Search This Blog

Showing posts with label FireEye. Show all posts

Threat Actors' Dwell Time Reduced to 24 Days, FireEye Reports

 

FireEye, the intelligence-led security company, published the FireEye Mandiant M-Trends 2021 report. The FireEye-owned forensic specialist’s M-Trends 2021 report was compiled from investigations of targeted attack activity between October 1, 2019, and September 30, 2020. This year’s report outlines critical details on the latest attacker methodologies and malware, the growth of multifaceted extortion and ransomware, preparing for expected UNC2452 / SUNBURST threat actors, growing insider threats, and industry targeting trends. 

“UNC2452, the threat actor responsible for the SolarWinds supply chain attack, reminds us that a highly-disciplined and patient actor cannot be underestimated. This actor’s attention paid to operational security, counter forensics, and even counterintelligence set it apart from its peers. Defense against this actor will not be easy, but it is not impossible. We have learned a great deal about UNC2452 in recent months, and we believe that intelligence will be our advantage in future encounters," said Sandra Joyce, Executive Vice President, Global Threat Intelligence, Mandiant.

Over the past decade, Mandiant has noticed a trending reduction in global median dwell time (defined as the duration between the start of a cyber intrusion and when it is identified). The researchers revealed that 59% of organizations detected attackers within their own environments over the period, a 12-percentage point increase on the previous year. The speed at which they did so also increased: dwell time for attackers inside corporate networks fell below a month for the first time in the report’s history, with the median global figure now at 24 days.

This is in stark contrast to the 416 days it took firms when the report was first published in 2011. It's also more than twice as fast as the previous year (56 days) and shows that detection and response are moving in the right direction. For incidents notified to firms externally, the figure was slightly higher (73 days) and for internally detected attacks it was lower (12 days). In America, dwell time dropped from 60 days in 2019 to just 17 days last year, while in APAC (76 days) and EMEA (66 days) the figure increased slightly. 

The top five most targeted industries, in order, are Business and Professional Services, Retail and Hospitality, Financial, Healthcare and High Technology. Mandiant experts observed that organizations in the Retail and Hospitality industry were targeted more heavily in 2020 – coming in as the second most targeted industry compared to 11th in last year’s report. 

Healthcare also rose significantly, becoming the third most targeted industry in 2020, compared to eighth in last year’s report. This increased focus by threat actors can most likely be explained by the vital role the healthcare sector played during the global pandemic.

However, a major contributing factor to the global reduction in dwell time may be the escalation of ransomware attacks, which usually take place over a shorter time frame than traditional cyber-espionage or data theft operations.

Sunshuttle, the Latest Strain Allegedly Linked to SolarWinds Hackers

 

FireEye researchers have discovered a new strain of backdoor malware on the servers of an organization exploited by the SolarWinds hackers. The new strain is identified as ‘Sunshuttle’ and it was uploaded by a U.S.-based entity to a public malware repository in August 2020.

FireEye researchers Lindsay Smith, Jonathan Leathery, and Ben Read believe this new strain is connected to the hackers behind the SolarWinds supply-chain attack. Sunshuttle is a second-stage backdoor written in Go that uses HTTP to link with a command-and-control server for data exfiltration and adding a new code. 


Hacking of cybercrime forums ‘Mazafaka and Exploit’


Mysterious threat actors are targeting popular Russian language cybercrime forums ‘Mazafaka and Exploit’ and are leaking the stolen data on the dark web. On Tuesday, unknown threat actors dumped thousands of usernames, email addresses, and passwords on the dark web apparently stolen from Mazafaka. Threat actors have also leaked a 35-page PDF online which is a private encryption key allegedly used by Maza administrators. 

According to cyber intelligence firm Intel 471, “the file comprised more than 3,000 rows, containing the username, partially obfuscated passwords hashes, email addresses, and other contact details. Initial analysis of the leaked data pointed to its probable authenticity, as at least portion of the leaked user records correlated with our own data holdings.”

Antivirus Creator John McAfee charged with $13M cryptocurrency fraud 


John McAfee has been charged with securities fraud over a ‘pump-and-dump’ cryptocurrency scheme. Federal prosecutors unsealed a case against McAfee and his executive advisor and bodyguard Jimmy Gale Watson Jr. claiming the pair has raked in more than $13 million from the investors they victimized with their fraudulent schemes.

In late 2017 and early 2018, McAfee urged his hundreds of thousands of Twitter followers to invest in a number of obscure cryptocurrencies. Prosecutors say he failed to disclose his own financial stake in those tokens and in some cases outright lied about it. 

“The defendants allegedly used McAfee’s Twitter account to publish messages to his hundreds of thousands of Twitter followers touting various cryptocurrencies through false and misleading statements to conceal their true, self-interested motives,” Manhattan US Attorney Audrey Strauss stated.

US Cybersecurity Company FireEye Hacked by 'Nation-Backed' Threat Actors


On Tuesday, one of the leading cybersecurity firms, FireEye said that it has been attacked by "highly sophisticated" state-sponsored hackers who stole the company's valuable hacking tools used for testing customers' security and computer networks. The attack was heavily customized to breach FireEye's systems. 
 
The breach substantiated the biting reality that the most advanced security vendors out there, primarily to protect others from intrusions can also be targeted and consequently hacked. Notably, the attacker mainly sought data of some government customers, using an unprecedented combination of tactics, according to the firm. CEO Kevin Mandia in his blogpost characterized the attack as a 'highly targeted cyberattack', a kind never witnessed before. So far, no customer data seem to be accessed by the attackers. 
 
There are a number of speculations about who might have performed the attack, however, the firm gave no clarity about the origins of the attackers and is investigating the matter along with the FBI. In a similar context, Mandia indicated in his blog post that the nation responsible for the attack is someone with world-class offensive capabilities as the unfamiliarity of the attack speaks volumes about the top-notch capabilities tailor-made to attack FireEye.  
 
On the basis of his 25 years of experience in cybersecurity, Mr. Mandia further said in his Saturday's blog that this attack was “different from the tens of thousands of incidents we have responded to throughout the years,” and “used a novel combination of techniques not witnessed by us or our partners in the past.” 
 
“These tools mimic the behavior of many cyber threat actors and enable FireEye to provide essential diagnostic security services to our customers,” the company said in the filing. “Consistent with our goal to protect the community, we are proactively releasing methods and means to detect the use of our stolen Red Team tools.” 
 
While giving insights, a CISA spokesperson told, "As details are made available we are working to share and implement countermeasures across the federal networks and with our private sector partners," 
 
Meanwhile, FireEye has been said to have a "ringside seat" for some of the most advanced intrusions carried out globally by Mike Chapple, a former NSA official who's currently working at the University of Notre Dame as a cybersecurity expert.

Indian Healthcare Website Hacked, stolen data for sale





US-based cyber-security firm FireEye discovered a hack into a leading Indian healthcare website, stealing more than 68 lakh data of both doctors and patients.

The FireEye did not name the website but said that the cybercriminals mostly from China are selling the stolen data in web portals around the world.

"In February, a bad actor that goes by the name "fallensky519" stole 6,800,000 records associated with an India-based healthcare website that contains patient information and personally identifiable information (PII), doctor information and PII and credentials," FireEye said in its report shared with IANS.

According to FireEye, in between October 1, 2018, and March 31, 2019, their intelligence team stumbled upon on multiple healthcare-associated databases which were for sale in $2,000.

"In particular, it is likely that an area of unique interest is cancer-related research, reflective of China's growing concern over increasing cancer and mortality rates, and the accompanying national health care costs," the cyber-security agency noted.

"Targetting medical research and data from studies may enable Chinese corporations to bring new drugs to market faster than Western competitors," the report claimed.

Asia Pacific is No 1 hunting ground for hackers

Global data from last year found that 64 per cent of all FireEye-managed detection and response customers were targeted again by the same or similarly motivated attack group -- up from 56 per cent in 2017 and Asia Pacific tops the list of malware report for 2019.

As organisations get better at detecting data breaches, hackers have become increasingly persistent, retargeting the firms they earlier broke into, US-based cybersecurity firm FireEye said on Monday.

A US-headquartered firm, Malwarebytes estimated an increase of 270% of malware detections amongst business in the Asia-Pacific region.

The financial services sector was seen to have the largest number of retargeted victims in 2018, particularly in the Asia-Pacific region, revealed the "FireEye 2019 Mandiant M-Trends Report". This trend is particularly relevant for the Indian market, given last year's cyber attack incidents at Cosmos Bank and State Bank of Mauritius.

Among the top ten countries that pose the biggest threat to malware, Asia Pacific tops the list with five countries.

Country                                          Biggest Threat

1. United States                              Information Theft
2. Indonesia                                    Backdoors
3. United Kingdom                         Information Theft
4. France                                         Information Theft
5. Malaysia                                     Backdoors
6. Thailand                                      Backdoors
7. Australia                                     Cryptomining
8. Germany                                     Information Theft
9. Brazil                                          Adware
10. Philippines                                Information Theft

"I encourage Indian firms to reassess their security posture and determine whether they can quickly detect and respond to intrusions," said Steve Ledzian, Vice President and APAC CTO, FireEye.

The Indian businesses must also determine whether "they know who is likely to attack them and how, and whether they have tested their security against human attackers in a red team scenario to try to spot weaknesses before their real world adversaries do," Ledzian said in a statement.

Singapore, a prized target

In Singapore alone, Malwarebytes saw a 180% increase in malware detections amongst the business sectors.

In the meantime, organisations appear to be getting better at discovering breaches internally, rather than being notified by an outside source such as law enforcement.