The banned user list is kept in the kernel, and used by Antivirus, Data Leak Prevention (DLP), DoS, and Intrusion Prevention System (IPS). Any policies that use any of these features will block traffic from the attacker's IP address.

Further pointing to a compromise at the site is the presence of a vulnerability in its implementation of ColdFusion, a Web application platform that has become a favorite target of the attackers thought to be responsible for this and other aforementioned breaches of late.

NetBot Attacker VIP 60

Such information would be extremely useful in the hands of nation-state level attackers. For a very relevant and timely example of this, consider the cyber spying story printed last month by Foreign Policy magazine. That piece featured an interview with Kevin Mandia, the chief executive of Mandiant, an Alexandria, Va. based firm that specializes in helping companies defend against cyber espionage attacks. In the FP story, Mandia said he recently was the target of a targeted cyber attack that tried to foist malicious spyware on him via an email with a booby-trapped PDF copy of a recent limo invoice.

The Citrix bot trap technique randomly or periodically inserts a trap URL in the server response. You can also create a trap URL list and add URLs for that The URL appears invisible and not accessible if the client is a human user. However, if the client is an automated bot, the URL is accessible and when accessed, the attacker is categorized as bot and any subsequent request from the bot is blocked. The trap technique is effective in blocking attacks from bots.

Although the bot trap URL is auto-generated, the Citrix ADC bot management still allows you to configure a customized trap URL in the bot profile. This is done to strengthenthe bot detection technique and make it harder for attackers to access the trap URL.

An attacker might attempt to impersonate a good bot and send requests to your application server. Such bots are identified as spoofed bots using the bot signature. Configure the following actions against spoofed bots to protect your application server:

This is a pretty simple function which can mess with the user on a LOT of levels; it basically allows the attacker (or Administrator) to create a custom message box to the user, like an error or informative notice that one would normally see. The interesting thing about this feature is that not only are you able to create a message box belonging to the system but also to any active Windows on the system, for example notepad or Windows Media Player. The messages then appear to be coming from the application and that might make the user believe the application is malicious rather than the actual malware running behind the scenes.

Unfortunately, we need to stray from the lighthearted side of this blog post and talk about some of the more scary functionality that DarkComet has. A very powerful and dangerous function of this RAT is the ability to uninstall applications at a whim. The attacker will receive a listing of all installed applications and be given the option to uninstall them. This could be used for multiple reasons; however one of the big ones is to disable security products. Here is an example of the worst possible situation:

The possible use of these webcam videos/images, which can be obtained from the webcam control function, range from cyber espionage, victim blackmailing, the normal perversion of spying on people while they don't know it and the worst one of all child pornography. Although not the intention of every attacker using this tool, it can be used to spread or sell child pornography and therefore make this function, in my opinion, the worst one out of the bunch.

Drive-By attacks mean that when visiting a web page, a malicious script embedded in the page will execute and usually exploit some kind of vulnerability on your system, dropping malware and executing it without you ever knowing. Drive-by attacks are usually used by cyber-criminals for the purpose of spreading malware. The use of drive-by attacks to spread DarkComet doesn't seem to make a lot of sense since it is easily detected and removed. However, as noted on the DarkCoderSC web site for DarkComet, purchasing a VIP account will provide the attacker with version updates of DarkComet before it is released to the public. Therefore the new version or variant hasn't been seen and has a greater chance of getting past AV scanners, so it makes sense to try and infect as many systems as possible with it before it's too late.

Threat actors are also leveraging malicious files attached to phishing emails embedded with macros. Attached files download and execute the Raccoon Stealer on the targeted systems. Once the Raccoon Stealer is injected, it targets all the applications that contain credentials. Then, it dumps the credentials in a zip file and sends the zip file back to the C2 server of the attacker.

Denial of service, or DoS, attacks emerged in the early days of the web and commercialization of the internet. These attacks literally deny service and make a resource scarce; in many cases, attackers simply ping a network or server to busy it out.

On the defense, enterprises and service providers responded by blocklisting devices where the attacks originated. As the cat-and-mouse games became more sophisticated, attackers started to use thousands of bots to create what are now called distributed DoS (DDoS) attacks.

Traditional defenses use a layered security approach, combining numerous defenses including firewalls, intrusion detection, intrusion prevention, filters, anti-virus, encryption, and event logging/analysis. Because system defense is well-understood by attackers, the attackers and defenders are forced into a continuing process of modifying their behavior in response to the actions of the adversary. Attackers and defenders are locked in a continuing cycle of measure-countermeasure.[8] In this on-going cycle, attackers have perfected a highly effective attack methodology - spearphishing. Spearphishing attacks consistently reach their objectives by exploiting users. The user exploitation is created by email technology which enables attackers to communicate directly with authorized users. Email is a standards based system which uses well-known rules to enable honest email senders to deliver email.[9] Gaming the email system provides a reliable attack vector for sophisticated attackers who cleverly manipulate attacks employing the tools of email marketing to deliver email to targeted users. When a spearphishing attack reaches its objectives, defenders are left to engage in retrospective analysis, mitigation and remediation.[10]

The recent theft of tens of millions of dollars from Ubiquiti Networks is a simple, yet highly effective, example of a spearphishing information operation. [23] Ubiquiti is one of the many victims of the Man-in-the-Email method which has netted attackers almost $215M between 01 October 2013 and 01 December 2014.[24] In this type of cyberattack, the attacker sends an email impersonating an employee or vendor which email contains fraudulent payment instructions. The recipient of the email sends money according to the fraudulent instructions. This spearphishing attack is an example of the general structure of the spearphishing information operation because it:

Choosing to substitute a series of assumptions about human cognition in place of human performance research has resulted in a system that is highly vulnerable to attacks against human cognitive processes. In the measures-countermeasures cybersecurity engagement, attackers have focused their attacks on HF while defenders have not. Because the attackers leverage the capacities and performance limitations of the human targets and defenders do not, it is clear that email is a system which favors the attackers, not the defenders.

In the spearphishing engagement, the attacker uses the HF tool of system, interface, and task design to engineer the HSI result of a compromised system. In response, none of the HF tools are being used effectively by the defenders. In order to take email back from the attackers, defenders must address the HSI factors that make email a malicious interface. [70]

In this example, all of the senders that information assurance deems trustworthy have a trust indicator in the inbox. This trust indicator is reinforced in the message with additional iconography and a hover-over information window. The last message in the inbox is a spearphishing attack in which the attacker is attempting to be perceived as the HR Department. The display now integrates the knowledge of information assurance (the attacker is not the trusted HR Department) with the perception of the victim (the sender is the trusted HR Department), thereby revealing the Spearphishing Incongruity and uncovering the attack. The security information is presented without a large Compliance Budget task cost and can quickly become the foundation of improved email processing habits.

His recommended solution is a monitoring tool like Sucuri SiteCheck, which scans your website for known malicious content and malware injections and allows you to see what attackers want your information for.

Cross-Site Scripting (XSS) happens when an attacker places malicious code into the backend code of the chosen website. XSS attacks are similar to database injections in that attackers try to plant code that runs in your files, but XSS primarily targets web page functionality. Once they get access to your front-end display, hackers might try to harm visitors by, for example, posting a disguised link to a faulty website or displaying a fake contact form to steal user information.

For example, using CSRF, attackers can induce users to change their email addresses, transfer funds, change passwords, or take another action. Depending on the action the user takes, the attacker can gain control of the user account and wreak havoc. If the user is an admin, then the attacker can take complete control of the website. 2ff7e9595c