MITRE’s Latest ATT&CK Evaluations Reveal Critical Insights into Cybersecurity Solutions
MITRE Corporation has published its findings from the latest round of ATT&CK evaluations, offering important insights into the effectiveness of enterprise cybersecurity solutions. This sixth evaluation assessed 19 vendors against two major ransomware strains, Cl0p and LockBit, as well as North Korean-linked malware targeting macOS systems. The advanced malware simulations used during the evaluation highlighted sophisticated tactics, such as exploiting macOS utilities and covert data exfiltration, emphasizing the dynamic nature of modern cyber threats.

The Findings and Their Significance

According to MITRE’s general manager, William Booth, the evaluation revealed notable disparities in vendors’ abilities to detect and distinguish between malicious activities. Some solutions achieved high detection rates but also suffered from alarmingly high false-positive rates, indicating a need for better precision in threat identification. MITRE’s methodology involved a two-phase approach: first, evaluating baseline detection capabilities and then assessing protection performance after vendors adjusted their configurations to improve detection accuracy. This approach highlights the adaptability of vendors in enhancing their solutions to counter emerging threats.

The Struggles with Post-Compromise Detection

A key takeaway from the evaluation was the struggle vendors faced with post-compromise threat detection. MITRE stressed the importance of detecting and mitigating ransomware activities after the initial breach, as ransomware often mimics legitimate system behaviors. Booth emphasized that relying solely on blocking initial infections is no longer sufficient—solutions must also account for activities occurring later in the attack chain. This represents a critical area where cybersecurity solutions need improvement to effectively neutralize threats at all stages of an attack.

Contrasting Detection Strategies

The evaluation also highlighted differences in detection strategies among vendors. Some vendors utilized machine learning and AI-based methods for threat detection, while others relied on more traditional heuristic approaches. These contrasting methodologies led to varying levels of effectiveness, particularly in false-positive rates and in distinguishing benign from malicious activity. The use of AI-based methods showed promise, but some vendors struggled with accuracy, underscoring the challenges the industry faces in keeping up with evolving threats.

macOS Threats: A New Challenge

For the first time, MITRE included macOS threats in its evaluation. Addressing macOS malware posed unique challenges, as there is limited publicly available Cyber Threat Intelligence (CTI) on such threats. Despite these challenges, MITRE’s inclusion of macOS malware reflects its commitment to addressing the evolving threat landscape, particularly as more organizations adopt Apple devices in their enterprise environments. The move signals MITRE’s proactive approach to ensuring that cybersecurity solutions account for all major operating systems in use today.

Looking Ahead: Vendor Transparency and Improvement

Although MITRE refrains from ranking vendors, its evaluation provides transparency that can guide organizations in making informed decisions about their cybersecurity strategies. The findings underscore the importance of refining cybersecurity technologies to meet the demands of a rapidly evolving cyber environment. Booth highlighted that these evaluations encourage vendors to continuously improve their technologies to better counter the increasing sophistication of cyber threats.

By incorporating ransomware and macOS malware into its evaluations, MITRE continues to shed light on the complexities of modern cyberattacks. The insights gained from this evaluation are invaluable for organizations looking to enhance their defenses against increasingly sophisticated threats. As cyberattacks become more advanced, understanding the varying capabilities of enterprise security solutions is essential for building a robust cybersecurity posture.

Chinese Attackers Deployed Backdoor Quintet to Down MITRE
China-linked hackers used a variety of backdoors and Web shells to compromise the MITRE Corporation late last year. 

Last month, it was revealed that MITRE, widely known for its Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework, had been compromised through Ivanti Connect Secure zero-day flaws. The hackers secured access to the Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified research and development network.

On May 3, MITRE disclosed further details regarding five distinct payloads used in an attack that spanned from New Year's Eve to mid-March. 

The perpetrators infected MITRE with the "Rootrot" Web shell as a New Year's present in 2023. Rootrot is designed to implant itself in a valid Ivanti Connect Secure TCC file, allowing the attackers to conduct reconnaissance and lateral movement within the NERVE system.

The tool was created by the Chinese advanced persistent threat (APT) group UNC5221, which was also responsible for the first wave of alleged Ivanti-based attacks. Dark Reading had previously linked MITRE's intrusion to UNC5221, but retracted that detail at MITRE's request. 

After gaining initial access and probing around, the criminals used their compromised Ivanti appliance to connect to and ultimately seize control of NERVE's virtual environment. They then infected several virtual machines (VMs) using multiple payloads.

There was "Brickstorm," a Golang-based backdoor for VMware vCenter servers that appeared in two versions on MITRE's network. It can configure itself as a Web server, communicate with a command-and-control (C2) server, perform SOCKS relaying, execute shell commands, upload and download files, and manipulate file systems.

Following Brickstorm came the Wirefire (or Gifted Visitor) Web shell, a Python-based utility for uploading files and running arbitrary scripts. The attackers first installed it on their compromised Ivanti appliance on January 11, the day after the first batch of Ivanti vulnerabilities was made public.

MITRE later discovered that the attackers were using the Perl-based Web shell Bushwalk to carry out command-and-control operations. Notably, this was an entirely different variant from the Bushwalk that Mandiant had previously reported on.

The attack also included a previously undocumented Web shell called "Beeflush," notable for its ability to read and encrypt Web traffic data. To conclude its blog post, MITRE emphasised the importance of the secure-by-design and zero-trust movements, as well as routine authentication policies and software bills of materials (SBOMs).