Netflix has a new documentary series airing next week — “Web of Make Believe: Death, Lies & the Internet” — in which Yours Truly apparently has a decent amount of screen time. The debut episode explores the far-too-common harassment tactic of “swatting” — wherein fake bomb threats or hostage situations are phoned in to police as part of a scheme to trick them into visiting potentially deadly force on a target’s address.
Image: Netflix.com
The producers of the Netflix show said footage from an interview I sat for in early 2020 on swatting and other threats should appear in the first episode. They didn’t specify what additional topics the series would scrutinize, but Netflix’s teaser for the show suggests it concerns cybercrimes that result in deadly, real-world kinetic attacks.
“Conspiracy. Fraud. Violence. Murder,” reads the Netflix short description for the series. “What starts out virtual can get real all too quickly — and when the web is worldwide, so are the consequences.”
Our family has been victimized by multiple swatting attacks over the past decade. Our first swatting, in March 2013, resulted in Fairfax County, Va. police surrounding our home and forcing me into handcuffs at gunpoint. For an excruciating two minutes, I had multiple police officers pointing rifles, shotguns and pistols directly at me.
In 2021, an 18-year-old Tennessee man who helped set in motion a fraudulent distress call to police that led to the death of a 60-year-old grandfather in was sentenced to five years in prison.
https://phxtechsol.com/wp-content/uploads/2017/02/PTS-Horiz-logo-1-1200-300x53.jpg00Phoenix Technologyhttps://phxtechsol.com/wp-content/uploads/2017/02/PTS-Horiz-logo-1-1200-300x53.jpgPhoenix Technology2022-06-07 15:57:092022-06-07 15:57:20KrebsOnSecurity in New Netflix Series on Cybercrime
Researchers have recently noted the emergence of a new ransomware operator calling itself ‘Mindware’. The gang is thought to be responsible for a number of attacks beginning around March to April 2022, with suggestions that the malware was used to attack a not-for-profit mental health provider. Aside from targeting organizations in the Healthcare sector, Mindware has posted data on its leaks site belonging to organizations in sectors such as Finance, Engineering and Manufacturing. Mindware has a number of overlaps with an earlier ransomware strain known as SFile (aka SFile2, Escal). In this post, we review how Mindware differs from other ransomware families, note its similarities to SFile, and provide technical indicators to aid threat hunters and detection teams.
Overview
According to one source, the Mindware gang first became active in March 2022. By April, the group was practicing double extortion and operating its own leaks site. Mindware received further attention in April when it was noted by a different researcher to have attacked a mental health provider.
Mindware samples use a distinctive Reflective DLL injection technique. This, along with other indicators described below, show strong overlaps with SFile ransomware samples. Although we do not yet have specifics as to how Mindware attacks are initiated, SFile is known to use RDP bruteforce as an entry vector into an organization.
Each Mindware payload is configured for a specific target. Upon infection and successful execution, the payload drops a hardcoded ransomware note containing a combination of instructions and threats.
In common with a move made by other ransomware groups recently, Mindware attempts to discourage victims from contacting ‘recovery companies’, negotiators or authorities, threatening to immediately leak data should they do so. Victims are provided with a .onion URL as a means to make contact with the attackers and to decrypt two “random files” as proof that the operators possess a decryption key. Victims that refuse to pay are listed on the Mindware ransomware public leaks site.
Mindware Technical Analysis
As noted above, Mindware uses Reflective DLL Injection, a technique in which the shellcode dynamically retrieves handles to key API functions like LoadLibraryA() and GetProcAddress() by locating function addresses through the Export Address Table loaded by the host process.
This allows the shellcode to be position-independent by building its own import table and parsing through when executed in memory. This means a PE file could be loaded in the form of shellcode or a DLL entirely from memory.
The technique, which has also been noted in other ransomware families such as BlackMatter, avoids searching for module names directly and instead checks for hashes precalculated with a ROT13 algorithm.
Mindware and SFile samples require kernel32.dll and ntdll.dll. The APIs are searched for using a combination of the PEB (Process Environment Block) of the module and the EAT (Export Address Table) and enumerating all function names.
As noted, the same technique is characteristic of SFile ransomware samples, first seen in 2020 and active through 2021. Interestingly, SFile attacks seem to have been on hiatus over the last 9 months or so, and the emergence of Mindware samples with strong overlaps is indicative, as other researchers have noted, of a possible rebrand.
Both SFile and Mindware ransomware payloads accept the following parameters:
--enable-shares -> encrypt network shares
--kill-susp -> Triggers process termination
The ransomware checks for and then encrypts internal, removable and remote drive types.
Over 200 file types are targeted for encryption, denoted by a hardcoded list of file extensions. However, the following files are specifically excluded from encryption:
autorun.inf
desktop.ini
ntuser.ini
boot.ini
iconcache.db
thumbs.db
bootfont.bin
ntuser.dat
bootmgr
bootsect.bak
ntuser.dat.log
message_to_<>.txt
! cynet ransom protection(don’t delete)
Similarly, files in the following locations are also excluded from encryption:
%windir%
all usersmicrosoft
cache2
google
All UsersMicrosoft
:$RECYCLE.BIN
Program FilesInternet Explorer
far manager
mozilla
RoamingMicrosoft
windowssystem32
:system volume information
ida 7.0
tor browser
LocalMicrosoft
windowssyswow64
Program FilesMicrosoft Games
ida 6.8
windows.old
Local SettingsMicrosoft
windowssystem
inetpublogs
DefaultExtensions
intel
LocalLowMicrosoft
windowswinsxs
:boot
Temporary Internet Files
msocache
CommonMicrosoft
Systemmsadc
:drivers
Temp
perflogs
Sophos
Common Files
:wsus
$windows.~bt
ProgramDataMicrosoft
Symantec
WindowsPowerShell
cache
$windows.~ws
Application DataMicrosoft
Leaked
Mozilla Firefox
In order to protect itself and prevent other running processes from interfering with the encryption process, Mindware kills all other processes, with the exception of the following:
explorer.exe
powershell.exe
rundll32.exe
vmnetdhcp.exe
vmware-authd.exe
vmware-hostd.exe
vmware-tray.exe
vmware-usbarbitrator.exe
vmware-usbarbitrator32.exe
vmware-usbarbitrator64.exe
webroot_updater.exe
werfault.exe
windowsupdate.exe
SFile and Mindware samples are PEs typically around 250-300KB in size.
SFile and Mindware Ransomware Targeting
Analysis of the SFile payloads shows that SFile ransomware was mostly used against U.S organizations in Manufacturing, Mechanical, and Automobile sectors.
SHA1 – SFile Samples
Targeted Sector/Industry
28f73b38ace67b48e525d165e7a16f3b51cec0c0
Automotive Engineering
bdb0c0282b303843e971fbcd6d2888d834da204c
Other Personal Services
5ffac9dff916d69cd66e91ec6228d8d92c5e6b37
Investment
6960beedbf4c927b75747ba08fe4e2fa418d4d9b
Manufacturing
665572b84702c4c77f59868c5fe4d0b621f2e62a
Insurance
a67686b5ce1d970a7920b47097d20dee927f0a4d
Retail
14e4557ea8d69d289c2432066d860b60a6698548
Sample has hardcoded org name as CCCR [parent organization could not be determined]
0f20e5ccdbbed4cc3668577286ca66039c410f95
Engineering
Mindware samples also show a strong preference for businesses in similar industries.
SHA1 – Mindware Samples
Targeted Sector/Industry
ae974e5c37936ac8f25cfea0225850be61666874
Engineering
e9b52a4934b4a7194bcbbe27ddc5b723113f11fe
Healthcare
9bc1972a75bb88501d92901efc9970824e6ee3f5
Manufacturing
f91d3c1c2b85727bd4d1b249cd93a30897c44caa
Finance
46ca0c5ad4911d125a245adb059dc0103f93019d
Engineering
How To Protect Against Mindware and SFile Ransomware
The SentinelOne Singularity platform detects and prevents execution of Mindware and SFile ransomware strains.
For organizations not currently protected by SentinelOne, please see the list of Indicators of Compromise at the end of this post and the technical indicators described above.
Conclusion
Indications suggest Mindware is likely a rebrand of SFile, or at least that the same source code or builder for SFile is available to Mindware operators. While neither strain has achieved the notoriety of some of the more well-known ransomware strains that have been circulating recently, it may be that flying under the radar and hitting selective targets without attracting too much public attention is exactly what the gang are aiming for.
We hope that the information in this post serves to enable security teams to ensure that they have adequate resources to detect and prevent this threat. The SentinelOne Singularity platform detects and protects against SFile, Mindware and all other known ransomware threats. For more information about ransomware protection, see here. To learn more about how SentinelOne can help protect your organization from ransomware and other threats, contact us or request a free demo.
MITRE ATT&CK TA0005 – Defense Evasion T1485 – Data Destruction T1486 – Data Encrypted for Impact T1027.002 – Obfuscated Files or Information: Software Packing T1007 – System Service Discovery T1059 – Command and Scripting Interpreter T1112 – Modify Registry TA0010 – Exfiltration T1018 – Remote System Discovery T1082 – System Information Discovery
https://phxtechsol.com/wp-content/uploads/2022/06/Another-Rebrand-Mindware-and-SFile-Ransomware-Technical-Breakdown.jpg6281200Phoenix Technologyhttps://phxtechsol.com/wp-content/uploads/2017/02/PTS-Horiz-logo-1-1200-300x53.jpgPhoenix Technology2022-06-06 16:08:142022-06-06 16:08:25From the Front Lines | Another Rebrand? Mindware and SFile Ransomware Technical Breakdown
The U.S. Department of Justice (DOJ) recently revised its policy on charging violations of the Computer Fraud and Abuse Act (CFAA), a 1986 law that remains the primary statute by which federal prosecutors pursue cybercrime cases. The new guidelines state that prosecutors should avoid charging security researchers who operate in “good faith” when finding and reporting vulnerabilities. But legal experts continue to advise researchers to proceed with caution, noting the new guidelines can’t be used as a defense in court, nor are they any kind of shield against civil prosecution.
In a statement about the changes, Deputy Attorney General Lisa O. Monaco said the DOJ “has never been interested in prosecuting good-faith computer security research as a crime,” and that the new guidelines “promote cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.”
What constitutes “good faith security research?” The DOJ’s new policy (PDF) borrows language from a Library of Congress rulemaking (PDF) on the Digital Millennium Copyright Act (DMCA), a similarly controversial law that criminalizes production and dissemination of technologies or services designed to circumvent measures that control access to copyrighted works. According to the government, good faith security research means:
“…accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.”
“Security research not conducted in good faith — for example, for the purpose of discovering security holes in devices, machines, or services in order to extort the owners of such devices, machines, or services — might be called ‘research,’ but is not in good faith.”
The new DOJ policy comes in response to a Supreme Court ruling last year in Van Buren v. United States (PDF), a case involving a former police sergeant in Florida who was convicted of CFAA violations after a friend paid him to use police resources to look up information on a private citizen.
But in an opinion authored by Justice Amy Coney Barrett, the Supreme Court held that the CFAA does not apply to a person who obtains electronic information that they are otherwise authorized to access and then misuses that information.
Orin Kerr, a law professor at University of California, Berkeley, said the DOJ’s updated policy was expected given the Supreme Court ruling in the Van Buren case. Kerr noted that while the new policy says one measure of “good faith” involves researchers taking steps to prevent harm to third parties, what exactly those steps might constitute is another matter.
“The DOJ is making clear they’re not going to prosecute good faith security researchers, but be really careful before you rely on that,” Kerr said. “First, because you could still get sued [civilly, by the party to whom the vulnerability is being reported], but also the line as to what is legitimate security research and what isn’t is still murky.”
Kerr said the new policy also gives CFAA defendants no additional cause for action.
“A lawyer for the defendant can make the pitch that something is good faith security research, but it’s not enforceable,” Kerr said. “Meaning, if the DOJ does bring a CFAA charge, the defendant can’t move to dismiss it on the grounds that it’s good faith security research.”
Kerr added that he can’t think of a CFAA case where this policy would have made a substantive difference.
“I don’t think the DOJ is giving up much, but there’s a lot of hacking that could be covered under good faith security research that they’re saying they won’t prosecute, and it will be interesting to see what happens there,” he said.
The new policy also clarifies other types of potential CFAA violations that are not to be charged. Most of these include violations of a technology provider’s terms of service, and here the DOJ says “violating an access restriction contained in a term of service are not themselves sufficient to warrant federal criminal charges.” Some examples include:
-Embellishing an online dating profile contrary to the terms of service of the dating website;
-Creating fictional accounts on hiring, housing, or rental websites;
-Using a pseudonym on a social networking site that prohibits them;
-Checking sports scores or paying bills at work.
ANALYSIS
Kerr’s warning about the dangers that security researchers face from civil prosecution is well-founded. KrebsOnSecurity regularly hears from security researchers seeking advice on how to handle reporting a security vulnerability or data exposure. In most of these cases, the researcher isn’t worried that the government is going to come after them: It’s that they’re going to get sued by the company responsible for the security vulnerability or data leak.
Often these conversations center around the researcher’s desire to weigh the rewards of gaining recognition for their discoveries with the risk of being targeted with costly civil lawsuits. And almost just as often, the source of the researcher’s unease is that they recognize they might have taken their discovery just a tad too far.
Here’s a common example: A researcher finds a vulnerability in a website that allows them to individually retrieve every customer record in a database. But instead of simply polling a few records that could be used as a proof-of-concept and shared with the vulnerable website, the researcher decides to download every single file on the server.
Not infrequently, there is also concern because at some point the researcher suspected that their automated activities might have actually caused stability or uptime issues with certain services they were testing. Here, the researcher is usually concerned about approaching the vulnerable website or vendor because they worry their activities may already have been identified internally as some sort of external cyberattack.
What do I take away from these conversations? Some of the most trusted and feared security researchers in the industry today gained that esteem not by constantly taking things to extremes and skirting the law, but rather by publicly exercising restraint in the use of their powers and knowledge — and by being effective at communicating their findings in a way that maximizes the help and minimizes the potential harm.
If you believe you’ve discovered a security vulnerability or data exposure, try to consider first how you might defend your actions to the vulnerable website or vendor before embarking on any automated or semi-automated activity that the organization might reasonably misconstrue as a cyberattack. In other words, try as best you can to minimize the potential harm to the vulnerable site or vendor in question, and don’t go further than you need to prove your point.
The European Union Agency for Law Enforcement Cooperation (Europol) has successfully shut down one of the fastest-spreading mobile malware strains in today’s cyber landscape.
According to a statement from Europol, the European Cybercrime Centre (EC3) coordinated with 11 law enforcement agencies around the world to respond to a global campaign involving FluBot, an Android-based malware that was first sighted in December 2020.
Takedown of SMS-based FluBot spyware
International law enforcement operation involving 11 countries
Fastest-spreading mobile malware to date
The Android malware has now been rendered inactive
The FluBot malware spreads through SMS, masquerading as package tracking or voicemail notifications. When an Android user clicks the link in these text messages, they’re prompted to install FluBot, which is disguised as another application.
Once installed, the FluBot app will ask for accessibility permissions, which are used to disable a phone’s security and exfiltrate credentials for the user’s banking accounts and cryptocurrency wallets. The malware then spreads even further by accessing an infected device’s contact list and sending malicious messages to each entry.
After its initial sighting in 2020, FluBot quickly spread through a large number of devices in Spain and Finland. As the malware spread through Europe and Australia, Europol brought in law enforcement agencies from multiple impacted nations (Australia, Belgium, Finland, Hungary, Ireland, the Netherlands, Spain, Sweden, Switzerland, and the United States) to create a joint strategy and offer digital forensic support.
Earlier in May, the Dutch police completed the final takedown and took control of FluBot’s infrastructure, making the malware strain inactive.
Although Europol is still looking for the threat actors behind the campaign, operations like these show that an international infrastructure to proactively respond to malware is still coming together. Concerned users can follow Europol’s guidance on identifying and resetting phones infected with FluBot here.
The Bad
This week, cyber criminals wiped hundreds of unsecured Elasticsearch databases and sent ransom notes to admins demanding 0.012 Bitcoin in exchange for their data.
According to a report, the threat actors responsible have already wiped over 450 indexes, and analysts have identified over 1,200 Elasticsearch databases containing the ransom note.
The attackers use an automated script to handle most of the work, including parsing vulnerable databases, deleting the indexes and dropping a ransom note.
In the ransom note, the attackers demand approximately $620 worth of Bitcoin within seven days. If the initial deadline isn’t met, victims have an additional week to submit a payment before the attackers permanently delete their data.
Although the individual ransoms are only around $620, all 450 ransom payments totals up to almost $280,000. However, at the time of publication, the Bitcoin wallets in the ransom note appear to be empty.
Analysts believe that even if victims paid the ransom, it’s unlikely they would be able to recover their databases. Although an attacker could have exfiltrated the data, researchers pointed out that storing this data would be “prohibitively expensive.”
To mitigate the risk of falling victim to one of these attacks, security experts emphasize that like other cloud resources, Elasticsearch databases should not be Internet-facing unless it’s necessary for day-to-day operations. Enforcing multi-factor authentication (MFA) and adopting strong cloud security measures are also essential.
While these attacks aren’t unique, such widespread campaigns also provide an alarming reminder that organizations should review their cloud security policies to ensure they’re properly protected.
The Ugly
Security researchers have identified and are working to quickly respond to a critical zero-day vulnerability in Microsoft Windows’ Support Diagnostic Tool (ms-msdt), tracked as CVE-2022-30190 and dubbed “Follina”.
Follina allows threat actors to execute arbitrary code on a vulnerable machine by calling the tool’s ms-msdt protocol, and impacts all Windows versions currently supported by Microsoft.
While the most commonly observed approaches abuse Microsoft .doc and .rtf files to call the ms-msdt protocol and execute malicious code, other execution methods such as using WGET are continuing to emerge as the zero-day gains traction.
In recent weeks, researchers identified the first public sample of a malicious Word document designed to abuse this vulnerability, and observed both a Belarus-based threat actor exploiting the flaw through Word’s ability to load HTML to execute PowerShell code, and a Chinese APT using a C2 domain (tibet-gov.web[.]app) to execute their code.
Follina has the potential to impact unprepared organizations in a not dissimilar way to the recent log4j vulnerability. As in that case, security teams are strongly advised to be proactive and to determine the risk and take appropriate mitigation steps without delay.
https://phxtechsol.com/wp-content/uploads/2022/06/1f6a8.png7272Phoenix Technologyhttps://phxtechsol.com/wp-content/uploads/2017/02/PTS-Horiz-logo-1-1200-300x53.jpgPhoenix Technology2022-06-03 15:31:222022-06-03 15:31:30The Good, the Bad and the Ugly in Cybersecurity – Week 23
Cybercriminals often look at different methods to gain an organization’s sensitive data. One common way is to abuse the AdminSDHolder object in Active Directory. This post discusses how attackers can add accounts with sufficient access to the AdminSDHolder object and end up gaining complete control of the Active Directory environment.
What is an AdminSDHolder?
Active Directory Domain Services (AD DS) use the AdminSDHolder object and the Security Descriptor propagator (SDProp) process to secure privileged users and groups. The AdminSDHolder object has a unique Access Control List (ACL), which controls the permissions of security principals that are members of built-in privileged Active Directory groups. The SDProp is a process that runs every 60 minutes on the Primary Domain Controller emulator to ensure the AdminSDHolder Access Control List (ACL) is consistent on all privileged users and groups.
How Do Attackers Exploit AdminSDHolder for Persistent Administrative Access to Active Directory?
The AdminSDHolder attack allows attackers to apply changes to the AdminSDHolder object. Attackers can add accounts to the list with the same privileged access as other protected accounts and move laterally. The figure below shows an attacker adding a new account to the ACL in the AdminSDHolder object and granting permissions – either full control or modified rights.
After running SDProp, the user account “poctest” is automatically added to the Security Descriptor of the Domain Admins group, giving “poctest” full control or modify permission on the group. This new user account added can change the Domain Admins group membership. Note that the user account “poctest” has no group membership. Despite not being a member of any groups, attackers can use this new account to modify the group membership of Domain Admins. You can run the PowerShell command below to check the group membership.
> get-aduser poctest -properties memberof
Detect and Report AdminSDHolder ACL Exposure
Active Directory misconfigurations significantly increase the risk of advanced attacks. The Ranger® AD Assessor (Ranger AD) solution continuously monitors AD exposures and detects unprivileged ACLs in AdminSDHolder that could lead to malicious activity.
Security admins must identify who currently possesses permissions/access as per the organization’s existing access policies, monitor the default configured ACLs, and review access permissions for objects that are members of privileged groups on the AdminSDHolder object.
The following security steps can adequately mitigate the risks of unprivileged AD exposures:
Security admins can verify and remove unprivileged users from the AdminSDHolder ACL. As shown in the figure below, the Security tab displays the ACL applied to all members of protected groups.
Monitor users and groups with adminCount = 1 to identify accounts with ACLs set by SDProp. The PowerShell AD cmdlets output below shows users with security ACLs set by SDProp.
Conclusion
AdminSDHolder object offers attackers opportunities to exploit user accounts and groups to take relative control of the Active Directory environment. Organizations must identify all unprivileged users that pose potential risks. The Ranger® AD solution provides real-time detection of AD privilege escalations. Assessing and monitoring the rights of specific privileged domain objects will reduce the attacker’s ability to modify the most privileged groups in Active Directory.
https://phxtechsol.com/wp-content/uploads/2022/06/Protecting-Your-Active-Directory-from-AdminSDHolder-Attacks.jpg6281200Phoenix Technologyhttps://phxtechsol.com/wp-content/uploads/2017/02/PTS-Horiz-logo-1-1200-300x53.jpgPhoenix Technology2022-06-02 15:21:372022-06-02 15:21:44Protecting Your Active Directory from AdminSDHolder Attacks
On May 27th 2022, @nao_sec identified a malicious Microsoft Word document using a “ms-msdt” protocol scheme for arbitrary code execution.
As the industry continues to identify novel ways to abuse this ability over the weekend, Microsoft assigned it as CVE-2022-30190.
Similar to what we observed with Log4j, the methods of execution and outcomes of this vulnerability continue to expand as it gains more researcher and attacker attention.
Specific attackers have been observed exploiting the vulnerability. Chinese APTs have potentially made use of it around May 20th, 2022, but first samples identified as easily as mid-April 2022.
Defenders should consider it a critical vulnerability and seek mitigation steps immediately. Additional effort should then be made to hunt for execution prior to public knowledge as attackers could have already abused it.
Background
Concerns are rising after Microsoft confirmed that its Microsoft Windows Support Diagnostic Tool (ms-msdt) contains a zero-click remote code execution vulnerability. The zero day appears to have been exploited in the wild since at least early April 2022, based on current reports.
The vulnerability, dubbed “Follina”, makes use of how the ms-msdt handles URLs. In its simplest form, calling ms-msdt can allow attackers to execute code on a machine. The vulnerability impacts all Windows versions currently supported by Microsoft.
The call to ms-msdt with code execution is most commonly being reported on through the abuse of Microsoft ,.doc and .rtf files. However, as we continue to gain new insight into the vulnerability, newer methods are coming to light. For example as Will Dormann observed, a WGET to an attacker domain can return HTML content with the call to ms-msdt to run code on the machine running the WGET.
Observed Threat Activity
Since we are in the very early stages of this vulnerability being publicly known, we expect to update this section as we continue our analysis and research. However, at the time of writing our colleagues from Malwarebytes identified the first public sample (f531a7c270d43656e34d578c8e71bc39) of a matching Word document on April 12th 2022. This sample is themed around the Russian invasion of Ukraine.
On May 27th 2022, @nao_sec tweeted about a file uploaded to VirusTotal from Belarus (52945af1def85b171870b31fa4782e52) that uses Word’s external link to load HTML and then uses the “ms-msdt” scheme to execute PowerShell code. In this sample, the file beacons out to xmlformats[.]com, which at the time of discovery resolved to 141[.]105.65.149. Note that the actor behind this particular sample began their infrastructure build around May 19th.
Subsequently, on May 30th 2022, a Chinese APT was observed by Proofpoint abusing the vulnerability through the C2 domain tibet-gov.web[.]app.
Group Policy Editor -> Computer Configuration -> Administrative Templates -> System -> Troubleshooting and Diagnostics -> Scripted Diagnostics. Set "Troubleshooting: Allow users to access and run Troubleshooting Wizards" to "disabled".
Microsoft has also recommended disabling the MSDT URL Protocol by executing the following command:
reg delete HKEY_CLASSES_ROOTms-msdt /f
SentinelOne vs CVE-2022-30190 (Follina)
The SentinelOne agent detects the execution of known “Fallina” samples exploiting CVE-2022-30190.
SentinelOne customers can use the following STAR rule for real-time behavioral detection or as a hunting rule in Deep Visibility:
EndpointOS = "windows" AND
EventType = "Process Creation" AND
TgtProcName Contains Anycase "msdt.exe" AND
TgtProcCmdLine Contains Anycase "PCWDiagnostic" AND
(TgtProcCmdLine Contains Anycase "IT_BrowseForFile" OR
TgtProcCmdLine Contains Anycase "IT_RebrowseForFile")
In the past, organizations might have been able to get away with firewalls and antivirus software as their primary defenses against cybercriminals. Unfortunately, those days are long gone. Defending against today’s threats requires a more active approach capable of evolving alongside attackers and their ever-changing tactics. “Set it and forget it” security tools are no longer an option. Today’s organizations need to continuously evaluate the effectiveness of their security controls, identifying potential weaknesses, vulnerabilities, compliance issues, and other problems.
Determining the effectiveness of these tools isn’t always easy, though. What’s more, company leaders are generally interested in knowing more than just how security solutions deal with threats. They want to understand the value the tools provide and whether they are generating enough ROI to justify continued use, which can be difficult to measure in specific, quantifiable terms. Fortunately, there are options available. Organizations seeking to understand the performance of their security solutions better should focus on a few key areas.
1. Gauging Attack Surface Awareness
Building a wall to keep attackers at bay isn’t sufficient in today’s threat landscape. Eventually, one or more will get in. It simply isn’t possible to stop 100% of threats, meaning that security should shift from focusing on perimeter protection to in-network detection. To be successful, organizations need awareness of things like exposed credentials, misconfigurations, potential attack paths, and other vulnerabilities that attackers are likely to exploit.
There is a wide range of tools available that can help. Endpoint Detection and Response (EDR) tools provide visibility into attacks on endpoints, while Extended Detection and Response (XDR) tools expand upon those capabilities by integrating with other solutions. Attackers will almost always look to compromise Active Directory (the service that handles authentication throughout the enterprise), which is notoriously difficult to secure. Detection tools capable of identifying suspicious AD queries and other potential attack activity can help prevent the nightmare scenario of a compromised AD.
Of course, identity security is also increasingly critical. While traditional EDR tools and AD security solutions don’t offer the identity protection needed in today’s environments, Identity Threat Detection and Response (ITDR) solutions have emerged to fill that gap.
It all comes down to coverage. Organizations can assess the degree of awareness they have in the network. Identity controls without endpoint protections can leave their networks dangerously vulnerable, as can endpoint protections with AD security. And as more and more organizations embrace the cloud, new cloud environments will expand the attack surface even further. Ensuring sufficient visibility across the entire network is a critical first step in assessing the effectiveness of an organization’s tools.
2. Investigating Permissions and Entitlements
Overprovisioning is a serious problem today. IT teams generally do not want to interfere with business operations, which means it is easier to provide users and other identities with more permissions than they need rather than risk impeding someone’s job function. Unfortunately, identities often end up with entitlements that far outstrip what they actually need to do their jobs. Consequently, when attackers compromise those identities, they also have access to far more data than they otherwise would have.
Implementing a Zero Trust Architecture (ZTA) is one way of dealing with this challenge, providing identities with only the minimum level of access they need to function and continuously validating that they are who or what they say they are. To that end, organizations need tools to identify excessive permissions and other potential vulnerabilities throughout the network. Organizations should regularly audit and update these permissions to ensure they remain appropriate, and that someone can examine those audits. How many excessive permissions were detected? How many obsolete or orphaned credentials did they expunge? Proper awareness across the network can help IT teams gauge how effectively they are managing their permissions.
3. Measuring and Improving Detection Accuracy
Security alerts are good—ostensibly, they indicate that security tools are functioning correctly and detecting threats. Unfortunately, that isn’t always the case. Suspicious-looking activity often turns out to be harmless, resulting in a false alarm that wastes the security team’s time with useless investigation. These false alerts can result in alert fatigue, with excessive false alarms drowning out the actual threats needing remediation.
Tracking the false positive reporting rate (FPRR) can help security personnel understand the quality of their alerts. If the FPRR is too high, it may be time to look into newer, more accurate tools. Today’s detection technology often comes armed with artificial intelligence and machine learning (AI and ML) capabilities that allow them to learn over time and substantiate alerts before relaying them to the security team. These high-fidelity alerts reduce the overall alert volume and enable network defenders to focus on actual threats rather than chasing ghosts.
4. Understanding the Effectiveness of Automation
Automation is useful for more than reducing false alarms. It isn’t always feasible to manually remediate all threats at today’s attack volumes. Fortunately, today’s tools can automatically correlate attack information from different sources and display it on a single dashboard for assessment. By creating playbooks for certain types of attack activity, these tools can automatically remediate specific threats before even bringing them to the attention of a defender. This automation accelerates and simplifies incident response, addressing threats as soon as they are detected and stopping them before they can escalate and spread throughout the network.
Incident response volume is a good way to gauge how effective these controls are. The number of incidents reported as open, closed, or pending can provide insight into how well automated tools deal with threats. Too many open or pending incidents doesn’t bode well, but a significant number of verifiably closed cases means the system is doing its job.
Conclusion
Today’s threats are wide-ranging, and modern attackers don’t just focus on large organizations. Everyone is at risk, and organizations large and small need to have appropriate protections in place and the knowledge and resources necessary to gauge their efficacy. Fortunately, assessing things like network visibility, entitlement management, and incident and false alarm reporting can help organizations determine their overall network health and how well their defenses are faring.
This information can also help security teams generate additional buy-in from CISOs and corporate boards when enhancing and expanding their network defense capabilities. As attackers evolve, network defense tools evolve alongside them, and helping today’s business leaders understand the steps needed to stay one step ahead of the cybercriminals is essential. Given that the average cost of a data breach in 2021 rose to $4.24 million, effective security solutions have never been more critical.
https://phxtechsol.com/wp-content/uploads/2022/06/Measuring-the-Effectiveness-of-Your-Security-Controls-3.jpg6281200Phoenix Technologyhttps://phxtechsol.com/wp-content/uploads/2017/02/PTS-Horiz-logo-1-1200-300x53.jpgPhoenix Technology2022-06-01 15:12:302022-06-01 15:12:334 Steps Toward Successfully Measuring the Effectiveness of Your Security Controls
We may request cookies to be set on your device. We use cookies to let us know when you visit our websites, how you interact with us, to enrich your user experience, and to customize your relationship with our website.
Click on the different category headings to find out more. You can also change some of your preferences. Note that blocking some types of cookies may impact your experience on our websites and the services we are able to offer.
Essential Website Cookies
These cookies are strictly necessary to provide you with services available through our website and to use some of its features.
Because these cookies are strictly necessary to deliver the website, refusing them will have impact how our site functions. You always can block or delete cookies by changing your browser settings and force blocking all cookies on this website. But this will always prompt you to accept/refuse cookies when revisiting our site.
We fully respect if you want to refuse cookies but to avoid asking you again and again kindly allow us to store a cookie for that. You are free to opt out any time or opt in for other cookies to get a better experience. If you refuse cookies we will remove all set cookies in our domain.
We provide you with a list of stored cookies on your computer in our domain so you can check what we stored. Due to security reasons we are not able to show or modify cookies from other domains. You can check these in your browser security settings.
Google Analytics Cookies
These cookies collect information that is used either in aggregate form to help us understand how our website is being used or how effective our marketing campaigns are, or to help us customize our website and application for you in order to enhance your experience.
If you do not want that we track your visit to our site you can disable tracking in your browser here:
Other external services
We also use different external services like Google Webfonts, Google Maps, and external Video providers. Since these providers may collect personal data like your IP address we allow you to block them here. Please be aware that this might heavily reduce the functionality and appearance of our site. Changes will take effect once you reload the page.
Google Webfont Settings:
Google Map Settings:
Google reCaptcha Settings:
Vimeo and Youtube video embeds:
Other cookies
The following cookies are also needed - You can choose if you want to allow them: