Randall Munroe’s XKCD ‘Matter’
via the comic & dry wit of Randall Munroe, creator of XKCD
The post Randall Munroe’s XKCD ‘Matter’ appeared first on Security Boulevard.
Tenable this week at the Black Hat USA 2024 conference added an ability to identify the vulnerabilities in an IT environment that should be remediated first based on the actual threat they represent.
The post Tenable Adds Ability to Prioritize Vulnerabilities by Threat Level appeared first on Security Boulevard.
Protective DNS is one of the most effective strategies in modern cybersecurity. The National Security Agency (NSA) recently named it as one of the best defenses against evolving phishing attacks. As cyber threats become more sophisticated, organizations find an increasingly pressing need for advanced, proactive solutions.
While DNS filtering has existed for decades, legacy systems rely on static blocklists that bad actors can circumvent simply by switching domains. A protective DNS (PDNS) solution, however, uses advanced algorithms and data analytics to pinpoint a threat before it becomes damaging. Protective DNS from HYAS takes a proactive approach by identifying and blocking malicious activity dynamically.
Read on to see what makes HYAS Protect protective DNS a standout security solution and trusted tool of governments worldwide.
What Is HYAS Protect?
HYAS Protect is a machine-learning-powered threat intelligence tool that uses advanced telemetry and authoritative domain-based intelligence to proactively block malicious infrastructure. Put another way, it detects a breach at the moment a compromised host first reaches out to attacker infrastructure, before the breach can cause damage.
Like all PDNS systems, HYAS Protect blocks requests to potentially harmful domains, but it doesn’t require a predetermined list of domain names. Built on the advanced threat intelligence platform HYAS Insight, HYAS Protect uses aggregated data from leading cybersecurity sources around the globe and real-time, dynamic analysis to identify a threat days, weeks or even months before it is activated.
If a particular DNS request is potentially harmful, the HYAS Protect system blocks the query. To identify these threats, HYAS Protect runs a pattern analysis across IP addresses, name servers, registrars, and other factors to determine how closely a potentially harmful domain aligns with known adversarial infrastructure, even if that domain has never before appeared in a cyberattack.
The HYAS solution doesn't care whether a suspicious domain is on a list or whether it has been seen before. Based on specific telemetry, we can determine that a domain which has not yet been used or weaponized most likely will be in the future.
How Does HYAS Protect Work?
No matter how a network breach begins, whether through ransomware, phishing, or another cyberattack, the malicious software almost always needs to "beacon out" to the attacker's infrastructure, also known as command-and-control (C2), and that normally starts with a DNS lookup of the C2 domain. HYAS Protect detects this C2 beacon at the DNS layer and terminates the connection before the attack can continue. (One practical caveat: malware that contacts a hard-coded IP address never issues a DNS query, so PDNS is best layered with endpoint and network controls rather than relied on alone.) For security-minded organizations, HYAS brings three core advantages.
1. Predictive Threat Detection
Firstly, the domain filtering in HYAS Protect is based on predictive data: it uses a variety of data points and threat intelligence to assess the risk of each DNS query, and a request that looks unusual or matches patterns often seen in cyberattacks is proactively blocked before it can cause harm. By stopping threats at this early stage, HYAS Protect helps secure the network against a wide range of attacks, from ransomware to phishing and beyond, before they can gain a foothold.
HYAS Protect also supports active list management and advanced rule sets that administrators can configure to allow acceptable traffic while still dynamically blocking suspicious domains. There is also an inspection (monitor-only) mode that provides platform analytics and telemetry without blocking any sites; this is useful when an organization first deploys HYAS, to see what the system would block without interrupting any workflows.
2. Customized Analytics
HYAS Protect also offers insightful analysis that increases overall traffic visibility. Although people usually think of web browsing and clicking on email links as the biggest cybersecurity threats, Internet of Things (IoT) and operational technology (OT) devices are also at risk of compromise. Because they often run in the background, suspicious beaconing from IoT or OT devices may otherwise go undetected.
That’s where HYAS steps in. This isn't just user-generated traffic – this is machine-driven traffic, too. HYAS analytics identifies an organization’s riskiest users, riskiest devices and which domains are triggering the most blocked queries. The data gives a more comprehensive, security-focused picture than a typical static blocklist, and the detailed logs can expedite an investigation if needed.
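The beaconing and riskiest-device analytics described above, as an added example that is not HYAS code: it assumes a hypothetical four-field resolver log line, "<unix_ts> <client_ip> <qname> <allow|block>", and shows how a timer-driven query cadence from one client to one domain can be spotted even when the domain is on no list (the IoT case above), and how to rank the riskiest devices and the domains triggering the most blocks. The log lines are constructed.

```python
"""Beacon detection and risk ranking over DNS resolver logs.

Added example (not HYAS code). Assumes a hypothetical log format:
    <unix_ts> <client_ip> <qname> <allow|block>
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev


def _constructed_log() -> str:
    """Constructed sample telemetry (not real data)."""
    base = 1722902400
    lines = []
    # 10.0.0.5: 60 s cadence with a few seconds of jitter, every query blocked
    for off in (0, 61, 119, 182, 240, 301, 358, 421, 480, 539):
        lines.append(f"{base + off} 10.0.0.5 update-cdn.example.net block")
    # 10.0.0.9: an IoT device beaconing at an exact 300 s cadence to a domain
    # that is on no list, so a static blocklist allows every query
    for i in range(8):
        lines.append(f"{base + 300 * i} 10.0.0.9 telemetry.example.org allow")
    # 10.0.0.7: an interactive user, irregular browsing plus two blocked lookups
    for off in (5, 900, 930, 2700, 2705, 4000, 7000):
        lines.append(f"{base + off} 10.0.0.7 news.example.com allow")
    for off in (1200, 1260):
        lines.append(f"{base + off} 10.0.0.7 login-verify.example.com block")
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()


def parse_log(text: str) -> list[tuple[int, str, str, str]]:
    """Parse log lines into (timestamp, client, qname, action) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, client, qname, action = line.split()
        records.append((int(ts), client, qname.lower().rstrip("."), action))
    return records


def find_beacons(records, min_queries: int = 6, max_cv: float = 0.15):
    """Flag (client, qname) pairs whose inter-query gaps are nearly constant.

    A low coefficient of variation (stdev / mean of the gaps) means a timer,
    not a person, is driving the lookups. Returns {pair: (count, mean_gap, cv)}.
    """
    by_pair: dict[tuple[str, str], list[int]] = defaultdict(list)
    for ts, client, qname, _ in records:
        by_pair[(client, qname)].append(ts)

    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mu = mean(gaps)
        if mu <= 0:
            continue
        cv = pstdev(gaps) / mu
        if cv <= max_cv:
            beacons[pair] = (len(times), mu, cv)
    return beacons


def rank_blocked(records):
    """Riskiest clients and most-blocked domains, by number of blocked queries."""
    by_client: Counter = Counter()
    by_domain: Counter = Counter()
    for _, client, qname, action in records:
        if action == "block":
            by_client[client] += 1
            by_domain[qname] += 1
    return by_client.most_common(), by_domain.most_common()


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (client, qname), (n, mu, cv) in find_beacons(recs).items():
        print(f"beacon: {client} -> {qname}: {n} queries every ~{mu:.0f}s (cv={cv:.2f})")
    clients, domains = rank_blocked(recs)
    print("riskiest clients:", clients)
    print("most-blocked domains:", domains)
```

The thresholds (six queries, coefficient of variation at or below 0.15) are assumptions to tune per environment: tighter jitter from real implants lowers the CV, while a longer observation window raises the count and reduces false positives from software updaters that also poll on a timer.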
3. Easy Integration Into Your Existing Stack
Lastly, HYAS Protect is designed to work out of the box. Our DNS resolver is fully cloud-based and takes only a few minutes to deploy across your organization's infrastructure. HYAS Protect also has an agent version for all major operating systems, which is useful for company devices that frequently roam off the corporate network: with device-level installation, HYAS still works on public Wi-Fi in coffee shops or airport lounges.
HYAS also offers third-party integrations with major endpoint protection solutions including SentinelOne and Microsoft Defender. These systems work together — HYAS Protect parses data from endpoint detection and response programs to identify any DNS requests to suspicious infrastructure.
HYAS Protect Is the Public Sector Solution of Choice
Recent recognition for HYAS includes the 2024 Govies Awards for the Public Sector, the 2024 Globee Cybersecurity Awards, and the 2024 Global InfoSec Awards.
In 2023, AV-TEST, considered the industry’s most rigorous third-party evaluator, gave HYAS Protect the highest efficacy rating of all PDNS solutions tested. This is particularly relevant in the public sector as cyberattacks increasingly target government agencies. To combat these threats, the NSA recommends PDNS as a core component of a multilayered security strategy, and HYAS is one of the providers meeting the NSA’s specifications.
Blocking both known and unknown threats is what HYAS is all about. No matter how sophisticated cyberattacks become, HYAS Protect keeps organizations one step ahead.
Additional Learning
How to Select a Protective DNS Solution
Watch a Demo of HYAS Protect Protective DNS
Guide to Protective DNS Security
AV-TEST evaluation of HYAS Protect
Want to talk to an expert to learn more about how Protective DNS can transform your organization? Contact us today to find out what HYAS security solutions can do for you.
The post Why Governments Worldwide Recommend Protective DNS appeared first on Security Boulevard.
The Amazon Web Services (AWS) Service Delivery designation is a specialized program designed to validate AWS Partners that have experience, deep technical expertise, and proven success delivering specific AWS services for clients. In October 2022, AWS announced a new designation for Amazon Elastic Kubernetes Service (Amazon EKS) that focuses on the proven ability to architect, run, and operate containerized workloads on Amazon EKS.
The post How Fairwinds Delivers On EKS Internally, AWS EKS Delivery Designation appeared first on Security Boulevard.
Authors/Presenters:Wen-jie Lu, Zhicong Huang, Qizhi Zhang, Yuchen Wang, Cheng Hong
Many thanks to USENIX for publishing their outstanding USENIX Security ’23 presenter content, and for the organization's strong commitment to Open Access. Originating from the conference's events at the Anaheim Marriott, and via the organization's YouTube channel.
The post USENIX Security ’23 – Squirrel: A Scalable Secure Two-Party Computation Framework for Training Gradient Boosting Decision Tree appeared first on Security Boulevard.
C-level executives have insights, access and control over privileged company data, systems and finances. Such information and access are highly coveted by cybercriminals, due to their potential for exploitation and illicit gain.
The post The C-Suite Conundrum: Are Senior Executives the Achilles’ Heel of Cybersecurity? appeared first on Security Boulevard.
AWS details Mithra, its massive neural network graph model that runs on its internal systems and is used to identify and rank malicious domains that threaten the cloud giant's systems holding its customers' data.
The post AWS’ Mithra Neural Network Detects, Ranks Malicious Domains appeared first on Security Boulevard.
The post How AHEAD Enhanced SecOps Efficiency with Low-code Security Automation appeared first on AI-enhanced Security Automation.
Ace AI is a collection of new capabilities for D3’s Smart SOAR™ platform that leverages artificial intelligence to make SecOps faster and more intuitive.
The post D3 to Introduce “Ace AI”, with AI-Generated Playbooks, at Black Hat USA 2024 appeared first on D3 Security.
Every month, the Pondurance team hosts a webinar to keep clients current on the state of cybersecurity. In June, the team discussed threat intelligence, notable vulnerabilities and trends, threat hunting, security operations center (SOC) engineering insights, and deception technologies. Threat Intelligence The Assistant Vice President of Digital Forensics and Incident Response discussed June’s heavy threat...
The post Novel Threat Tactics, Notable Vulnerabilities, and Current Trends for June 2024 appeared first on Pondurance.
In the realm of cybersecurity, brute force attacks are a persistent threat, exploiting the weaknesses of traditional rule-
The post Why Rule-Based Systems Fails to detect attacks and breaches? appeared first on Seceon.
Authors/Presenters:Antigoni Polychroniadou, Gilad Asharov, Benjamin Diamond, Tucker Balch, Hans Buehler, Richard Hua, Suwen Gu, Greg Gimler, Manuela Veloso
Many thanks to USENIX for publishing their outstanding USENIX Security ’23 presenter content, and for the organization's strong commitment to Open Access. Originating from the conference's events at the Anaheim Marriott, and via the organization's YouTube channel.
The post USENIX Security ’23 – Prime Match: A Privacy-Preserving Inventory Matching System appeared first on Security Boulevard.
The post Joint Certification Program (DD 2345) appeared first on PreVeil.
via the inimitable Daniel Stori at Turnoff.US!
The post Daniel Stori’s ‘The chroot Case’ appeared first on Security Boulevard.
In July, Guardio Labs reported that it had detected “EchoSpoofing,” a critical in-the-wild exploit of Proofpoint’s email protection service. This sophisticated phishing campaign shows that even robust security systems can be turned against their users when misconfigured, and underscores the value of SaaS security posture management (SSPM) in alerting on the email-system misconfigurations that such attacks exploit. Overview of […]
The post Breach Debrief Series: EchoSpoofing Phishing Campaign Exploiting Proofpoint’s Email Protection appeared first on Adaptive Shield.
Our new Keycloak integration is the latest in a range of 50+ integrations that ensure DataDome stops bad bots & fraud on any infrastructure.
The post DataDome Now Protects Keycloak IAM appeared first on Security Boulevard.
Threat Intelligence Report
Date: August 6, 2024
Prepared by: David Brunsdon, Threat Intelligence - Security Engineer, HYAS
Dynamic DNS (DDNS) is a service that automatically updates the Domain Name System (DNS) in real time to reflect changes in the IP addresses behind a domain. Unlike traditional static DNS, where the IP address associated with a domain remains constant, dynamic DNS allows the association between a domain and an IP address to be updated frequently. This capability is particularly useful for devices or networks with frequently changing IP addresses, such as home networks, small businesses, or mobile devices.
Dynamic DNS services are widely used for legitimate purposes, including remote access to home networks, managing internet-connected devices, and enabling consistent access to websites or services hosted on networks with dynamic IP addresses. However, the same features that make dynamic DNS useful for legitimate users can also be exploited by threat actors for malicious purposes.
Using dynamic DNS for command-and-control (C2) infrastructure offers threat actors several benefits. Dynamic DNS services have many benign users, but the same services are also used in phishing attacks and within malware to communicate with C2 infrastructure.
Using HYAS Insight threat intelligence, the HYAS team was able to analyze some dynamic DNS registrations from Q1 and Q2 of 2024 that originated in Turkey. The registration data we analyzed contained the registered domain name, the A record IP, and the IP address used when opening an account with the provider. We then identified which domains were malicious by cross-referencing this data against our malware data to determine which have been used this year in command and control.
An interesting trend emerged in the malware families identified: most were remote access trojans (RATs), and DarkComet alone accounted for over 50% of the malicious domains we identified. DarkComet has been available for download for over a decade and has been researched thoroughly over the years. It has the typical RAT capabilities, including keylogging, microphone capture, webcam capture, and remote access control. It has also been used in numerous high-profile incidents, such as the 2012 attack on Miss Teen USA.
In data analyzed in the 2020 paper Dark Matter: Uncovering the DarkComet RAT Ecosystem, Turkey is identified as the country with the highest number of DarkComet C2 deployments. From our perspective, the popularity of DarkComet in Turkey appears to persist today.
Deploying DarkComet Malware
DarkComet is typically deployed through one of several delivery methods.
Risks to a Compromised System
DarkComet is a serious threat because it can download additional files to extend the impact and level of compromise. Once a system has been compromised, the threat actor can download additional malware to extend the intrusion.
Using HYAS Insight threat intelligence, we collected a list of domains registered by actors in Turkey in 2024, with details such as A records, registrant email addresses, and the actor IPs associated with specific domains. Due to the sensitive nature of these IOCs, we have withheld them from this report. If you would like access to these IOCs, please contact HYAS directly for more information.
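The cross-referencing step described above (registration data joined against malware C2 sightings, then family prevalence and the account-IP pivot), as an added example; this is not HYAS Insight code or data. The registrations, sightings, the provider name "dyn-example.net", the hostnames and the documentation-range IPs are all constructed, and the field names are assumptions that mirror the report's description of the data (registered name, A record IP, account IP; domain seen in C2, family).

```python
"""Cross-referencing dynamic DNS registrations against malware C2 sightings.

Added example (not HYAS Insight code or data). All records are constructed;
IPs are from the documentation ranges and the provider name is made up.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Registration:
    domain: str           # registered dynamic DNS name
    a_record: str         # A record IP at the time of analysis
    account_ip: str       # IP used when the provider account was opened
    account_country: str  # geolocation of account_ip (constructed)


@dataclass(frozen=True)
class C2Sighting:
    domain: str      # domain observed as C2 in malware telemetry
    family: str      # malware family attributed to the sample
    first_seen: str  # YYYY-MM-DD


# Constructed registrations; two accounts each registered more than one name.
REGISTRATIONS = [
    Registration("sunucu-guncelle.dyn-example.net", "203.0.113.10", "198.51.100.7", "TR"),
    Registration("win-update-tr.dyn-example.net", "203.0.113.11", "198.51.100.7", "TR"),
    Registration("oyun-hile.dyn-example.net", "203.0.113.12", "198.51.100.22", "TR"),
    Registration("gizli-sunucu.dyn-example.net", "203.0.113.17", "198.51.100.22", "TR"),
    Registration("evkamera.dyn-example.net", "203.0.113.13", "198.51.100.40", "TR"),
    Registration("nasbox.dyn-example.net", "203.0.113.14", "198.51.100.41", "TR"),
    Registration("office-vpn.dyn-example.net", "203.0.113.15", "198.51.100.90", "DE"),
    Registration("rat-panel.dyn-example.net", "203.0.113.16", "198.51.100.91", "DE"),
]

# Constructed C2 sightings; one is from 2023 and one belongs to a non-TR account.
C2_SIGHTINGS = [
    C2Sighting("sunucu-guncelle.dyn-example.net", "DarkComet", "2024-02-11"),
    C2Sighting("win-update-tr.dyn-example.net", "DarkComet", "2024-03-03"),
    C2Sighting("oyun-hile.dyn-example.net", "DarkComet", "2024-05-19"),
    C2Sighting("gizli-sunucu.dyn-example.net", "njRAT", "2024-04-07"),
    C2Sighting("rat-panel.dyn-example.net", "DarkComet", "2024-01-15"),
    C2Sighting("evkamera.dyn-example.net", "DarkComet", "2023-08-01"),
]


def malicious_registrations(regs, sightings, country="TR", year="2024"):
    """Registrations from `country` whose name was seen as C2 during `year`.

    Returns {Registration: {family, ...}}.
    """
    c2_families = defaultdict(set)
    for s in sightings:
        if s.first_seen.startswith(year):
            c2_families[s.domain.lower()].add(s.family)
    hits = {}
    for r in regs:
        if r.account_country != country:
            continue
        families = c2_families.get(r.domain.lower())
        if families:
            hits[r] = families
    return hits


def family_share(hits):
    """Fraction of malicious registrations attributed to each family."""
    total = len(hits)
    if not total:
        return {}
    counts = Counter(f for families in hits.values() for f in families)
    return {family: n / total for family, n in counts.items()}


def actor_clusters(hits):
    """Group malicious names by account IP: one account, several C2 domains."""
    by_account = defaultdict(list)
    for r in hits:
        by_account[r.account_ip].append(r.domain)
    return {ip: sorted(names) for ip, names in by_account.items() if len(names) > 1}


if __name__ == "__main__":
    hits = malicious_registrations(REGISTRATIONS, C2_SIGHTINGS)
    tr_total = sum(r.account_country == "TR" for r in REGISTRATIONS)
    print(f"{len(hits)} of {tr_total} Turkish registrations were used as C2 in 2024")
    for family, share in sorted(family_share(hits).items(), key=lambda kv: -kv[1]):
        print(f"  {family}: {share:.0%}")
    for ip, names in actor_clusters(hits).items():
        print(f"  account {ip} registered {', '.join(names)}")
```

The year filter matters: a name seen as C2 in a previous year and since re-registered by someone else would otherwise be counted, which is a real hazard with dynamic DNS where names are recycled quickly. The account-IP pivot is what turns a list of bad hostnames into actor clusters, and it is also why those IPs are the most sensitive field in the withheld IOC set.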
Want more threat intel on a weekly basis?
Follow HYAS on LinkedIn
Follow HYAS on X
Read recent HYAS threat reports:
Caught in the Act: StealC, the Cyber Thief in C
HYAS Protects Against Polyfill.io Supply Chain Attack with DNS Safeguards
StealC & Vidar Malware Campaign Identified
Sign up for the (free!) HYAS Insight Intel Feed
Disclaimer: This Threat Intelligence Report is provided “as is” and for informational purposes only. HYAS disclaims all warranties, express or implied, regarding the report’s completeness, accuracy, or reliability. You are solely responsible for exercising your own due diligence when accessing and using this Report's information. The analyses expressed in this Report reflect our current understanding of available information based on our independent research using the HYAS Insight platform. The Report’s inclusion of any companies, organizations, or ASNs does not imply any wrongdoing on their part; it is simply an indication of where digital threat activities have been observed. HYAS reserves the right to update the Report as additional information is made known to us.
Learn More About HYAS Insight
An efficient and expedient investigation is the best way to protect your enterprise. HYAS Insight gives threat and fraud response teams unparalleled visibility into everything you need to know about an attack, including its origin, the infrastructure currently in use, and related infrastructure.
Read how the HYAS Threat Intelligence team uncovered and mitigated a Russian-based cyber attack targeting financial organizations worldwide.
More from HYAS Labs
Polymorphic Malware Is No Longer Theoretical: BlackMamba PoC.
Polymorphic, Intelligent and Fully Autonomous Malware: EyeSpy PoC.
The post The Prevalence of DarkComet in Dynamic DNS appeared first on Security Boulevard.
Authors/Presenters:Chong Fu, Xuhong Zhang, Shouling Ji, Ting Wang, Peng Lin, Yanghe Feng, Jianwei Yin
Many thanks to USENIX for publishing their outstanding USENIX Security ’23 presenter content, and for the organization's strong commitment to Open Access. Originating from the conference's events at the Anaheim Marriott, and via the organization's YouTube channel.
The post USENIX Security ’23 – FreeEagle: Detecting Complex Neural Trojans in Data-Free Cases appeared first on Security Boulevard.
Understand the Dark Web's complex character, its practical implications for cybersecurity, and the importance of using this intelligence.
The post Understanding the Dark Web: A Hidden Realm appeared first on Security Boulevard.
Active Directory (AD) lies at the heart of your organization’s Windows network, silently orchestrating user access, authentication, and security. But do you truly understand its workings? This blog peels back...
The post Securing from Active Directory Attacks appeared first on Strobes Security.