Tag Archive for: defensive

PM Defensive Cyber Operations Transitions to Army’s PEO IEW&S; Brig. Gen. Ed Barker Quoted


The Program Executive Office Intelligence, Electronic Warfare and Sensors is building up the U.S. Army’s cyber capabilities with the addition of Project Manager Defensive Cyber Operations.

With the transition, PEO IEW&S is integrating into its portfolio PM DCO’s two key programs: Cyber Platforms and Systems and Cyber Analytics and Detection, the service branch said Thursday.

CPS facilitates the procurement and delivery of cybersecurity tools and related platforms to the armed forces, and CAD offers capabilities that enable warfighters to analyze and detect internal and external cyberthreats to the Army.

“The days of the Army being a kinetic-only force are gone. Our ability to operate in multiple domains has become paramount, with none more important than mastering the cyber warfare arena,” said Brig. Gen. Ed Barker, PEO for IEW&S.

Celerium Announces Compromise Defender™ Solution with Defensive Support Against Cl0p/MOVEit Ransomware Threats


Compromise Defender is a new Celerium solution that implements in 30 minutes and leverages automation to detect and disrupt cyber compromise activity.

TYSON’S CORNER, June 22, 2023 /PRNewswire/ — Celerium Inc., a leading cyber defense company, today announces the release of its latest cybersecurity solution, Compromise Defender™. As an integral part of Celerium’s Cyber Defense Network™, this innovative solution combines rapid implementation and automation to provide early detection and defense of compromise activity.

Celerium powers active cyber defense solutions to help protect companies and communities from increasing cyberattacks. (PRNewsfoto/Celerium)


Research by IBM found that the average time to detect a data breach is around 200 days, nearly seven months. The need for early detection of and defense against compromise activity, which often follows the network intrusion phase of a cyber incident and can be a precursor to later-stage ransomware and data breach attacks, is more critical than ever. Celerium created Compromise Defender to address this need.

“Small and medium-sized businesses and local government organizations are overloaded and overwhelmed with cybersecurity challenges,” said Tommy McDowell, General Manager of Celerium. “Our aim with Compromise Defender is to lighten their load by providing a real-time, automated solution that not only detects threats early but also launches an effective defense.”

Celerium specifically designed Compromise Defender for busy and overloaded organizations, with quick setup and easy operation:

  • 30-minute non-intrusive implementation, without any hardware or software to install.

  • Secure connectivity between an organization’s perimeter firewalls to Celerium’s Decision Engine hosted on the AWS cloud.

  • 100% automated, eliminating the need for integration with SIEM or IT security stack solutions.

  • Autonomous operation, requiring no IT staff for day-to-day management.

  • Real-time automated defense mechanisms to block network threats and compromise activity. The real-time mechanism re-optimizes network defense measures every 15 minutes.

  • Integrated automated analysis and reporting platforms show compromise activity (of reconnaissance, C2 server…


Defensive Considerations for Lazarus FudModule


In February 2023, X-Force published a blog post entitled “Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers” that details the capabilities of a sample attributed to the Lazarus group which is used to impair visibility into the malware’s operations. This post does not rehash the analysis of that sample or of Event Tracing for Windows (ETW), as the earlier X-Force post already covers both. Instead it highlights the opportunities for detecting the FudModule within the Lazarus sample analyzed by X-Force, and describes a strategy of using telemetry stream health as a way of detecting malware designed to impair defenses through ETW tampering.

One Ring 0 To Rule Them All

The Lazarus FudModule begins by installing a Dell driver (dbutil_2_3.sys) that is vulnerable to CVE-2021-21551, which lets the malware elevate from administrative privileges to a level where DKOM attacks are possible. This type of attack is referred to as bring your own vulnerable driver (BYOVD). In a BYOVD attack, an attacker who already has administrative access loads a legitimately signed but vulnerable driver and exploits it to cross the boundary from administrator to ring 0 (kernel mode); because the driver carries a valid signature, driver signature enforcement on its own does not stop it. Ring 0 access lets the attacker bypass or disable security technology and evade detection by security professionals by operating deeper within the operating system than the tools watching it.
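The first detection opportunity is the driver load itself. The following is an added example (not code from X-Force or the original post) that runs a BYOVD check over Sysmon Event ID 6 (DriverLoad) records: it matches the driver's SHA-256 against a vulnerable-driver block list, falls back to the file name, and flags kernel drivers loaded from outside the system driver directories. It assumes the events have been flattened into dicts with Sysmon's standard field names; the block list entry, the hash values (placeholders, not real hashes) and the sample events are all constructed.

```python
"""Flag a bring-your-own-vulnerable-driver load in Sysmon Event ID 6
(DriverLoad) records.

Added example, not code from X-Force or the original post. It assumes the
Sysmon events have already been flattened into dicts carrying the standard
fields (UtcTime, ImageLoaded, Hashes, Signed, Signature, SignatureStatus).
The block list entries and sample events are constructed; the SHA-256
values are placeholders, not the real hashes of any driver.
"""
from dataclasses import dataclass
import ntpath

# Known-vulnerable drivers an attacker is likely to bring along. In production
# feed this from a maintained list (e.g. Microsoft's vulnerable driver blocklist
# or the LOLDrivers project); the hash here is a constructed placeholder.
BLOCKLIST_SHA256 = {
    "aa" * 32: "dbutil_2_3.sys (Dell, CVE-2021-21551)",
}
BLOCKLIST_NAMES = {"dbutil_2_3.sys"}

# Legitimately installed drivers live in the driver directory or driver store;
# a kernel driver loaded from a user-writable path is suspicious by itself.
EXPECTED_DIR_PREFIXES = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)


@dataclass(frozen=True)
class Finding:
    time: str
    image: str
    reasons: tuple


def parse_hashes(field):
    """Sysmon 'SHA256=...,IMPHASH=...' -> {'SHA256': '...', 'IMPHASH': '...'}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def assess_driver_load(event):
    """Return a Finding for a suspicious DriverLoad event, else None."""
    image = event["ImageLoaded"]
    name = ntpath.basename(image).lower()
    hashes = parse_hashes(event.get("Hashes", ""))
    reasons = []
    sha256 = hashes.get("SHA256")
    if sha256 in BLOCKLIST_SHA256:
        reasons.append("hash on vulnerable-driver block list: " + BLOCKLIST_SHA256[sha256])
    elif name in BLOCKLIST_NAMES:
        # Same file name but unknown hash: could be a patched build; verify rather than ignore.
        reasons.append(f"file name {name} matches a known vulnerable driver (hash not on list)")
    if not image.lower().startswith(EXPECTED_DIR_PREFIXES):
        reasons.append("driver loaded from outside the system driver directories")
    # Deliberately NOT consulted: Signed/SignatureStatus. The Dell driver abused
    # by FudModule carries a valid vendor signature; that is what makes BYOVD work.
    return Finding(event["UtcTime"], image, tuple(reasons)) if reasons else None


def scan(events):
    return [f for f in map(assess_driver_load, events) if f is not None]


# Constructed sample events in Sysmon Event ID 6 field layout.
SAMPLE_EVENTS = [
    {"UtcTime": "2023-02-01 10:02:11.000",
     "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Hashes": "SHA256=" + "11" * 32, "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"UtcTime": "2023-02-01 10:03:40.000",
     "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\dbutil_2_3.sys",
     "Hashes": "SHA256=" + "aa" * 32 + ",IMPHASH=" + "bb" * 16, "Signed": "true",
     "Signature": "Dell Inc.", "SignatureStatus": "Valid"},
    {"UtcTime": "2023-02-01 10:05:02.000",
     "ImageLoaded": r"C:\ProgramData\svc\update.sys",
     "Hashes": "SHA256=" + "cc" * 32, "Signed": "false",
     "Signature": "", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.time, f.image, "|", "; ".join(f.reasons))
```

The point of the design is the line the code does not take: signature status is ignored on purpose, because a BYOVD driver is by definition validly signed. The hash list is the strong signal; the file-name and load-path checks are there so that a renamed or re-hashed copy of the same driver still surfaces for review.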

Can’t Hit What You Can’t See

As detailed in the X-Force blog, after obtaining kernel-mode privileges the FudModule targets kernel structures to impair telemetry sources on the host, specifically Event Tracing for Windows (ETW) registration handles. An ETW registration handle is used to retrieve configuration information for a specific provider; through the handle, code can test whether a provider is enabled for specific keywords or information levels, and the handle is passed to the event tracing and logging functions for that provider. The FudModule leverages the nt!EtwRegister function to enumerate entries associated with the RegHandle parameter and then overwrites the value with NULL, effectively disabling all system ETW providers for all consuming applications, including those providers used by some…
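Because the tampering silences every provider at once, the most robust signal is not any single event but the health of the telemetry stream itself. The following is an added example (not code from X-Force or the original post) of the telemetry-stream-health strategy mentioned above: it keeps a short per-provider baseline of events per interval and alerts when a normally chatty provider reports zero events for consecutive intervals while the endpoint agent's own heartbeat continues. It assumes an agent that reports, per interval, its heartbeat and a count per ETW provider; the hosts, provider names used as labels, and counts are constructed to mimic FudModule-style tampering on host-a at 10:03.

```python
"""Telemetry-stream health: alert when ETW providers that are normally
chatty go silent while the endpoint agent itself is still alive.

Added example, not code from X-Force or the original post. It assumes an
endpoint agent that reports, per interval, (a) its own heartbeat and
(b) an event count per ETW provider it subscribes to. The counts below are
constructed to mimic FudModule-style tampering on host-a at 10:03.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from statistics import mean

WINDOW = 3         # intervals of history used for the per-provider baseline
MIN_BASELINE = 10  # providers averaging fewer events than this are too sparse to judge
STREAK = 2         # consecutive silent intervals required before alerting


@dataclass(frozen=True)
class Alert:
    host: str
    provider: str
    first_silent: str   # timestamp of the first interval with zero events
    baseline: float     # mean events/interval just before the provider went quiet


def check_health(telemetry, window=WINDOW, min_baseline=MIN_BASELINE, streak=STREAK):
    """telemetry: iterable of (host, timestamp, agent_alive, {provider: count}),
    ordered by time. Returns one Alert per (host, provider) silent run."""
    history = defaultdict(lambda: deque(maxlen=window))  # (host, provider) -> recent counts
    silent = {}                                          # (host, provider) -> (first_ts, run_len)
    alerts = []
    for host, ts, agent_alive, counts in telemetry:
        if not agent_alive:
            # No heartbeat: the host is off or the agent was killed. That is a
            # different (agent-health) alert, not evidence of ETW tampering,
            # so reset any silent runs rather than counting them.
            for key in [k for k in silent if k[0] == host]:
                silent.pop(key)
            continue
        # Evaluate every provider ever seen on this host, so one that simply
        # disappears from the report is treated as zero rather than ignored.
        seen = {p for (h, p) in history if h == host} | set(counts)
        for provider in sorted(seen):
            key = (host, provider)
            n = counts.get(provider, 0)
            hist = history[key]
            baseline = mean(hist) if len(hist) == window else 0.0
            if n == 0 and baseline >= min_baseline:
                first, run = silent.get(key, (ts, 0))
                silent[key] = (first, run + 1)
                if run + 1 == streak:
                    alerts.append(Alert(host, provider, first, baseline))
                continue  # freeze the baseline while the provider is silent
            silent.pop(key, None)
            hist.append(n)
    return alerts


# Constructed sample telemetry (one-minute intervals).
# host-a: all providers drop to zero at 10:03 while the agent heartbeat continues.
# host-b: goes fully offline at 10:03 (no heartbeat) -> not an ETW-tampering alert.
# host-c: one provider has a single empty interval and recovers -> no alert.
KP, TI, DNS, WMI = ("Microsoft-Windows-Kernel-Process", "Microsoft-Windows-Threat-Intelligence",
                    "Microsoft-Windows-DNS-Client", "Microsoft-Windows-WMI-Activity")
SAMPLE_TELEMETRY = [
    ("host-a", "2023-02-01T10:00", True, {KP: 400, TI: 30, DNS: 110, WMI: 2}),
    ("host-b", "2023-02-01T10:00", True, {KP: 210, TI: 12}),
    ("host-c", "2023-02-01T10:00", True, {KP: 50}),
    ("host-a", "2023-02-01T10:01", True, {KP: 420, TI: 34, DNS: 95, WMI: 1}),
    ("host-b", "2023-02-01T10:01", True, {KP: 190, TI: 15}),
    ("host-c", "2023-02-01T10:01", True, {KP: 55}),
    ("host-a", "2023-02-01T10:02", True, {KP: 395, TI: 29, DNS: 130, WMI: 3}),
    ("host-b", "2023-02-01T10:02", True, {KP: 205, TI: 11}),
    ("host-c", "2023-02-01T10:02", True, {KP: 48}),
    ("host-a", "2023-02-01T10:03", True, {}),
    ("host-b", "2023-02-01T10:03", False, {}),
    ("host-c", "2023-02-01T10:03", True, {}),
    ("host-a", "2023-02-01T10:04", True, {}),
    ("host-b", "2023-02-01T10:04", False, {}),
    ("host-c", "2023-02-01T10:04", True, {KP: 52}),
]

if __name__ == "__main__":
    for a in check_health(SAMPLE_TELEMETRY):
        print(f"{a.host}: {a.provider} silent since {a.first_silent} (baseline {a.baseline:.1f}/min)")
```

The liveness signal has to come from a channel the attacker cannot switch off with the same primitive. If the heartbeat were itself carried over ETW, "every provider reads zero" would be indistinguishable from "the host is powered off"; with an independent agent heartbeat, the two cases separate cleanly, as host-a and host-b show. The sparse-provider threshold and the two-interval streak are there to keep the rule quiet on providers that are legitimately idle for a minute.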


Hacking revelations put Mexico military on defensive


Mexican President Andres Manuel Lopez Obrador attends an independence day military parade – Copyright AFP Richard Pierrin

Samir Tounsi with Paulina Abramovich in Santiago and Juan Sebastian Serrano in Bogota

Leaks from a shadowy group of hackers targeting secret files held by the armed forces of several Latin American nations have fueled controversy in Mexico about the military’s growing power.

A trove of sensitive information was stolen from the Mexican defense ministry by the collective called Guacamaya, which has also claimed cyberattacks in Chile, Colombia and Peru.

“Their objectives are more political than economic,” said Diego Macor, a cyber-security expert at US technology giant IBM in Chile, who describes members of the network as “hacker-activists.”

The leaks revealed that the Mexican army continued to use Pegasus spyware developed by Israeli firm NSO Group after President Andres Manuel Lopez Obrador took office in 2018, according to an investigation by the Network in Defense of Digital Rights and its partners.

The targets included journalists and a human rights activist, according to the probe, which was assisted by the University of Toronto’s Citizen Lab.

The army insisted that it had only used spyware to fight organized crime.

The hack also left Mexico’s military facing allegations that some of its members have links to drug cartels, and that it engineered a contentious security reform giving it control of the National Guard, which was previously under civilian command.

Two soldiers sold grenades, other weapons and tactical equipment to drug cartel members, according to analysis of the files by the civil society group Mexicans Against Corruption and Impunity.

The Mexican and Peruvian militaries also allegedly monitored civil society organizations such as Amnesty International, which condemned their actions as “unacceptable.”

“The undue monitoring of civil society organizations identified in the Guacamaya collective leaks is an example of the hostile context in which we work as organizations defending human rights in the Americas,” said Amnesty regional director Erika Guevara-Rosas.

“Instead of monitoring the activities of civil society…
