Cybersecurity

AI vs AI: The Emerging Battleground of Cyber Offensive and Defensive Strategies

/ Miguel Antonio Bigueur / 3 Comments

10 Minutes

The rapid evolution of artificial intelligence (AI) is transforming the landscape of cybersecurity, bringing both exciting opportunities and daunting challenges. As AI systems grow more advanced, they are being harnessed by both cyber attackers and defenders, creating a dynamic and complex battle of wits. This report delves into the intricate dance of AI versus AI in the realm of cybersecurity, offering an in depth overview of offensive and defensive strategies. Explore the profound implications and future possibilities of this high-stakes technological showdown.

The AI Arms Race

The interplay between offensive and defensive AI strategies has given rise to an AI versus AI arms race, where both attackers and defenders are continuously evolving their tactics and techniques. This arms race presents several challenges and implications:

Continue reading

Chinese APT30 Cyber Espionage: Long-Term Tactics and Targets

/ Miguel Antonio Bigueur / Leave a comment
china-internet-outage

8 Minutes

APT30 is a Chinese based, well organized, state sanctioned Cyber Espionage operation. The group is most notably known for its decade long use of the same sets of tools and tactics. The group’s main objective is the acquisition of private government information relating to socio and geo-political influence as conducted through long duration cyber espionage campaigns. APT30’s targets predominantly consist of organizations that satisfy its own governmental requirements for intelligence gathering. Some of the earliest domain registrations and malware compilation times date as far back as 2004 with its associated use of C2 server domains dating back to 2005.

Continue reading

Russian APT29 Cyber Espionage: Tactics, Motivations, and Mitigation Strategies

/ Miguel Antonio Bigueur / Leave a comment
the-dukes-apt29-one-of-russia-s-cyber-espionage-hacking-squads-492021-2

10 Minutes

APT29, The Dukes, a term coined by security researchers at Kaspersky Labs, are a well funded, highly resourceful and dedicated group of organized cyber espionage hackers that have been linked to the Russian Federation dating back as far as 2008. Their primary mission traditionally has been to perform intelligence gathering in an effort to support Russian foreign and security policies. The Dukes have access to a vast arsenal of malware toolsets, which have been identified as OnionDuke, CosmicDuke, MiniDuke, GeminiDuke, HammerDuke, PinchDuke, SeaDuke, and CloudDuke to name a few.

Continue reading

Methbot: Russian Cyber Fraud Targeting U.S. Advertisers

/ Miguel Antonio Bigueur / Leave a comment
WhatIsMethbot

7 Minutes

The biggest names in U.S. media and brand name advertising are losing millions in advertising dollars on a dally basis due to a Russian underground of cyber criminals. This operation in particular targets video ads by producing massive volumes of fraudulent video ads through the misappropriation of various parts of critical Internet infrastructure then targeting premium-advertising space. As revealed by security experts, a new and very successful click fraud, as perpetrated by Russian cyber miscreants, has resulted in the loss of millions of dollars on a day-to-day basis.

Although the lone group of Russian misfits operate out of Russia, they controls that extends far beyond their borders and oceans by controlling malicious web browsers installed on web servers harbored within legitimate data centers located mainly in the U.S. and Netherlands. This global botnet farm tricks advertising networks into believing that real human beings are viewing hundreds upon millions of video ads daily. Methbot’s Russian cyber syndicate controls these data centers by acquiring troves of legitimately owned Internet service provider IP addresses then creating fake documents claiming the rights to using them at which point they given the authority to access video ads through the use of a custom web browser.

Continue reading

Malware Analysis & Reverse Engineering (Case Study)

/ Miguel Antonio Bigueur / Leave a comment

 

malware.png

Summary of Findings 

  • Testbook3.xlsm.mlw: 64f129da1ab476723f147ec9ad92ad0d
  • Malware creation Date: 2017-04-24 01:53:22Z
  • Malware Type: Downloader Trojan

VirusTotal resulted in 27/ 57 detections as malicious. This dropper steals username and password information from the SAM database of the victim. This is evidenced by API calls made using SAMSRV.DLL. The stolen data is then sent across an encrypted communications link using  SSLv2 encryption.

The malware begins to enumerate SAM hashes from the SAM database and encrypts them before transmitting the stolen data. The malware makes use of several APIs in this process including: crypt32.dll, bcrypt.dll, ncrypt.dll, cryptdll.dll, secure32.dll.  Continue reading

Identifying Prosium Bot Files with Yara Rules for Malware Detection

/ Miguel Antonio Bigueur / Leave a comment

5 Minutes

In an effort to help identify and classify malware samples, Yara rules have been specifically written to help identify if a computer or system is infected, and if so, uncover the location of potentially infected files.

The first Yara rule, as seen below, was written to identify any files and their location on disk that could potentially be infected with the Prosium Bot. The following strings have been optimized to help minimize false positives while providing the most effective file identification possible.

Continue reading

Python Security Scripting

/ Miguel Antonio Bigueur / Leave a comment

O05Pwjy

Introduction: (Problem description)

There are a large number of reasons why it’s a good idea to keep apprised of when, where, why, and how a computer is used on a frequent basis. There could be critical indicators of compromise “IOCs” and/or indicators of attacks “IOAs” that could possibly help network defenders protect against such activities or perform remediation them after the fact. The proper logging of all user and computer activities is crucial to any network defense program and should be carefully implemented in addition to password policy enforcement.

All scripts in this post can be found at:

https://github.com/SmokeDog88/InfoSec_Ops

Continue reading