research methods by leading the Annual Best Scientific Cybersecurity Paper Competition. Adam joins Dave Bittner to discuss the NSA's SoS Initiative and their Science of Security and Privacy 2021 Annual Report. Information on the SoS Initiative and the report can be found here: Science of Security Science of Security and Privacy 2021 Annual Report Learn more about your ad choices. Visit megaphone.fm/adchoices

Guest Karl Sigler of Trustwave's SpiderLabs joins Dave Bittner to talk about their research: "Hidden Phishing at Free JavaScript Site". The research describes an interesting phishing campaign SpiderLabs encountered recently. In this campaign, the email subject pertains to a price revision, followed by some numbers. There is no email body, but there is an attachment about an ”investment.” The attachment’s convoluted filename contains characters the file-naming convention doesn’t allow, notably the vertical stroke, “|.” Even though "xlsx" is in the filename, double-clicking the attachment will prompt the user to open it with the default web browser. Thus, the file indeed appears to be an HTML document. Of course, it’s malicious. The research can be found here: HTML Lego: Hidden Phishing at Free JavaScript Site Learn more about your ad choices. Visit megaphone.fm/adchoices

Guest Brandon Hoffman of Intel 471 joins Dave Bittner to share his team's research "EtterSilent: the underground’s new favorite maldoc builder". The cybercrime underground often mimics behaviors that we see in everyday facets of life. Intel 471’s latest discovery is an example of one of these patterns: when a product takes off in the marketplace, users will rush to obtain it and find unique ways to use it in order to fit their needs. The latest “product” is a malicious document builder, known in the underground as “EtterSilent,” that Intel 471 has seen leveraged by various cybercrime groups. As it has grown in popularity, it has constantly been updated in order to avoid detection. Used in conjunction with other forms of malware, it’s a prime example of how ease of use and a concentration of skill sets leads to a commoditization of the cybercrime economy. EtterSilent: the underground’s new favorite maldoc builder Learn more about your ad choices. Visit megaphone.fm/adchoices

Guest Joe Slowik joins us from DomainTools to discuss his team's research "COVID-19 Phishing With a Side of Cobalt Strike." Multiple adversaries, from criminal groups to state-directed entities, engaged in malicious cyber activity using COVID-19 pandemic themes since March 2020. Adversaries continue to leverage the pandemic, arguably the most significant issue globally as of this writing, in various ways. Yet the most persistent avenue remains using COVID-19 themes for building malicious document files. Examples include lures associated with Cloud Atlas-linked activity and broader targeting of health authorities. Given the continued significance of the pandemic and persistent use of pandemic themes by adversaries, DomainTools researchers continuously monitor for items leveraging COVID-19 content for malicious purposes. While conducting this research, DomainTools analysts identified an interesting malicious document with what appeared to be unique staging and execution mechanisms. Research can be found here: COVID-19 Phishing With a Side of Cobalt Strike Learn more about your ad choices. Visit megaphone.fm/adchoices

Guest LTC Erica Mitchell from Army Cyber Institute joins us to talk about their infrastructure resiliency research project called Jack Voltaic. The Army Cyber Institute’s (ACI’s) Jack Voltaic (JV) project enables the institute to study incident response gaps alongside assembled partners to identify interdependencies among critical infrastructure and provide recommendations. JV provides an innovative, bottom‐up approach to critical infrastructure resilience in two unique ways. Whereas most federal efforts to improve resiliency focus on regional or multistate emergency response, JV focuses on cities and municipalities where critical infrastructure and populations are most heavily populated. Furthermore, JV deviates from other cybersecurity and national preparedness exercises in that it builds around areas of interest nominated by the participants. Although JV events include national-level capabilities and resources, they are conceptually driven by the concerns of the cities and their infrastructure partners. Through this approach, the ACI, the Army, and the Department of Defense (DoD) are able to harvest insights about potential roles, dependencies, partners, and support requests, while cities are able to discover potential capability gaps and expand their critical infrastructure information-sharing networks before a potential disaster strikes. Research links: Jack Voltaic Cyber Research Project Jack Voltaic 3.0 Cyber Research Report Executive Summary Learn more about your ad choices. Visit megaphone.fm/adchoices

Guest Mike McLellan from Secureworks joins us to share his team's insights about SUPERNOVA and threat group attribution. Similarities between the SUPERNOVA activity and a previous compromise of the network suggest that SPIRAL was responsible for both intrusions and reveal information about the threat group. In late 2020, Secureworks® Counter Threat Unit™ (CTU) researchers observed a threat actor exploiting an internet-facing SolarWinds server to deploy the SUPERNOVA web shell. Additional analysis revealed similarities to intrusion activity identified on the same network earlier in 2020, suggesting the two intrusions are linked. CTU™ researchers attribute the intrusions to the SPIRAL threat group. Characteristics of the activity suggest the group is based in China. The research can be found here: SUPERNOVA Web Shell Deployment Linked to SPIRAL Threat Group Learn more about your ad choices. Visit megaphone.fm/adchoices

Guest Jen Miller-Osborn from Palo Alto Networks' Unit 42 joins Dave to discuss their 2021 Unit 42 Ransomware Threat Report, which highlights a surge in ransomware demands based on a global analysis of the threat landscape in 2020. To evaluate the current state of the ransomware threat landscape, the Unit 42 threat intelligence team and the Crypsis incident response team collaborated to analyze the ransomware threat landscape in 2020, with global data from Unit 42 as well as US, Canada, and Europe data from Crypsis. The report details the top ransomware variants, average ransomware payments, ransomware predictions, and actionable next steps to immediately reduce ransomware risk. The report can be found here: 2021 Unit 42 Ransomware Threat Report Learn more about your ad choices. Visit megaphone.fm/adchoices

Guest Jason Passwaters of Intel 471 joins us to discuss his team's research into bulletproof hosting (BPH). The research team at Intel 471 defined what a typical BPH service offers and how these services can be stopped in order to limit the damage they have on enterprises, businesses and digital society itself. They examined some popular malware families that actors host or leverage via BPH services. While much more goes into a cybercriminal’s full operation, it would be vastly more difficult to pull off without the ability to host malware and be free from impunity. Finally, they listed of some of the BPH providers that are firmly entrenched in the cybercrime underground and how they give support to other cybercriminal enterprises. By recognizing their behaviors, security teams can begin to take measures to figure out who the actors are, how they operate and what their infrastructure looks like. By doing so, organizations can begin to uncover ways to proactively counter maliciously-used infrastructure before criminals have a chance to launch their attacks. The blog posts can be found here: Hiding in plain sight: Bulletproof Hosting’s dueling forms Bulletproof hosting: How cybercrime stays resilient Here’s who is powering the bulletproof hosting market Learn more about your ad choices. Visit megaphone.fm/adchoices

Guest Deepen Desai joins Dave to talk about Zsaler's research "Return of the MINEBRIDGE RAT With New TTPs and Social Engineering Lures." In Jan 2021, Zscaler ThreatLabZ discovered new instances of the MINEBRIDGE remote-access Trojan (RAT) embedded in macro-based Word document files crafted to look like valid job resumes (CVs). Such lures are often used as social engineering schemes by threat actors. MINEBRIDGE buries itself into the vulnerable remote desktop software TeamViewer, enabling the threat actor to take a wide array of remote follow-on actions such as spying on users or deploying additional malware.The use of social engineering tactics targeting security teams appears to be on an upward trend. The research can be found here: Return of the MINEBRIDGE RAT With New TTPs and Social Engineering Lures Learn more about your ad choices. Visit megaphone.fm/adchoices

Guests Gage Mele, Winston Marydasan, and Yury Polozov from Anomali join Dave to discuss their research into Static Kitten targeting government agencies in the UAE and Kuwait. Anomali Threat Research uncovered malicious activity very likely attributed to the Iran-nexus cyberespionage group, Static Kitten (Seedworm, MERCURY, Temp.Zagros, POWERSTATS, NTSTATS, MuddyWater), which is known to target numerous sectors primarily located in the Middle East This new campaign, which uses tactics, techniques, and procedures (TTPs) consistent with previous Static Kitten activity, uses ScreenConnect launch parameters designed to target any MOFA with mfa[.]gov as part of the custom field. Anomali's team found samples specifically masquerading as the Kuwaiti government and the UAE National Council respectively, based on references in the malicious samples. The research can be found here: Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies Learn more about your ad choices. Visit megaphone.fm/adchoices

Guests Fernando Martinez and Tom Hegel from AT&T Alien Labs join Dave to discuss their team's research "Malware using new Ezuri memory loader." Multiple threat actors have recently started using a Go language (Golang) tool to act as a packer and avoid Antivirus detection. Additionally, the Ezuri memory loader tool acts as a malware loader and executes its payload in memory, without writing the file to disk. While this technique is known and commonly used by Windows malware, it is less popular in Linux environments. The research can be found here: Malware using new Ezuri memory loader Learn more about your ad choices. Visit megaphone.fm/adchoices

Guest Sergio Caltagirone from Dragos joins us to take us through their 2020 ICS Cybersecurity Year in Review report. Dragos's annual ICS Year in Review provides an overview and analysis of ICS vulnerabilities, global threat activity targeting industrial environments, and industry trends and observations gathered from customer engagements worldwide. The goal of the report is to give asset owners and operators proactive, actionable information and defensive recommendations in order to prepare for and combat the world’s most significant industrial cybersecurity adversaries. The report can be found here: 2020 ICS CYBERSECURITY YEAR IN REVIEW Learn more about your ad choices. Visit megaphone.fm/adchoices

Guest Jen Miller-Osborn from Palo Alto Networks' Unit 42 joins us to discuss their research into BendyBear. Highly malleable, highly sophisticated and over 10,000 bytes of machine code. The code behavior and features strongly correlate with that of the WaterBear malware family, which has been active since as early as 2009. The malware is associated with the cyber espionage group BlackTech, which many in the broader threat research community have assessed to have ties to the Chinese government, and is believed to be responsible for recent attacks against several East Asian government organizations. Due to the similarities with WaterBear, and the polymorphic nature of the code, Unit 42 named this novel Chinese shellcode “BendyBear.” It stands in a class of its own in terms of being one of the most sophisticated, well-engineered and difficult-to-detect samples of shellcode employed by an Advanced Persistent Threat (APT). The research can be found here: BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech Learn more about your ad choices. Visit megaphone.fm/adchoices

Guest Dr. Rosario Cammarota from Intel Labs joins us to discuss confidential computing. Confidential computing provides a secure platform for multiple parties to combine, analyze and learn from sensitive data without exposing their data or machine learning algorithms to the other party. This technique goes by several names — multiparty computing, federated learning and privacy-preserving analytics, among them. Confidential computing can enable this type of collaboration while preserving privacy and regulatory compliance. The research and supporting documents can be found here: Intel Labs Day 2020: Confidential Computing Confidential Computing Presentation Slides Demo video Learn more about your ad choices. Visit megaphone.fm/adchoices

Guest Hossein Jazi of Malwarebytes joins us to take a deep dive into North Korea's APT37 (aka ScarCruft, Reaper and Group123) toolkit. On December 7 2020 the Malwarebytes Labs threat team identified a malicious document uploaded to Virus Total which was purporting to be a meeting request likely used to target the government of South Korea. The meeting date mentioned in the document was 23 Jan 2020, which aligns with the document compilation time of 27 Jan 2020, indicating that this attack took place almost a year ago. The file contains an embedded macro that uses a VBA self decoding technique to decode itself within the memory spaces of Microsoft Office without writing to the disk. It then embeds a variant of the RokRat into Notepad. Based on the injected payload, the Malwarebytes team believes that this sample is associated with APT37. This North Korean group is also known as ScarCruft, Reaper and Group123 and has been active since at least 2012, primarily targeting victims in South Korea. The research can be found here: Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat Learn more about your ad choices. Visit megaphone.fm/adchoices

Guest Maurits Lucas from Intel471 joins us to discuss his team's research into cybercrime in China. Data from Intel 471 show that the Chinese cybercrime underground proliferates through use of common methods or platforms, but behaves differently in large part due to the caution that actors take with regard to their identity. While the average citizen must follow the heavy handed nature of the government’s surveillance of cyberspace, Chinese threat actors take special precautions to protect their forums, TTPs and themselves. This leads to the Chinese cybercrime underground being disorderly when compared to others, particularly Russia, which tend to be much more organized. The research can be found here: No pandas, just people: The current state of China’s cybercrime underground Learn more about your ad choices. Visit megaphone.fm/adchoices

Guest Bojan Zdrnja of Infigo IS and a certified instructor at SANS Institute shares an incident he discovered where attackers were using a pretty novel way of exfiltrating data and using that channel for C&C communication. The code that was acquired was only partially recovered, but enough to indicate powerful features that the attackers were (ab)using in Google Chrome. The basis for this attack were malicious extensions that the attacker dropped on the compromised system. The research can be found here: Abusing Google Chrome extension syncing for data exfiltration and C&C Learn more about your ad choices. Visit megaphone.fm/adchoices

Guest Dr. Shreyas Sen, a Perdue University associate professor of electrical and computer engineering, joins us to discuss the following scenario:. Instead of inserting a card or scanning a smartphone to make a payment, what if you could simply touch the machine with your finger? A prototype developed by Purdue University engineers would essentially let your body act as the link between your card or smartphone and the reader or scanner, making it possible for you to transmit information just by touching a surface. The research can be found here: Tech makes it possible to digitally communicate through human touch (press release) BodyWire-HCI: Enabling New Interaction Modalities by Communicating Strictly During Touch Using Electro-Quasistatic Human Body Communication (research paper) Learn more about your ad choices. Visit megaphone.fm/adchoices

Guest Joe Slowik joins us from Domain Tools to share their research "Current Events to Widespread Campaigns: Pivoting from Samples to Identify Activity" where they examined technical artifacts emerging around the 2020 conflict between Armenia and Azerbaijan in the Caucasus region. Cyber Threat Intelligence (CTI) practitioners can gain insight into adversary operations by tracking conflicts or geopolitical tensions. Similar to a “follow the money” approach in criminal investigations, looking at conflict zones can reveal cyber capabilities deployed as part of events —either by the parties to the conflict itself, or third parties interested in monitoring events for their own purposes. Based on precedent, analysts can identify developments in adversary operations and technical capabilities by tracking identifiers related to major events and conflict zones. Identifying capabilities deployed to take advantage of such items can yield insights into fundamental attacker tradecraft and behaviors, and enable defense and response for incidents which may strike far closer to home at a later date. The research can be found here: Current Events to Widespread Campaigns: Pivoting from Samples to Identify Activity Learn more about your ad choices. Visit megaphone.fm/adchoices

Guest Yonatan Striem-Amit joins us from Cybereason to share their Nocturnus Team research into Kimsuky. The Cybereason Nocturnus Team has been tracking various North Korean threat actors, among them the cyber espionage group known as Kimsuky, (aka: Velvet Chollima, Black Banshee and Thallium), which has been active since at least 2012 and is believed to be operating on behalf of the North Korean regime. The group has a rich and notorious history of offensive cyber operations around the world, including operations targeting South Korean think tanks, but over the past few years they have expanded their targeting to countries including the United States, Russia and various nations in Europe. The research can be found here: Back to the Future: Inside the Kimsuky KGH Spyware Suite Learn more about your ad choices. Visit megaphone.fm/adchoices

Guest Mark Arena from Intel471 joins us to discuss his team's research into Trickbot and its evolution from a banking trojan to a long-standing, most likely well-resourced operation that was taken down last year. Mark shares some insight into Trickbot's order of operations and what went on behind the scenes that his team working with Brian Krebs were able to discover. Since the separate and independent actions taken against Trickbot, Intel471 has observed successful disruption of its command and control infrastructure. However, the actors linked to Trickbot have not ceased their criminal activities. These actors have continued engaging in ransomware activity, using BazarLoader instead of Trickbot. Intel471 is unable to assess the long-term impact of the Trickbot disruption activity or whether Trickbot will continue to be used by cybercrime groups. This analysis covers the period from Sept. 22, 2020 until Nov. 6, 2020. The research can be found here: Trickbot down, but is it out? Learn more about your ad choices. Visit megaphone.fm/adchoices

Guest Selena Larson, senior cyber threat analyst at Dragos, Inc., joins us to discuss their research into recent observations of ICS-targeting threats to manufacturing organizations. Cyber risk to the manufacturing sector is increasing, led by disruptive cyberattacks impacting industrial processes, intrusions enabling information gathering and process information theft, and new activity from Industrial Control Systems (ICS)-targeting adversaries. Dragos currently publicly tracks five ICS-focused activity groups targeting manufacturing: CHRYSENE, PARISITE, MAGNALLIUM, WASSONITE, and XENOTIME in addition to various ransomware activities capable of disrupting operations. Manufacturing relies on ICS to scale, function, and ensure consistent quality control and product safety. It provides crucial materials, products, and medicine and is classified as critical infrastructure. Due to the interconnected nature of facilities and operations, an attack on a manufacturing entity can have ripple effects across the supply chain that relies on timely and precise production to support product fulfillment, health and safety, and national security objectives. Ransomware adversaries are adopting ICS-aware functionality with the ability to stop industrial related processes and cause disruptive – and potentially destructive – impacts. Dragos has not observed ICS-specific malware targeting manufacturing operations on the same scale or sophistication as that used in the disruptive TRISIS and CRASHOVERRIDE malware attacks that targeted energy operations in Saudi Arabia and Ukraine, respectively. However, known and ongoing threats to manufacturing can have direct and indirect impact to operations. This report provides a snapshot of the threat landscape as of October 2020 and is expected to change in the future as adversaries and their behaviors evolve. The research can be found here: ICS Threat Activity on the Rise in Manufacturing Sector Learn more about your ad choices. Visit megaphone.fm/adchoices

Deep Instinct's Shimon Oren joins us to talk about his team's research on "Why Emotet's latest wave is harder to catch than ever before - Part 2." Emotet appears to have reemerged more evasive than before, this time with a payload delivered from a loader that security tools aren’t equipped to handle. Emotet, the largest malware botnet today, started in 2014 and continues to be one of the most challenging threats in today’s landscape. This botnet causes huge damage by spreading ransomware and info stealers to its infected systems. Recently, a rise in the number of Emotet infections was observed in France, Japan, and New Zealand. The high number of infections shows the effectiveness of the Emotet malware at staying undetected. Shimon joins us to discuss how Deep Instinct investigated the payload that was encrypted inside the loader, analyzes the next steps in the infection process, and discovers the techniques used to make this malware difficult to analyze. The original blog post and updated post on the research can be found here: Emotet Analysis: Why Emotet’s Latest Wave is Harder to Catch than Ever Before Why Emotet's latest wave is harder to catch than ever before - Part 2 Learn more about your ad choices. Visit megaphone.fm/adchoices

Researchers at Cisco's Talos Unit recently published research exploring the tactics, technics and procedures of the global malvertising ecosystem. Craig Williams is head of Talos Outreach at Cisco, and he guides us through the life cycle of malicious online ads, along with tips for protecting yourself and your organization. The research can be found here: https://blog.talosintelligence.com/2019/07/malvertising-deepdive.html Learn more about your ad choices. Visit megaphone.fm/adchoices

Researchers at Symantec have been tracking Seedworm, a cyber espionage group targeting the Middle East as well as Europe and North America. The threat group targets government agencies, oil & gas facilities, NGOs, telecoms and IT firms. Al Cooley is director of product management at Symantec, and he joins us to share their findings. The original research can be found here: https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group Learn more about your ad choices. Visit megaphone.fm/adchoices

On August 24, 2020, Snyk announced the discovery of suspicious behaviors in the iOS version of a popular advertising SDK known as Mintegral. At that time, they had confirmed with partners in the advertising attribution space that at minimum, Mintegral appeared to be using this functionality to gather large amounts of data and commit ad attribution fraud. Their research showed that Mintegral was using code obfuscation and method swizzling to modify the functionality of base iOS SDK methods without the application owner’s knowledge. Further, their research proved that Mintegral was logging all HTTP requests including its headers which could even contain authorization tokens or other sensitive data. Since that time Mintegral announced that they were opening the source of their SDK to the market. While the SDK can only be downloaded by registered partners, a major game publisher shared the source code with Snyk for further analysis. They also continued their research by digging deeper into the Android versions of the SDK in which they hadn’t found similar behaviors at the time of the initial disclosure. This has resulted in some significant discoveries that necessitate an update to the previous disclosure. Additionally, Mintegral and the community at large have responded to the situation, and Snyk felt a summary of the events was a good way to finalize their research into this SDK. Joining us on Research Saturday to discuss their research is Snyk's Alyssa Miller. The original blog and Snyk's update can be found here: SourMint: malicious code, ad fraud, and data leak in iOS SourMint: iOS remote code execution, Android findings, and community response Learn more about your ad choices. Visit megaphone.fm/adchoices

From US Department of Justice: "On Oct. 15, 2020, a federal grand jury in Pittsburgh returned an indictment charging six computer hackers, all of whom were residents and nationals of the Russian Federation (Russia) and officers in Unit 74455 of the Russian Main Intelligence Directorate (GRU), a military intelligence agency of the General Staff of the Armed Forces. These GRU hackers and their co-conspirators engaged in computer intrusions and attacks intended to support Russian government efforts to undermine, retaliate against, or otherwise destabilize: (1) Ukraine; (2) Georgia; (3) elections in France; (4) efforts to hold Russia accountable for its use of a weapons-grade nerve agent, Novichok, on foreign soil; and (5) the 2018 PyeongChang Winter Olympic Games after Russian athletes were banned from participating under their nation’s flag, as a consequence of Russian government-sponsored doping effort. Their computer attacks used some of the world’s most destructive malware to date, including: KillDisk and Industroyer, which each caused blackouts in Ukraine; NotPetya, which caused nearly $1 billion in losses to the three victims identified in the indictment alone; and Olympic Destroyer, which disrupted thousands of computers used to support the 2018 PyeongChang Winter Olympics. The indictment charges the defendants with conspiracy, computer hacking, wire fraud, aggravated identity theft, and false registration of a domain name." Returning to Research Saturday this week to discuss their research of NotPetya and Olympic Destroyer are Cisco Talos' Craig Williams and Matt Olney. The indictment and Cisco's research can be found here: Six Russian GRU Officers Charged in Connection with Worldwide Deployment of Destructive Malware and Other Disruptive Actions in Cyberspace New Ransomware Variant "Nyetya" Compromises Systems Worldwide The MeDoc Connection Who Wasn’t Responsible for Olympic Destroyer? Olympic Destroyer Takes Aim At Winter Olympics Learn more about your ad choices. Visit megaphone.fm/adchoices

While SSL/TLS encryption is the industry standard for protecting data in transit from prying eyes, encryption has, itself, become a threat. It is often leveraged by attackers to sneak malware past security tools that do not fully inspect encrypted traffic. As the percentage of traffic that is encrypted continues to grow, so do the opportunities for attackers to deliver threats through encrypted channels. To better understand the use of encryption and the volume of encrypted traffic that is inspected, Zscaler's research team, ThreatLabZ, analyzed encrypted traffic across the Zscaler cloud for the first nine months of 2020, assessing its use within specific industries. The study also set out to analyze the types of attacks that use encryption and the extent of the current risk. Returning to Research Saturday this week to discuss the report is Zscaler's CISO and VP of Security Research, Deepen Desai. The research can be found here: 2020: The State of Encrypted Attacks Blog 2020: The State of Encrypted Attacks Report Learn more about your ad choices. Visit megaphone.fm/adchoices

The goal of malicious activity is to compromise the system to install some unauthorized software. Increasingly that goal is tied to one thing: the user. Over the past several years, we as an industry improved exploit mitigation and the value of working exploits has increased accordingly. Together, these changes have had an impact on the threat landscape. We still see large amounts of active exploitation, but enterprises are getting better at defending against them. This has left adversaries with a couple of options, develop or buy a working exploit that will defeat today's protections, which can be costly, or pivot to enticing a user to help you. In today's threat landscape, adversaries are always trying to develop and implement the most effective lures to try and draw users into their infection path. They've tried a multitude of different tactics in this space, but one always stands out — current events. Joining us on this week's Research Saturday from Craig Williams from Cisco's Talos Outreach team to walk us through how current events are used as lures. The research and blog post can be found here: Adversarial use of current events as lures Learn more about your ad choices. Visit megaphone.fm/adchoices

Identity and access are intrinsically connected when providing security to cloud platforms. But security is only effective when environments are properly configured and maintained. In the 2H 2020 edition of the biannual Unit 42 Cloud Threat Report, researchers conducted Red Team exercises, scanned public cloud data and pulled proprietary Palo Alto Networks data to explore the threat landscape of identity and access management (IAM) and identify where organizations can improve their IAM configurations. During a Red Team exercise, Unit 42 researchers were able to discover and leverage IAM misconfigurations to obtain admin access to a customer’s entire Amazon Web Services (AWS) cloud environment – a potentially multi-million dollar data breach in the real-world. These examples highlight just how serious the failure to secure IAM can be for an organization. Joining us in this week's Research Saturday to discuss the report for Palo Alto Networks' Unit 42 is CSO of Public Cloud, Matt Chiodi. The research can be found here: Highlights from the Unit 42 Cloud Threat Report, 2H 2020 Learn more about your ad choices. Visit megaphone.fm/adchoices

In the late 90s, hackers who discovered vulnerabilities would sometimes send an email to Bugtraq with details. Bugtraq was a notification system used by people with an interest in network security. It was also a place that might have been monitored by employees of software companies looking for reports of vulnerabilities pertaining to their software. The problem was - there wasn't an easy way to track specific vulnerabilities in specific products. It was May 1999. Larry Cashdollar was working as a system administrator for Bath Iron Works under contract by Computer Sciences Corporation. Specifically, he was a UNIX Systems Administrator, level one. His team managed over 3,000 UNIX systems across BIW's campuses. Most of these were CAD systems used for designing AEGIS class destroyers. This position gave me access to over 3,000 various flavors of UNIX ranging from Sun Solaris to IBM AIX. Joining us in this week's Research Saturday to discuss his journey from finding that first CVE through the next 20 years and hundreds of CVEs is Akamai Senior Response Engineer Larry Cashdollar. The research can be found here: MUSIC TO HACK TO: MY FIRST CVE AND 20 YEARS OF VULNERABILITY RESEARCH Learn more about your ad choices. Visit megaphone.fm/adchoices

Cisco Talos discovered PoetRAT earlier this year. Since then, they observed multiple new campaigns indicating a change in the actor's capabilities and showing their maturity toward better operational security. They assess with medium confidence this actor continues to use spear-phishing attacks to lure a user to download a malicious document from temporary hosting providers. They currently believe the malware comes from malicious URLs included in the email, resulting in the user clicking and downloading a malicious document. These Word documents continue to contain malicious macros, which in turn download additional payloads once the attacker sets their sites on a particular victim. As the geopolitical tensions grow in Azerbaijan with neighboring countries, this is no doubt a stage of espionage with national security implications being deployed by a malicious actor with a specific interest in various Azerbajiani government departments. Joining us in this week's Research Saturday to discuss the research from Cisco's Talos Outreach is Craig Williams. The research can be found here: PoetRAT: Malware targeting public and private sector in Azerbaijan evolves Learn more about your ad choices. Visit megaphone.fm/adchoices

The U.S. government has charged seven men in relation to hundreds of cyber attacks against organizations in the U.S. and multiple other countries in Asia and Europe. Two of the men, who were based in Malaysia, were arrested and their extradition to the U.S. has been requested. The other five are based in China and remain at large. The attacks were attributed to a China-linked organization dubbed APT41 and involved a combination of intellectual property theft and financially motivated cyber crime. While some of our peers monitor APT41 as a single operation, Symantec regards it as two distinct actors: Grayfly and Blackfly. Joining us in this week's Research Saturday to discuss the research from Symantec's Threat Hunter Team is Jon DiMaggio. The research can be found here: APT41: Indictments Put Chinese Espionage Group in the Spotlight Learn more about your ad choices. Visit megaphone.fm/adchoices

Learn more about your ad choices. Visit megaphone.fm/adchoices

Ben-Gurion University researchers have developed a new artificial intelligence technique that will protect medical devices from malicious operating instructions in a cyberattack as well as other human and system errors. Complex medical devices such as CT (computed tomography), MRI (magnetic resonance imaging) and ultrasound machines are controlled by instructions sent from a host PC. Abnormal or anomalous instructions introduce many potentially harmful threats to patients, such as radiation overexposure, manipulation of device components or functional manipulation of medical images. Threats can occur due to cyberattacks, human errors such as a technician's configuration mistake or host PC software bugs. As part of his Ph.D. research, Tom Mahler has developed a technique using artificial intelligence that analyzes the instructions sent from the PC to the physical components using a new architecture for the detection of anomalous instructions. Joining us in this week's Research Saturday to discuss his research is CBG - Cyber@Ben Gurion University's Tom Mahler. The research can be found here: A Dual-Layer Architecture for the Protection of Medical Devices from Anomalous Instructions Learn more about your ad choices. Visit megaphone.fm/adchoices

Bitdefender researchers recently uncovered a sophisticated APT-style attack targeting an international architectural and video production company. The attack shows signs of industrial espionage, similar to another of Bitdefender’s recent investigations of the StrongPity APT group. The real-estate industry is highly competitive, and information exfiltrated by APT mercenary group can give negotiation advantages to other players in high-profile real-estate contracts. While APT groups traditionally could only be afforded by governments or were financially motivated purely out of self-interest, they recently appear to have become a commodity. Joining us in this week's Research Saturday to discuss the research is Global Cybersecurity Researcher Liviu Arsene from Bitdefender. The research can be found here: APT Hackers for Hire Used for Industrial Espionage Learn more about your ad choices. Visit megaphone.fm/adchoices

Containers offer speed, performance, and portability, but do they actually contain? While they try their best, the shared kernel is a disturbing attack surface: a mere kernel vulnerability may allow containerized processes to escape and compromise the host. This issue prompted a new wave of sandboxing tools that use either unikernels, lightweight VMs or userspace-kernels to separate the host OS from the container's OS. One of these solutions is Kata Containers, a container runtime that spawns each container inside a lightweight VM, and can function as the underlying runtime in Docker and Kubernetes. Kata's virtualized containers provide two layers of isolation: even if an attacker breaks out of the container, he is still confined to the microVM. Joining us in this week's Research Saturday to discuss the research is Yuval Avrahami from Palo Alto Networks Unit 42. The research presented at Black Hat USA 2020 can be found here: Escaping Virtualized Containers Learn more about your ad choices. Visit megaphone.fm/adchoices

Threat actors and cybercriminals that don’t have the ability to develop their own ransomware for malicious campaigns can turn to the Smaug Ransomware as a Service (RaaS) offering, which is available via a Dark Web Onion site. At least two threat actors are operating the site, providing ransomware that can be used to target Windows, macOS, and Linux machines. The site is built with ease of use in mind. To launch an attack, threat actors simply need to sign up, create a campaign, and then start distributing the malware. The site also handles decryption key purchasing and tracking for victims. Joining us in this week's Research Saturday to discuss the research is Anomali's Joakim Kennedy and Rory Gould. The research can be found here: Anomali Threat Research Releases First Public Analysis of Smaug Ransomware as a Service Learn more about your ad choices. Visit megaphone.fm/adchoices

Throughout March and April, QuoIntelligence (QuoINT) observed four attacks (i.e. sightings) utilizing various tools from the Golden Chickens (GC) Malware-as-a-Service (MaaS) portfolio – they recently declassified their findings, after first notifying their clients. Further, during their analysis of the sightings, QuoIntelligence confirmed the GC MaaS Operator, Badbullzvenom, released improved variants with code updates to three tools in the service portfolio. Joining us in this week's Research Saturday to discuss the research is QuoIntelligence's Vice President of Threat Intelligence, Chaz Hobson. The research can be found here: Latest Golden Chickens MaaS Tools Updates and Observed Attacks Learn more about your ad choices. Visit megaphone.fm/adchoices

After the 2016 General Election, the talk was all around foreign meddling. Rumors swirled that some votes may have been changed or influenced by state-sponsored actors. Sanctions and accusations followed. Four years later, is the U.S. any more prepared to protect the results of its largest elections? More than you may realize. Talos researchers take a deep dive into election security after spending the past four years talking to local, state and national officials, performing their own independent research and even watching one state plan an election in real-time. Joining us in this week's Research Saturday to discuss the report on this timely topic is Cisco Talos' Matt Olney. The research can be found here: What to expect when you’re electing: Talos’ 2020 election security primer. Learn more about your ad choices. Visit megaphone.fm/adchoices

Researchers at Symantec spotted a Sodinokibi targeted ransomware campaign in which the attackers are also scanning the networks of some victims for credit card or point of sale (PoS) software. It is not clear if the attackers are targeting this software for encryption or because they want to scrape this information as a way to make even more money from this attack. Joining us in this week's Research Saturday to discuss the report is Jon DiMaggio of Symantec. The research can be found here: Sodinokibi: Ransomware Attackers also Scanning for PoS Software, Leveraging Cobalt Strike Learn more about your ad choices. Visit megaphone.fm/adchoices

A look at the realities of ransomware from Sophos, including an industry-first detailed look at new detection evasion techniques in WastedLocker ransomware attacks that leverage the Windows Cache Manager and memory-mapped I/O to encrypt files. A complementary article examines the evasion-centric arms race of ransomware, providing a months-long review of how cybercriminals have been escalating and markedly changing evasion techniques, tactics and procedures (TTPs) since Snatch ransomware in December 2019. The research also breaks down the five early warning signs organizations are about to be attacked by ransomware and why ransomware attacks continue to occur. Joining us on this week's Research Saturday to walk us through the research and share their findings is Sophos' Principal Research Scientist Chet Wisniewski and EVP & Chief Product Officer Dan Schiappa. The media alert and research articles can be found here: Media Alert: Sophos Reports on the Realities of Ransomware WastedLocker’s techniques point to a familiar heritage Ransomware’s evasion-centric arms race 5 signs you’re about to be hit by ransomware The realities of ransomware: extortion goes social Ransomware: why it’s not just a passing fad Learn more about your ad choices. Visit megaphone.fm/adchoices

Docker containers have been gaining popularity over the past few years as an effective way of packaging software applications. Docker Hub provides a strong community-based model for users and companies to share their software applications. This is also attracting the attention of malicious actors intending to make money by cryptojacking within Docker containers and using Docker Hub to distribute these images. Palo Alto Networks' Unit 42 researchers identified a malicious Docker Hub account, azurenql, active since October 2019 that was hosting six malicious images intended to mine the cryptocurrency, Monero. The images hosted on this account have been collectively pulled more than two million times. Additionally, when last checked minexmr.com for this wallet ID, Palo Alto's team saw recent activity indicating that it’s still being used. Joining us on this week's Research Saturday is Jen Miller-Osborn from Palo Alto Networks' Unit 42 group to share the research and findings. The research and blog post can be found here: Attackers Cryptojacking Docker Images to Mine for Monero Learn more about your ad choices. Visit megaphone.fm/adchoices