Connect with us

Cyber Security

The Prometheus traffic direction system is a major player in malware distribution



Cybercrime is fueled by a complex ecosystem of criminal groups that specialize on different pieces of the final attack chains experienced by victims. There are the malware developers, the access brokers, the spammers, the private information sellers, the botnet operators, the malvertizers and more.

One service that is often overlooked but still plays an important role in malware delivery are so-called traffic direction systems (TDS). These are networks of compromised websites and other servers whose goal is to direct victims to malware or phishing pages. Due to the decline of web-based exploit kits and drive-by downloads in recent years, such services have fallen out of the spotlight, but an investigation into a TDS called Prometheus shows that they still play a key role in ransomware and other malware distribution.

What is Prometheus TDS?

According to a new report by researchers from Blackberry, Prometheus TDS appeared around September 2020 when it was advertised on an underground Russian forum by a user called Ma1n. The user has been active in the cybercrime scene since at least 2018, previously advertising mass email services and non-blacklisted business-grade SMTP servers that can be used to send hundreds of thousands of emails with proper SPF, DKIM and DMARC headers.

Ma1n also previously offered web traffic redirect services via existing TDS solutions such as Blacktds and KeitaroTDS. It seems the expertise acquired over the years led to them creating their own solution dubbed Prometheus.

The goal of such traffic direction systems is to redirect legitimate web users to malware, phishing pages, tech support scams, or other malicious operations. This is achieved by placing malicious scripts on compromised websites that intercept traffic or through malicious advertisements that are served to users on legitimate websites through ad networks.

The main benefit of a TDS is that it allows cybercriminals to define redirection rules from an administration panel based on the type of visitors hitting the system’s web of malicious landing pages. On compromised websites, Prometheus achieves this through a simple PHP backdoor script that fingerprints visitors — browser, OS, timezone, language settings — and sends the information back to a command-and-control server from where it pulls redirect instructions defined by attackers. This means that different categories of visitors can be redirected to different campaigns depending on the target audience the different groups renting TDS services want to reach and victims can also end up seeing localized scams in their language.

The BlackBerry researchers believe the Prometheus PHP backdoor is deployed on websites that use a vulnerable version of the PHPMailer software. However, the use of this script has declined significantly over the past few months, possibly in favor of other methods.

According to an August analysis of Prometheus by Russian cybercrime investigation firm Group-IB, a typical attack chain will start with spam emails that contain either an HTML attachment, a Google Docs URL, or a link to a web shell hosted on a compromised server. In all cases, the goal is to get the user to open a malicious URL that will lead to a Prometheus PHP backdoor. In the second stage, the backdoor collects the visitor info, sends it to the admin panel and then decides to either serve malware directly to the user or redirect them to another URL that has been defined by attackers.

Prometheus is used by many cybercriminal groups

In its analysis, Group-IB mentioned seeing Prometheus distributing Campo Loader, also known as BazaLoader, in the form of decoy Microsoft Office files with malicious macros attached. Malware loaders are small first-stage downloaders that are used to distribute other malicious programs, often as part of a pay-per-install service offered to cybercriminals. Campo Loader was used in the past to distribute TrickBot and the Ursnif/Gozi Trojans. TrickBot was used itself in the past as an access facilitator to deploy Ryuk ransomware and other malware.

According to Group-IB, other Trojans distributed by Prometheus include Hancitor, which was linked to Ficker Stealer, Cobalt Strike, and Send-Safe; IcedID, which is known to distribute ransomware; QBot, a general-purpose banking Trojan; VBS Loader; Buer Loader; and SocGholish. The lures used by Prometheus to distribute these malware programs varies from fake Chrome updates and VPN software to malicious documents that claim to need DocuSign authorization and ZIP archives with malicious scripts. The TDS has also been used to redirect users to bank phishing sites, Viagra spam and more.

The pirated Cobalt Strike link

BlackBerry researchers noticed a significant correlation between Prometheus affiliates and the use of the Cobalt Strike Beacon with a particular pirated encryption key. Cobalt Strike is a commercial penetration testing toolkit, but it has been adopted by many cybercriminal groups as a backdoor because of its stealthy capabilities.

The Cobalt Strike implant called a beacon that’s deployed on compromised machines communicates back to a command-and-control server called a team server. The traffic between the beacon is encrypted using public-private cryptography with a key pair generated when the team server is first deployed. However, the BlackBerry researchers noted many Prometheus-related malware distribution campaigns using the same Cobalt Strike key pair.

One of these key pairs has also been found and documented by researcher  Didier Stevens of NVISO Labs who noted that along with another key pair, it accounts for 25% of Cobalt Strike team servers on the internet. This suggests it’s likely distributed as part of a pirated version of Cobalt Strike, since normally each team server deployment should have its unique key pair.

“While we cannot say for certain, it’s possible that someone connected with the Prometheus TDS is maintaining this cracked copy and providing it upon purchase,” the BlackBerry researchers said. “It is also possible that this cracked installation may be provided as part of a standard playbook or a virtual machine (VM) installation.”

Since January 2020, many cybercriminal groups have used Cobalt Strike with this unique key pair and while it’s not clear if all were Prometheus customers, the BlackBerry researchers have seen evidence that the following were: DarkCrystalRAT, FickerStealer, Cerber, REvil (a.k.a. Sodinokibi), Ryuk (a.k.a. WizardSpider) and BlackMatter. Additionally, other groups mentioned in Group-IB’s Prometheus analysis last year have used the same Cobalt Strike pirated version: MAN1, FIN7 and IcedID.

“Searching across our customers’ data for signs of Prometheus/Cobalt Strike-related activity reveals some interesting trends,” the BlackBerry researchers said. “The list of inbound TCP ports shows evidence of port scanning, with threat actors performing reconnaissance of Internet-facing infrastructure. In all likelihood, they are doing so in search of one of the greatest Achilles’ heels for organizations: remotely exploitable services.”

Scans on port 3389 used by the Windows Remote Desktop Protocol (RDP) were most common and seen in almost 60% of cases. This is not surprising, since RDP has been one of the main ways for ransomware gangs to break into networks and, as previously seen, the list of Prometheus customers includes many ransomware groups. Also, some Cobalt team servers were seen operating as RDP jump stations for Prometheus. Scans on ports 443 (HTTPS), 21 (Telnet) and 80 (HTTP) were also common, as expected. The researchers noted multiple connections from Tomcat Java web servers back to a Prometheus-related IP address, which could suggest some Tomcat vulnerability exploitation and Cobalt beacon deployment.

Across campaigns using the pirated Cobalt Strike version and key pair, organizations in the public sector were by far the most common target at 21%, followed by those in commerce, retail, education and health — all in the low single digits percentage-wise.

“Prometheus can be considered a full-bodied service/platform that allows threat groups to purvey their malware or phishing operations with ease,” the BlackBerry researchers said. “Think of Prometheus like a freight transport infrastructure, except instead of carrying food or petrochemicals, it carries a range of cyber offensive capabilities and malware to its targets. The irony of this analogy is that services like Prometheus enable bad actors to target companies that provide actual infrastructure – such as freight transport and other critical services – in the physical world.”

Copyright © 2022 IDG Communications, Inc.

Source link

Cyber Security

In-house vs. Outsourced Security: Understanding the Differences



Cybersecurity is not optional for businesses today. Ignoring security can result in a devastating breach or a productivity-sapping attack on the organization. But for many small- and medium-sized businesses (SMBs), the debate often revolves around whether to hire a third party or assemble an in-house security operations team.

Both options have their own pros and cons, but SMBs should weigh several factors to make the best decision for their own unique security needs. An in-house team, a managed security services provider (MSSP), or even a hybrid approach can make sense for various reasons.

Before choosing to build an in-house security team or outsource to an MSSP, businesses must first evaluate their unique needs to ensure the choice lays a foundation for future success.

Weighing control vs. costs

The obvious reason for assembling your own security team is control and immediate knowledge of what goes into your security operations.

“Handling security internally means you will sometimes have better visibility and centralized management,” says Scott Barlow, vice president of global MSP and cloud alliances at Sophos. “That said, if you outsource with the right service provider, visibility into what is going on should not be an issue.”

For many smaller organizations, the cost of running an in-house security program is prohibitive. Hiring skilled security specialists is expensive, and they are often difficult to find. They require regular training, and certifications must be kept fresh – typically at a cost to the employer.

“When you outsource to an MSSP, you will be paying a lot less than paying a senior security executive,” Barlow says. “I suggest that organizations conduct a cost analysis of outsourcing compared to paying salaries. Much of the time, it’s better to outsource.”

There are also technology and license costs to consider. Keeping software licenses up to date can consume both time and money, whereas working with an MSSP means access to the latest technology without worrying about license costs.

If both are important, try a hybrid model

Of course, some large organizations might need an in-house security presence.

“Generally, the larger you become, the more you need someone internally. That is where a co-managed model makes the most sense,” Barlow says.

In a hybrid model, companies tap outside support to collaborate with an internal security executive or team. This approach allows for more scalability while also providing the business with plenty of expertise through their relationship with the MSSP.

“Maybe you want to outsource a portion of the services because you can’t cover 24-7. Or maybe you need coverage on weekends,” Barlow says.

One major benefit to tapping outside support: your in-house team will have more time to focus on mission-critical objectives.

“With a hybrid approach, the internal IT and security teams can pivot to focus on more revenue generating activities,” Barlow says.

Click here to learn more.

Copyright © 2022 IDG Communications, Inc.

Source link

Continue Reading

Cyber Security

Prevention or Detection: Which Is More Important for Defending Your Network?



When it comes to physically protecting a building, you have two primary defenses: prevention and detection. You can either prevent people from entering your property without your permission, or you can detect when they have already trespassed onto your property. Most people would prefer to prevent any trespassing, but a determined adversary is always going to be able gain access to your building, given enough time and resources. In this scenario, detection becomes the only alternative.

The same holds true for protecting assets in the digital world. We have the same two primary defenses: prevention and detection. And just like in the physical world, a determined adversary is going to gain access to your digital assets, given enough time and resources. The question will be: How quickly are you able to determine that an adversary has penetrated your network?

If you can’t prevent, you must discover

This is where detection comes in. Do you have the right tools and procedures in place to find attacks quickly when they are occurring? Most businesses do not. It takes days, weeks, and often even months before an attack is discovered. The gap between breach and discovery is known as dwell time, which is estimated to be more than 200 days in most cases and, according to IBM, as many as 280 days in some instances. If it takes this long to discover that an attack is in process, it may be impossible to determine the root cause if you don’t have enough historical data to review.

Therefore, it is just as important, and maybe even more important, to spend money increasing your ability to detect when a breach has occurred rather than to determine when a breach is actively occurring or to see that specific firewall (FW) or intrusion detection system (IDS) rules have actively prevented an attack. New attacks are taking place all the time, and bad actors are constantly coming up with new ways of infiltrating your network. It is important to understand that, at some point, a bad actor is going to get through and penetrate your network. What will be vitally important is whether you are able to see the attack when it is taking place, or shortly after, or whether instead the attack will be discovered weeks or months after the fact. In the latter case, do you have enough historical data to go back and determine when the attack started, or will that data be long gone by the time you notice something is wrong?

Saving the data you need

It is important to have several months’ worth of data so that you can go back and determine the initial compromise on your network. Having an advanced network detection and response (NDR) tool such as NETSCOUT’s Omnis Cyber Intelligence (OCI) can ensure that you have the data you need. OCI stores all of the relevant information, including layer 2-7 metadata and packets that you need to determine the root cause of an attack—not just flow data that won’t help in this situation.

How much historical network traffic are you storing? Do you have enough data to go back and research the start of an attack if it occurred 200 days ago? Or are you going to rely on catching bad actors faster than the industry average? It is important to understand the need for leveraging both prevention and detection capabilities and ensuring that you have enough storage to thoroughly investigate an attack when it occurs.

Watch this video to see how NETSCOUT can help your back-in-time investigation.

Copyright © 2022 IDG Communications, Inc.

Source link

Continue Reading

Cyber Security

Want to Help Your Analysts? Embrace Automation and Outsourcing.



While the security tools we choose to invest in can undoubtedly make or break our success, one area we tend to focus less on is the human component of cybersecurity. Yet today, two-thirds of global leaders claim that the global skills shortage creates additional cyber risks for their organization, including 80% who reported experiencing at least one breach during the last 12 months that they attributed to the cybersecurity skills gap.

The always-changing threat landscape, with fewer skilled people makes it nearly impossible to keep ahead of threats. That’s why it’s time to talk about the human element – specifically your Security Operations Center (SOC) analysts – and their role in your cybersecurity framework.

Helping the Humans in Your Security Stack: Enhance, Automate, and Outsource

When you consider your security stack, you probably immediately think of the technology you use. And you’re likely already consuming these as a service. Security vendors operate, maintain, and improve critical security capabilities for the tech you use, keeping those tools tuned to be resilient against the latest threats so your team can focus on more critical tasks.

But what about the people? They’re just as much a part of your security stack as any firewall, endpoint, application, devices, or sandboxing tool. But there’s likely less of a roadmap for their continual improvement. Your analysts are playing a constant catch up game with alerts, which leaves no time for professional development. You’ve probably considered evaluating which tasks the SOC performs that you could automate or outsource, but a lengthy list of other to-dos often means that process improvements get deprioritized.

If your team is overwhelmed, you’re not alone. Here’s the good news: You can take steps to strengthen your organization’s security posture while simultaneously reducing your analysts’ workloads (and lowering the chances that they’ll burn out).

The first is to enhance their capabilities by choosing the right technology and making time for training when possible. Next is to automate many of your team’s processes to improve accuracy, mean time to detection (MTTD), and mean time to remediation (MTTR). Lastly, there are simply some aspects of cybersecurity you’ll want to outsource to keep your team focused on the most critical tasks.

Enhance Their Capabilities with the Right Technology and Training Opportunities

If you’re like most of us, your SOC teams are heads-down sifting through alerts, logs, and tasks. They find it challenging to find the time to stay sharp as they’re focused on the evolving threat landscape and supporting (and improving) your organization’s security posture.

That said, practice – even if done every few months ­– will make your team better and faster in responding to attacks. Make the time for it. Build and test your processes and playbooks, and then allocate time for tactical training sessionsbased on real-world attacks. Consider partnering with an outside organization to help hone skills and provide additional insights into potential security gaps. Also, take advantage of onboarding and training programs that support short learning curve objectives.

Automate Processes to Improve Accuracy and Efficiency

The goal of every cybersecurity leader today should be to establish a unified security framework across the entire organization that prioritizes synergetic systems and centralized processes to deliver ML-powered automation. If you’re just starting with automation, looking within your team and identifying repetitive processes that may benefit from automation is a good jumping-off point. Consider log review, bot activity monitoring, and initial alert triage for starters.

Remember that AI and ML are only as good as the data they’re trained on and the people who teach and optimize them. When engaging with vendors offering ML-powered solutions, you must look inside the organization and figure out who’s designing their models. What datasets are they working with? What AI training models do they use? Ensure that the processes and automation used to gather, process, identify, and respond to incidents are trustworthy. 

Outsource to Improve (or Redirect) Your Team’s Focus

The current intensity we see across the threat landscape, both in velocity and sophistication, means we all need to work harder to stay on top of our game. But that can only get you so far. Working smarter means outsourcing certain tasks – like incident response and threat hunting – so your team can refocus on other strategic priorities.

This is why relying on a Managed Detection and Response (MDR) provider, Incident response (IR) or a SOC-as-a-service offering is helpful. Such enhancements are a critical way to eliminate noise, help your team focus on their most important tasks, and advance your business. Outsourcing can either be used as a temporary measure until your analysts are past the learning curve of new technology, or you can use these services as a permanent extension of your security team, adding professional expertise when and where you need it.

Don’t Forget About Employee Cybersecurity Education

There are many ways to support your SOC analysts, from enhancing their skills through training and certification to outsourcing your detection and response activities.

Yet security is everyone’s job, not just the responsibility of you and your analysts. In many cases, your employees are your first line of defense, which is why everyone in the organization must understand basic cybersecurity principles.

When you invest in ongoing training programs to help your workforce enhance their security knowledge, combined with tools like ongoing phishing simulation services, you enable them to be strong partners to your SOC. It’s one more important opportunity – beyond training, automation, and outsourcing – to support the people who are part of your cybersecurity stack.

Learn more about how Fortinet’s team of cybersecurity experts can help you enhance, automate, and outsource critical security functions to keep your organization secure.  


Copyright © 2022 IDG Communications, Inc.

Source link

Continue Reading