#ISC2CONGRESS – Lessons Learned from the Baltimore Ransomware Attack

Martin R. Okumu lived through the ransomware attack on the City of Baltimore in 2018, which affected 90% of the municipality’s applications. As the then-director of IT infrastructure for the city, he learned a lot of valuable lessons about defending against and recovering from a ransomware attack.

On Tuesday afternoon, he shared those lessons with (ISC)² Security Congress 2021 attendees during a virtual session. He is now the Chief Information Officer for the City and County of San Francisco.

In many ways, Okumu said, Baltimore was not prepared for the attack. The city did not have a cyber incident response team (CIRT), or well-defined plans for activating an incident response, or how to handle communication and escalation.

These are elements that organizations need in order to fend off a ransomware attack. “If you have these things in place and outline these procedures, you are in better shape than we were,” he said.

The city descended into chaos and confusion in the attack’s aftermath because of the lack of clearly defined procedures and roles, Okumu said. The only saving grace was that the city had invested in both on-premise and cloud backups. Still, it cost U.S. $18 million to recover from the attack after Baltimore refused to pay a ransom demand of between 1 and 5 bitcoins, Okumu said.

The Attack

The attack was first discovered in the early morning of May 19, 2018. It had started sometime between 4 a.m. and 7 a.m., Okumu said. When trying to log on to their computers, users were getting a message saying the systems had been encrypted with Ransom.Robinhood ransomware. The perpetrators, he said, “want you to know what has happened. They don’t hide.”

The city did not respond to the attackers, who in subsequent days made more extortion attempts, even offering to unlock one machine to prove they could do it, Okumu said. Their messages to the city became more aggressive in time and, finally, they issued a final deadline of June 7 for a response. Rather than respond, the city proceeded with its recovery process, which took months.

Be Prepared

To prepare for ransomware attacks, Okumu stressed the importance of an incident response plan (IRP) that addresses both the technology and business sides of recovery. On the former, it’s important to know your environment, establish a communication and escalation procedure, and have a methodical process for plan activation.

On the business side, the plan should address elements such as having a communication plan for the CISO, CIO and company executives as well as a risk management component that includes cyber insurance. It is also wise to have a ransomware expert on retainer so you’re not scrambling to find one in the aftermath of an incident and to set up a bitcoin account in case you decide to pay the ransom.

Backup Strategy

Having a backup strategy is also critical. “This is the reason we were able to recover,” Okumu said. “Make sure your organization has a solid backup plan. This is the number one area where businesses for one reason or another do not want to spend money. I don’t understand why.”

Data backup is only one of many steps organizations should take to protect against ransomware. Okumu walked through a series of other steps, including incident assessment and the creation of a CIRT. To ensure CIRT success, he said it’s critical to have an executive sponsor on the team and a clear mission statement.

Other steps include figuring out how to communicate internally during an incident as well as outside entities, such as the FBI, Homeland Security and CISA, local law enforcement and regulatory agencies.

It’s important to treat an incident as a crime scene by taking measures such as creating a record of critical facts about the incident and capturing images of affected computers. Okumu also recommended having a digital forensics specialist, either in-house or through an outsourcing arrangement.

If there is a need to engage outsiders, he cautioned against third parties that promise to solve the problem but whose main goal is to capitalize on the situation. Organizations should have a short list of parties to contact, such as insurance carriers, outside legal counsel, forensic investigators, regulators, crisis communication managers and “responsive vendors.”

(ISC)² Security Congress 2021 continues Wednesday, October 20 with opening keynotes beginning at 8:00 a.m. ET.

The post #ISC2CONGRESS – Lessons Learned from the Baltimore Ransomware Attack appeared first on Cybersecurity Insiders.

October 30, 2021 at 09:09PM

Read More

Every month should be Cybersecurity Awareness Month!

While October is famous for National Cybersecurity Awareness Month, and we provide resources and recommendations for our customers, really every month should focus on this business-critical topic. Given the frequency of Ransomware attacks, all industries need to be increasingly vigilant. This includes many aspects of cybersecurity, such as user training, endpoint security, network security, vulnerability management, and detection and response to incidents.

Industries such as healthcare and energy and utilities are susceptible and arguably the most vulnerable to ransomware or other cybersecurity incidents. Government agencies and schools have also become top targets. Small businesses, which previously felt they were too small to be of interest to criminals, are finding that they too are a target. Any organization with a digital presence should have resilient cybersecurity capabilities. Otherwise, they might not survive a cyberattack.

Stories from the SOC

The scope of cybersecurity is quite broad, but I’d like to share some of our Stories from the SOC experiences, to show how we provide services and products to protect our customers in real-life scenarios.

Data exfiltration

The most recent story is about detecting and remediating data exfiltration in our SOC for a customer. The AT&T Managed Threat Detection and Response Security Operations Center (SOC) observed a connection between a customer asset and an indicator of compromise (IOC) with a known reputation as part of a malicious network ecosystem hosting and distributing malware.

Facilitated by a relationship with Darktrace and their Cyber Intelligence Platform, an alarm was produced based on the observance of data being transferred out of the network over a 4-hour period via several external connections. Upon the acknowledgment of the alarm, the SOC was able to research correlating events and provide the customer a detailed explanation of what took place within the customer environment thus aiding in the proactive mitigation of this threat.

Phishing incident

The AT&T Managed Threat Detection and Response (MTDR) analyst team was notified that a user fell victim to a phishing email. The user received an email that was quarantined by Microsoft Office Advanced Threat Protection (ATP), but still opened the email, clicked a link and entered their credentials. The customer was notified about the successful phishing attack and requested additional information about what occurred between the successful attack and when the account was disabled.

Within 45 minutes, the MTDR analyst created an Investigation, attached all suspicious logs, and a report containing all the events between the attack and lockout. Due to the rapid information gathering, the customer was able to quickly start the remediation process and determine if any sensitive information may have been compromised.

Ransomware

One of the AT&T Managed Threat Detection and Response customers recently almost had an incident involving ransomware. In our analysis of what turned out to be the activity of the Sodinokibi ransomware gang, we were able to move quickly. Thanks to the SentinelOne advanced EDR platform, the attack was quickly detected and stopped automatically. Then, the combined efforts of the MTDR SOC, Threat Hunters, and the AT&T Alien Labs team led to a swift customer escalation, root cause discovery, and analysis of the Sodinokibi ransomware gang.

These attackers leverage search engine optimization (SEO) to ensure compromised sites hosting links to malicious files are pushed up to the first page of Google results for commonly asked questions. In this case, a user was taken to a compromised site and downloaded a file containing a malicious JavaScript file. While the JavaScript file was executed, there was little impact on the organization thanks to SentinelOne correlating and associating the activities that followed as malicious and autonomously stopping the attack.

And, with the help of AT&T, the client was able to take further remediation steps, enable additional proactive prevention policies, and confirm no other malicious domains were observed across the network. 

Conclusion

We’re in the business of solving problems for our customers, and the stories above are only a few examples of what we have in our broad portfolio of cybersecurity products and services. Happy National Cybersecurity Month!                                                                                                                                

The post Every month should be Cybersecurity Awareness Month! appeared first on Cybersecurity Insiders.

October 30, 2021 at 09:10AM

Read More

(ISC)2 Cybersecurity Workforce Study: Skills Gap Narrows But More Help Is Needed

The global cybersecurity skills gap narrowed over the past year, from 3.1 million to 2.7 million people, and job satisfaction got a substantial boost, according to the newly-published 2021 (ISC)² Cybersecurity Workforce Study.

The narrower skills gap reflects an increase in people joining the field, the study found. “For 2021, our study estimates there are 4.19 million cybersecurity professionals worldwide, which is an increase of more than 700,000 compared to last year.” However, the gap in Asia-Pacific (APAC) was reduced by 500,000 this year, overshadowing the increased deficits in all other regions where the gap has actually increased.

Roughly one-third of the survey respondents indicated that a shortage in cybersecurity team members has led to real world impacts, including misconfigured systems, not enough time for risk assessment and management, rushed deployments, and slowly patched critical systems.

Participants also offered opinions on what specialized skills and roles their teams lack, aligned with the roles outlined in the U.S. government’s National Initiative for Cybersecurity Education (NICE) Framework. They cited categories such as Securely Provision (48%); Analyze (47%); and Protect and Defend (47%) as the top areas of need, but the data also shows a strong need for help across all roles.

Asked how they would improve their security posture if their organization’s personnel needs were fully met, cybersecurity professionals clearly indicated they would make even greater investments in people in areas like training and certifications (50%), professional development (46%), and automation solutions to make their tasks easier (48%). Additionally, 49% of respondents would invest in security awareness training for everyone in the organization. But contrary to popular belief, respondents also indicated that these investments don’t come at the expense of technology investments. Even as their teams grow, they anticipate the need for continued technology and services investment to ensure they have the tools and support necessary to do their jobs and effectively strengthen their security posture.

Silver Linings

This year’s Workforce Study polled 4,753 cybersecurity professionals in North America, Europe, Latin America (LATAM) and Asia-Pacific (APAC). While much work needs to be done to recruit and retain more cybersecurity staff to the tune of a 65% increase, the findings provide several reasons to feel good about the state of the industry.

For one, cybersecurity professionals have weathered the pandemic well, even experiencing a boost in morale overall. Job satisfaction numbers are the highest ever reported, with 77% of respondents saying they are satisfied or extremely satisfied with their jobs. That’s a significant boost from 66% in 2019.

Satisfaction levels are highest among younger professionals – 79% among Millennials – and only slightly lower among Generation Xers (76%) and Baby Boomers (75%).

New Pathways

The study also found pathways outside of IT are becoming more common. “While an IT background remains the single most common route taken (47% of participants), that is giving way to a variety of entry points. Slightly more than half of cybersecurity professionals got their start outside of IT — 17% transitioned from unrelated career fields, 15% gained access through cybersecurity education and 15% explored cybersecurity concepts on their own.”

This portends well for the future of the field, indicating that the message from (ISC)² and others in the industry about embracing jobseekers with various skillsets and career backgrounds is starting to get through.

However, there is still a need for diversity in the industry, which remains male-dominated. “Among study participants, the field also continues to be predominantly male (76%) and Caucasian (72%) in North America and the U.K.”

Diversity Push

Even though the skills gap has narrowed, the study calculates that the global cybersecurity workforce still needs to increase by 65% to effectively protect organizations against cyber threats. Getting there will require attracting more people with diverse backgrounds and work experience.

The study makes a strong case for stepping up diversity equity and inclusion (DEI) efforts by, among other measures, promoting women and members of other under-represented groups to leadership roles. Study participants also said diversity can increase through mentorship programs, flexible workplace conditions, eliminating pay and promotion gaps and establishing diversity goals for organizations.

The New Remote Work Reality
The percentage of cybersecurity professionals working remotely in some capacity due to the pandemic remains unchanged at 85%; however, 37% report they must now come to the office at times compared to 31% in 2020. In addition to the advantages of remote work as a public health measure, organizations cited improved workplace flexibility (53%); accelerated innovation and digital transformation efforts (37%); and stronger collaboration (34%) as some of the ways the pandemic has changed their organizations for the better.

For more insights into topics such as cybersecurity salaries, top skills development priorities, and planned investments in people and technology, and to read recommended strategies from (ISC)² for closing the gap, please download the full study at: https://www.isc2.org/Research/Workforce-Study

The post (ISC)2 Cybersecurity Workforce Study: Skills Gap Narrows But More Help Is Needed appeared first on Cybersecurity Insiders.

October 30, 2021 at 09:09AM

Read More

Microsoft to offer cyber security training in community colleges across US

Microsoft has announced that it is going to offer cyber security training to interested students who are studying in community colleges across the United States. To reach its aim, the American tech giant has announced that it is going to invest millions of dollars on nurturing new talent to fill 250,000 jobs lying vacant in various cybersecurity roles.

Presently, the Redmond giant has focused on 936 public colleges and 73 independent community colleges operating under the American Association of Community College(AACC) banner in the United States.

Plan is to train, test and award the best candidate with a smart role and best pay package available in the industry. The software giant is also planning to train teachers of Community College over the next 3 years to nurture the best talent to serve the security industry by offering a vision on what curriculum to be taught and how to prepare the young talent to prepare for the worst, yet to be observed by the industry.

Microsoft President Brad Smith announced that his company will not put any kind of extra budgetary burden on the educational institutes and so is planning to offer the curriculum free of cost.

Note- According to an Annual Cybersecurity jobs report commissioned by Herjavec Group, the year 2021 will witness over 3.5 million job vacancies in 2021 on a global note, up from 1 million positions witnessed in 2014. So, the Satya Nadella led company seems to have taken an initiative to lead the front of filling in the job vacancies in the security field with the best talent. So, all you IT students dreaming to defend apps, data, devices and infrastructure from individuals and state funded groups, you better use this opportunity to grow big in the cyberworld.

The post Microsoft to offer cyber security training in community colleges across US appeared first on Cybersecurity Insiders.

October 29, 2021 at 08:41PM

Read More

How Can You Keep Your Personal Information Safe?

A few simple changes to your devices and accounts can help discourage cyber criminals from trying to access your data. Getting started is easy. This short guide presents some quick measures you can take to protect your privacy and keep your personal info safe.

Prevent Data Breaches

Giants like Facebook and Target have suffered breaches and password leaks, so it’s safe to say data from at least one of your online accounts could have been leaked. If you want to see whether luck was on your side, go to Have I Been Pwned? and enter your email. This site will show you if your data appears anywhere.

Use a password manager to generate and remember complex, different passwords for each of your accounts. This is the most crucial step to keep your personal information safe. Change the default passwords of any smart devices in your home, like routers, smart fridges, or security cameras.

Ideally, your online accounts should be equipped with two-step factor authentication. Most banks and social media offer this option now. You can enter a phone number and a password that no one but you has access to.

Check for Your Personal Info on the Dark Web

Companies will offer a dark web scan as a service that, as the name suggests, searches the dark web for you. It checks for stolen passwords, usernames, credit card numbers, and Social Security numbers for sale. Your company of choice will let you know if they find your personal data anywhere on the dark web.

Unfortunately, you can’t get your personal information removed from the dark web, but you can be proactive in protecting it from theft once you know what information has become vulnerable. Before that, let’s go into the details.

The Dark Web Uses Encryption to Hide Locations

You can’t access the dark web through a typical search engine because dark websites use encryption to conceal their locations. A large portion of this web is dedicated to transacting stolen personal and financial data. This information can be used to buy things with stolen credit card data, open new lines of credit, or take out loans in the unsuspecting victim’s name and Social Security number. It may even be possible to transfer funds from a hacked bank account.

The following types of personal information are typically transacted on the dark web:

• Login details for payment services
• Credit and debit card numbers
• Driver’s licenses
• Login details for subscription services
• Medical records
• Social Security numbers
• Passports
• Phone numbers
• Fake diplomas

The Anatomy of a Dark web Scan

As mentioned, a dark web scan will search the dark web and alert you if your info is found in one or more collections of stolen personal data. If you find your social security number has been leaked, you can report it to the respective authority, as with any other stolen information. Unfortunately, no company can search the whole dark web. As data breaches don’t always expose all personal data, a scan can’t find every instance of stolen data.

Free Dark web Scans

Some cybersecurity services will offer free dark web scans. Proceed with caution and make sure the service is legitimate. In every event, reliable search results are worth paying for.

Upgrade to the Latest OS Version

If your computer is running on Windows 10, Defender is sufficiently reliable as an inbuilt element of the OS. Most users will be happy with the degree of security it provides. Always upgrade to the latest version of your OS as older versions quickly become vulnerable to attacks. For example, malware can scan and intercept sensitive personal data as well as drive you insane with popups. Set up reliable antivirus programs and upgrade them as often as possible, especially if you work on a shared computer.

Be Wary of Targeted Advertising

You are leaving a far more discernible digital footprint than you imagine. Every company’s site collects data about user locations and browsing habits. Data advertisers and marketers on social media use all the information you share to learn more about you. Disabling targeted advertising is one way to keep them from getting your data.

To disable ads from Twitter, Apple, Google, or Facebook, manual adjustments might be in order. Sites like Netflix and Reddit have comprehensible opt-out instructions. Follow them and the volume of information collected from you will drop dramatically. Some adjustments will even stop companies from accessing any data whatsoever.

Use a VPN

Virtual private networks have helped lots of people protect their personal info. They are mandatory if you need to connect to public Wi-Fi frequently. They can guarantee privacy from your internet service provider and limit IP address-based tracking substantially. Of course, there are VPNs that sell their users’ data or are otherwise untrustworthy. Always select reputable providers whom you can trust.

Get HTTPS Everywhere Installed

Last but not least, HTTPS Everywhere is a free, open-source extension that you can use to access the safe version of every website – at least every website that has such a version. Nobody can steal your information from a secure version of a website though, so HTTPS Everywhere is highly recommended, especially if you’re using a store, airport, café, or hotel’s public Wi-Fi.

The post How Can You Keep Your Personal Information Safe? appeared first on Cybersecurity Insiders.

October 29, 2021 at 07:57PM

Read More

Ranzy Locker Ransomware warning issued by FBI

US Federal Bureau of Investigation (FBI) has issued an alert that a new ransomware dubbed as Ranzy Locker is on the prowl in the wild and has so far attained success in victimizing over 30 companies operating in America.

Confirming the same, the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning that Ranzy Locker Ransomware has the potential to target its victims through brute force attacks launched on Remote Desktop Protocol (RDP).

As usual, the said malware gang is reportedly spreading its wings by exploiting the vulnerability in Microsoft Exchange Servers like how REvil and Maze have done in the past.

Investigations made by the law enforcement agency state that the ransomware gang has so far targeted financial sector based companies and have stolen millions of files, including banking transactions, customer details, contact information, and other such details before encrypting the files.

Ranzy Locker malware is also available for rent and so any threat actors having the intention to make quick money are seen distributing the newly developed file encrypting malware.

Taking regular backups that can be efficiently used to data continuity when the need arises, implementing network segmentation, installing regular software and firmware updates, auditing user accounts at regular intervals, limiting access to RDPs, deploying email threat monitoring solutions on network servers and disabling links embedded in the mail will help in reducing the spread of ransomware say cyber experts from FBI.

Note- In November 2019, FBI issued a press update notifying companies not to pay a ransom to hackers, if in case, their data is compromised by malware as it encourages crime and also doesn’t guaranty a decryption key in return as soon as the ransom is paid.

The post Ranzy Locker Ransomware warning issued by FBI appeared first on Cybersecurity Insiders.

October 29, 2021 at 11:04AM

Read More

Ransomware attack on National Rifle Association of America

National Rifle Association, shortly referred as NRA, was reportedly hit by a ransomware attack stealing data and leaking it on the dark web. The details of the ransomware gang that breached the gun rights advocacy group’s network are yet to be out.

However, sources reporting to our Cybersecurity Insiders have revealed that Grief gang linked to Evil Corp funded by the Russian intelligence could be behind the attack and are reportedly demanding millions to free the database from encryption.

NRA mentioned in one of its recent tweets that it has taken the incident seriously and will take all necessary measures to protect the information of its user base here-on.

Coming to the Evil Corp ransomware gang, it has a history of stealing credentials of 100s of banks and financial institutions in over 40 countries and has also targeted the US Treasury Department recently with a $100 million theft.

According to the researchers of Cybereason, Grief Ransomware spread by Russia-based Evil Corp has a custom of threatening its victims with serious consequences if they approach law enforcement or a security firm for data recovery.

The gang follows a practice of leaking the stolen details one at a time, to prove their authenticity of hacking into the network and to pressurize the victim for paying up the mentioned ransom.  

Note- Founded in 1871 and evolving as per the time, the NRA is a gun rights protection group that also teaches firearm safety and competency to individual/s possessing arms and ammunition.

The post Ransomware attack on National Rifle Association of America appeared first on Cybersecurity Insiders.

October 29, 2021 at 11:01AM

Read More

New! Improvements to Your (ISC)² Cybersecurity Online Continuing Education

Growing your knowledge and earning continuing professional education (CPE) credits has never been easier. The education platform (ISC)² Learn has been fully revised to provide an updated and improved user experience. This refresh includes an improved navigation process with easier access to your courses and support. When you sign in to your (ISC)² member account, visit My Courses to see the changes and view instructional videos designed to help you navigate your courses.

Homepage Highlights

• The new navigation bar and welcome banner link to store, awards, support and FAQs.
• Courses are now sortable, allowing you to pin your favorites and prioritize courses based on your certification or professional development interests.
• Tracking achievements is easier with the new awards widget.

Course Customizations

• Banners are now shown in custom certificate branding for each course.
• The New Course information widget shows instructor information and course times. 
• You can stay organized with a new display feature that shows upcoming sessions, plus a visual table of contents.

(ISC)² Learn is your go-to resource for relevant and challenging online, expert-instructed cybersecurity courses taking you beyond your certification. Gain valuable knowledge and earn additional CPE Credits, with a portfolio of more than 50 on-demand, self-paced courses available at your convenience. These professional development courses are free to members and Associates of (ISC)² and available for purchase if you’re not a member yet.

If you need assistance with accessing your online courses, please contact learn@isc2.org.

The post New! Improvements to Your (ISC)² Cybersecurity Online Continuing Education appeared first on Cybersecurity Insiders.

October 29, 2021 at 09:09AM

Read More

Spok Sets Date to Report Third Quarter 2021 Results

ALEXANDRIA, Va.–(BUSINESS WIRE)–Spok Holdings, Inc. (NASDAQ: SPOK), a global leader in healthcare communications, today announced it will report operating results for the third quarter 2021 ended September 30, 2021, on Wednesday, November 3, 2021, after market close, at approximately 4:30 pm Eastern Time (ET).

In addition, the Company will not be hosting a conference call for investors to discuss third quarter 2021 results due to the Company’s strategic alternatives review process, which was announced on September 3, 2021. The Company will keep all stakeholders apprised of the status of the process as and when it is appropriate.

About Spok

Spok, Inc., a wholly owned subsidiary of Spok Holdings, Inc. (NASDAQ: SPOK), headquartered in Alexandria, Virginia, is proud to be a global leader in healthcare communications. We deliver clinical information to care teams when and where it matters most to improve patient outcomes. Top hospitals rely on the Spok Go® and Spok Care Connect® platforms to enhance workflows for clinicians and support administrative compliance. Our customers send over 100 million messages each month through their Spok® solutions. When seconds count and patients’ lives are at stake, Spok enables smarter, faster clinical communication. For more information, visit spok.com or follow @spoktweets on Twitter.

Spok is a trademark of Spok Holdings, Inc. Spok Go and Spok Care Connect are trademarks of Spok, Inc.

Safe Harbor Statement under the Private Securities Litigation Reform Act:

Statements contained herein or in prior press releases which are not historical fact, such as statements regarding Spok’s future operating and financial performance are forward-looking statements for purposes of the safe harbor provisions under the Private Securities Litigation Reform Act of 1995. These forward-looking statements involve risks and uncertainties that may cause Spok’s actual results to be materially different from the future results expressed or implied by such forward-looking statements. Factors that could cause actual results to differ materially from those expectations include, but are not limited to, declining demand for paging products and services, continued demand for our software products and services, our ability to develop additional software solutions for our customers and manage our development as a global organization, the ability to manage operating expenses, particularly third party consulting services and research and development costs, future capital needs, competitive pricing pressures, competition from traditional paging services, other wireless communications services and other software providers, many of which are substantially larger and have much greater financial and human capital resources, changes in customer purchasing priorities or capital expenditures, government regulation of our products and services and the healthcare and health insurance industries, reliance upon third-party providers for certain equipment and services, unauthorized breaches or failures in cybersecurity measures adopted by us and/or included in our products and services, the effects of changes in accounting policies or practices, adverse economic, political or market conditions in the U.S. and international markets and other factors such as natural disasters, pandemics and outbreaks of contagious diseases and other adverse public health developments, such as coronavirus disease 2019 (COVID-19), as well as other risks described from time to time in our periodic reports and other filings with the Securities and Exchange Commission. Although Spok believes the expectations reflected in the forward-looking statements are based on reasonable assumptions, it can give no assurance that its expectations will be attained. Spok disclaims any intent or obligation to update any forward-looking statements.

The post Spok Sets Date to Report Third Quarter 2021 Results appeared first on Cybersecurity Insiders.

October 29, 2021 at 09:08AM

Read More

6 Business functions that will benefit from cybersecurity automation

This blog was written by an independent guest blogger.

Enterprises and small businesses alike are facing challenges that impact their ability to maintain adequate cybersecurity. Budget constraints and limited staff are just a couple of reasons why businesses have become more susceptible to cyberattacks. Hackers are becoming smarter, and the tools that teams deploy are growing in number, leading to fragmentation and increased vulnerabilities. 

According to the IBM data breach report, the average cost of a data breach has reached $4.24 million per incident, an all-time high. There are many reasons for this increase, but one reason that businesses must confront recently is the drastic operational shifts during the pandemic that have led to higher recovery costs. 

Cybersecurity automation trained with machine learning and powered by AI is helping to close vulnerability gaps and lower the cost of cybersecurity incidents. If your organization is new to automated security, then it's best to start small and increase the scope of your implementation over time. Use this guide to help navigate the needs of your organization and decide what next steps to take in order to implement an automated cybersecurity protocol. 

The business case for automation

The upcoming holiday season presents a unique cybersecurity threat for businesses in addition to individual consumers. More online retailers are offering Black Friday, Small Business Saturday and Cyber Monday deals to maximize profits and expect to see a 107% revenue boost over the holiday shopping weekend. This increased traffic presents an opportunity for hackers and fraudsters to slip under the radar and execute devastating cyberattacks. 

The number one reason why more companies are turning to cybersecurity automation is due to the rise of advanced persistent threats. APTs most commonly describe an attack campaign where a team of attackers establishes a prolonged presence within a network that is difficult to discover without continuous monitoring tools. This kind of presence is easy to establish in an organization that has suffered attacks before or is otherwise focused on other business operations. 

Because of this, organizations are pushing for more automation to secure their networks and assets. According to a recent report on cybersecurity adoption, 95% of businesses have already automated some of their cybersecurity processes and 98% are planning to automate even more of their processes in the upcoming year. Of those who have already started, 40% have automated at least half of their processes.

Business functions to automate for better security 

Automating business functions helps increase security while also streamlining workflows and freeing up employees to focus on productivity and revenue-based activities. Without the help of AI, many companies are struggling to keep up with rising customer demands for speed as well as the rising need for privacy and security. 

Here are just some of the functions that businesses can automate to increase overall cybersecurity: 

Incident response

Cybersecurity automation gives organizations the ability to perform threat detection and incident response at scale. AI-powered intelligent automation requires large amounts of data in order to be most effective, so machines that have been developed over time are becoming powerful enough to analyze vulnerabilities and respond to incidents in real time. By automating tedious and repetitive security tasks, response time is expedited while reducing alert fatigue and human error. 

Data management

Many security professionals spend hours each day manually administering tools to protect enterprise data. For many organizations, spending so much time collecting data is not conducive to innovation and growth. Automating tasks such as data collection and log and asset management can make security operations more efficient by freeing up skilled employees to work on high-level tasks that require a human touch. 

Data privacy

Another way for businesses to streamline workflows is to automate data privacy functions such as compliance. AI-powered tools have the ability to navigate your ecosystem and discover non-compliant processes and activities without the need for a full-scale audit. Regulations are beginning to catch up with those in the EU, so staying on top of regulatory compliance is essential to prevent disruptions and down time as well as keep systems secure from prying eyes. 

Attack simulations

Another part of cybersecurity that is traditionally very time consuming is testing. Conducting simulated attacks and vulnerability tests is crucial for maintaining a secure cybersecurity ecosystem, but the time consuming process causes many organizations to put it off or test less frequently than they should. 

But now, continuous attack simulations can be used to increase data center security. These automated simulations recreate adversarial behavior in order to discover processes and controls that are performing well and which need to be patched up. 

APIs and certificates

Enterprises have no choice but to manage upwards of thousands of security certificates. This volume of certificates is virtually impossible for teams to manage without the help of AI-powered tools. Because of this, it is not uncommon for businesses to experience outages caused by certificates expiring unexpectedly. That’s why most companies are now looking to automate their PKI certificate management processes. 

Application security

Cybersecurity automation also allows companies to secure all of their applications easily. This includes checking for authentication, authorization, and even encryption protocols. Automated tools can also scan business applications for known security vulnerabilities.

A manual approach is no longer sustainable. This is due to DevOps deployments continuing to increase as more companies are utilizing low code and no code tools and APIs. Additionally, each manual step creates unnecessary risk through human error that can lead to a security breach. 

Tips for implementing cybersecurity automation

1. Implement zero trust protocols. A restrictive policy when it comes to network access protects business data from internal and external threats. 
2. Keep your certificates up to date. As web developer Nathan Finch from Best Web Hosting Australia makes note of, ensuring your web hosting provider comes with SSL is absolutely essential. “SSL or Secure Socket Layer protection creates an encrypted tunnel from your user’s computer to the web servers,” says Finch. This protects their information from hackers and other malicious forces. It has become a requirement for any financial transaction online as well as any payment processor worth using. These processors will flat out reject any websites that don’t have SSL.”
3. Utilize managed services. In the event that a threat is detected, managed security services can automate and orchestrate rules to accelerate incident response time. In addition, your organization will also have a team of security professionals that can help your IT security identify and mitigate threats in real time. 

Conclusion

While technologies like cloud computing and 5G were created with security in mind, there are still a number of ways that businesses can fall victim to costly cyberattacks. By automating business processes such as incident response, data management, data privacy, attack simulations, APIs, certificates, and application security can all lead to a more efficient and secure business environment.

The post 6 Business functions that will benefit from cybersecurity automation appeared first on Cybersecurity Insiders.

October 28, 2021 at 09:09PM

Read More

Developer-First Application Security Platform Tromzo Nabs $3.1 Million From Leading CISOs

Innovation Endeavors and more than 25 CISOs including Robinhood’s Caleb Sima, SimpliSafe’s Adam Glick (SimpliSafe) and ICE/NYSE’s Steve Pugh have invested $3.1 million in Tromzo, a new developer-first application security management platform that launched this week with a mission to support application security teams who the company says are overwhelmed, frustrated, and struggling to keep up with the pace of modern software development.

“Modern AppSec teams are spending all their time trying to convince developers and chasing them to fix security issues . This makes scaling their application security program practically impossible and they constantly feel they are being left behind, said Harshil Parikh Tromzo’s co-founder and CEO who previously led security for Medallia where he experienced these challenges first-hand.

According to the press release, Tromzo’s Developer-first Application Security Management promises users complete end to end visibility, reduces noise, eliminates manual work, and drives security ownership.

Commenting on the platform, early customer and investor, Ralph Pyne, Head of Security at NextRoll said: “Tromzo enables my team to partner with the Dev team at scale to reduce our overall risk. Both teams benefit with my security engineers freed up to focus on higher value tasks and the dev team given rapid intelligence on prioritized vulnerabilities.

The startup plans to use the funds to expand their team, further develop the product, and bring the platform to market. More information can be found at www.Tromzo.com

The post Developer-First Application Security Platform Tromzo Nabs $3.1 Million From Leading CISOs appeared first on Cybersecurity Insiders.

October 28, 2021 at 08:51PM

Read More

What is GLBA Compliance related to Data Security

According to the Gramm Leach Bliley Act (GLBA) of 1999, all financial institutions and those in lending stream should follow certain rules that help protect customer’s sensitive data. At the same time, they should maintain transparency while sharing information with other institutions and should evaluate their data security & protection practices from time to time to avoid any cyber incidents such as data breach and malware attacks.

Interestingly, the law also applies to all third parties and affiliates linked to the financial institutions that is covered under the GLBA Compliance.

Therefore, all businesses such as payday lending institutions, professional tax service firms, mortgage loan offering institutes, banks, and others dealing with critical data like social security numbers, phone numbers, addresses, banks, credit card info and income related information along with credit monitoring companies should select 3rd party service providers(Cloud service providers- CSPs) who have the operational ability to safeguard sensitive information only.

Companies adhering to the laws of GLBA Compliance should also hire dedicated team of professionals to supervise data protection and data destruction process as soon as the data reaches its end of life-cycle.

Also, as most data centers or server farms provide remote access to information to companies, it is better they set-up their own data destruction machinery at their premises as it helps them have full control of the sensitive information that is flowing out for termination.

While the data destruction process is being implemented, the client who owns the data and the data center that stores the information should indulge in the mechanism under supervision of both parties.

The post What is GLBA Compliance related to Data Security appeared first on Cybersecurity Insiders.

October 28, 2021 at 08:46PM

Read More

Over two-thirds of workers are at risk of a cyber security attack

A recent study by telecommunications provider, TextAnywhere, looked into the screen habits of 1,000 employees in the UK and revealed that over two-thirds (67.4%) are using their mobiles for work, imposing a serious threat to business security. 

Businesses need to ensure they work hard to educate their employees around safe practices when accessing platforms via mobile. Third-party applications and unsecured WIFI can be easy gateways for cybercriminals to access sensitive information via business emails or chat messages. According to Carbon Black reports, 88% of UK companies suffered security breaches last year.

Raphael Waller from Cardonet, an IT Service Provider, comments: “Most businesses and industries are now reliant on technology and because of this, the impacts of a cyber attack are more harmful than ever. Cybercrime has become a key focus for criminals because the financial gain is so high when holding organisations to ransom.”

“Regular cybersecurity training is vital in helping your team better understand how they can protect the organisation from threats and what they can do to be more alert. Keeping organisations safe is something that everyone has a role to play in, no longer just IT or Security.”

James Bosley, Marketing Manager at TextAnywhere added: “Today almost everyone uses a smartphone in their day to day life, both for work and personal use. They help to keep us connected at all times, but arguably, more could be done by business leaders to ensure safe and secure practice.”

“The past 18 months have presented multiple challenges. As employees return to the office, it’s important that healthy business communication is established and all staff feel supported. Business should prioritise ensuring all employees are aware of the remote access policies, procedure and best practice – the most effective way to do this is through the device they are using most, their phone.”

Working from home has increased the likelihood of cyber-attacks but has improved work-life balance for many and increased productivity in businesses that don’t rely on central office space. With effective employee communication and training, organisations can substantially reduce the risk of cyber-attacks while building a healthy and effective remote culture.

For a full look at the research, see here.

The post Over two-thirds of workers are at risk of a cyber security attack appeared first on Cybersecurity Insiders.

October 28, 2021 at 06:56PM

Read More

New certification in Network Defense, Ethical Hacking and Digital Forensics

EC Council, that can smartly abbreviated as the International Council of Electronic Commerce Consultants, has started a new certification program that offers MOOC certification series.

Mooc stands for massive open online course, a training program that offers essential certifications in cybersecurity that includes courses related to network defense, ethical hacking and digital forensics.

It will be a virtual education series, where students need to attend video lectures, lab tutorials and syllabi related security eCourseware and related to the EC-Council Academia Division.

FYI, the educative material related to the Essential Series, was developed by those who also drafted the syllabus of approved Certified Network Defender (CND) taken up by the United States Department of Defense (DOD).

Wesley Alvarez, the director of EC-Council’s Academics division said that the open source online course will act as a learning model and approach to industry workforce by brushing up their skills. The Essential Series helps students take up self- paced learning in Cybersecurity- independent of the classroom attendance and grasping skills.

EC Council will also host several cyber competitions, flag submissions, and industry feeds in coming months that will help the course participants to check for their technical skills from time to time.

So far, the EC Council that is based in New Mexico has certified over 237,000 professionals hailing from over 43 countries, out of which most have taken certification as a Certified Ethical Hacker (CEH).

The post New certification in Network Defense, Ethical Hacking and Digital Forensics appeared first on Cybersecurity Insiders.

October 28, 2021 at 09:56AM

Read More

Ransomware news trending on Google

First is the news related to a ransomware attack on a Candy maker that trade experts say could lead to chocolate scarcity when it is most needed by/for kids. And with only few days left for events such as Trick and Treat and Halloween night, Candy maker Brachs is making all arrangements that the malware attack doesn’t affect its production as the peak of the Christmas 2021 season on its way.

Brachs spokesperson released a media update admitting the ransomware attack that took place on October 9th of this year, affecting the production severely at the Ferrara’s factories since then.

But the good news is that the recovery plan works excellently and so the everyday candy maker is sure that all its operations will report normalcy by this weekend.

Coming to the second news that is trending on Google news headlines, a study made by European Union Agency for Cybersecurity (ENISA) says that hackers for hire have emerged as the biggest cyber threat in the last 15 months to take full advantage of the work from home culture because of the COVID-19 Pandemic spread.

ENISA says that between the periods of April 2020 to July 2021, many of the government agencies, along with some companies, were targeted with ransomware attacks by state funded actors.

Security report adds that adversary nations like China took full advantage of the Pandemic to launch email campaigns to spread multiple variant of ransomware and of those the health care sector was most targeted.

Third is the news related to a ransomware attack that hit Papua New Guinea’s finance department in the southwestern Pacific Ocean. Reports are in that the threat actors infiltrated the systems of the Department of Finance’s Integrated Financial Management System (IFMS) locking down access to millions of dollars that was meant as a foreign aid.

On condition of anonymity, a source from the accounting department said that the hackers breached the network through a business email flaw exhibited by the Microsoft servers and were demanding millions of dollars as ransom to clean up the data from the encryption malware.

Papua New Guinea’s Government is taking all security measures to mitigate the risks associated with the cyber incident and has hired a third party firm to investigate the ransomware attack deeply and to avoid such IT embarrassments in the future.

The post Ransomware news trending on Google appeared first on Cybersecurity Insiders.

October 28, 2021 at 09:52AM

Read More

What is 5G shared responsibility and how would it work?

5G is fundamentally different from anything we’ve ever seen. By 2023, the new technology is predicted to host 25 billion device connections, jumping to 75 billion by 2025. That’s more than 9 devices per person on earth. 

5G offers more than just the ability to see videos faster. Compared to 4G, it offers a higher transmission speed, lower latency and increased bandwidth. 

Large-scale implementation of 5G technology will present enormous opportunities for industries. For enterprises and subscribers, 5G will enable exciting high performance and reliable connectivity. It will also benefit mobile operators and every critical infrastructure sector by unlocking significant new revenue-generating opportunities, while maximizing service efficiency. 

However, there is one serious consideration to this new technology – data security. Where and to how many should data security be assigned? Who should hold the responsibility of ensuring data is secure? 

One solution is a ‘shared responsibility’ model. This is where responsibility for cloud security is shared between several parties, including operators, subscribers and the enterprise. 

But how does it work, and how can it be successfully implemented? 

Building a collaborative ecosystem  

Within a shared responsibility model, the cloud service that holds the data, and the service provider that delivers it, are interconnected. However, the shared responsibility model is not only a collaborative network, but a whole ecosystem encompassing several components. 

Multiple parties have to get involved, including cloud service providers, the enterprise and mobile network operators.  Each party is responsible for what data is on the network, and should expect this ecosystem to be secure, reliable and private. 

It is important to educate each party on the importance of 5G security so that both the enterprise and consumers can reap the benefits. A breakdown of even one of these components could have serious consequences for the entire ecosystem. 

Ensuring data privacy

Using 5G, the average person will produce 1 Gigabyte of data per day, and a substantial amount of that data will be sensitive information. This will also be transmitted over a wider variety of devices, leading to billions of them collecting and analyzing information in real time. 

Due to the sensitivity of the data, a global policy will be needed to define how it will be used, handled, and shared between different parties. For example, proposed legislation such as the ePrivacy Regulation, which explains how data should be handled, may need to be clarified or enhanced specifically around data in motion. This could help address increasing demands for privacy for data that is shared between different entities and applications. 

Implementing enhanced security 

Compared to 4G, 5G is fundamentally different and more complex by design. Its entire security core differs from earlier wireless technologies, whilst its virtualization and shared infrastructure aspects are unique. However, these new advances make it more vulnerable to attacks, and every entity involved will have to enhance security to handle the broader responsibilities that make 5G so attractive. 

The hugely anticipated launch of driverless cars is a good example of this. Through vehicle-to-vehicle communication (V2V), autonomous cars can share information between other vehicles on anything ranging from traffic and weather conditions to pedestrian safety. This data will then be fed from disparate systems, and the vehicles will generate data back to those systems. 

However, this means that driverless cars could also pose a huge security risk within the shared security model. They could become a target of cyberattacks, with attackers potentially being able to increase vehicle speed and cause an accident. Therefore, a robust security system should be at the heart of the 5G shared responsibility model in order to protect users from hostile cyber actors. 

The implementation of 5G technology will not only benefit industries, but transform our lives. However, we cannot enter into this new arena without a well-planned security model. Shared responsibility offers an opportunity for the enterprise, cloud service providers and 5G manufacturers to reap the benefits of network implementation, whilst also ensuring data is secure. 

Learn more about 5G network connectivity data infrastructures in our Thales Security Sessions Podcast. Or if you’re interested in this type of technology, tweet us @ThalesDigiSec! 

The post What is 5G shared responsibility and how would it work? appeared first on Cybersecurity Insiders.

October 28, 2021 at 09:10AM

Read More

Security does not end with Implementing Controls

In cybersecurity, threat actors are relentless. To keep systems safe, we need a process of controls to oversee the entire chronology of a potential attack scenario – protection before an attack happens, effective mitigation and correction during an attack, and recovery afterwards. The tools of defense are vital, but not enough.

Organizations need to decide how to deploy these tools, how much to spend, how to train people, and how to ensure they maintain compliance with industry standards and governance/risk (GRC) requirements.

Security controls must be organized and described in a way that non-IT people – employees and executives alike – understand and embrace, even if they do not fully grasp all the technical terms, and this is where specialized experts including Certified Authorization Professionals (CAP) play a key role. CAPs can be the vital bridge between technicians, executives, regulators, and others involved in the Security process.

Learn more in our article.

The post Security does not end with Implementing Controls appeared first on Cybersecurity Insiders.

October 28, 2021 at 09:10AM

Read More

Code similarity analysis with r2diaphora

Executive summary

Binary diffing, a technique for comparing binaries, can be a powerful tool to facilitate malware analysis and perform malware family attribution. This blog post describes how AT&T Alien Labs is leveraging binary diffing and code analysis to reduce reverse-engineering time and generate threat intelligence.

Using binary diffing for analysis is particularly effective in the IoT malware world, as most malware threats are variants of open-source malware families produced by a wide range of threat actors. Generating and maintaining static signatures for variations on IoT malware is tedious, as the assembly code often changes across variants and architectures and text strings are subject to modification. For this reason, AT&T Alien Labs created a new open-source tool, r2diaphora, to port Diaphora as a plugin for Radare2, and included some use cases in this blog.

What is binary diffing?

Binary diffing (or program diffing) is a process where two files are compared at instruction level, looking for differences in code. Threat actors can easily transform the assembly code for a program without modifying its actual behaviour, so the typical “line-by-line” diffing is not good enough when looking at malware – a more advanced approach is needed.

There are several binary diffing tools publicly available, such as Diaphora,  BinDiff, and DarunGrim. Alien Labs is using Diaphora, as we believe it is the most advanced of all the available options. Furthermore, Diaphora has the added benefit of being open source, allowing Alien Labs to modify it for our needs.

How can binary diffing be employed to identify malware?

Diaphora works by analyzing each function present in the binary and extracting a set of features from each analyzed function. These features are later used to compare functions across binaries and find matches. If instead of directly comparing features, we leverage them to build a database of malicious functions (indicators) for identification purposes, we can then begin analyzing incoming binaries and try to find matches amongst their functions when comparing to the indicator database.

If enough matches are found in the analyzed binaries, we can safely assume the analyzed sample is a malware sample. We can also note which malware family the functions belong to in the indicator database, thus obtaining family attribution for the analyzed samples.

Porting Diaphora to Radare2

Diaphora works as an IDA Pro plugin. In order to work, it needs a valid IDA license and, consequently, valid Hex-Rays licenses for each CPU architecture you may want to decompile. As this cost of these licenses is quite high, Alien Labs looked for a cheaper alternative, so the community could leverage it.

As such, we decided to port the existing Diaphora to the Radare2 disassembly framework. The ported version of Diaphora, named r2diaphora, is also open source and available here.

Radare2 (r2) is an open-source disassembly framework that supports a very wide range of CPU architectures. It also bundles a capable decompiler and supports the Ghidra decompiler as a plugin. As such, r2 is well suited for our objective of porting Diaphora to an open-source disassembler.

Additional changes made to the original Diaphora included swapping the SQLite3 databases for MySQL. This change was performed for the malware attribution process described previously, as more than one analyst would be writing to the indicator database. With multiple analysts writing to the database, the SQLite database would need to be shared across team members and allow parallel write/read operations. SQLite databases are not made for this kind of usage, so the Alien Labs team swapped it for another database engine better designed for the task.

Installation

As r2diaphora uses Radare2 and MySQL they need to be set-up prior to its usage. Radare2 should be installed locally, while the MySQL server can be remote or local. Once the environment is set up you can install it with pip install r2diaphora. This pip package installs three command line utilities: r2diaphora, r2diaphora-db and r2diaphora-bulk.

• r2diaphora: The main command line utility, analyzes and compares files.
• r2diaphora-db: Performs database management and configuration.
• r2diaphora-bulk: Analyzes binaries in batches.

Further usage options can be obtained with the -h / –help command line option in each of them.

Once the pip package is successfully installed you can input your database credentials with r2diaphora-db config -u -p -hs . If you are using bash or a similar shell and do not want your database password to be saved in the shell history, precede the command with a space.

Finally, if you want to use the r2ghidra decompiler, install it with the r2pm -ci r2ghidra command, if it is not installed already.

Usage

As stated previously, r2ghidra lists all available options if executed with the -h flag. Currently, they are the following:

As an example, we can execute r2diaphora on some test IoT samples. You can find file hashes in the Associated Indicators appendix.

First test – comparing to Sakura (a Gafgyt variant) samples with the same architecture:

r2diaphora 562b4c9a40f9c88ab84ac4ffd0deacd219595ab83ed23a458c5f492594a3a7ef 770363f9fd334c3f3c4ba0e05a2a0d4701f56a629b09365dfe874b2a277f4416

Figure 1. r2diaphora output for Sakura samples with the same architecture.

Observe how r2diaphora could identify the similarities between the two files. The system managed to find 40 matches out of 56 possible (71%). Furthermore, the similarity ratios for the matched functions are close to 1.0, indicating a very close resemblance in the matched functions. Additionally, the results point towards true positive matches since the matched functions have the same name and number of basic blocks.

Second test – comparing Sakura samples with different architectures:

 r2diaphora 17c62e0cf77dc4341809afceb1c8395d67ca75b2a2c020bddf39cca629222161 6ce1739788b286cc539a9f24ef8c6488e11f42606189a7aa267742db90f7b18d

Figure 2. r2diaphora output for Sakura samples with different architecture.

In this case, we see how the number of matches has decreased from the previous test. This was expected as it is harder to match functions across different architectures. The similarity ratios have also decreased as the assembly code differs in all the compared functions. Still, r2diaphora recognized many similarities between both samples and identified correct matches across the compared files.

Third test – comparing a Sakura sample to a Yakuza (another Gafgyt variant) sample, both samples having different architectures:

$ r2diaphora sakura/594a6b2c1e9beac3ad5f84458b71c1b7ec05ee0239808c9a63bc901040e413a3 yakuza/91392f5dbbfd4ad142956983208a484b91ac5e84c4f9a9fcb530a9b085644c93

Figure 3. r2diaphora output for Sakura and Yakuza samples with different architecture.

In this case, observe how the number of matches have decreased even further while the ratios have been maintained mostly steady. This is due to the samples being different variants that perform different modifications over the base Gafgyt source code.

It is also notable that the processCmd function has been able to be matched with a low ratio. processCmd is the function that parses the received commands from the Command & Control server. The low ratio in this match is due to the variants being able to handle different commands, hence their implementation being different. However, the system was able to match it due to a common constant present in both functions.

Conclusion

Code similarity analysis is a powerful tool that can be leveraged to identify and attribute malware. While not flawless, program diffing can bypass many of the weaknesses of static signatures and thus could be used in conjunction with traditional detection methods to build a more robust detection pipeline.

Appendix

Associated Indicators (IOCs)

TYPE	INDICATOR	DESCRIPTION
SHA256	132948bef56cc5b4d0e435f33e26632264d27ce7d61eba85cf3830fdf7cb8056	Sakura sample, Arch: ARM, EABI4
SHA256	136dbd3cfa947f286b972af1e389b2a44138c0013aa8060d20c247b6bcfdd88c	Sakura sample, Arch: Intel 80386
SHA256	17c62e0cf77dc4341809afceb1c8395d67ca75b2a2c020bddf39cca629222161	Sakura sample, Arch: ARM, EABI4
SHA256	19e0f329b5d8689b14d901b9b65c8d4fb28016360f45b3dfcec17e8340e6411e	Sakura sample, Arch: Motorola m68k
SHA256	4cc11ffb3681ebced1f9d88e71b70a87e6d4498abca823245c118afead67b6a5	Sakura sample, Arch: MIPS, MIPS-I version 1
SHA256	562b4c9a40f9c88ab84ac4ffd0deacd219595ab83ed23a458c5f492594a3a7ef	Sakura sample, Arch: ARM, EABI4
SHA256	594a6b2c1e9beac3ad5f84458b71c1b7ec05ee0239808c9a63bc901040e413a3	Sakura sample, Arch: x86-64
SHA256	5fec87479a8d2fa7f0ed7c8f6ba76eeea9e86c45123173d2230149a55dcd760d	Sakura sample, Arch: MIPS, MIPS-I version 1
SHA256	603d14671f97d12db879cc1c7cd6abfa278bf46431ac73aeb6b3a4c4c2b16b9f	Sakura sample, Arch: x86-64
SHA256	6b128a64a497eb123f03b77ef45e99e856282dc9620dc26ab38998627a8f3216	Sakura sample, Arch: Renesas SH
SHA256	6ce1739788b286cc539a9f24ef8c6488e11f42606189a7aa267742db90f7b18d	Sakura sample, Arch: Intel 80386
SHA256	770363f9fd334c3f3c4ba0e05a2a0d4701f56a629b09365dfe874b2a277f4416	Sakura sample, Arch: ARM, version 1
SHA256	7c8ba5f88b1c4689a64652f0b8f5e3922e83f9f73c7e165f3213de27c5fb4d05	Sakura sample, Arch: PowerPC
SHA256	8090c3a1a930849df42f7f796d42e0211344e709a5ac15c2b4aca8ca41de2cd3	Sakura sample, Arch: Intel 80386
SHA256	94a279397b8c19ec7def169884a096d4f85ce0e21ff9df0be3ce264ef4565ea7	Sakura sample, Arch: x86-64
SHA256	96bb3e5209e083544ea6a78bc6fc4ebc456e135a786d747718d936af3b063298	Sakura sample, Arch: ARM, EABI4
SHA256	a079dfd60b55a7d74dd32d49a984bea43665b8b225beceae5b272944889217f6	Sakura sample, Arch: MIPS, MIPS-I version 1
SHA256	b6c2f02b1bed62a6b845d5f13d9003f5aa3f6d0da3e62fa48d9822872453de10	Sakura sample, Arch: Renesas SH
SHA256	cef15aa60dc2c09fe117e37e07399f0ef89dca9f930ce13ac1e29f8cf63d9a31	Sakura sample, Arch: Motorola m68k
SHA256	e984334bbdd1179aadbde949f7c1b0fb02b6c18cb4a56d146150853b18adfa79	Sakura sample, Arch: MIPS, MIPS-I version 1
SHA256	2858982408bf1664b622e830ad83b871749608a7533e94672153ff90caa658a9	Yakuza sample, Arch: ARM, EABI4
SHA256	2b7262cae9e192fa7921f3ec02e0f924b32de3d418842fdad9a51603589a54c7	Yakuza sample, Arch: Intel 80386
SHA256	2faf7437c769abd92347d6f0a77f001523ec41c02d2bf12e3cebf5b950457ba3	Yakuza sample, Arch: Intel 80386
SHA256	4fc23e8409becb028997c2f0f2041e2dc853018b71e009e3d66f33876d5d4e99	Yakuza sample, Arch: Renesas SH
SHA256	6554d5edb401e2def2ef9fbb82b591351d3c8261ce0a20c431470f1c68fa3aea	Yakuza sample, Arch: ARM, version 1
SHA256	8005db9431013f094a2114046679ab971e62a8776639d6c2903fcc5d2fe8065c	Yakuza sample, Arch: x86-64
SHA256	91392f5dbbfd4ad142956983208a484b91ac5e84c4f9a9fcb530a9b085644c93	Yakuza sample, Arch: ARM, version 1
SHA256	b8aadb66183196868a9ff20bebd9c289fbfe2985fb409743bb0d0fea513e9caf	Yakuza sample, Arch: ARM, EABI4
SHA256	d4f223fc5944bc06e12c675f0664509eeab527abc03cdd8c2fbd43947cc6cbab	Yakuza sample, Arch: ARM, version 1
SHA256	f64b5f6dd7f222b7568bba9e05caa52f9e4186f9ba4856c8bf1274f4c77c653c	Yakuza sample, Arch: Intel 80386

The post Code similarity analysis with r2diaphora appeared first on Cybersecurity Insiders.

October 27, 2021 at 09:10PM

Read More