April 13, 2018

By: Spencer Walden, Justin Warner
  • Tags:
  • Click-Fraud
  • Threat Research

In January, ICEBRG disclosed the presence of malicious Google Chrome extensions that were impacting over half a million endpoints worldwide, enabling a massive click-fraud campaign and exposing enterprises to significant risk. After ICEBRG notified Google, these extensions were removed from the Chrome Web Store and from affected users' browsers as well. Over the past two months, ICEBRG's Security Research Team (SRT) continued to monitor for and identify new Chrome extensions suspected of engaging in similar click-fraud activity. This resulted in the identification of 35 additional extensions impacting at least 153,000 additional victims.

Intelligent Detections—The Kobayashi Maru of Security

April 13, 2018

By: Dan Caselden, Jason Rebholz
  • Tags:
  • Threat Detection

While “alert fatigue” may sound like a trendy catchphrase, it is a real issue that security analysts face every day. The ever-increasing number of security alerts from a growing number of devices often results in more noise than useful detections. The unfortunate truth is that many of these alerts are not real security issues nor do they necessarily align with the organization’s strategy to reduce risk. Furthermore, the sheer volume of this noise is costly, leading to complacency, lost productivity, and ultimately increased vulnerability to attacks. This puts the organization’s security team in a “Kobayashi Maru” no-win situation. Course correcting out of this situation, or avoiding it altogether, requires a new approach with a focus on data quality fundamentals and more intelligent detections.

Evolve Your Detection Capabilities With Threat Hunting

March 28, 2018

By: Justin Warner, Stephen Hinck
  • Tags:
  • Threat Hunting

Highly motivated threat actors continue to evolve their tactics, techniques, and procedures (TTPs) to better evade traditional defenses and hide in the noise of your environment. Organizations must evolve in turn: rather than relying solely on traditional, signature-driven defenses, they must maximize visibility into their environment and incorporate proactive detection methodologies. The prime example is threat hunting, the process of searching your environment for threat activity based on known attacker tactics rather than waiting for an alert to fire.

Solve the Equation to a More Secure Environment

March 14, 2018

By: Jason Rebholz
  • Tags:
  • Network Visibility
  • Thought Leadership

Imagine driving a car where you could only see through your front windshield and you’re seconds away from merging onto a busy highway. That moment, where you lack the proper visibility when you need it most, creates an unsafe situation where a collision is imminent. Unfortunately, that type of visibility is a common theme that organizations encounter while defending their networks. The solution—maximize the field of vision in your environment and its surroundings. Let’s break that down.

Malicious Chrome Extensions Enable Criminals to Impact Over Half a Million Users and Global Businesses

January 18, 2018

By: ICEBRG SRT, Justin Warner, Contributor: Mario De Tore
  • Tags:
  • Click Fraud
  • Threat Research

Most leading web browsers, including Google Chrome, offer users the ability to install extensions. While these web-based applications can enhance the user's overall experience, they also pose a threat to workstation security with the ability to inject and execute arbitrary code. Coupling an extension marketplace style “easy install” for users, limited understanding of the underlying risks, and few compensating controls leaves organizations vulnerable to a serious and easily overlooked attack vector. To a motivated threat actor, this approach presents a range of opportunities, from co-opting enterprise resources for advertising click-fraud to leveraging a user’s workstation as a foothold into the enterprise network.

Coin Mining by Opportunistic and Automated Threats

January 12, 2018

By: Justin Warner
  • Tags:
  • coin mining
  • Cryptocurrency
  • Threat Research

With the recent surge in popularity and increasing value of cryptocurrency, it should be no surprise that financially motivated threat actors have begun leveraging their victims to contribute to “mining” efforts, where the computing resources of the victim are used to generate cryptocurrency for the threat actor. To succeed in making a large profit, the actors must continually compromise a large number of victims and utilize significant computing resources. This demand for mass compromise has forced these threat actors to adopt automated methods that rely on opportunistic exploitation to outpace defenders, increasing the number of victims as quickly as possible with minimal cost.

Exploiting Apache Struts: A Case Study in Writing Better Detections

November 16, 2017

By: Chenming Xu, Dan Caselden, Justin Warner, Stephen Hinck
  • Tags:
  • Case Study
  • Detection
  • Struts
  • Threat Research

In researching available detection logic for three well-known Apache Struts vulnerabilities (CVE-2017-5638, CVE-2017-9791, CVE-2017-9805), ICEBRG’s Security Research Team (SRT) discovered that most publicly available detections for these vulnerabilities failed to identify or prevent successful attacks in the wild. Publicly available detection logic focused on implementation details (keywords, paths, network indicators) from available exploits, but not details specific to the vulnerability. These implementation-specific details are easily modified by exploit authors to avoid detection. This case study demonstrates how an understanding of the underlying vulnerability as well as exploitation techniques can be combined and applied to create more robust detections.
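The contrast the case study draws, between a signature that matches a fragment of one public exploit and a detection built on the vulnerability itself, can be shown directly for CVE-2017-5638, where the Struts Jakarta multipart parser evaluated a malformed Content-Type header as an OGNL expression. The following is an added example written for this page, not code from the ICEBRG post; the four HTTP requests in it are constructed for illustration and are not captured traffic, and the `#cmd=` fragment chosen for the brittle signature stands in for whatever literal a public rule might key on.

```python
"""Keyword-matching versus vulnerability-aware detection for OGNL injection
in the Content-Type header (the CVE-2017-5638 request shape).

Added example for this page, not code from the original post. The sample
requests are constructed; the OGNL fragments are deliberately inert and only
exercise the syntax a detector has to recognise.
"""
import re

# Brittle: a literal copied from one exploit. An author who renames the
# variable or changes the command key evades it, and it matches anywhere in
# the request, including harmless form bodies.
BRITTLE_PATTERN = re.compile(r"#cmd=", re.IGNORECASE)

# Vulnerability-aware: the flaw is that the multipart parser evaluates the
# Content-Type header as OGNL. Expression syntax (%{...} or ${...}) has no
# business in that header, whatever the payload inside does.
OGNL_IN_HEADER = re.compile(r"[%$]\{")


def parse_headers(raw_request: str) -> dict:
    """Return a lowercase-keyed dict of the headers of a raw HTTP request."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def brittle_detect(raw_request: str) -> bool:
    """Exploit-string signature applied to the whole request."""
    return bool(BRITTLE_PATTERN.search(raw_request))


def robust_detect(raw_request: str) -> bool:
    """Flag OGNL expression syntax in the Content-Type header only."""
    content_type = parse_headers(raw_request).get("content-type", "")
    return bool(OGNL_IN_HEADER.search(content_type))


def classify(raw_request: str) -> dict:
    """Run both detectors and return their verdicts side by side."""
    return {"brittle": brittle_detect(raw_request),
            "robust": robust_detect(raw_request)}


# --- constructed sample requests -------------------------------------------
REQUEST_LINE = "POST /struts2-showcase/index.action HTTP/1.1\r\nHost: target.example\r\n"

# Shape of a widely copied proof of concept: OGNL in Content-Type, with the
# variable name the brittle rule keys on.
PUBLIC_POC_SHAPE = (REQUEST_LINE +
    "Content-Type: %{(#_='multipart/form-data').(#cmd='x')}\r\n\r\n")

# Same vulnerability, variable renamed and ${...} syntax: evades the keyword.
RENAMED_VARIANT = (REQUEST_LINE +
    "Content-Type: ${(#_='multipart/form-data').(#q='x')}\r\n\r\n")

# Ordinary multipart upload: neither detector should fire.
BENIGN_UPLOAD = (REQUEST_LINE +
    "Content-Type: multipart/form-data; boundary=----Boundary7MA4YWxk\r\n\r\n"
    "------Boundary7MA4YWxk\r\nContent-Disposition: form-data; name=\"f\"\r\n\r\n"
    "hello\r\n------Boundary7MA4YWxk--\r\n")

# A user pasting exploit text into a form field: the keyword rule false-
# positives on the body, the header-scoped rule does not.
BENIGN_BODY_WITH_KEYWORD = (REQUEST_LINE +
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "comment=saw+%25%7B(%23cmd%3D'id')%7D+in+a+log&note=#cmd=literal\r\n")

SAMPLES = {
    "public_poc_shape": PUBLIC_POC_SHAPE,
    "renamed_variant": RENAMED_VARIANT,
    "benign_upload": BENIGN_UPLOAD,
    "benign_body_keyword": BENIGN_BODY_WITH_KEYWORD,
}


def run_all() -> dict:
    """Verdicts of both detectors for every constructed sample."""
    return {name: classify(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_all().items():
        print(f"{name:22s} brittle={verdict['brittle']!s:5s} robust={verdict['robust']}")
```

The keyword rule catches only the request that shares a literal with the exploit it was written from and misfires on a form body that merely mentions that literal; the header-scoped rule catches both injection attempts and ignores both benign requests because it encodes where the vulnerability lives rather than what one exploit author typed. In production this check belongs in the proxy or IDS that sees the raw header, and the same reasoning applies to the other two CVEs the post covers: detect the XML deserialization endpoint receiving a serialized object graph, or the OGNL syntax reaching the Struts 1 plugin message field, not the command string du jour.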

FOOTPRINTS OF FIN7: Pushing new techniques to evade detection

October 8, 2017

By: Alex Sirr, Spencer Walden
  • Tags:
  • FIN7
  • Threat Research

ICEBRG's Security Research Team (SRT) actively tracks threat activity associated with FIN7, a financially motivated actor targeting the retail industry. FIN7 has been constantly adapting their phishing documents in order to evade detection — their latest update has initial detections on VirusTotal of 0/59 and 1/59 for the RTF and DOCX formats, respectively.

Network Forensic Analysis in an Encrypted World

  • Tags:
  • bsides
  • network security
  • research
  • talks

ICEBRG attended a set of information security conferences in Las Vegas, including Black Hat USA, BSidesLV and DEFCON. At BSidesLV, one of our founders (William Peteroy) and principal security engineers (Justin Warner) presented research and methodologies for performing network forensic analysis of encrypted communications streams. Thanks to everyone who attended the talk and special thanks to the folks who stayed and asked questions or were part of the hallway conversations that followed! For those of you who couldn’t make it, please feel free to view the talk in its entirety via the link above or check out the brief summary below.

Footprints of FIN7: Tracking Actor Patterns (IOCs)

August 9, 2017

By: Spencer Walden, Alex Sirr, Dan Caselden
  • Tags:
  • FIN7
  • network security

In our initial two-part blog series on FIN7 we covered network activity patterns, payloads, and defensive best practices. FIN7 is a financially motivated threat actor targeting large organizations that process payment card data or have a significant point-of-sale environment. In part 1, we documented FIN7 command-and-control and lateral movement behaviors that have historically contained detectable patterns for which defenders should deploy detections. In part 2, we covered specific operational tools and tactics. In this blog, we are sharing additional ongoing research into this actor group, their initial access methods, targeting, and infrastructure, for the purpose of providing an extensive indicator set to network defenders. We have collected and analyzed over 60 initial access payloads since early 2017. ICEBRG hopes these IOCs will aid defenders by enabling detection and prevention of known bad phishing lures. More importantly, ICEBRG hopes that this indicator set will empower intel teams and researchers to continue tracking the group as their TTPs evolve to stay ahead of detection capabilities.