Seculert

Private company
Industry: IT Security
Founded: 2010
Headquarters: Petah Tikva, Israel
Key people: Dudi Matot, Co-founder and CEO; Aviv Raff, Co-founder and CTO; Alex Milstein, Co-founder and COO
Website: http://www.seculert.com

Seculert is a cloud-based cyber security technology company based in Israel. The company's technology is designed to detect breaches and advanced persistent threats (APTs) attacking networks. Seculert's business is based on malware research and the ability to uncover malware that has gone undetected by traditional measures.[1]

In 2012, the company was named one of the hottest new security start-ups by The New York Times,[2] and a finalist in the SC Magazine awards for Rookie Security Company of the Year.[3]

History

Seculert was founded in 2010 by former RSA FraudAction Research Lab Manager Aviv Raff, former SanDisk Product Marketing Manager Dudi Matot and former Finjan VP of Operations Alex Milstein. In 2011, the company launched its first offering, Seculert Echo.[4] Seculert Sense, a traffic log analysis service, was released in October 2012. At the RSA Conference in February 2013, Seculert unveiled the beta version of Seculert Swamp, a malware analysis sandbox.

In August 2013, the company announced an updated version of its product.[5]

Seculert is privately funded and headquartered in Petah Tikva, Israel. In July 2012, the company announced $5.35M in venture funding from YL Ventures and Norwest Venture Partners.[6] In July 2013, Seculert announced that they raised an additional $10 million in Series B funding from Sequoia Capital.[7]

Awards

Gartner "Cool Vendor" - selected by Gartner Inc. as a "Cool Vendor" in the May 2, 2014 report "Security Infrastructure Protection, 2014"[8]

Innovation in Enterprise Security - Bronze Award, 10th Annual 2014 Info Security's Global Excellence Awards[9]

SINET 16 Innovator Finalist, SINET Workshops and Showcase[10]

2013 Rookie Security Company, Awards Finalist - SC Magazine[11]

2013 Red Herring, Europe Finalists[12]

Advanced Threat Protection Product

Several detection and protection technologies are combined in a cloud-based solution that works to proactively identify new threats as they emerge.

Automated Traffic Log Analysis is a cloud-based analysis engine that leverages HTTP/S gateway traffic logs collected over time, analyzing petabytes of data to identify malware activity. It automatically identifies unknown malware by detecting malicious patterns and anomalies. Seculert Traffic Log Analysis pinpoints evidence of targeted attacks.[13][14]
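
The pattern the paragraph alludes to, an infected host phoning home on a fixed timer, can be surfaced from gateway logs with a small statistical check. The Python script below is an added example and is not Seculert's code or part of the original article; its log format, client addresses, host names and timestamps are constructed, and the jitter threshold is an illustrative assumption rather than a tuned value.

```python
"""Flag periodic ("beaconing") HTTP connections in gateway proxy logs.

Added example, not Seculert code. Malware that contacts its server on a
fixed timer produces a run of requests to one host whose inter-arrival
times are nearly constant, which stands out against ordinary browsing.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO timestamp> <client ip> <destination host> <status>"
SAMPLE_LOG = """\
2013-10-01T09:00:00 10.0.0.5 news.example.org 200
2013-10-01T09:00:04 10.0.0.5 cdn.example.org 200
2013-10-01T09:00:10 10.0.0.7 update.example-c2.net 200
2013-10-01T09:05:10 10.0.0.7 update.example-c2.net 200
2013-10-01T09:10:11 10.0.0.7 update.example-c2.net 200
2013-10-01T09:15:10 10.0.0.7 update.example-c2.net 200
2013-10-01T09:20:09 10.0.0.7 update.example-c2.net 200
2013-10-01T09:01:30 10.0.0.5 news.example.org 200
2013-10-01T09:17:02 10.0.0.5 mail.example.org 200
2013-10-01T09:44:15 10.0.0.5 news.example.org 200
"""


def parse_log(text):
    """Return (timestamp, client, host) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        records.append((ts, parts[1], parts[2]))
    return records


def find_beacons(records, min_hits=4, max_jitter=0.1):
    """Return {(client, host): interval_seconds} for client/host pairs whose
    requests recur at a near-constant interval.

    max_jitter is the allowed coefficient of variation (stdev / mean) of the
    gaps between consecutive requests: a timer gives a value near zero,
    human browsing gives a large one. Both defaults are illustrative.
    """
    by_pair = defaultdict(list)
    for ts, client, host in records:
        by_pair[(client, host)].append(ts)

    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[pair] = round(avg)
    return beacons


if __name__ == "__main__":
    for (client, host), interval in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{client} -> {host}: every ~{interval}s")
```

In practice this runs over days or weeks of logs rather than a few lines, software-update and telemetry hosts that also beacon on a schedule are allow-listed first, and a hit is a lead for an analyst, not a verdict.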

Proactive Botnet Interception tracks communication between live botnets and their command and control servers, also known as C&Cs or C2s. It searches botnet traffic for mentions of a company's IP addresses and domains. This product can also detect malware on devices belonging to a company's internal and external employees, partners, and customers. Seculert Botnet Interception analyzes botnet traffic to identify infected users and endpoints, inside and outside the corporate network, and is device agnostic.[15]

Elastic Sandbox is an elastic, cloud-based automated malware analysis environment. The Seculert Elastic Sandbox includes automatic analysis and classification of suspicious files over time. It analyzes potentially malicious files on different platforms and can simulate different geographic regions. The Seculert Elastic Sandbox generates malware behavioral profiles by processing over 40,000 malware samples a day and by leveraging data from its crowdsourced threat repository.[16]

The Protection API integrates Seculert's solution with existing on-premises products and devices, giving customers the ability to augment their current perimeter security defenses.

Ramnit

In January 2012, Seculert discovered that Ramnit[17] had started targeting Facebook accounts with considerable success, stealing over 45,000 Facebook login credentials worldwide, mostly from people in the UK and France.[18][19][20]

Kelihos.B

In March 2012, Seculert reported that the Kelihos botnet,[21] which was distributed as a Facebook worm, was still active and spreading, even after the shutdown attempt by CrowdStrike and Kaspersky Labs.[22][23][24]

Ma(h)di malware

In July 2012, Seculert, in conjunction with Kaspersky Labs, uncovered an ongoing cyber espionage campaign targeting Iran and other Middle Eastern countries, dubbed Mahdi.[25] This was the first such operation using communications tools written in Persian. The targets included critical infrastructure companies, engineering students, financial services firms and government embassies located in five Middle Eastern countries, with the majority of the infections in Iran.[26][27][28]

Shamoon malware

In August 2012, Seculert, Kaspersky Lab and Symantec revealed the discovery of Shamoon,[29] a sophisticated malware that attacked Qatar's natural gas firm RasGas and the Saudi Arabian Oil Company (Aramco). U.S. Defense Secretary Leon Panetta later called Shamoon the most destructive attack the business sector had seen to date.[30][31][32]

Dexter malware

In December 2012, Seculert uncovered Dexter,[33] a new malware that steals payment card data from point-of-sale terminals used by stores, hotels, and other businesses. Most of the victim businesses were English-speaking, with 42 percent based in North America, and 19 percent in the U.K. Dexter infected systems running a variety of different versions of Windows, including XP, Home Server, Server 2003, and Windows 7.[34][35][36][37]


Red October Java Exploit

In January 2013, Kaspersky Labs (KL) revealed a cyber espionage operation dubbed Red October. The next day, Seculert identified a special folder used by the attackers for an additional attack vector.[38] In this vector, the attackers sent an email with an embedded link to a specially crafted PHP web page. This webpage exploited a vulnerability in Java, and in the background downloaded and executed the malware automatically.[39][40]


PinkStats

In June 2013, researchers from Seculert shared details on the malware behind a string of attacks used by several Chinese-speaking groups over the preceding four years to target organizations and nation-states worldwide. The most recent set of attacks targeted dozens of organizations in South Korea.

Called "PinkStats", the malware is a downloader: one of its primary functions is to act as a gateway for additional malicious payloads. Depending on the type of attack, PinkStats communicates with the command and control server once installed and receives whatever additional malware is required.[41]

Sazoora.B

In October 2013, the experts at Seculert's Research Lab identified a new version of the malware known as Sazoora. The first variant, Sazoora.A, was first detected in August 2012. The new version, Sazoora.B, has evolved to be harder for traditional security solutions to detect, through minor packing and technical changes aimed at avoiding on-premises sandboxes. Instead of launching immediately like Sazoora.A, Sazoora.B waits for 15 minutes before becoming active. This dormant phase allows it to go undetected.[42]


DGA.Changer

Following extensive coverage of the October 24 php.net compromise, in which an exploit kit was deployed that served five different malware types, Seculert's Research Lab took a closer look at the malware used.

The investigation yielded new information about one of the types of malware used, DGA.Changer.[43] DGA.Changer uses an infinite domain generation algorithm (DGA) but can also receive a command from its command and control server to change the DGA seed. This allows the malware to evade sandboxing.[44][45][46][47]
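
A DGA whose seed can be changed from the C2 server defeats blocklists of pre-computed domains, so a defender has to work from the shape of the names and the client's behaviour instead. The Python script below is an added example, not Seculert's code or part of the original article: it scores DNS query names for signs of algorithmic generation (long, consonant-heavy labels with near-maximal character entropy) and flags clients that produce a burst of NXDOMAIN answers for such names before one of them finally resolves. The DNS records are constructed and the thresholds are illustrative assumptions.

```python
"""Flag DGA-looking DNS queries and the clients that issue them.

Added example, not Seculert code. Generated labels tend to be long,
mostly consonants and close to uniform in character distribution; a bot
walking through candidate domains leaves a trail of NXDOMAIN answers, and
the one generated name that does resolve is the live rendezvous point.
"""
import math
from collections import Counter

# Constructed DNS log entries: (client ip, queried name, response code)
SAMPLE_DNS = [
    ("10.0.0.5", "www.example.org", "NOERROR"),
    ("10.0.0.5", "mail.example.org", "NOERROR"),
    ("10.0.0.9", "xk3qz8vbtn2mwp.com", "NXDOMAIN"),
    ("10.0.0.9", "q7hdg2lzprvx9s.com", "NXDOMAIN"),
    ("10.0.0.9", "zt4bnmk8wqfjxc.com", "NXDOMAIN"),
    ("10.0.0.9", "bv9lcx3wrqmtpn.com", "NOERROR"),
    ("10.0.0.9", "www.example.org", "NOERROR"),
]

VOWELS = set("aeiou")


def registrable_label(name):
    """Return the label left of the top-level domain. Assumes a one-label
    TLD; a real deployment would consult a public suffix list."""
    labels = name.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def normalised_entropy(s):
    """Shannon entropy of s divided by the maximum for a string of its length."""
    if len(s) < 2:
        return 0.0
    n = len(s)
    h = -sum(c / n * math.log2(c / n) for c in Counter(s).values())
    return h / math.log2(n)


def looks_generated(name, min_len=10, min_consonant_ratio=0.7, min_entropy=0.9):
    """Heuristic: long label, mostly consonants, near-uniform characters.
    Thresholds are illustrative, not tuned on real data."""
    label = registrable_label(name)
    letters = [c for c in label if c.isalpha()]
    if len(label) < min_len or not letters:
        return False
    consonant_ratio = sum(1 for c in letters if c not in VOWELS) / len(letters)
    return (consonant_ratio >= min_consonant_ratio
            and normalised_entropy(label) >= min_entropy)


def nxdomain_bursts(records, min_nx=3):
    """Clients with at least min_nx NXDOMAIN answers for generated-looking names."""
    counts = Counter(client for client, name, rcode in records
                     if rcode == "NXDOMAIN" and looks_generated(name))
    return {client: n for client, n in counts.items() if n >= min_nx}


def resolved_generated(records):
    """Generated-looking names that did resolve: the likely live C2 domains,
    and the place to pivot into proxy logs for the same client."""
    return [(client, name) for client, name, rcode in records
            if rcode == "NOERROR" and looks_generated(name)]


if __name__ == "__main__":
    for client, n in nxdomain_bursts(SAMPLE_DNS).items():
        print(f"{client}: {n} NXDOMAIN answers for DGA-looking names")
    for client, name in resolved_generated(SAMPLE_DNS):
        print(f"{client} resolved DGA-looking name {name}")
```

The point of pairing the two checks is that neither depends on knowing the seed: a seed change from the C2 server alters which names are generated, but not the fact that they look generated or that most of them fail to resolve.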


Xtreme RAT

On January 15, the Seculert Research Lab identified a new targeted attack that used Xtreme RAT. The attack used spear phishing emails to target Israeli organizations and deploy the malware. To date, 15 machines have been compromised, including ones belonging to the Civil Administration of Judea and Samaria.[48][49][50][51][52][53][54]


Geodo

The data-stealing worm Cridex (also known as Feodo and Bugat) first appeared in threat bulletins in 2012, after demonstrating the ability to spread by copying itself to mapped and removable drives, open back doors, and download potentially malicious files onto compromised computers.

Seculert's Research Lab kept Cridex under observation and led the discovery of a new version, dubbed Geodo, that added a self-spreading infection method, effectively turning each bot within the botnet into a vehicle for infecting new targets. Through additional analysis, Seculert's researchers found that Geodo had delivered approximately 50,000 stolen account credentials to its command and control (C&C) server.


Tinba Trojan

In the summer of 2014, the original source code and full documentation for the banking trojan Tinba (also known as Tinybanker) were leaked to the public via an underground forum, raising fears that it would inspire bad actors to create new, more insidious versions.

Shortly afterwards, Seculert's Research Lab discovered Tinba's predecessor, which had some even nastier features, including new detection evasion tactics, the ability to run on 64-bit operating systems, new DGA (domain generation algorithm) capabilities, and the use of both signed and unsigned executables.



References

  1. "Seculert". Retrieved 22 January 2013.
  2. Perlroth, Nicole (2012-12-31). "Outmaneuvered at Their Own Game, Antivirus Makers Struggle to Adapt". The New York Times. Retrieved 2013-01-22.
  3. "2013 SC Magazine US Awards Finalists". SC Magazine. 2012-11-29. Retrieved 2013-01-22.
  4. Wauters, Robin (2010-10-06). "Seculert Secures Funding For Cloud-Based Threat Detection Software". TechCrunch. Retrieved 2013-01-22.
  5. http://mw.newsblaze.com/story/2013072305000700025.mwir/topstory.html
  6. Williams, Alex (2012-07-10). "Seculert Gets $5.35 Million Investment For Cloud-Based Botnet Detection Service". TechCrunch. Retrieved 2013-01-22.
  7. "Israeli cyber security firm Seculert raises $10 mln in funding". Reuters. 2013-07-08.
  8. http://www.seculert.com/news-media/press-releases/cybersecurity-startup-seculert-named-cool-vendor-gartner-inc/
  9. http://www.infosecurityproductsguide.com/world/
  10. http://www.security-innovation.org/sinet-16.htm
  11. http://www.scmagazine.com/2013-sc-magazine-us-awards-finalists/article/270471/
  12. http://www.redherring.com/events/red-herring-europe/2013_finalists/
  13. Higgins, Kelly (2012-11-07). "Hunting Botnets In The Cloud". Dark Reading. Retrieved 2013-01-22.
  14. Nusca, Andrew (2012-12-05). "Training big data's eye on cybersecurity threats". ZDNet. Retrieved 2013-01-22.
  15. http://www.seculert.com/how-it-works/technology/botnet-interception/
  16. http://www.securityweek.com/seculert-adds-elastic-sandbox-simulate-malware-over-time-geographic-locations
  17. "Ramnit Goes Social". Seculert. 2012-01-05. Retrieved 2013-01-22.
  18. Smith, Catharine (2012-01-05). "Facebook Ramnit Worm Swipes 45,000 Usernames, Passwords". Huffington Post. Retrieved 2013-01-22.
  19. Masters, Greg (2012-01-05). "New Ramnit variant steals Facebook logins". SC Magazine. Retrieved 2013-01-22.
  20. Leyden, John (2012-01-05). "Dammit Ramnit! Worm slurps 45,000 Facebook passwords". The Register. Retrieved 2013-01-22.
  21. "Kelihos.B is still live and social". Seculert. 2012-03-29. Retrieved 2013-01-22.
  22. Leyden, John (2012-03-29). "Kelihos zombies erupt from mass graves after botnet massacre". The Register. Retrieved 2013-01-22.
  23. Colon, Marcos (2012-03-29). "Kelihos lives on thanks to Facebook trojan". SC Magazine. Retrieved 2013-01-22.
  24. Constantin, Lucian (2012-03-30). "Kelihos gang building a new botnet, researchers say". TechWorld. Retrieved 2013-01-22.
  25. "Mahdi - The Cyberwar Savior?". Seculert. 2012-07-17. Retrieved 2013-01-22.
  26. Finkle, Jim (2012-07-17). "Another cyber espionage campaign found targeting Iran". Reuters. Retrieved 2013-01-22.
  27. Zetter, Kim (2012-07-17). "Mahdi, the Messiah, Found Infecting Systems in Iran, Israel". Wired. Retrieved 2013-01-22.
  28. Brumfield, Ben (2012-07-19). "Cyberspy program targets victims in Iran, Israel, companies say". CNN. Retrieved 2013-01-22.
  29. "Shamoon, a two-stage targeted attack". Seculert. 2012-08-16. Retrieved 2013-01-22.
  30. Weitzenkorn, Ben (2012-08-23). "Shamoon Worm Linked to Saudi Oil Company Attack". MSNBC. Retrieved 2013-01-22.
  31. Zetter, Kim (2012-08-30). "Qatari Gas Company Hit With Virus in Wave of Attacks on Energy Companies". Wired. Retrieved 2013-01-22.
  32. Schreck, Adam (2012-09-05). "Virus origin in Gulf computer attacks questioned". Associated Press. Retrieved 2013-01-22.
  33. "Dexter - Draining blood out of Point of Sales". Seculert. 2012-12-11. Retrieved 2013-01-22.
  34. Goodin, Dan (2012-12-11). ""Dexter" malware steals credit card data from point-of-sale terminals". Ars Technica. Retrieved 2013-01-22.
  35. Higgins, Kelly (2012-12-11). "'Dexter' Directly Attacks Point-of-Sale Systems". Dark Reading. Retrieved 2013-01-22.
  36. McAllister, Neil (2012-12-14). "Dexter malware targets point of sale systems worldwide". The Register. Retrieved 2013-01-22.
  37. Armerding, Taylor (2012-12-19). "Dexter malware's source still unknown, connection to Zeus disputed". CSO Magazine. Retrieved 2013-01-22.
  38. ""Operation Red October" - The Java Angle". Seculert. 2013-01-15. Retrieved 2013-01-22.
  39. Goodin, Dan (2013-01-15). "Red October relied on Java exploit to infect PCs". Ars Technica. Retrieved 2013-01-22.
  40. McAllister, Neil (2013-01-16). "Surprised? Old Java exploit helped spread Red October spyware". The Register. Retrieved 2013-01-22.
  41. "PinkStats". Seculert Research Lab. June 2013.
  42. http://www.seculert.com/blog/2013/10/sazoora-b-makes-its-anti-sandboxing-debut.html
  43. http://www.seculert.com/blog/2013/12/dga-changer-malware-changing-seed-to-evade-sandbox.html
  44. http://news.softpedia.com/news/Experts-Analyzed-DGA-Changer-Malware-Served-in-PHP-net-Attack-410551.shtml
  45. http://threatpost.com/dga-changer-malware-able-to-modify-domain-generation-seed-on-the-fly/103225
  46. http://www.csoonline.com/article/744862/unique-malware-evades-sandboxes
  47. http://thehackerspost.com/2013/12/dga-changer-malware-unique-malware-evades-sandboxes.html
  48. "Israeli defence computer hacked via tainted email -cyber firm". Reuters. 2014-01-26.
  49. http://www.ynet.co.il/articles/0,7340,L-4481380,00.html
  50. http://www.theguardian.com/world/2014/jan/27/hackers-israeli-defence-ministry-computers
  51. "Israel defence computers hit by hack attack". BBC News. 2014-01-27.
  52. http://www.securityweek.com/israeli-defense-computer-hit-cyber-attack-data-expert
  53. "Israel to Ease Cyber-Security Export Curbs, Premier Says". Bloomberg.
  54. Halpern, Micah D. "Cyber Break-in @ IDF". Huffington Post.
