Monthly Archives: December 2015

One cyber attack you can definitely expect in 2016

This is part of a series of posts about what security experts think will happen in 2016. Check out more predictions from Mikko, Sean Sullivan and Erka Koivunen.

“Prediction is very difficult,” the Nobel Prize-winning physicist Niels Bohr once said, “especially about the future.”

Security depends on the ability to make reliable predictions using what we know about the past to model the future.

There are some predictions that you can make pretty reliably. People are going to get drunk on New Year’s Eve. There will probably be a line for Star Wars. Your next phone will be faster than your last one.

And based on the past, there’s one prediction for 2016 that our Chief Research Officer Mikko Hyppönen is willing to make with 100 percent confidence.

“The Olympics in Rio will be targeted,” he told us. “This is not a possibility; it’s a certainty. It’s going to happen.”

How does he know this for sure?

“Network systems of all Olympic Games have been targeted since the 1994 Winter Olympics in Lillehammer.”

What will the attacks look like? That’s where the uncertainty comes in.

“Some of the attackers will be interested in just disrupting the games with DDoS and defacements and so,” he said. “Some of them want to make money with fake ticket shops and credit card phishing.”

The advice our Sean Sullivan gave in 2012 as the London Olympics were approaching still holds: “…be wary of Olympic (and any other current event) themed e-mails.”

Could there be a larger attack on actual infrastructure given that we know that’s a goal of groups like ISIS?

“Islamic State is the first extremist group with a credible cyber offensive capability,” Mikko said. “None of the terrorist groups before have had such specialists in their ranks. Nevertheless, they aren’t yet at the level to do cyber terror attacks. They mostly use the net to organize themselves: to communicate, to spread propaganda and to recruit.”

While they’d like to take down power grids, so far the exploits have been mostly limited to stealing Twitter passwords.

[Image by Brian Godfrey | Flickr]

dnscat2 0.05: with tunnels!

Greetings, and I hope you're all having a great holiday!

My Christmas present to you, the community, is dnscat2 version 0.05!

Some of you will remember that I recently gave a talk at the SANS Hackfest Summit. At the talk, I mentioned some ideas for future plans. That's when Ed jumped on the stage and took a survey: which feature did the audience want most?

The winner? Tunneling TCP via dnscat2. So now you have it! Tunneling: Phase 1. :)

Info and downloads.

High-level

There isn't a ton to say about this feature, so this post won't be particularly long. I'll give a quick overview of how it works, how to use it, go into some quick implementation details, and, finally, talk about my future plans.

On a high level, this works exactly like ssh with the -L argument: when you set up a port forward in a dnscat2 session, the dnscat2 server will listen on a specified port. Say, port 2222. When a connection arrives on that port, the connection will be sent - via the dnscat2 session and out the dnscat2 client - to a specified server.

That's pretty much all there is to it. The user chooses which ports to listen on, and which server/port to connect to, and all connections are forwarded via the tunnel.

Let's look at how to use it!

Usage

Tunneling must be used within a dnscat2 session. So first you need one of those, no special options required:

(server)

# ruby ./dnscat2.rb
New window created: 0

[...]

dnscat2>
(client)

$ ./dnscat --dns="server=localhost,port=53"
Creating DNS driver:
 domain = (null)
 host   = 0.0.0.0
 port   = 53
 type   = TXT,CNAME,MX
 server = localhost

Encrypted session established! For added security, please verify the server also displays this string:

Encode Surfs Taking Spiced Finer Sonny

Session established!

We, of course, take the opportunity to validate the six words - "Encode Surfs Taking Spiced Finer Sonny" - to make sure nobody is performing a man-in-the-middle attack against us (considering this is directly to localhost, it's probably okay :) ).

Once you have a session set up, you want to tell the session to listen with the listen command:

New window created: 1
Session 1 security: ENCRYPTED BUT *NOT* VALIDATED
For added security, please ensure the client displays the same string:

>> Encode Surfs Taking Spiced Finer Sonny

dnscat2> session -i 1
[...]
dnscat2> listen 8080 www.google.com:80
Listening on 0.0.0.0:8080, sending connections to www.google.com:80

Now the dnscat2 server is listening on port 8080. It'll continue listening on that port until the session closes.

The dnscat2 client, however, has no idea any of this is happening yet! It only finds out when a connection arrives on the listener and the server tells it to connect somewhere with a TUNNEL_CONNECT message (discussed later).

Now we can connect to the server on port 8080 and request a page:

$ echo -ne 'HEAD / HTTP/1.0\r\n\r\n' | nc -vv localhost 8080
localhost [127.0.0.1] 8080 (http-alt) open
HTTP/1.0 200 OK
Date: Thu, 24 Dec 2015 16:28:27 GMT
Expires: -1
Cache-Control: private, max-age=0
[...]

On the server, we see the request going out:

command (ankh) 1> listen 8080 www.google.com:80
Listening on 0.0.0.0:8080, sending connections to www.google.com:80
command (ankh) 1>
Connection from 127.0.0.1:60480; forwarding to www.google.com:80...
[Tunnel 0] connection successful!
[Tunnel 0] closed by the other side: Server closed the connection!
Connection from 123.151.42.61:48904; forwarding to www.google.com:80...

And you also see very similar messages on the client:

Got a command: TUNNEL_CONNECT [request] :: request_id 0x0001 :: host www.google.com :: port 80
[[ WARNING ]] :: [Tunnel 0] connecting to www.google.com:80...
[[ WARNING ]] :: [Tunnel 0] connected to www.google.com:80!
[[ WARNING ]] :: [Tunnel 0] connection to www.google.com:80 closed by the server!

That's pretty much all you need to know! One more quick example:

To forward a ssh connection to an internal machine:

command (ankh) 1> listen 127.0.0.1:2222 192.168.1.100:22

Followed by ssh -p2222 root@localhost. That'll connect to 192.168.1.100 on port 22, via the dnscat client!

Stopping a session

I frequently used auto-commands while testing this feature:

ruby ./dnscat2.rb --dnsport=53531 --security=open --auto-attach --auto-command="listen 2222 www.javaop.com:22;listen 1234 www.google.ca:1234;listen 4444 localhost:5555" --packet-trace

The problem is that I'd connect with a client, hard-kill it with ctrl-c (so it doesn't tell the server it's gone), then start another one. When the second client connects, the server won't be able to listen anymore:

Listening on 0.0.0.0:4444, sending connections to localhost:5555
Sorry, that address:port is already in use: Address already in use - bind(2)

If you kill a session from the root window with the 'kill'
command, it will free the socket. You can get a list of which
sockets are being used with the 'tunnels' command!

I realize this is super awkward.. don't worry, it'll get
better next version! Stay tuned!

If you know which session is the problem, it's pretty easy: just kill it from the main window (Window 0 - press ctrl-z to get there):

dnscat2> kill 1
Session 1 has been sent the kill signal!
Session 1 killed: No reason given

If you don't know which session it is, you have to go into each session and run tunnels to figure out which one is holding the port open:

dnscat2> session -i 1
[...]
command (ankh) 1> tunnels
Tunnel listening on 0.0.0.0:2222
Tunnel listening on 0.0.0.0:1234
Tunnel listening on 0.0.0.0:4444

Once you've found it, you can either use the 'shutdown' command (if the session is still active) or go back to the main window and use the kill command.

I realize that's super awkward, and I have a plan to fix it. It's going to require some refactoring, though, and it won't be ready for a few more days. And I really wanted to get this release out before Christmas!

Implementation details

As usual, the implementation is documented in detail in the protocol.md and command_protocol.md docs.

Basically, I extended the "command protocol", which is the protocol that's used for commands like upload, download, ping, shell, exec, etc.

Traditionally, the command protocol was purely the server making a request and the client responding to the request. For example, "download /etc/passwd" "okay, here it is". However, the tunnel protocol works a bit differently, because either side can send a request.

Unfortunately, the client sending a request to the server, although I'd planned for it and written code for it, had a fatal flaw: nothing on the wire identified a message as a request, so when the client sent a request the server had to rely on some rickety logic to decide whether it was looking at a request or a response. As a result, I made a tough call and broke compatibility: I added a one-bit "is a response?" field at the start of the request_id. Responses now have the left-most bit of the request_id set, and requests don't.

At any time - presumably when a connection comes in, but we'll see what the future holds! - the server can send a TUNNEL_CONNECT request to the client, which contains a hostname and port number. That tells the client to make a connection to that host:port, which it attempts to do. If the connection is successful, the client responds with a TUNNEL_CONNECT response, which simply contains the tunnel_id.

From then on, data can be sent in either direction using TUNNEL_DATA requests. This is the first time the client has been able to send a request to the server, and is also the first time a message was defined that doesn't have a response - neither side should (or can) respond to a TUNNEL_DATA message. Which is fine, because we have guaranteed delivery from lower level protocols.

When either side decides to terminate the connection, it sends a TUNNEL_CLOSE request, which contains a tunnel_id and a reason string.

One final implementation detail: tunnel_ids are local to a session.
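The usage section above ("listen 8080 www.google.com:80", then nc against the listener) and the protocol description in this section are two views of the same exchange. The following Python is an added example written for this page, not dnscat2's own Ruby or C code: it models the server and client ends of one session, frames messages with the "is a response?" high bit on request_id, and walks one forwarded connection through TUNNEL_CONNECT, TUNNEL_DATA and TUNNEL_CLOSE. The command numbers (0x1000-0x1002), the field encoding (NUL-terminated host, big-endian uint16 port and tunnel_id) and the choice to send nothing back on a failed connect are assumptions made here; the real layout is in command_protocol.md.

```python
import struct

# Added example, not dnscat2's own code: a model of the 0.05 tunnel command
# protocol as the post describes it (either side may send a request; a response
# is marked by the high bit of request_id; TUNNEL_DATA gets no response; tunnel_ids
# are local to a session). The command numbers, the field encoding and the way a
# failed connect is reported are assumptions made here, not taken from
# dnscat2's command_protocol.md.
TUNNEL_CONNECT, TUNNEL_DATA, TUNNEL_CLOSE = 0x1000, 0x1001, 0x1002
RESPONSE_BIT = 0x8000

def pack(request_id, command, body, is_response=False):
    """Frame: packed_id (uint16, top bit = 'is a response'), command (uint16), body."""
    if not 0 <= request_id < RESPONSE_BIT:
        raise ValueError("request_id must fit in 15 bits; the top bit is the response flag")
    return struct.pack(">HH", request_id | (RESPONSE_BIT if is_response else 0), command) + body

def unpack(frame):
    """Return (request_id, is_response, command, body) with the flag stripped from the id."""
    packed, command = struct.unpack(">HH", frame[:4])
    return packed & (RESPONSE_BIT - 1), bool(packed & RESPONSE_BIT), command, frame[4:]

def split_u16(buf):
    return struct.unpack(">H", buf[:2])[0], buf[2:]

def split_cstring(buf):
    s, _, rest = buf.partition(b"\x00")
    return s.decode(), rest

class Endpoint:
    """Shared by both ends: per-session request ids, the tunnel table and an event log."""
    def __init__(self):
        self.next_request, self.tunnels, self.log = 0, {}, []   # tunnel_ids are session-local

    def request_id(self):
        rid, self.next_request = self.next_request, (self.next_request + 1) % RESPONSE_BIT
        return rid

    def data(self, tunnel_id, payload):
        """TUNNEL_DATA is a request nobody answers; the session layer guarantees delivery."""
        return pack(self.request_id(), TUNNEL_DATA, struct.pack(">H", tunnel_id) + payload)

    def close(self, tunnel_id, reason):
        self.tunnels.pop(tunnel_id, None)
        return pack(self.request_id(), TUNNEL_CLOSE,
                    struct.pack(">H", tunnel_id) + reason.encode() + b"\x00")

    def handle(self, frame):
        """Dispatch one incoming frame; return the reply frame or None."""
        rid, is_resp, cmd, body = unpack(frame)
        if cmd == TUNNEL_CONNECT:
            return self.on_connect(rid, is_resp, body)
        if cmd not in (TUNNEL_DATA, TUNNEL_CLOSE):
            return None                          # the non-tunnel commands are out of scope here
        tid, rest = split_u16(body)
        if cmd == TUNNEL_DATA:
            self.log.append(("data", tid, rest))
        else:
            self.tunnels.pop(tid, None)
            self.log.append(("closed", tid, split_cstring(rest)[0]))
        return None

class Server(Endpoint):
    """Server side of one session, where 'listen <port> <host:port>' lives."""
    def __init__(self):
        super().__init__()
        self.listeners, self.pending = {}, {}   # local port -> target; request_id -> local port

    def listen(self, local_port, host, port):
        self.listeners[local_port] = (host, port)

    def accept(self, local_port):
        """A TCP client hit a listener: ask the dnscat2 client to reach the target."""
        host, port = self.listeners[local_port]
        rid = self.request_id()
        self.pending[rid] = local_port
        return pack(rid, TUNNEL_CONNECT, host.encode() + b"\x00" + struct.pack(">H", port))

    def on_connect(self, rid, is_resp, body):
        if is_resp:                              # the client connected; body is its tunnel_id
            tid, _ = split_u16(body)
            self.tunnels[tid] = self.pending.pop(rid)
            self.log.append(("connected", tid))
        return None

class Client(Endpoint):
    """Client side: makes the outbound TCP connection the server asked for."""
    def __init__(self, connector):
        super().__init__()
        self.connector, self.next_tunnel = connector, 0   # connector(host, port) -> bool stands in for a socket

    def on_connect(self, rid, is_resp, body):
        if is_resp:
            return None
        host, rest = split_cstring(body)
        port, _ = split_u16(rest)
        if not self.connector(host, port):      # assumption: a failed connect just sends nothing back
            self.log.append(("refused", host, port))
            return None
        tid, self.next_tunnel = self.next_tunnel, self.next_tunnel + 1
        self.tunnels[tid] = (host, port)
        self.log.append(("connected", host, port, tid))
        return pack(rid, TUNNEL_CONNECT, struct.pack(">H", tid), is_response=True)

def forward_one_connection():
    """Replay the post's 'listen 8080 www.google.com:80' exchange end to end."""
    server, client = Server(), Client(lambda host, port: host == "www.google.com")
    server.listen(8080, "www.google.com", 80)
    server.handle(client.handle(server.accept(8080)))           # nc hits 8080 -> CONNECT -> response
    (tid,) = server.tunnels
    client.handle(server.data(tid, b"HEAD / HTTP/1.0\r\n\r\n"))  # nc's bytes go out through the client
    server.handle(client.data(tid, b"HTTP/1.0 200 OK\r\n"))     # the reply comes back, never acked
    server.handle(client.close(tid, "Server closed the connection!"))
    return server, client
```

Two things are worth noticing when you run it: the same request_id 7 unpacks as a request or as a response depending only on the high bit, which is exactly the ambiguity the compatibility break removed; and the tunnel_id 0 the client hands back means something only inside that session, so a second session's tunnels start at 0 again.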

Future plans

As I said at the start, I've implemented ssh -L. My next plans are to implement ssh -D (easysauce!) and ssh -R (hardersauce!). I also have some other fun ideas on what I can do with the tunnel protocol, so stay tuned for that. :)

The tricky part about ssh -R is keeping it secure. The client shouldn't be able to arbitrarily forward connections via the server - the server should be able to handle malicious clients securely, at least by default. Therefore, it's going to require some extra planning and architecting!

Conclusion

And yeah, that's pretty much it! As always, if you like this blog or the work I'm doing on dnscat2, you can support me on Patreon! Seriously, I have no ads or monetization on my site, and I spend more money on hosting password lists than I make off it, so if you wanna be awesome and help out, I really, really appreciate it! :)

And as always, I'm happy to answer questions or take feature requests! You're welcome to email me, reply to this blog, or file an issue on Github!

SANS Hackfest writeup: Hackers of Gravity

A few weeks ago, SANS hosted a private event at the Smithsonian's Air and Space Museum as part of SANS Hackfest. An evening in the Air and Space Museum just for us! And to sweeten the deal, they set up a scavenger hunt called "Hackers of Gravity" to work on while we were there!

We worked in small teams (I teamed up with Eric, who's also writing this blog with me). All they told us in advance was to bring a phone, so every part of this was solved with our phones and Google.

Each level began with an image, typically with a cipher embedded in it. After decoding the cipher, the solution and the image itself were used together to track down a related artifact.

This is a writeup of that scavenger hunt. :)

Challenge 1: Hacker of Tenacity

The order of the challenges was actually randomized, so this may not be the order that anybody else had (homework: there are 5040 possible orderings of challenges, and about 100 people attending; what are the odds that two people had the same order? The birthday paradox applies).

The first challenge was simply text:

Sometimes tenacity is enough to get through a difficult challenge. This Hacker of Gravity never gave up and even purposefully created discomfort to survive their challenge against gravity. Do you possess the tenacity to break this message? 

T05ZR1M0VEpPUlBXNlpTN081VVdHMjNGT0pQWEdaTEJPUlpRPT09PQ==

Based on the character set, we immediately recognized it as Base64. We found an online decoder and it decoded to:

ONYGS4TJORPW6ZS7O5UWG23FOJPXGZLBORZQ====


We recognized that as Base32 - Base64 will never have four "====" signs at the end, and Base32 typically only contains uppercase characters and numbers. (Quick plug: I'm currently working on Base32 support for dnscat2, which is another reason I quickly recognized it!)

Anyway, the Base32 version decoded to spirit_of_wicker_seats, and Eric recognized "Spirit" as a possible clue and searched for "Spirit of St Louis Wicker Seats", which revealed the following quote from the Wikipedia article on the Spirit of St. Louis: "The stiff wicker seat in the cockpit was also purposely uncomfortable".

The Spirit of St. Louis was one of the first planes we spotted, so we scanned the QR code and found the solution: lots_of_fuel_tanks!

Challenge 2: Hacker of Navigation

We actually got stuck on the second challenge for a while, but eventually we got an idea of how these challenges tend to work, after which we came back to it.

We were given a fragment of a letter:

The museum archives have located part of a letter in an old storage locker from some previously lost collection. They'd REALLY like your help finding the author.

You'll note at the bottom-left corner it implies that "A = 50 degrees". We didn't notice that initially. :)

What we did notice was that the degrees were all a) multiples of 10, and b) below 260. That led us to believe that they were numbered letters, times ten (so A = 10, B = 20, C = 30, etc).

The numbers were: 100 50 80 90 80 100 50 230 120 130 190 180 130 230 240 50.

Dividing by 10 gives 10 5 8 9 8 10 5 23 12 13 19 18 13 23 24 5.

Converting that to the corresponding letters gave us JEHIH JEWLMSRMWXE. Clearly not an English sentence, but it looks like a cryptogram (JEHIH looks like "THERE" or "WHERE").

That's when we noticed the "A = 50" in the corner and realized the letters were probably shifted (with A = 50 instead of A = 10, every letter we had lands four places too far along the alphabet). Instead of converting it by hand, we found a shift cipher bruteforcer that we could use. The result was: FADED FASHIONISTA

Searching for "Faded Fashionista Air and Space" led us to this Smithsonian Article: Amelia Earhart, Fashionista. Neither of us knew where her exhibit was, but eventually we tracked it down on the map and walked around it until we found her Lockheed Vega, the QR code scanned to amelias_vega.

Challenge 3: Hacker of Speed

This was an image of some folks ready to board a plane or something:

This super top secret photo has been censored. The security guys looked at this SO fast, maybe they missed something?

Because of the hint, we started looking for mistakes in the censoring and noticed that they're wearing boots that say "X-15":

We found the X-15 page on the museum's Web site and remembered seeing the plane on the 2nd floor. We reached the artifact and determined that the QR code read faster_than_superman.

Once we got to the artifact, we noticed that we hadn't broken the code yet. Looking carefully at the image, we saw the text at the bottom, nbdi_tjy_qpjou_tfwfo_uxp.

As an avid cryptogrammer, I recognized tfwfo as likely being "never". Since 'e' is one character before 'f', it seemed likely that it was a single shift ('b'->'a', 'c'->'b', etc). I mentally shifted the first couple letters of the sentence, and it looked right, so I did the entire string while Eric wrote it down: mach_six_point_seven_two.

The funny thing is, the word was "seven", not "never", but the "e"s still matched!

Challenge 4: Hacker of Design

While researching some physics based penetration testing, you find this interesting diagram. You feel like you've seen this device before... maybe somewhere or on something in the Air and Space museum?

The diagram reminded Eric of an engine he saw on an earlier visit, we found the artifact on the other side of the museum:

Unfortunately there was no QR code so we decided to work on decoding the challenge to discover the location of the artifact.

Now that we'd seen the hint on Challenge 2, we were more prepared for a diagram to help us! In this case, it was a drawing of an atom and the number "10". We concluded that the numbers probably referred to atomic numbers of elements on the periodic table, and converted them as such:

10=>Ne
74=>W
... and so on.

After decoding the full string, we ended up with:

new_plan_schwalbe

We actually made a mistake in decoding the string, but managed to find it anyways thanks to search autocorrect. :)

After searching for "schwalbe air and space", we found this article, which led us to the artifact: the Messerschmitt Me 262 A-1a Schwalbe (Swallow). The QR code scanned revealed the_swallow.

Challenge 5: Hacker of Distance

While at the bar, listening to some Dual Core, planning your next conference-fest with some fellow hackers, you find this interesting napkin. Your mind begins to wander. Why doesn't Dual Core have a GOLDEN RECORD?! Also, is this napkin trying to tell you something in a around-about way?

The hidden text on this one was obvious… morse code! Typing the code into a phone (not fun!), we ended up with .- -.. .- ... - .-. .- .--. . .-. .- ... .--. . .-. .-, which translates to ADASTRAPERASPERA

According to Google, that slogan is used by a thousand different organizations, none of which seemed to be space or air related. However, searching for "Golden Record Air and Space" returned several results for the Voyager space probe. We looked at our map and scurried to the exhibit on the other side of the museum:

Once we made it to the exhibit, finding the QR code was easy; scanning it revealed the_princess_is_in_another_castle. The decoy flag!

We tried searching keywords from the napkin, but none of the results seemed promising. After a few frustrating minutes we saw the museum banquet director and asked him for help. He told us that the plane we were looking for was close to the start of the challenge, so we made a dash for the first floor and found the correct Voyager exhibit:

Scanning the QR code revealed the code, missing_canards.

Challenge 6: Hacker of Guidance

The sixth challenge gave us a map with some information:

You have intercepted this map that appears to target something. The allies would really like to know the location of the target. Also, they'd like to know what on Earth is at that location.

We immediately noticed the hex-encoded numbers on the left:

35342e3133383835322c
31332e373637373235

That is ASCII for 54.138852,13.767725. We googled the coordinates, and they pointed to a location in Germany: Flughafenring, 17449 Peenemünde, Germany.

After many failed searches we tried "Peenemünde ww2 air and space", which led to a reference to the German V2 Rocket. Here is the exhibit and QR code:

Scanning the QR code revealed aggregat_4, the formal name for the V-2 rocket.

Challenge 7: Hacker of Coding

This is an image with a cipher on the right:

Your primary computer's 0.043MHz CPU is currently maxed out with other more important tasks, so converting all these books of source code to assembly is entirely up to you.

On the chalkboard is a cipher:

We couldn't remember what it was called, and ended up searching for "line dot cipher", which immediately identified it as a pigpen cipher. The pigpen cipher can be decoded with this graphic:

Essentially, you find the shape containing the letter that corresponds to the shape in that graphic. So, the first letter is ">" on the chalkboard, which maps to 'T'. The second is the upper three quarters of a square, which matches up with 'H', and the third is a square, which matches to E. And so on.

Initially we found a version that didn't map to the proper English characters, and translated it to:

Later, we did it right and found the text "THE BEST SHIP TO COME DOWN THE LINE"

To find the artifact, we googled "0.043MHz", and immediately discovered it was "Apollo 11".

The QR code scanned to the_eleventh_apollo
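As an added example (not part of the original writeup), here is the decoding work from the challenges above as Python functions, run on the strings quoted in the post: the Base64-then-Base32 peel from Challenge 1, the numbers-to-letters step and a shift-cipher bruteforcer for Challenge 2, the single-letter shift from Challenge 3, the Morse from Challenge 5 and the hex coordinates from Challenge 6. The bruteforcer ranks all 26 shifts with a constructed English letter-frequency table instead of leaving the reader to scan them by eye; the table values are an assumption of this example, and the rule for telling Base32 from Base64 is the one the writeup states. The pigpen and atomic-number challenges are left out because they need the image and a periodic table.

```python
import base64
import math
import string

# Added example, not part of the original writeup: the decoding steps the hunt
# needed, as reusable functions run on the strings quoted in the post. The
# letter-frequency table is a constructed stand-in for the online "shift cipher
# bruteforcer" the authors used; instead of eyeballing 26 candidates it ranks them.

def peel_encodings(blob):
    """Strip nested base64/base32 layers, returning every intermediate stage.

    Decision rule taken from the post: '====' padding, or an alphabet of only
    uppercase letters and digits, means base32; otherwise try base64. The loop
    stops at the first stage that is neither (e.g. the underscore in the flag)."""
    stages = [blob.strip()]
    while stages[-1]:
        s = stages[-1]
        try:
            if s.endswith("====") or set(s) <= set(string.ascii_uppercase + "234567="):
                nxt = base64.b32decode(s).decode("ascii")
            else:
                nxt = base64.b64decode(s, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
            break
        stages.append(nxt.strip())
    return stages

def caesar(text, shift):
    """Move every letter `shift` places back in the alphabet; leave everything else alone."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base - shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)

# Approximate English letter frequencies in percent, A..Z (constructed table).
FREQ = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
        6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]

def english_score(text):
    """Sum of log letter frequencies: the more English-looking, the higher."""
    return sum(math.log(FREQ[ord(c) - ord("A")]) for c in text.upper() if "A" <= c <= "Z")

def brute_force_shift(text):
    """All 26 shifts as (shift, plaintext), best-scoring first."""
    candidates = [(k, caesar(text, k)) for k in range(26)]
    return sorted(candidates, key=lambda c: english_score(c[1]), reverse=True)

def numbers_to_letters(numbers, a_value, step=10):
    """Read numbers as A = a_value, B = a_value + step, ... (the 'A = 50 degrees' hint)."""
    return "".join(string.ascii_uppercase[(n - a_value) // step] for n in numbers)

MORSE = {".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
         "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
         "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
         "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
         "-.--": "Y", "--..": "Z"}

def morse_decode(code):
    """Decode space-separated Morse; an unknown symbol becomes '?'."""
    return "".join(MORSE.get(sym, "?") for sym in code.split())

def hex_to_text(*hex_lines):
    """Join the hex lines from the map and decode them as ASCII."""
    return bytes.fromhex("".join(hex_lines)).decode("ascii")

def solve_hunt():
    """Run the five code-based challenges from the post and return their answers."""
    numbers = [100, 50, 80, 90, 80, 100, 50, 230, 120, 130, 190, 180, 130, 230, 240, 50]
    return {
        "tenacity": peel_encodings("T05ZR1M0VEpPUlBXNlpTN081VVdHMjNGT0pQWEdaTEJPUlpRPT09PQ==")[-1],
        "navigation": brute_force_shift(numbers_to_letters(numbers, a_value=10))[0][1],
        "speed": caesar("nbdi_tjy_qpjou_tfwfo_uxp", 1),
        "distance": morse_decode(".- -.. .- ... - .-. .- .--. . .-. .- ... .--. . .-. .-"),
        "guidance": hex_to_text("35342e3133383835322c", "31332e373637373235"),
    }
```

solve_hunt() returns the five answers keyed by challenge. brute_force_shift("JEHIH JEWLMSRMWXE") puts shift 4, "FADED FASHIONISTA", first without any help from the "A = 50" hint, which is the point of scoring candidates rather than reading all 26 by hand.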

And that's it!

And that's the end of the cipher portion of the challenge! We were first place by only a few minutes. :)

The last part of the challenge involved throwing wood airplanes. Because our plane didn't go backwards, it wasn't the worst, but it's nothing to write home about!

But in the end, it was a really cool way to see a bunch of artifacts and also break some codes!

XXX is Angler EK


Snapshot of the Monster AV affiliate


As I got many questions about an EK named XXX (which is said to be better than Angler ;) ), I decided to share some data here.

XXX Control Panel
Login Page.


XXX is Angler EK (or at least it is the real name of Angler's most documented instance).

Angler EK / XXX stats on 2015-07-25 (IE exploits only)
(for some reason the Flash exploits were not activated on that thread)
Note the Chase logo >> JPMorgan >> Cool EK's exploit buyer ;)

You might want to read "The Transition - "Reveton Team" or "Mr.J/Monster AV"" from Paunch's arrest...The end of an Era ! (2013-10-11). That is where I first wrote down the name the defence side chose for this exploit kit; the name was taken from a logo used by the Reveton affiliate.

Snipshot of "The Transition" after Paunch's Arrest

But Angler was around before the Reveton team started to use it.

Here is one used against Ukrainian targets that I captured in August 2013:

2013-08-27 - Exploit Kit unknown to me at that time
Ancestor of Angler EK as we know it
[Payload here is most probably Lurk]
This was when the Reveton team was still on Cool EK. It appears that instance already had fileless capabilities.

A Russian researcher friend connected that instance back to this Securelist post from 2012-03-16: A unique ‘bodiless’ bot attacks news site visitors

So the (c) 2010 at the bottom of the control panel is probably... the real birth year of Angler.

This indexm.html variant of Angler EK is most probably still being used in RU/UA, and it was one of the early adopters of CVE-2015-0311 (the Flash 0day from January 2015), ahead of many "standard" instances of Angler. There were still Java exploits inside it in March.

2015-01-27 - Angler EK "indexm" exploiting CVE-2015-2551 and firing Java exploits
[Payload here is most probably Lurk]

Angler EK was briefly mentioned (translation here) as part of a "partnerka" by a user with the nickname Menatep in February 2014.

Conclusion: XXX is what we call Angler EK, and Angler EK (the indexm instance) is not that young!

Files: two Fiddler captures of Angler EK "indexm", from 2013 and 2015 (password: malware)

Read More :
Police Locker land on Android Devices - 2014-05-04
Paunch's arrest...The end of an Era ! - 2013-10-11
Crimeware Author Funds Exploit Buying Spree - 2013-01-07 - KrebsOnSecurity
Cool Exploit Kit - A new Browser Exploit Pack on the Battlefield with a "Duqu" like font drop - 2012-10-09
A unique ‘bodiless’ bot attacks news site visitors - 2012-03-16 - Sergey Golovanov - Securelist

Post publication Reading :
Russian hacker gang arrested over $25m theft - 2016-06-02 - BBC News [Cf Lurk]
Is it the End of Angler ? - 2016-06-11
How we helped to catch one of the most dangerous gangs of financial cybercriminals - 2016-08-30 - SecureList

This is what’s so unique about the cyber threat from ISIS

Our Chief Research Officer Mikko Hyppönen recently made news by pointing out that terrorists probably won’t try to take down the United Kingdom’s internet.

That’s because the power grid is a better target.

“Why bother toying around taking down the net if you could take down the electric grid?” Mikko told cable.co.uk.

“If the net is down, people won’t die. If electricity is down, people will die.”

That doesn’t mean such a catastrophic attack is imminent. 

“Executing such an attack would be far from easy,” he said, and it isn’t likely that terrorists yet have the capability to pull it off.

But if there is a terror organization most likely to attempt such an offensive strike, it would be the Islamic State.

“The Islamic State has demonstrated that they have the most credible offensive cyber capability of any of the jihadist extremist movements, and even they are far away from having this level of operational skills at their disposal.”

The group has specialists in its ranks that are likely working on attacks that would target crucial infrastructure and “are doing their best to build it.”

Why would ISIS want to take the internet down when it’s been such a potent tool for the group?

“They mostly use the net to organize themselves: to communicate, to spread propaganda and to recruit.”

In September, the New York Times reported that ISIS had recruited 30,000 foreign fighters in the last year.

[Image via Erik Drost | Flickr]

CVE-2015-8446 (Flash up to 19.0.0.245) And Exploit Kits

One week after the patch, Flash 19.0.0.245 is being exploited by Angler EK via CVE-2015-8446.

Angler EK :
2015-12-14
CVE identification by Anton Ivanov ( Kaspersky ) and FireEye  (Thanks !)
Angler EK exploiting Flash 19.0.0.245 via CVE-2015-8446
2015-12-14


Sample in that pass : b5920eef8a3e193e0fc492c603a30aaf
Sample from other Angler EK instance : 0615fb9e037b7bf717cc9b04708e51da 720089b93a0f2bb2a72f1166430de522



Fiddler sent to VT.
(Not replayable. You know how to contact me to land on live instances. I might not reply to mail coming from gmail,live,yahoo etc...  mailboxes)

Off topic: in that pass, Bedep (BuildID 5004) is loaded in memory and then grabs these two DLLs in a stream:
f5c1a676166fe3472e6c993faee42b34
d65f155381d26f8ddfa304c83b1ad95a (credential stealer)
After that it performs ad fraud.


The last safe version of Flash against commercial exploit kits was 19.0.0.226, which fixed CVE-2015-7645.


Post publication readings :
(Google Translate) Angler EK latest CVE-2015-8446 Flash Exploit analysis - 2015-12-19 - Qihoo360

Backdoors in messaging apps – what’s really going on?

We are in one of those phases again. The Paris attacks caused, once again, a cascade of demands for more surveillance and weaker encryption. These demands appear every time, regardless of whether the terrorists used encryption or not.

Perhaps the most controversial demand is to make backdoors mandatory in communication software. Encryption technology can be practically unbreakable if implemented right. And the use of encryption has skyrocketed since the Snowden revelations. But encryption is not only used by terrorists. As a matter of fact, it’s one of the foundations we are building our information society on. Protection against cybercrime, authentication of users, securing commerce, maintaining business secrets, protecting the lives of political dissidents, etc. etc. These are all critical functions that rely on encryption. So encryption is good, not bad. But as with any good thing, it can be both used and misused.

And besides that, as people from the Americas prefer to express it: encryption is speech, referring to the First Amendment that grants people free speech. Both encryption technology and encrypted messages can be seen as information that people are free to exchange. Encryption technology is already out there and widely known. How on earth can anyone think that we could get this genie back in the bottle? Banning strongly encrypted messages would just harm ordinary citizens without stopping terrorists from using secure communications, as they are known to disregard laws anyway. Banning encryption as an anti-terror measure would work just as well as simply banning terrorism. (* So can the pro-backdoor politicians really be that stupid and ignorant?

Well, that might not be the whole truth. But let’s first take a look at the big picture. What kind of tools do the surveillance agencies have to fight terrorism, or to spy on their enemies or allies, or on anybody else who happens to be of interest? The methods in their toolboxes can roughly be divided into three sections:

  • Tapping the wire. Reading the content of communications this way is becoming futile thanks to extensive use of encryption, but traffic analysis can still reveal who’s communicating with whom. People with unusual traffic patterns may also get attention at this level, despite the encryption.
  • Getting data from service providers’ systems. This usually reveals your network of contacts, and also the contents unless the service uses proper end-to-end encryption. This is where they want the backdoors.
  • Putting spying tools on the suspects’ devices. This can reveal pretty much everything the suspect is doing. But it’s not a scalable method and they must know whom to target before this method can be used.

And their main objectives:

  • Listen in to learn if a suspect really is planning an attack. This requires access to message contents. This is where backdoors are supposed to help, according to the official story.
  • Mapping contact networks starting from a suspect. This requires metadata from the service providers or traffic analysis on the cable.
  • Finding suspects among all network users. This requires traffic analysis on the cable or data mining at the service providers’ end.

So forcing vendors to weaken end-to-end encryption would apparently make it easier to get message contents from the service providers. But as almost everyone understands, a program like this can never be water-tight. Even if the authorities could force companies like Apple, Google and WhatsApp to weaken security, others operating in another jurisdiction will always be able to provide secure solutions. And more skillful gangs could even use their own home-brewed encryption solutions. So what’s the point if we just weaken ordinary citizens’ security and let the criminals keep using strong cryptography? Actually, this is the real goal, even if it isn’t obvious at first.

Separating the interesting targets from the mass is the real goal in this effort. Strong crypto is in itself not the intelligence agencies’ main threat. It’s the trend that makes strong crypto a default in widely used communication apps. This makes it harder to identify the suspects in the first place as they can use the same tools and look no different from ordinary citizens.

Backdoors in the commonly used communication apps would however drive the primary targets towards more secure, or even customized, solutions. These solutions would of course not disappear. But the use of them would not be mainstream, and function as a signal that someone has a need for stronger security. This signal is the main benefit of a mandatory backdoor program.

But it is still not worth it; the price is far too high. Real-world metaphors are often a good way to describe IT issues. Imagine a society where the norm is to leave your home door unlocked. The police walk around checking every door. They may peek inside to check what you are up to. And those with a locked door must have something to hide and are automatically suspects. Does this feel right? Would you like to live in a society like that? This is the IT society some agencies and politicians want.

 

Safe surfing,
Micke

 

(* Yes, demanding backdoors and banning cryptography are not the same thing. But a backdoor is always a deliberate fault that makes an encryption system weaker. So it’s fair to say that demanding backdoors is equal to banning correctly implemented encryption.

Why I love working at F-Secure

I never imagined I would work for a tech company like F-Secure until I received a phone call back in 2009.

Though I work in communications, I have always had a slightly geeky soul. Yes, I was that kid with a Commodore 64 and in 1995 IRC was my Facebook.

From the moment I arrived in the F-Secure headquarters on the edge of the Baltic Sea, I felt that I had taken on more than a job. We are on a mission. Knowing that we are protecting tens of millions of people around the world keeps me motivated to do my job well every day. It’s important for me to be able to take pride in what I do every morning when I open the office door.


In exchange for my commitment, I am treated like a professional with a life outside the office. And though the tech industry is male-dominated, I’ve never felt that my expertise has been questioned because I’m a female.

I could give you tens of reasons to work at F-Secure, everything from our massage benefit to fresh fruit, great occupational healthcare, fitness benefits, a bicycle policy and fun office parties, but I’d rather give the word to my colleagues on what it’s like to work at F-Secure.

Christine works as a Service Lead for the Online Protection Team at our Labs. She was originally hired in our Malaysian office but transferred to our Helsinki headquarters in 2011. Christine has worked at F-Secure since 2008.

“If you are an idealist who has a passion for security and feel like you want to do something that not only makes money, but also makes a difference, then F-Secure is a good place to be in. I have to say that working in this industry has enabled me to keep some idealistic parts of me. It feels good to know that the input that you do in your work is relevant and can provide immediate protection for the users. I feel fortunate that in my day job I work on something that matters.”


Jukka is a Senior Manager at our Labs. He has been with F-Secure since 2011.

“I have always been interested in security, especially in the IT world. That fact itself got me super excited almost five years ago when I got a job offer at F-Secure. The Labs is definitely the most interesting working environment I’ve been in. I get fresh insight into all the cyber security news and the imminent threats. I also hear the success stories of bringing down bad stuff out there. It’s really an interesting and constantly evolving field.

“All of that combined with the company culture, what we call fellowship, makes it a great combination. Though I now work at the Labs I joined the company in R&D services and worked there the first three years. Rotating jobs within the company really enables professional growth. I’ve got even more great colleagues, definitely the best people in the industry. I currently don’t see a better place to work at. F-Secure has absolutely the best people to work with! I really love the industry too. It’s about seeing the Internet as is, without wearing a pair of pink, rosy glasses.”


After four years at F-Secure, my family decided we needed a break.

I can’t explain how grateful I was that I worked at a company that was willing to grant me a one-year leave of absence to make a dream come true. Truly, I was not running away from work, but toward something I had to do for my husband, my daughter and myself. We spent a whole year traveling and adventuring around the world. Not only did we get to experience fantastic things, like hiking the Himalayas, snorkeling with manta rays and turtles, and watching amazing sunrises and sunsets, I also learned so much about the world, which helps me do even better in my professional life.


To sum the whole thing up: it was awesome.

I was happy with my job and position before I left. But things got better when I was making my plans to return. An even better position had opened and my boss decided it was tailor-made for me.

I agreed.

It’s this kind of opportunity that makes me want to continue my work at F-Secure, even though—to be honest—it isn’t quite as awesome as adventuring around the world.

Does this sound like the kind of mission and culture you’d like to join?

If you answered yes, this is your lucky day. We are recruiting superstars to work with us. Have a look at our open positions, and if you’re into cybersecurity we have some pretty extraordinary opportunities for you right now.

Cheers,

Gia

How to show a little extra love with your tech gifts

The holiday shopping season is now in full swing. Cyber Monday sales surpassed three billion dollars in the US for the first time ever, essentially meeting earlier projections for the supposed biggest online shopping day of the year.

Adobe’s projections, published earlier in the year, say that one percent of available products account for 76 percent of holiday sales (up from 65 percent during the rest of the year). Furthermore, sixty percent of that one percent consists of electronic products, including things like smartphones, tablets, and PCs. These days, smartphones and tablets can be bought at a wide range of prices, making it easy to find something to suit your budget.

Now, if you’re like me, you probably struggle a bit with finding the right gifts for people. I’ll probably spend many hours browsing for the perfect gifts online, and then wind up buying a tablet (at least one) for someone around December 23rd, when I’ve essentially run out of time to find the more personal gifts I try to buy.

Don’t get me wrong. Tablets, smartphones, PCs, etc. These are great gifts. There’s a lot of different things people can do with them. And everyone, from students to grandparents, can use them. But if I were to buy a new tablet for my 92-year-young grandfather, I would want to make sure he’s protected from using the device for doing something dangerous online, like visiting malicious websites or getting involved in a phishing scam.

That’s why something like F-Secure SAFE is a great add-on for holiday gifts. SAFE is a multi-device security service that can cover different combinations of smartphones, tablets, laptops or desktops, so it’s an easy way to protect different people who use different devices for different reasons. SAFE lets users create their own “safe circle”, where they can invite people to use the service to secure their devices. So you can share it with family members or friends anywhere in the world, making it a great way to look after the people in your life.

Are you getting a new Windows 10 laptop for a student you know? SAFE will work for that.

Maybe you’re getting a child their first smartphone, and you’re worried that they might lose it or have it stolen? SAFE has a Finder feature that can help locate missing devices.

Maybe you just have a desktop of your own that you use around the house, but you want to keep it around to do banking and other organizing? SAFE has Banking Protection that makes sure your financial information stays protected when you’re signed in to online banking.

F-Secure’s latest version of SAFE (launched today) has been redesigned to make it even easier for people to use and protect devices and other people, so it’s a perfect add-on for any tech gifts you might buy this holiday season. It makes these gifts a little more personal, and lets the recipients know you care. And according to Antero Norkio, F-Secure Director, Device Security, it makes it easy for you to be the “go-to” security guy in your family, which is something he says is a role many tech people take within their social circles.

MASSCAN Web Interface

A couple of weeks ago, we had the opportunity to scan and map a large IP address space covering just over 3 million hosts. Our tool of choice for this was the fast and capable masscan, which is packaged in Kali. While masscan has several convenient output formats, such as binary and XML, one feature we were missing was an easy way to search our results. We quickly whipped up a little web interface that would allow us to import and search within a masscan XML output file. This proved very useful for us: once we identified a specific vulnerable pattern on a machine, we could easily cross-reference that pattern against the millions of discovered hosts in our database.
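The import-and-search step described above, as an added example that is not the Kali team's web interface: it loads masscan's nmap-style XML output into SQLite and lets you cross-reference a port or banner pattern against every recorded host. The XML below is constructed sample data; the element layout (`host`/`address`/`ports`/`port`/`state`/`service`) follows masscan's `-oX` format, and `import_masscan_xml`, `search` and `load_sample` are names chosen here.

```python
# Added example (not the tool from the post): import masscan XML output into
# SQLite and query it. SAMPLE_XML is constructed; it mimics masscan's -oX
# layout, where each finding is its own <host> element.
import sqlite3
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="masscan" start="1448928000" version="1.0.3">
<host endtime="1448928001"><address addr="203.0.113.10" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="54"/>
<service name="ssh" banner="SSH-2.0-OpenSSH_5.3"/></port></ports></host>
<host endtime="1448928002"><address addr="203.0.113.11" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="443"><state state="open" reason="syn-ack" reason_ttl="54"/>
<service name="title" banner="Login"/></port></ports></host>
<host endtime="1448928003"><address addr="203.0.113.12" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="240"/>
<service name="ssh" banner="SSH-2.0-OpenSSH_7.1"/></port></ports></host>
</nmaprun>"""

def import_masscan_xml(xml_text, conn):
    """Store one row per (ip, proto, port, state, service, banner). For
    multi-GB scan files, swap ET.fromstring for ET.iterparse on a file."""
    conn.execute("CREATE TABLE IF NOT EXISTS results (ip TEXT, proto TEXT, "
                 "port INTEGER, state TEXT, service TEXT, banner TEXT)")
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        ip = host.find("address").get("addr")
        for port in host.iter("port"):
            state, svc = port.find("state"), port.find("service")
            rows.append((ip, port.get("protocol"), int(port.get("portid")),
                         state.get("state") if state is not None else None,
                         svc.get("name") if svc is not None else None,
                         svc.get("banner") if svc is not None else None))
    conn.executemany("INSERT INTO results VALUES (?,?,?,?,?,?)", rows)
    conn.commit()
    return len(rows)

def search(conn, port=None, banner_like=None):
    """Cross-reference: IPs with an open port and/or a banner substring."""
    sql, args = "SELECT DISTINCT ip FROM results WHERE state='open'", []
    if port is not None:
        sql, args = sql + " AND port=?", args + [port]
    if banner_like is not None:
        sql, args = sql + " AND banner LIKE ?", args + ["%" + banner_like + "%"]
    return sorted(r[0] for r in conn.execute(sql, args))

def load_sample():
    """Fresh in-memory database populated from the constructed sample."""
    conn = sqlite3.connect(":memory:")
    import_masscan_xml(SAMPLE_XML, conn)
    return conn

if __name__ == "__main__":
    db = load_sample()
    print(search(db, port=22, banner_like="OpenSSH_5"))  # hosts matching the pattern
```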

How cyber criminals use Twitter to run their attacks

Over the past decade billions of us have taken to using third-party services — which we often get access to for free in exchange for our privacy — to promote ourselves, our businesses or to even launch new businesses.

Cyber criminals never miss an opportunity. So as social networks have improved their encryption to protect users’ personal data, attackers have used the platforms as a means to stay in contact with their malware, F-Secure Labs Researcher Artturi Lehtiö has discovered.

“If I had to put it in a nutshell, I’d say that attackers are using certain third party services to help them fly under the radar of corporate security,” he explained.

Lehtiö is the author of a new white paper on the phenomenon of attackers — including the Russian-backed criminals who authored the family of advanced persistent threats known as The Dukes — abusing third-party web services as command and control channels for malware. (If you’re interested in a top-level introduction to his findings, check out his presentation from VB2015 in Prague.)

So, yes, criminals are using sites like Twitter to tell their malware what data to steal.

Here’s what that looks like on the site:

(Screenshot: tweets from a malware-controlled Twitter account used by OnionDuke.)

These aren’t the bad links leading to infections that used to plague Twitter; they’re something far more devious.

“If OnionDuke is unable to contact the primary C&C server specified in its configuration, it will attempt to search for Tweets from the configured Twitter account, expecting them to contain links to image files embedded with updated versions of itself,” Artturi writes in the white paper.

Artturi explained to me that these images are “valid, functioning image files that just have extra data at the end. That data looks like garbage unless you know to look for it and know how to decrypt it.”

As he explained, the point of the strategy is to fly under the radar.

“It’s highly unlikely for anyone to accidentally come across these things,” Artturi said. “Even if you’re looking for them, they can be hard to find. And, attackers often try to make the tweets look as innocuous as possible, so you might not realize there is something fishy going on even if you saw it.”

This wily yet public strategy has certain disadvantages, of course.

“Once attacker-controlled Twitter accounts, Tumblr accounts, or whatever the attackers are using, are identified, defenders and researchers can monitor them just as easily as the malware can.”

And that’s exactly what Artturi has been doing.
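One check a defender can run on images fetched from a monitored account, as an added example that is not code from the white paper or from F-Secure: parse the PNG chunk list and flag files that are structurally valid images but carry extra bytes after the IEND chunk, which is the "valid image with data appended at the end" pattern Artturi describes. The PNG samples are constructed in memory; `png_trailing_data`, `make_png` and `is_suspicious` are names chosen here, and the 16-byte threshold is an assumption.

```python
# Added example (not from the white paper): detect data appended after a
# PNG's IEND chunk. Sample images are constructed here, not real samples.
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_trailing_data(data):
    """Walk the chunk list (length, type, body, CRC) up to IEND and return
    whatever follows it (b'' for a clean file). ValueError if not valid PNG."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while True:
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            raise ValueError("truncated chunk")
        if struct.pack(">I", zlib.crc32(ctype + body) & 0xffffffff) != crc:
            raise ValueError("bad CRC in chunk %r" % ctype)
        pos += 12 + length
        if ctype == b"IEND":
            return data[pos:]          # a clean PNG ends exactly here

def _chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xffffffff
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def make_png(trailer=b""):
    """Constructed 1x1 grayscale PNG, optionally with bytes appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return (PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
            + _chunk(b"IEND", b"") + trailer)

def is_suspicious(data, min_trailer=16):
    """Detection rule: a valid PNG followed by >= min_trailer extra bytes.
    Non-PNG or malformed input is not flagged by this rule (assumed threshold)."""
    try:
        return len(png_trailing_data(data)) >= min_trailer
    except ValueError:
        return False

if __name__ == "__main__":
    stuffed = make_png(b"CONSTRUCTED-ENCRYPTED-BLOB-" * 4)
    print(is_suspicious(make_png()), is_suspicious(stuffed))  # False True
```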

Nuclear Pack loads a fileless CVE-2014-4113 Exploit

Yesterday's Nymaim spam campaign was also redirecting to Nuclear Pack.
Unsurprisingly, the sample (592899e0eb3c06fb9fda59d03e4b5b53) dropped by Nuclear is the same as the proposed fake update.

But there was an additional 11 KB payload call for which I could not find a sample on drive.

Nuclear Pack dropping Nymaim in the 2015-11-30 Spam Campaign
It was also unusually encoded, with two XOR passes, and the first part of the decoded stream is shellcode.

Friends (who don't want to be mentioned) figured out that a privilege escalation was in use there:

According to Kaspersky and Timo Hirvonen (F-Secure), it's CVE-2014-4113 (Win32k.sys Elevation of Privilege Vulnerability).

I did not get to see the privilege escalation in live conditions.

Note: it's not the first time a public exploit kit has integrated an exploit to escalate the rights of a dropped payload (cf. CVE-2015-2426 in Magnitude).

Files: Fiddler and DLL here (password is malware; XOR keys: 56774347426F664767 then 213404052d09212031)
Thanks: Kaspersky, Timo Hirvonen, Malc0de and 2 other friends for taking some time and using their wizardness on this.

Read more:
An Analysis of A Windows Kernel-Mode Vulnerability (CVE-2014-4113) - 2014-10-29 - TrendMicro