GoRed Using DNS & ICMP Tunneling For C2 Server Communication
Hackers often abuse DNS and ICMP tunneling to transmit data and bypass network security measures covertly.
These protocols, which poorly configured firewalls often let through, can be manipulated to create hidden communication channels for transferring sensitive data out of a network or for giving unauthorized users a way in.
This evasion technique enables threat actors to maintain persistence and avoid detection within compromised networks.
Positive Technologies researchers recently discovered that ExCobalt’s new tool, GoRed, uses DNS and ICMP tunneling for C2 server communication.
GoRed Using DNS & ICMP Tunneling
ExCobalt, a group of cyber criminals likely to be an extension of Cobalt, notoriously known for attacks on financial institutions, has been using a newly discovered Go backdoor.
The PT ESC CSIRT team came across this while responding to an incident in one of their customers’ organizations.
ExCobalt is a cyber espionage group that has been active since at least 2016 and probably originates from the Cobalt gang.
ExCobalt also adopted the CobInt tool, which by 2022 had become synonymous with Cobalt.
PT ESC reported several attacks and investigated other incidents connected to ExCobalt against Russian entities in different industries in the previous year.
The key features of the GoRed backdoor are:
C2 framework for executing commands
RPC protocol for C2 communication
DNS/ICMP tunneling, WSS, and QUIC for communication
Credential harvesting from compromised systems
Data collection
Reconnaissance capabilities on victim networks
Data serialization, encryption, archiving, and exfiltration to a dedicated server
While investigating an incident on a client’s Linux host in March 2024, the team identified a Go-based tool known as GoRed, packed with UPX in a file called scrond, which could be associated with the 2019 “Red Team” site.
Multiple variants of this backdoor had also been encountered during earlier client incident responses, in July 2023 and October 2023, alongside other tools such as Mimikatz, ProcDump, SMBExec, Metasploit, and Rock.
GoRed’s C2 servers included leo.rpm-bin.link, sula.rpm-bin.link, lib.rest and rosm.pro while ExCobalt used domains like lib.rpm-bin.link, get.rpm-bin.link, and leo.rpm-bin.link.
The backdoor’s control flow is driven by its command-line interface: it first initializes its commands and then hands control to them.
First, the service command is initialized, which establishes persistence on the system.
To maintain its presence, it creates environment variables that begin with “BB.” Control then passes to the gecko command, which serves as the entry point for beacon mode.
Depending on the protocol option, it fetches the C2 address from the transport configuration and starts beaconing. To identify victims, the malware generates an ID by hashing information about the host.
After initializing and connecting to the C2 server, the RPC protocol is used to register the beacon.
It then runs birdwatch to monitor the file system, sets the heartbeat period, initializes the available commands, and enters heartbeat mode.
The C2 communication employs RPC using custom CBOR serialization with AES-256-GCM encryption.
The configuration includes built-in (Base64-encoded, msgpack-serialized) and transport blocks. DNS tunneling uses Base64 or Base32 encoding, and the background commands run continuously.
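As an added defender-side example (not code from the original report or from Positive Technologies), the script below flags DNS queries whose subdomains look like Base32/Base64-encoded chunks, the trace the tunneling described above leaves in resolver logs. The log format, domain names, payload chunks and thresholds are constructed assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log ("<timestamp> <client> <query-name> <qtype>"); not from the report.
SAMPLE_DNS_LOG = """\
2024-03-12T10:00:01Z 10.0.0.5 www.example.com A
2024-03-12T10:00:02Z 10.0.0.5 kzsxe4tfnfsxg5a.nbswy3dpeb3w64tmmq.c2-example.test TXT
2024-03-12T10:00:03Z 10.0.0.5 mail.example.com MX
2024-03-12T10:00:04Z 10.0.0.5 mfrgg3dfmzyxezljnzzwk3tsmuxg65c7.c2-example.test TXT
2024-03-12T10:00:05Z 10.0.0.5 onsxezlumuxgg33nnvqw4zbanfzsa.c2-example.test TXT
2024-03-12T10:00:06Z 10.0.0.5 cdn.example.net A
"""

# After lowercasing (DNS is case-insensitive), Base32 or URL-safe Base64 data leaves only these characters.
ENCODED_LABEL_RE = re.compile(r"^[a-z0-9_-]+$")


def shannon_entropy(s):
    """Bits per character; encoded payload chunks score well above real hostnames."""
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))


def split_name(qname):
    """Assumption: the registered domain is the last two labels (no public-suffix lookup)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), labels[:-2]


def is_encoded_subdomain(labels, min_len=24, min_entropy=3.5):
    """True when the subdomain labels look like an encoded data chunk rather than a hostname."""
    payload = "".join(labels)
    if len(payload) < min_len or not all(ENCODED_LABEL_RE.match(lab) for lab in labels):
        return False
    return shannon_entropy(payload) >= min_entropy


def find_tunneling(log_text, min_unique=3):
    """Map parent domain -> sorted query names for parents that received at least
    min_unique distinct encoded-looking subdomains (a tunnel churns through names)."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        parent, labels = split_name(parts[2])
        if labels and is_encoded_subdomain(labels):
            seen[parent].add(parts[2].lower())
    return {p: sorted(n) for p, n in seen.items() if len(n) >= min_unique}
```

Calling find_tunneling(SAMPLE_DNS_LOG) reports c2-example.test with its three encoded queries while the ordinary www, mail and cdn lookups pass; the thresholds are a starting point and should be tuned against a baseline of the resolver's normal traffic.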
ExCobalt continues enhancing GoRed with new features for data collection, secrecy, and leveraging vulnerabilities.
The post GoRed Using DNS & ICMP Tunneling For C2 Server Communication appeared first on Cyber Security News.
Achieving 24/7 Threat Monitoring & Response for Small IT Security Teams – Free Guide
Maintaining continuous vigilance is essential for organizations of all sizes in the face of increasing cyber threats. However, lean IT security teams often face the challenge of providing 24/7 threat monitoring and response with limited resources.
For lean IT security teams, achieving continuous threat monitoring and response requires a strategic blend of automation, outsourcing, and efficient use of resources. Here’s a detailed approach to building an effective 24×7 cybersecurity defense against APT attacks.
This calls for a strategic approach that combines automation, managed services, and efficient processes to ensure comprehensive security coverage around the clock. Even small teams can protect their organizations effectively by implementing the strategies below.
Cynet Security provides a free guide on achieving 24×7 threat monitoring and response for lean IT security teams.
1. Leveraging Automation and AI
Automation is a key enabler for lean teams, allowing for the efficient handling of routine security tasks. Automated threat detection tools like Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) can continuously monitor network traffic and identify suspicious activities.
Security Information and Event Management (SIEM) systems are also vital, as they aggregate and analyze data from various sources, enabling real-time threat detection and response.
AI and machine learning enhance these systems by identifying patterns and predicting potential threats, significantly reducing the number of false positives.
This means the limited human resources can focus on actual threats rather than sifting through numerous benign alerts. Moreover, AI-driven analytics can prioritize alerts based on severity and potential impact, ensuring critical threats are promptly addressed.
2. Utilizing Managed Security Service Providers (MSSPs)
Outsourcing certain aspects of cybersecurity can be an effective strategy for lean teams. Managed Security Service Providers (MSSPs) offer 24×7 monitoring and alerting services, leveraging their expertise and infrastructure to complement in-house efforts.
MSSPs can manage and monitor security technologies, provide real-time alerting, and even support incident response efforts.
This partnership allows lean teams to benefit from advanced threat detection technologies and expertise that might otherwise be unaffordable. Additionally, MSSPs often have access to global threat intelligence, providing insights into emerging threats that an internal team might not readily have.
3. Establishing Clear Incident Response Procedures
A well-defined Incident Response Plan is crucial for effective threat management. This plan should detail specific procedures for detecting, responding to, and recovering from security incidents.
Key components include defining roles and responsibilities, establishing communication protocols, and outlining steps to contain and mitigate threats.
Regular training and incident response drills are essential to ensure all team members understand their roles and act swiftly and effectively during security events. This not only improves the response time but also minimizes the potential damage caused by a breach.
4. Implementing Security Orchestration, Automation, and Response (SOAR) Tools
SOAR tools can automate the response to common security incidents, such as isolating compromised systems or blocking malicious IP addresses. These tools streamline the incident response process, reducing the security team’s manual workload and allowing them to focus on more complex issues.
SOAR platforms also offer centralized incident management, providing a unified view of all security alerts and enabling better coordination. This centralized approach simplifies incident tracking and resolution, ensuring nothing is overlooked.
5. Enhancing Network and Endpoint Security
Network and endpoint security are foundational components of a robust cybersecurity strategy. Network monitoring tools, such as firewalls and traffic analysis systems, are essential for detecting and responding to suspicious activities within the network.
These tools help identify and mitigate threats before they can cause significant damage.
Endpoint Detection and Response (EDR) solutions are equally important, as they provide visibility into activities on end-user devices. EDR tools can detect and respond to threats at the endpoint level, such as malware infections or unauthorized access, and often include capabilities for isolating compromised systems to prevent further spread.
6. Prioritizing Threat Intelligence and Analysis
Access to up-to-date threat intelligence is vital for staying ahead of cyber threats. By subscribing to threat intelligence feeds, lean IT teams can receive real-time information about emerging threats, vulnerabilities, and attack patterns.
This intelligence helps proactively adjust defenses and prioritize security efforts based on the most relevant threats to the organization.
Regular threat analysis is also necessary to understand the organization’s specific risks. This involves assessing the threat landscape, identifying potential vulnerabilities, and prioritizing security measures accordingly. A clear understanding of the most likely threats allows for more effective allocation of limited resources.
7. Adopting a Layered Security Approach
A multi-layered security strategy, often called “defense in depth,” is critical for robust protection. This approach involves implementing multiple layers of security controls across different areas, such as physical, network, application, and endpoint security.
Each layer acts as a barrier against potential threats, ensuring that if one defense is breached, others remain in place to mitigate the attack.
User education is another vital layer in this approach. Training users on security best practices, such as recognizing phishing attempts and using strong passwords, can significantly reduce the risk of successful attacks. User awareness programs are an ongoing effort, as the threat landscape continually evolves.
8. Utilizing Cloud Security Services
Cloud security services offer scalable and flexible solutions for threat monitoring and response. Many security tools, including SIEMs, firewalls, and EDR solutions, are cloud-based services.
These tools often come with built-in monitoring and alerting capabilities, which can benefit lean teams.
Cloud-based security solutions can also reduce the need for on-premises infrastructure and the associated maintenance overhead.
This is especially valuable for small teams, allowing them to focus more on strategic security initiatives rather than managing and maintaining hardware.
9. Regularly Reviewing and Updating Security Policies and Procedures
Security policies and procedures must be regularly reviewed and updated to ensure continued effectiveness. This includes access control policies, data protection guidelines, and incident response procedures.
Keeping these documents up to date ensures that they reflect the latest security threats and best practices.
Compliance with relevant regulations and standards is also essential. Regular audits can help identify gaps in security posture and ensure that all necessary controls are in place.
This proactive approach not only enhances security but also helps in avoiding potential legal and regulatory penalties.
10. Leveraging Community and Open-Source Resources
Engaging with cybersecurity communities and forums can provide valuable insights and support. These communities often share information on the latest threats, vulnerabilities, and security best practices.
For lean teams, participating in such forums can be an invaluable resource for staying informed and connected with the broader security community.
Open-source security tools can also be a cost-effective way to enhance your security posture. Many open-source projects, such as IDS/IPS, EDR, and SIEM systems, offer robust security solutions.
These tools can be customized and integrated into existing infrastructure, providing powerful capabilities without the cost of commercial solutions.
By combining these strategies, lean IT security teams can build an effective 24×7 threat monitoring and response system. This approach ensures the organization remains resilient against cyber threats, even with limited resources.
The post Achieving 24/7 Threat Monitoring & Response for Small IT Security Teams – Free Guide appeared first on Cyber Security News.