Tuesday, February 10, 2015

Delay in actionable intelligence creating additional risk, additional malware seen

With the recent Anthem incident it goes without saying that organizations need to share information to protect other entities from similar attacks. In the case of Anthem, the information has been shared with only 2 organizations, and the information being put out by commercial vendors is incomplete and in some cases completely inaccurate. What we are seeing is that many people are making guesses as to what the actual threat is.

It seems that in both this recent issue and the Sony issue, the information coming out of the analysis of these events is being withheld from commercial security vendors. This does nothing to protect others that may face similar attacks. It should be noted, however, that the attackers in this case have moved on to other attacks.

This is a concerted effort to infiltrate many businesses and Government. As yet we have not seen any real and meaningful cooperation between Anthem, Sony or the Government. If they really wanted to protect the masses, clear and concise information would be put out for everyone.

This leads me to believe that nobody really knows the exact methods. I can tell you that there are zero-day attacks being used as well as a known browser flaw that is not being fixed by vendors. If hackers know about it and vendors choose to ignore it, there is really nothing the average person can do to protect themselves from the threats that loom.

I have predicted that the educational space will be the next to have issues, based on what we have seen. Because of this, we will offer educational institutions access to our blocklist in the hope that some will be proactive and save themselves some embarrassment. There have been several attackers on Twitter posting educational information, and much of the stolen information is available on Darknet and being shared between hackers.

This open sharing initiative that everybody speaks of is nonexistent and probably will not come to pass. It's a shame really, as there is power in numbers. We need a distributed protection system that can incorporate actual information between vendors in near real time. Until this happens we will continue to see disinformation. In addition, the naming conventions between commercial products are horrible and confusing, and interoperability between companies is horrible as well.

The additional malware being seen that is NOT being tracked by any of the major vendors was previously posted.

Indicator Information

IP Addresses Involved:
196.203.89.134
194.105.9.85
82.81.128.61
50.56.56.125

Also it goes without saying that certain file extensions should be dropped by your email gateways.
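One defender-side check the indicator list above invites, added here as an example and not code from the original post: scan log lines for the four listed addresses, extracting dotted quads as whole tokens so that a longer address that merely contains one of them (or a malformed quad such as 999.x.x.x) cannot produce a false hit. The sample log lines are constructed for the example.

```python
import ipaddress
import re
from typing import Iterable, List, Tuple

# Indicator addresses exactly as listed in the post (no ranges).
INDICATOR_IPS = frozenset({
    "196.203.89.134",
    "194.105.9.85",
    "82.81.128.61",
    "50.56.56.125",
})

# A dotted quad only counts when it is not glued to further digits or dots,
# so "50.56.56.1250" and "182.81.128.61" cannot be mistaken for indicators.
_IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def extract_ips(line: str) -> List[str]:
    """Return every syntactically valid IPv4 address in one log line."""
    found = []
    for token in _IPV4_RE.findall(line):
        try:
            found.append(str(ipaddress.IPv4Address(token)))
        except ipaddress.AddressValueError:
            continue  # looks like an address (e.g. 999.105.9.85) but is not one
    return found


def match_indicators(lines: Iterable[str], indicators=INDICATOR_IPS) -> List[Tuple[int, str, str]]:
    """Return (line_number, matched_ip, raw_line) for every line touching an indicator."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for ip in extract_ips(line):
            if ip in indicators:
                hits.append((n, ip, line.rstrip()))
    return hits


# Constructed proxy/firewall style records; only lines 1 and 4 should match.
SAMPLE_LOG = [
    "2015-02-10T08:12:01Z proxy ALLOW 10.1.4.22 -> 196.203.89.134:443 GET /update.php",
    "2015-02-10T08:12:05Z proxy ALLOW 10.1.4.23 -> 182.81.128.61:80 GET /index.html",
    "2015-02-10T08:13:40Z fw DENY src=10.1.9.8 dst=50.56.56.1250 proto=tcp",
    "2015-02-10T08:15:00Z fw ALLOW src=10.1.9.8 dst=82.81.128.61 proto=tcp dpt=8080",
    "2015-02-10T08:16:22Z dns query host=10.1.4.22 answer=999.105.9.85",
]

if __name__ == "__main__":
    for n, ip, raw in match_indicators(SAMPLE_LOG):
        print(f"line {n}: indicator {ip} seen in: {raw}")
```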
