Connect with us

Featured

Spy vs Spy in hacker wars

Published

on

Kaspersky Labs has revealed that hackers are now hacking other attack groups, using their tools and stealing victim data, making more difficult to gather accurate threat intelligence.

Sophisticated threat actors are actively hacking other attack groups in order to steal victim data, borrow tools and techniques and re-use each other’s infrastructure – making accurate threat intelligence ever harder for security researchers, according to Kaspersky Lab’s Global Research and Analysis Team (GReAT).

Accurate threat intelligence relies on identifying the patterns and tools that signpost a particular threat actor. Such knowledge allows researchers to better map different attackers’ goals, targets and behaviours, and to help organisations determine their level of risk. When threat actors start hacking each other and taking over tools, infrastructure and even victims, this model quickly starts to break down.

Kaspersky Lab believes that such attacks are likely to be implemented mainly by nation-state backed groups, targeting foreign or less competent actors. It is important that IT security researchers learn how to spot and interpret the signs of these attacks, so that they can present their intelligence in context.

In a detailed review of the opportunities for such attacks, GReAT researchers identified two main approaches: passive and active. Passive attacks involve intercepting other groups’ data in transit, for example as it moves between victims and command and control servers – and are almost impossible to detect. The active approach involves infiltrating another threat actor’s malicious infrastructure.

There is a greater risk of detection in the active approach, but it also offers more benefits as it allows the attacker to extract information on a regular basis, monitor its target and their victims, and potentially even insert its own implants or mount attacks in the name of its victim. The success of active attacks relies heavily on the target making mistakes in operational security.

GReAT has encountered a number of strange and unexpected artefacts while investigating specific threat actors that suggest such active attacks are already happening in-the-wild.

Examples include:

  1. Backdoors installed in another entity’s command-and-control (C&C) infrastructure

Installing a backdoor in a hacked network allows attackers to establish persistence inside the operations of another group. Kaspersky Lab researchers have found what appear to be two in-the-wild examples of such backdoors.

One of these was found in 2013, while analysing a server used by NetTraveler, a Chinese-language campaign targeting activists and organisations in Asia. The second one was found in 2014, while investigating a hacked website used by Crouching Yeti (also known as Energetic Bear), a Russian-language threat actor targeting the industrial sector since 2010. The researchers noticed that, for a brief period of time, the panel managing the C&C network was modified with a tag that pointed to a remote IP in China (likely a false flag). The researchers believe this was also a backdoor belonging to another group, although there are no indicators as to who this might be.

  1. Sharing hacked websites

In 2016, Kaspersky Lab researchers found that a website compromised by the Korean-language DarkHotel also hosted exploit scripts for another targeted attacker, which the team called ScarCruft, a group targeting mainly Russian-, Chinese- and South Korean- organisations. The DarkHotel operation dates from April 2016, while the ScarCruft attacks were implemented a month later, suggesting that ScarCruft may have observed the DarkHotel attacks before launching its own.

  1. Targeting-by-proxy

Infiltrating a group with an established stake in a certain region or industry sector enables an attacker to reduce costs and improve targeting, benefiting from the specialist expertise of its victim.

Some threat actors share rather than steal victims. This is a risky approach if one of the groups is less advanced and gets caught, as the inevitable forensic analysis that follows will also reveal the other intruders. In November 2014, Kaspersky Lab reported that a server belonging to a research institution in the Middle East, known as the Magnet of Threats, simultaneously hosted implants for the highly sophisticated threat actors Regin and Equation Group (English-language), Turla and ItaDuke (Russian-language), as well as Animal Farm (French-language) and Careto (Spanish). In fact, this server was the starting point for the discovery of the Equation Group.

“Attribution is hard at the best of times as clues are rare and easily manipulated, and now we also have to factor in the impact of threat actors hacking each other. As more groups leverage each other’s toolkits, victims and infrastructure, insert their own implants or adopt the identity of their victim to mount further attacks, where will that leave threat hunters trying to build a clear, accurate picture? Our examples hint that some of this is already happening in-the-wild and threat intelligence researchers will need to pause and adapt their thinking when it comes to analysing the work of advanced threat actors,” said Juan Andres Guerrero-Saade, Principal Security Researcher, Global Research and Analysis Team, Kaspersky Lab.

In order to keep pace with the rapidly evolving threat landscape, Kaspersky Lab advises enterprises to implement a full-scale security platform combined with cutting-edge threat intelligence. Kaspersky Lab’s enterprise security portfolio provides businesses with threat prevention through its next-generation endpoint security suite, detection based on the Kaspersky Anti Targeted Attack platform, and prediction and incident response through its threat intelligence services.

Further details on ways in which threat actors acquire and reuse elements of other groups, including tool repurposing and malware clustering, and their ramifications for threat intelligence can be found in the paper, Walking in your enemy’s shadow: when fourth-party collection becomes attribution hell.

Featured

Gadget goes to Hollywood

Gadget visited the Netflix studios last week. In the first of a series, ARTHUR GOLDSTUCK talks to CEO Reed Hastings.

Published

on

Netflix CEO Reed Hastings is no stranger to Africa. He has travelled throughout South Africa, taught maths in Swaziland for two years with the Peace Corps, and visits close family in Maputo. As a result, he is keenly aware of the South African entertainment and connectivity landscape.

In an exclusive interview at the Netflix studios in Hollywood, Los Angeles, last week, he revealed that Netflix had no intentions of challenging MultiChoice’s dominance of live sports broadcasting on the continent.

“Other firms will do sport and news; we are trying to focus on movies and TV shows,” he said. “There are a lot of areas that are video that we are not doing: sports, news, video gaming, user-generated content. We don’t have live sport.

Reed Hastings at the Netflix studios in Hollywood last week. Pic: ADAM ROSE

“We’re not replacing MultiChoice at all. Their subscriber growth is steady in South Africa. They serve a need that’s independent of the Internet, via low-price satellite. There is no intention of capturing that audience. If they’re growing, it’s because they serve a need.”

While Reed ruled out any collaboration with MultiChoice on its satellite delivery platform, despite its collaboration with another pay-TV service, Sky TV in the United Kingdom, he did not close the door. He stressed that Netflix saw itself as an Internet-based service, and would pursue the opportunities offered by evolving broadband in Africa.

“If you look in other markets like the USA, how Comcast carries us on set-top boxes with their other services, it could happen with MultiChoice, the same as with all the pay-TV providers.

“We’re really focused on being a service over the Internet and not over satellite. Our service doesn’t work on satellite. Where we work with Sky is on Internet-connected devices. We’re happy to work on Internet-connected devices. We tend to work on smart TVs, but need broadband Internet for that.

“Broadband is getting faster in Nigeria, Tanzania, Kenya and South Africa – we can see the positive trendlines – so it’s more likely we will work with broadband Internet companies.”

Hastings is a firm believer in the idea that one content provider’s success does not depend on pushing another down.

“HBO has grown at the same time as we have, so can see our success doesn’t determine their success. What matters is amazing content with which the world falls in love.”

Click here to read on about Hastings’ views on international expansion, and how the streaming service selects content for its platform.

Previous Page1 of 2

Continue Reading

Featured

Take these 5 steps to digital

Published

on

By MARK WALKER, Associate Vice President for Sub-Saharan Africa at IDC Middle East, Africa and Turkey.

Digital transformation isn’t a buzz word because it sounds nice and looks good on the business CV. It is fundamental to long-term business success. IDC anticipates that 75% of enterprises will be on the path to digital transformation by 2027. 

However, digital transformation is not a process that ticks a box and moves to the next item on the agenda – it is defined by the organisation’s shift towards a digitally empowered infrastructure and employee. It is an evolution across system, infrastructure, process, individual and leadership and should follow clear pathways to ensure sustainable success.

The nature of the enterprise has changed completely with the influence of digital, cloud and the Fourth Industrial Revolution (4IR), and success is reliant on strategic change.

There is a lot more ownership and transparency throughout the organisation and there is a responsibility that comes with that – employees want access to information, there has to be speed in knowledge, transactions and engagement. To ensure that the organisation evolves alongside digital and demand, it has to follow five very clear pathways to long-term, achievable success.

The first of these is to evaluate where the enterprise sits right now in terms of its digital journey. This will differ by organisation size and industry, as well as its reliance on technology. A smaller organisation that only needs a basic accounting function or the internet for email will have far different considerations to a small organisation that requires high-end technology to manage hedge funds or drive cloud solutions. The same comparisons apply to the enterprise-level organisation. The mining sector will have a completely different sub-set of technology requirements and infrastructure limitations to the retail or finance sectors.

Ultimately, every organisation, regardless of size or industry, is reliant on technology to grow or deliver customer service, but their digital transformation requirements are different. To ensure that investment into artificial intelligence (AI), machine learning, knowledge engines, automation and connectivity are accurately placed within the business and know exactly where the business is going.

The second step is to examine what the business wants to achieve. Again, the goals of the organisation over the long and short term will be entirely sector dependent, but it is essential that it examine what the competitive environment looks like and what influences customer expectations. This understanding will allow for the business to hone its digital requirements accordingly.

The third step is to match expectations to reality. You need to see how you can move your digital transformation strategy forward and what areas require prioritisation, what funding models will support your digital aspirations, and how this tie into what the market wants. Ultimately, every step of the process has to be prioritised to ensure it maps back to where you are and the strategic steps that will take you to where you want to go.

The fourth step is to look at the operational side of the process. This is as critical as any other aspect of the transformation strategy as it maps budget to skills to infrastructure in such a way as to ensure that any project delivers return on investment. Budget and funding are always top of mind when it comes to digital transformation – these are understandably key issues for the business. How will it benefit from the investment? How will it influence the customer experience? What impact will this have on the ongoing bottom line? These questions tie neatly into the fifth step in the process – the feedback loop.

This is often the forgotten step, but it is the most important. The feedback loop is critical to ensuring that the digital transformation process is achieving the right results, that the right metrics are in place, and that the needle is moving in the right direction. It is within this feedback loop that the organisation can consistently refine the process to ensure that it moves to each successive step with the right metrics in place.

There is also one final element that every organisation should have in place throughout its digital evolution. An element that many overlook – engagement. There must be a real desire to change, from the top of the organisation right down to the bottom, and an understanding of what it means to undertake this change and why it is essential. This is why this will be a key discussion at the 2019 IDC South Africa CIO Summit taking place in April this year. With this in place, the five steps to digital transformation will make sense and deliver the right results.

Continue Reading

Trending

Copyright © 2018 World Wide Worx