Leaderboard

Poti repara formatarea? Pe tema alba e cam ilizibil.

What could be the best way to take over and disrupt cyber espionage campaigns? Hacking them back? Probably not. At least not when it's Microsoft, who is continuously trying to protect its users from hackers, cyber criminals and state-sponsored groups. It has now been revealed that Microsoft has taken a different approach to disrupt a large number of cyber espionage campaigns conducted by "Fancy Bear" hacking group by using the lawsuit as a tool — the tech company cleverly hijacked some of its servers with the help of law. Microsoft used its legal team last year to sue Fancy Bear in a federal court outside Washington DC, accusing the hacking group of computer intrusion, cybersquatting, and reserving several domain names that violate Microsoft's trademarks, according to a detailed report published by the Daily Beast. Fancy Bear — also known as APT28, Sofacy, Sednit, and Pawn Storm — is a sophisticated hacking group that has been in operation since at least 2007 and has also been accused of hacking the Democratic National Committee (DNC) and Clinton Campaign in an attempt to influence the U.S. presidential election. The hacking group is believed to be associated with the GRU (General Staff Main Intelligence Directorate), Russian secret military intelligence agency, though Microsoft has not mentioned any connection between Fancy Bear and the Russian government in its lawsuit. Instead of registering generic domains for its cyber espionage operations, Fancy Bear often picked domain names that look-alike Microsoft products and services, such as livemicrosoft[.]net and rsshotmail[.]com, in order to carry out its hacking and cyber espionage campaigns. This inadvertently gave Microsoft an opportunity to drag the hacking group with "unknown members" into the court of justice. Microsoft Sinkholed Fancy Bear Domains The purpose of the lawsuit was not to bring the criminal group to the court; instead, Microsoft appealed to the court to gain the ownership of Fancy Bear domains — many of which act as command-and-control servers for various malware distributed by the group. "These servers can be thought of as the spymasters in Russia's cyber espionage, waiting patiently for contact from their malware agents in the field, then issuing encrypted instructions and accepting stolen documents," the report reads. Although Microsoft did not get the full-ownership of those domains yet, the judge last year issued a then-sealed order to domain name registrars "compelling them to alter" the DNS of at least 70 Fancy Bear domains and pointing them to Microsoft-controlled servers. Eventually, Microsoft used the lawsuit as a tool to create sinkhole domains, allowing the company's Digital Crimes Unit to actively monitor the malware infrastructures and identify potential victims. "By analyzing the traffic coming to its sinkhole, the company’s security experts have identified 122 new cyber espionage victims, whom it’s been alerting through Internet service providers," the report reads. Microsoft has appealed and is still waiting for a final default judgment against Fancy Bear, for which the hearing has been scheduled on Friday in Virginia court. Sursa

The Cyberprobe project is an open-source distributed architecture for real-time monitoring of networks against attack. The software consists of two components: a probe, which collects data packets and forwards it over a network in standard streaming protocols. a monitor, which receives the streamed packets, decodes the protocols, and interprets the information. These components can be used together or separately. For a simple configuration, they can be run on the same host, for more complex environments, a number of probes can feed a single monitor. For more detail, and to see where we are going, read the architecture page. The probe, cyberprobe has the following features: The probe can be tasked to collect packets from an interface and forward any which match a configurable address list. The probe can be configured to receive Snort alerts. In this configuration, when an alert is received from Snort, the IP source address associated with the alert is dynamically targeted for a period of time. In such a configuration, the system will collect data from any network actor who triggers a snort rule and is thus identified as a potential attacker. The probe can optionally run a management interface which allows remote interrogation of the state, and alteration of the configuration. This allows dynamic alteration of the targeting map, and integration with other systems. The probe can be configured to deliver on one of two standard stream protocols. The monitor tool, cybermon has the following features: Collects packets delivered in stream protocols. Decodes packet protocols in and raises events in near-real-time. Decoded information is made available to user-configurable logic to define how the decoded data is handled. A simple configuration language is used (LUA) and example configurations are provided to monitor data volumes, display data hexdumps, or stash the data in files. Packet forgery techniques are included, which allow resetting TCP connections, and forging DNS responses. This can be invoked from your LUA in order to fight back against attacks on your network. Has a pub/sub delivery mechanism with subscribers for ElasticSearch, Google BigQuery and Gaffer graph store. Supports IP, TCP, UDP, ICMP, HTTP and DNS protocols, currently. The cybermon software includes some support for STIX as a threat indicator specification, and can create alerts on the presence of threats on the network. The code is targeted at the Linux platform, although it is generic enough to be applicable to other UN*X-like platforms. The easiest way to learn about the software is to follow our Quick Start tutorial. Github download page here Operating System Architecture Download Fedora 25 64-bit 64-bit RPM Source Source RPM RHEL 7 / CentOS 7 64-bit 64-bit RPM Source Source RPM Debian 8 64-bit Debian package Ubuntu 64-bit Debian package Anything else Source Source bundle Source: http://cyberprobe.trustnetworks.com/