Monthly Archives: March 2017

Introducing Monitor.app for macOS

UPDATE 2 (Oct. 24, 2018): Monitor.app now supports macOS 10.14.

UPDATE (April 4, 2018): Monitor.app now supports macOS 10.13.

As a malware analyst or systems programmer, having a suite of solid dynamic analysis tools is vital to being quick and effective. These tools enable us to understand malware capabilities and undocumented components of the operating system. One obvious tool that comes to mind is Procmon from the legendary Sysinternals Suite from Microsoft. Those tools only work on Windows though and we love macOS.

macOS has some fantastic dynamic instrumentation software included with the operating system and Xcode. In the past, we have used dynamic instrumentation tools such as Dtrace, a very powerful tracing subsystem built into the core of macOS. While it is very powerful and efficient, it commonly required us to write D scripts to get the interesting bits. We wanted something simpler.

Today, the Innovation and Custom Engineering (ICE) Applied Research team presents the public release of Monitor.app for macOS, a simple GUI application for monitoring common system events on a macOS host. Monitor.app captures the following event types:

  • Process execution with command line arguments
  • File creates (if data is written)
  • File renames
  • Network activity
  • DNS requests and replies
  • Dynamic library loads
  • TTY Events

Monitor.app identifies system activities using a kernel extension (kext). Its focus is on capturing data that matters, with context. These events are presented in the UI with a rich search capability allowing users to hunt through event data for areas of interest.

The goal of Monitor is simplicity. When launching Monitor, the user is prompted for root credentials to launch a process and load our kext (don’t worry, the main UI process doesn’t run as root). From there, the user can click on the start button and watch the events roll in!

The UI is sparse with a few key features. There is the start/stop button, filter buttons, and a search bar. The search bar allows us to set simple filters on types of data we may want to filter or search for over all events. The event table is a listing of all the events Monitor is capable of presenting to the user. The filter buttons allow the user to turn off some classes of events. For example, if a TimeMachine backup were to kick off when the user was trying to analyze a piece of malware, the user can click the file system filter button and the file write events won’t clutter the display.

As an example, perhaps we were interested in seeing any processes that communicated with xkcd.com. We can simply use an “Any” filter and enter xkcd into the search bar, as seen in Figure 1.

Figure 1: Monitor.app User Interface

We think you will be surprised how useful Monitor can be when trying to figure out how components of macOS or even malware work under the hood, all without firing up a debugger or D script.

Click here to download Monitor.app. Please send any feature requests/bugs to monitorapp-bugs@fireeye.com.

Apple, Mac and MacOS are registered trademarks or trademarks of Apple Inc.

Reflection on Working From Home – The Falcon’s View

In a moment of introspection last night, it occurred to me that working from home tends to amplify any perceived slight or sources of negativity. Most of my "human" interactions are online only, which - for this extrovert - means my energy is derived from whatever "interaction" I have online in Twitter, Facebook, email, Slack, etc.

It turns out that this can be highly problematic. Last year I turned off Facebook for months at a time because of all the negativity. I constantly felt myself slipping into depression because everything weighed me down. And don't get me wrong, I'm as much a source of negative posts as anyone else. I don't think we can help it in this political environment.

However, where this gets particularly challenging is around non-internet interactions. Whether it be having tea with a friend or just chatting with them on the phone... I've come to realize that a lot of my happiness ends up hanging on these very rare interactions, which can be highly problematic when folks are busy or when unexpected events conspire to prevent such meetings. The negative side of my brain then latches onto these as "proof" that I'm unworthy of friends or friendship and starts trying to commence the dark downward spiral.

To that end, now that I'm aware of these feelings, I can start developing mechanisms to cope with them. I think one of the big challenges for someone my age, with a family and working from home, is trying to find new opportunities for interaction. Real interactions - not phony interactions via "networking" events and BS like that. We're kind of at that point in the parenthood cycle where the kids' schedules tend to dominate our lives.

Anyway... this is my observation for the morning. I need to find new forms of positive human interactions. Preferably real human interactions. And, in the meantime, I need to stop letting negative interactions and disappointments amplify disproportionately to the degree that it triggers a major downward swing. This is not an easy thing to do, but in seeing the pattern, at least now I can tackle it.

Miele Professional PG 8528 Vulnerability

NCCIC/ICS-CERT is aware of a public report of a directory traversal vulnerability with proof-of-concept (PoC) exploit code affecting the embedded webserver (“PST10 WebServer”) in Miele Professional PG 8528, a large capacity washer and disinfector used in hospitals and laboratory settings to disinfect medical and laboratory equipment. According to this report, the vulnerability is remotely exploitable.

InsomniaHack Trip Report


Insomni'Hack Info:
https://insomnihack.ch/



Favorite talks
Bridging the gap between ICS(IoT?) and corporate IT security
Stefan Lüders

I really enjoyed this talk hearing how an organization defends in a BYOD & academic environment. Defense is difficult when you control the hosts, even more so when you can't instrument the host and have to rely on network controls only.

My favorite slide was their alerting stack:


Not sure when the slides will be released but here is an older version of the talk I found:
https://www.blackhat.com/docs/us-14/materials/us-14-Luders-Why-Control-System-Cyber-Security-Sucks.pdf

How we hacked Distributed Configuration Management Systems
Francis Alexander & Bharadwaj Machiraj

Awesome talk on breaking into 

  • HashiCorp Consul
  • Apache Zookeeper
  • CoreOS etcd
Tool they created:
https://github.com/torque59/Garfield


Modern reconnaissance phase on APT – protection layer
Paul Rascagnères

Fun talk on how APT have been implementing some checks to make sure the targets are valid prior to sending down the final stage of the attack. 

CERN
@cktricky and I also were able to give the talk at CERN. Background info on CERN: https://en.wikipedia.org/wiki/CERN

Archive of the talk:

Cool Pix:
Dropping Knowledge


Synchrocyclotron


Outside the Antimatter Factory

Thanks Twitter :-)

CNIL Unveils 2017 Inspection Program and 2016 Annual Activity Report

On March 28, 2017, the French Data Protection Authority (“CNIL”) published its Annual Activity Report for 2016 (the “Report”) and released its annual inspection program for 2017.

The Report presents the main accomplishments in 2016 and highlights the diversified activity at both the national and EU level with the adoption of two major pieces of legislation, namely:

  • The EU General Data Protection Regulation (“GDPR”), which imposes new accountability obligations, including the obligation to (1) keep records of data processing activities, (2) notify data breaches and (3) in some cases, appoint a data protection officer. The CNIL estimates that the GDPR will lead to the appointment of a data protection officer in at least 80,000 to 100,000 organizations in France.
  • French Law of October 7, 2016 for a Digital Republic, which created new data protection rights, such as (1) the right for individuals to give instructions relating to the storage, erasure and disclosure of their personal data after their death, (2) the right to be forgotten for minors and (3) the possibility to exercise data protection rights by electronic means. This legislation strengthens the transparency requirements and increases the maximum level of fines from €150,000 to €3 million for data protection infringements.

Against that background, the Report highlights that the CNIL received a high number of complaints in 2016 (7,703 complaints, a similar number to the record number of 7,900 complaints in 2015). These complaints mainly concerned the following issues or sectors:

  • dissemination of personal data on the Internet (e.g., blogs, websites or social networks), and in particular, the erasure or rectification of personal data (33 percent of complaints). The Report emphasizes that the CNIL received a total of 410 complaints, following delisting refusals from search engines;
  • marketing issues, and in particular, direct marketing by email, telephone or regular mail (33 percent of complaints);
  • human resources issues such as excessive video surveillance and refusal to grant access to the employee file (14 percent of complaints);
  • bank and credit issues such as failure to cancel the registration in the National Database on Household Credit Repayment Incidents (9 percent of complaints); and
  • health and social sector issues such as difficulties accessing medical or social records, and the creation of pharmaceutical records without consent (3 percent of complaints).

The Report further presents the first results of the inspections conducted by the CNIL in 2016, (i.e., 430 inspections, including 100 inspections conducted remotely). The CNIL announced that the inspections for 2017 will focus on the following topics:

  • confidentiality of health data processed by insurance companies;
  • files of French intelligence services; and
  • smart TVs.

Finally, the Report outlines some of the topics that the CNIL will further consider in 2017, including algorithms and the place of citizens in smart cities.

Managing Privacy and Data Security Risks in M&A Transactions

On April 5, 2017, Hunton & Williams LLP and Stroz Friedberg will host a webinar on managing privacy and data security risks before, during and after an M&A transaction. Join Lisa J. Sotto, partner and chair of Global Privacy and Cybersecurity at Hunton & Williams; Rocco Grillo, Cyber Resilience Global Leader from Stroz Friedberg; and Keith O’Sullivan, CISO from Time Inc., for a discussion on how to prepare for and understand privacy and data security challenges in the context of corporate transactions.

Hunton & Williams also recently announced the formation of a cross-disciplinary legal team dedicated to guiding companies through the minefield of regulatory and cyber-related risks associated with high-stakes corporate mergers and acquisitions. Read more on the initiative.

Three privacy tools that block your Internet provider from tracking you

It's official: Congress has sold you out to Internet service providers, passing a bill that dismantles Internet privacy rules and allows ISPs to sell your web history and other personal information without your permission. Assuming President Trump signs the bill into law, it means anyone concerned about privacy will have to protect themselves against overzealous data collection from their ISP.

Some privacy-conscious folks are already doing that—but many aren’t. If you want to keep your ISP from looking over your shoulder for data to sell to advertisers, here are three relatively simple actions you can take to get started.


Hack Naked News #117 – March 28, 2017

LastPass fixes vulnerabilities, Instagram adds 2FA, scammers target iOS porn viewers, and more. Israel Barak of Cybereason joins us to deliver expert commentary on unifying industrial control system security operations into an enterprise SOC. Stay tuned!

How to keep a private stash of bookmarks in Chrome

Incognito Mode in Chrome can keep your browsing history secret unless you have a nosy Internet Service Provider, and you’re not using a VPN. But one thing incognito doesn’t keep secret are any bookmarks you’ve got. If you’ve ever wanted to keep a private collection of bookmarks the Chrome extension Hush is one solution.

The extension only works in incognito mode and encrypts your store of private bookmarks that can only be accessed with the password.


QOTD – Hubbard on the Risk Management Method

The single most important metric in all of risk management is the performance of the risk management method itself. The list of risks identified can be no more valid than the entire process of identifying risks. I would think that also applies to the method of "approving" mechanisms of measurement.
-- Douglas W. Hubbard, President of Hubbard Decision Research

[Source: statement made by the author on a closed mailing list. Posted with permission of the author.]

Toolsmith #124: Dripcap – Caffeinated Packet Analyzer

Dripcap is a modern, graphical packet analyzer based on Electron.
Electron, you say? "Electron is a framework for creating native applications with web technologies like JavaScript, HTML, and CSS. It takes care of the hard parts so you can focus on the core of your application."
We should all be deeply familiar with the venerable Wireshark, as it has long been the forerunner for packet analysts seeking a graphical interface to their PCAPs. Occasionally though, it's interesting to explore alternatives. I've long loved NetworkMiner, and the likes of Microsoft Message Analyzer and Xplico each have unique benefits.
For basic users comfortable with Wireshark, you'll likely find Dripcap somewhat rudimentary at this stage, but it does give you opportunities to explore packet captures at fundamental levels and learn without some of the feature crutches more robust tools offer.
However, for JavaScript developers, Dripcap opens up a whole other world of possibilities. Give the Create NTP dissector package tutorial a read; you can create, then publish and load, dissector (and other) packages of your choosing.

Installation
I built Dripcap from source on Windows as follows, using Chocolatey.
From an administrator PowerShell prompt (ensure Get-ExecutionPolicy is not Restricted), execute the following (restart your admin PS prompt after #2):
  1. iwr https://chocolatey.org/install.ps1 -UseBasicParsing | iex
  2. choco install git make jq nodejs
  3. git clone https://github.com/dripcap/dripcap.git
  4. cd dripcap
  5. npm install -g gulp node-gyp babel-cli
  6. npm install
  7. gulp
Step 1 installs Chocolatey, step 2 uses Chocolatey to install tools, step 3 clones Dripcap, steps 5 & 6 install packages, and step 7 builds it all.    
Execute dripcap, and you should be up and running.
You can also use npm, part of Node.js' package ecosystem, to install the Dripcap CLI with npm install -g dripcap, or just download dripcap-windows-amd64.exe from Dripcap Releases.

Experiment 

I'll walk you through packet carving of sorts with Dripcap. One of Dripcap's strongest features is its filtering capabilities. I used an old PCAP with an Operation Aurora Internet Explorer exploit (CVE-2010-0249) payload for this tool test.
Ctrl+O will Import Pcap File for you.

Click Developer, then Toggle Log Panel for full logging.

Figure 1: Dripcap
You'll note four packets with lengths of 1514, as seen in Figure 1. Exploring the first of these packets indicates just what we'd expect: an Ethernet MTU (maximum transmission unit) of 1500 bytes, and a TCP payload of 1460 bytes, leaving 40 bytes for our header (20 byte IP and 20 byte TCP).

Figure 2: First large packet
Hovering your mouse over the TCP details in the UI will highlight all the TCP-specific data, but you can take such actions a step further. First, let's filter down to just the large packets with tcp.payload.length == 1460.
Figure 3: Filtered packets
With our view reduced we can do some down and dirty carving pretty easily with Dripcap. In each of the four filtered packets I hovered over Payload 1460 bytes as seen in Figure 4, which highlighted the payload-specific hex. I then used the mouse to capture the highlighted content and, using Dripcap's Edit and Copy, grabbed only that payload-specific hex and pasted it to a text file.
Figure 4: Hex payload
I did this with each of these four packets and copied content, one hex blob after the other, into my text file, in tight, seamless sequence. I then used Python Tools for Visual Studio to do a quick hexadecimal to ASCII translation as easily as bytearray.fromhex("my hex snippet here").decode(). The result, in Figure 5, shows the resulting JavaScript payload that exploits CVE-2010-0249.
Figure 5: ASCII results
You can just as easily use online converters as well. I saved the ASCII results to a text file in a directory which I had excluded from my anti-malware protection. After uploading the file to VirusTotal as payload.txt, my expectations were confirmed: 32 of 56 AV providers detected the file as the likes of Exploit:JS/Elecom.D or, more to the point, Exploit.JS.Aurora.a.
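
The manual copy-and-paste carve above can also be scripted. The following is an added example, not code from the original article or the Dripcap project: it parses a classic pcap with the Python standard library, keeps TCP payloads of exactly 1460 bytes (the same condition as the tcp.payload.length == 1460 filter), orders them by sequence number and joins them. The capture it runs on is constructed in the code, and all function names are hypothetical.

```python
# Added example (not from the article or the Dripcap project); stdlib only.
import struct

ETHERTYPE_IPV4, IPPROTO_TCP, LINKTYPE_ETHERNET = 0x0800, 6, 1


def iter_frames(pcap):
    """Yield each captured frame from a classic (not pcapng) pcap byte string."""
    if len(pcap) < 24:
        raise ValueError("too short for a pcap global header")
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":      # 0xa1b2c3d4 written little-endian
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":    # same magic written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic microsecond pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    offset = 24
    while offset + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[offset + 8:offset + 12])[0]
        frame = pcap[offset + 16:offset + 16 + incl_len]
        if len(frame) < incl_len:          # capture file truncated mid-record
            break
        offset += 16 + incl_len
        yield frame


def tcp_segment(frame):
    """Return (flow, seq, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None                        # 14 Ethernet + 20 IP + 20 TCP minimum
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != IPPROTO_TCP:
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]                # slicing by total length drops padding
    if len(tcp) < 20:
        return None
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    data_offset = (tcp[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(tcp):
        return None
    flow = (ip[12:16], sport, ip[16:20], dport)
    return flow, seq, tcp[data_offset:]


def carve(pcap, payload_len=1460):
    """Join payloads of exactly payload_len bytes, per flow, in sequence order.

    Retransmissions (same sequence number) are kept once. Sequence-number
    wrap-around and IP fragmentation are not handled.
    """
    flows = {}
    for frame in iter_frames(pcap):
        segment = tcp_segment(frame)
        if segment is None:
            continue
        flow, seq, payload = segment
        if len(payload) == payload_len:
            flows.setdefault(flow, {}).setdefault(seq, payload)
    return {flow: b"".join(data for _, data in sorted(segments.items()))
            for flow, segments in flows.items()}


# --- constructed sample capture (not the PCAP used in the article) ---
SAMPLE_BODY = (b"var note = 'constructed sample text';\n" * 200)[:4 * 1460]


def build_frame(seq, payload):
    """Build one Ethernet/IPv4/TCP frame; addresses are documentation ranges."""
    tcp = struct.pack("!HHIIBBHHH", 80, 49152, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])) + tcp
    return bytes(12) + struct.pack("!H", ETHERTYPE_IPV4) + ip


def build_sample_pcap():
    """Four 1460-byte segments stored out of order, plus a duplicate and a bare ACK."""
    chunks = {1000 + i * 1460: SAMPLE_BODY[i * 1460:(i + 1) * 1460] for i in range(4)}
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for seq in [3920, 1000, None, 5380, 2460, 2460]:
        frame = build_frame(seq or 1, chunks.get(seq, b""))
        pcap += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return pcap


if __name__ == "__main__":
    for flow, data in carve(build_sample_pcap()).items():
        print(len(data), "bytes carved;", data.decode("ascii", errors="replace")[:38])
```

Selecting only full-size segments, as the walkthrough does, leaves out a final shorter segment of the same stream if there is one.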

In closing
Perhaps not the most elegant method, but it worked quickly and easily with Dripcap's filtering and editing functions. I hope to see this tool, and its community, continue to grow. Build dissector packages, create themes, become part of the process; it's always good to see alternatives available to security practitioners.
Cheers...until next time.

Hackers Spark Revival of Sticky Keys Attacks


Hackers are constantly trying to find new ways to bypass cyber-security efforts, sometimes turning to older, almost forgotten methods to gain access to valuable data. Researchers at PandaLabs, Panda Security’s anti-malware research facility, recently detected a targeted attack which did not use malware, but rather used scripts and other tools associated with the operating system itself in order to bypass scanners.

Using an attack method that has gained popularity recently, the hacker launches a brute-force attack against the server with the Remote Desktop Protocol (RDP) enabled. Once they have access to the log-in credentials of a device, the intruders gain complete access to it.
At this stage, the attackers run the sethc.exe file with the parameter 211 from the computer’s Command Prompt window (CMD) – turning on the ‘Sticky Keys’ feature.

Next, the hacker initiates Traffic Spirit – a traffic generator application that ensures the attack is lucrative for the cyber-criminals.

Once this is complete, a self-extracting file is launched that uncompresses the following files in the %Windows%\cmdacoBin folder:
• registery.reg
• SCracker.bat
• sys.bat

The hacker then runs the Windows registry editor (Regedit.exe) to add the following key contained in the registery.reg file:


This key aims at ensuring that every time the Sticky Keys feature is used (sethc.exe), a file called SCracker.bat is run. This is a batch file that implements a very simple authentication system. Running the file displays the following window:


The user name and password are obtained from two variables included in the sys.bat file:


This creates a backdoor into the device through which the hacker gains access. Using the backdoor, the hacker is able to connect to the targeted computer without having to enter the login credentials: they enable the Sticky Keys feature and enter the relevant user name and password to open a command shell.

The command shell shortcuts allow the hacker to access certain directories, change the console colour, and make use of other typical command-line actions.


The attack doesn’t stop there. In their attempt to capitalise on the attack, a Bitcoin miner is installed, to take advantage of every compromised computer. This software aims to use the victims’ computer resources to generate the virtual currency without them realising it.
Even if the victim realises their device has been breached and changes their credentials – the hacker is still able to gain access to the system. To enable Sticky Keys, the hacker presses the SHIFT key five times, allowing the cyber-criminal to activate the backdoor once again.
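
For defenders, a persistence mechanism like the one described above can be looked for in a registry export. The following is an added example, not code from the original post: the registry key in the post is not reproduced on this page, so the sketch assumes the hijack is done through a `Debugger` value under the Windows Image File Execution Options key, and it checks a text export for such values on accessibility binaries. The sample export and the function name are constructed for illustration.

```python
# Added example (not from the original post). Assumption: the hijack uses a
# "Debugger" value under Image File Execution Options (IFEO); the post's own
# registry key is not shown on this page.
import re

# Accessibility programs that can be started from the Windows logon screen.
ACCESSIBILITY_BINARIES = {
    "sethc.exe", "utilman.exe", "osk.exe", "magnify.exe",
    "narrator.exe", "displayswitch.exe", "atbroker.exe",
}
# Matching from "Windows NT" onward also covers the Wow6432Node copy of the key.
IFEO_MARKER = r"\windows nt\currentversion\image file execution options" + "\\"


def find_accessibility_debuggers(reg_text):
    """Return (binary, command) pairs for Debugger values set on accessibility
    binaries in a .reg export passed as text (decode UTF-16 exports first)."""
    findings = []
    current = None                      # accessibility binary of the open section
    for raw in reg_text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            key = header.group(1).lower()
            idx = key.find(IFEO_MARKER)
            image = key[idx + len(IFEO_MARKER):] if idx != -1 else ""
            current = image if image in ACCESSIBILITY_BINARIES else None
            continue
        value = re.fullmatch(r'"debugger"="(.*)"', line, flags=re.IGNORECASE)
        if current and value:
            # .reg files escape backslashes and quotes inside string values.
            command = value.group(1).replace('\\"', '"').replace("\\\\", "\\")
            findings.append((current, command))
    return findings


# Constructed sample export; the path reuses the folder and file names the post
# mentions, but the value itself is illustrative.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\dbg.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\cmdacoBin\\SCracker.bat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe]
"MitigationOptions"=hex:00
'''

if __name__ == "__main__":
    for binary, command in find_accessibility_debuggers(SAMPLE_REG):
        print(f"Debugger set on {binary}: {command}")
```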

Adaptive Defense 360, Panda Security’s advanced cyber-security solution, was capable of stopping this targeted attack thanks to the continuous monitoring of the company’s IT network, saving the organisation from serious financial and reputational harm. Business leaders need to recognise the need for advanced security, such as AD360, to protect their network from these kinds of attacks.

The post Hackers Spark Revival of Sticky Keys Attacks appeared first on CyberSafety.co.za.

I thought everyone knew this by now

But apparently not. I just saw some “Security Awareness Training” that gave the bad old advice of “look for the padlock” in your web browser. Here’s my answer to that:


In a world where most of us face a constant threat from phishing we need to better educate folks, and we need to make it easier to be secure. And since the latter isn’t that easy, we need to teach better. Also, “don’t click stuff” really defeats the point of the web, so while I understand the sentiment, it is not practical advice.

The padlock can mean a variety of things, but what it really signifies is that your web traffic is encrypted. It does not mean that all of the traffic on the page is encrypted, or that it is encrypted well. It also doesn’t assure you that the traffic isn’t being decrypted, inspected, and re-encrypted. Or maybe it isn’t encrypted at all and someone just used a padlock as a favicon on the website (this varies somewhat by web browser). The padlock doesn’t prove the identity of the site owner unless it is an EV (extended validation) certificate, and even then the validation is imperfect. When we just say “look for the padlock” we are giving people bad information and a false sense of security. It makes us less secure, so we need to kill this message. Even though it isn’t entirely true if we are going to oversimplify this I think we’re better off telling folks that the padlock doesn’t mean a damn thing anymore, if it ever did.

While we’re on the subject of browsers, you know the average computer user is just trying to do something, so the warnings they see are mentally translated to “just keep clicking until we let you go where you want”. I did find a few things which made me think of typical browser warnings:


This means it’s OK to trespass up to this point, but no further? Is that like this website is unsafe? No, because if you look around this sign you can see the end of the pier is missing, if you click past the browser warning you will not fall into the ocean.

And this, you know what it means, but what does it say?


That’s right, it says don’t P on the grass. Just because you know what something means does not mean you can assume others do, we need to do a better job of explaining things. Reminding folks of the invention of indoor plumbing when what you want is to keep cars off the grass, sounds like a browser warning to me.

Jack

Review: Canary Flex security camera lives up to its name

Canary’s initial foray into the networked home security camera space was very impressive – my colleague David Newman touted its high security settings in the wake of revelations about the general insecurity of these types of devices. The Canary camera was also somewhat large – a cylindrical tower that took up some significant space on your desk, cabinet or shelf.

The latest camera the company sent me is the Canary Flex, a much smaller unit meant to be more flexible (hence the name) in terms of placement, but also in power options. Like the Arlo Pro camera, the Canary Flex is powered by an internal battery (it’s charged via USB cable and power adapter). This means you can move the Flex to a location inside or outside your home where there’s no power outlet. The Flex comes with wall mounting screws and a 360-degree magnetic stand so you can position the camera in different spots. Additional accessories, such as a plant mount or twist mount (pictured below), offer even more location choices.


NY Attorney General Announces Record Number of Data Breach Notices in 2016

On March 21, 2017, New York Attorney General Eric Schneiderman announced that the New York Office of the Attorney General received over 1,300 data breach notifications in 2016, a 60 percent increase from 2015. The reported breaches led to the exposure of personal information of 1.6 million New York residents. According to the Attorney General’s report, 46 percent of the exposed personal information consisted of Social Security numbers, and 35 percent consisted of financial account information. Attorney General Schneiderman cited the updated New York State Department of Financial Services Cybersecurity Regulation as a means of addressing financial data breaches.

Where’s Jack?

As I mentioned in a post earlier this year I am traveling extensively this year, connecting and reconnecting with a lot of people. And thanks to a lot of wonderful people inside and out of the hacker and security communities I am doing very well after a rough few months. So, it’s time to share my plans and encourage folks to come and chat with me if our paths cross. I know I have a reputation of being a cranky old bastard, one which is well deserved, but I’m really not a miserable person- truly, seek me out and tell me stories, ask questions, whatever. If I can help you I will, or maybe I’ll point you to someone who can help if I can’t. I meant what I said in my recent post about the loss of Becky Bace and others, they set an example for those of us who knew them and I’m not about to let InfoMom down.

So, here’s my schedule as it looks from here:

Tomorrow, Friday March 24 I’ll be speaking at BSidesOK in Tulsa. Yeah, short notice, but there it is.

I’ll be speaking at the North Florida ISSA meeting in Jacksonville on April 6.

I’ll also be speaking at BSides Boston on April 15th.

BSides Nashville on April 22, I’ll be there, not speaking, so I’ll have more time to chat.

May 2 in Denver I’ll be speaking at the EDUCAUSE annual conference.

Later that week I’ll be attending Thotcon (May 4-5) and probably BurbSecCon (May 6) in Chicago.

Then things calm down a little before spending most of June in Europe, but more on that later.

See you on the road

Jack

FTC Announces Settlement Over Alleged Consent Order Violation

On March 17, 2017, the Federal Trade Commission announced that Upromise, Inc., (“Upromise”) agreed to pay $500,000 to settle allegations (the “Settlement”) that it violated the terms of a 2012 consent order (the “2012 Order”) that required Upromise to provide notice to consumers regarding its data collection and use practices, and obtain third-party audits.

Upromise is a membership reward service that provides cash rebates for college savings accounts to members who purchase products and services from its partner merchants. The 2012 Order settled allegations that the company had used a web-browser toolbar to collect consumers’ personal information without providing adequate notice about the extent of the collection. Despite suggestions in the privacy notice that the toolbar would rarely collect personal information and that other security controls would be used to filter or protect such information, the FTC alleged that the toolbar collected extensive information—occasionally including credit card and Social Security numbers—and transmitted it over the Internet in clear text.

Following the 2012 Order, Upromise encouraged consumers to download a toolbar called “RewardU.” The complaint filed on behalf of the FTC by the Department of Justice alleged that the company violated the 2012 Order by failing to make clear and prominent disclosures about RewardU’s data collection and use practices, and not obtaining third-party assessments and certifications of the toolbar evaluating safeguards.

In addition to refraining from violations of the 2012 Order and paying a $500,000 civil penalty, the Settlement requires Upromise to take steps that include: (1) having a qualified third-party certify that Upromise adheres to disclosure and consent requirements prior to any future toolbar launch; (2) obtaining FTC approval of the scope and design of any such assessment; and (3) permanently expiring RewardU-related cookies it had placed and providing consumers with instructions on how to uninstall the toolbar and delete cookies.

Panda Security Rated Top in Antivirus Test


A recent study conducted by AV Comparatives recognised Panda Security for having obtained the highest possible score by detecting 100% of the malware samples tested.
 

AV Comparatives most rigorous test ranks Panda Security number one for malware detection

 

The analysis took into account the same infection vectors that a user might experience on an ordinary day. The fundamental objective of AV Comparatives’ Real-World Test is to determine if the security solutions are able to protect the system as it is exposed to an array of malware samples. Panda Security’s Free Antivirus proved it was able to detect 100% of malware to which it had been exposed.

“We are proud of the excellent results we received in the AV-Comparatives Real-World Test – these results validate our efforts to offer our users the best protection against all types of threats under real conditions. Panda Security is fully committed to the constant improvement of our solutions in order to provide maximum security levels with minimum performance impact,” says Jeremy Matthews, Regional Manager Panda Security Africa.
 
 
These results speak to the success of the set of technologies leveraged by Panda Security to develop a solution that is ideal for all types of users – private or public, large or small. Panda Security’s solution comes in response to the rapid evolution of malware in recent years. In this regard, it offers the most effective response to threats such as ransomware, and proves to be the best ally in the prevention, protection and response to the latest attacks.

The post Panda Security Rated Top in Antivirus Test appeared first on CyberSafety.co.za.

Neiman Marcus Agrees to Settlement in Data Breach Class Action

On March 17, 2017, retailer Neiman Marcus agreed to pay $1.6 million as part of a proposed settlement (the “Settlement”) to a consumer class action lawsuit stemming from a 2013 data breach that allegedly compromised the credit card data of approximately 350,000 customers.

The consumer plaintiffs sued Neiman Marcus in March 2014, alleging that the company failed to protect customers’ privacy and waited 28 days to inform affected customers of the breach. Neiman Marcus claimed that, rather than 350,000 customers, the breach affected only 9,200 customers. The case initially was dismissed on the grounds that the affected customers lacked standing, having been reimbursed for their losses; the Seventh Circuit reversed and remanded, finding that costs for preventative measures like credit monitoring sufficiently established standing.

Under the terms of the Settlement, each class member who submits a valid claim is entitled to receive up to $100. Each class representative will receive up to $2,500 in service awards, and class counsel will seek up to $530,000 in attorneys’ fees and costs. The Settlement also requires Neiman Marcus to maintain the data security measures it implemented in the wake of the breach, including the (1) appointment of a Chief Information Security Officer, (2) creation of an Information Security organizational unit, (3) increase in frequency and depth of cybersecurity reporting to the executive team and Board of Directors, (4) use of chip-based payment card infrastructure in stores, (5) education and training of employees on privacy and data security matters, (6) collection and analysis of logs of Neiman Marcus systems for potential security threats and (7) information sharing initiatives. The Settlement awaits preliminary approval from the United States District Court for the Northern District of Illinois.

VirusTotal += Symantec Mobile Insight

We welcome the Symantec Mobile Insight scanner to VirusTotal. This engine is specialized in Android and reinforces the participation of Symantec that already had a multi-platform scanner in our service. In the words of the company:

"Symantec Mobile Insight is a comprehensive mobile security service capable of identifying suspicious and malicious apps using a broad array of endpoint-based and cloud-hosted techniques. These techniques blend traditional code and behavior analysis with cutting edge similarity and machine learning applications. Leveraging analysis of over 50 million apps and telemetry from millions of endpoints on a daily basis, we're able to provide superior protection. Our App Advisor technology can help end users identify malware and other unwanted apps on the App Store, prior to installation."

Symantec has expressed its commitment to follow the recommendations of AMTSO and, in compliance with our policy, facilitates this review by AV-TEST, an AMTSO-member tester.

A quick REVENGE Analysis

Another free weekend, another suspicious link provided by a colleague of mine and another compelling feeling to understand "how it works". The following analysis is made "just for fun" and is not part of my professional analyses, which have to follow a completely different process before being released. So please consider it as a "sport activity".

A colleague of mine provided me a suspicious link which I decided to analyze.

The infection starts by redirecting the browser to the page "see.aliharperweddings.com" through a GET request with the following parameters:
biw=diamonds.104wh99.406v6e7i0&que=diamonds.124if80.406v5h6e9&qtuif=3654&fix=diamonds.108bf93.406p9e7i4&oq=CeliDpvspJOdZNQOyj0SGfwZkm4pcBwhH9Pqqj0bWmxCag57W9CW9UU4HupE&q=z3jQMvXcJwDQDoTBMvrESLtEMU_OHEKK2OH_783VCZ39JHT1vvHPRAPytgW&ct=diamonds&tuif=6124
The page is not built to return rendered content but rather to return three different scripts. Indeed, the returned visible page holds weird displayed content, as follows:

Weird visible content by: see.aliharperweddings.com

Getting a little deeper into the page source code, it is easy to find nicely obfuscated scripts, which look like (at least in my experience) a first infection stage. Let's have fun and try to understand how this new sample works. The following image shows a portion of the obfuscated code. We are getting into the first stage of analysis.

First Stage: The fun begins.

Just a few steps on the Google V8 engine are enough to de-obfuscate the first stage, which uses a couple of techniques to run VBScript on the target machine. The first implemented trick, as shown in the next image, is to use the classic but "evergreen" window.execScript, which is no longer supported on Explorer >= 11. execScript takes two parameters: "the code to be run" and the "used programming language". The function invokes the right interpreter depending on the "programming language" parameter.

Second Stage: Running VBScript

The second trick is to use eval to de-obfuscate the second stage and later on to run its functions through the VBArray technique. Decoding the second stage was easier compared to the first stage, since fewer obfuscation rounds are involved. Once I de-obfuscated the second stage, I ran into another "browser" stage (let's call it the Third Stage) written in the Visual Basic language, as follows:

Third Stage: The VBScript saving Windows PE
The resulting script is quite simple to read; no further obfuscation loops were involved. The script per se is quite big, so I am not going to describe every single line of code but just the most interesting one (at least in my personal opinion), so let's focus on the "random function" (shown in the following image), which returns strLen "random" letters from a well-defined alphabet :).

Third Stage: Implemented "random" function

This function is used later on to save the PE FileSystemObject into a temporary file by passing the number "8" as a parameter to the rnds function. A nice and dirty IoC would be: "8 letters" from the "abcdehiklmnoprstuw02346" alphabet followed by ".exe" in the system temporary directory, as shown in the next image.

Third Stage: Saving PE Object using 8 "random" (not really) characters

The FileSystemObject is then executed through the WScript.Shell technique as shown in the next image.

Third Stage: Running the fake shell32.dll

A key argument is defined as "gexywoaxor" and a stream is taken from a URL, as shown in the following image.

Third Stage: Key and Stream

A special function is crafted to decrypt the stream using the defined key. The decoded stream is saved and launched according to the fake shell32.dll.

Third Stage: Decryption stream function (key= gexywoaxor)
Most of you would recognize the RIG Exploit Kit, which used to decrypt streaming (ADOBE StreamObj) objects through inline xor. That decrypt function would not use a simple xor, and for that reason I would consider it a new version of the RIG Exploit Kit. The overall behavior looks like standard RIG EK, having three infection browser scripts and a stream decoding procedure.

Finally I've got a Windows PE in my temporary directory and a script launching it from the browser!

Let's move on and see what it does. At first run, the PE file gets information from its Command and Control server which, at the time of my analysis, happened to be: 193.70.90.120 (France).
It downloaded a Public Key (maybe for encrypting files?) as follows:

Fourth Stage: Downloaded Public Key
This behavior reminds me of a romantic Ransomware attack, which happens to fit pretty well with RIG distribution rings. The sample starts with a simple HTTP GET, but later on it keeps track of its malicious activity (encrypted files) by posting, to the same C&C, the number of encrypted files and a unique serial number as well. The sample returns back two parameters: id and count.

Fourth Stage: POST to C&C

id is different for every infection, while it could be considered a unique constant for a given one. count constantly increases its value as a counter depending on the number of encrypted files.
The sample presents some tricks to control the running environment, such as (but not limited to) IsDebugPresent and VolumeChecking. The sample is a multi-threaded encryptor which spawns an encrypting thread for each system folder found (limited to 10 at a time). The sample is not packed/encrypted by a well-known packer/encryptor, as the following image shows, but the real code (payload) is encoded into a Fourth Stage (let me define the Windows PE as the fourth stage of infection).

Fourth Stage: No known packers/encrypters are found

The following image shows the real payload dynamically built in the heap of the fourth stage. As an analyst, I decided not to extract it but rather to follow the original sample in order to understand how the control flow switch happens.


Stage Fifth: HEAP built payload 

The fifth stage is run by the following code which, after having built the payload straight into memory, gets the control flow through a simple dynamic "call" to dynamic memory [ebp+var_4].


Fifth Stage: getting control by call [ebp+var_4]
This is the last stage, where the payload runs over the folders, reads files and encrypts them by using a dynamically loaded cryptbase.dll and the downloaded public key. The payload per se saves itself and gets persistence by infiltrating registry keys. The following images show where the payload copies itself on the target machine.

Fifth Stage: Payload Persistence
The payload saves itself as an svchost file, creating a folder named Microsofts\ Windows NT\svchost.exe, as most classic payloads do! Cryptobase.dll functions are dynamically loaded; only a few library functions are involved, which makes it easy to track them down (the following images show the tracking down of imported libraries).

Stage Fifth: Cryptobase.dll tracking functions
Finally, the SaveFile function writes the ransom file # !!!HELP_FILE!!! #.TXT to physical drives, with the following content, and encrypts files using the .REVENGE extension.

Ransom File
Since the implemented languages are English, Italian, German, Polish and Korean, it is easy to believe this ransomware attack would mainly target European countries.

While the infected website (see.aliharperweddings.com) has promptly been closed (it now belongs to GoDaddy), the Command and Control page is still up and running. Indeed, the command and control appears to be an old vulnerable fake website created on 2016-10-07T08:19:40Z, weaponized with ancient content dating back to November 2014. The website is not a real one; it's a simple "lorem ipsum" with no apparent purpose. The following image shows the apparently not real website.

Command and Control Vulnerable Web Site
Conclusions

Despite the reverse engineering difficulty and/or the technical details I addressed in this quick and dirty post, I found an unusual C&C behavior. Usually attackers want to protect their C&C, and these are the first systems (page, connection, services) to be closed and/or moved after a first disclosure. Indeed, the attacker won't be "sinkholed" by receiving injection commands into her malicious network. On the contrary, in this example the current C&C looks to have been alive since October 2016. Please note that I am not saying it has served RIG since 2016, but it might have served many different EKs over time, which makes me think of a well-defined operation attributable to a RIG-as-a-service group.

Useful IoC:
- url: see.aliharperweddings.com
- url: far.nycfatfreeze.com
- ip: 193.70.90.120
- ip: 188.225.38.186
- email: rev00@india.com
- email: revenge00@writeme.com
- email: rev_reserv@india.com
- string: 5427136ABEE9451E
- string: # !!!HELP_FILE!!! #.TXT
- string: gexywoaxor 
- file extension: REVENGE
- File Name: 8 characters from {abcdehiklmnoprstuw02346}.exe

BONUS:
A similar dropper (Third Stage) has been published on March 9th 2017 on pastebin.
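
The file-based indicators above can be turned into a quick triage check over a file listing. The following is an added example, not code from the original post: the sample paths are constructed, and it assumes the "system temporary directory" is a folder literally named Temp.

```python
import re
from pathlib import PureWindowsPath

# Values taken from the post's IoC list.
DROPPER_ALPHABET = "abcdehiklmnoprstuw02346"
DROPPER_RE = re.compile(r"[%s]{8}\.exe" % re.escape(DROPPER_ALPHABET))
RANSOM_NOTE = "# !!!HELP_FILE!!! #.TXT"
ENCRYPTED_EXT = ".revenge"


def in_temp_dir(path):
    # Assumption: the temporary directory is a folder named "Temp"
    # (e.g. ...\AppData\Local\Temp or C:\Windows\Temp).
    return path.parent.name.lower() == "temp"


def classify(raw_path):
    """Return the list of REVENGE file indicators a single path matches."""
    path = PureWindowsPath(raw_path)
    name = path.name
    hits = []
    # The name pattern alone is weak ("dirty"): ordinary names such as
    # notepad2.exe fit the alphabet, so it only counts inside Temp.
    if DROPPER_RE.fullmatch(name.lower()) and in_temp_dir(path):
        hits.append("dropper-name")
    if name.lower() == RANSOM_NOTE.lower():
        hits.append("ransom-note")
    if path.suffix.lower() == ENCRYPTED_EXT:
        hits.append("encrypted-file")
    return hits


def triage(paths):
    """Map each matching path to its indicators; non-matching paths are dropped."""
    report = {}
    for raw_path in paths:
        hits = classify(raw_path)
        if hits:
            report[raw_path] = hits
    return report


def summarize(report):
    """Rough reading of how far the infection chain got on this host."""
    kinds = {kind for hits in report.values() for kind in hits}
    if kinds & {"ransom-note", "encrypted-file"}:
        return "payload ran: encrypted files or ransom note present"
    if "dropper-name" in kinds:
        return "dropper staged in Temp, no encryption artifacts listed"
    return "no REVENGE file indicators"


# Constructed file listing for illustration only.
SAMPLE_LISTING = [
    r"C:\Users\bob\AppData\Local\Temp\hkwmsn2a.exe",
    r"C:\Users\bob\AppData\Local\Temp\setup123.exe",
    r"C:\Tools\notepad2.exe",
    r"C:\Users\bob\Documents\budget.xlsx.REVENGE",
    r"D:\# !!!HELP_FILE!!! #.TXT",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LISTING)
    for flagged, reasons in result.items():
        print(flagged, "->", ", ".join(reasons))
    print(summarize(result))
```

Because the alphabet covers many common letters, the name pattern should be treated as a lead to correlate with the ransom note, the extension and the network indicators, not as a verdict on its own.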

msfrpcd

Did you forget the PostgreSQL credentials to start msfrpcd in your Metasploit instance? There's a quick way to recover that username and password. Open up msfconsole, and run the command "load msgrpc". You'll get output like this:


msf > load msgrpc
[*] MSGRPC Service:  127.0.0.1:55552
[*] MSGRPC Username: msf
[*] MSGRPC Password: aKCU4AgT
[*] Successfully loaded plugin: msgrpc
msf >

Now start msfrpcd with -P and you're set. 


Reference https://help.rapid7.com/metasploit/Content/framework/msf-rpc-service.html for more info.

On loss and responsibility

We have lost more great figures in our world of InfoSec, and we are diminished by their loss.

Spaf has written eloquently on the passing of Kevin Ziese, Howard Schmidt, and Becky Bace. I never met Kevin, and I only met Howard a couple of times, but I know of them and their impact on our industry and people in our field.

Becky had become a friend over the past several years, and her loss has hit me hard. Becky has a long and storied history in InfoSec and cybersecurity (and damn, could she tell great stories). Becky was instrumental in nurturing the fledgling fields of network analysis and IDS when she was at NSA, but more importantly than her technical work she was  a great friend and mentor to so many in our field that it is hard to overstate how many people she touched in her life and career. For a glimpse into what Becky was like, check out Avi’s very personal and touching remembrance of meeting Becky.

Once again, we take time to remember lost friends. While natural to mourn their passing we must remember that there are still many in our communities who need the kind of friends and mentors that Kevin, Howard, and Becky were to those of us who knew them. It is our responsibility to them and many others we’ve lost in our young field to remember them, but more importantly to fill those roles of friends and mentors to those who never knew them.

 

Jack

MS16-084 – Critical: Cumulative Security Update for Internet Explorer (3169991) – Version: 1.1

Severity Rating: Critical
Revision Note: V1.1 (March 17, 2017): Bulletin published.
Summary: This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

CNIL Publishes Six Step Methodology and Tools to Prepare for GDPR

On March 15, 2017, the French data protection authority (the “CNIL”) published a six step methodology and tools for businesses to prepare for the EU General Data Protection Regulation (“GDPR”) that will become applicable on May 25, 2018.

The six steps are summarized below.

Step 1: Appointing a Data Protection Officer (“DPO”) or “Pilot”

The CNIL’s methodology first stresses the need for organizations to appoint a leader to pilot governance of data protection within their structure. This person will internally carry out informational, advisory and control tasks. Pending the application of the GDPR in 2018, the CNIL suggests that organizations may appoint a French DPO (Correspondant Informatique et Libertés) now. This will allow them to be one step ahead and better organized to comply with the upcoming GDPR. The CNIL strongly recommends appointing a DPO (with internal relays) who will be in charge of ensuring GDPR compliance, even if the organization is not required to appoint a DPO under the GDPR.

The first step will be completed once organizations have appointed a “pilot” responsible for implementing GDPR compliance measures based on an engagement letter, and have provided that person with human and financial means to perform his/her tasks.

Step 2: Data Mapping

For the second step, organizations are recommended to identify, in detail, their data processing activities. They may do so by preparing and maintaining a register of data processing activities. The CNIL’s methodology notes that, under the GDPR, organizations will have to keep full internal documentation of their data processing activities. The CNIL’s methodology proposes a template register.

Organizations may move to the third step if they:

  • have contacted all the appropriate services and entities that process personal data within their structure;
  • have established a list of their data processing activities per (main) purpose—not per system or application used—and of the types of personal data processed;
  • have identified the vendors/data processors involved in each data processing activity; and
  • know where the data is being transferred and to whom, where it is hosted and for how long it’s retained.

Step 3: Prioritizing Compliance Actions

After preparing the register in the second step, the CNIL’s methodology recommends identifying, for each data processing activity, the actions that will need to be implemented to comply with current and future data protection obligations. This prioritization must be carried out, taking into consideration the risks to the rights and freedoms of the data subjects.

The actions to be implemented will, at a minimum, include:

  • ensuring that only personal data that is strictly necessary is collected and further processed;
  • identifying the legal basis for the data processing;
  • reviewing existing privacy notices to comply with the GDPR notice requirements;
  • verifying that all vendors/data processors are aware of their new obligations and responsibilities under the GDPR and that appropriate privacy clauses are inserted in services agreements;
  • defining a procedure for handling data subjects’ requests for exercising their data protection rights; and
  • verifying the data security measures implemented.

The third step will be completed once organizations have implemented measures to protect data subjects concerned with their data processing activities and have identified those data processing activities that involve a privacy risk.

Step 4: Managing Risks

If, during the previous step, organizations have identified data processing activities that may pose high risks to the rights and freedoms of data subjects, they will need to carry out a privacy impact assessment (“PIA”) for each of these data processing activities. The CNIL’s methodology refers to the CNIL’s 2015 PIA guides as a tool to carry out PIAs under the GDPR.

The fourth step will be completed once organizations have implemented measures to respond to the main risks and threats to data subjects’ privacy.

Step 5: Organizing Internal Processes

Under the fifth step, organizations must implement internal procedures to guarantee data protection at any time, taking into account all events that may occur during the lifetime of a data processing activity (such as a data security breach, management of data subjects’ requests, changes to the data collected, change in vendors, etc.). In particular, this implies the following actions:

  • taking into account data protection principles when designing an application or a data processing activity;
  • increasing employee awareness and ensuring that information is escalated to relevant employees or directors, in particular by developing a training and communications plan;
  • handling data subjects’ complaints and requests for exercising their data protection rights; and
  • anticipating data security breaches by ensuring that, in some cases, the breach will be notified to the data protection authority within 72 hours, and without undue delay, to data subjects affected.

An online notification service will be available on the CNIL’s website in May 2018. Pending that service, organizations may consult, by way of example, the French data breach notification form used by telecommunications providers to notify their breaches.

Organizations may only move to the final step once (1) best practices for data protection are implemented by the services in charge of implementing data processing activities, and (2) personnel know what to do and whom to contact in the event of a data incident.

Step 6: Keeping Documentation on Compliance Measures

For the final step, organizations must compile and group all necessary documentation together. The actions and documents produced at each step must be regularly re-examined and updated to ensure continued data protection. In particular, this documentation will need to include:

  • the register of data processing activities (for data controllers) or the categories of data processing activities (for data processors);
  • PIAs for high risk data processing;
  • data transfer mechanisms (e.g., EU Model Clauses, Binding Corporate Rules and certifications, where applicable);
  • privacy notices;
  • consent forms, as well as evidence that data subjects have given their consent where consent is the legal basis for the data processing;
  • procedures implemented for the exercise of the data subjects’ data protection rights;
  • contracts with vendors/data processors; and
  • internal procedures in the event of a data breach.

The sixth step will be completed once the documentation demonstrates compliance with all of the GDPR obligations.

The CNIL will adapt and complete the above tools when relevant GDPR guidelines are published by the Article 29 Working Party.

Webinar Recording Available on the NYDFS Regulations

On March 9, 2017, AllClear ID hosted a webinar with Hunton & Williams partner and chair of the Global Privacy and Cybersecurity practice Lisa J. Sotto on the new cybersecurity regulations from the New York State Department of Financial Services (“NYDFS”). The NYDFS regulations impose significant cybersecurity requirements on impacted businesses that will dictate how they plan for, respond to and recover from data security events.

Sotto and AllClear ID founder and chief executive officer, Bo Holland, discussed the key areas your business should address first in this new regulatory environment. Sotto points out that these regulations will “affect companies far and wide,” including “any vendor that touches a New York banking, insurance or financial organization.”

View a recording of the webinar and download the presentation materials.

ICO Publishes Guidance on Consent under the EU GDPR

On March 2, 2017, the UK Information Commissioner’s Office (“ICO”) published draft guidance regarding the consent requirements of the EU General Data Protection Regulation (“GDPR”). The guidance sets forth how the ICO interprets the GDPR’s consent requirements, and its recommended approach to compliance and good practice. The ICO guidance precedes the Article 29 Working Party’s guidance on consent, which is expected in 2017.

The ICO guidance emphasizes that the GDPR sets a high standard for individuals’ consent. For organizations to be able to rely on consent as a legal basis for processing, and for that consent to be valid, it must be:

  • Unbundled: Consent requests must be separate from other terms and conditions.
  • Active: Consent can only result from a clear statement or affirmative action of an individual’s wishes; pre-checked opt-in boxes are invalid and, although the ICO does not completely rule out implied consent in specific circumstances, “opt-out is not consent.”
  • Granular: The controller must provide granular options for obtaining consent separately for different processing operations and different purposes.
  • Named: Organizations and any third parties who will be relying on consent must be named in the notice – pursuant to the guidance, even precisely defined categories of third-party organizations will not be acceptable under the GDPR.
  • Documented: Controllers must keep records to demonstrate what the individual has consented to, including what they were told in privacy notices or policies existing at the time of consent, and when and how they consented.
  • Easy to Withdraw: Controllers must tell individuals that they have the right to withdraw their consent at any time, and how to do this with simple and effective withdrawal mechanisms.
  • No Imbalance in the Relationship: Consent cannot be freely given if there is an imbalance in the relationship between the individual and the controller. This will make consent particularly difficult for public authorities and for employers, who should look for an alternative lawful basis.

In providing guidance on the meaning of the term “unambiguous consent,” the ICO has stressed that consent must be demonstrated through a clear, affirmative act. Silence, pre-ticked boxes and inactivity do not represent consent. The affirmative act can be expressed in a written or oral statement, by electronic means, by ticking an opt-in box, by choosing a technical standard, by switching the technical standard from default or by another statement or act which clearly indicates acceptance. The ICO accepts that there may be implied consent in some circumstances, such as when an individual drops a business card to participate in a contest, or by submitting an online survey. The actual act signifies consent to that specific processing of data for these limited purposes.

“Explicit consent” in the GDPR represents an even higher standard than unambiguous consent. It must be separate from any other consents and must be expressly confirmed through the use of words. Explicit consent must specifically refer to the element that requires consent to be explicit (e.g., to sensitive data that is processed or to data transferred outside the EU, along with the underlying risks of the transfer).

Through the guidance, it is clear that the ICO sees consent as a dynamic concept that evolves over time and that is best managed in a proactive way. In addition to keeping a detailed record of consent, controllers are encouraged to ensure ongoing management of consents, choices and controls through privacy dashboards and similar preference and permission management tools. These should include mechanisms for withdrawal of consents and a general “any time opt-out.” In addition, the ICO recommends that controllers review and refresh consents, especially as processing operations and the purposes of processing evolve. In any case, controllers should offer a specific opt-out automatically every two years in reply to individuals with whom they have contact and send occasional reminders about the ability to withdraw consent. The ICO makes it clear that consent will be an appropriate legal basis only where (1) there is a real choice for individuals, (2) the individuals have ability to exercise actual control over data use and (3) it fulfills all of the GDPR’s requirements. If these conditions are not met, the ICO advises controllers to seek an alternative legal basis for their processing activities.

The ICO’s guidance is subject to public consultation until March 31, 2017.

VirusTotal += SentinelOne

We welcome the SentinelOne scanner to VirusTotal. This is a machine learning engine from the US. In the words of the company:

"SentinelOne (Static ML) is a machine learning engine designed to identify unknown malware. It is part of SentinelOne’s unique offering of a multi-layer detection and prevention agent – utilizing behavioral monitoring and static analysis that is capable of keeping organizations ahead of any advanced threat in real-time. SentinelOne protects Windows, OS X and Linux-based endpoint devices against advanced malware, exploits and fileless attacks."

SentinelOne has expressed its commitment to follow the recommendations of AMTSO and, in compliance with our policy, facilitates this review by MRG Effitas, an AMTSO-member tester.

FTC Study Recommends Wider Implementation of DMARC to Combat Phishing Attacks

On March 3, 2017, the FTC announced the results of a study about online businesses’ use of proper email authentication technology to prevent phishing attacks. The study’s sample included 569 large online businesses with strong ties to the U.S. The FTC found that 86 percent of those businesses use Sender Policy Framework—an email authentication technology that enables Internet Service Providers (“ISPs”) to determine whether an email is from a legitimate source (e.g., whether an email that claims to be from a business’s domain in fact came from the business).

Fewer than 10 percent of the businesses evaluated, however, use Domain Message Authentication Reporting & Conformance (“DMARC”)—an email authentication technology which alerts the business about potential spoofing efforts and instructs ISPs to automatically reject unauthenticated messages that claim to be from the business’s email address. In its report, the FTC recommended “wider implementation” of DMARC, noting that using DMARC to reject unauthenticated messages would help businesses “further combat phishing by keeping these scam emails from ever showing up in consumers’ inboxes.”
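
The three postures the study distinguishes (SPF published, DMARC published, DMARC set to reject) can be read directly from a domain's TXT records. The following is an added example, not part of the FTC report or the original post: the domains and records are constructed, and counting only p=reject at the default 100 percent as "rejects" is this example's own choice.

```python
SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_tags(record):
    """Split a DMARC 'tag=value; tag=value' record into an ordered dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_status(records):
    """Return 'missing', 'multiple', 'none', or the result name of the 'all' term."""
    spf = [r for r in records
           if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "multiple"  # more than one SPF record is an error for receivers
    terms = spf[0].lower().split()
    all_term = next((t for t in terms if t.lstrip("+-~?") == "all"), None)
    if all_term is None:
        return "none"
    qualifier = all_term[0] if all_term[0] in SPF_QUALIFIERS else "+"
    return SPF_QUALIFIERS[qualifier]


def dmarc_policy(records):
    """Return (policy, pct) from a single valid DMARC record, else (None, 0)."""
    parsed = [parse_tags(r) for r in records]
    valid = [t for t in parsed
             if t and next(iter(t)) == "v" and t["v"] == "DMARC1"]
    if len(valid) != 1:
        return None, 0
    tags = valid[0]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return None, 0
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    return policy, pct


def audit(domain, txt):
    """txt maps a DNS name to its TXT strings; DMARC lives at _dmarc.<domain>."""
    policy, pct = dmarc_policy(txt.get("_dmarc." + domain, []))
    return {
        "spf": spf_status(txt.get(domain, [])),
        "dmarc_policy": policy,
        "rejects": policy == "reject" and pct == 100,
    }


def survey(domains, txt):
    """Tally the same three measures the study reports, over a list of domains."""
    results = [audit(d, txt) for d in domains]
    return {
        "domains": len(results),
        "spf": sum(r["spf"] not in ("missing", "multiple") for r in results),
        "dmarc": sum(r["dmarc_policy"] is not None for r in results),
        "dmarc_reject": sum(r["rejects"] for r in results),
    }


# Constructed TXT records for illustration only.
TXT = {
    "shop.example": ["v=spf1 include:_spf.mail.example -all",
                     "site-verification=constructed"],
    "_dmarc.shop.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@shop.example"],
    "news.example": ["v=spf1 ip4:192.0.2.10 ~all"],
    "_dmarc.news.example": ["v=DMARC1; p=none; rua=mailto:dmarc@news.example"],
    "legacy.example": ["v=spf1 mx -all"],
    "half.example": ["v=spf1 mx ~all"],
    "_dmarc.half.example": ["v=DMARC1; p=reject; pct=25"],
}
DOMAINS = ["shop.example", "news.example", "legacy.example", "half.example"]

if __name__ == "__main__":
    for name in DOMAINS:
        print(name, audit(name, TXT))
    print(survey(DOMAINS, TXT))
```

A domain at p=none still receives DMARC reports about spoofing attempts, but receivers are not asked to reject anything; only the p=reject row matches what the report recommends.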

MS17-008 – Critical: Security Update for Windows Hyper-V (4013082) – Version: 1.0

Severity Rating: Critical
Revision Note: V1.0 (March 14, 2017): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an authenticated attacker on a guest operating system runs a specially crafted application that causes the Hyper-V host operating system to execute arbitrary code. Customers who have not enabled the Hyper-V role are not affected.

MS17-016 – Important: Security Update for Windows IIS (4013074) – Version: 1.0

Severity Rating: Important
Revision Note: V1.0 (March 14, 2017): Click here to enter text.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker with access to the local system executes a malicious application. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

MS17-011 – Critical: Security Update for Microsoft Uniscribe (4013076) – Version: 1.0

Severity Rating: Critical
Revision Note: V1.0 (March 14, 2017): Bulletin published.
Summary: This security update resolves a vulnerability in Windows Uniscribe. The vulnerability could allow remote code execution if a user visits a specially crafted website or opens a specially crafted document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS17-018 – Important: Security Update for Windows Kernel-Mode Drivers (4013083) – Version: 1.0

Severity Rating: Important
Revision Note: V1.0 (March 14, 2017): Bulletin published
Summary: This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system.

MS17-0113 – Critical: Security Update for Microsoft Graphics Component (4013075) – Version: 1.0

Severity Rating: Critical
Revision Note: V1.0 (March 14, 2017): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Windows, Microsoft Office, Skype for Business, Silverlight and Microsoft Lync. The most serious of these vulnerabilities could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS17-006 – Critical: Cumulative Security Update for Internet Explorer (4013073) – Version: 1.0

Severity Rating: Critical
Revision Note: V1.0 (March 14, 2017): Bulletin published.
Summary: This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

MS17-009 – Critical: Security Update for Microsoft Windows PDF Library (4010319) – Version: 1.0

Severity Rating: Critical
Revision Note: V1.0 (March 14, 2017): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow information disclosure if a user views specially crafted PDF content online or opens a specially crafted PDF document.

MS17-019 – Important: Security Update for Active Directory Federation Services (4010320) – Version: 1.0

Severity Rating: Important
Revision Note: V1.0 (March 14, 2017): Bulletin published.
Summary: This security update resolves a vulnerability in Active Directory Federation Services (ADFS). The vulnerability could allow information disclosure if an attacker sends a specially crafted request to an ADFS server, allowing the attacker to read sensitive information about the target system.

MS17-022 – Important: Security Update for Microsoft XML Core Services (4010321) – Version: 1.0

Severity Rating: Important
Revision Note: V1.0 (March 14, 2017): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow information disclosure if a user visits a malicious website. However, in all cases an attacker would have no way to force a user to click a specially crafted link. An attacker would have to convince a user to click the link, typically by way of an enticement in an email or Instant Messenger message.

MEMS Accelerometer Hardware Design Flaws (Update A)

This updated alert is a follow-up to the original alert titled ICS-ALERT-17-073-01 MEMS Accelerometer Hardware Design Flaws that was published March 14, 2017, on the NCCIC/ICS-CERT web site. ICS-CERT is aware of public reporting of hardware design flaws in some capacitive micro-electromechanical systems (MEMS) accelerometer sensors, which are produced by the following manufacturers: Robert Bosch GmbH, STMicroelectronics, InvenSense Inc., Analog Devices Inc., and Murata Manufacturing Company.

Cybersecurity Panel Discussion: A Live Cyber Attack Tabletop Exercise

On March 21, 2017, Hunton & Williams is pleased to host an in-person seminar in its London office featuring seasoned cybersecurity practitioners. Drawing from deep experience in their respective fields, the panel members will discuss the implications of the EU General Data Protection Regulation’s breach notification obligations in the context of a state-of-the-art cyber attack simulation. In doing so, the panelists will share best practices to help protect organizations in the event of a cyber attack.

Our speakers include:

  • Aaron P. Simpson, Partner, Hunton & Williams
  • Lisa J. Sotto, Partner and Chair of the Global Privacy and Cybersecurity practice, Hunton & Williams
  • Anita Bapat, Associate, Hunton & Williams
  • Roger Francis, Senior Strategic Consultant, Mandiant
  • Duncan Gallagher, Europe and CIS Crisis Practice Lead, Edelman

For more information, please contact Vonny Chiu at vchiu@hunton.com.

M-Trends 2017: A View From the Front Lines

Every year Mandiant responds to a large number of cyber attacks, and 2016 was no exception. For our M-Trends 2017 report, we took a look at the incidents we investigated last year and provided a global and regional (the Americas, APAC and EMEA) analysis focused on attack trends, and defensive and emerging trends.

When it comes to attack trends, we’re seeing a much higher degree of sophistication than ever before. Nation-states continue to set a high bar for sophisticated cyber attacks, but some financial threat actors have caught up to the point where we no longer see the line separating the two. These groups have greatly upped their game and are thinking outside the box as well. One unexpected tactic we observed is attackers calling targets directly, showing us that they have become more brazen.

While there has been a marked acceleration of both the aggressiveness and sophistication of cyber attacks, defensive capabilities have been slower to evolve. We have observed that a majority of both victim organizations and those working diligently on defensive improvements are still lacking adequate fundamental security controls and capabilities to either prevent breaches or to minimize the damages and consequences of an inevitable compromise.

Fortunately, we’re seeing that organizations are becoming better at identifying breaches. The global median time from compromise to discovery has dropped significantly from 146 days in 2015 to 99 days in 2016, but it’s still not good enough. As we noted in M-Trends 2016, Mandiant’s Red Team can obtain access to domain administrator credentials within roughly three days of gaining initial access to an environment, so 99 days is still 96 days too long.

We strongly recommend that organizations adopt a posture of continuous cyber security, risk evaluation and adaptive defense or they risk having significant gaps in both fundamental security controls and – more critically – visibility and detection of targeted attacks.

On top of our analysis of recent trends, M-Trends 2017 contains insights from our FireEye as a Service (FaaS) teams for the second consecutive year. FaaS monitors organizations 24/7, which gives them a unique perspective into the current threat landscape. Additionally, this year we partnered with law firm DLA Piper for a discussion of the upcoming changes in EMEA data protection laws.

You can learn more in our M-Trends 2017 report. Additionally, you can register for our live webinar on March 29, 2017, to hear more from our experts.

Hunton Releases ‘Seeking Solutions,’ a Report on the Attributes of Effective DPAs

Hunton & Williams LLP, in coordination with the U.S. Chamber of Commerce, recently issued a series of recommendations to enhance the effectiveness of data privacy regulators. The report, Seeking Solutions: Attributes of Effective Data Protection Authorities, identifies seven key attributes of data protection authorities (“DPAs”) that contribute to effective data protection governance. The report also explores how the level of effectiveness varies based on differences in the structure, roles and resources of a DPA.

“The common thread among all the DPAs reviewed is that truly effective DPAs treat those they regulate as partners instead of adversaries,” said Lisa Sotto, partner and chair of Hunton & Williams’ Global Privacy and Cybersecurity practice. “Effective DPAs also demonstrate an understanding of, and ability to adapt to, the evolving business and technology landscape.”

The Chamber of Commerce introduced the report at its February 22, 2017 event, Policies that Promote Growth: Best Practices for Privacy and Cross-Border Data Flows. Acting Federal Trade Commission Chairman Maureen Ohlhausen delivered a keynote address at the rollout event launching the report, and Sotto highlighted key aspects of the study’s findings. Former U.S. Ambassador to the Organisation for Economic Co-operation and Development Karen Kornbluh later moderated a “fireside chat” with Ohlhausen and Sotto.

Zix wins 5-vendor email encryption shootout

Email encryption products have made major strides since we last looked at them nearly two years ago. They have gotten easier to use and deploy, thanks to a combination of user interface and encryption key management improvements, and are at the point where encryption can almost be called effortless on the part of the end user.

Our biggest criticism in 2015 was that the products couldn’t cover multiple use cases, such as when a user switches from reading emails on their smartphone to moving to a webmailer to composing messages on their Outlook desktop client. Fortunately, the products are all doing a better job handling multi-modal email.

Home Depot Settles Data Breach Claims

On March 9, 2017, Home Depot Inc. (“Home Depot”) reached an agreement that includes the payment of $25 million and the implementation of new data security measures to resolve a putative class action brought by financial institutions impacted by the company’s 2014 data breach.

The 2014 data breach involved the theft of Home Depot customers’ personal information, including names, payment card numbers, expiration dates and security codes. Approximately 56 million payment card numbers were compromised. This information was sold to identity thieves, who used it to make fraudulent transactions. As a result, financial institutions were required to take steps such as cancelling the compromised cards and reimbursing customers for fraudulent charges.

As part of the settlement, Home Depot will pay $25 million into a fund that will be distributed to financial institutions that have not released all of their claims, and pay up to $2.25 million to certain financial institutions whose claims were released by a sponsor in connection with MasterCard’s Account Data Compromise program. Home Depot also will be required to, for at least two years, implement additional data security measures. Specifically, Home Depot must:

  • implement an appropriate, industry-recognized security control framework;
  • develop a program to ensure that its vendors with access to payment card information treat the information securely; and
  • apply safeguards to address risks identified by its risk assessments, and track and manage such assessments through a process involving Home Depot leadership.

In addition to these settlement terms, in March 2016 Home Depot agreed to settle consumers’ claims by paying $13 million, funding identity protection services and undertaking certain data security measures.

Rosemary Jay Presents at UK House of Lords Sub-Committee Meeting

On March 1, 2017, Hunton & Williams senior consultant attorney Rosemary Jay presented evidence on the data protection reform package and the impact of Brexit to the UK Parliament’s House of Lords EU Home Affairs Sub-Committee meeting. 

The committee invited Rosemary and two other privacy professionals to present evidence on the EU data protection reform package, which includes four elements: the EU General Data Protection Regulation (“GDPR”), the EU Policing and Criminal Justice Directive, the EU-U.S. Privacy Shield and the EU-U.S. Umbrella Agreement. The committee asked the presenters to respond to questions regarding the implications for UK businesses, data controllers and data subjects, particularly in light of Brexit. Rosemary discussed (1) the possibility of adequacy and partial adequacy decisions allowing the UK to transfer data to and from the EU post-Brexit, (2) the difference between the Policing and Criminal Justice Directive and the GDPR, (3) the UK’s ability to influence data protection regulation within the framework of the GDPR and within the context of the EU going forward, and (4) the impact of Brexit on data sharing.

Listen to the full meeting.

Hunton & Williams Launches M&A Privacy and Security Initiative

Hunton & Williams announces the formation of a cross-disciplinary legal team dedicated to guiding companies through the minefield of regulatory and cyber-related risks associated with high-stakes corporate mergers and acquisitions. 

The new team brings together the firm’s renowned capabilities in privacy and cybersecurity with its recognized strength in M&A transactions. The mobilization of this seasoned team responds to a current environment characterized by heightened regulatory pressure and escalated risk of cyber attacks, which have combined to increase demand for the firm’s capabilities in these two areas of strength.

Having counseled global technology companies, retailers, financial institutions and other businesses through some of the most significant, high-profile data breaches in corporate history, the privacy and security in M&A transactions team is well-positioned to help companies evaluate and address any privacy- and data security-related challenges in the time-sensitive period preceding an M&A transaction, as well as in its aftermath.

“Privacy and data security due diligence are essential because left unchecked, vulnerabilities in a company’s security posture or noncompliant privacy practices can jeopardize M&A transactions,” said M&A partner Steven Haas. “Moreover, issues discovered after an M&A transaction has concluded can expose companies to massive liabilities such as expensive consumer class action litigation, intrusive government investigations, hefty remediation costs and other expenses.”

Lisa Sotto, head of the firm’s Global Privacy and Cybersecurity practice, adds: “Personal data is a critical asset that should always be addressed as a key deal point.”

Read the full press release.

The New Cybersecurity Landscape: What the NYDFS Regulations Really Mean for Your Business

On March 9, 2017, AllClear ID will host a webinar with Hunton & Williams partner and chair of the Global Privacy and Cybersecurity practice Lisa J. Sotto on the new cybersecurity regulations from the New York State Department of Financial Services (“NYDFS”). The NYDFS regulations will impose significant cybersecurity requirements on impacted businesses that will dictate how they plan for, respond to, and recover from data security events. To be compliant, businesses will need to rethink their cybersecurity programs in light of the many granular requirements in the NYDFS regulations. Join Lisa J. Sotto and AllClear ID founder and chief executive officer, Bo Holland, for a discussion on the key areas your business should address first in this new regulatory environment, including best practices for breach readiness, response and recovery.

Register for the webinar now.

FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings

In late February 2017, FireEye as a Service (FaaS) identified a spear phishing campaign that appeared to be targeting personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations. Based on multiple identified overlaps in infrastructure and the use of similar tools, tactics, and procedures (TTPs), we have high confidence that this campaign is associated with the financially motivated threat group tracked by FireEye as FIN7.

FIN7 is a financially motivated intrusion set that selectively targets victims and uses spear phishing to distribute its malware. We have observed FIN7 attempt to compromise diverse organizations for malicious operations – usually involving the deployment of point-of-sale malware – primarily against the retail and hospitality industries.

Spear Phishing Campaign

All of the observed intended recipients of the spear phishing campaign appeared to be involved with SEC filings for their respective organizations. Many of the recipients were even listed in their company’s SEC filings. The sender email address was spoofed as EDGAR <filings@sec.gov> and the attachment was named “Important_Changes_to_Form10_K.doc” (MD5: d04b6410dddee19adec75f597c52e386). An example email is shown in Figure 1.

Figure 1: Example of a phishing email sent during this campaign

We have observed the following TTPs with this campaign:

  • The malicious documents drop a VBS script that installs a PowerShell backdoor, which uses DNS TXT records for its command and control. This backdoor appears to be a new malware family that FireEye iSIGHT Intelligence has dubbed POWERSOURCE. POWERSOURCE is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. The backdoor uses DNS TXT requests for command and control and is installed in the registry or Alternate Data Streams. Using DNS TXT records to communicate is not an entirely new finding, but it should be noted that this has been a rising trend since 2013 likely because it makes detection and hunting for command and control traffic difficult.
  • We also observed POWERSOURCE being used to download a second-stage PowerShell backdoor called TEXTMATE in an effort to further infect the victim machine. The TEXTMATE backdoor provides a reverse shell to attackers and uses DNS TXT queries to tunnel interactive commands and other data. TEXTMATE is “memory resident” – often described as “fileless” malware. This is not a novel technique by any means, but it’s worth noting since it presents detection challenges and further speaks to the threat actor’s ability to remain stealthy and nimble in operations.
  • In some cases, we identified a Cobalt Strike Beacon payload being delivered via POWERSOURCE. This particular Cobalt Strike stager payload was previously used in operations linked to FIN7.
  • We observed that the same domain hosting the Cobalt Strike Beacon payload was also hosting a CARBANAK backdoor sample compiled in February 2017. CARBANAK malware has been used heavily by FIN7 in previous operations.
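
A hunting heuristic for the DNS TXT command-and-control channel described in the first two items above, as an added example that is not FireEye's detection logic. It assumes such a channel shows up as one client sending many TXT queries with changing names to a single registered domain (the page does not describe POWERSOURCE's query format); the log format, thresholds, host names and domains are constructed.

```python
from collections import defaultdict

# Constructed DNS query log, one query per line:
# "<epoch> <client> <qtype> <qname>". All hosts and domains are invented.
SAMPLE_LOG = """\
1488300000 ws-014 A www.example.com
1488300004 ws-014 AAAA www.example.com
1488300010 mx-01 TXT example.org
1488300011 mx-01 TXT example.net
1488300012 mx-01 TXT partner-a.example
1488300013 mx-01 TXT partner-b.example
1488300014 mx-01 TXT example.com
1488300020 ws-022 TXT _lic.vendor-a.example
1488300080 ws-022 TXT _lic.vendor-a.example
1488300140 ws-022 TXT _lic.vendor-a.example
1488300200 ws-022 TXT _lic.vendor-a.example
1488300260 ws-022 TXT _lic.vendor-a.example
1488300320 ws-022 TXT _lic.vendor-a.example
1488300030 ws-031 TXT k3a9.stage.txt-beacon.example
1488300090 ws-031 TXT p7q2.stage.txt-beacon.example
1488300150 ws-031 TXT z0m4.stage.txt-beacon.example
1488300210 ws-031 TXT b8x1.stage.txt-beacon.example
1488300270 ws-031 TXT r5t6.stage.txt-beacon.example
1488300330 ws-031 TXT h2w9.stage.txt-beacon.example
1488300400 ws-031 TXT
"""


def registered_domain(qname):
    """Naive eTLD+1 (last two labels). Assumption for brevity: a production
    hunt should resolve this against the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse(log):
    """Yield (client, qtype, qname); skip truncated or malformed records."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue
        yield parts[1], parts[2].upper(), parts[3].lower()


def hunt_txt_channels(log, min_txt=5, min_unique_ratio=0.8, min_txt_share=0.9):
    """Flag (client, domain) pairs whose traffic looks like a TXT data channel.

    min_txt          ignores one-off lookups (a mail server checking SPF).
    min_unique_ratio separates changing query names from a client polling
                     one fixed TXT record.
    min_txt_share    requires the domain to be used almost only via TXT.
    """
    stats = defaultdict(lambda: {"txt": 0, "other": 0, "names": set()})
    for client, qtype, qname in parse(log):
        entry = stats[(client, registered_domain(qname))]
        if qtype == "TXT":
            entry["txt"] += 1
            entry["names"].add(qname)
        else:
            entry["other"] += 1

    findings = []
    for (client, domain), entry in stats.items():
        if entry["txt"] < min_txt:
            continue
        txt_share = entry["txt"] / (entry["txt"] + entry["other"])
        unique_ratio = len(entry["names"]) / entry["txt"]
        if txt_share >= min_txt_share and unique_ratio >= min_unique_ratio:
            findings.append({
                "client": client,
                "domain": domain,
                "txt_queries": entry["txt"],
                "unique_names": len(entry["names"]),
            })
    # Busiest pairs first, client name as a stable tie-break.
    return sorted(findings, key=lambda f: (-f["txt_queries"], f["client"]))


if __name__ == "__main__":
    for finding in hunt_txt_channels(SAMPLE_LOG):
        print(finding)
```

In the sample, the mail server and the client polling a single TXT record stay below the thresholds; only the workstation cycling through distinct names under one domain is reported.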

Victims

Thus far, we have directly identified 11 targeted organizations in the following sectors:

  • Financial services, with different victims having insurance, investment, card services, and loan focuses
  • Transportation
  • Retail
  • Education
  • IT services
  • Electronics

All these organizations are based in the United States, and many have international presences. As the SEC is a U.S. regulatory organization, we would expect recipients of these spear phishing attempts to either work for U.S.-based organizations or be U.S.-based representatives of organizations located elsewhere. However, it is possible that the attackers could perform similar activity mimicking other regulatory organizations in other countries.

Implications

We have not yet identified FIN7’s ultimate goal in this campaign, as we have either blocked the delivery of the malicious emails or our FaaS team detected and contained the attack early enough in the lifecycle before we observed any data targeting or theft.  However, we surmise FIN7 can profit from compromised organizations in several ways. If the attackers are attempting to compromise persons involved in SEC filings due to their information access, they may ultimately be pursuing securities fraud or other investment abuse. Alternatively, if they are tailoring their social engineering to these individuals, but have other goals once they have established a foothold, they may intend to pursue one of many other fraud types.

Previous FIN7 operations deployed multiple point-of-sale malware families for the purpose of collecting and exfiltrating sensitive financial data. The use of the CARBANAK malware in FIN7 operations also provides limited evidence that these campaigns are linked to previously observed CARBANAK operations leading to fraudulent banking transactions, ATM compromise, and other monetization schemes.

Community Protection Event

FireEye implemented a Community Protection Event – FaaS, Mandiant, Intelligence, and Products – to secure all clients affected by this campaign. In this instance, an incident detected by FaaS led to the deployment of additional detections by the FireEye Labs team after FireEye Labs Advanced Reverse Engineering quickly analyzed the malware. Detections were then quickly deployed to the suite of FireEye products.

The FireEye iSIGHT Intelligence MySIGHT Portal contains additional information based on our investigations of a variety of topics discussed in this post, including FIN7 and the POWERSOURCE and TEXTMATE malware. Click here for more information.

VirusTotal += Palo Alto Networks

We welcome Palo Alto Networks (Known Signatures) to VirusTotal. This scanner was developed by Palo Alto Networks, headquartered in Santa Clara, CA. In the words of the company:

"Palo Alto Networks is the next-generation security company, leading a new era in cybersecurity by safely enabling applications and preventing cyber breaches for tens of thousands of organizations worldwide. Built with an innovative approach and highly differentiated cyberthreat prevention capabilities, our game-changing security platform delivers superior security, safely enables daily business operations, and protects an organization's most valuable assets. The Palo Alto Networks (Known Signatures) scanner was built for VirusTotal to identify malicious files by comparing Windows portable executables (PE) file indicators against antivirus signatures from the Palo Alto Networks Threat Intelligence Cloud. The scanner is not a commercially available product, but leverages all of Palo Alto Networks known malicious antivirus signatures."

Palo Alto Networks has expressed its commitment to follow the recommendations of AMTSO and, in compliance with our policy, facilitates this review by SE Labs, an AMTSO-member tester.

Rosemary Jay’s Guide to the General Data Protection Regulation Released

On February 21, 2017, Sweet & Maxwell published a Guide to the General Data Protection Regulation, written by Hunton & Williams senior consultant attorney Rosemary Jay. The book was released as a companion to Data Protection Law and Practice.

In the book, Rosemary provides a detailed and “stand-alone” account of the EU General Data Protection Regulation’s (“GDPR’s”) impact on EU data protection law. The book features an analysis of the structure and scope of the GDPR and the new obligations imposed on data processors and controllers, including breach notification requirements. In addition, Rosemary provides summaries on the broader definitions of personal data, profiling, pseudonymization and consent, and describes regulators’ increased power under the GDPR. She also analyzes the interplay between the GDPR and the EU-U.S. Privacy Shield framework.

You may purchase the book here.

VirusTotal += Check Point

We welcome ZoneAlarm to VirusTotal. This is a consumer security solution developed by Check Point Software Technologies. Ltd., a company with worldwide headquarters in Tel Aviv, Israel, and US headquarters in San Carlos, CA. In the words of the company:

"ZoneAlarm is a comprehensive, multilayered security suite that stops the toughest viruses, spyware and hackers. Award-winning protection includes Advanced Real-Time Antivirus, Advanced Firewall, Anti-Spyware, Enhanced Browser Protection, Threat Emulation, Find My Laptop, Anti-Keylogger, Parental Controls, PC Tune-up and more."

Check Point has expressed its commitment to follow the recommendations of AMTSO and, in compliance with our policy, facilitates these reviews by NSS Labs, an AMTSO-member tester.

Securing autonomous vehicles

Roborace unveiled the design for their autonomous race car at Mobile World Congress in Barcelona this week. Without a driver the car is lightweight and high performing. Powered by four 300kW motors which run off a 540kWh battery, the vehicle is capable of speeds up to 200 mph. Last month, an FIA Formula E event …

FCC Stays Implementation of Data Security Rules

On March 1, 2017, the Federal Communications Commission (“FCC”), under the new leadership of Chairman Ajit Pai, voted 2-1 to issue a temporary stay of the data security obligations of the FCC’s Broadband Consumer Privacy Rules (the “Rules”), which were to go into effect March 2, 2017. The temporary stay will remain in place until the FCC is able to act on pending petitions for reconsideration.

A joint press release by FCC Chairman Pai and Acting FTC Chairwoman Maureen K. Ohlhausen describes the stayed provisions as not consistent with the FTC’s privacy framework. The press release expresses the agency heads’ disagreement with the “FCC’s unilateral decision in 2015 to strip the FTC of its authority over broadband providers’ privacy and data security practices” and their belief that “jurisdiction over broadband providers’ privacy and data security practices should be returned to the FTC.” The temporary stay is described as “a step forward” in filling a consumer protection gap that was created by the FCC in 2015. The press release also announces the agencies’ plan to create a “technology-neutral privacy framework for the online world” that would do away with two distinct frameworks—one for Internet service providers and one for all other online companies.

Other elements of the Rules are still scheduled to go into effect later this year and are unaffected by the temporary stay.

Bye Empire, Hello Nebula Exploit Kit.


While Empire (RIG-E) disappeared at the end of December after 4 months of activity, on 2017-02-17 an advert for a new exploit kit dubbed Nebula appeared underground.

Illustration of the last month of witnessed activity for Empire

------
Selling EK Nebula
------
Nebula Exploit kit

Features:
-Automatic domain scanning and generating (99% FUD)
-API rotator domains
-Exploit rate tested in different traffic go up 8/19%
-knock rate tested whit popular botnet go 30/70%
-Clean and modern user interface
-Custom domains & server ( add & point your own domains coming soon...)
-Unlimited flows & files
-Scan file & domains
-Multiple payload file types supported (exe , dll , js, vbs)
-Multi. geo flow (split loads by country & file)
-Remote file support ( check every 1 minute if file hash change ; if changed replace ) for automatic crypting
-Public stats by file & flow
-latest CVE-2016 CVE-2017
-custom features just ask support

Subscriptions:
24h - 100$
7d - 600$
31d - 2000$

Jabber - nebula-support@xmpp.jp


Offering free tests to trusted users 
------

In the same thread, some screenshots were shared by a customer.

Earlier that same day, colleagues at Trendmicro told me they were seeing activity from a group we are following under the name "GamiNook" (illustration coming later) in Japan redirecting traffic to a variation of Sundown.

"GamiNook" redirecting to a Sundown Variation in Japan - 2017-02-17
Payload : Pitou (6f9d71eebe319468927f74b93c820ce4 ) 

This Sundown variation was not very different from the mainstream one: no "index.php?" in the landing URI and a different domain pattern, but the same landing, exploits, etc. Some payloads are sent in clear (01.php), others RC4 encoded (00.php), as for Sundown.

Digging further, it appeared to feature an internal TDS (as Empire did).
The exact same call would give you a different payload in France or in the United Kingdom/Japan.
"GamiNook" traffic with geo in France - 2017-02-17
Identical payload call gives you Gootkit instead of Pitou
Payload : Gootkit (48ae9a5d10085e5f6a1221cd1eedade6)
Note: to be sure that the payload difference is tied to geo and is not time-based (rotation or the operator changing it), you need to make at least a third pass with the first geo and ensure the dropped sample is identical to the one from the first pass.


At that point you can only suspect this Sundown variant might be Nebula (even if clues are multiple, a funny one being that the traffic illustrated in the advert thread is quite in line with the one captured in France).

So I was naming that variation: Sundown-N. Intel shared by Frank Ruiz (FoxIT) on the 21st allowed me to know for sure this traffic was indeed Nebula.

In the following days I saw other actors sending traffic to this EK.
Taxonomy tied to Nebula Activity in MISP - 2017-03-02
Taxonomy tied to GamiNook traffic activity, EK and resulting payload

Today URI pattern changed from this morning :

/?yWnuAH-XgstCZ3E=tCi6ZGr10KUDHiaOgKVNolmBgpc3rkRp-weok1A2JV-gkpS0luBwQDdM
/?yXy3HX2F=tCu_Mj322aEBSXjYhatLoVmBgZJh_0Fg_wX_zQYxIg6nksDowOciFzNB
/?yXzbGV2jkcB_eU8=4ya6MDz31KdQTi7ahapLolnWjJdj_EJt-VT4mwQxIQ6gksTllrB3EGRM
/?ykjaKniEk6ZhH1-P=si-8YGj_1aANTynfh6Ye81mHhZE0_RNs_gn5nAExcV6okpTknOQgEmNN
/?z0vDa0iBu-Q=tHnqNT_-1KcGGCzfhqVKoVmB08dm_BJt-QKumQEwJA2nksGyk-QhQDRA
/?z13qMVqqoKRvTw=5S--Y2uk0apQGiyOhvdI81nQhZMwqxVo9FSsmVAyIgiokpPnl-V0QDIf
/?z1fECTiT=sy7tYmz206FUGCvagKpK9VmGhMAxrxZq_1CungQwdF71ksDowOciFzNB
/?zVnra0OCs9k=syjqMjel06ADFHuP0qNKolmGgsdh9BZq_geizlFkcQ2gksTllrB3EGRM
/?zVnra0OCs9k=syjqMjel06ADFHuP0qNKolmGgsdh9BZq_geizlFkcQ2gksW2w7QsRTIf
/?zWnBFniM=4Ca9Zjej0PRTGC3e06FJp1nVjJA1rBRpqleumABkJF2hksTllrB3EGRM
/?zn3iKU_xjeNxWw=sHu7MTry2aoAFCyKgKUY8FmF0ZZi_kFg9ASimVQ2cl-lksTllrB3EGRM
/?zy3jN0Gvi9RjY02F2g=4H27Yjn-0_EBHSrc26MfoVnV15Yx-hJqrwWrnwJjcVqnkpTknOQgEmNN

(which is Sundown/Beps without the index.php) to

/86fb7c1b/showpost.php?s=af75b6af5d0f08cf675149da13b1d3e4&p=13&postcount=8
/641222267738845/thumb/6456dac5bc39ec7/comment_post.php?ice=bDaE06lCQU
/507728217866857/9ecc534d/bug_report/media/pr.php?id=b38cb0526f8cd52d878009d9f27be8f4
/gu/Strategy/qNXL8WmQ6G/rss.php?cat=MSFT
/moddata/a9/showpost.php?s=0d2d722e1a2a625b3ceb042daf966593&p=13&postcount=1
/2003/01/27/exchange-monday-wilderness
/46198923243328031687/applications/blockStyle.php?last-name=6419f08706689953783a59fa4faeb75c
/5wtYymZeVy/LKYcSFhKOi/showpost.php?s=2e3e8a3c3b6b00cd3033f8e20d174bf5&p=8&postcount=7
/2006/08/05/fur-copper-shark
/48396170957391254103/XD25OYwON1/showpost.php?s=abf72cd40a08463fad0b3d153da66cae&p=27&postcount=7
/tV9FnNwo4h/b303debe9a6305791b9cd16b1f10b91e/promotion.php?catid=h
/ef131fb2025525a/QLGWEFwfdh/550991586389812/core.write_file.php?lawyer=9H6UhvusOi
/aPKr0Oe5GV/23861001482170285181/showpost.php?s=e74b32ba071772d5b55f97159db2e998&p=2&postcount=1
/2/eb799e65a412b412ee63150944c7826d61cd7a544f7aa57029a9069698b4925b2068ed77dea8dc6210b933e3ecf1f35b/showthread.php?t=18024&page=14
/js/archives/3f635a090e73f9b/showthread.php?t=6636&page=18
/59cdf39001a623620bd7976a42dde55f190382060a264e21809fc51f/ff0a503d59ddb4d5e1fb663b6475dfe0ba08f0b84ce8692d/viewtopic.php?f=84&t=48361
/615147354246727/339824645925013/nqHgct4sEE/showthread.php?t=51299&page=20
/2012/04/22/present-measure-physical-examination



(for those who would like to build their regexp, more patterns are available here: https://raw.githubusercontent.com/Kafeine/public/master/Nebula_URI )
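
For defenders building that regexp, a matcher for the earlier, query-only landing pattern listed first above, as an added example rather than the author's own rule. The length bounds and the mixed-character check are inferred only from the twelve samples on this page; the proxy log format, client addresses, host names and benign URLs are constructed. It does not cover the new path-style pattern.

```python
import re
from urllib.parse import urlsplit

# Inferred from the twelve samples in the post (assumption): a bare "/?"
# landing with a single parameter, key of 8-18 base64url characters and a
# value of exactly 56 base64url characters. No "index.php" in the path.
OLD_NEBULA_LANDING = re.compile(
    r"^/\?([A-Za-z0-9_-]{8,18})=([A-Za-z0-9_-]{56})$"
)

# Three of the URIs quoted in the post, used as positive samples.
PAGE_SAMPLES = [
    "/?yXy3HX2F=tCu_Mj322aEBSXjYhatLoVmBgZJh_0Fg_wX_zQYxIg6nksDowOciFzNB",
    "/?z1fECTiT=sy7tYmz206FUGCvagKpK9VmGhMAxrxZq_1CungQwdF71ksDowOciFzNB",
    "/?zWnBFniM=4Ca9Zjej0PRTGC3e06FJp1nVjJA1rBRpqleumABkJF2hksTllrB3EGRM",
]

# Constructed proxy log: "<client> <method> <url>". Hosts are placeholders.
SAMPLE_PROXY_LOG = "\n".join([
    "10.0.0.5 GET http://landing.invalid" + PAGE_SAMPLES[0],
    "10.0.0.5 GET http://news.example/?utm_source=newsletter",
    # Same shape as the pattern, but a lowercase hex session token.
    "10.0.0.7 GET http://app.example/?session_id="
    "0123456789abcdef0123456789abcdef0123456789abcdef01234567",
    # New-style URI from the post: out of scope for this matcher.
    "10.0.0.8 GET http://landing.invalid/2006/08/05/fur-copper-shark",
    "10.0.0.9 GET http://landing.invalid" + PAGE_SAMPLES[1],
    "truncated-record",
])


def looks_random(token):
    """Every sampled value mixes lowercase, uppercase and digits; requiring
    all three drops hex digests and word-like tokens (assumption)."""
    return (any(c.islower() for c in token)
            and any(c.isupper() for c in token)
            and any(c.isdigit() for c in token))


def match_old_landing(url):
    """True if the URL's path and query match the earlier landing shape."""
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    m = OLD_NEBULA_LANDING.match(target)
    return bool(m) and looks_random(m.group(2))


def scan(log):
    """Return (client, url) for every log line matching the old pattern."""
    hits = []
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed records
        client, _method, url = fields
        if match_old_landing(url):
            hits.append((client, url))
    return hits


if __name__ == "__main__":
    for client, url in scan(SAMPLE_PROXY_LOG):
        print(client, url)
```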


2017-03-02 Nebula with its new pattern used here to drop Ramnit via Malvertising in NA - 2017-03-02

This landing pattern change triggered the publication of this post. Nebula might end up not being a "vapor" EK but let's wait and see. The only difference with Sundown till today was its internal TDS.

Exploits:
CVE-2014-6332 + CVE-2015-0016
CVE-2013-2551
CVE-2016-0189 godmode
CVE-2015-8651
CVE-2015-7645
CVE-2016-4117

Files:  Nebula_2017-03-02 (2 fiddler - password is malware)

Acknowledgement :
Thanks Joseph C Chen and Brooks Li (Trendmicro),  Frank Ruiz (Fox-IT InTELL) and Andrew Komarov ( InfoArmor Inc. ) for the help on different aspect of this post.

Edit:
2017-03-03 Corrected some CVE id + not all payload are in clear
---
Some IOCs



2017/02/26apologycattle.gramsunshinesupply.club93.190.141.39Nebula
2017/02/26budgetdegree.maskobjectivebiplane.trade93.190.141.200Nebula
2017/02/26competitionseason.numberdeficitc-clamp.site93.190.141.39Nebula
2017/02/26customergazelle.cyclonesoybeanpossibility.bid93.190.141.39Nebula
2017/02/26decembercommission.divingfuelsalary.trade93.190.141.200Nebula
2017/02/26distributionfile.edgetaxprice.site93.190.141.45Nebula
2017/02/26equipmentwitness.maskobjectivebiplane.trade93.190.141.200Nebula
2017/02/26invoiceburst.cyclonesoybeanpossibility.bid93.190.141.39Nebula
2017/02/26invoicegosling.edgetaxprice.site93.190.141.45Nebula
2017/02/26jailreduction.edgetaxprice.site93.190.141.45Nebula
2017/02/26rainstormpromotion.gramsunshinesupply.club93.190.141.39Nebula
2017/02/26startguarantee.gramsunshinesupply.club93.190.141.39Nebula
2017/02/27afforddrill.xzv4rzuctndfo.club93.190.141.45Nebula
2017/02/27approveriver.jsffu2zkt5va.trade93.190.141.45Nebula
2017/02/27burglarsatin.jsffu2zkt5va.trade93.190.141.45Nebula
2017/02/27distributionfile.edgetaxprice.site93.190.141.45Nebula
2017/02/27invoicegosling.edgetaxprice.site93.190.141.45Nebula
2017/02/27jailreduction.edgetaxprice.site93.190.141.45Nebula
2017/02/27lipprice.edgetaxprice.site93.190.141.45Nebula
2017/02/27marginswiss.divingfuelsalary.trade93.190.141.200Nebula
2017/02/27outputfruit.divingfuelsalary.trade93.190.141.200Nebula
2017/02/27rainstormpromotion.gramsunshinesupply.club93.190.141.39Nebula
2017/02/27reindeerprofit.divingfuelsalary.trade93.190.141.200Nebula
2017/02/27reminderdonna.divingfuelsalary.trade93.190.141.200Nebula
2017/02/27startguarantee.gramsunshinesupply.club93.190.141.39Nebula
2017/02/27supplyheaven.gramsunshinesupply.club93.190.141.39Nebula
2017/02/27transportbomb.gramsunshinesupply.club93.190.141.39Nebula
2017/02/28afforddrill.xzv4rzuctndfo.club93.190.141.45Nebula
2017/02/28agesword.alvdxq1l6n0o.stream93.190.141.166Nebula
2017/02/28authorparticle.390a20778a68d056c40908025df2fc4e.site93.190.141.45Nebula
2017/02/28bakermagician.alvdxq1l6n0o.stream93.190.141.166Nebula
2017/02/28bombclick.alvdxq1l6n0o.stream93.190.141.166Nebula
2017/02/28burglarsatin.jsffu2zkt5va.trade93.190.141.45Nebula
2017/02/28certificationplanet.87692f31beea22522f1488df044e1dad.top93.190.141.45Nebula
2017/02/28chooseravioli.87692f31beea22522f1488df044e1dad.top93.190.141.45Nebula
2017/02/28coachadvantage.reportattackconifer.site93.190.141.39Nebula
2017/02/28databasesilver.reportattackconifer.site93.190.141.39Nebula
2017/02/28date-of-birthtrout.87692f31beea22522f1488df044e1dad.top93.190.141.45Nebula
2017/02/28dependentswhorl.jsffu2zkt5va.trade93.190.141.45Nebula
2017/02/28derpenquiry.87692f31beea22522f1488df044e1dad.top93.190.141.45Nebula
2017/02/28domainconsider.mxkznekruoays.trade93.190.141.200Nebula
2017/03/01agesword.alvdxq1l6n0o.stream93.190.141.166Nebula
2017/03/01authorparticle.390a20778a68d056c40908025df2fc4e.site93.190.141.45Nebula
2017/03/01bakermagician.alvdxq1l6n0o.stream93.190.141.166Nebula
2017/03/01bombclick.alvdxq1l6n0o.stream93.190.141.166Nebula
2017/03/02actressheight.knowledgedrugsaturday.club93.190.141.45Nebula
2017/03/02agesword.alvdxq1l6n0o.stream93.190.141.166Nebula
2017/03/02applywholesaler.tboapfmsyu.stream93.190.141.200Nebula
2017/03/02approvepeak.knowledgedrugsaturday.club93.190.141.45Nebula
2017/03/02bakermagician.alvdxq1l6n0o.stream93.190.141.166Nebula
2017/03/02bombclick.alvdxq1l6n0o.stream93.190.141.166Nebula
2017/03/02borrowfield.77e1084e.pro93.190.141.45Nebula
2017/03/02boydescription.356020817786fb76e9361441800132c9.win93.190.141.39Nebula
2017/03/02buglecommand.textfatherfont.info93.190.141.39Nebula
2017/03/02buysummer.77e1084e.pro93.190.141.45Nebula
2017/03/02captaincertification.77e1084e.pro93.190.141.45Nebula
2017/03/02chargerule.textfatherfont.info93.190.141.39Nebula
2017/03/02cityacoustic.textfatherfont.info93.190.141.39Nebula
2017/03/02clickbarber.356020817786fb76e9361441800132c9.win93.190.141.39Nebula