
Expert Speak

Tips to Protect Enterprise Networks and Resources Against Mozi

Written by Amr Alashaal, Regional Vice President – Middle East at A10 Networks

Malware plays an important role in the expansion of botnets, automating the process of bot infection and recruitment. These botnets are then used to launch large-scale DDoS attacks. One highly prevalent malware in the DDoS world is Mozi. Mozi is a DDoS-focused botnet that exploits a large set of known remote code execution (RCE) vulnerabilities, tracked as CVEs, in IoT devices to infect them. These IoT devices include readily available and commonly used DVRs and network gateways.

Once infected, the botnet uses peer-to-peer connectivity to send and receive configuration updates and attack commands. Mozi was first identified in 2019 and has been evolving and increasing in size ever since. It can now persist on network devices by infiltrating the device’s file system, remaining functional even after the device has been rebooted. During the first half of 2021, Mozi topped out at over 360,000 unique systems using more than 285,000 unique source IP addresses, likely due to address translation.

In order to protect their networks and resources, organizations need to take the following steps to block systems infected by Mozi and the malicious traffic generated by them:

  • Never Trust, Always Verify: Incorporate the Zero Trust model and its key principles into your security strategy. Create micro-perimeters within your networks. Limit access to your resources and invest in modern, AI/ML-based solutions. Ensure visibility not only into the endpoints and network nodes, but also into users, their activities, and workflows.
  • Investigate Whether You are Already Infected: The initial infection of Mozi comes in the form of RCE exploit attempts sent over ports 80, 8080, 8443, etc. This makes initial infections stand out, which helps in tracking them with low false positives. If your network devices suddenly start generating abnormal amounts of TCP or UDP traffic, immediately isolate the suspicious devices and limit the traffic originating from them. If this is not possible, apply global rate limiting on all traffic until you track down the source.
  • Observe and Block Commonly Exploited Ports: Closely monitor any traffic using TCP ports 60001, 37215, 5555, 52869 and 49152, both before and after a suspected infection. While these aren’t the only ports Mozi uses, they may help find the needle in the haystack. As a general good practice, monitor and block sources that send TCP SYNs to ports 23 and 2323, as most malware uses Telnet to initiate IoT device infections.
  • Take a Closer Look at the Payloads: If your network devices are generating large amounts of traffic, look at the payloads (i.e., the HTTP POST as shown on page 13). Regular expressions can be used to match these malicious requests and block them before they infect other devices.
  • Block BitTorrent: Since BitTorrent is one of the most common peer-to-peer networks used by Mozi for Command and Control (C2) communications, any BitTorrent traffic coming into or going out of the network should be blocked. Depending on your customer type, the sheer amount of BitTorrent traffic alone can be a dead giveaway of an infection.
  • Ensure Your Security is up to Date: Make sure your security infrastructure is updated regularly and that your IoT devices are running the latest firmware version with all the necessary security patches applied. Keep track of CVEs for your network devices and check whether patches are available for them. If fixes are not readily available, take appropriate mitigating action based on the particular CVEs.
  • Employ or Review DDoS Baselining and AI/ML Techniques: Modern DDoS techniques such as baselining, which compares current behavior against historical norms to surface anomalies, combined with AI/ML techniques for detection and zero-day attack prevention, can be a force multiplier for your security team, as work that would otherwise be manual can be discovered and dealt with efficiently and 24×7.
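The checks in the list above (SYNs to the Telnet ports, traffic to the Mozi-associated ports, and traffic volume versus a baseline) can be combined into one pass over flow records. The script below is an added example written for this article and is not A10 Networks code; it assumes a simple constructed flow-log format of `src dst proto dst_port tcp_flags bytes` per line, a constructed per-device byte baseline, and a volume factor of 5, all of which are illustrative choices rather than values from the article.

```python
import re
from collections import defaultdict

# Ports named in the article: Mozi-associated TCP ports, and the Telnet ports that
# most IoT malware probes when attempting an initial infection.
MOZI_PORTS = {60001, 37215, 5555, 52869, 49152}
TELNET_PORTS = {23, 2323}

# Assumption: a flat flow-log line "src dst proto dst_port tcp_flags bytes".
# Flags are written like tcpdump/Zeek ("S" = SYN only, "PA" = PSH+ACK, "-" for UDP).
FLOW_RE = re.compile(
    r"^(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<dport>\d+)\s+(?P<flags>\S+)\s+(?P<bytes>\d+)$"
)


def parse_flow(line):
    """Parse one flow line into a dict, or return None for lines that do not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return {
        "src": m["src"], "dst": m["dst"], "proto": m["proto"],
        "dport": int(m["dport"]), "flags": m["flags"], "bytes": int(m["bytes"]),
    }


def analyse_flows(lines, baseline_bytes, volume_factor=5):
    """Return {source_ip: [finding, ...]} for sources matching any of the article's checks.

    baseline_bytes maps a device IP to its historical byte count for the same window;
    a device is flagged on volume when it exceeds volume_factor times that baseline.
    """
    syn_to_telnet = defaultdict(set)     # src -> destinations probed on 23/2323
    mozi_port_hits = defaultdict(set)    # src -> Mozi-associated ports contacted
    volume = defaultdict(int)            # src -> bytes sent in this window
    for line in lines:
        f = parse_flow(line)
        if f is None:
            continue
        volume[f["src"]] += f["bytes"]
        # A bare SYN (no ACK) to a Telnet port is a scan/infection attempt, not a reply.
        if f["proto"] == "TCP" and f["dport"] in TELNET_PORTS and f["flags"] == "S":
            syn_to_telnet[f["src"]].add(f["dst"])
        if f["proto"] == "TCP" and f["dport"] in MOZI_PORTS:
            mozi_port_hits[f["src"]].add(f["dport"])

    findings = defaultdict(list)
    for src, dsts in syn_to_telnet.items():
        findings[src].append(f"TCP SYN to Telnet ports on {len(dsts)} host(s)")
    for src, ports in mozi_port_hits.items():
        findings[src].append(f"traffic to Mozi-associated ports {sorted(ports)}")
    for src, total in volume.items():
        base = baseline_bytes.get(src)
        if base and total > volume_factor * base:
            findings[src].append(
                f"volume {total} B exceeds {volume_factor}x baseline ({base} B)")
    return dict(findings)


# Constructed sample flows: 10.0.0.5 behaves like an infected device (Telnet sweep,
# contact with a Mozi port, volume spike); 10.0.0.7 is ordinary HTTPS; 10.0.0.9 only
# shows a volume spike and would need a closer look at its payloads.
SAMPLE_FLOWS = [
    "10.0.0.5 10.0.0.20 TCP 23 S 60",
    "10.0.0.5 10.0.0.21 TCP 2323 S 60",
    "10.0.0.5 10.0.0.22 TCP 23 S 60",
    "10.0.0.5 203.0.113.9 TCP 37215 S 60",
    "10.0.0.5 203.0.113.9 TCP 37215 PA 4200",
    "10.0.0.7 10.0.0.1 TCP 443 S 60",
    "10.0.0.7 10.0.0.1 TCP 443 PA 1500",
    "10.0.0.9 198.51.100.4 UDP 6881 - 120000",
]
# Constructed historical baseline (bytes per device for a window of the same length).
BASELINE = {"10.0.0.5": 500, "10.0.0.7": 2000, "10.0.0.9": 10000}

if __name__ == "__main__":
    for src, reasons in analyse_flows(SAMPLE_FLOWS, BASELINE).items():
        print(src)
        for r in reasons:
            print("  -", r)
```

A device that trips the Telnet-SYN or Mozi-port checks is a candidate for immediate isolation; one that trips only the volume check is the case where the article recommends inspecting payloads before acting. Port-based rules alone will not catch BitTorrent/DHT peer traffic, which can use arbitrary ports, so that control belongs in an application-aware filter rather than in this script.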

Cyber Security

Why Context is Everything When it Comes to Cybersecurity?

Written by Hadi Jaafarawi, managing director – Middle East, Qualys

The cybersecurity threat landscape has never been more challenging, sophisticated, and severe. Research suggests that in the UAE alone, around $746 million is lost every year to cybercrime, and the country faced a 79% increase in the problem from 2019 to 2020. For firms and IT departments across the region, it’s a constant battle to stay ahead of the bad actors.

Add in the fact that many security teams are either stretched or under-skilled, not to mention under pressure to keep budgets in check, and it really is a perfect storm. In an effort to level the playing field, security teams are turning to technology. But that comes with challenges of its own.

A lack of clarity
There’s no shortage of security tools offering what professes to be the solution. And it’s no surprise that security teams reach for them in the hope of coping with the issue and reducing their risks. More and more, companies are adopting an increasing number of tools to add further layers of security and protect against risk. Today an organisation’s security infrastructure will include everything from Security Incident and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) to Network Detection & Response (NDR) and Extended Detection and Response (XDR).

Admittedly, the tools each have value, so that’s not the problem. The challenge is that each new tool adds another data silo. Each separately reports its own specific data based on its own particular use and area of the network. And it’s then down to the analysts, who are faced with multiple alerts from multiple systems and solutions, to make sense of it all.

When there are too many alerts, issues can be notified to lots of different teams, or worse missed altogether. Alert fatigue — where the team is exposed to constant alerts and consequently fails to act when it really matters — is a real problem. This is why XDR tools are designed as a holistic, top-layer solution that collects data from multiple sources to provide a comprehensive picture, enabling real-time incident detection and response. But again, it’s not that simple, as XDRs vary in quality, effectiveness, and even function.

Some SIEM and XDR tools simply deliver raw data to analysts, who then have to interpret the data and make endless decisions about any actions that are needed. They collect disparate, unrelated data, and it’s up to the analyst to deal with the notifications, analyse, prioritise and then act, or not. Busy security analysts are likely to be faced with multiple alerts in any given day, many of which are actually false alarms. It’s little wonder that it’s easy to miss or ignore that one really vital alert.

Context is key
Enter the value of contextual insight. Rather than simply churning out data and leaving it to the over-worked analyst to handle, some XDR tools can go a step further by providing that all-important context. All alerts may look basically the same in one tool. But, when brought together with external threat intelligence and other security data, that harmless-looking alert will suddenly have more meaning and jump up the priority list. XDR is designed to break down data silos and provide the context required to help analysts get better insight, by creating a consolidated view of the entire enterprise technology stack and any threats. It pulls together all security solutions and functions into one place, giving analysts a single, comprehensive view of threats across the entire network.

By correlating data from asset inventory and vulnerability information, high-quality threat intelligence, network endpoint telemetry, and third-party log data, analysts get more context on what’s happening — leading to a far more effective and quicker response to threats. Without this context, too much time is wasted on manual tasks and important alerts can easily be missed. This context allows the rapid, focused investigation to be carried out where it’s actually needed.

Providing context using XDR gives security professionals the visibility and insights they need to reduce risks and improve their security approach. It empowers busy teams with the clarity and context to enable them to make the right decisions and deal with potential issues — and quickly.


Cyber Security

How Cybersecurity Readiness Prevents SMBs from Fuelling Supply Chain Attacks

Written by Ram Narayanan, Country Manager at Check Point Software Technologies, Middle East

Supply chain attacks aren’t new. If the past couple of years have taught businesses anything, it’s that the impact of supply chain cyber-attacks is now universal, from the fallout of the SolarWinds software breach to the exposed Apache Log4j vulnerability and Kaseya last year. Unfortunately, when such supply chain attacks hit smaller businesses, which are usually the suppliers to larger enterprises, their impact is especially severe.

For SMBs already feeling the prolonged impact of the pandemic, the added pressure of dealing with sophisticated and frequent cyber attacks in real time is a heavy burden, as they try to protect their business against financial, legal, and reputational damage, as well as the security of their own suppliers and larger clients. It is now more important than ever for SMBs to implement strict security hygiene and effective cybersecurity processes to ensure their business is prepared for cyber attacks.

SMBs as an indirect avenue of cyber attacks
The ‘new normal’ opened the door to several new vulnerabilities; cyber-attacks globally increased by 50% on average in 2021, compared to 2020. Our Check Point Threat Intelligence report revealed that an organisation in the United Arab Emirates was attacked on average 906 times per week over the last six months. While security breaches are on the rise, the top threats impacting SMBs have remained the same. In Check Point’s Small and Medium Business Security Report from 2020/2021, we revealed phishing, malware, credential theft, and ransomware to be the top four threats impacting these businesses. So, what does this mean for them?

The reality is threat actors have taken advantage not only of the now-entrenched remote working model to target organisations, but also the usual limits preventing SMBs from bulking up on their cyber security defenses, mainly lack of budget and expertise. SMBs often do not have a dedicated IT or security department, meaning with no in-house security expertise and reduced focus on security patching, these companies are easier to socially engineer and infiltrate.

Adding to this, SMBs usually have employees performing multiple roles, which gives them wider access to valuable areas of the business and its information, so if breached, they pose a threat to multiple areas within the business. In addition, the business IT infrastructure is often shared for personal communication as well, e.g. social media and personal email, allowing easier access to hackers, as that data is often not secured.

Threat actors often target SMBs as low-hanging fruit for their vital role in supply chains. This is especially so as such attacks wreak havoc on not only one organisation but entire businesses within the supply networks. By leveraging tactics such as phishing, cybercriminals gain access to an organisation to launch a malware attack, steal data and credentials or instigate ransomware.

Take, for example, the attack against Target USA where hackers used stolen credentials from an SMB vendor that serviced the HVAC systems in Target stores, to gain access to the retailer’s network and then laterally move to the systems that kept customer payment information. As a result, the global retailer was breached and 40 million credit and debit card details stolen.

The key factor to preventing cyberattacks is threat prevention. With minimal time and lack of cyber expertise or manpower, SMBs must adopt a prevention mindset to minimise potential cyber-attacks and threats.

Why cybersecurity readiness is paramount for SMBs
Beyond the immediate financial impact and reputational blow as a trustworthy, reliable partner, SMBs can also face legal or regulatory repercussions, operational disruption, flow-on costs for system remediation and cyberattack response, customer churn, and the loss of competitive advantage that can make or break a smaller business. In fact, a tarnished reputation as an avenue of attack can be even more detrimental to an SMB organisation, as the loss of trust with a larger organisation could mean a loss of potential business and revenue down the line with them or other new, potential customers.

With this in mind, budgetary constraints to keep computers and corporate networks protected should never be an excuse, as keeping sensitive data and information protected will bring many advantages and benefits to companies. This can range from overall cost savings, compliance with data protection laws, gaining the trust of customers and suppliers, to protecting your documents and information to the maximum by preventing any type of data breach.

How SMBs can prevent supply chain attacks
By applying stronger cyber defences, SMBs are in a position to assure the larger organisations they supply that those organisations will not be compromised via the SMB partner or third-party vendor. Whilst there are multiple means to prevent such supply chain attacks, the first step is to have good security software capable of covering the entire company, protecting the company’s endpoints and devices, supported by regular backups so that, in the event of a cyberattack, all the data can be restored.

Any device that connects to the network can become a security breach, so it is important to secure all endpoints. It is especially critical for remote or hybrid workforces to avoid security breaches and data compromise. Also, all employees should be trained in cybersecurity so that they themselves become the first barrier to any attempted attack, such as phishing via email or SMS. Keep in mind that prevention is one of the best protection measures available.

A viable option for SMBs is also to consider engaging an experienced Managed Security Service Provider (MSSP), which will have the skilled resources, up-to-date security software and expertise to monitor for and analyse threats on behalf of the SMB. This is especially useful for SMBs that have neither the time nor the resources to adequately carry out threat detection and response.

Partnering with a cybersecurity expert equipped with best-in-class security and scalable solution such as Check Point Software can put SMBs in good stead to protect against the most sophisticated attacks and generate trust among larger potential players. Ultimately, SMBs seek a simple plug-and-play solution with best-in-class threat protection, given their lack of financial funding and skills. With an effective cybersecurity strategy, SMBs are better placed to demonstrate their credibility as secure partners to larger organisations, opening up more business opportunities.


Cyber Security

How Cybercriminals Target Cryptocurrency

Written by Sherrod DeGrippo, Vice President for Threat Research and Detection at Proofpoint

As cryptocurrency and non-fungible tokens (NFTs) become more mainstream, and capture headlines for their volatility, there is a greater likelihood of more individuals falling victim to fraud that attempts to exploit people for digital currencies. The rise and proliferation of cryptocurrency have also provided attackers with a new method of financial extraction. It’s commonly believed that cryptocurrency provides more anonymity, via less governmental and organizational oversight and visibility coupled with its inherent fungibility, making it an appealing financial resource for threat actors. The financially motivated attacks targeting cryptocurrency have largely coalesced under pre-existing attack patterns observed in the phishing landscape prior to the rise of blockchain-based currency.

Proofpoint researchers observe multiple objectives demonstrated by cybercriminal threat actors relating to digital tokens and finance, such as traditional fraud leveraging business email compromise (BEC) to target individuals, and activity targeting decentralized finance (DeFi) organizations that facilitate cryptocurrency storage and transactions for possible follow-on activity. Both of these threat types contributed to a reported $14 billion in cryptocurrency losses in 2021. In fact, Business Email Compromise topped the list of attack types that CISOs in the UAE expect to face in the coming months, with 35% of CISOs concerned about potential BEC attacks.

While most attacks require a basic understanding of how cryptocurrency transfers and wallets function, they do not require sophisticated tooling to find success. Common techniques observed when targeting cryptocurrency over email include credential harvesting, the use of basic malware stealers that target cryptocurrency credentials and cryptocurrency transfer solicitation like BEC. These techniques are viable methods of capturing sensitive values which facilitate the transfer and spending of cryptocurrency.

There are multiple DeFi applications and platforms – such as cryptocurrency exchanges – that people can use to manage their cryptocurrency. These platforms often require usernames and passwords, which are potential targets for financially motivated threat actors.

Despite public keys being “safe” to share, researchers are seeing actors solicit the transfer of cryptocurrency funds via BEC type emails that include threat actor-controlled public keys and cryptocurrency addresses. These email campaigns rely on social engineering to secure the transfer of funds from targeted victims.

Credential Harvesting and Cryptocurrency
In 2022 Proofpoint has observed regular attempts to compromise users’ cryptocurrency wallets using credential harvesting. This method often relies on the delivery of a URL, within an email body or a formatted object, which redirects to a credential harvesting landing page. Notably, these landing pages have begun to solicit values used in the transfer and conversion of cryptocurrencies.

Crypto Phishing Kits
Credential harvesting landing pages are often built with phish kits that can be used to create multiple landing pages and used in multiple campaigns. Phish kits give threat actors the ability to deploy an effective phishing page regardless of their skill level. They are pre-packaged sets of files that contain all the code, graphics, and configuration files to be deployed to make a credential capture web page. These are designed to be easy to deploy as well as reusable. They are usually sold as a zip file and ready to be unzipped and deployed without a lot of “behind the scenes” knowledge or technical skill.

It is no wonder that CISOs around the world consider phishing one of the most prevalent and challenging cybersecurity threats. A 2021 Proofpoint study found that almost a third of CISOs in the UAE believed they were at risk of suffering a phishing attack. Proofpoint researchers have observed multiple examples of phishing threat actors creating and deploying phishing kits to harvest both login credentials to cryptocurrency-related sites and cryptocurrency wallet credentials or passphrases.

Business Email Compromise – But For Crypto
A popular form of financial crime vectored through phishing is business email compromise (“BEC”). In 2022 Proofpoint regularly observes cryptocurrency transfer requests within the context of BEC attempts. Primarily these requests are observed in the context of employee targeting, using impersonation as the deception, and often leveraging advance-fee fraud, extortion, payroll redirect, or invoicing as themes.

The initial BEC email often contains values that are safe for public consumption, including public keys and cryptocurrency addresses. By impersonating an entity known to the user and listing an actor-controlled public key or address, actors attempt to deceive users into willingly transferring funds from their own account on the basis of social-engineering content. This mirrors the way actors use routing and bank account numbers in conventional BEC phishing campaigns.
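Because a crypto-themed BEC message carries the same tells as a conventional one (an impersonated known sender, one of the themes listed above, and a payment destination supplied in the body), an email gateway or SOC triage script can score for exactly those features. The script below is an added example written for this article and is not Proofpoint code; it assumes Bitcoin (legacy and bech32) and Ethereum address formats as representative of the “cryptocurrency addresses” the article describes, a constructed internal domain and executive list, and constructed sample messages (the Bitcoin address in the sample is the well-known BIP173 test vector, not a real actor-controlled address).

```python
import re

# Assumption: common public address formats. The article speaks generically of
# "actor-controlled public keys and cryptocurrency addresses"; these two are
# illustrative and other chains would need their own patterns.
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"\b(?:bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"),
    "ethereum": re.compile(r"\b0x[a-fA-F0-9]{40}\b"),
}

# Themes the article names for crypto BEC, reduced to a few trigger words each.
THEME_KEYWORDS = {
    "payroll": ["payroll", "direct deposit"],
    "invoice": ["invoice", "payment due", "wire"],
    "urgency": ["urgent", "immediately", "today"],
}

# Constructed organisation data: the domain legitimate staff send from, and the
# display names most worth impersonating.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"Jane Doe"}
ALERT_THRESHOLD = 4


def find_addresses(text):
    """Return [(kind, address), ...] for every recognised address in the text."""
    found = []
    for kind, pattern in ADDRESS_PATTERNS.items():
        found.extend((kind, addr) for addr in pattern.findall(text))
    return found


def score_message(display_name, sender_address, body, internal_domain=INTERNAL_DOMAIN):
    """Score one message; higher means more BEC-like. Returns (score, reasons)."""
    score, reasons = 0, []
    addrs = find_addresses(body)
    if addrs:
        # A payment destination in the body is the strongest single signal.
        score += 3
        reasons.append(f"contains {len(addrs)} cryptocurrency address(es)")
    lowered = body.lower()
    for theme, words in THEME_KEYWORDS.items():
        if any(w in lowered for w in words):
            score += 1
            reasons.append(f"theme: {theme}")
    # Impersonation check: an executive's display name arriving from an external domain.
    sender_domain = sender_address.rsplit("@", 1)[-1].lower()
    if display_name in EXECUTIVES and sender_domain != internal_domain:
        score += 2
        reasons.append("executive display name from external domain")
    return score, reasons


def is_suspicious(display_name, sender_address, body):
    return score_message(display_name, sender_address, body)[0] >= ALERT_THRESHOLD


# Constructed sample messages: one impersonation with a wallet address, one routine
# internal reminder that happens to mention an invoice.
SAMPLES = [
    ("Jane Doe", "jane.doe@examp1e-mail.test",
     "Hi, I need you to urgently move this vendor payment to our new treasury wallet "
     "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq today. The invoice is attached."),
    ("Finance Team", "finance@example.com",
     "Reminder: the Q3 invoice reconciliation meeting has moved to 3pm in room B."),
]

if __name__ == "__main__":
    for name, addr, body in SAMPLES:
        score, reasons = score_message(name, addr, body)
        print(f"{name} <{addr}>: score={score} suspicious={score >= ALERT_THRESHOLD}")
        for r in reasons:
            print("  -", r)
```

The score is deliberately additive so that a message needs more than one signal to alert: an address alone (a legitimate treasury notice, say) or a theme word alone (the meeting reminder) stays below the threshold, while the combination the article describes, an impersonated sender plus a payment theme plus a destination address, clears it comfortably.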

Conclusion
Financially motivated threat actor activity attempting to steal or extort cryptocurrency is not new. However, cryptocurrencies, digital tokens, and “Web3” concepts are becoming more widely known and accepted in society. Where once “crypto” was a concept that thrived in certain parts of the internet, it is now a mainstream idea, with cryptocurrency apps and services advertised by professional athletes and celebrities, and major events sponsored by cryptocurrency and blockchain companies.

But threat actors are way ahead of general adoption of cryptocurrency, with existing infrastructure and ecosystems long established for stealing and using it. And as mainstream awareness and interest increases, it is more likely people will trust or engage with threat actors trying to steal cryptocurrency because they better understand how DeFi operates or are interested in being a part of “the next big thing”.

Users should be aware of common social engineering and exploitation mechanisms used by threat actors aiming to steal cryptocurrencies.


Copyright © 2021 Security Review Magazine. Rysha Media LLC. All Rights Reserved.