I'm your host Aaron Lyons and today I'll be covering password re-use attacks, Symantec, and another SWIFT bank heist.
Cisco makes an acquisition in cloud security, Palerra claims a first in the same space, CrowdStrike bundles prevent breaches? And Barracuda makes it easier to give them money for next-gen firewalls. All that and more, so stay tuned!
Full Show Notes: http://wiki.securityweekly.com/wiki/index.php/ES_Episode8
The SANS Pen Test group has a poster they hand out at SANS conferences and put in mailings that has an awesome mind map of hacking challenge/skills sites.
Won't be going to a conference soon, or not on the mailing list? No worries, the poster can be downloaded here, and all of the SANS posters are located here, including DFIR, Threat Intelligence, CIS and some general information posters.
If you're not familiar with SANS posters, they're not just marketing tools (though of course they advertise an event, too): they are full of good, useful information, like the hack sites mind map.
This episode is dedicated to Jennifer Collis. This week on Security Weekly, Cory Doctorow of craphound.com joins us to discuss all things security! Pentoo dev Rick Farina stops in to talk about the new Pwn Pad 4 as well. Stay tuned!
Welcome to another Hack TV, this episode we have a special interview with Don Pezet from IT Pro. Stay Tuned!
Full Wiki Notes: http://wiki.securityweekly.com/wiki/index.php/Hack_Naked_TV_June_23_2016
This week on Enterprise Security Weekly, Tenable makes a strategic partnership to ease authenticated vulnerability scanning, Avast announces a much faster antivirus engine, RiskSense unveils cyber risk scoring that allows some other kind of scoring that you might be familiar with, and Alert Logic goes into the cloud. All that and more, so stay tuned!
Full Show Notes: http://wiki.securityweekly.com/wiki/index.php/ES_Episode7
Beau teaching SANS SEC504 in Marina del Rey, CA August 15, 2016: http://tinyurl.com/beau-sec504-aug16
This week on Security Weekly, we welcome Paul back to the studio! Doug White and Jeff Mann join us in-studio to pick Russell Beauchemin's brain about his telepresence robot. Security news covers GitHub's password woes, the BadTunnel vulnerability, and Microsoft OLE. All that and more, so stay tuned!
I'm your host Aaron Lyons and today I'll be covering Microsoft, hard drive decryption, ISIS hackers, and GitHub.
If you use the “If I leave my door unlocked you don't have the right to walk in…” analogy when discussing web disclosures, you really need to stop. Bad analogies are bad.
You know the cases, folks find things on the Internet that people didn’t mean to make public, and a storm ensues and all kinds of people say all kinds of naïve stuff, including people who should know better.
Your website is not a house, and not just because of the physical vs. virtual difference. If we have to use this analogy, let’s at least get it more accurate.
You live on a road. It may be public or it may be private, but either way it is open to the public; in fact, public use is encouraged. That's why you put your house there: good access in and out to the rest of the world. You put sensitive data on signs in your yard, visible from the road. There might even be a sign that says “only read your own data”, but it is all visible. Someone drives by and reads someone else's sign from the road. Maybe they take pictures of the signs.
Still imperfect, but much more accurate. And so convoluted it doesn’t help make any point. These issues are not simple and misrepresenting them and oversimplifying things does not help.
Note that I have not made any judgements about who exposed what where, and who drove by and looked at it. If it is your house and you post my data in an irresponsible manner, you are being irresponsible. If someone feels the need to copy everything to prove a point, that causes problems, even when their intentions are good.
Without picking any specific cases, most of the ones that make the news are a combination of errors on both sides. You should act like sensitive data is, I don't know, sensitive. And when you stumble across things like that (and you will if you use the Internet and pay attention), you should think about how folks will react, and keep the CFAA in mind. Right or wrong, that's the world we live in. I think the CFAA is horrible and horribly out of date, as is the DMCA, but while they are the law and enforced, ignore them at your peril. It is worth considering that when people find stuff that shouldn't be posted publicly, it generally doesn't require downloading the entire dataset to report the problem; in fact, that is likely to create problems for everyone.
And yes, that’s a gross oversimplification from me in a post where I decry gross oversimplification. Literary license or something.
And because I actually care about this mess we're in, I'll make an offer I hope I don't regret: if you stumble across things which are exposed and you really don't know how to handle it, please pause and reach out to me. I'll ask friends in law enforcement for guidance for you if you wish to remain anonymous, or I'll try to help you find the right folks to work with. If you are outside of the US, I'm unlikely to be of much help, but I'll still make inquiries.
Note that if you are on any side of one of these situations and act like a dumbass, I reserve the right to call you a dumbass. I’ll still try to help, but I’m calling you a dumbass if you deserve it. That’s as close to idealistic as you’ll get from me.
Welcome to another episode of Hack Naked TV, recorded June 14th 2016. Aaron Lyons will be covering Symantec buying Blue Coat, Microsoft buying LinkedIn, Michael Thomas and the CFAA, and the Pentagon bug bounty.
Please take a look and apply if interested. Or if you know anyone interested, please pass the word along.
This week on Security Weekly, Larry serves as our interim host alongside co-host Russell Beauchemin, who will be in studio with our guest Chris Poulin. Larry will talk with Russell about his new HoloLens! They discuss typosquatting in package managers, 20 years of red teaming, spear phishing, how InfoSec is a sham, and GPS DoS.
Everyone looking at the drive-by landscape is seeing the same thing: after Nuclear disappeared around April 30th, Angler EK totally vanished on June 7th. We first thought of a vacation, as in January 2016, or maybe an infrastructure move. But something else is going on.
On the weekend of the 4th-5th of June I noticed that the ongoing malvertising from SadClowns was redirecting to Neutrino Exploit Kit (dropping Cerber).
[Figure: EngageBDR malvertising redirecting to SadClowns infrastructure, pushing traffic to Neutrino to drop Cerber ransomware]
But I was speechless when I noticed that GooNky had switched to Neutrino to spread their CryptXXX U000001 and U000006.
They had been sticking exclusively to Angler EK for years, and their vacation was synchronized with Angler's in January.
Checking all the infection paths known to me, I could hardly find any Angler... the last ones were behind the EITest infection chain on the night of the 6th to 7th of June.
[Figure: Last Angler pass I captured on 2016-06-07]
EITest into Angler dropping CryptXXX 3.200 U000017
[Figure: Last hit in my Angler tracker]
After that... RIG and Neutrino instead of Angler almost everywhere. [Side note: Magnitude is still around... but as mentioned earlier it has been a one-actor operation for some time.]
Aside from SadClowns and GooNky, here are two other big (by traffic volume) groups whose transition has not been covered already:
[Figure: "WordsJS" (named NTL/NTLR by RiskIQ) into Neutrino > CryptXXX U000010]
[Figure: "ScriptJS" (named DoublePar by RiskIQ and AfraidGate by Palo Alto) into Neutrino > CryptXXX U000011]
This gang was historically dropping Necurs, then Locky Affid13, before moving to CryptXXX.
[Figure: MISP: selected documented EK passes with associated tags. One arrow where you would have found Angler several days before. (SadClowns and GooNky not featured in that selection.)]
With the recent 50 arrests tied to Lurk in mind, and knowing the infection vector for Lurk was the "Indexm" variant of Angler between 2012 and the beginning of 2016, we might think there is a connection and that some actors are stepping back.
Another hint that this is probably not a vacation "only" for Angler is that Neutrino changed its conditions on June 9th. From $880 per week on a shared server and $3.5k per month on a dedicated one, Neutrino doubled the price to $7k on dedicated only (no more per-week offering). Such moves were seen in reaction to the arrest of Blackhole's coder (Paunch) in October 2013.
So is this the end of Angler? The pages to be written will tell us.
“If a book is well written, I always find it too short.” ― Jane Austen, Sense and Sensibility
Post publication notes:
RIG: mentioned they were still alive and would not change their price.
Maybe unrelated to the RIG mention, Neutrino updated its thread as announced previously on the underground, but the conditions are revised:
Our exploit kit stats for the last two weeks… Angler dives, Neutrino soars. pic.twitter.com/RcYAH6tVck — News from the Lab (@FSLabs) June 13, 2016
Thanks to Will Metcalf (Emerging Threats/Proofpoint) who made the replay of SadClowns' malvertising possible. Thanks to EKWatcher and Malc0de for their help on several points.
Read More:
XXX is Angler EK - 2015-12-21
Russian hacker gang arrested over $25m theft - 2016-06-02 - BBC News
Neutrino EK and CryptXXX - 2016-06-08 - ISCSans
Lurk Banker Trojan: Exclusively for Russia - 2016-06-10 - Securelist - Kaspersky
How we helped to catch one of the most dangerous gangs of financial cybercriminals - 2016-08-30 - SecureList
Welcome to another episode of Hack Naked TV, recorded June 9th 2016. I'm your host Aaron Lyons and today I'll be talking about ransomware, Angler, and the SWIFT network.
TeslaCrypt is yet another ransomware taking the cyber world by storm. It is mostly distributed via spear phishing email and through the Angler exploit kit. Angler exploits vulnerabilities in Adobe Flash and, upon success, downloads a variant of the ransomware.
TeslaCrypt 3.0 possesses various updates, one of which renders encrypted files irrecoverable via normal means.
Machines infected by TeslaCrypt will usually have the following files present in almost every directory:
The recovery instructions for the encrypted files can be found inside these files.
Note: The file used for this analysis has an MD5 value of 1028929105f1e6118e06f8b7df0b3381.
The malware starts by ensuring it’s in its intended directory. For this sample, it checks if it is located in the Documents directory. If it’s not, it copies itself to that directory and executes its copy from there. It deletes itself after executing the copy.
The ransomware creates multiple threads that do the following:
- Monitors processes and terminates those that contain the following strings:
- Contacts the C&C server and sends certain information like system information and the unique system ID.
- Runs the file encryption routine.
TeslaCrypt is not immune to recycling code from older malware families. The initial code is an encryption of the compressed binary. Upon decryption, the malware will call the RtlDecompressBuffer API and finally write the decompressed data into its own memory.
The malware also uses a technique to obscure API calls by using the hash of the API name and passing it to a function that retrieves the API address.
TeslaCrypt uses AES encryption and sends one part of the key to its C&C server; without that part, the files cannot be recovered by normal means.
It will start by checking if the system already has its own recovery key. If not, it will begin generating the necessary encryption keys. These keys will be used for the encryption routine.
TeslaCrypt will traverse all fixed, remote and removable drives for files with the following extensions:
.3FR .7Z .ACCDB .AI .APK .ARCH00 .ARW .ASSET .AVI .BAK .BAR .BAY .BC6 .BC7 .BIG .BIK .BKF .BKP .BLOB .BSA .CAS .CDR .CER .CFR .CR2 .CRT .CRW .CSS .CSV .D3DBSP .DAS .DAZIP .DB0 .DBA .DBF .DCR .DER .DESC .DMP .DNG .DOC .DOCM .DOCX .DWG .DXG .EPK .EPS .ERF .ESM .FF .FLV .FORGE .FOS .FPK .FSH .GDB .GHO .HKDB .HKX .HPLG .HVPL .IBANK .ICXS .INDD .ITDB .ITL .ITM .IWD .IWI .JPE .JPEG .JPG .JS .KDB .KDC .KF .LAYOUT .LBF .LITEMOD .LITESQL .LRF .LTX .LVL .M2 .M3U .M4A .MAP .MCMETA .MDB .MDBACKUP .MDDATA .MDF .MEF .MENU .MLX .MOV .MP4 .MPQGE .MRWREF .NCF .NRW .NTL .ODB .ODC .ODM .ODP .ODS .ODT .ORF .P12 .P7B .P7C .PAK .PDD .PDF .PEF .PEM .PFX .PKPASS .PNG .PPT .PPTM .PPTX .PSD .PSK .PST .PTX .PY .QDF .QIC .R3D .RAF .RAR .RAW .RB .RE4 .RGSS3A .RIM .ROFL .RTF .RW2 .RWL .SAV .SB .SID .SIDD .SIDN .SIE .SIS .SLM .SNX .SQL .SR2 .SRF .SRW .SUM .SVG .SYNCDB .T12 .T13 .TAX .TIFF .TOR .TXT .UPK .VCF .VDF .VFS0 .VPK .VPP_PC .VTF .W3X .WALLET .WB2 .WMA .WMO .WMV .WPD .WPS .X3F .XF .XLK .XLS .XLSB .XLSM .XLSX .XXX .ZIP .ZTMP
The exceptions are files containing the string “recove” and files found in the following directories:
- %WINDIR% (C:\Windows)
- %PROGRAMFILES% (C:\Program Files)
- %COMMONAPPDATA% (C:\Documents and Settings\All Users\Application Data for Windows XP and C:\ProgramData for Windows Vista and above)
- %LOCALAPPDATA%\Temporary Internet Files (C:\Documents and Settings\[USERNAME]\Local Settings for Windows XP and C:\Users\[USERNAME]\AppData\Local for Windows 7 and above)
Once a file passes the extension check, the malware first looks for its own encryption header and encrypts the file only if it has not already been encrypted.
Encrypted files’ headers contain data that includes – but isn’t limited to – the global recovery key, the global public key, the original file size and the encrypted data itself.
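As an added example (not part of the original analysis), the selection rules just described can be turned into a read-only triage check that a defender can run over observed file paths to see how much of a profile or share is in scope. The extension subset, the Windows 7+ environment values and the sample paths are constructed, and the “recove” check is assumed to apply to the full path.

```python
"""Read-only triage helper that applies TeslaCrypt's file-selection rules.
Added example (not from the original analysis): it encodes the extension list,
excluded folders and "recove" exception described above. Assumes "recove" is
matched against the full path; environment values are for Windows 7 and above."""
from pathlib import PureWindowsPath

# Subset of the extensions listed in the analysis; extend with the full list.
TARGET_EXTENSIONS = set("""
.7Z .ACCDB .AI .AVI .BAK .CER .CRT .CSV .DB0 .DBF .DER .DOC .DOCM .DOCX .DWG
.JPEG .JPG .JS .KDB .M4A .MDB .MDF .MOV .MP4 .ODS .ODT .P12 .P7B .PDF .PEM .PFX
.PNG .PPT .PPTX .PSD .PST .PY .RAR .RAW .RTF .SQL .TXT .VCF .WALLET .XLS .XLSX .ZIP
""".split())
# Constructed environment values (a typical Windows 7+ host, user "alice").
DEFAULT_ENV = {
    "WINDIR": r"C:\Windows",
    "PROGRAMFILES": r"C:\Program Files",
    "COMMONAPPDATA": r"C:\ProgramData",
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
}

def excluded_dirs(env):
    """Folders the ransomware skips, built from the environment values."""
    return [
        PureWindowsPath(env["WINDIR"]),
        PureWindowsPath(env["PROGRAMFILES"]),
        PureWindowsPath(env["COMMONAPPDATA"]),
        PureWindowsPath(env["LOCALAPPDATA"]) / "Temporary Internet Files",
    ]

def is_under(path, parent):
    """Case-insensitive 'path lies inside parent', compared part by part."""
    p = [s.lower() for s in path.parts]
    q = [s.lower() for s in parent.parts]
    return p[:len(q)] == q

def would_be_targeted(path_str, env=DEFAULT_ENV):
    """True if the traversal rules described above would select this file."""
    path = PureWindowsPath(path_str)
    if path.suffix.upper() not in TARGET_EXTENSIONS:
        return False  # extension not on the target list
    if "recove" in str(path).lower():
        return False  # "recove" exception (protects its own recovery notes)
    return not any(is_under(path, d) for d in excluded_dirs(env))

def exposure_report(paths, env=DEFAULT_ENV):
    """Summarise a list of observed paths as in-scope vs. skipped."""
    hit = sum(1 for p in paths if would_be_targeted(p, env))
    return {"targeted": hit, "skipped": len(paths) - hit}
```

Feeding it a directory listing from a file server shows which data would be encrypted and therefore most needs an offline backup.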
The malware tries to connect to one of the following domains:
If it manages to connect to a server, it then sends a POST request using encoded data. The data it will send includes the following:
- The shared key for the encryption
- Bitcoin address
- OS version
- TeslaCrypt version
- Unique ID for the infected system
To ensure only one instance of the malware is running, it creates a mutex named “8_8_8_8”.
It creates an auto start registry entry to ensure execution every startup.
It also adds a policy in the registry to remove permission restrictions on network drives, essentially allowing any user to access these network drives.
Interestingly enough, though, it appears the gang behind TeslaCrypt has had a change of heart and has publicly shared their master decryption key. Before they shut down, the now-defunct payment site required a minimum of $500 in bitcoin.
Advanced threat defense products like those used in this analysis help avoid ransomware infection. The advanced solutions catch the emerging threat before it can do any damage. You’ve got two great lines of defense: The first is via email and the next is your network.
Advanced email defense solutions like ThreatSecure Email are designed to catch malware that evades traditional defenses. It’s a great tool to help stop attacks by detecting phishing links and exploits that deliver ransomware. That can stop TeslaCrypt from encrypting and taking the data from you.
The next stop is bolstering your network. Adding an advanced defense solution that identifies and correlates discovered threats with anomalous network activity is an invaluable tool to guard your data. ThreatTrack’s ThreatSecure Network, for instance, provides end-to-end network visibility and real-time detection to catch traffic hitting known malicious IPs associated with ransomware distribution and C&C.
Hack Naked News covers Team Viewer, Myspace gets hacked, Infoblox, Ransomware, and Darkode! Here on Hack Naked TV!
This week is, well, rough, ServiceNow buys threat intelligence company, memory scanning in the hypervisor, and next-generation network segmentation and NAC, and John and I discuss the evolution of IDS and IPS!
Full Show Notes Here: http://wiki.securityweekly.com/wiki/index.php/ES_Episode6
Visit http://securityweekly.com/esw for all the latest episodes!
Hack Naked TV, hosted by yours truly, Aaron Lyons! This week he will bring up the Bangladesh heist, the battle of Google vs. Oracle, Rob Graham's port scanning, and he'll rant on ransomware!
This week on Security Weekly, we interview Wade Baker, Vice President of ThreatConnect! Paul, Jack, Jeff, and Larry address listener feedback and questions. Paul discusses Jeremiah Grossman, Apple hiring crypto-wizard Jon Callas to beef up security, Google killing passwords on Android, and lots more in Security News.
Do you know who Guccifer is? He could hack your email! Aaron Lyons talks about Guccifer, the Bangladesh heist, and the $12 million stolen from an Ecuadorean bank.