THE CURRENT STATE OF CYBER THREATS
INTH3WILD is an RSA thought leadership platform where we share our research findings, opinions and industry trends on external threats organizations face in the wild. Our focus is on Advanced Threats such as APTs and cyber espionage as well as Fraud & Cybercrime including but not limited to new malware families and attack methods.
In a recent investigation, RSA researchers uncovered the server infrastructure used in a global Point-of-Sale (PoS) malware operation responsible for the electronic theft of payment card and personal data from several dozen retailers, mostly based in the U.S. Infection activity has also been detected in 10 other countries including Russia, Canada and Australia. While the malware used in the operation is not new, RSA researchers discovered that, beginning October 25th, it had logged track 1 and 2 data of payment cards it had scraped from infected PoS systems.
Was that a typo? What is a “KINS”? Well, it appears that KINS is the name of a new professional-grade banking Trojan that is very likely taking its first steps in the cybercrime underground and could be poised to infect new victims as quickly and effectively as its Zeus, SpyEye and Citadel predecessors.
Be it internal disagreements within the Carberp team, or law enforcement pressure following the arrests in 2012, the Carberp cyber gang members have disbanded, leaving their Trojan code publicly available, following a failed attempt to sell it. Stop me if you’ve heard this before…
Hacktivism and the Ever-Targeted Enterprise
It’s no surprise that hacktivism continues to be top of mind. We are seeing the weaponization of financial Trojans such as Zeus variants being used in APT-style attacks and the Citadel financial Trojan which has the ability to map the corporate network. Hacktivism is also making waves in the underground for financially motivated criminals as they seek to buy the information stolen in these attacks to commit fraud.
Privatizing Financial Banking Trojans and other Malware
Cybercriminals are slowly bringing malware development deeper into the underground due to fear of infiltration by undercover agents. Yet, development has not slowed down by any means. For cybercriminals that rely on commercial malware offerings, this past year showed Trojan development increase – beginning with the introduction of Citadel and ending with the return of the Carberp Trojan.
The world has been talking about a new security buzzword and that buzzword is “Heartbleed”. What is Heartbleed? Heartbleed is the nickname given to the vulnerability known as CVE-2014-0160, which is a flaw in the TLS/DTLS heartbeat extension implementation in certain versions of OpenSSL. In plain English, this vulnerability allows an attacker to use a…
We don’t often look at old intelligence, but recently one known botnet published a list of new Dynamically Generated Domain names, and it caught our attention. As we investigated, we were surprised to find out that one malware family associated with Cutwail bot was launching a Denial of Service attack against the infrastructure of a botnet associated with Zbot, Zeus and Blackhole. This was quite literally a live action view of botmasters attacking one another.
The RSA Incident Response Team (RSA IR) has led multiple incident response engagements involving a common adversary RSA has dubbed “Shell_Crew”; a group of advanced threat actors whose objective is to gain access, stay entrenched and ultimately steal as much data and intellectual property as possible.
It appears Shell_Crew has persisted in enterprises of varying sizes for years without being detected — updating or replacing existing malicious backdoors and continuing to map the enterprise while installing Web shells and poisoning existing web pages. These tenacious approaches make it difficult for an under-resourced internal security team to detect and remediate the actions of this adversary.
- Searching the Subject
- Context menu actions for VirusTotal and MXToolbox
- Should We Keep This Community Public?
- question on network reconstruction
- Detecting Sinkholed Domains With The X-Factor Parser
- lua - nw.log* functions
- Monitoring proxied web traffic with SA
- IT-Harvest interview with RSA on Security Analytics
- External Authentication
- Can someone share below sample files for lua parser?