Monthly Archives: October 2017

National Cyber Security Awareness Month

Although National Cyber Security Awareness Month is coming to a close, COMPASS maintains a commitment to raising cyber security awareness throughout the year. The following are this year’s top blog posts that demonstrate ways to implement cyber security risk management in your organization and minimize the threats you may face.

  1. A Risk Manager’s Approach to Cyber Security 

Cyber security threats arguably pose the greatest danger to an organization’s risk management strategy. Risk managers should leverage their organization’s existing risk governance processes and methodologies to effectively analyze and manage cyber threats.

  2. Top 10 Assessment Findings

Although COMPASS’ client base is highly diverse, there are common findings we encounter on almost every single engagement. They are grouped by our approach to cyber security risk management which focuses on the 3 pillars of cyber security – people, policy and technology.

It is important for organizations to regularly assess not only their technical infrastructure, but also their organizational security awareness and policies. Organizations that fail to perform periodic assessments risk leaving themselves exposed to hackers who can exploit these vulnerabilities or negligent insiders who expose data unintentionally.

  3. 5 Steps to Develop a Security Program

Developing a practical and effective cyber security plan is vital to incorporating security into your organization’s risk management strategy. A common misconception is that a cyber security plan is lengthy and difficult to follow. However, that does not have to be the case. COMPASS recommends 5 steps for your cyber security plan.

  4. Business Email Compromise

Business Email Compromise (BEC) scams remain a prominent threat and will continue to be used in targeted attacks. The victims of BEC attacks range from small businesses to large corporations, and all employees should be aware of the dangers. Organizations that use robust prevention techniques have proven highly successful in recognizing and deflecting BEC attempts.


If you have any questions or would like to discuss the unique cyber threats your organization faces, please CONTACT US.

Protecting Critical Infrastructure from Cyber Threats

We’ve made it to week five of National Cyber Security Awareness Month (NCSAM)! The theme this week is “Protecting Critical Infrastructure from Cyber Threats.” The basic infrastructure that supports our daily lives is deeply dependent on the Internet, and, therefore, continually exposed to the risk of new threats and cyber attacks. As security breaches grow in frequency and sophistication every day, it’s crucial to build resiliency and then take steps to protect critical infrastructure to remain safe and secure online.

During the last week of NCSAM, the experts at Connection would like to remind you of the importance of identifying current and future strategies to protect your infrastructure and manage your risk. Cyber security is one of the biggest challenges organizations face today. Regardless of size or industry, every organization must ask itself: is my security strategy up to date? If your organization is looking to stay on the front line of cyber security, it’s imperative to know how an end-to-end risk management strategy can help you properly secure your infrastructure.

Our security experts have an abundance of experience, and several areas of expertise we can put to work for you. We are committed to keeping your organization safe and secure, and can help design, deploy, and support solutions to address your critical risks and defend your critical infrastructure. For more information, contact one of our security experts today!

The post Protecting Critical Infrastructure from Cyber Threats appeared first on Connected.

NCSAM, Week Five: Protecting Critical Infrastructure

It’s Week 5 of National Cyber Security Awareness Month (NCSAM). This week, the focus is on protecting critical infrastructure—the essential systems that support our daily lives such as the electric grid, financial institutions, and transportation. Unfortunately, attacks on critical infrastructure have become a concern worldwide. A devastating attack isn’t just a theoretical possibility anymore. As we’ve recently seen with Equifax, and other security breaches in healthcare and other industries, the growing threat of serious attacks on critical infrastructure is real. These days, hackers have become much more formidable, and we will undoubtedly see more of these attacks in the future. It’s no longer a matter of if there will be another attack, but when. Let’s celebrate this last week of NCSAM by staying aware and being prepared.

Protecting your infrastructure requires constant vigilance and attention to evolving cyber attacks. Risk is inherent in everything we do, so trying to stay ahead of the cyber security curve is key. Our team of security experts can help you build a security strategy to detect, protect, and react to the complete threat lifecycle. The threats we all need to manage today evolve quickly, and we can help you minimize your risk and maximize your defenses to improve your cyber resiliency. For some expert insight on securing your critical infrastructure, give us a call and discover the Connection difference.

The post NCSAM, Week Five: Protecting Critical Infrastructure appeared first on Connected.

Introducing GoCrack: A Managed Password Cracking Tool

FireEye's Innovation and Custom Engineering (ICE) team released a tool today called GoCrack that allows red teams to efficiently manage password cracking tasks across multiple GPU servers by providing an easy-to-use, web-based real-time UI (Figure 1 shows the dashboard) to create, view, and manage tasks. Simply deploy a GoCrack server along with a worker on every GPU/CPU capable machine and the system will automatically distribute tasks across those GPU/CPU machines.

Figure 1: Dashboard

As readers of this blog probably know, password cracking tools are an effective way for security professionals to test password effectiveness, develop improved methods to securely store passwords, and audit current password requirements. Some use cases for a password cracking tool can include cracking passwords on exfil archives, auditing password requirements in internal tools, and offensive/defensive operations. We’re releasing GoCrack to provide another tool for distributed teams to have in their arsenal for managing password cracking and recovery tasks.

Keeping in mind the sensitivity of passwords, GoCrack includes an entitlement-based system that prevents users from accessing task data unless they are the original creator or the creator has granted them access to the task. Modifications to a task, viewing of cracked passwords, downloading a task file, and other sensitive actions are logged and available for auditing by administrators. Engine files (files used by the cracking engine) such as dictionaries, mangling rules, etc. can be uploaded as “Shared”, which allows other users to use them in tasks without granting them the ability to download or edit them. This allows sensitive dictionaries to be used without their contents being viewable.

Figure 2 shows a task list, Figure 3 shows the “Realtime Status” tab for a task, and Figure 4 shows the “Cracked Passwords” tab.

Figure 2: Task Listing

Figure 3: Task Status

Figure 4: Cracked Passwords Tab

GoCrack ships with support for hashcat v3.6+, requires no external database server (it stores its state in a flat file), and includes support for both LDAP and database-backed authentication. In the future, we plan on adding support for MySQL and Postgres database engines for larger deployments, the ability to manage and edit files in the UI, automatic task expiration, and greater configuration of the hashcat engine. We’re shipping Dockerfiles to help users get started with GoCrack. The server component can run on any Linux server with Docker installed. Users with NVIDIA GPUs can use NVIDIA Docker to run the worker in a container with full access to the GPUs.

GoCrack is available immediately for download along with its source code on the project's GitHub page. If you have any feature requests, questions, or bug reports, please file an issue in GitHub.

ICE is a small, highly trained team of engineers that incubates and delivers capabilities that matter to our products, our clients and our customers. ICE is always looking for exceptional candidates interested in solving challenging problems quickly. If you’re interested, check out FireEye careers.


In Tanzania, the use of ICT (TEHAMA) has continued to grow in many different areas. This has continued to make essential services easier to access and has enabled people to keep communicating with ease.

Various industries and institutions have continued to use ICT to improve efficiency and reach many people in a short time. Financial transactions, tax collection and communications are just some of the things that ICT enables in the country.

The security of ICT systems is one of the most important areas in which Tanzania must invest in order to protect itself against any kind of cybercrime that could make essential services unavailable and ultimately destabilize the country’s economy.

STATISTICS: Tanzania has installed 27,000 km of optic fiber connecting all regions and it has 7 mobile operators – about 94% network coverage, 85% SIM penetration and 40% internet users.

The annual general meeting of ICT professionals in Tanzania, held at the end of last week (26–27 October 2017) in Dar es Salaam, discussed cyber security; several papers focused on educating participants about the best ways to strengthen the security of our systems were presented and discussed.

Personally, I spoke to participants about the best way to protect the data held on our phones and laptops (Protecting Mobile Device Data), since these devices are now used to carry out office work and transactions, and that data has become important to protect against cybercriminals.

QUOTE: “Companies today allow individuals to make use of their own mobile devices to perform their jobs with direct access to the organization’s sensitive data – therefore, the data on our mobile devices is very important for the operations and financial well-being of our business.” – Yusuph Kileo.

It has become common to read office email on our mobile phones and to do office work on personal laptops from many different places, all of which puts important work data at risk of falling into the hands of cybercriminals if appropriate steps to protect it are not taken.

FROM LEFT: Yusuph Kileo (member of the AfICTA board of directors), Prof. Mike Hinchey (President of IFIP), Samson Mwela (Director General of the ICT Commission), Prof. Rai (head of the University of Zanzibar - SUZA) and Neema Sinare (President of ISACA)

Furthermore, these devices can be stolen, putting this important data at risk of misuse. Protecting this data is therefore the responsibility of every user.

Great care should be taken with the applications we install on our phones, because various studies we have continued to carry out at the global level have found that a large percentage of applications have a habit of stealing users’ data and using it however they wish.

Non-sanctioned applications create a risk for mobile devices and for enterprises.
October 2016 – The top 10 Flash apps were discovered to be malware.
February 2017 – According to Cisco, 27% of 222,000 assessed applications present a high risk.
May 2017 – Hundreds of apps investigated were all found to have serious snooping and spying characteristics.


Various efforts have been made, including the 2014 agreement directing every application to state briefly what it will provide to the user for free and what it will collect from the user, while giving the user the opportunity to accept or decline. We also urged application developers to make sure they protect their applications so that cybercriminals cannot break into them and misuse them to commit crimes.

Other speakers pointed out various cyber security shortcomings found in the country and urged the nation to tighten its belt further.

Overall, raising awareness among internet users so that they use networks properly, adding to our experts’ skills, strengthening cooperation in controlling cybercrime incidents, removing unnecessary bureaucracy in dealing with cybercrime, having the right people in the right places to control cybercrime, and having the right, robust tools to combat cybercrime were among the things seen as needing work in order to make progress against cybercrime in the country.

Cybercrime incidents that strike one institution should not be repeated at another – that was my call to all participants. Reporting cybercrime incidents so that they can be resolved is also important, because hiding this information while the incidents keep recurring can allow online financial losses to keep growing, and this has a major impact on the national economy.

A call was made to our universities in the country to move away from outdated systems that lag behind the times, by re-examining themselves and preparing curricula that can produce professionals capable of combating cybercrime in the country.

The New Security Reality

It’s week 4 of National Cyber Security Awareness Month (NCSAM). Each week of NCSAM is dedicated to a specific cybersecurity theme. The theme this week is “The Internet Wants YOU: Consider a Career in Cyber Security.”

With the continuous state of change in the global threat landscape, organizations face cyber attacks and security breaches that are growing in frequency and sophistication every day. But now, consider this: according to a study by the Center for Cyber Safety and Education, there will be a shortage of 1.8 million information security workers by 2022. This gap should be of great concern to organizations.

Skilled people make the difference in protecting sensitive data, so it’s more critical than ever that organizations begin to attract and retain the cybersecurity talent needed to defend against the evolving threat landscape. At Connection, we help inspire individuals coming out of universities to engage in co-op or intern-related opportunities, and I strongly encourage other organizations to see what they can do to help young people today who are really interested in building their skills in this area.

The figures don’t lie. The demand for cyber security will only continue to grow. Through local collaborative efforts between employers, training providers, and community leaders, we can ensure individuals have the opportunity to build on their tech knowledge and participate in a secure, thriving economy.

The post The New Security Reality appeared first on Connected.

Employee Security Awareness Training

Because humans are often the weakest link when it comes to cyber security, it is critically important to integrate employee security awareness training into your cyber security action plan. By educating employees on best practices, policies, procedures, popular attack methods and trends, organizations can significantly reduce their risk of a data breach.

Increasing your investment in cyber security awareness training can decrease the threat of a cyberattack by 45% to 70%. Common and effective employee training methods include:

  • On-boarding – When a new employee joins your organization, immediately make them aware of cyber security best practices your organization requires. This will create a strong cyber security posture throughout the employee’s lifespan.
  • Mock phishing exercises – Phishing attacks are one of the most common forms of social engineering that can harm businesses. By employing these exercises organizations can test their email platform and see how their employees would react in a real-life scenario.
  • Webinars – Webinars on cyber security trends give employees a chance to ask questions and hear firsthand of the importance of keeping data secure. These interactive sessions empower employees with the information necessary to support the organization’s goal of protecting its sensitive data.
  • Policy check surveys – Regularly testing the knowledge of employees is important to their understanding of company policies and procedures. These can identify and prioritize gaps that should be addressed in further employee training sessions. In addition, these surveys and their results will be important if your organization is audited or breached.
  • Regularly discuss cyber security with employees – Make cyber security part of your workplace culture so that employees are regularly acting with the organization’s best interests in mind. Proactively address employee negligence as it is one of the top causes of security incidents.
  • Incident response plan – Ensure employees are aware of their role in the company’s incident response plan. Practice this plan quarterly so in the event of a breach your organization can respond quickly and comprehensively to minimize the impact and associated costs.
  • Onsite training – Providing face-to-face security awareness training on cyber best practices and company policies and procedures gives employees an opportunity to ask questions and learn from experienced personnel.

Proactively training employees before an information security incident is critical to protecting the future of your business. Create policies and guidelines that assume your company will be targeted by cybercriminals and make sure employees know the appropriate actions that are necessary to keep the company’s data safe. Implementing employee training in your organization at least quarterly is one of the best and most cost-effective ways to reduce cyber security risks.

For more information on employing training in your workplace, please contact us.

Cyber Security Careers Are in High Demand

October is National Cyber Security Awareness Month, which is an annual campaign to raise awareness about the importance of cyber security. Week 4 of NCSAM is all about the growing field of cyber security and why you might want to consider this career.

It’s impossible to overstate the importance of security in today’s digital world. Cyber attacks are growing in frequency and sophistication every day, and a key risk to our economy and security is the lack of professionals to protect our growing networks. According to a study by the Center for Cyber Safety and Education, by 2022, there will be a shortage of 1.8 million information security workers. So, it’s critical that we begin now to prepare our students—and any others who are interested in making a career move—to fill these gaps. Many colleges and universities have developed information assurance programs that help technical, security-minded students achieve a great foundation in this industry. We also challenge corporations to offer intern and co-op opportunities for students in these degree programs, so they can see what security looks like in practical, business-world applications.

Connection is committed to promoting cyber security and online safety. Join Connection during Week 4 of NCSAM, as we explore cyber security as a viable and rewarding profession and encourage people from all backgrounds to see information security as an essential career path.

The post Cyber Security Careers Are in High Demand appeared first on Connected.

New FakeNet-NG Feature: Content-Based Protocol Detection

I (Matthew Haigh) recently contributed to FLARE’s FakeNet-NG network simulator by adding content-based protocol detection and configuration. This feature is useful for analyzing malware that uses a protocol over a non-standard port; for example, HTTP over port 81. The new feature also detects and adapts to SSL so that any protocol can be used with SSL and handled appropriately by FakeNet-NG. We were motivated to add this feature since it was a feature of the original FakeNet and it was needed for real world malware.

What is FakeNet-NG

FakeNet-NG simulates a network so malware analysts can run samples with network functionality without the risks of an Internet connection. Analysts can examine network-based indicators via FakeNet-NG’s textual and pcap output. It is plug-and-play, configurable, and works on both Windows and Linux. FakeNet-NG simulates common protocols to trick malware into thinking it is connected to the Internet. FakeNet-NG supports the following protocols: DNS, HTTP, FTP, POP, SMTP, IRC, SSL, and TFTP.

Previous Design

Previously FakeNet-NG employed Listener modules, which were bound to configurable ports for each protocol. Any traffic on those ports was received by the socket and processed by the Listener. 

In the previous architecture, packets were redirected using a Diverter module that utilized WinDivert for Windows and netfilter for Linux. Each incoming and outgoing packet was examined by the Diverter, which kept a running list of connections. Packets destined for outbound ports were redirected to a default Listener, which would respond to any packet with an echo of the same data. The Diverter also redirected packets based on whether FakeNet-NG was run in Single-Host or Multi-Host mode, and if any applications were blacklisted or whitelisted according to the configuration. It would simply release the packet on the appropriate port and the intended Listener would receive it on the socket.

New Design

My challenge was to eliminate this port/protocol dependency. In order to disassociate the Listeners from the corresponding ports, a new architecture was needed. The first challenge was to maintain Listener functionality. The original architecture relied on Python libraries that interact with the socket. Therefore, we needed to maintain “socket autonomy” in the Listener, so we added a “taste()” function for each Listener. The routine returns a confidence score based on the likelihood that the packet is associated with the protocol. Figure 1 demonstrates the taste() routine for HTTP, which looks for the request method string at the beginning of the packet data. It gives an additional point if the packet is on a common HTTP port. There were several choices for how these scores were to be tabulated. It could not happen in the Diverter because of the TCP handshake. The Diverter could not sample data from data-less handshake packets, and if the Diverter completed the handshake, the connection could not easily be passed to a different socket at the Listener without disrupting the connection.

Figure 1: HTTP taste() example


We ultimately decided to add a proxy Listener that maintains full-duplex connections with the client and the Listener, with both sides unaware of the other. This solves the handshake problem and maintains socket autonomy at the Listener. The proxy is also easily configurable and enables new functionality. We substituted the proxy for the echo-server default Listener, which would receive traffic destined for unbound ports. The proxy peeks at the data on the socket, polls the Listeners, and creates a new connection with the Listener that returns the highest score. The echo-server always returns a score of one, so it will be chosen if no better option is detected. The analyst controls which Listeners are bound to ports and which Listeners are polled by the proxy. This means that the listeners do not have to be exposed at all; everything can be decided by the proxy. The user can set the Hidden option in the configuration file to False to ensure the Listener will be bound to the port indicated in the configuration file. Setting Hidden to True will force any packets to go through the proxy before accessing the Listener. For example, if the analyst suspects that malware is using FTP on port 80, she can ‘hide’ HTTP from catching the traffic, and let the proxy detect FTP and forward the packet to the FTP Listener. Additional configuration options exist for choosing which protocols are polled by the proxy. See Figure 2 and Figure 3 for configuration examples. Figure 2 is a basic configuration for a Listener, and Figure 3 demonstrates how the proxy is configurable for TCP and UDP.

Figure 2: Listener Configuration Options

Figure 3: Proxy Configuration Options

The proxy also handles SSL detection. Before polling the Listeners, the proxy examines the packet. If SSL is detected, the proxy “wraps” the socket in SSL using Python’s OpenSSL library. With the combination of protocol and SSL detection, each independent of the other, FakeNet-NG can now handle just about any protocol combination.

The proxied SSL implementation also allows for improved packet analysis. The connection between the proxy and the Listener is not encrypted, which allows FakeNet to dump un-encrypted packets to the pcap output. This makes it easier for the analyst to examine the packet data. FakeNet continues to produce pcap output that includes packet data before and after modification by FakeNet. While this results in repetitive data, it is often useful to see the original packet along with the modification.
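As an added illustration (not FakeNet-NG’s own code), the following Python models the pieces described above: per-protocol taste() scorers, the echo Listener’s constant score of one, the proxy choosing the highest scorer, the Hidden option, and a TLS record-header check standing in for the proxy’s SSL detection. The scoring weights, the names (Listener, dispatch, with_hidden, proxy_select) and the TLS heuristic are my assumptions.

```python
from typing import Callable, List, NamedTuple, Tuple

Taster = Callable[[bytes, int], int]

# Constructed request-method and port tables; the real Listeners keep their own.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"TRACE ", b"CONNECT ", b"PATCH ")
HTTP_PORTS = {80, 8080, 8000, 8888}
FTP_COMMANDS = (b"USER ", b"PASS ", b"QUIT", b"RETR ", b"STOR ", b"LIST", b"PWD", b"CWD ")
FTP_PORTS = {21}

# Assumed weights: a content match scores 2 so that a protocol seen on an
# unusual port (HTTP on 81) still beats the echo server's constant 1; the
# "common port" bonus adds 1, as the text describes for HTTP.
CONTENT_MATCH = 2
PORT_BONUS = 1


def taste_http(data: bytes, dport: int) -> int:
    """Confidence that the first bytes on the socket are an HTTP request."""
    score = CONTENT_MATCH if data.startswith(HTTP_METHODS) else 0
    if dport in HTTP_PORTS:
        score += PORT_BONUS
    return score


def taste_ftp(data: bytes, dport: int) -> int:
    """Confidence that the first bytes are an FTP control-channel command."""
    score = CONTENT_MATCH if data.upper().startswith(FTP_COMMANDS) else 0
    if dport in FTP_PORTS:
        score += PORT_BONUS
    return score


def taste_echo(data: bytes, dport: int) -> int:
    """The default echo Listener always answers 1, so it wins only by default."""
    return 1


def looks_like_tls(data: bytes) -> bool:
    """Heuristic stand-in for the proxy's SSL detection: a TLS record header
    with ContentType=handshake (0x16) and a 3.x protocol version."""
    return len(data) >= 5 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04


class Listener(NamedTuple):
    name: str
    port: int       # port from the Listener's configuration section
    hidden: bool    # Hidden=True: never bound; reachable only through the proxy
    polled: bool    # whether the proxy asks this Listener's taste()
    taste: Taster


# Constructed configuration: HTTP is bound to 80, FTP is hidden behind the proxy.
DEMO_LISTENERS: List[Listener] = [
    Listener("HTTP", 80, hidden=False, polled=True, taste=taste_http),
    Listener("FTP", 21, hidden=True, polled=True, taste=taste_ftp),
]


def with_hidden(listeners: List[Listener], name: str, hidden: bool) -> List[Listener]:
    """Return a copy of the configuration with one Listener's Hidden flag changed."""
    return [l._replace(hidden=hidden) if l.name == name else l for l in listeners]


def proxy_select(data: bytes, dport: int, listeners: List[Listener]) -> str:
    """Poll the tasters and hand the connection to the highest scorer;
    the echo server is the fallback because its 1 is never beaten by a 0."""
    best_name, best_score = "echo", taste_echo(data, dport)
    for lst in listeners:
        if not lst.polled:
            continue
        score = lst.taste(data, dport)
        if score > best_score:
            best_name, best_score = lst.name, score
    return best_name


def dispatch(data: bytes, dport: int, listeners: List[Listener]) -> Tuple[str, bool]:
    """Model of where a new connection ends up: (listener name, TLS detected).
    A Listener bound to dport (Hidden=False) takes the connection directly,
    whatever the payload looks like; everything else lands on the proxy."""
    for lst in listeners:
        if not lst.hidden and lst.port == dport:
            return lst.name, False
    if looks_like_tls(data):
        # The real proxy wraps the socket in SSL here and tastes the
        # decrypted stream; decryption is outside this model, so report it.
        return "proxy-ssl-wrap", True
    return proxy_select(data, dport, listeners), False


if __name__ == "__main__":
    # HTTP on port 81 (the clowncar case): nothing is bound there, proxy picks HTTP
    print(dispatch(b"GET / HTTP/1.1\r\nHost: x\r\n\r\n", 81, DEMO_LISTENERS))
    # FTP on port 80: the bound HTTP Listener catches it ...
    print(dispatch(b"USER anonymous\r\n", 80, DEMO_LISTENERS))
    # ... unless the analyst hides HTTP, so the proxy detects FTP instead
    print(dispatch(b"USER anonymous\r\n", 80, with_hidden(DEMO_LISTENERS, "HTTP", True)))
```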


Figure 4 shows verbose (-v) output from FakeNet on Windows responding to an HTTP request on port 81 from a clowncar malware variant (SHA-256 8d2dfd609bcbc94ff28116a80cf680660188ae162fc46821e65c10382a0b44dc). Malware such as clowncar use traditional protocols over non-standard ports for many reasons. FakeNet gives the malware analyst the flexibility to detect and respond to these cases automatically.

Figure 4: clowncar malware using HTTP on port 81


FLARE’s FakeNet-NG tool is a powerful network-simulation tool available for Windows and Linux. The new content-based protocol detection and SSL detection features ensure that FakeNet-NG remains the most useful tool for malware analysts. Configuration options give programmers the flexibility necessary to respond to malware using most protocols on any port.

WPA2 Hacks and You

The world has been rocked once again with a serious flaw in a basic security mechanism that we all take for granted to keep us safe and secure. According to Dark Reading, researchers at Belgium’s University of Leuven have uncovered as many as 10 critical vulnerabilities in the Wi-Fi Protected Access II (WPA2) protocol used to secure Wi-Fi networks. This is a protocol that—as we have all learned over the last several years—must be configured to keep us safe.

The key reinstallation attack—or KRACK—impacts all modern wireless networks using the WPA2 protocol. The flaw gives attackers the ability to decrypt data packets, so that private (encrypted) communication is no longer private. Although the flaw requires the attacker to be in close proximity to the network to execute, this is especially bad news for those with far-reaching wireless signals—such as hotel and hospital lobbies—where an attacker can just sit down and work their trade.

The Vulnerability Notes Database provides a summary and detailed description of the vulnerabilities. It includes a list of vendors who may be affected by the vulnerability, and a status field indicating whether the vendor has any products that are affected.

What can you do?

Vendors are currently identifying their affected products and working on patches to address this attack. In the meantime, here are a few things you can do to keep your information safe:

  1. Apply patches as they are released
  2. Pay careful attention to your wireless environment
  3. Watch for people and technology that look out of place
  4. Utilize a trusted VPN solution
  5. When possible, transfer data over an encrypted channel—such as HTTPS
  6. Restrict sensitive information that would normally pass over a wireless network
  7. And, as always, it’s a good practice to monitor access logs and wireless traffic to look for anomalies in standard business communication

How has this Wi-Fi vulnerability affected your organization? Leave a comment below to share your experience and any additional advice you have for staying protected.

The post WPA2 Hacks and You appeared first on Connected.

Shut Down Unlikely Attack Vectors in Your Organization

As a security professional, I probably take security more seriously than most. But when we start talking about the Internet of Things (IoT), the science fiction buff in me comes to the forefront a little bit. While we don’t want any kind of attacks to happen to our organizations, it can be a little fun to imagine the crazy ways hackers can use mundane appliances to hack into a network.

For example, earlier this year, a North American casino was hacked through a smart fish tank. Since the equipment in the tank was connected to the Internet, attackers were able to use that as their vector for network access. Fortunately, the breach was discovered quickly afterward—and you never want to hear about security breaches like this, but it certainly does make for a unique story.

That highlights the risks that are out there today. If you’re connected to the Internet, you are vulnerable to attacks. With IoT and the proliferation of smart devices, we’re starting to see some creativity from hackers that is not necessarily being counteracted with the appropriate level of security controls. That fancy fish tank certainly didn’t have the appropriate level of security controls. Having “regular” devices connect to the Internet can bring flexibility and manageability, but it also opens up more vulnerabilities.

That risk is something that everybody needs to understand. Basically, like any good risk owner, you need to think about what device you have, how it’s connecting, where it’s connecting to, and whether or not that connection has a level of security that meets your policy and control expectations. Honestly, what I’ve seen is that because of the easy and seamless connectivity of these smart devices, a lot of organizations are not thinking about necessary security measures. They aren’t quite seeing that a fish tank or a biomedical device or even an HVAC system can be just as vulnerable to attack as a server or application.

So how do you keep your network and data safe and still take advantage of the benefits of the IoT? Employ the same techniques I spoke of last week: protect, detect, and react. Assess, document, and validate risks. Make sure that you have a complete and total information security risk management or risk governance program. Apply these techniques and programs to every single device on your network, no matter how low-level it may seem. Something as normal as a thermostat or refrigerator could be a gateway for a hacker.

Our experts can help you assess your environment for risks and vulnerable points in your network, and help you put together a comprehensive security program that doesn’t leave out anything—even your lobby fish tank or break room fridge.

The post Shut Down Unlikely Attack Vectors in Your Organization appeared first on Connected.

Mobile Device Management

Mobile Device Management (MDM) is a great method to ensure that your employees remain productive and do not violate any corporate policies. In the ever-expanding Bring Your Own Device (BYOD) world, more organizations are allowing employees the freedom to work from their own mobile devices. Tablets, smart phones, and personal laptops are taking a larger and larger space on corporate networks.

While there are numerous advantages to a BYOD environment, allowing personal devices onto a corporate network introduces a variety of security threats. A Mobile Device Management solution helps in securing that environment.

Here are 5 tips you should implement when securing your devices with an MDM approach:

  1. Require standards for password strength – Make sure that your MDM is configured to require device passcodes that meet or exceed guidelines concerning length, complexity, retry and timeout settings for the appropriate device.
  2. Device Update Compliance – Set a minimum required version for employee mobile devices. This will require that employee devices are kept updated and restrict devices that do not comply with this setting.
  3. Prevent Jail-breaking – Prevent jail-broken or ‘rooted’ mobile devices. Allowing these devices could add an additional attack vector as many ‘rooted’ or jail-broken devices install third-party app stores that may contain malicious apps. Preventing these devices helps secure access to company data.
  4. Require usage of signed apps and certificates – Use your MDM to screen any mobile devices for suspicious applications before allowing access to company resources. These could be email programs, mobile apps, and networks (Wi-Fi or company VPN access). As with jail-broken devices, unsigned apps and certificates may allow malware to infect the device.
  5. Seek Employee BuyIn – Prior to allowing a user device onto your network, require the user acknowledge and accept basic corporate policies. Make sure that the user understands that company administrators will be able to revoke and/or restrict access to devices that don’t comply with company policy.

The best idea is to decide your corporate strategy and then choose a MDM solution that fits your project. For more information on mobile device security, download our iPhone and Android Security Guides. If you would like to begin a conversation about Mobile Device Management, please CONTACT US.

A Massive Cyber Breach at a Company Whilst it was Considering the ‘Cloud’

(A Must-Read for all CEOs, CFOs, CIOs, CISOs, Board Members & Shareholders Today)


Today was supposed to be an exciting Friday morning at a Multi-Billion $ organization since the world's top Cloud Computing companies were going to make their final pitches to the company's C-Suite today, as it was considering moving to the "Cloud."

With Cloud Computing companies spending billions to market their latest Kool-Aid to organizations worldwide (even though much of this may actually not be ready for mission-critical stuff), how could this company too NOT be considering the Cloud?

The C-Suite Meeting

Today was a HUGE day for this multi-billion dollar company, for today after several months of researching and evaluating their choices and options, the company's leadership would finally be deciding as to which Cloud Computing provider to go with.

This meeting is being chaired by the Chairman of the Board and attended by the following organizational employees -

  1. Chief Executive Officer (CEO)
  2. Chief Financial Officer (CFO)
  3. Chief Information Officer (CIO)
  4. Chief Information Security Officer (CISO)

Also in attendance are about a dozen Vice Presidents, representing Sales, Marketing, Research and Development etc.

Meeting In-Progress

After breakfast, the presentations began at 9:00 am. The organization's CIO kicked off the meeting, rattling off the numerous benefits that the company could enjoy by moving to the Cloud, and minutes later the Vice President of Cloud Computing from the first Cloud Computing company vying for their business started his presentation. His presentation lasted two hours.

The C-Suite then took a break for lunch.

The next presentation began at 1:00 pm and was expected to last till about 4:00 pm. The Vice President of Cloud Computing from the second Cloud Computing company had started her presentation and was almost an hour into it, when all of a sudden this happened...

... the CISO's assistant unexpectedly entered the room, went straight to the CISO and whispered something into his ear.

Everyone was surprised, and all eyes were on the CISO, who grimly asked his assistant - "Are you 100% sure?"  He said "Yes."

Houston, We Have a Problem

The CISO walked up to the CIO and whispered something into his ear. The CIO sat there in complete shock for a moment!

He then gathered himself and proceeded to request everyone except the C-Suite to immediately leave the conference room.

He told the Vice President of this Cloud Computing company - "Hopefully, we'll get back to you in a few weeks."

He then looked at the CEO and the Chairman of the Board, and he said - "Sir, we have a problem!"

It's Over

The CEO asked the CIO - "What's wrong? What happened?"

The CIO replied - "Sir, about 30 minutes ago, an intruder compromised the credentials of each one of our 20,000 employees!"

The CEO was almost in shock, and just couldn't believe what he had just heard, so he asked - "Everyone's credentials?!"

The CIO replied - "I'm afraid yes Sir, yours, mine, literally everyone's, including that of all our privileged users!"

The CEO could sense that there was more bad news, so he asked - "Is there something else I should know?"

The CIO replied - "Sir, 15 minutes ago, the intruder logged on as an Enterprise Admin, disabled the accounts of each one of our privileged users, and used Group Policy to deploy malicious software to each one of our 30,000 domain-joined computers! By now, he could have stolen, exfiltrated and destroyed the entirety of our digital assets! We may have lost literally everything!"

The CEO was shocked! They'd just been breached, and what a massive breach it was - "How could this have happened?"

Mimikatz DCSync 

The CIO turned to the CISO, who stepped in, and answered the question - "Sir, an intruder used a tool called Mimikatz DCSync to basically request and instantly obtain the credentials of every single user from our foundational Active Directory deployment."

The CEO asked - "What is Active Directory?"

The CISO replied - "Sir, simply put, it is the very foundation of our cyber security"

The CEO then asked - "Wait. Can just anyone request and extract credentials from Active Directory?"

The CISO replied - "Sir, not everyone can. Only those individuals who have sufficient access to do so, and by that I mean, specifically only those who have Get-Replication-Changes-All effective permissions on the domain root object, can do so."

The CEO then said - "This does not sound right to me. I'm no technical genius, but shouldn't we have known exactly who all have this, whatever you just said, er yes that Get-Replication-Changes-All effective permissions in our Active Directory?!"

The CISO replied - "Sir, it turns out that accurate determination of effective permissions in Active Directory is actually very difficult, and as a result it is almost impossible to figure out exactly who has these effective permissions on our domain root!"

The CEO figured it out - "So you're saying that the intruder had compromised the account of someone who was not on your radar and not supposed to have this access, but actually did, and the intruder used that access to steal everyone's credentials?"

The CISO replied - "That's right. It appears we did not know that this someone had sufficient access (i.e. effective permissions) to be able to replicate secrets from Active Directory, because it is very difficult to accurately figure this out in Active Directory."

The CEO was furious! - "You're kidding right?! Microsoft's spent billions on this new fad called the "Cloud", yet it doesn't even have a solution to help figure out something as vital as this in Active Directory? How long has Active Directory been around ?!

The CISO replied - "Seventeen years."

The CEO then said in disbelief - "Did you just say 17 years, as in S-E-V-E-N-T-E-E-N years?!  Get Satya Nadella on the line now! Perhaps I should #REFRESH his memory that we're a customer, and that we may have just lost a few B-I-L-L-I-O-N dollars!"

This is for Real

Make NO mistake about it. As amusing as it might sound, the scenario shared above is very REAL, and in fact today, most business and government organizations worldwide that operate on Active Directory have no idea as to exactly who has sufficient effective permissions to be able to replicate secrets out of their Active Directory. None whatsoever!

We can demonstrate the enactment of this exact scenario, and its underlying cause, to any organization that wishes to see it.

This Could've Been (and Can Be) Easily Prevented 

This situation could easily have been prevented, if this organization's IT personnel had only possessed the ability to adequately and accurately determine effective permissions in their foundational Active Directory deployments.

Sadly, since Microsoft apparently never educated its customers about the importance of Active Directory effective permissions, most of them have no clue, and in fact have no idea as to exactly who can do what across their Active Directory deployments!

Unfortunately, Mimikatz DCSync is just the Tip of the Iceberg. Today most organizations are likely operating in the dark and have no idea about the actual attack surface, and thus about exactly who can create, delete and manage the entirety of their domain user accounts, domain computer accounts, domain security groups, GPOs, service connection points (SCPs), OUs etc. even though every insider and intruder could try and figure this out and misuse this insight to compromise their security.

Technically speaking, with even just minimal education and the right tooling, here is how easy it is for organizations to figure this out and lock this down today, i.e. to lock this down before an intruder can exploit it to inflict colossal damage - RIGHT HERE.
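As an added example, not code from this post or from Paramount Defenses' tooling, the following Python shows the shape of the check involved. The right the post calls "Get-Replication-Changes-All" is the DS-Replication-Get-Changes-All extended right, and DCSync needs it together with DS-Replication-Get-Changes on the domain naming context; both schema GUIDs below are the standard ones. The ACE dump and the group map are constructed, and the evaluation is deliberately simplified (an explicit deny beats allows; inheritance, owner rights, AdminSDHolder and per-attribute rights are not modelled), which is exactly the gap that makes real effective-permission analysis harder than this.

```python
"""Added example, not code from the post or from Paramount Defenses: a simplified
audit of who can DCSync a domain. Input is a constructed ACE dump of the domain
root and a constructed group map, not a live directory."""
from collections import deque

# Schema GUIDs of the two extended rights DCSync needs on the domain naming context.
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"       # DS-Replication-Get-Changes
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"   # DS-Replication-Get-Changes-All
CONTROL_ACCESS = 0x00000100   # ADS_RIGHT_DS_CONTROL_ACCESS (extended right)
GENERIC_ALL = 0x10000000      # ADS_RIGHT_GENERIC_ALL

# Constructed ACEs on the domain root, trustee SIDs already resolved to names.
# object_type None means the ACE is not scoped to a single extended right.
DOMAIN_ROOT_ACES = [
    {"trustee": "CORP\\Domain Controllers", "type": "allow", "mask": CONTROL_ACCESS, "object_type": GET_CHANGES},
    {"trustee": "CORP\\Domain Controllers", "type": "allow", "mask": CONTROL_ACCESS, "object_type": GET_CHANGES_ALL},
    {"trustee": "CORP\\Domain Admins",      "type": "allow", "mask": GENERIC_ALL,    "object_type": None},
    # Left behind by a long-gone sync project; nobody on the team knows it is here.
    {"trustee": "CORP\\SVC-Sync-Tools",     "type": "allow", "mask": CONTROL_ACCESS, "object_type": GET_CHANGES},
    {"trustee": "CORP\\SVC-Sync-Tools",     "type": "allow", "mask": CONTROL_ACCESS, "object_type": GET_CHANGES_ALL},
    {"trustee": "CORP\\Helpdesk-L1",        "type": "allow", "mask": CONTROL_ACCESS, "object_type": GET_CHANGES},
    {"trustee": "CORP\\Helpdesk-L1",        "type": "deny",  "mask": CONTROL_ACCESS, "object_type": GET_CHANGES_ALL},
]

# Constructed group membership (group -> direct members); note the nesting.
GROUP_MEMBERS = {
    "CORP\\Domain Controllers": {"CORP\\DC01$"},
    "CORP\\Domain Admins": {"CORP\\da-alice"},
    "CORP\\SVC-Sync-Tools": {"CORP\\Helpdesk-L2"},
    "CORP\\Helpdesk-L2": {"CORP\\bob"},
    "CORP\\Helpdesk-L1": {"CORP\\carol"},
}
ALL_PRINCIPALS = ["CORP\\da-alice", "CORP\\bob", "CORP\\carol", "CORP\\dave", "CORP\\DC01$"]


def expand_principals(principal, members=GROUP_MEMBERS):
    """The principal plus every group it belongs to, transitively (its token)."""
    token, queue = {principal}, deque([principal])
    while queue:
        current = queue.popleft()
        for group, direct in members.items():
            if current in direct and group not in token:
                token.add(group)
                queue.append(group)
    return token


def ace_covers(ace, right_guid):
    """An ACE speaks to an extended right if it carries the control-access or
    GenericAll bit and is either unscoped or scoped to that right's GUID."""
    if not ace["mask"] & (CONTROL_ACCESS | GENERIC_ALL):
        return False
    return ace["object_type"] in (None, right_guid)


def has_effective_right(principal, right_guid, aces=DOMAIN_ROOT_ACES):
    """Simplified evaluation: gather ACEs for any trustee in the token; an explicit
    deny wins over allows (a canonical DACL lists explicit denies first).
    Not modelled: inheritance, owner rights, AdminSDHolder, per-attribute rights."""
    token = expand_principals(principal)
    hits = [a for a in aces if a["trustee"] in token and ace_covers(a, right_guid)]
    if any(a["type"] == "deny" for a in hits):
        return False
    return any(a["type"] == "allow" for a in hits)


def can_dcsync(principal, aces=DOMAIN_ROOT_ACES):
    """DCSync needs both replication rights on the domain root."""
    return all(has_effective_right(principal, g, aces) for g in (GET_CHANGES, GET_CHANGES_ALL))


def find_dcsync_capable(principals, aces=DOMAIN_ROOT_ACES):
    """Every principal in the list whose effective rights allow DCSync."""
    return {p for p in principals if can_dcsync(p, aces)}


if __name__ == "__main__":
    for p in ALL_PRINCIPALS:
        print(f"{p:24} DCSync: {can_dcsync(p)!s:5}  token: {sorted(expand_principals(p))}")
```

Running it lists CORP\da-alice, CORP\DC01$ and, less obviously, CORP\bob, who gets both rights only because Helpdesk-L2 is nested in SVC-Sync-Tools; carol holds one of the two rights and an explicit deny on the other, so she cannot. In a real domain the ACL and the membership graph both come out of LDAP, the evaluation has to honour inheritance and owner rights, and the same audit must cover every naming context, which is where hand-rolled scripts stop being enough.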

Oh, and you don't need to call Microsoft for this, although you certainly can and should. If you do, they'll likely have no answer, yet they might use even this to pitch you their latest toy, Microsoft ATA, and of course, their Cloud offering, Microsoft Azure.

Wait, weren't these C*O discussing the Cloud (and likely Microsoft Azure) just a few hours (and a few billion dollars) ago?!

Fast-Forward Six Months

Unfortunately, given the massive scale of this breach, the company did not survive the attack, and had to declare bankruptcy. The C*Os of this company are still looking for suitable employment, and its shareholders ended up losing billions of dollars.

All of this could've been prevented, if they only knew about something as elemental as this, and had the ability to determine this.


The moral of the story is that while it's fine to fall for the latest fad, i.e. consider moving to the "Cloud" and all, as and while you consider and plan to do so, you just cannot let your on-prem cyber defenses down even for a moment, because if you do, you may not have a company left to move to the Cloud. A single excessive effective permission in Active Directory is all it takes.

I'll say this one more time and one last time - what I've shared above could easily happen at almost any organization today.

Best wishes,

CEO, Paramount Defenses

PS: If this sounds too simple and high-level i.e. hardly technical, that is by intent, as it is written for a non-technical audience. This isn't to showcase our technical depth; examples of our technical depth can be found here, here, here, here, here  etc.  etc.

PS2: Note for Microsoft - This may be the simplest example of "Active Directory Access Control Lists - Attack and Defense."

Here's why - Mimikatz DCSync, which embodies the technical brilliance of a certain Mr. Benjamin Delpy, may be the simplest example of how someone could attack Active Directory ACLs to instantly and completely compromise Active Directory. On the other hand, Gold Finger, which embodies the technical expertise of a certain former Microsoft employee, may be the simplest example of how one could defend Active Directory ACLs by being able to instantly identify/audit effective permissions/access in/across Active Directory, and thus lockdown any and all unauthorized access in Active Directory ACLs, making it impossible for an(y) unauthorized user to use Mimikatz DCSync against Active Directory.

PS3: They say to the wise, a hint is enough. I just painted the whole picture out for you. (You may also want to read this & this.)

PS4: If you liked this, you may also like - How To Easily Identify & Thwart Sneaky Persistence in Active Directory


FINANCIAL threats are still profitable for cyber criminals and, therefore, continue to be an enduring part of the threat landscape. From financial Trojans that attack online banking, to attacks against automated teller machines (ATMs) and fraudulent interbank transactions, there are many different attack vectors utilised by criminals.

As Symantec predicted in 2015, there was an increase in attacks against corporations and financial institutions during 2016. This was evident from a series of high-value heists targeting customers of the Society for Worldwide Interbank Financial Telecommunication (Swift). While there is no evidence of such high-value heists on Swift customers this year, the 2016 attacks saw several institutions lose millions of dollars to cyber criminals and nation state-supported attackers such as the Lazarus group.

On average, 38 per cent of the financial threats we detected in 2016 were found in large business locations. Most of these infection attempts were not targeted attacks but were instead due to widespread email campaigns. Although we have seen a 36 per cent decrease in detection numbers for financial malware in 2016, this is mainly due to earlier detection in the attack chain and more focused attacks.

With more than 1.2 million annual detections, the financial threat space is still 2.5 times bigger than that of ransomware. The financial Trojan landscape is dominated by three malware families: Ramnit, Bebloh (Trojan.Bebloh), and Zeus (Trojan.Zbot). These three families were responsible for 86 per cent of all financial Trojan attack activity in 2016. However, due to arrests, takedowns, and regrouping, we have seen a lot of fluctuation over the last year. Globally, financial institutions in the US were targeted the most, going by the samples analysed by Symantec, followed by Poland and Japan.

Infection vectors for financial Trojans haven't changed much in the past year and are still identical to other common Trojans. Distribution mainly relies on spam email with malicious droppers attached and web exploit toolkits. The use of scam emails was the most prevalent method of distribution for financial Trojans in 2016.

The already well-known Office document attachment with malicious macros continued to be widely used. However, Microsoft Visual Basic Scripting (VBS) and JavaScript (JS) files in various attachment forms have also been used in massive spam runs to distribute malware.

We have also seen Office documents without macros, and instead with embedded OLE objects and instructions for the user to double-click the payload. The Necurs botnet (Backdoor.Necurs), which sent out more than 1.8 million JS downloaders in one day alone in November 2016, highlights the magnitude of some of these campaigns.

Phishing emails, where the victim is lured to fake websites that trick them into revealing their account details, decreased to just one in 9,138 emails in March 2017. In 2016, the average number of phishing emails was slightly higher than one in 3,000 emails. Simple phishing no longer works against most banks and financial institutions, as they rarely rely on static passwords alone. But phishing attacks can still be successful in stealing online retail account credentials and credit card details.

Equifax has revealed that 2.5 million more Americans than previously thought may have had information compromised in a huge cyber security breach at the firm. The credit report giant said about 145.5 million of its US customers might have been affected, up from a previous estimate of 143 million.

ATM and point of sales (POS) attacks continued to increase in 2016. ATM malware has been around for 10 years but is still effective. With the increase of targeted attacks aimed at banks, we also saw an increase in attacks against ATMs from within the financial network. Since the adoption of Chip & PIN has begun to spread outside of Europe, we have seen a decrease of classic memory scraping threats, as they are no longer efficient for the attackers.

There are various degrees of sophistication seen in the wild when it comes to ATM attacks. For some attacks, the criminals need physical access to the ATM computer and they get this by opening the cover with a stolen key or picking the lock.

Once they have access to a USB port or the CD-ROM, they can install malware and attach a keyboard to issue commands (the Ploutus malware uses this attack vector).

Similar attacks have been reported in hotels where attackers used the often exposed USB ports on the backside of the check-in computers to install malware.

In retail stores the attackers added their sniffer to an exposed network port inside the shop. This allows them to compromise any attached POS device and scrape the memory for payment card information.

With physical access to the ATM, another attack vector is possible. As reported in April 2017, some attackers discovered they could drill a hole into the ATM casing in order to access the internal bus system. Once access is obtained, a cheap microcomputer is all that is needed to send commands to the bus in order to make the ATM dispense its cash.

We have also seen trends in financial malware attempting to hide configuration files from researchers as well as the move to redirect attacks or even manually log into the system to issue large transactions if interesting financial software is detected.

Mobile threats on Android are mainly focusing on form overlay attacks or fake online banking apps. We have seen more than 170 mobile apps targeted by mobile malware. Mobile threats are still relevant as many financial institutions have deployed two-factor authentication through mobile phone applications.

As it has become more difficult to conduct such attacks on the latest Android OS, we have seen attackers reverting to social engineering attacks, where they trick victims into authorising fraudulent transactions. The end-user still remains the weakest link in the chain during an online transaction, which means even the strongest technologies are susceptible to social engineering attacks.

When a cyberattacker successfully compromises an internal network, he can steal any credentials that will help maximise his profits. This could mean stealing online banking credentials, sensitive personal data or other passwords. It is common for financial threats to steal any other account information that they can find on a compromised computer.

Once compromised, cyberattackers can use any stolen information to spread their malware further, or even sell them on underground forums. Credit card details are still the most sold digital goods on the underground forums, while bank account access information is priced according to the account balance.

For example, an account with US$1,000 in it can be sold for US$10. An account with a greater balance will be on sale for a larger sum.

The attacks are not only targeting the banks' customers. We have seen several attacks against the financial institutions themselves, with attackers attempting to transfer large sums in fraudulent inter-bank transactions. Financial institutions are confronted with attacks on multiple fronts. The main two types are attacks against their customers and attacks against their own infrastructure.

In the event of a cyber breach, companies' losses extend far beyond just monetary value. Their reputation and customers' trust - areas that take time and effort to develop - will also be damaged. We expect financial threats to remain a problem for end-users in the future, but attackers will likely increase their focus on corporate finance departments and using social engineering against them. Prevention is by far the best outcome, so it pays to pay attention to how cyber breaches can be avoided. Emails and infected websites are the most common infection vectors for malware. Adopting a robust defence against both these infection vectors will help reduce the risk of infection.


Significant FormBook Distribution Campaigns Impacting the U.S. and South Korea

We observed several high-volume FormBook malware distribution campaigns primarily taking aim at Aerospace, Defense Contractor, and Manufacturing sectors within the U.S. and South Korea during the past few months. The attackers involved in these email campaigns leveraged a variety of distribution mechanisms to deliver the information stealing FormBook malware, including:

  • PDFs with download links
  • DOC and XLS files with malicious macros
  • Archive files (ZIP, RAR, ACE, and ISOs) containing EXE payloads

The PDF and DOC/XLS campaigns primarily impacted the United States, and the archive campaigns largely impacted the United States and South Korea.

FormBook Overview

FormBook is a data stealer and form grabber that has been advertised in various hacking forums since early 2016. Figure 1 and Figure 2 show the online advertisement for the malware.

Figure 1: FormBook advertisement

Figure 2: FormBook underground pricing

The malware injects itself into various processes and installs function hooks to log keystrokes, steal clipboard contents, and extract data from HTTP sessions. The malware can also execute commands from a command and control (C2) server. The commands include instructing the malware to download and execute files, start processes, shutdown and reboot the system, and steal cookies and local passwords.

One of the malware's most interesting features is that it reads Windows’ ntdll.dll module from disk into memory, and calls its exported functions directly, rendering user-mode hooking and API monitoring mechanisms ineffective. The malware author calls this technique "Lagos Island method" (allegedly originating from a userland rootkit with this name). 

It also features a persistence method that randomly changes the path, filename, file extension, and the registry key used for persistence. 

The malware author does not sell the builder, but only sells the panel, and then generates the executable files as a service.


FormBook is a data stealer, but not a full-fledged banker (banking malware). It does not currently have any extensions or plug-ins. Its capabilities include: 

  • Key logging

  • Clipboard monitoring

  • Grabbing HTTP/HTTPS/SPDY/HTTP2 forms and network requests 
  • Grabbing passwords from browsers and email clients 
  • Screenshots 

FormBook can receive the following remote commands from the C2 server: 

  • Update bot on host system
  • Download and execute file
  • Remove bot from host system
  • Launch a command via ShellExecute
  • Clear browser cookies
  • Reboot system
  • Shutdown system
  • Collect passwords and create a screenshot
  • Download and unpack ZIP archive


The C2 domains typically leverage less widespread, newer generic top-level domains (gTLDs) such as .site, .website, .tech, .online, and .info.

The C2 domains used for this recently observed FormBook activity have been registered using the WhoisGuard privacy protection service. The server infrastructure is hosted on a Ukrainian hosting provider. Each server typically has multiple FormBook panel installation locations, which could be indicative of an affiliate model.

Behavior Details

File Characteristics

Our analysis in this blog post is based on the following representative sample:

MD5 Hash: 
Size (bytes): 
Compile Time: 2012-06-09 13:19:49Z

Table 1: FormBook sample details


The malware is a self-extracting RAR file that starts an AutoIt loader. The AutoIt loader compiles and runs an AutoIt script. The script decrypts the FormBook payload file, loads it into memory, and then executes it.


The FormBook malware copies itself to a new location. The malware first chooses one of the following strings to use as a prefix for its installed filename:

ms, win, gdi, mfc, vga, igfx, user, help, config, update, regsvc, chkdsk, systray, audiodg, certmgr, autochk, taskhost, colorcpl, services, IconCache, ThumbCache, Cookies

It then generates two to five random characters and appends those to the chosen string above, followed by one of the following file extensions:

  • .exe, .com, .scr, .pif, .cmd, .bat

If the malware is running with elevated privileges, it copies itself to one of the following directories:

  • %ProgramFiles% 
  • %CommonProgramFiles%

If running with normal privileges, it copies itself to one of the following directories:

  • %TEMP%


The malware uses the same aforementioned string list with a random string to create a prefix, appends one to five random characters, and uses this value as the registry value name.

The malware configures persistence to one of the following two locations depending on its privileges:

  • (HKCU|HKLM)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • (HKCU|HKLM)\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run


The malware creates two 16-byte mutexes. The first mutex is the client identifier (e.g., 8-3503835SZBFHHZ). The second mutex value is derived from the C2 information and the username (e.g., LL9PSC56RW7Bx3A5). 

The malware then iterates over a process listing and calculates a checksum value of process names (rather than checking the name itself) to figure out which process to inject. The malware may inject itself into browser processes and explorer.exe. Depending on the target process, the malware installs different function hooks (see the Function Hooks section for further detail).


The malware uses several techniques to complicate malware analysis: 

  • Timing checks using the RDTSC instruction
  • Calls NtQueryInformationProcess with InfoClass=7 (ProcessDebugPort)
  • Sample path and filename checks (sample filename must be shorter than 32 characters)
  • Hash-based module blacklist
  • Hash-based process blacklist
  • Hash-based username blacklist
  • Before communicating, it checks whether the C2 server is present in the hosts file

The results of these tests are then placed into a 16-byte array, and a SHA1 hash is calculated on the array, which will be later used as the decryption key for subsequent strings (e.g. DLL names to load). Failed checks may go unnoticed until the sample tries to load the supporting DLLs (kernel32.dll and advapi32.dll).

The correct 16-byte array holding the result of the checks is: 

  • 00 00 01 01 00 00 01 00 01 00 01 00 00 00 00 00 

Having a SHA1 value of:

  • 5b85aaa14f74e7e8adb93b040b0914a10b8b19b2 

After completing all anti-analysis checks, the sample manually maps ntdll.dll from disk into memory and uses its exported functions directly in the code. All API functions will have a small stub function in the code that looks up the address of the API in the mapped ntdll.dll using the CRC32 checksum of the API name, and sets up the parameters on the stack. 

This will be followed by a direct register call to the mapped ntdll.dll module. This makes regular debugger breakpoints on APIs inoperable, as execution will never go through the system mapped ntdll.dll.

Process Injection

The sample loops through all the running processes to find explorer.exe by the CRC32 checksum of its process name. It then injects into explorer.exe using the following API calls (avoiding more commonly identifiable techniques such as WriteProcessMemory and CreateRemoteThread):

  • NtMapViewOfSection
  • NtSetContextThread
  • NtQueueUserAPC

The injected code in the hijacked instance of explorer.exe randomly selects and launches (as a suspended process) a built-in Windows executable from the following list: 

  • svchost.exe, msiexec.exe, wuauclt.exe, lsass.exe, wlanext.exe, msg.exe, lsm.exe, dwm.exe, help.exe, chkdsk.exe, cmmon32.exe, nbtstat.exe, spoolsv.exe, rdpclip.exe, control.exe, taskhost.exe, rundll32.exe, systray.exe, audiodg.exe, wininit.exe, services.exe, autochk.exe, autoconv.exe, autofmt.exe, cmstp.exe, colorcpl.exe, cscript.exe, explorer.exe, WWAHost.exe, ipconfig.exe, msdt.exe, mstsc.exe, NAPSTAT.EXE, netsh.exe, NETSTAT.EXE, raserver.exe, wscript.exe, wuapp.exe, cmd.exe 

The original process reads the randomly selected executable from the memory of explorer.exe and migrates into this new process via NtMapViewOfSection, NtSetContextThread, and NtQueueUserAPC. 

The new process then deletes the original sample and sets up persistence (see the Persistence section for more detail). It then goes into a loop that constantly enumerates running processes and looks for targets based on the CRC32 checksum of the process name. 

Targeted process names include, but are not limited to: 

  • iexplore.exe, firefox.exe, chrome.exe, MicrosoftEdgeCP.exe, explorer.exe, opera.exe, safari.exe, torch.exe, maxthon.exe, seamonkey.exe, avant.exe, deepnet.exe, k-meleon.exe, citrio.exe, coolnovo.exe, coowon.exe, cyberfox.exe, dooble.exe, vivaldi.exe, iridium.exe, epic.exe, midori.exe, mustang.exe, orbitum.exe, palemoon.exe, qupzilla.exe, sleipnir.exe, superbird.exe, outlook.exe, thunderbird.exe, totalcmd.exe
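Added example, not FireEye's code, covering the anti-analysis section and the CRC32 lookups above: it computes the string-decryption key from the 16-byte check array and builds a CRC32 table so that constants pulled from the disassembly can be resolved back to the process and export names the report lists. The check-result array and the SHA1 quoted for it are the report's; the CRC32 variant (the standard polynomial as implemented by zlib, over the name as written, with a lowercase form also indexed) is an assumption, so a non-match means "rebuild the table with the sample's variant", not "this is not the name".

```python
"""Added example, not FireEye's code: reproduce two hash-based derivations the
report describes, using standard-library hashing only."""
import hashlib
import zlib

# 16-byte array of check results the report gives for a clean (non-analysis) host.
CLEAN_CHECKS = bytes.fromhex("00000101000001000100010000000000")
# Digest the report quotes for that array; compare against it, do not assume it.
REPORTED_KEY = "5b85aaa14f74e7e8adb93b040b0914a10b8b19b2"


def string_key(check_results):
    """SHA1 of the check array. The sample uses this as the key for its encrypted
    strings, so a failed check corrupts later DLL names instead of raising an alarm."""
    if len(check_results) != 16:
        raise ValueError("FormBook keeps exactly 16 check results")
    return hashlib.sha1(check_results).hexdigest()


def key_if_check_fails(index, base=CLEAN_CHECKS):
    """Key the sample would derive if check number `index` (0..15) flipped, e.g.
    ProcessDebugPort non-zero. The report does not say which slot is which check."""
    flipped = bytearray(base)
    flipped[index] ^= 1
    return string_key(bytes(flipped))


# Names the report lists: injection decoys, hook targets, and the ntdll exports
# the stubs resolve. Assumption: standard (zlib) CRC32 over the ASCII name as
# written; if the sample lowercases first or uses a custom polynomial, rebuild
# the table with that variant.
DECOY_PROCESSES = ["svchost.exe", "msiexec.exe", "wuauclt.exe", "lsass.exe", "dwm.exe",
                   "rundll32.exe", "cmd.exe", "NAPSTAT.EXE", "NETSTAT.EXE", "explorer.exe"]
HOOK_TARGETS = ["iexplore.exe", "firefox.exe", "chrome.exe", "MicrosoftEdgeCP.exe",
                "opera.exe", "outlook.exe", "thunderbird.exe", "totalcmd.exe"]
NTDLL_EXPORTS = ["NtMapViewOfSection", "NtSetContextThread", "NtQueueUserAPC",
                 "NtQueryInformationProcess"]


def crc32_of(name):
    """Standard CRC32 of the ASCII name, as an unsigned 32-bit value."""
    return zlib.crc32(name.encode("ascii")) & 0xFFFFFFFF


def crc32_table(names):
    """Map CRC32 -> name for the exact-case name and its lowercase form;
    a collision between two different names is reported, not silently overwritten."""
    table = {}
    for name in names:
        for variant in {name, name.lower()}:
            h = crc32_of(variant)
            if h in table and table[h] != name:
                raise ValueError(f"CRC32 collision: {table[h]!r} vs {name!r}")
            table[h] = name
    return table


HASH_TABLE = crc32_table(DECOY_PROCESSES + HOOK_TARGETS + NTDLL_EXPORTS)


def resolve(hash_value, table=HASH_TABLE):
    """Turn a 32-bit constant from the disassembly back into a name, or None."""
    return table.get(hash_value & 0xFFFFFFFF)


if __name__ == "__main__":
    key = string_key(CLEAN_CHECKS)
    print("clean key:", key, "matches report:", key == REPORTED_KEY)
    print("key with one failed check:", key_if_check_fails(1))
    for name in ("explorer.exe", "napstat.exe", "NtQueueUserAPC"):
        print(f"{crc32_of(name):08x} -> {resolve(crc32_of(name))}")
```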

After injecting into any of the target processes, it sets up user-mode API hooks based on the process. 

The malware installs different function hooks depending on the process. The primary purpose of these function hooks is to log keystrokes, steal clipboard data, and extract authentication information from browser HTTP sessions. The malware stores data in local password log files. The directory name is derived from the C2 information and the username (the same as the second mutex created above: LL9PSC56RW7Bx3A5). 

However, only eight bytes from this value are used as the directory name (e.g., LL9PSC56). Next, the first three characters from the derived directory name are used as a prefix for the log file followed by the string log. Following this prefix are names corresponding to the type of log file. For example, for Internet Explorer passwords, the following log file would be created:

  • %APPDATA%\LL9PSC56\LL9logri.ini.

The following are the password log filenames without the prefix:

  • (no name): Keylog data
  • rg.ini: Chrome passwords
  • rf.ini: Firefox passwords
  • rt.ini: Thunderbird passwords
  • ri.ini: Internet Explorer passwords
  • rc.ini: Outlook passwords
  • rv.ini: Windows Vault passwords
  • ro.ini: Opera passwords

One additional file that does not use the .INI file extension is a screenshot file:

  • im.jpeg
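As an added example (not FireEye's code) that serves both the persistence naming rules above and the log-file naming just described, the following Python turns those rules into a hunt: it scores constructed Run-key entries against the four indicators the report gives (run key, value-name pattern, install directory, filename pattern) and derives the expected log paths from the 16-character value. Assumptions: the random characters are alphanumeric (the report says only "random"), the screenshot file carries the same three-character prefix as the .ini logs, and the environment-variable expansions are those of a generic host.

```python
"""Added example, not FireEye's code: turn the naming rules in the report into a
hunt over constructed Run-key entries, plus the expected log-file paths."""
import ntpath
import re

PREFIXES = ["ms", "win", "gdi", "mfc", "vga", "igfx", "user", "help", "config", "update",
            "regsvc", "chkdsk", "systray", "audiodg", "certmgr", "autochk", "taskhost",
            "colorcpl", "services", "IconCache", "ThumbCache", "Cookies"]
EXTENSIONS = [".exe", ".com", ".scr", ".pif", ".cmd", ".bat"]
RUN_KEYS = {  # hive stripped, lowercased
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\policies\explorer\run",
}
# Constructed expansions for a generic host, so both %VAR% and expanded paths match.
ENV = {"%ProgramFiles%": r"C:\Program Files",
       "%CommonProgramFiles%": r"C:\Program Files\Common Files",
       "%TEMP%": r"C:\Users\user\AppData\Local\Temp"}
INSTALL_DIRS = {k.lower() for k in ENV} | {v.lower() for v in ENV.values()}

# Assumption: the random characters are alphanumeric; the report only says "random".
_PFX = "|".join(re.escape(p) for p in PREFIXES)
_EXT = "|".join(re.escape(e) for e in EXTENSIONS)
FILENAME_RE = re.compile(rf"^({_PFX})[A-Za-z0-9]{{2,5}}({_EXT})$", re.IGNORECASE)
VALUENAME_RE = re.compile(rf"^({_PFX})[A-Za-z0-9]{{1,5}}$", re.IGNORECASE)


def classify_run_entry(key_path, value_name, data):
    """Which of the four FormBook persistence indicators an autorun entry matches."""
    reasons = []
    if key_path.split("\\", 1)[-1].lower() in RUN_KEYS:
        reasons.append("run key")
    if VALUENAME_RE.match(value_name):
        reasons.append("value-name pattern")
    directory, filename = ntpath.split(data)
    if directory.rstrip("\\").lower() in INSTALL_DIRS:
        reasons.append("install dir")
    if FILENAME_RE.match(filename):
        reasons.append("filename pattern")
    return reasons


def suspicious_run_entries(entries):
    """Flag only when all four line up: the name patterns alone are noisy
    (msiexec.exe is 'ms' + five characters + '.exe')."""
    return [e for e in entries if len(classify_run_entry(*e)) == 4]


SAMPLE_RUN_ENTRIES = [  # constructed (key path, value name, data)
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "gdiKq3",
     r"C:\Users\user\AppData\Local\Temp\winA7bQ.scr"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run", "chkdskZ",
     r"%CommonProgramFiles%\audiodgx9.exe"),
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "msiexec",
     r"C:\Windows\System32\msiexec.exe"),
]

# Suffixes from the report; the bare prefix is the keylog. Prefixing im.jpeg is an assumption.
LOG_SUFFIXES = {"": "keylog", "rg.ini": "Chrome", "rf.ini": "Firefox", "rt.ini": "Thunderbird",
                "ri.ini": "Internet Explorer", "rc.ini": "Outlook", "rv.ini": "Windows Vault",
                "ro.ini": "Opera", "im.jpeg": "screenshot"}


def artifact_paths(derived_id, appdata="%APPDATA%"):
    """Directory = first 8 chars of the 16-char C2/username value; file prefix = first 3 + 'log'."""
    if len(derived_id) != 16:
        raise ValueError("expected the 16-character C2/username-derived value")
    directory = derived_id[:8]
    prefix = directory[:3] + "log"
    return [ntpath.join(appdata, directory, prefix + suffix) for suffix in LOG_SUFFIXES]


if __name__ == "__main__":
    for key_path, value_name, data in SAMPLE_RUN_ENTRIES:
        print(f"{value_name:10} {classify_run_entry(key_path, value_name, data)}")
    print("flagged:", [v for _, v, _ in suspicious_run_entries(SAMPLE_RUN_ENTRIES)])
    for path in artifact_paths("LL9PSC56RW7Bx3A5"):
        print(path)
```

The msiexec entry matches three of the four indicators and is correctly left alone; requiring the install directory as well keeps the hunt usable on a fleet. The log paths are worth feeding to an EDR file-path search as is, since the eight-character directory and the three-character prefix are stable per victim and C2.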

Function Hooks

Keylog/clipboard monitoring:

  • GetMessageA
  • GetMessageW
  • PeekMessageA
  • PeekMessageW
  • SendMessageA
  • SendMessageW

Browser hooks:

  • PR_Write
  • HttpSendRequestA
  • HttpSendRequestW
  • InternetQueryOptionW
  • EncryptMessage
  • WSASend

The browser hooks look for certain strings in the content of HTTP requests and, if a match is found, information about the request is extracted. The targeted strings are:

  • pass
  • token
  • email
  • login
  • signin
  • account
  • persistent

Network Communications

The malware communicates with the following C2 server using HTTP requests: 

  • www[.]clicks-track[.]info/list/hx28/


As seen in Figure 3, FormBook sends a beacon request (controlled by a timer/counter) using HTTP GET with an "id" parameter in the URL.

Figure 3: FormBook beacon

The decoded "id" parameter is as follows:

  • FBNG:134C0ABB 2.9:Windows 7 Professional x86:VXNlcg==

Its fields are:

  • "FBNG" - magic bytes
  • "134C0ABB" - the CRC32 checksum of the user's SID
  • "2.9" - the bot version
  • "Windows 7 Professional" - operating system version
  • "x86" - operating system architecture
  • "VXNlcg==" - the Base64-encoded username (i.e., "User" in this case)

Communication Encryption

The malware sends HTTP requests using hard-coded HTTP header values. The HTTP headers shown in Figure 4 are hardcoded.

Figure 4: Hard-coded HTTP header values

Messages to the C2 server are sent RC4 encrypted and Base64 encoded. The malware uses a slightly altered Base64 alphabet, and also uses the character "." instead of "=" as the pad character:

  • Standard Alphabet: 
    • ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
  • Modified Alphabet: 
    • ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_

The RC4 key is derived from the C2 URL using a custom implementation of the SHA1 hashing algorithm. The standard SHA1 algorithm reverses the DWORD endianness at the end of the computation; this implementation does not, so its output consists of reverse-endian DWORDs. For example, the SHA1 hash of the aforementioned URL is "9b198a3cfa6ff461cc40b754c90740a81559b9ae," but byte-swapping each DWORD produces the actual RC4 key: 3c8a199b61f46ffa54b740cca84007c9aeb95915. The first DWORD "9b198a3c" becomes "3c8a199b."

Figure 5 shows an example HTTP POST request.

Figure 5: Example HTTP POST request

In this example, the decoded result is: 

  • Clipboard\r\n\r\nBlank Page - Windows Internet Explorer\r\n\r\ncEXN{3wutV,

Accepted Commands

When a command is sent by the C2 server, the HTTP response body has the format shown in Figure 6.

Figure 6: FormBook C2 server response with command

The data begins with the magic bytes "FBNG," followed by a one-byte command code from hex 0x31 to 0x39 (i.e., from "1" to "9") in clear text. This is followed by the RC4-encrypted command data (the RC4 key is the same one used for the request). In the decrypted data, a second occurrence of the magic bytes "FBNG" marks the end of the command data.
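To make the Communication Encryption scheme above and the command response format just described concrete, here is an added example decoder, written for analysts; it is not code from the original post or from the malware. It implements the modified Base64 alphabet with "." padding, plain RC4, the DWORD byte-swap that turns a standard SHA1 digest into the RC4 key, and a parser for the FBNG/command-byte/RC4-data response layout. Assumptions: the exact URL string the sample hashes (scheme, trailing slash) is not given in the post, so derive_rc4_key takes whatever URL string the caller observed, and the sample response used in the demo is constructed, not captured traffic. All function names are mine.

```python
import base64
import hashlib
from typing import Tuple

# Added example, not FireEye's or FormBook's code. Implements the encoding scheme
# described in the post: Base64 with "-", "_" and pad "." ; RC4; and an RC4 key that
# is the SHA1 digest of the C2 URL with each DWORD byte-swapped.

FORMBOOK_MAGIC = b"FBNG"

# Map the modified alphabet back onto the standard one so the stdlib decoder works.
_TO_STANDARD = str.maketrans("-_.", "+/=")
_TO_MODIFIED = str.maketrans("+/=", "-_.")


def formbook_b64decode(text: str) -> bytes:
    """Decode data written in FormBook's modified Base64 alphabet."""
    return base64.b64decode(text.translate(_TO_STANDARD))


def formbook_b64encode(data: bytes) -> str:
    """Inverse of formbook_b64decode; used here only to build test input."""
    return base64.b64encode(data).decode("ascii").translate(_TO_MODIFIED)


def swap_dwords(digest: bytes) -> bytes:
    """Reverse the byte order of every 32-bit word of a digest.

    Standard SHA1 emits its state words big-endian; the malware's implementation
    skips that final step, so its key equals the standard digest with each DWORD
    byte-swapped (e.g. "9b198a3c" -> "3c8a199b").
    """
    if len(digest) % 4:
        raise ValueError("digest length must be a multiple of 4")
    return b"".join(digest[i:i + 4][::-1] for i in range(0, len(digest), 4))


def derive_rc4_key(c2_url: str) -> bytes:
    """RC4 key = SHA1(c2_url) with DWORDs byte-swapped.

    Assumption: the exact string hashed by the sample is not given in the post,
    so pass the URL form you actually observed.
    """
    return swap_dwords(hashlib.sha1(c2_url.encode("ascii")).digest())


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation, XORed onto the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_request_body(body: str, key: bytes) -> bytes:
    """Recover the plaintext of a FormBook POST body (Base64 -> RC4)."""
    return rc4(key, formbook_b64decode(body))


def parse_c2_response(body: bytes, key: bytes) -> Tuple[str, bytes]:
    """Split a C2 response into (command_code, decrypted_parameters).

    Layout per the post: "FBNG" + one cleartext command byte '1'..'9' + RC4 data,
    where a second "FBNG" inside the decrypted data terminates the parameters.
    """
    if not body.startswith(FORMBOOK_MAGIC):
        raise ValueError("response does not start with FBNG magic")
    command = body[4:5]
    if len(command) != 1 or command not in b"123456789":
        raise ValueError("command byte outside '1'..'9'")
    plain = rc4(key, body[5:])
    end = plain.find(FORMBOOK_MAGIC)
    if end < 0:
        raise ValueError("no FBNG terminator in decrypted command data")
    return command.decode("ascii"), plain[:end]


def build_sample_response(command: str, params: bytes, key: bytes) -> bytes:
    """Constructed test fixture in the layout above (not captured traffic)."""
    return FORMBOOK_MAGIC + command.encode("ascii") + rc4(key, params + FORMBOOK_MAGIC)


if __name__ == "__main__":
    standard_digest = bytes.fromhex("9b198a3cfa6ff461cc40b754c90740a81559b9ae")
    print("RC4 key from standard digest:", swap_dwords(standard_digest).hex())
    key = derive_rc4_key("example.invalid/list/")  # placeholder URL, not the real C2
    print(parse_c2_response(build_sample_response("4", b"constructed parameters", key), key))
```

The swap_dwords step is the one that is easy to get wrong when reproducing the key: hashing the URL with a stock SHA1 library and using the digest directly yields a key that decrypts to garbage, which is why the post spells out the first-DWORD example.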

The malware accepts the commands shown in Table 2.

  Command      Description                                              Parameters (after decryption)
  '1' (0x31)   Download and execute file from %TEMP% directory
  '2' (0x32)   Update bot on host machine
  '3' (0x33)   Remove bot from host machine
  '4' (0x34)   Launch a command via ShellExecute
  '5' (0x35)   Clear browser cookies
  '6' (0x36)   Reboot operating system
  '7' (0x37)   Shutdown operating system
  '8' (0x38)   Collect email/browser passwords and create a screenshot
  '9' (0x39)   Download and unpack ZIP archive into %TEMP% directory

Table 2: FormBook accepted commands

Distribution Campaigns

FireEye researchers observed FormBook distributed via email campaigns using a variety of different attachments:

  • PDFs with links to the "" URL-shortening service, which then redirected to a staging server that contained FormBook executable payloads
  • DOC and XLS attachments that contained malicious macros that, when enabled, initiated the download of FormBook payloads
  • ZIP, RAR, ACE, and ISO attachments that contained FormBook executable files

The PDF Campaigns

The PDF campaigns leveraged FedEx and DHL shipping/package delivery themes (Figure 7 and Figure 8), as well as a document-sharing theme. The PDFs distributed did not contain malicious code, just a link to download the FormBook payload.

The staging servers (shown in Table 3) appeared to be compromised websites.

Figure 7: Example PDF campaign email lure with attachment

Figure 8: Example PDF campaign attachment

  Sample Subject Lines                                       Shortened URLs   Staging Servers
  <Recipient’s_Name> - You have a parcel awaiting pick up
  <Recipient’s_Name> - I shared a file with you

Table 3: Observed email subjects and download URLs for PDF campaign

Based on data from the links, there were a total of 716 hits across 36 countries. As seen in Figure 9, most of the malicious activity from the PDF campaign impacted the United States.

Figure 9: Geolocation statistics from URL shortener

The DOC/XLS Campaigns

The email campaigns distributing DOC and XLS files relied on the use of malicious macros to download the executable payload. When the macros are enabled, the download URL retrieves an executable file with a PDF extension. Table 4 shows observed email subjects and download URLs used in these campaigns.

  Sample Subject Lines   Staging Server   URL Paths
  ACS PO 1528

Table 4: Observed email subjects and download URLs for the DOC/XLS campaign

FireEye detection technologies observed this malicious activity between Aug. 11 and Aug. 22, 2017 (Figure 10). Much of the activity was observed in the United States (Figure 11), and the most targeted industry vertical was Aerospace/Defense Contractors (Figure 12).

Figure 10: DOC/XLS campaign malicious activity by date

Figure 11: Top 10 countries affected by the DOC/XLS campaign

Figure 12: Top 10 industry verticals affected by the DOC/XLS campaign

The Archive Campaign

The Archive campaign delivered a variety of archive formats, including ZIP, RAR, ACE, and ISO, and accounted for the highest distribution volume. It leveraged a myriad of subject lines that were characteristically business related and often regarding payment or purchase orders:

Sample Subject Lines

  • MT103 PAYMENT CONFIRMATION Our Ref: BCCMKE806868TSC Counterparty:.
  • Fwd: INQUIRY RFQ-18 H0018
  • Fw: Remittance Confirmation
  • PO. NO.: 10701 - Send Quotaion Pls
  • Re: bgcqatar project
  • Re: August korea ORDER
  • Purchase Order #234579
  • purchase order for August017

FireEye detection technologies observed this campaign activity between July 18 and Aug. 17, 2017 (Figure 13). Much of the activity was observed in South Korea and the United States (Figure 14), with the Manufacturing industry vertical being the most impacted (Figure 15).

Figure 13: Archive campaign malicious activity by date

Figure 14: Top 10 countries affected by the Archive campaign

Figure 15: Top 10 industry verticals affected by the Archive campaign 

While FormBook is not unique in either its functionality or distribution mechanisms, its relative ease of use, affordable pricing structure, and open availability make FormBook an attractive option for cyber criminals of varying skill levels. In the last few weeks, FormBook was seen downloading other malware families such as NanoCore. The credentials and other data harvested by successful FormBook infections could be used for additional cyber crime activities including, but not limited to: identity theft, continued phishing operations, bank fraud and extortion.

Penetration Testing vs. Vulnerability Scanning

Frequently, new or existing clients will come to us requesting a penetration test. Usually, one of the first things we tell them is that they do not need a penetration test done…yet. Within IT, and within InfoSec specifically, there is a disconnect between terms used by industry professionals, their clients, and the media/public. Two of the most confusing terms are:

  • Penetration Testing
  • Vulnerability Scanning

Most clients will seek out security consulting services to have a ‘pen test’ performed, without knowing what a penetration test entails. Too often they picture a scene from Mr. Robot, or Hackers – someone in a darkened room, in front of a console, furiously typing away to hack into servers.

Most of our clients are organizations that have not worked with a security consulting firm before, but are used to working with managed service providers, so they expect to be sold hardware or software solutions. Because COMPASS is vendor agnostic, we evaluate what our clients’ needs are, and then offer a series of services that we think will help our clients achieve their goals.

As previously mentioned, we almost always have the conversation about Penetration Testing. Whenever we discuss this with our clients we try to help them understand the difference between a penetration test and a vulnerability scan. So, let us get into defining the two:

Penetration Test

A Penetration Test has a specific goal: to exploit weaknesses and gain access to data within your network, to achieve administrator privileges, or possibly to alter financial data. A Penetration Test should not be the starting point of your information security program. It should be performed once you have a security configuration in place that needs to be tested, for example once you have established a patch management process, hardened network devices, and essentially closed any known gaps within your network architecture.

A Penetration Test should only be performed once vulnerability assessments have been executed and all remediations implemented. Penetration tests can be expensive, so they are best employed when you want to test security that is already assumed to be in place and adequate.

Vulnerability Scan/Assessment

A Vulnerability Scan or Assessment, whichever flavor you prefer, should be an organization’s first step in building a strong security stance. Vulnerability scans are technical assessments that are designed to discover as many vulnerabilities as possible within a target network. Vulnerability scan reports include severity ratings for the discovered vulnerabilities and remediation/mitigation instructions, and they allow for prioritization of vulnerability remediation.

A Vulnerability Scan/Assessment should be performed at the start of your security journey. It will help you to generate a prioritized list of things wrong with the network, from OS patches and third-party vulnerabilities to open ports and services running on perimeter devices. The goal of a vulnerability scan should always be to fix as many findings as possible.

For more information on how to get started with your security assessment, download our Cyber Security Assessment Checklist or CONTACT US for a deeper discussion.