Aggregator
Story of a Pentester Recruitment 2025
Demonstrating reduction of vulnerability classes: a key step in CISA’s “Secure by Design” pledge
Navigating DORA Compliance: A Roadmap to Operational Resilience with Trustwave
Accelerate Your Journey to DORA Compliance
Backscatter: Automated Configuration Extraction
Written by: Josh Triplett
Executive Summary
Backscatter is a tool developed by the Mandiant FLARE team that aims to automatically extract malware configurations. It relies on static signatures and emulation to extract this information without dynamic execution, bypassing anti-analysis logic present in many modern families. This complements dynamic analysis, providing faster threat identification and high-confidence malware family attribution. Google SecOps reverse engineers ensure precise indicator of compromise (IOC) extraction, empowering security teams with actionable threat intelligence to proactively neutralize attacks.
Overview
The ability to quickly detect and respond to threats has a significant impact on potential outcomes. Indicators of compromise (IOCs) serve as crucial breadcrumbs, allowing cybersecurity teams to identify and mitigate potential attacks while expanding their search for related activity. VirusTotal's existing suite of tools to analyze and understand malware IOCs, and thus the Google Threat Intelligence platform by extension, is further enhanced with Backscatter.
VirusTotal has traditionally utilized dynamic analysis methods, like sandboxes, to observe malware behavior and capture IOCs. However, these methods can be time-consuming and may not yield actionable data if the malware employs anti-analysis techniques. Backscatter, a service developed by the Mandiant FLARE team, complements these methods by offering a static analysis capability that directly examines malware without executing it, leading to faster and more efficient IOC collection and high-confidence malware family identification. Additionally, Backscatter is capable of analyzing sandbox artifacts, including memory dumps, to improve support for packed and obfuscated malware that does successfully execute in dynamic environments.
Within the Google Threat Intelligence platform, Backscatter shines by identifying configuration data, embedded IOCs, and other malicious artifacts hidden within malware uploaded by users. It can pinpoint command-and-control (C2 or C&C) servers, dropped files, and other signs of malware presence, rapidly generating actionable threat intelligence. All of the extracted IOCs and configuration attributes become immediately pivotable in the Google Threat Intelligence platform, allowing users to identify additional malware related to that threat actor or activity.
Complementing Dynamic Analysis
Backscatter enables security teams to quickly understand and defend against attacks. By leveraging Backscatter's extracted IOCs in conjunction with static, dynamic, and reputational data, analysts gain a more comprehensive view of potential threats, enabling them to block malicious communication, detect and remove dropped files, and ultimately neutralize attacks.
Backscatter's static analysis approach, available in Google Threat Intelligence, provides a valuable addition to the platform's existing dynamic analysis capabilities. This combination offers a more comprehensive threat intelligence strategy, allowing users to leverage the strengths of both approaches for a more robust security posture.
Backscatter in GTI and VirusTotal
Backscatter is available to Google SecOps customers, including VirusTotal Enterprise and the Google Threat Intelligence platform that supersedes it in the long term. While detecting a file as malicious can be useful, more clarity about the specific threat provides defenders with actionable intelligence. By providing a higher-confidence attribution to a malware family, capabilities and behaviors can be approximated from previous reporting without requiring manual analysis.
Figure 1: Google Threat Intelligence identifies that a service has extracted DONUT and ASYNCRAT malware configurations from the file
Embedded data such as C2 servers, campaign identifiers, file paths, and registry keys can provide analysts with additional contextual information around a specific event. Google Threat Intelligence helps link that event to related activity by providing pivots to related IOCs, reports, and threat actor profiles. This additional context allows defenders to search their environment and expand remediation efforts.
Figure 2: Google Threat Intelligence displays that Backscatter was able to extract the DONUT payload
Figure 3: Google Threat Intelligence displays that Backscatter was able to extract the DONUT payload's ASYNCRAT configuration
By taking a static approach to extracting data from malware, Backscatter is able to handle files targeting different environments, operating systems, and execution mechanisms. In the previous example, the DONUT malware sample is x86 shellcode and could not be executed directly by a sandbox.
Backscatter in the Field
Mandiant Managed Defense leverages Backscatter to deliver faster and more accurate identification and analysis of rapidly emerging malware families. This enables them to more quickly scope threat activity and more rapidly provide customers with pertinent contextual information. From distribution campaigns providing initial access, to ransomware operations, to targeted attacks by state-sponsored actors, Backscatter aims to provide actionable threat intelligence to enable security teams and protect customers.
Figure 4: Google Threat Intelligence displays a phishing campaign involving UNC2500 using the BLACKWIDOW and DARKGATE backdoors
One example threat group is UNC2500, which primarily distributes malware via email attachments and links to compromised websites. Many of the malware families used by this group, such as QAKBOT and DARKGATE, are supported by Backscatter, allowing Managed Defense customers to proactively block IOCs extracted by Backscatter.
Figure 5: UNC2500 provides initial access to UNC4393 to deploy BASTA ransomware
Looking Ahead
Backscatter stands as a testament to Google SecOps' commitment to providing cutting-edge tools for combating cyber threats. By offering a fast and efficient way to extract IOCs through static analysis, Backscatter empowers security teams to stay one step ahead of attackers. By incorporating Backscatter into their workflow, Google Threat Intelligence customers can strengthen their cybersecurity defenses and safeguard their valuable assets.
CVE-2019-9680 | Dahua IPC-HDW1X2X Packet IP Address information disclosure (Duplicate CVE-2024-13131 / Replaces VDB-290205)
"Sign in with Google": a quick-authentication tool exposes the data of ghost companies
Commvault strengthens Microsoft Active Directory protection
Commvault introduced an expansion of its platform to provide full and automated forest recovery for the world's most widely used enterprise identity and access solution, Microsoft Active Directory. As organizations continue to combat non-stop cyberattacks and threats, Commvault Cloud Backup & Recovery for Active Directory Enterprise Edition is the latest addition to the Commvault Cloud platform, which already protects a vast array of workloads and is designed to keep customers resilient, operational, and in a …
The post Commvault strengthens Microsoft Active Directory protection appeared first on Help Net Security.
Russia warned its 'shadow fleet' could face action from NATO allies
Join the commercial cryptography event and open a new chapter of innovative development: the 3rd Commercial Cryptography Expo 2025 will be held in Shanghai on June 11-13!
What should I learn about ethical hacking? Or Kali Linux?
CVE-2024-13131 | Dahua IPC-HFW1200S up to 20241222 Web Interface /web_caps/webCapsConfig information disclosure (Replaced by VDB-141992)
Code contributed to Linux 6.13 by a Microsoft engineer was disabled on the eve of release
Commvault Adds Ability to Recover Entire Instances of Active Directory
Commvault today added an ability to automatically recover the instances of Microsoft Active Directory (AD) that have become primary targets of cybersecurity attacks.
The post Commvault Adds Ability to Recover Entire Instances of Active Directory appeared first on Security Boulevard.