Tag Archives: threat intelligence

AI in Cyberattacks: A Closer Look at Emerging Threats for 2025

Posted on by
Reply

 

The complex interplay between technological advancement and cyber threats is reaching unprecedented heights. As artificial intelligence (AI) evolves, it presents both transformative opportunities and significant perils in the realm of cyberattacks. Cybercriminals are leveraging AI to devise more sophisticated and cunning threats, shifting the paradigm of how these dangers are understood and countered.

RedHacker3

AI’s influence on cyberattacks is multifaceted and growing in complexity. AI-powered tools are now utilized to develop advanced malware and ransomware, enhance phishing tactics, and even create convincing deepfakes. These advancements foreshadow a challenging landscape by 2025, as cybercriminals sharpen their techniques to exploit vulnerabilities in ubiquitous technologies—from cloud computing to 5G networks.

In response to the evolving threat landscape, our methods of defense must adapt accordingly. The integration of AI into cybersecurity strategies offers powerful countermeasures, providing innovative ways to detect, deter, and respond decisively to these high-tech threats. This article explores the emerging tactics employed by cybercriminals, the countermeasures under development, and the future prospects of AI in cybersecurity.

The Role of AI in Cyberattacks

As we approach 2025, the landscape of cyber threats is increasingly shaped by advancements in artificial intelligence. AI is revolutionizing the way cyberattacks are conducted, allowing for a level of sophistication and adaptability that traditional methods struggle to compete with. Unlike conventional cyber threats, which often follow predictable patterns, AI-driven attacks are dynamic and capable of learning from their environment to evade detection. These sophisticated threats are not only more difficult to identify but also require real-time responses that traditional security measures are ill-equipped to provide. As AI continues to evolve, its role in cyberattacks becomes more pronounced, highlighting the urgent need for integrating AI-driven defenses to proactively combat these threats.

AI as a Tool for Cybercriminals

AI has significantly lowered the barrier to entry for individuals looking to engage in cybercrime, democratizing access to sophisticated tools. Even those with minimal technical expertise can now launch advanced phishing campaigns or develop malicious code, thanks to AI’s ability to automate complex processes. This technology also allows cybercriminals to launch adaptive attacks that grow more effective over time, challenging traditional cybersecurity defenses. AI plays a critical role in the emergence of Cybercrime-as-a-Service, where even unskilled hackers can rent AI-enhanced tools to execute complex attacks. Additionally, machine learning models enable faster and more efficient password cracking, giving cybercriminals an edge in breaking into secure systems.

AI-Driven Malware and Ransomware

AI-driven malware is reshaping the threat landscape by making attacks more efficient and harder to counter. Ransomware, enhanced by AI, automates the process of identifying data and optimizing encryption, which poses significant challenges for mitigation efforts. Malicious GPTs, or modified AI models, can generate complex malware and create supportive materials like fake emails, enhancing the efficacy of cyberattacks. The rise of AI-driven Cybercrime-as-a-Service in 2025 allows less experienced hackers to wield powerful tools, such as ransomware-as-a-service, to launch effective attacks. Self-learning malware further complicates security efforts, adapting seamlessly to environments and altering its behavior to bypass traditional defenses, while AI-driven malware utilizes automated DDoS campaigns and sophisticated credential-theft techniques to maximize impact.

Enhancing Phishing with AI

Phishing attacks, a longstanding cyber threat, have become more sophisticated with the integration of AI. This technology enables the creation of highly personalized and convincing phishing emails with minimal manual effort, elevating the threat to new heights. AI’s ability to process large datasets allows it to craft messages that are tailored to individual targets, increasing the likelihood of successful infiltration. As these attacks become more advanced, traditional email filters and user detection methods face significant challenges. Preparing for these AI-enhanced threats necessitates a shift towards more proactive and intelligent security systems that can detect and neutralize adaptive phishing attacks in real-time.

The Threat of Deepfakes

Deepfakes represent a growing challenge in the cybersecurity domain, harnessing AI to create realistic impersonations that can deceive users and systems alike. As AI technology advances, these synthetic audio and video productions become increasingly difficult to distinguish from authentic content. Cybercriminals exploit deepfakes for purposes such as misinformation, identity theft, and reputational damage, thereby eroding trust in digital platforms. Organizations must use AI-based detection tools and educate employees on identifying these sophisticated threats to maintain their digital integrity. Furthermore, the rise of AI-powered impersonation techniques complicates identity verification processes, necessitating the development of new strategies to validate authenticity in online interactions.

Emerging Tactics in AI-Driven Attacks

In 2025, AI-driven cyberattacks are poised to escalate significantly in both scale and sophistication, presenting formidable challenges for detection and mitigation. Malicious actors are capitalizing on advanced algorithms to launch attacks that are not only more efficient but also difficult to counteract. Their adaptability enables these attacks to dynamically adjust to the defenses deployed by their targets, thus enhancing their effectiveness. AI systems can analyze vast quantities of data in real-time, allowing them to identify potential threats before they fully materialize. Consequently, the cybersecurity industry is intensifying efforts to integrate AI into security measures to predict and counter these threats proactively, ensuring that security teams are equipped to manage the rapidly evolving threat landscape.

Understanding AI Phishing

AI phishing attacks have transformed the cyber threat landscape by leveraging generative AI to create communications that appear exceedingly personalized and realistic. These communications can take the form of emails, SMS messages, phone calls, or social media interactions, often mimicking the style and tone of trusted sources to deceive recipients. Machine learning empowers these attacks by allowing them to evade traditional security measures, making them more challenging to detect. AI-driven phishing schemes can automate the entire process, providing outcomes similar to human-crafted attacks but at a significantly reduced cost. As a result, a notable increase in sophisticated phishing incidents has been observed, impacting numerous organizations globally in recent years.

Transition to Vishing (Voice Phishing)

Emerging as a novel threat, vishing or voice phishing employs AI to enhance the traditional scams, enabling wider and more efficient campaigns with minimal manual input. This method intensifies the effectiveness and sophistication of attacks, as AI-driven vishing can dynamically adjust to the defenses of targets. Unlike traditional, static cyber attacks, AI-enhanced vishing scams modify their tactics on-the-fly by monitoring defenses in real-time, making them harder to identify and mitigate. As this threat continues to evolve, businesses must employ proactive AI-driven defenses that can anticipate and neutralize potential vishing threats before they inflict damage. The incorporation of AI-driven security systems becomes vital in predicting and countering these evolving cyber threats.

Exploiting Zero-Day Vulnerabilities

AI-enabled tools are revolutionizing vulnerability detection by quickly scanning extensive codebases to identify zero-day vulnerabilities, which pose significant risks due to their unpatched nature. These vulnerabilities provide an open door for exploit that threat actors can use, often generating automated exploits to take advantage of these weaknesses rapidly. Concerns are growing that the progression of AI technologies will allow malicious actors to discover zero-day vulnerabilities with the same proficiency as cybersecurity professionals. This development underscores the importance of programs like Microsoft’s Zero Day Quest bug bounty, aiming to resolve high-impact vulnerabilities in cloud and AI environments. The rapid escalation of AI-driven zero-day phishing attacks means that defenders have a narrower window to react, necessitating robust response systems to address cybersecurity challenges effectively.

Targeting Cloud Environments

Cloud environments are becoming increasingly susceptible to AI-driven cyberattacks, which employ machine learning to circumvent standard protections and breach cloud systems. The sophistication of AI-powered impersonation necessitates enhanced identity verification to safeguard digital identities. Organizations must therefore integrate AI-driven defenses capable of identifying and neutralizing malicious activities in real-time. AI-assisted detection and threat hunting are instrumental in recognizing AI-generated threats targeting these environments, such as synthetic phishing and deepfake threats. With cloud infrastructures being integral to modern operations, adopting proactive AI-aware cybersecurity frameworks becomes essential to anticipate and thwart potential AI-driven intrusions before they cause irreparable harm.

Threats in 5G Networks

The expansion of IoT devices within 5G networks significantly enlarges the attack surface, presenting numerous unsecured entry points for cyber threats. Unauthorized AI usage could exploit these new attack vectors, compromising vital data security. In this context, AI-powered systems will play a crucial role in 2025 by utilizing predictive analytics to identify and preempt potential threats in real-time within 5G infrastructures. Agentic AI technologies offer tremendous potential for improving threat detection and neutralization, securing 5G networks against increasingly sophisticated cyber threats. As the threat landscape continues to evolve, targeting these networks could result in a global cost burden potentially reaching $13.82 trillion by 2032, necessitating vigilant and innovative cybersecurity measures.

Countermeasuring AI Threats with AI

As the cyber threat landscape evolves, organizations need a robust defense mechanism to safeguard against increasingly sophisticated AI-driven threats. With malicious actors utilizing artificial intelligence to launch more complex and targeted cyberattacks, traditional security measures are becoming less effective. To counter these AI-driven threats, organizations must leverage AI-enabled tools to automate security-related tasks, including monitoring, analysis, and patching. The use of such advanced technologies is paramount in identifying and remediating AI-generated threats. The weaponization of AI models, evident in dark web creations like FraudGPT and WormGPT, underscores the necessity for AI-aware cybersecurity frameworks. These frameworks, combined with AI-native solutions, are crucial for dissecting vast datasets and enhancing threat detection capabilities. By adopting AI-assisted detection and threat-hunting tools, businesses can better handle synthesized phishing content, deepfakes, and other AI-generated risks. The integration of AI-powered identity verification tools also plays a vital role in maintaining trust in digital identities amidst AI-driven impersonation threats.

AI in Cyber Defense

AI is revolutionizing the cybersecurity industry by enabling real-time threat detection and automated responses to evolving threats. By analyzing large volumes of data, AI-powered systems can identify anomalies and potential threats, providing a significant advantage over traditional methods. Malicious actors may exploit vulnerabilities in existing threat detection frameworks by using AI agents, but the same AI technologies can also strengthen defense systems. Agentic AI enhances cybersecurity operations by automating threat detection and response processes while retaining necessary human oversight. Moreover, implementing advanced identity verification that includes multi-layered checks is crucial to counter AI-powered impersonation, ensuring the authenticity of digital communications.

Biometric Encryption Innovations

Biometric encryption is emerging as a formidable asset in enhancing user authentication, particularly as cyber threats become more sophisticated. This technology leverages unique physical characteristics—such as fingerprints, facial recognition, and iris scans—to provide an alternative to traditional password-based authentication. By reducing reliance on static passwords, biometric encryption not only strengthens user authentication protocols but also mitigates the risk of identity theft and impersonation. As a result, businesses are increasingly integrating biometric encryption into their cybersecurity frameworks to safeguard against the dynamic landscape of cyber threats, minimizing potential vulnerabilities and ensuring more secure interactions.

Advances in Machine Learning for Cybersecurity

Machine learning, a subset of AI, is instrumental in transforming cybersecurity strategies, enabling rapid threat detection and predictive analytics. Advanced machine learning algorithms simulate attack scenarios to improve incident response strategies, providing cybersecurity professionals with enhanced tools to face AI-driven threats. While AI holds the potential to exploit vulnerabilities in threat detection models, it also enhances the efficacy of security teams by automating operations and reducing the attack surface. Investments in AI-enhanced cybersecurity solutions reflect a strong demand for robust, machine-learning-driven techniques, empowering organizations to detect threats efficiently and respond effectively in real time.

Identity and Access Management (IAM) Improvements

The integration of AI-powered security tools into Identity and Access Management (IAM) systems significantly bolsters authentication risk visibility and threat identification. These systems, critical in a digitized security landscape, enhance the foundation of cyber resilience by tackling authentication and access control issues. Modern IAM approaches include multilayered identity checks to combat AI-driven impersonations across text, voice, and video—recognizing traditional digital identity trust as increasingly unreliable. Role-based access controls and dynamic policy enforcement are pivotal in ensuring users only have essential access, preserving the integrity and security of sensitive systems. As AI-driven threats continue to advance, embracing AI capabilities within IAM systems remains vital to maintaining cybersecurity.

Implementing Zero-Trust Architectures

Zero-Trust Architecture represents a paradigm shift in cybersecurity by emphasizing least-privilege access and continuous verification. This model operates on the principle of never trusting, always verifying, where users and devices’ identities and integrity are continually assessed before access is granted. Such a dynamic approach ensures real-time security policy adaptation based on emerging threats and user behaviors. Transitioning to Zero-Trust minimizes the impact of breaches by compartmentalizing network resources, ensuring that access is granted only as necessary. This proactive strategy stresses the importance of continuous monitoring and data-driven analytics, effectively moving the focus from reactive measures to a more preemptive security posture, in anticipation of future AI-driven threats.

Preparing for AI-Enabled Cyber Threats

As we near 2025, the landscape of cyber threats is becoming increasingly complex, driven by advances in artificial intelligence. AI-enabled threats have the sophisticated ability to identify system vulnerabilities, deploy widespread campaigns, and establish undetected backdoors within infrastructures, posing a significant risk to data integrity and security. Cybersecurity professionals are finding these AI-driven threats challenging, as threat actors can exploit weaknesses in AI models, leading to novel forms of cybercrime. The critical need for real-time AI-driven defenses becomes apparent as businesses strive to recognize and neutralize malicious activities as they occur. Organizations must prioritize preparing for AI-powered cyberattacks to maintain resilience against these evolving threats. Traditional security measures are becoming outdated in the face of AI-powered cyberattacks, thus compelling security teams to adopt advanced technologies that focus on early threat detection and response.

Developing AI Resilience Strategies

The development of AI resilience strategies is essential as organizations prepare to counter AI-driven cyber threats. Robust data management practices, including data validation and sanitization, play a crucial role in maintaining data integrity and security. By leveraging AI’s power to monitor networks continuously, security teams gain enhanced visibility, allowing for the early detection of potential cyber threats. Preparing AI models by exposing them to various attack scenarios during training significantly increases their resilience against real-world adversarial threats. In this evolving threat landscape, integrating AI into cybersecurity strategies provides a notable advantage, enabling preemptive counteraction against emerging risks. AI-enabled agentic cybersecurity holds the promise of automating threat detection and response, thus reducing response time and alleviating the workload on security analysts.

Importance of Cross-Sector Collaborations

Cross-sector collaborations have become vital in adapting to the rapidly evolving AI-driven cyber threat landscape. Public-private partnerships and regional interventions provide a foundation for effective intelligence sharing and identifying new threats. These collaborations between tech companies, cybersecurity vendors, universities, and government agencies enhance cyber resilience and develop best practices. The collective efforts extend beyond individual organizational capabilities, leveraging a diverse expertise pool to tackle systemic cybersecurity challenges strategically. By fostering strong public-private cooperation, sectors can combat cybercrime through unified action, demonstrating the importance of cybersecurity as a strategic priority. Initiatives like the Centres’ collaboration with over 50 partners exemplify the power of alliances in combating AI-driven threats and fortifying cyber defenses.

Upgrading Security Infrastructures

The evolution of AI-driven threats necessitates a comprehensive upgrade of security infrastructures. Organizations must align their IT, security, procurement, and compliance teams to ensure effective modernization of their security measures. Strengthening identity security is paramount and involves deploying centralized Identity and Access Management (IAM), adaptive multi-factor authentication (MFA), and real-time behavioral monitoring. Implementing AI-powered solutions is essential for automating critical security tasks, such as monitoring, analysis, patching, prevention, and remediation. AI-native cybersecurity systems excel in leveraging vast datasets to identify patterns and automate responses, enhancing an organization’s defensive capabilities. As communication modes become more complex, multi-layered identity checks must account for AI-powered impersonation to ensure that verification processes remain secure and robust.

The Role of Continuous Monitoring and Response

Continuous monitoring and response are core components of modern cybersecurity strategies, particularly in the face of sophisticated AI-powered cyberattacks. AI-driven security systems significantly enhance this process by analyzing behavioral patterns to detect anomalies in real time. Automated incident response systems, using AI, can contain breaches much quicker than traditional human-led responses, allowing for more efficient mitigation of threats. The AI algorithms in these systems are designed to learn and evolve, adapting their strategies to effectively bypass static security defenses. As the complexity of attack vectors increases, the need for continuous monitoring becomes critical in adapting quickly to new threats. Advanced AI tools automate vulnerability scanning and exploitation, identifying zero-day and n-day vulnerabilities rapidly, thereby bolstering an organization’s ability to preempt and respond to cyber risks proactively.

The Future of AI in Cybersecurity

Artificial Intelligence (AI) is revolutionizing the field of cybersecurity, playing a pivotal role in enabling real-time threat detection, providing predictive analytics, and automating responses to the ever-evolving landscape of cyber threats. By 2025, the sophistication and scale of AI-driven cyberattacks are anticipated to significantly escalate, pressing organizations to deploy robust, AI-powered defense systems. The global market for AI in cybersecurity is on a path of remarkable growth, expanding from $15 billion in 2021 to a projected $135 billion by 2030. AI technologies are transforming the cybersecurity industry by allowing businesses to pinpoint vulnerabilities far more efficiently than traditional security measures. In this battleground of cybersecurity, AI is not only a tool for defenders but also a weapon for attackers, as both sides leverage AI to enhance their strategies and respond to emerging threats.

Predictions for 2025 and Beyond

The integration of AI into cybersecurity is predicted to greatly enhance threat detection and mitigation abilities by processing extensive data in real-time, enabling swift responses to potential threats. The financial burden of global cybercrime is expected to rise drastically, from an estimated $8.15 trillion in 2023 to $11.45 trillion by 2026, potentially reaching $13.82 trillion by 2027. The increasing impact of AI-powered cyber threats is acknowledged by 78% of Chief Information Security Officers, who report its significant influence on their organizations. To counteract these threats, it’s critical for organizations to cultivate a security-first culture by 2025, incorporating AI-specific cybersecurity training and incident response drills. The accelerating sophistication of AI-driven cyberattacks is reshaping the cybersecurity landscape, creating an imperative for proactive, AI-driven defense strategies. This evolution demands that cybersecurity professionals remain vigilant and adaptive to stay ahead of malicious actors who are constantly innovating their attack methods.

Ethical Implications and Challenges

As AI becomes broadly available, it presents both exciting opportunities and significant risks within the cybersecurity domain. The potential for AI-driven methods to be manipulated by threat actors introduces new vulnerabilities that must be meticulously managed. Balancing the implementation of AI-driven security measures with the ethical necessity for human oversight is crucial in preventing the unauthorized exploitation of AI capabilities. As these technologies advance, ethical challenges emerge, particularly in the context of detecting zero-day vulnerabilities, which can be used exploitatively by both defenders and attackers. Effective mitigation of AI-driven cyberattacks requires an equilibrium between technological innovation and ethical policy development, ensuring that AI is not misused in cybersecurity operations. The expanding application of AI in this field underscores the ethical obligation to pursue continuous monitoring and secure system development, acknowledging that AI’s powerful capabilities can serve both defensive purposes and malicious ends.

More Info and Help from MicroSolved

For organizations looking to fortify their defenses against AI-driven cyber threats, MicroSolved offers expert assistance in AI threat modeling and integrating AI into information security and risk management processes. With the growing complexity of cyber threats, especially those leveraging artificial intelligence, traditional security measures often prove inadequate.

MicroSolved’s team can help your business stay ahead of the threat landscape by providing comprehensive solutions tailored to your needs. Whether you’re dealing with ransomware attacks, phishing emails, or AI-driven attacks on critical infrastructures, they are equipped to handle the modern challenges faced by security teams.

Key Services Offered by MicroSolved:

  • AI Threat Modeling
  • Integration of AI in Cybersecurity Practices
  • Comprehensive Risk Management

For expert guidance or to initiate a consultation, contact MicroSolved at:

By partnering with MicroSolved, you can enhance your organization’s ability to detect and respond to AI-powered cyberattacks in real time, ultimately protecting your digital assets and ensuring cybersecurity resilience in 2025 and beyond.

 

 

* AI tools were used as a research assistant for this content, but human moderation and writing are also included. The included images are AI-generated.

 

 

The Biggest Challenges to Firms using Cyber Threat Intelligence

Posted on by
Reply

Cyber threat intelligence is one of the hottest topics in cybersecurity today. Many firms are investing heavily in developing and deploying solutions to identify and respond to cyber threats. But despite the hype surrounding cyber threat intelligence, many firms still struggle to make sense of the data they collect.

Why are firms struggling to make sense of their data, and how they can overcome this challenge? We asked around. It looks like three key challenges emerged, and here they are:

1. Data quality – How do we know if our data is accurate?

2. Data volume – How much data do we need to store?

3. Data integration – How do we combine multiple sources of data?

We’re working on ideas around these 3 most common problems. We’re working with firms of all sizes to help solve them. When we get to firm, across-the-board answers, we’ll post them. In the meantime, knowing the most common issues firms are facing in the threat intelligence arena gives us all a good place to start.

Got workarounds or solutions to these issues? Drop me a line on Twitter (@lbhuston) and let me know how you’re doing it. We’ll share the great ideas as they are proven out.

3 Threats We Are Modeling for Clients These Days

Posted on by
Reply

Just a quick post today to discuss three threat scenarios we are modeling frequently with clients these days. #ThreatModeling

1) Ransomeware or other malware infection sourced from managed service providers – this scenario is become a very common issue, so common that DHS and several other organizations have released advisories. Attacker campaigns against managed services providers have been identified and many have yielded some high value breaches. The most common threat is spear phishing into a MSP, with the attackers eventually gaining access to the capability to push software to the clients. They then push a command and control malware or a ransomware infection down the pipe. Often, it is quite some time before the source of the event is traced back to the MSP. The defenses here are somewhat limited, but the scenario definitely should be practiced at the tabletop level. Often, these MSPs have successfully passed a SOC audit, but have very little security maturity beyond the baselines.

2) Successful credential stuffing attacks against Office 365 implementations leading to wire/ACH/AP fraud – This is another very common scenario, not just for banks and credit unions, but a lot of small and mid-size organizations have fallen victim to it as well via account payable attacks. In the scenario, either a user is phished into giving up credentials, or a leaked set of credentials is leveraged to gain access to the Office 365 mail and chat system. The attackers then leverage this capability to perform their fraud, appearing to come from internal email accounts and chats. They often make use of stored forms and phish their way to other internal users in the approval chain to get the money to actually move. Once they have their cash, they often use these email accounts to spread malware and ransomware to other victims inside the organization or in business partners – continuing the chain over and over again. The defenses here are to MFA, limited access to the O365 environment to require VPN or other IP-specifc filtering, hardening the O365 environment and enabling many of the detection and prevention controls that are off by default. 

3) Voicemail hacking and dial-system fraud – I know, I know, it’s 2020… But, this remains an incredibly impactful attack, especially against key management employees or employees who traffic in highly confidential data. Often this is accessed and then either used for profit via trading (think M&A info) or as ransom/blackmail types of social engineering. Just like above, the attackers often hack one account and then use social engineering to get other users to follow instructions around fraud or change their voicemail password to a given number, etc. Larger corporations where social familiarity of employees and management is low are a common attack target. Dial system fraud for outbound long distance remains pretty common, especially over long weekends and holidays. Basically, the attackers hack an account and use call forwarding to send calls to a foreign number – then sell access to the hacked voicemail line, changing the destination number for each caller. Outbound dial tone is also highly regarded here and quite valuable on the underground markets. Often the fraud goes undetected for 60-90 days until the audit process kicks in, leaving the victim several thousand dollars in debt from the illicit activity. The defenses here are voicemail and phone system auditing, configuration reviews, hardening and lowering lockout thresholds on password attempts. 

We can help with all of these issues and defenses, but we love to help organizations with threat scenario generation, threat modeling and attack surface mapping. If you need some insights into outside the box attacks and fraud potential, give us a call. Our engagements in this space are informative, useful and affordable.

Thanks for reading, and until next time, stay safe out there! 

Are You Seeing This? Join a Threat Sharing Group!

Posted on by
Reply

Just a quick note today about threat sharing groups. 

I am talking to more and more companies and organizations that are putting together local, regional or vertical market threat sharing groups. These are often adhoc and usually driven by security practitioners, who are helping each other with cooperative defenses and sharing of new tactics and threat patterns (think TTPs (tactics, techniques & procedures)) or indicators of compromise (IOCs). Many times, these are informal email lists or RSS feeds that the technicians subscribe to and share what they are seeing in the trenches. 

A few folks have tried to commercialize them, but in most cases, these days, the sharing is simply free and open. 

If you get a chance to participate in one or more of these open source networks, you might want to check it out. Many of our clients are saying great things about the data they get via the networks and often they have helped contain incidents and breaches in a rapid fashion.

If you want to discuss your network, or if you have one that you’d like me to help promote, hit me up on Twitter (@lbhuston). If you are looking for one to join, check Twitter and I’ll share as folks allow, or I’ll make private connections as possible. 

As always, thanks for reading, and until next time, stay safe out there! 

Where Does Trouble Come From?

Posted on by
Reply

One of the most common questions I get is, “Where does attack traffic come from?”. I want to present a quick and dirty answer, just to show you how diverse illicit traffic sources are. 

To give you a glimpse into that, here is a list of the top 20 ISPs, based on the number of unique malicious source IP addresses who touched one of my HoneyPoint deployments in a single 24 hour period.

The list:

9 korea telecom
7 hinet
6 dynamic distribution ip’s for broadband services ojsc rosteleom, regional branch “urals”
5 sl-reverse
5 sfr
5 rr
5 chinanet jiangsu province network china telecom no.31,jingrong street beijing 100032
5 china mobile communications corporation mobile communications network operator in china internet service provider in china
4 turknet-dsl
4 superonline
4 sbcglobal
4 chinanet jiangsu province network china telecom 260 zhongyang road,nanjing 210037
3 zenlayer inc
3 virginm
3 verizon
3 totbb
3 jsc rostelecom regional branch “siberia”
3 intercable
3 comcastbusiness
3 comcast
3 charter
3 broadband multiplay project, o/o dgm bb, noc bsnl bangalore
3 as13285

As you can see by the above, the list is pretty diverse. It covers sources in many countries and across both domestic and foreign ISPs. In my experience, the list is also pretty dynamic, at least in terms of the top 10-20 ISPs. They tend to spike and fall like waves throughout different time periods. One of these days, maybe I will get around to visualizing some of that data to get a better view of the entropy around it. But, for now, I hope this gives you an idea of the diversity in sources of attacks.

The diversity also makes it very difficult to baseline log activity and such. As such, there may be some effective risk reduction in blocking ISPs by netblock, if your organization can tolerate the risk associated with doing so. But, more on that in another post. Hit me up on Twitter (@lbhuston) and let me know what your firm’s experience with that type blocking has been; if you’ve tried it or are doing it today. I’d love to hear if it reduced log noise, made traffic modeling easier or led to any specific risk reductions.

Thanks for reading! 

Petya/PetyaWrap Threat Info

Posted on by
Reply

As we speak, there is a global ransomware outbreak spreading. The infosec community is working together, in the open, on Twitter and mailing lists sharing information with each other and the world about the threat. 

The infector is called “Petya”/“PetyaWrap” and it appears to use psexec to execute the EternalBlue exploits from the NSA.

The current infector has the following list of target file extensions in the current (as of an hour ago) release. https://twitter.com/bry_campbell/status/879702644394270720/photo/1

Those with robust networks will likely find containment a usual activity, while those who haven’t implement defense in depth and a holistic enclaving strategy are likely in trouble.

Here are the exploits it is using: CVE-2017-0199 and MS17-010, so make sure you have these patched on all systems. Make sure you find anything that is outside the usual patch cycle, like HVAC, elevators, network cameras, ATMs, IoT devices, printers and copiers, ICS components, etc. Note that this a combination of a client-side attack and a network attack, so likely very capable of spreading to internal systems… Client side likely to yield access to internals pretty easily.

May only be affecting the MBR, so check that to see if it is true for you. Some chatter about multiple variants. If you can open a command prompt, bootrec may help. Booting from a CD/USB or using a drive rescue tool may be of use. Restore/rebuild the MBR seems to be successful for some victims. >>  “bootrec /RebuildBcd bootrec /fixMbr bootrec /fixboot” (untested)

New Petrwrap/Petya ransomware has a fake Microsoft digital signature appended. Copied from Sysinternals Utils. – https://t.co/JooBu8lb9e

Lastline indicated this hash as an IOC: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745 – They also found these activities: https://pbs.twimg.com/media/DDVj-llVYAAHqk4.jpg

Eternal Blue detection rules are firing in several detection products, ET Rules firing on that Petya 71b6a493388e7d0b40c83ce903bc6b04  (drops 7e37ab34ecdcc3e77e24522ddfd4852d ) – https://twitter.com/kafeine/status/879711519038210048

Make sure Office updates are applied, in addition to OS updates for Windows. <<Office updates needed to be immune to CVE-2017-0199.

Now is a great time to ensure you have backups that work for critical systems and that your restore processes are functional.

Chatter about wide scale spread to POS systems across europe. Many industries impacted so far.

Bitdefender initial analysis – https://labs.bitdefender.com/2017/06/massive-goldeneye-ransomware-campaign-slams-worldwide-users/?utm_source=SMGlobal&utm_medium=Twitter&utm_campaign=labs

Stay safe out there! 

 

3:48pm Eastern

Update: Lots of great info on detection, response, spread and prevention can be found here: https://securelist.com/schroedingers-petya/78870/

Also, this is the last update to this post unless something significant changes. Follow me on Twitter for more info: @lbhuston 

Pay Attention to Egress Anomalies on Weekends

Posted on by
6

Just a quick note to pay careful attention to egress anomalies when the majority of your employees are not likely to be using the network. Most organizations, even those that are 24/7, experience reduced network egress to the Internet during nights and weekends. This is the perfect time to look for anomalies and to take advantage of the reduced traffic levels to perform deeper analysis such as a traffic level monitoring, average session/connection sizes, anomalies in levels of blocked egress ports, new and never before seen DNS resolutions, etc. 

If you can baseline traffic, even using something abstract like net flow, you may find some amazing stuff. Check it out! 

Password Breach Mining is a Major Threat on the Horizon

Posted on by
3

Just a quick note today to get you thinking about a very big issue that is just over the security horizon.

As machine learning capabilities grow rapidly and mass storage pricing drops to close to zero, we will see a collision that will easily benefit common criminals. That is, they will begin to apply machine learning correlation and prediction capabilities to breach data – particularly passwords, in my opinion.

Millions of passwords are often breached at a time these days. Compiling these stolen password is quite easy, and with each added set, the idea of tracking and tracing individual users and their password selection patterns becomes trivial. Learning systems could be used to turn that raw data into insights about particular user patterns. For example, if a user continually creates passwords based on a season and a number (ex: Summer16) and several breaches show that same pattern as being associated with that particular user (ex: Summer16 on one site, Autumn12 on another and so on…) then the criminals can use prediction algorithms to create a custom dictionary to target that user. The dictionary set will be concise and is likely to be highly effective.

Hopefully, we have been teaching users not to use the same password in multiple locations – but a quick review of breach data sets show that these patterns are common. I believe they may well become the next evolution of bad password choices.

Now might be the time to add this to your awareness programs. Talk to users about password randomization, password vaults and the impacts that machine learning and AI are likely to have on crime. If we can change user behavior today, we may be able to prevent the breaches of tomorrow!

3 Reasons You Need Customized Threat Intelligence

Posted on by
5

Many clients have been asking us about our customized threat intelligence services and how to best use the data that we can provide.

1. Using HoneyPoint™, we can deploy fake systems and applications, both internally and in key external situations that allow you to generate real-time, specific to your organization, indicators of compromise (IoC) data – including a wide variety of threat source information for blacklisting, baseline metrics to make it easy to measure changes in the levels of threat actions against your organization up to the moment, and a wide variety of scenarios for application and attack surface hardening.

2. Our SilentTiger™ passive assessments, can help you provide a wider lens for vulnerability assessment visibility than your perimeter, specifically. It can be used to assess, either single instance or ongoing, the security posture of locations where your brand is extended to business partners, cloud providers, supply chain vendors, critical dependency API and data flows and other systems well beyond your perimeter. Since the testing is passive, you don’t need permission, contract language or control of the systems being assessed. You can get the data in a stable, familiar format – very similar to vulnerability scanning reports or via customized data feeds into your SEIM/GRC/Ticketing tools or the like. This means you can be more vigilant against more attack surfaces without more effort and more resources.

3. Our customized TigerTrax™ Targeted Threat Intelligence (TTI) offerings can be used for brand specific monitoring around the world, answering specific research questions based on industry / geographic / demographic / psychographic profiles or even products / patents or economic threat research. If you want to know how your brand is being perceived, discussed or threatened around the world, this service can provide that either as a one-time deliverable, or as an ongoing periodic service. If you want our intelligence analysts to look at industry trends, fraud, underground economics, changing activist or attacker tactics and the way they collide with your industry or organization – this is the service that can provide that data to you in a clear and concise manner that lets you take real-world actions.

We have been offering many of these services to select clients for the last several years. Only recently have we decided to offer them to our wider client and reader base. If you’d like to learn how others are using the data or how they are actively hardening their environments and operations based on real-world data and trends, let us know. We’d love to discuss it with you! 

What is MSI Passive Assessment & How Does it Empower Supply Chain Security

Posted on by
2
MSI’s passive assessment represents a new approach to understanding the security risks associated with an organization, be it yours or a vendor, prospect or business partner’s. MSI’s passive assessment leverages the unique power of the MSI TigerTrax™ analytics platform to perform automated research, intelligence gathering and correlation from hundreds of sources, both public and private, that describe the effective security posture of an organization.
 
The engine is able to combine the power of hundreds of existing tools to build the definitive profile of an organization’s security posture –  such as:
  • open source intelligence
  • corporate data analytics
  • honeypot sources
  • deep & dark net search engines
  • other data mining tools 
 
MSI’s passive assessment gives you current and historical information about the security posture of the target, such as:
  • Current IOCs associated with them or their hosted applications/systems (perfect for cloud environments!)
  • Historic campaigns, breaches or outbreaks that have been identified or reported in public and in our proprietary intelligence sources
  • Leaked credentials, account information or intellectual property associated with the target
  • Underground and dark net data associated with the target
  • Misconfigurations or risky exposures of systems and services that could empower attackers
  • Public vulnerabilities
  • Other relevant intelligence about their risks, threats and vulnerabilities – new sources added weekly…
 
Best of all, it gathers and correlates that data without touching the target’s network or systems directly in any way. That means you do not need the organization’s permission or knowledge of your research, so you can keep your interest private!
 
In the supply chain security use case, the tool can be run against organizations as a replacement for full risk assessment processes and used as an initial layer to identify and focus on vendors with identified security issues. You can find more information about it used in the following posts about creating a process for supply chain security initiatives:
 
Clients are currently using this service for M&A, vendor supply chain security management, risk assessment and to get an attacker’s eye view of their own networks or cloud deployments/hosted solutions.
 
To learn more about MSI’s passive assessment, please talk with your MSI account executive today!