Archive for HYAS

Review: HYAS Protect At Home

Posted in Products with tags on May 15, 2023 by itnerd

Most people that I work with run whatever DNS (Domain Name System) service their ISP provides if they are home users, or they stand up their own DNS server if they are business users. The problem with either approach is that it won’t stop threat actors from hitting your network with malware or ransomware, to name just two threats. And CISA backs me on this: a Protective DNS service is one layer of a multi-layer approach to cyber security.

That’s where HYAS Protect comes in. It’s a Protective DNS service that protects you from any cyber threat that uses DNS to communicate, such as malware that relies on command and control (C2) traffic. Plus, you get better insight into what is communicating with whom on your network, which might tip you off that something is amiss, like a PC that has been infected.

What’s really interesting here is that HYAS has a home version that is available for free. I’m assuming the logic is that if you, as someone who knows what DNS is, use the home service, you’re more likely to recommend the enterprise-grade version to your company. Which is why I’m testing the home version today.

To start the process of setting this up, you need to go to this page and enter your information. Within five minutes, you will get this email:

Now it took another four days before I got any further communications from HYAS. And that communication was in the form of this email:

The email has a username in the form of my email address and a temporary password (both have been redacted in the screenshot above) that I was forced to change when I logged in for the first time.

I spoke to Paul Van Gool, who is the Senior VP of Engineering at HYAS, and he mentioned that the reason for the delay in getting this email is that right now any request to sign up for HYAS Protect At Home goes through a manual review process. I can confirm that: I used my personal email address as opposed to my corporate one, and a HYAS employee had a look at the LinkedIn profile associated with that email address a couple of days later. Which means that they’re trying to tell real people from threat actors, for example. But the goal is to get this fully automated so that you as the end user can be using this product in minutes rather than days.

Once I logged in and changed the password, I was then greeted with this screen:

There was a short video that I watched welcoming me to the product. Then I went about configuring it, which was a three-step operation:

First it identifies your external IP address. Then you have to enter their DNS addresses into your router. Finally you have to test it. It is kind of hard to screw this up if you know your way around a router. And the target audience of this product would know their way around a router. So this part should be trivial.

Now my ISP of the moment is Bell Canada. And they have a habit of changing my external IP address frequently. What happens at that point? According to Mr. Van Gool, you’re still protected because you’re using their DNS service. But any reporting on traffic after the external IP change won’t be reflected in the control panel until you update it with your current external IP. And doing so is a couple of clicks so it’s not a big deal to do. Mr. Van Gool also mentioned that HYAS is looking at putting this more in the user’s face so that it’s clear that this needs to be done.

Once you’re in, you’re presented with a short explainer that you can move through at your own pace:

Followed by an easy to use and reasonably clear control panel:

Now it did take me a few clicks around the control panel on the left side of the screen to figure out what everything was. But if you’ve used these sorts of tools before, it will only take you a few minutes to be up to speed. From top to bottom, the functions are:

  • Overview – That’s the screen that you’re seeing above. It shows an aggregated view of DNS traffic activity.
  • Log View – This page will display all of your organization’s DNS traffic log data. 
  • Reports – This downloads the log entries you have checked off in either JSON or CSV format.
  • Policy Engine – This allows you to turn on/off policies such as blocking adult sites for example.
  • List Management – This allows you to block individual domains based on domain name or IP address.
  • Passthrough – This is a feature that is not available in the home version of this product. But it will show any traffic that you have defined as being allowed to passthrough and not get flagged.
  • Alerts – This allows you to see any alerts that you should take action on.
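To make the control-panel functions above concrete, here is a small Protective DNS policy engine run over a handful of DNS query-log lines. This is an added example, not HYAS code: the category feed (standing in for a vendor's domain reputation data), the policy, and the log lines are all constructed and use reserved .test / .example names. It shows the precedence a practitioner would expect (passthrough list, then block list, then category policy), what an Overview, Log View, Alerts list and JSON/CSV report look like when built from the same records, and why an "alert" is narrower than a "block": blocking a gambling site is policy, blocking a phishing domain is something to go and look at.

```python
"""Toy Protective DNS policy engine run over constructed query-log lines.

Added illustration of the control-panel functions the review lists (policy
toggles, block list, passthrough list, alerts, JSON/CSV export). Not HYAS
code: the category feed, policy and log lines below are all constructed and
use reserved .test / .example names.
"""
import csv
import io
import json
from collections import Counter

# Constructed category feed standing in for a vendor's domain reputation data.
CATEGORY_FEED = {
    "cdn.cooking-recipes.example": "food",
    "ads.tracker.example": "advertising",
    "login-verify.bank-secure.test": "phishing",
    "update.router-vendor.test": "telemetry",
    "beacon.badactor.test": "malware",
    "casino.lucky.test": "gambling",
}

# Constructed query log, one query per line: "<timestamp> <client-ip> <qname> <qtype>"
QUERY_LOG = """\
2023-05-14T10:00:01Z 192.168.1.20 cdn.cooking-recipes.example A
2023-05-14T10:00:01Z 192.168.1.20 ads.tracker.example A
2023-05-14T10:00:02Z 192.168.1.20 login-verify.bank-secure.test A
2023-05-14T10:00:05Z 192.168.1.1 update.router-vendor.test A
2023-05-14T10:00:07Z 192.168.1.30 beacon.badactor.test TXT
2023-05-14T10:00:09Z 192.168.1.30 casino.lucky.test A
2023-05-14T10:00:09Z 192.168.1.30 api.chat-service.example AAAA
"""

# Categories that are threats rather than preferences; blocks here raise alerts.
THREAT_CATEGORIES = ("malware", "phishing")


class Policy:
    """Block/allow decisions from category toggles plus explicit lists."""

    def __init__(self, blocked_categories, block_list=(), passthrough=()):
        self.blocked_categories = set(blocked_categories)
        self.block_list = set(block_list)
        self.passthrough = set(passthrough)

    def evaluate(self, qname):
        """Return (action, reason). Precedence: passthrough, block list, category."""
        if qname in self.passthrough:
            return "passthrough", "allow-listed"
        if qname in self.block_list:
            return "block", "block-listed"
        category = CATEGORY_FEED.get(qname, "uncategorized")
        if category in self.blocked_categories:
            return "block", category
        return "allow", category


# Threat categories stay on; the optional "gambling" toggle is switched on here.
HOME_POLICY = Policy(
    blocked_categories=THREAT_CATEGORIES + ("gambling",),
    block_list={"ads.tracker.example"},
    passthrough={"update.router-vendor.test"},
)


def parse_log(text):
    """Split the constructed log into dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        records.append({"time": ts, "client": client, "qname": qname, "qtype": qtype})
    return records


def run_policy(policy, records):
    """Log View: every query with the action the policy took and why."""
    decided = []
    for rec in records:
        action, reason = policy.evaluate(rec["qname"])
        decided.append({**rec, "action": action, "reason": reason})
    return decided


def overview(decisions):
    """Overview: aggregated counts of allow / block / passthrough."""
    return Counter(d["action"] for d in decisions)


def alerts(decisions):
    """Alerts: blocks that indicate a threat, not just an unwanted category."""
    return [d for d in decisions if d["action"] == "block" and d["reason"] in THREAT_CATEGORIES]


def export_json(decisions):
    """Reports: selected log rows as JSON."""
    return json.dumps(decisions, indent=2)


def export_csv(decisions):
    """Reports: selected log rows as CSV."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["time", "client", "qname", "qtype", "action", "reason"])
    writer.writeheader()
    writer.writerows(decisions)
    return buf.getvalue()


if __name__ == "__main__":
    decisions = run_policy(HOME_POLICY, parse_log(QUERY_LOG))
    for d in decisions:
        print(f'{d["client"]:13} {d["action"]:11} {d["qname"]:32} ({d["reason"]})')
    print("overview:", dict(overview(decisions)))
    print("alerts:", [a["qname"] for a in alerts(decisions)])
    print(export_csv(decisions))
```

Run as a script it prints the per-query decisions, the aggregate counts, the two alert-worthy names and the CSV report. The passthrough entry is the interesting one: it is the only way a name the feed would otherwise flag gets through, which is exactly why the review's "Passthrough" view deserves a look whenever it is non-empty.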

In my testing of this product, I can say that it works as advertised. My test was to go to a website that is known for all sorts of “shady” behaviour when it comes to what it drops onto your computer and the domains that it contacts. When I went to this site, HYAS Protect At Home reacted like this:

It blocked a bunch of sites that it deemed untrusted. Which is good. I did some other testing with some “dark” web sites and got the same result. I also found, thanks to HYAS Protect At Home, that my ASUS router had a tendency to phone home to places that Protect At Home flagged as suspicious. A lot. And it was more likely to do this when I had the configuration web page open. When it is closed, the “phone home” traffic is still there, but in lower amounts. But the fun doesn’t end there. My gaming PC is also phoning home to ASUS servers. From what I can tell, the software that is supplied for the ASUS Republic Of Gamers motherboards dials home as well, on a cold start or a reboot as well as periodically while it is online. At some future time I’ll have to go down the rabbit hole as to why my ASUS stuff is so “chatty” when nothing else on my network appears to be. But it illustrates another benefit of HYAS Protect At Home: it gives you real insight into what places on the Internet the devices on your network are talking to. That way, if you see something that seems odd, you can investigate and take action.

Another thing that caught my attention is that my wife has a tendency to go to sites having to do with cooking. There’s nothing wrong with that. But it looks like the sites in question have a lot of stuff that HYAS Protect At Home did not like because it blocked a lot of things coming off those sites:

When I investigated, the source was ads placed on the site. Why that matters is that things like pop-up scams and malware can often come from ads placed on websites. This is known as a “drive-by attack”. Thus it’s good that these sorts of threats are being proactively blocked long before they can hit your device.

The final area that I tested was DNS resolution speed, as in how long it takes from the time you hit enter in the address bar of your web browser before the web page that you want to go to starts to appear. According to Mr. Van Gool, it can be up to 250 milliseconds. And my “seat of the pants” observations seem to be consistent with that, as nothing I did was slower than normal. In fact some things that I normally do felt a touch faster.

I have to admit that I am pretty impressed by HYAS Protect At Home. It provides an added level of security, which I was able to verify. On top of that, it has some of the best reporting and visibility tools that I have ever seen. And that’s validated by the fact that I found out stuff about my own network that I need to look into further. And the kicker is that this is the home product. If the home product is this good, imagine how good the enterprise product must be. As far as I am concerned, this is an easy two thumbs up from me. And my advice is if you are responsible for security in your enterprise, feel free to try this out on your home network and see for yourself how good this product is.

HYAS Protective DNS Substantially Outperforms All Other Services Tested Via An Independent Test

Posted in Commentary with tags on May 9, 2023 by itnerd

HYAS Infosec, leaders in utilizing advanced adversary infrastructure intelligence, detection, and prevention to preemptively neutralize cyberattacks, today announced that globally recognized independent research institute AV-TEST GmbH has independently tested and confirmed that HYAS Protect provides the highest level of cyber security protection achieved to date by a Protective DNS solution.

Specifically, AV-TEST found that HYAS Protect blocked over 87 percent of portable executable (PE) malware, over 84 percent of non-PE threats (e.g. links pointing to other forms of malicious files), and over 80 percent of phishing URLs, all with incredibly low false positive rates averaging 2 percent. Compared to other Protective DNS solutions tested by AV-TEST, HYAS Protect achieved the highest efficacy ratings of all Protective DNS providers tested to date, and the results indicate it affords substantially greater protection.

AV-TEST has long been viewed as the industry’s go-to leader in rigorous third-party testing and evaluation. The complete report is available online at AV-TEST.

CISA endorses Protective DNS, which it recommends in its Shields Up initiative. Protective DNS is also a recommended element of modern secure access service edge (SASE) architectures, and is increasingly factored into cyber security insurance policy decisions.

Regardless of how a bad actor breaks into an organization, the first step in progressing the attack is communication with adversary infrastructure, commonly referred to as command-and-control (C2) for instructions. Protective DNS solutions see this communication, identify it as malicious, and stop the attack by preventing the communication and rendering the attack inert, regardless of whether it originated as a supply-chain, phishing, insider-risk, or something else. Even advanced malware-less attacks still need to beacon out for instructions. At this year’s RSA Conference, CrowdStrike CEO George Kurtz and President Michael Sentonas reported that they have been dealing with an average of one malwareless cyber issue a week during the last couple quarters, reaffirming data reported earlier this year that 71 percent of cyberattacks were carried out without malware, and that malware-less attacks nonetheless need to beacon out for instructions.

Regardless of how a bad actor breaks in or the attack type used, their anomalous communication can be seen by Protective DNS solutions and the attack can then be shut down. The higher the efficacy of a Protective DNS solution, the sooner the infection/identification cycle ends with remediation. CISA’s recommendation reflects the importance of Protective DNS to business resiliency.
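The claim in the last two paragraphs, and the “phone home” observation in the Protect At Home review above, rest on the same property: a callback to adversary infrastructure (or vendor telemetry) runs on a timer, so the queries for that name arrive at nearly regular intervals, while a person browsing produces bursts and gaps. The following is an added example, not HYAS code, of how a defender can pull that signal out of a DNS query log: it groups queries by (client, name), computes the inter-query intervals, and flags series whose coefficient of variation is close to zero. The log is constructed (epoch seconds, client IP, queried name) with reserved .test / .example names; the 5-query minimum and 0.10 threshold are assumptions to tune against real traffic.

```python
"""Finding periodic "phone home" traffic in a DNS query log.

Added illustration (not HYAS code) of the visibility point made in the
review and in the press release above: callbacks to adversary
infrastructure, and vendor telemetry, tend to repeat on a fixed timer, so a
(client, name) pair whose query intervals barely vary stands out. The log
below is constructed: (epoch seconds, client IP, queried name).
"""
from collections import defaultdict
from statistics import mean, pstdev

BEACON_LOG = (
    # Router telemetry roughly every 5 minutes, a little jitter (constructed).
    [(t, "192.168.1.1", "telemetry.router-vendor.test") for t in (0, 301, 599, 901, 1200, 1499)]
    # A host asking for the same name every 60 s on the dot (constructed).
    + [(60 * i, "192.168.1.30", "cmd.update-check.test") for i in range(10)]
    # Ordinary browsing: bursts, then nothing (constructed).
    + [(t, "192.168.1.20", "news.site.example") for t in (5, 12, 13, 400, 405, 900)]
    # Too few queries to judge either way (constructed).
    + [(20, "192.168.1.20", "mail.site.example"), (640, "192.168.1.20", "mail.site.example")]
)


def destinations_per_client(records):
    """Which names each client talks to: the basic 'who talks to whom' view."""
    seen = defaultdict(set)
    for _, client, qname in records:
        seen[client].add(qname)
    return {client: sorted(names) for client, names in seen.items()}


def find_beacons(records, min_queries=5, max_cv=0.10):
    """Flag (client, qname) series whose inter-query interval is nearly constant.

    cv is the coefficient of variation (stdev / mean) of the intervals; a
    human browsing produces a large cv, a timer produces one near zero.
    """
    series = defaultdict(list)
    for ts, client, qname in records:
        series[(client, qname)].append(ts)
    flagged = []
    for (client, qname), times in series.items():
        if len(times) < min_queries:
            continue  # not enough evidence to call it periodic
        times.sort()
        intervals = [later - earlier for earlier, later in zip(times, times[1:])]
        period = mean(intervals)
        if period <= 0:
            continue  # all queries at the same instant: a burst, not a timer
        cv = pstdev(intervals) / period
        if cv <= max_cv:
            flagged.append({"client": client, "qname": qname, "queries": len(times),
                            "period_s": round(period, 1), "cv": round(cv, 4)})
    # Most regular first: the closer cv is to zero, the more machine-like.
    return sorted(flagged, key=lambda hit: hit["cv"])


if __name__ == "__main__":
    for client, names in destinations_per_client(BEACON_LOG).items():
        print(client, "->", ", ".join(names))
    for hit in find_beacons(BEACON_LOG):
        print(f'beacon-like: {hit["client"]} -> {hit["qname"]} '
              f'every ~{hit["period_s"]}s over {hit["queries"]} queries (cv={hit["cv"]})')
```

Both the router telemetry and the 60-second series are flagged, and the browsing series is not. That is the point the review makes about the ASUS devices: periodicity alone does not say whether a destination is malicious, it says which destinations are worth a reputation lookup or a block-list entry, and a Protective DNS log is what makes the pattern visible in the first place.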

HYAS Protect accurately detects and thwarts attacks, with extremely low false positives, through an advanced and patented process.

  1. Data Collection and Context: HYAS collects data continuously and without human involvement from authoritative sources around the world. It combines a set of exclusive, private, commercial and open source data into a graph database with a set of proprietary algorithms to build connections between the nodes in the graph.
  2. Observation Derived Foresight: Through these connections within the graph database, HYAS drives correlations between what has happened, what is happening now, and what will happen to maintain a real-time view of adversary infrastructure on the Internet. In this way, HYAS can actually observe infrastructure as it is built up and know what is and isn’t adversary infrastructure often weeks or months before it is weaponized.
  3. Advanced, Automated Analysis: Through HYAS’ combination of unique data organized into a graph database, and a deep understanding of how the internet functions, HYAS achieves previously unrealized Protective DNS service efficacy results with incredibly low false positive rates.
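The three steps above describe, in general terms, pivoting on shared infrastructure: collect records about which domains sit on which addresses and nameservers, connect them in a graph, and treat a domain that shares its infrastructure mainly with known-bad domains as suspect before it has been used in an attack. The following is an added example of that general idea only; it is not HYAS’s patented process and assumes nothing about their data or algorithms. The records, domains and addresses are constructed (reserved .test / .example names and documentation IP ranges), and the scoring rule, which discounts a busy shared host because its tenants say little about each other, is an assumption chosen for illustration.

```python
"""Scoring a domain by the infrastructure it shares with known-bad domains.

Added illustration of the general idea behind the three steps above
(collect infrastructure records, connect them in a graph, infer risk from
the connections). It is not HYAS's patented process and assumes nothing
about their data; the records, domains and addresses below are constructed
and use reserved .test / .example names and documentation IP ranges.
"""
from collections import defaultdict

# Constructed observations: (domain, relation, infrastructure node).
RECORDS = [
    ("bad1.test", "resolves_to", "203.0.113.10"),
    ("bad1.test", "nameserver", "ns1.bullet-proof.test"),
    ("bad2.test", "resolves_to", "203.0.113.11"),
    ("bad2.test", "nameserver", "ns1.bullet-proof.test"),
    # Newly registered, not yet seen in any attack, but on the same IP and NS.
    ("new-lookalike.test", "resolves_to", "203.0.113.10"),
    ("new-lookalike.test", "nameserver", "ns1.bullet-proof.test"),
    # Ordinary shared hosting: many tenants, mainstream nameserver.
    ("shop.example", "resolves_to", "198.51.100.5"),
    ("shop.example", "nameserver", "ns1.big-dns.example"),
    ("blog.example", "resolves_to", "198.51.100.5"),
    ("blog.example", "nameserver", "ns1.big-dns.example"),
    # Shared host, but uses the suspicious nameserver.
    ("mixed.test", "resolves_to", "198.51.100.5"),
    ("mixed.test", "nameserver", "ns1.bullet-proof.test"),
]

# Constructed seed set of domains already confirmed as adversary infrastructure.
KNOWN_BAD = {"bad1.test", "bad2.test"}


def build_graph(records):
    """Undirected bipartite graph: domains on one side, infrastructure nodes on the other."""
    domain_to_infra = defaultdict(set)
    infra_to_domains = defaultdict(set)
    for domain, _relation, node in records:
        domain_to_infra[domain].add(node)
        infra_to_domains[node].add(domain)
    return domain_to_infra, infra_to_domains


def score_domain(graph, domain, known_bad):
    """Average, over the domain's infrastructure nodes, of the share of each
    node's *other* tenants that are known bad.

    A node shared only with bad domains contributes 1.0; a busy shared host
    with no bad tenants contributes 0; a node used by nobody else is no
    evidence either way and contributes 0.
    """
    domain_to_infra, infra_to_domains = graph
    contributions = []
    for node in domain_to_infra.get(domain, ()):
        others = infra_to_domains[node] - {domain}
        contributions.append(len(others & known_bad) / len(others) if others else 0.0)
    return sum(contributions) / len(contributions) if contributions else 0.0


def rank_candidates(graph, known_bad):
    """Score every domain that is not already known bad, riskiest first."""
    domain_to_infra, _ = graph
    ranked = [(d, score_domain(graph, d, known_bad)) for d in domain_to_infra if d not in known_bad]
    return sorted(ranked, key=lambda pair: (-pair[1], pair[0]))


if __name__ == "__main__":
    for domain, score in rank_candidates(build_graph(RECORDS), KNOWN_BAD):
        print(f"{domain:20} risk={score:.2f}")
```

The never-before-seen lookalike scores highest because both its address and its nameserver are otherwise used only by known-bad domains, while the two tenants of the ordinary shared host score zero. A real system would add many more relation types, weight them, and decay old observations; the structure of the inference is what the example is meant to show.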

HYAS Protect is available for commercial use, is easy to deploy and manage, and is pre-integrated with other common components of the cyber security stack including EDR/XDR, SIEM/SOAR, and firewalls. In addition, HYAS Protect is also made available to cybersecurity’s first responders and IT personnel for their home personal use via the completely free HYAS Protect At Home solution which I am testing right now and I will have a review up shortly.

HYAS, RSM Partner To Preemptively Protect Clients Via Protective DNS

Posted in Commentary with tags on May 4, 2023 by itnerd

HYAS Infosec, leaders in utilizing advanced adversary infrastructure intelligence and detection to preemptively neutralize cyberattacks, today announced its partnership with RSM, a leader in the professional services industry, to deliver HYAS Protect, which leverages authoritative knowledge of attacker infrastructure to proactively protect enterprises from cyberattacks. 

The partnership enables RSM to offer a solution to its RSM Defense clients that preemptively identifies communication with malicious or compromised domains and thwarts cyberattacks — neutralizing adversary infrastructure before it can get started attacking. Access to malicious domains is blocked at the network level, preventing both unintended connections and actions by adversaries, adding to RSM’s best-in-class cyber threat intelligence and managed detection and response (MXDR) services.

Phishing, malware, supply-chain attacks, and other nefarious actions all require communication with malicious domains. HYAS protective DNS provides RSM customers with unprecedented visibility and attribution of the origins of attacks and the infrastructure being used.

HYAS Protect provides the best possible protection at the DNS layer against the malicious infrastructure used by malware, ransomware, phishing, and supply-chain attacks. Actions that can be taken include outright blocking and/or alerting so that further investigation can be taken. HYAS provides protective DNS for devices inside and outside customer networks. Its high-fidelity threat signal reduces alert fatigue and improves network intelligence. HYAS also blocks low-and-slow attacks, supply chain attacks, and other intrusions that can lurk in the network. 

HYAS Infosec Announces Onpoint Partner Program

Posted in Commentary with tags on May 2, 2023 by itnerd

HYAS Infosec, leaders in advanced adversary infrastructure intelligence and detection to preemptively neutralize cyberattacks, today announced the HYAS Onpoint Partner Program, which goes beyond typical reseller agreements to work with partners on a platform designed to help customers prevent attackers from damaging their network security infrastructure.

HYAS Onpoint Partner Program will highlight HYAS’s Protective DNS Platform and how partners can incorporate this into their suite of security offerings and open new doors for additional product sales.

The HYAS Onpoint Partner Program features:

  • Differentiation: By offering Protective DNS as part of a security solution suite, partners can differentiate their offering from the competition, providing added value to customers.
  • Increased revenue: By incorporating Protective DNS into their security product offering, partners can increase their revenue by selling additional security services to end-user customers, improving overall customer satisfaction.
  • Enhanced technical expertise: Protective DNS makes it easy to demonstrate technical expertise in security solutions and helps position partners as a trusted advisor to customers while providing a competitive advantage.
  • Competitive advantage: By offering Protective DNS, partners can gain a competitive advantage in the market and attract new customers looking for comprehensive security solutions.
  • Transformative approach: HYAS’s Protective DNS solution uniquely focuses on mapping attacker infrastructure to enable a next-generation approach to proactively identify, counter, and mitigate attacks.
  • More effective: HYAS’s solution is 3-5x more effective at quickly identifying threats than competing solutions.
  • Multi-tenant architecture: Enables deployment of multiple clients with logical segregation and centralized management.
  • Layered approach: HYAS’s solution integrates with services like Microsoft Defender for Endpoint, making conversations simple, and offering easy upsell opportunities to existing customers.
  • Deep discounts: HYAS offers aggressive discounts off retail pricing, allowing partners to increase profit margins. Partners are also provided product trials to demonstrate functionality and value pre-customer sale.
  • Robust training and support: Provided for all aspects of sales, onboarding, and ongoing product support, with portal-driven engagement.
  • Product white labeling: Provides MSP customers with co-branded HYAS Protect dashboards or fully customized partner dashboards so software is tracked only to the partner.

HYAS Protect can be deployed in minutes to improve organizations’ existing security investments by integrating always-on DNS intelligence into security information and event management systems, firewalls, endpoint solutions, and more. HYAS Protect combines authoritative knowledge of attacker infrastructure and unrivaled domain-based intelligence to proactively enforce security and block the command and control (C2) communication used by malware, ransomware, phishing, supply-chain, and other forms of cyber attacks, thereby rendering the attack inert before it can do significant damage.

For more information visit HYAS.com.

HYAS Introduces HYAS Protect At Home Protective DNS Service

Posted in Commentary with tags on April 20, 2023 by itnerd

In an interesting move, HYAS Infosec today moved to “protect the protectors” by offering them free access to HYAS’s industry-leading protective DNS, which detects and blocks communication to adversarial domains — regardless of whether adversaries have already used the domains operationally. New HYAS Protect At Home provides cybersecurity’s first responders with both an early warning and an additional line of defense to help harden their home networks against cyberattacks.

Exploits are continuously evolving to avoid detection by most cybersecurity solutions designed for the home – where gamers, shoppers, online community members, and other family members are often just one bad click away from unintentionally opening the door to an attacker. HYAS Protect At Home changes that equation and offers cybersecurity pros a new level of protection to proactively mitigate threats in real time.

Protective DNS is endorsed by CISA and considered a best practice in network security, and HYAS Protect protective DNS is increasingly used by security-aware organizations around the world. It combines authoritative knowledge of attacker infrastructure and unrivaled domain-based intelligence to proactively enforce security and block the command and control (C2) communication used by malware, ransomware, phishing, and other forms of cyberattacks. HYAS Protect At Home is a free edition featuring:  

  • No configuration required – protection is available out-of-the-box, driven by HYAS’ unique enterprise-grade domain reputation data
  • Easy blocking of broadly defined domain categories like gambling, adult websites, etc.
  • Configurable allow/block lists, policies, and rules
  • Dashboard to visualize blocked sites, threats, and other data

I’ll be trying this and I will be doing a review of it when I get a chance. So stay tuned for that.

Stopping Abuse In The Digital Age: The Anti-Human Trafficking Intelligence Initiative

Posted in Commentary with tags on March 11, 2023 by itnerd

Human trafficking is one of the most horrendous yet tragically overlooked crimes of our times. And the practice is unfortunately thriving in the digital age. For example, the BBC recently called out “pig butchering” call centers in South East Asia that lure young people with promises of great jobs and perks “overseas”, only to trap them in an existence they are not allowed to leave, working in criminal fraud call centers.

Charitable organizations such as the Anti-Human Trafficking Intelligence Initiative (ATII) are fighting to put an end to this modern “digital” slavery by donating time and resources to help investigate cases and working with police to shut down this shadow industry. While researching enhanced intelligence solutions to improve upon their mission, they approached HYAS, a world-leading authority on cyber adversary infrastructure, to better leverage their limited resources.

In a blog post, HYAS details how they are working with ATII, donating time and resources and joining in the battle to stop human trafficking. Larry Cameron, CISO for ATII said that HYAS Insight, “Saved us weeks of investigation time.” And when it comes to an industry as nefarious as human trafficking, each minute can mean the difference between life and death.

I encourage you to read the blog post and consider what you can do to fight this crime which is unacceptable by any standard.

HYAS issues POC of BlackMamba AI-based polymorphic malware

Posted in Commentary with tags on March 7, 2023 by itnerd

To illustrate what AI-based malware is capable of, the team at HYAS Labs has just released a proof of concept (PoC) that exploits a large language model to synthesize polymorphic keylogger functionality on the fly, dynamically modifying benign code at runtime — all without any command-and-control infrastructure to deliver or verify the malicious keylogger functionality. The PoC and results are published in the HYAS blog post BlackMamba: Using AI to Generate Polymorphic Malware and the whitepaper “HYAS Labs Threat Intelligence: BlackMamba AI-Synthesized, Polymorphic Keylogger with On-the-Fly Program Modification.”

To create the PoC, HYAS researchers united two seemingly disparate concepts:

a) eliminating the command and control (C2) channel by using malware that could be equipped with intelligent automation and could push-back any attacker-bound data through some benign communication channel, and

b) leveraging AI code generative techniques that could synthesize new malware variants, changing the code such that it can evade detection algorithms.

BlackMamba utilizes a benign executable that reaches out to a high-reputation API (OpenAI) at runtime so it can return the synthesized malicious code needed to steal an infected user’s keystrokes. It then executes the dynamically generated code within the context of the benign program using Python’s exec() function, with the malicious polymorphic portion remaining entirely in memory. Every time BlackMamba executes, it re-synthesizes its keylogging capability, making the malicious component of this malware truly polymorphic. BlackMamba was tested many times against an industry-leading EDR, which will remain nameless, resulting in zero alerts or detections.

Once a device is infected, BlackMamba uses MS Teams to get the data out. Using its built-in keylogging ability, BlackMamba can collect sensitive information, such as usernames, passwords, credit card numbers, and other personal or confidential data that a user types into their device. Once this data is captured, the malware uses an MS Teams webhook to send the collected data to the malicious Teams channel, where it can be analyzed, sold on the dark web, or used for other nefarious purposes.

Delivery uses auto-py-to-exe, an open-source Python package that lets developers convert Python scripts into standalone executable files that can be run on Windows, macOS, and Linux operating systems. As the HYAS blog notes: “The threats posed by this new breed of malware are very real. By eliminating C2 communication and generating new, unique code at runtime, malware like BlackMamba is virtually undetectable by today’s predictive security solutions.”

The HYAS BlackMamba Blog and the full whitepaper are linked here.

UPDATE: I have two comments on this. The first is from Matt Mullins, Senior Security Researcher at Cybrary:

   “The BlackMamba sample is very interesting due to its integration of ChatGPT to “prompt hack” as part of its initial payload. The malware sends a prompt to ChatGPT, then using that returned information as part of the Python code (the exec function) creates the code, which is then injected and subsequently communicates back via Teams webhook. This is a very simple yet very advanced piece of malware because it flies under most detection radars by simply using the same applications that users would (either out of curiosity or by job necessity).

   “The article says that it doesn’t have a C2, but technically it is using Teams for the communication so what (in my opinion) would be a better term is the use of high reputation servers for the “C2” comms (Teams and the Microsoft infrastructure). This strategy isn’t entirely new as it has been used before with things like CDNs to bypass filters. Teams has been adopted by a large number of organizations, and also has a couple of issues beyond this that should warrant a serious conversation about its viability as a secure communications channel.

   “The BlackMamba malware is thoughtfully crafted, simple, and elegant. Thus it passes the sniff test of “KISS” or keep-it-simple-stupid when it comes to engineering. The creative use of ChatGPT with the injection code, along with the use of Teams, creates a really great 1-2 punch for bypassing most EDR and detections (human and machine based) as it allows the malware to “swim with the people.” This is a gold-standard for good OpSec, typically.”

Morten Gammelgaard, EMEA, co-founder of BullWall follows up with this: 

   “Truly unnerving. AI controlled Polymorphic malware without the need of command & control. This is a slam dunk – preventative measures will never be able to keep up and therefore will continue to be less and less effective. 

   “This particular approach is one example of how the malware never looks the same (the AI regenerates it on each attack) so defenders cannot establish a model to defend against as they now do with known attack methods. The “keystroke” example here takes a common approach to how credentials are stolen and then used for access and shows how that approach can be made much more effective, i.e., bypass defenses. Not to mention that this approach did not even require a dedicated C2 server that could be tracked.

   “Also, Polymorphic viruses historically rely on mutation engines to alter their decryption routines. If publicly available AI engines enable script kiddies to create these viruses, that’s a real problem.

   “When stealing system specific credentials becomes easy, then access and lateral movement is easy and Bam! they have your data. At that point how they harm you is almost moot. Data theft and ransomware are popular abuses when that happens. So yeah, easier access is a very big deal.”