THE CURRENT STATE OF CYBER THREATS
INTH3WILD is an RSA thought leadership platform where we share our research findings, opinions and industry trends on external threats organizations face in the wild. Our focus is on Advanced Threats such as APTs and cyber espionage as well as Fraud & Cybercrime including but not limited to new malware families and attack methods.
In a recent investigation, RSA researchers uncovered the server infrastructure used in a global Point-of-Sale (PoS) malware operation responsible for the electronic theft of payment card and personal data from several dozen retailers, mostly based in the U.S. Infection activity has also been detected in 10 other countries including Russia, Canada and Australia. While the malware used in the operation is not new, RSA researchers discovered that, beginning October 25th, it had logged track 1 and 2 data of payment cards it had scraped from infected PoS systems.
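The track 1 and track 2 data mentioned above has a fixed magnetic-stripe layout, which is exactly what a PoS RAM scraper pattern-matches for in process memory. The following is an added example, not RSA's code or anything recovered from the operation described: it applies the same patterns as a detection check, so a responder can confirm whether a memory dump, a suspicious log or an exfil file actually contains card data, with a Luhn check to discard digit runs that merely look like a PAN and PCI-style masking so findings can be logged. The sample "memory" is constructed, using the public Visa test PAN 4111111111111111 and a Luhn-invalid decoy.

```python
import re

# Added example (not from the RSA write-up): the Track 1 / Track 2 patterns a PoS RAM
# scraper hunts for, used here as a detection check over a memory dump or log file.
#
# Track 1, format B: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
# Track 2:           ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z /.'-]{2,26})\^(\d{4})(\d{3})[^?]{0,40}\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})\d{0,40}\?")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check; rejects most random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN and last four so a finding can be logged without storing the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes) -> list:
    """Return one dict per Luhn-valid track record found in buf, with the PAN masked."""
    hits = []
    for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m.group(1).decode()
            if not luhn_ok(pan):
                continue  # fails Luhn: not a real card number, skip the decoy
            if track == 1:
                expiry, service = m.group(3), m.group(4)
            else:
                expiry, service = m.group(2), m.group(3)
            hits.append({
                "track": track,
                "offset": m.start(),
                "pan": mask_pan(pan),
                "expiry": expiry.decode(),
                "service_code": service.decode(),
            })
    return hits


# Constructed sample "memory": the well-known Visa test PAN 4111111111111111 in both
# track formats plus a Luhn-invalid decoy; the other bytes stand in for process data.
SAMPLE_MEMORY = (
    b"\x00\x00POS_TERMINAL_01\x00"
    b"%B4111111111111111^DOE/JOHN^25121011000000000?"
    b"\x00\x00transaction ok\x00"
    b";4111111111111111=25121011000000000?"
    b"\x00\x00;1234567890123456=2512101?\x00"
)

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_MEMORY):
        print(hit)
```

Running it reports two hits (the track 1 and track 2 records for the test PAN) and silently drops the decoy. On a real dump, feed the file contents in as bytes; the offsets tell you which process region to pull for further analysis.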
Was that a typo? What is a “KINS”? Well, it appears that KINS is the name of a new professional-grade banking Trojan that is very likely taking its first steps in the cybercrime underground and could be poised to infect new victims as quickly and effectively as its Zeus, SpyEye and Citadel predecessors.
Be it internal disagreements within the Carberp team, or law enforcement pressure following the arrests in 2012, the Carberp cyber gang members have disbanded, leaving their Trojan code publicly available, following a failed attempt to sell it. Stop me if you’ve heard this before…
Hacktivism and the Ever-Targeted Enterprise
It’s no surprise that hacktivism continues to be top of mind. We are seeing the weaponization of financial Trojans such as Zeus variants being used in APT-style attacks and the Citadel financial Trojan which has the ability to map the corporate network. Hacktivism is also making waves in the underground for financially motivated criminals as they seek to buy the information stolen in these attacks to commit fraud.
Privatizing Financial Banking Trojans and other Malware
Cybercriminals are slowly bringing malware development deeper into the underground due to fear of infiltration by undercover agents. Yet, development has not slowed down by any means. For cybercriminals that rely on commercial malware offerings, this past year showed Trojan development increase – beginning with the introduction of Citadel and ending with the return of the Carberp Trojan.
The RSA Incident Response Team (RSA IR) has led multiple incident response engagements involving a common adversary RSA has dubbed “Shell_Crew,” a group of advanced threat actors whose objective is to gain access, stay entrenched and ultimately steal as much data and intellectual property as possible.
It appears Shell_Crew has persisted in enterprises of varying sizes for years without being detected — updating or replacing existing malicious backdoors and continuing to map the enterprise while installing Web shells and poisoning existing web pages. These tenacious approaches make it difficult for an under-resourced internal security team to detect and remediate the actions of this adversary.
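Web shells and poisoned pages are found by two complementary checks: looking for code that passes HTTP request input straight into eval or a command execution function, and diffing every file in the webroot against a known-good baseline, which is what catches a legitimate page that has had a payload appended. The following is an added example of both checks, not RSA's or Shell_Crew's tooling; the indicator patterns are common generic web shell constructs rather than anything attributed to this adversary, and the file names, contents and baseline are constructed for the example.

```python
import hashlib
import re

# Added example, not RSA's detection content or Shell_Crew tooling. Generic web shell
# indicators (request input fed to eval/exec) plus an integrity diff against a baseline.
SHELL_INDICATORS = {
    "php_eval_input": re.compile(
        r"eval\s*\(\s*(?:base64_decode\s*\(\s*|gzinflate\s*\(\s*)*\$_(?:POST|GET|REQUEST|COOKIE)", re.I),
    "php_exec_input": re.compile(
        r"\b(?:system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)", re.I),
    "php_preg_replace_e": re.compile(r"preg_replace\s*\(\s*['\"]/[^/]*/[a-z]*e[a-z]*['\"]", re.I),
    "asp_eval_request": re.compile(r"<%\s*@?\s*eval\s*\(?\s*request", re.I),
    "jsp_exec_request": re.compile(r"getRuntime\(\)\.exec\s*\([^;]*request\.getParameter", re.I),
    "large_base64_literal": re.compile(r"base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{200,}['\"]", re.I),
}


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def scan_file(content: str) -> list:
    """Names of every indicator pattern that matches the file content."""
    return [name for name, rx in SHELL_INDICATORS.items() if rx.search(content)]


def scan_webroot(files: dict, baseline: dict) -> dict:
    """files: path -> current content; baseline: path -> sha256 of the known-good copy.

    Returns path -> {"indicators": [...], "integrity": "ok"|"modified"|"new"|"missing"}.
    A poisoned page shows up as "modified", a dropped shell as "new".
    """
    report = {}
    for path, content in files.items():
        if path not in baseline:
            integrity = "new"
        elif sha256(content) != baseline[path]:
            integrity = "modified"
        else:
            integrity = "ok"
        report[path] = {"indicators": scan_file(content), "integrity": integrity}
    for path in baseline:
        if path not in files:
            report[path] = {"indicators": [], "integrity": "missing"}
    return report


def suspicious(files: dict, baseline: dict) -> list:
    """Sorted paths that either match an indicator or deviate from the baseline."""
    report = scan_webroot(files, baseline)
    return sorted(p for p, r in report.items() if r["indicators"] or r["integrity"] != "ok")


# Constructed sample webroot (hypothetical file names and contents).
KNOWN_GOOD = {
    "index.php": "<?php include 'header.php'; echo 'Welcome'; ?>\n",
    "about.php": "<html><body><h1>About us</h1></body></html>\n",
}
BASELINE = {path: sha256(content) for path, content in KNOWN_GOOD.items()}

CURRENT_WEBROOT = {
    "index.php": KNOWN_GOOD["index.php"],                 # untouched
    "about.php": KNOWN_GOOD["about.php"]                  # poisoned: payload appended
                 + "<?php if(isset($_REQUEST['p'])){ system($_REQUEST['p']); } ?>\n",
    "img/cache.php": "<?php @eval($_POST['cmd']); ?>",    # dropped one-line shell
    "admin/login.aspx.bak": '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
}

if __name__ == "__main__":
    for path, result in scan_webroot(CURRENT_WEBROOT, BASELINE).items():
        print(path, result)
```

The pattern scan alone would miss a shell that uses an encoding it does not know, and the integrity diff alone says nothing about files that were never in the baseline, which is why the report carries both and why `suspicious` flags on either. On a live engagement the baseline comes from the deployment artefact or a trusted backup, not from the compromised host.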
E-mail has long been used as an effective attack vector for delivering malware and conducting phishing attacks. We get unsolicited and potentially malicious emails like this in our inbox nearly every day, but what really makes an e-mail attack successful has more to do with trust than anything else. If an e-mail appears to be…
Did you know that social media followers and “likes” are a hot commodity on the black market? People want to be popular and some will even pay big bucks for it. Lists of Twitter followers have been known to go for more than even stolen credit card information, and it appears that Instagram followers are the next big thing.
An unusual variant of the Zbot Trojan has recently been taking advantage of this trend. The typical charter of Zbot has been to attempt to swipe passwords, but now this variant has also started to check for availability of Instagram usernames – likely in an effort to create an army of fake Instagram users that can be sold as followers to help individual users or businesses create an image of popularity.