Wednesday, 11/07/2018 11:18:06 PM
US Cyber Command starts uploading foreign APT malware to VirusTotal

https://www.zdnet.com/article/us-cyber-command-starts-uploading-foreign-apt-malware-to-virustotal/

USCYBERCOM said it plans to regularly upload "unclassified malware samples" to VirusTotal

On Monday, the Cyber National Mission Force (CNMF), a subordinate unit of US Cyber Command (USCYBERCOM), set in motion a new initiative through which the DOD would share malware samples it discovered on its networks with the broader cybersecurity community.

The CNMF kicked off this new project by creating an account on VirusTotal, an online file scanning service that also doubles as an online malware repository, and by uploading two malware samples.

In addition, USCYBERCOM also created a new Twitter account where it would tweet a link to all new VirusTotal malware uploads.

USCYBERCOM's decision was met with universal praise by leading voices from the cybersecurity private sector.

"This is a great initiative and we believe that if more governments would do the same, the world would be safer. We salute their initiative and are of course paying close attention to what they upload," said Costin Raiu, Director of Global Research & Analysis Team at Kaspersky Lab.

"We believe that having more files in VirusTotal increases the value to the entire community," said Mike Wiacek, CSO, and co-founder of Chronicle, Alphabet's cyber-security division and the company behind VirusTotal.

"In fact, the first submission, for LoJack malware, included files that weren't previously in VirusTotal," Wiacek told ZDNet today via email.

That new file was rpcnetp.dll, a file that, together with the second one, rpcnetp.exe, has been used to infect victims with the Computrace/LoJack/LoJax malware.

Raiu told ZDNet that Kaspersky has been tracking this malware for years, malware that came back to life this year in new campaigns, as detected by Netscout and ESET.

LoJax is currently the first documented case of a UEFI rootkit used in the wild, and the malware has been tied to APT28, a codename used to identify a nation-state cyber-espionage group that has been associated by several Western countries to Russia's military intelligence agency GRU.

USCYBERCOM's decision to make these two particular malware samples its first two uploads didn't go unnoticed by the infosec community. Some sharp-eyed pundits immediately categorized it as a new name-and-shame effort on the part of Western governments, which have been very active this year in exposing and indicting Chinese, Russian, Iranian, and North Korean hackers.

"It remains to be seen exactly how this new initiative will unfold," John Hultquist, director of intelligence analysis at FireEye told ZDNet in an email today.

"But what is striking about this initiative is it lacks many of the contextual elements of the name and shame strategy. Whereas that strategy involves a tremendous amount of context which has to be scrutinized throughout the government, this initiative could be less encumbered by those considerations," Hultquist said.

"There will undoubtedly still be a strategy behind these disclosures, since disclosures always have consequences for intelligence operations, but their simplicity may allow for simpler, faster action, something the government has historically struggled with."

On the other hand, there are those security researchers who purposely stay away from politically-charged attributions when dealing with APT malware.

For example, in an interview with ZDNet, Alexis Dorais-Joncas, Security Intelligence Team Lead at ESET, was far more interested in how USCYBERCOM's VirusTotal uploads might influence an APT group's upcoming operations, rather than the political downfall that follows.

"As far as exposing hacking toolsets, it does not necessarily automatically render the tools totally useless, but it is likely to at least cause the attacker to adapt," Dorais-Joncas told us. "For example, ESET has been exposing [APT28]'s toolset evolution for years, and yet the group is still using a lot of the same tools, albeit with additional improvements added over time."

"I would say exposing full [tactics, techniques, and procedures] on top of actual samples would be more harmful to attackers, as they would need to change their entire attack workflow (think spreading and infection mechanisms, persistence, communication protocols, etc)," Dorais-Joncas said. "It does not look like USCYBERCOM is providing such context together with the samples they are sharing, so that might limit the upside of their initiative."

"Only time will tell if samples shared by USCYBERCOM will turn up to be interesting for researchers or not - it really depends on what they choose to share," the ESET researcher added. "I'm inclined to give them the benefit of the doubt for now."

But the infosec community also had another gripe with USCYBERCOM's new sharing practice, and that's with what the DOD considers "unclassified malware samples."

Both ESET's Dorais-Joncas and FireEye's Hultquist shared the same opinion on this topic: that even if the agency used the term "unclassified malware samples," this doesn't necessarily mean we'll get your run-of-the-mill malware such as adware and basic downloaders.

"This effort may very well expose us to new threats, which require serious analysis," Hultquist said.

"I would also not presume that unclassified malware will automatically already be known to researchers," Dorais-Joncas also added.

"In general, I would say more sample sharing can only lead to equal or better protection because any new sample security vendors can obtain helps them improve their detection databases and thus better protect their respective customers."

As for Wiacek, the Chronicle CSO would love to see other intelligence and law enforcement agencies follow in the DOD's footsteps.

"We invite other U.S. and international agencies to participate in a similar manner," Wiacek said. "We are happy to see new members in the VirusTotal community."
=================================================================
The government, if it were privy to all the anti-malware solutions in the marketplace, would see that a whitelisting product like Wave Endpoint Monitor is so much more effective than loading foreign APT malware into VirusTotal. imo.
==================================================================
https://www.wavesys.com/malware-protection

Excerpt:

Software can’t always detect malware

The big problem with malware is that antivirus software doesn’t always detect it. Anti-malware software is based on signatures of known bad software. However, there always needs to be a patient zero who discovers he is infected for the rest of the world to benefit from it. In the case of APTs (Advanced Persistent Threats), your organization may be the only target for the specific strand of malware. In that case, the signature detection process will not protect you. Modern anti-malware and other software packages that promise cyber security or protection from APTs would use various heuristics and "AI" (Artificial Intelligence) to detect malware based on a predefined set of behavioral parameters. A sophisticated attacker is able to fine-tune the behavior of the malware he is writing against various known anti-malware software solutions, so that it can evade detection for long periods of time.

==================================================================
https://www.wavesys.com/products/wave-endpoint-monitor

Detect attacks before it’s too late

Malware can do its work for weeks or months before you ever know it’s there. But with Wave Endpoint Monitor, you can spot malware before it has a chance to cause damage.

Antivirus software can’t detect rootkits and other malware; it works at the level of the OS and isn’t very good at seeing deeper into the system. For example, it can’t tell whether the boot record is lying. The Wave alternative is to work with the Trusted Platform Modules (TPMs), or security chips, embedded in your devices. By using the TPM to attest to the security of the device each time that device boots, Wave looks below the operating system and can help detect threats lurking there. Every time a device boots up, Wave Endpoint Monitor makes a comparison against previous boot values, and if anything deviates from the norm, it alerts you immediately.
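The boot-value comparison described in the excerpt above can be modelled as TPM PCR extension over a measured boot chain. The following is an added Python illustration, not Wave's code or the original post's; the component names, bytes and PCR assignments are constructed for the example, and the "unexpected driver" scenario stands in for the kind of pre-OS modification a UEFI implant such as LoJax would introduce.

```python
import hashlib

# Constructed boot-chain measurements for an example device (not real firmware hashes).
# Each entry is (pcr_index, component_name, component_bytes). Measured boot hashes
# firmware, option ROMs, the boot manager, etc. into TPM PCRs; here we hash stand-in bytes.
BASELINE_BOOT_CHAIN = [
    (0, "uefi_firmware", b"vendor-firmware-image-v1.2"),
    (2, "uefi_option_rom", b"nic-option-rom"),
    (4, "boot_manager", b"bootmgfw.efi"),
    (7, "secure_boot_policy", b"db/dbx/pk state"),
]

PCR_SIZE = 32  # SHA-256 PCR bank, all PCRs start at zero


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style PCR extend: new_pcr = SHA-256(old_pcr || SHA-256(measurement))."""
    digest = hashlib.sha256(measurement).digest()
    return hashlib.sha256(pcr + digest).digest()


def measure_boot(chain):
    """Replay a boot chain in order and return {pcr_index: final PCR value}."""
    pcrs = {}
    for index, _name, data in chain:
        pcrs[index] = extend(pcrs.get(index, b"\x00" * PCR_SIZE), data)
    return pcrs


def compare_to_baseline(baseline_pcrs, observed_pcrs):
    """Return the sorted list of PCR indices whose value differs from the recorded baseline."""
    changed = []
    for index in sorted(set(baseline_pcrs) | set(observed_pcrs)):
        if baseline_pcrs.get(index) != observed_pcrs.get(index):
            changed.append(index)
    return changed


def tampered_chain():
    """Constructed scenario: an extra UEFI driver runs before the boot manager and
    extends PCR 2 with a measurement the baseline never recorded."""
    chain = list(BASELINE_BOOT_CHAIN)
    chain.insert(2, (2, "unexpected_uefi_driver", b"unknown-dxe-driver"))
    return chain


def check_device():
    """Compare a tampered boot against the stored baseline; returns deviating PCR indices."""
    baseline = measure_boot(BASELINE_BOOT_CHAIN)
    observed = measure_boot(tampered_chain())
    return compare_to_baseline(baseline, observed)


if __name__ == "__main__":
    deviated = check_device()
    print("ALERT: PCRs deviated from baseline:", deviated if deviated else "none")
```

Because extend is order-sensitive and one-way, the monitor only needs to store the baseline PCR values, not the components themselves, and any inserted, removed or modified stage shows up as a changed PCR.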
