Monthly Archives: July 2018

SN 674: Attacking Bluetooth Pairing

This week we examine yet another new Spectre processor speculation attack, look at the new "Death Botnet", the security of US DoD websites, lots of Google Chrome news, a push by the US Senate toward more security, the emergence and threat of clone websites in other TLDs, more cryptocurrency-mining bans, and Google's Titan hardware security dongles, and we finish by examining the recently discovered flaw in the Bluetooth pairing protocol which has device manufacturers and OS makers scrambling. (But do they really need to?)

We invite you to read our show notes.

Hosts: Jason Howell and Steve Gibson

Download or subscribe to this show at https://twit.tv/shows/security-now.

You can submit a question to Security Now! at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Bandwidth for Security Now is provided by CacheFly.

GandCrab Ransomware Puts the Pinch on Victims

Update: On August 9 we added our analysis of Versions 4.2.1 and 4.3. 

The GandCrab ransomware first appeared in January and has been updated rapidly during its short life. It is the leading ransomware threat. The McAfee Advanced Threat Research team has reverse engineered Versions 4.0 through 4.3 of the malware.

The first versions (1.0 and 1.1) of this malware had a bug that left the keys in memory because the author did not correctly use the flags in a crypto function. One antimalware company released a free decryption tool, posted on NoMoreRansom.org, with help of Romanian police and Europol.

The hack was confirmed by the malware author in a Russian forum:

Figure 1. Confirmation by the author of the hack of GandCrab servers.

The text apologizes to partners for the hack and temporarily shuts down the program. It promises to release an improved version within a few days.

The second version of GandCrab quickly appeared and improved the malware server’s security against future counterattacks. The first versions of the ransomware carried a list of file extensions to encrypt; the second and later versions replaced this with an exclusion list, so every file not matching the list is encrypted.

Old versions of the malware used AES to encrypt the files and RSA to protect the AES keys, and sent the RSA keys to a control server encrypted with RC4.

The GandCrab author has moved quickly to improve the code and has added comments to mock the security community, law agencies, and the NoMoreRansom organization. The malware is not professionally developed and usually has bugs (even in Version 4.3), but the speed of changes is impressive and increases the difficulty of combating it.

Entry vector

GandCrab uses several entry vectors:

  • Remote Desktop (RDP) connections with weak credentials, or access bought in underground forums
  • Phishing emails with links or attachments
  • Trojanized legitimate programs that contain the malware, or that download and launch it
  • Exploit kits such as RigEK and others

The goal of GandCrab, as with other ransomware, is to encrypt all or most files on an infected system and demand payment to unlock them. The developer requires payment in cryptocurrency, primarily DASH, because it is harder to trace, or Bitcoin.

The malware is usually but not always packed. We have seen variants in .exe format (the primary form) along with DLLs. GandCrab is effectively ransomware as a service; its operators can choose which version they want.

Version 4.0

The most important change in Version 4.0 is the algorithm used to encrypt files. Earlier versions used AES for file contents with RSA protecting the keys; Version 4.0 and later encrypt file contents with Salsa20 (RSA is still used, but only to wrap the per-file Salsa20 keys). The main reason is speed: RSA is strong but slow, whereas Salsa20 is fast and its implementation is small.

The ransomware checks the language of the system and will not drop the malicious payload if the infected machine operates in Russian or certain other former Soviet languages:

Figure 2. Checking the language of the infected system.

GandCrab encrypts any file that does not appear on the following file-extension exclusion list:

The ransomware does not encrypt files in these folders:

GandCrab leaves these files unencrypted:

The ransomware generates an RSA key pair before encrypting any file. The public key encrypts the Salsa20 key and random initialization vector (IV, or nonce) generated later for each file.

The encryption procedure generates a fresh random Salsa20 key and IV for each file, encrypts the file with them, and then encrypts that key and IV with the public half of the RSA key pair generated at the start. The matching private key is stored in the registry, itself encrypted with a second Salsa20 key and IV, and that second key and IV are encrypted with an RSA public key embedded in the malware.

After encryption, the RSA-encrypted file key and IV are appended to the end of the file as a trailer, increasing the original file size. The original article gives the size of this new field as 8 bytes, but an RSA-wrapped 32-byte Salsa20 key plus 8-byte nonce cannot fit in 8 bytes (an RSA ciphertext is as long as the modulus), so that figure is better read as a marker or length field sitting next to the wrapped key blob than as the blob itself.

This scheme makes GandCrab very strong ransomware: without the private key matching the public key embedded in the malware, the victim-specific RSA private key cannot be recovered from the registry, and without that private key the Salsa20 key and IV appended to each file cannot be decrypted.
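The key hierarchy described above, as an added example written for this page (it is neither McAfee's code nor GandCrab's): a pure-Go Salsa20/20 following Bernstein's specification (implemented here because the Go standard library has no Salsa20) plus the two RSA layers, using the standard library's RSA-OAEP. The trailer layout (the RSA ciphertext of key||nonce appended directly after the body, its length implied by the RSA modulus size), OAEP padding, 2048-bit keys and PKCS#1 serialization of the victim key are this example's assumptions; the article does not give those details. RunDemo walks the full chain: the per-victim key pair seals a file, that pair's private half is sealed under the attacker's embedded public key, and only the attacker's private key can peel the layers back.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"errors"
	"fmt"
	"math/bits"
)

// salsa20Block: one 64-byte Salsa20/20 keystream block (Bernstein's spec) for a 32-byte key, 8-byte nonce and 64-bit block counter.
func salsa20Block(key, nonce []byte, counter uint64) [64]byte {
	le := binary.LittleEndian
	s := [16]uint32{0x61707865, 0, 0, 0, 0, 0x3320646e, 0, 0, 0, 0, 0x79622d32, 0, 0, 0, 0, 0x6b206574} // "expand 32-byte k"
	for i := 0; i < 4; i++ {
		s[1+i], s[11+i] = le.Uint32(key[4*i:]), le.Uint32(key[16+4*i:])
	}
	s[6], s[7], s[8], s[9] = le.Uint32(nonce), le.Uint32(nonce[4:]), uint32(counter), uint32(counter>>32)
	x := s
	qr := func(a, b, c, d int) { // quarterround on state words a, b, c, d
		x[b] ^= bits.RotateLeft32(x[a]+x[d], 7)
		x[c] ^= bits.RotateLeft32(x[b]+x[a], 9)
		x[d] ^= bits.RotateLeft32(x[c]+x[b], 13)
		x[a] ^= bits.RotateLeft32(x[d]+x[c], 18)
	}
	for i := 0; i < 10; i++ { // 10 double rounds: a column round followed by a row round
		qr(0, 4, 8, 12); qr(5, 9, 13, 1); qr(10, 14, 2, 6); qr(15, 3, 7, 11)
		qr(0, 1, 2, 3); qr(5, 6, 7, 4); qr(10, 11, 8, 9); qr(15, 12, 13, 14)
	}
	var out [64]byte
	for i := range x {
		le.PutUint32(out[4*i:], x[i]+s[i])
	}
	return out
}

// salsa20XOR applies the keystream to data; the same call encrypts and decrypts.
func salsa20XOR(key, nonce, data []byte) []byte {
	out := make([]byte, len(data))
	for off := 0; off < len(data); off += 64 {
		ks := salsa20Block(key, nonce, uint64(off/64))
		for i := off; i < len(data) && i < off+64; i++ {
			out[i] = data[i] ^ ks[i-off]
		}
	}
	return out
}

// Seal is the per-file step: a fresh key||nonce encrypts the body; the key||nonce is RSA-wrapped
// (OAEP is this example's choice) and appended as a trailer of exactly one modulus in length.
func Seal(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	km := make([]byte, 40) // 32-byte Salsa20 key || 8-byte nonce, used for this file only
	if _, err := rand.Read(km); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, km, nil)
	if err != nil {
		return nil, err
	}
	return append(salsa20XOR(km[:32], km[32:], plaintext), wrapped...), nil
}

// Open reverses Seal; without the matching RSA private key the trailer cannot be unwrapped.
func Open(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	if n := priv.Size(); len(blob) >= n {
		km, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob[len(blob)-n:], nil)
		if err == nil && len(km) == 40 {
			return salsa20XOR(km[:32], km[32:], blob[:len(blob)-n]), nil
		}
	}
	return nil, errors.New("cannot unwrap file key: wrong private key, short file or corrupt trailer")
}

func newKey() *rsa.PrivateKey { // 2048-bit is an assumption; the article does not state the key size
	k, _ := rsa.GenerateKey(rand.Reader, 2048) // fails only if the system RNG does
	return k
}

// RunDemo walks the chain: the per-victim key seals the file, the victim's private key is sealed
// under the attacker's embedded public key (the registry layer), and only the attacker's private key peels it all back.
func RunDemo(plaintext []byte) ([]byte, error) {
	attacker, victim := newKey(), newKey()
	file, err := Seal(&victim.PublicKey, plaintext)
	if err != nil { return nil, err }
	registry, err := Seal(&attacker.PublicKey, x509.MarshalPKCS1PrivateKey(victim))
	if err != nil { return nil, err }
	der, err := Open(attacker, registry) // the attacker's private key: the one thing the victim lacks
	if err != nil { return nil, err }
	recovered, err := x509.ParsePKCS1PrivateKey(der)
	if err != nil { return nil, err }
	return Open(recovered, file)
}

func main() {
	out, err := RunDemo([]byte("constructed sample document"))
	fmt.Printf("%q %v\n", out, err)
}
```

Open applied to a file with the attacker's key fails, which is the point: that key unwraps only the registry blob, and the file yields only to the victim key recovered from it. A decryptor for a real sample would replace Seal's assumed trailer layout with the exact format recovered from the binary, and would need the operator's private key, which is exactly what is withheld.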

Finally, the ransomware deletes all Volume Shadow Copies on the infected machine, removing the easy local restore path, and then deletes itself.

Version 4.1

This version retains the Salsa20 algorithm, fixes some bugs, and adds a new function. The function picks domains from a large hardcoded list, builds a random URL path under each one, and sends the encrypted information gathered from the infected machine to it. We do not know why the malware does this; the generated paths usually point to remote sites that do not exist.

For example, one sample of this version has the following hardcoded list of encrypted domains. (This is only a small part of this list.)

The ransomware selects one domain from the list and creates a random path with one of these words:

Later it randomly chooses another word to add to the URL it creates:

Afterward it makes a file name, randomly choosing three or four combinations from the following list:

Finally the malware concatenates the filename with a randomly chosen extension:

At this point, the malware sends the encrypted information using POST to the newly generated URL for all domains in the embedded list, repeating the process of generating a path and name for each domain.

Another important change in this version is an attempt to obfuscate calls to API functions such as VirtualAlloc and VirtualFree.

Figure 3. New functions to obfuscate the code.

Version 4.1.2

This version appeared in several variants. Two security companies had published a vaccine against the previous versions: creating a file with a special name in a specific folder before the ransomware runs. If that file exists, the ransomware exits without dropping the payload.

The file name is derived from the volume serial number of the Windows system drive: the malware performs a simple calculation on that value and creates the file in %AppData% or %ProgramFiles% (depending on the OS version) with the extension .lock.

Figure 4. Creating the special file.

The GandCrab author reacted quickly, changing the calculation so that the value is unique to each machine and adding a Salsa20 pass, with an embedded key and IV, over a text string referring to these companies. The text and the calculated value together form the file name; the extension remained .lock.

One of the security companies responded with a free tool that creates this file for any user, but within hours the author released a second Version 4.1.2 with the text changed. This release no longer creates a file at all; instead it creates a mutex object with the special name. The mutex name still carries the .lock extension.

Figure 5. Creating a special mutex instead of a special lock file.

The vaccine does not work against the second release of Version 4.1.2 or against Version 4.2, but it does work against earlier versions.

Version 4.2

This version has code to detect virtual machines and stop running the ransomware within them.

It checks the number of network (remote) drives, compares the length of the ransomware’s own file name against certain sizes, installs a vectored exception handler (AddVectoredExceptionHandler), and checks for VMware using the old trick of querying the VMware backdoor I/O port from a small encrypted shellcode; the exception handler catches the fault that the privileged port access raises when no VMware hypervisor intercepts it:

Figure 6. Detecting VMware.

The malware also calculates the free space on the Windows system drive and combines the results of these checks into a single value.

If the value is the one the ransomware expects, it runs normally. If the value is less than 0x1E, it sleeps for one hour before starting the normal process, which stalls automated analysis systems that do not fast-forward or patch Sleep. If the value is greater than 0x1E, the ransomware exits.

Figure 7. Checking for virtual machines and choosing a path.

Version 4.2.1

This version appeared August 1. The change from the previous version is a text message aimed at the company that made the vaccine, together with a link to source code for a zero-day exploit against one of that company’s products. The code is a Visual Studio project and can easily be recompiled; once loaded in Visual Studio, its folder names are in Russian.

Version 4.3

This version also appeared August 1. This version has several changes from previous versions.

  • It removes the code to detect virtual machines and a few other odd things in Version 4.2. That code had weak points: some virtual machines were not detected.
  • It implemented an exploit against one product of the antivirus company that made the vaccine against Version 4.0 through the first release of Version 4.1.2. This code appears after the malware encrypts files and before it deletes itself.

Figure 8. Running an exploit against a product of the company that made a vaccine.

  • New code in some functions makes static analysis with IDA (Interactive Disassembler) more complex. This is an easy but effective trick: the ransomware makes a delta call (a call to the very next instruction, which pushes that instruction’s address onto the top of the stack), adds 0x11 (the size of the special block, which suggests the author is using a macro) to that pushed value at the top of the stack (the location ESP points to) so that it now points past the block, and then jumps into the middle of the block’s opcodes. Decoded from that offset, the bytes form a different instruction, in this case “pop eax,” which pulls the adjusted address off the top of the stack into EAX; an unconditional “jmp eax” then resumes the normal code flow after the block. A disassembler that decodes the block from its first byte shows instructions that never execute and cannot resolve the jmp eax target statically.

Figure 9. New code to make static analysis more difficult.

Conclusion

GandCrab is the leading ransomware threat for any person or enterprise. The author uses many ways to install it, including exploit kits, phishing mails, Trojans, and fake programs. The developer actively updates and improves the code to make analysis more difficult and to detect virtual machines. The code is not professionally written and continues to suffer from bugs, yet the product is well promoted in underground forums and has increased in value.

McAfee detects this threat as Ran-GandCrab4 in Versions 4.0 and later. Previous ones are also detected.

Indicators of compromise

MITRE ATT&CK

This sample uses the following MITRE ATT&CK techniques:

  • File deletion
  • System information discovery
  • Execution through API
  • Execution through WMIC
  • Application process discovery: to detect antimalware and security products as well as normal programs
  • Query registry: to get information about keys that the malware needs to create or read
  • Modify registry
  • File and directory discovery: to search for files to encrypt
  • Encrypt files
  • Process discovery: enumerating all processes on the endpoint to kill some special ones
  • Create files
  • Elevation of privileges

Hashes

  • 9a80f1866450f2f10fa69b1eb8747c344d6ef038468014c59cc50497f9e4675d – version 4.0
  • d9466be5c387eb2fbf619a8cd0922b167ea7fa06b63f13cd330ca974cae1d513 – version 4.0
  • 43b57d2b16c44041916f3b0562712d5dca4f8a42bc00f00a023b4a0788d18276 – version 4.0
  • 786e3c693fcdf55466fd6e5446de7cfeb58a4311442e0bc99ce0b0985c77b45d – version 4.0
  • f5e74d939a5b329dddc94b75bd770d11c8f9cc3a640dccd8dff765b6997809f2 – version 4.1
  • 8ecbfe6f52ae98b5c9e406459804c4ba7f110e71716ebf05015a3a99c995baa1 – version 4.1
  • e454123d852e6a40eed1f2552e1a1ad3c00991541d812fbf24b70611bd1ec40a – version 4.1
  • 0aef79fac6331f9eca49e711291ac116e7f6fbaeb5a1f3eb7fea9e2e4ec6a608 – version 4.1
  • 3277c1649972ab5b43ae9e87087b70ea4825956bfdddd1034f7b0680e6d46efa – version 4.1
  • a92af825bd95b6514f22dea08a4eb6d3491cbad45e69a5b9653b0148ee9f9832 – version 4.1
  • ce093ffa19f020a2b73719f653b5e0423df28ef1d59035d55e99154a85c5c668 – version 4.1.2 (first)
  • a1aae5ae7a3722b83dc1c9b0831c973641b246808de4f3670f2fd916cf498d38 – version 4.1.2 (second)
  • 3b0096d6798b1887cffa1288583e93f70e656270119087ceb2f832b69b89260a – version 4.2
  • e8e948e36fed93061062406693d1b2c402dd8e5788506bfbb50dbd86a5540829 – version 4.2

Domain

http://gandcrabmfe6mnef.onion

The post GandCrab Ransomware Puts the Pinch on Victims appeared first on McAfee Blogs.

Police are threatening free expression by abusing the law to punish disrespect of law enforcement

Spencer Gallien

In May 2016, a pair of police officers with the New York City Police Department ticketed Shyam Patel for his car’s tinted windows in Times Square. After parking his car, Patel raised his middle finger at them in response.

The NYPD officers then approached Patel and asked for his identification. When Patel asked what crime he was suspected of committing, he alleges that one officer told him, “You cannot gesture as such…”

When Patel insisted that freedom of speech did grant him the right, Patel alleges that the officer said that he could not curse a police officer, grabbed his phone, and again demanded identification. Patel was arrested and charged with disorderly conduct and resisting arrest.

While the charges were later dropped, Patel is suing the officers for violation of his First Amendment right to free expression. No law prohibits swearing at or flipping off a police officer, and it seems clear that law enforcement were in the wrong. But Patel’s case is only the latest incident of police officers abusing the law and their positions of power to punish people critical or disrespectful of law enforcement.

In 2009, a black man returned to his home in Cambridge, Massachusetts from travels abroad to find his door tightly shut. He, along with his taxi driver, forced the door open. Soon after, police arrived to his residence to respond to a reported burglary.

It’s unclear what words exactly were exchanged, but the man was arrested for “loud and tumultuous behavior”. A report by the officer in question indicated that the man merely used harsh language and called the officer a racist.

If the circumstances were different, this incident may not have made the headlines it did—countless people of color are accused of criminal activity for walking upon their own sidewalks or entering into their own homes. But the man was Henry Louis Gates, Jr., a professor at Harvard University and friend of newly elected President Obama. The details of his arrest quickly made waves across the country.

Coverage of the incident focused on concerns of racial profiling, but it was about free speech, too. Gates was arrested not for breaking and entering, but for disorderly conduct after he used harsh language at the officer—just like Patel in New York. Civil liberties attorney Harvey Silverglate has called disorderly conduct law enforcement’s “charge of choice” for when a citizen gives lip to a cop.

These types of cases are still a regular occurrence, despite the landmark 1974 court case Lewis v. New Orleans, where the Supreme Court struck down a city ordinance that outlawed “obscene or opprobrious language toward or with reference to” a police officer. At that time, the court noted that a “properly trained police officer may reasonably be expected to exercise a higher degree of restraint” than private citizens.

Despite the Supreme Court’s clear ruling on this issue, police in Pennsylvania are using the state’s version of a “hate crime” law to prosecute multiple people who say offensive things to them when they are arrested. These laws are intended to protect the vulnerable, but are instead being wielded as a tool by powerful government entities.

Robbie Sanderson, a 52 year old black man, was arrested for retail theft near Pittsburgh in September 2016. During his arrest, he called the police “Nazis” and “skinheads”, and said that “all you cops just shoot people for no reason.” He was charged with felony ethnic intimidation.

Later that year, Senatta Amoroso became agitated at a police station, and was arrested for disorderly conduct and knocked to the ground. According to the ACLU, she yelled while handcuffed in a jail cell: “Death to all you white bitches. I’m going to kill all you white bitches. I hope ISIS kills all you white bitches.” Her six charges included a felony assault charge for hitting an officer in the arm and felony ethnic intimidation.

Sanderson and Amoroso’s cases are just two of many of Pennsylvania law enforcement agents slapping disrespectful arrestees with “hate crime” charges. These people yelled speech that officers found offensive, but they were handcuffed and posed no physical threat to anyone.

Pennsylvania’s “ethnic intimidation” charge works similarly to “hate crime” laws in other states, which generally enhance penalties for perpetrators when victims were targeted for discriminatory reasons. (“Hate speech” laws technically do not exist in the United States.) Although hate crime statutes were enacted to protect minorities, they can be and are being enforced to protect powerful groups like police.

Nadine Strossen, a professor at New York Law School who was previously president of the ACLU, is not surprised that police are abusing “hate crime” laws to punish disrespect. She thinks these cases, in New York, Massachusetts, and Pennsylvania, all show the same pattern of such laws being wielded against the people they were intended to protect—minorities, and people who lack political power.

She noted that during the civil rights movement, police would charge people protesting injustice with whatever they could—with “resisting arrest”, “disorderly conduct”, or “fighting words”, all of which Strossen calls “catch-all” crimes.

Strossen thinks that the way police abuse “hate crime” laws reveals the inherently problematic nature of legislation that attempts to single out specific identities. “There’s this hydrologic pressure once you have any hate crime or hate speech law. Additional pressures to expand this definition emerge, until the question becomes: ‘Who is not included?’”

In Strossen’s new book, HATE: Why We Should Resist It with Free Speech, not Censorship, she argues that hate speech laws in many European countries have ended up stifling the speech of the vulnerable populations they are intended to protect. She cautions that these recent examples show how hate crime laws can potentially be used for similar purposes in the United States, and that pushing for hate speech laws can backfire.

While the first hate crime laws in the United States were targeted to race and religion, they have expanded to include other categories like gender and sexual orientation. There is concern that powerful groups like police officers are co-opting these laws to shield themselves from scrutiny or criticism. It’s a pattern not unique to the United States—she referenced a recent proposal in South Africa that considered adding “occupation” to a list of protected classes. “Could this include police and politicians, and government officials?”

Some U.S. policymakers are already aiming to officially establish police as a “protected” class of people. This May, the House of Representatives passed the Protect and Serve Act, which would make assaulting a police officer a federal crime. The Senate’s version of this bill even frames attacks on police as federal hate crimes.

These legislative efforts at the federal level follow on the heels of so-called “Blue Lives Matter” bills already passed in states including Kentucky and Louisiana. And while the federal bill applies to physical attacks on police, the state level laws have been enforced upon mere language hostile to police.

During an arrest on unrelated charges in 2016, a man in New Orleans yelled insults at officers and was slapped with additional charges. In a post about this incident, the ACLU of Louisiana wrote that “While racist, sexist, and other similar language may show a lack of respect for law enforcement, it is the job of the police to protect even the rights of those whose opinions they don’t share.”

These bills are not only unnecessary (attacking police officers is already a crime) but also actively harmful.

“The point is clear, especially with regards to the adoption of hate crime statute frameworks: to reinforce the myth of the police as vulnerable and embattled,” Natasha Lennard wrote about “the Protect and Serve Act” for The Intercept.

Recent incidents in Pennsylvania, New York, and Louisiana are part of a long and disturbing history of police abusing the law to punish speech they find unfavorable. It’s deeply concerning for free expression that police feel empowered to add additional charges to arrestees because of the words that they yell while being handcuffed, and legislation that makes police a protected class only amplifies the police’s ability to silence dissent and intimidate critics.

Ransomware Hits Health Care Once Again, 45,000 Patient Records Compromised in Blue Springs Breach

More and more, ransomware attacks are targeting one specific industry – health care. As detailed in our McAfee Labs Threats Report: March 2018, health care experienced a dramatic 210% overall increase in cyber incidents in 2017. Unfortunately, 2018 is showing no signs of slowing. In fact, just this week it was revealed that patient records from the Missouri-based Blue Springs Family Care have been compromised after cybercriminals attacked the provider with a variety of malware, including ransomware.

Though it is not yet clear how the attackers gained access, their methods were effective: the cybercriminals were able to breach the organization’s entire system, exposing patient data. The attack compromised 44,979 records, including Social Security numbers, account numbers, driver’s licenses, disability codes, medical diagnoses, addresses, and dates of birth.

The company’s official statement notes, “at this time, we have not received any indication that the information has been used by an unauthorized individual.” However, if this data is exploited, it can be used for both identity fraud and medical fraud.

So, with a plethora of personal information out in the open – what should these patients do next to ensure their personal data is secure and their health information is private? Start by following these tips:

  • Talk with your health provider. With many cyberattacks taking advantage of the old computer systems still used by many health care providers, it’s important to ask yours what they do to protect your information. What’s more, ask if they use systems that have a comprehensive view of who accesses patient data. If they can’t provide you with answers, consider moving on to another practice that has cybersecurity more top of mind. 
  • Set up an alert. Though this data breach does not compromise financial data, this personal data can still be used to obtain access to financial accounts. Therefore, it’s best to proactively place a fraud alert on your credit so that any new or recent requests undergo scrutiny. This also entitles you to extra copies of your credit report so you can check for anything suspicious. If you find an account you did not open, report it to the police or Federal Trade Commission, as well as the creditor involved so you can close the fraudulent account.
  • Keep your eyes on your health bills and records. Just like you pay close attention to your credit card records, you need to also keep a close eye on health insurance bills and prescription records, which are two ways that your health records can be abused. Be vigilant about procedure descriptions that don’t seem right or bills from facilities you don’t remember visiting.
  • Invest in an identity theft monitoring and recovery solution. With the increase in data breaches, people everywhere are facing the possibility of identity theft. That’s precisely why they should leverage a solution tool such as McAfee Identity Theft Protection, which allows users to take a proactive approach to protecting their identities with personal and financial monitoring and recovery tools to help keep their identities personal and secured.

 And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Ransomware Hits Health Care Once Again, 45,000 Patient Records Compromised in Blue Springs Breach appeared first on McAfee Blogs.

Onwards and Upwards: Our GDPR Journey and Looking Ahead

At Imperva, our world revolves around data security, data protection, and data privacy.  From our newest recruits to the most seasoned members of the executive team, we believe that customer privacy is key.

For the better part of the last two years, Imperva has laid the foundation for our compliance with the EU General Data Protection Regulation (GDPR).  At roughly ninety pages with 173 recitals and 99 articles, it’s a massive regulation that fundamentally shifts the data privacy and data protection universe.

Also read: Monitoring Data & Data Access to Support Ongoing GDPR Compliance

We at Imperva are proud of what we’ve accomplished in this time.  As the lead for Imperva’s Privacy Office, I can candidly say that our success has been made possible only through the combined efforts of the entire organization. Thank you to our many Privacy Champions that have actively engaged within their departments and teams.

And a special thanks to our many critical internal partners, including our CMO David Gee, for his humorous evangelizing of data privacy initiatives, our Director of InfoSec, Noam Lang, our CIO, Bo Kim, who was also our first-ever privacy champion, and our CEO, Chris Hylen, for all having supported and prioritized data privacy initiatives within Imperva.

Just the beginning

Our work to comply with GDPR represents only the start of Imperva’s journey to protect, and to create products that protect, the data privacy of our customers and their users.  Already, Imperva is proactively building on our GDPR work and looking to ‘infinity and beyond’. Part of that ‘beyond’ is our monitoring and preparation for other game-changing regulations such as the EU ePrivacy Regulation and the California Consumer Privacy Act.

A Successful Launch

Imperva has launched significant enhancements to our data privacy and data security programs and environments to account for new obligations under GDPR.

  • Governance: We have formalized and expanded the governance structure of the data privacy function within Imperva, including the creation of a dedicated Privacy Office.  This updated governance structure has been integrated into our annual third-party certification audits and reviews.
  • DPIAs:  We have expanded our standard internal Privacy Impact Assessment process to trigger additional Data Protection Impact Assessments when appropriate.
  • Security Environments: We have long maintained several common certification frameworks via third-party audits, including ISO 27001, the PCI Data Security Standard, and SOC 2 Type II reporting.  As part of ensuring that our robust environments remain secure, we mapped our GDPR infosec obligations to our existing control frameworks to ensure we meet all GDPR obligations on an ongoing basis.
  • Updated Privacy Notices:  We updated the privacy policies on our web properties to reflect the changes we’ve adopted under GDPR. Additionally, we’ve refreshed our cookie consent banners and cookie policies for those in the European Union.
  • Customer Agreements: In order to facilitate streamlined customer onboarding, we’ve created ready-to-sign Data Processing Agreements (DPAs) that provide details about what personal data an Imperva product or service collects in order to provide that service.  These DPAs utilize the controller-processor model clauses approved by the EU Commission and address customer concerns about how cross-border data transfers are GDPR-compliant.
  • Data Subject Requests: We’ve rolled out a new data subject request portal on our web properties.  Additionally, we’ve worked with each Imperva department to ensure smooth operational processing of data subject rights, including access, rectification, and erasure.

To Infinity

We here at Imperva have not been satisfied by merely meeting our obligations.  We are making data privacy a priority. As a security company, data privacy is mission critical.  It’s part of earning and maintaining the trust of our customers and employees.

Even Better Products: Our Product teams have worked hard to re-architect infrastructure to enable regional storage of logs.  This new feature makes compliance with GDPR far easier for customers or their subsidiaries operating primarily within a single geographic region by reducing cross-border data transfers.  Additionally, regional log storage enables genuine conformity with data localization and residence laws, such as those in China, Canada, Germany, Russia, and South Korea.

Embedded Privacy Champions: We’ve ramped up our program to embed mini privacy subject matter experts within each department. Today, three percent of our workforce are privacy champions thinking about how to protect your personal data. And that number is growing.

Privacy Guidance Down to Departments: The Privacy Office has worked with each department to create individual departmental policies and operational guidance to ensure that Imperva employees in every role know how to safeguard and protect personal data.

Vendor Management: We’ve reviewed dozens of vendors across all product lines to ensure we have the appropriate data privacy and security provisions, data processing agreements, and standards in place to safeguard our customers’ personal data.  Our subprocessors page on our web properties provides additional information about third-party service providers.

And Beyond!

Imperva has aimed high when it comes to the obligations created by GDPR, but we’re also looking far beyond.

In particular, Imperva is keeping a close eye on new data privacy laws and updates coming down the line that could impact our customers’ data privacy obligations, and therefore our obligations to you, such as the EU ePrivacy Regulation, which will replace the 2002 ePrivacy Directive (last amended in 2009), as well as the California Consumer Privacy Act, which takes effect on January 1, 2020.

GDPR is a significant milestone in the data privacy universe and so too in Imperva’s journey, yet it’s important to recognize it as a milestone and not as an endpoint.  GDPR represents only the start of Imperva’s journey to protect and to create products that protect the data privacy of our customers and their users.

Multiple Cobalt Personality Disorder

Introduction

Despite the notion that modern cybersecurity protocols have stopped email-based attacks, email continues to be one of the primary attack vectors for malicious actors — both for widespread and targeted operations.

Recently, Cisco Talos has observed numerous email-based attacks that are spreading malware to users at both a large and small scale. In this blog post, we analyze several of those campaigns and their tactics, techniques and procedures (TTPs). These campaigns were all observed between mid-May and early July of this year, and can likely be attributed to one, or possibly two, groups. The attacks have become more sophisticated, and have evolved to evade detection on a continual basis.


Other researchers have attributed these attacks to a group known as the Cobalt Gang, which has continued its activities even after the arrest of its alleged leader in Spain this year.

Simple campaigns typically use a single technique and often embed the final executable payload into the exploit document. However, more complex campaigns require meticulous planning on the part of the attacker and include more sophisticated techniques to hide the presence of the malicious code, evade operating system protection mechanisms and eventually deliver the final payload, likely to be present only in the memory of the infected computer and not as a file on the disk.

The attacks we will be highlighting generally start with an email campaign, often targeted toward financial institutions. The malicious emails display a strong command of the English language, and their content may have been taken from legitimate emails relevant to the business of the targeted organization.

The emails either contain a URL pointing to one of the three document types or have initial attack stages attached outright. They are using Word OLE compound documents with malicious obfuscated VBA macro code, RTF documents containing Microsoft Office exploits or PDF documents that start the next attack stages to eventually deliver a Cobalt Strike beacon binary or a JScript-based backdoor payload.

It is essential to be aware of these attacks as emails look legitimate, but can result in the installation of a payload that can inflict significant financial damage to the targeted organization.

Infection vector — Emails


All observed attacks start with an email message, containing either a malicious attachment or a URL which leads to the first stage of the attack.

The text of the emails is likely taken from legitimate email, such as mailing lists that targeted organisations may be subscribed to.

Below are three examples. The first purports to be sent by the European Banking Federation and uses a newly registered domain for the spoofed sender email address. The attachment is a malicious PDF file that entices the user to click on a URL to download and open a weaponized RTF file containing exploits for CVE-2017-11882, CVE-2017-8570 and CVE-2018-8174. The final payload is a JScript backdoor also known as More_eggs that allows the attacker to control the affected system remotely.


Observed email campaign 1

The second campaign, sent on June 19, appears to be sharing threat intelligence information with the recipient, and the sender seems to be from a newly registered domain that looks like a domain belonging to a major manufacturer of ATMs and other payment systems. This campaign contains a URL, which points to a malicious Word document where the infection chain is triggered by the user allowing the VBA macro code to run.


Observed email campaign 2

The third campaign, sent on July 10, is a more personal campaign that targets a variety of businesses. The subject indicates that this is a complaint about problems with services provided by the target company, allegedly listed in an attached document. The attachment is an RTF document containing exploits that start the chain of several infection stages until the final executable payload is downloaded and loaded in the memory of the infected system. All emails lead to stage 1 of the attack chain.


Observed email campaign 3

Stage 1


Document attacks (PDFs, RTFs, DOCs)


Most commonly, the observed emails have a malicious RTF file as an attachment, but the attachments can also be Word documents with obfuscated VBA macro code, PDF files that redirect to other documents, or even outright binary executable payloads.

Here, we show an example of a PDF campaign as seen from the point of view of the affected user. The user receives an email with a PDF attachment and opens a file that does not contain any exploit code, but relies on the social engineering techniques used in the email, which should convince the user to open the attachment without suspecting that there may be something wrong with it.


This malicious PDF only contains a URL to entice the user to view the file.

If the user chooses to click on the URL link and to read the actual content of the file, the browser will open a legitimate Google location which will redirect the browser to a malicious document.


Browser redirection

Finally, the malicious Word document is opened and the VBA macro code is run after the user allows for the editing of the content within Word. This eventually kickstarts the rest of the infection chain, terminates the Word process to hide the original file and opens a new Word instance to display a non-malicious decoy document dropped to the disk drive by one of the previous stages.


Malicious Word document

The decoy document remains constant throughout the campaign and is likely a side effect of the Threadkit exploit toolkit and cannot be relied upon for attribution.


Decoy document opened in Word

Stage 2 — Exploits and exploit kits

RTF documents sent in the observed campaigns contain exploits for several vulnerabilities in Microsoft Office, and they seem to be created using a version of an exploit toolkit often referred to as Threadkit. Documents generated by the toolkit typically launch a couple of batch files, task.bat and task (2).bat, that drive the rest of the infection process.

Threadkit is not exclusively used by the actors behind the observed attacks but also by other groups utilizing various payloads, including Trickbot, Lokibot, SmokeLoader and some other banking malware.

The actors behind the attacks seem to be using a somewhat modified version of the exploit kit, which relies on launching code through known mechanisms for evading the Windows AppLocker protection feature and leveraging legitimate Microsoft applications such as cmstp, regsvr32 or msxsl. We will discuss these mechanisms in more detail later in this post.

At least three vulnerabilities are exploited with these documents, the most common of which is a memory stack buffer overflow in Microsoft Equation Editor (CVE-2017-11882) patched by Microsoft in November 2017, followed by a composite moniker vulnerability (CVE-2017-8570), as well as the very similar, but slightly older, script moniker vulnerability that is very popular among attackers (CVE-2017-0199).

More recent attacks also attempted to exploit an Internet Explorer vulnerability (CVE-2018-8174) triggered by an RTF document and an embedded URL moniker object. The embedded object triggers a download of an HTML page containing the VBScript that exploits the vulnerability and launches the shellcode. The HTML component of the exploit is based on the original exploit code discovered in May this year.


CVE-2018-8174 VB script exploit code

Stage 3 — Scriptlets, scripts and DLLs

AppLocker bypass attempts (cmstp, msxsl, regsvr32)

When Microsoft decided to add the AppLocker feature to Windows to give defenders holistic application control, security researchers began working on the offensive side of security to search for ways to circumvent it.

Windows AppLocker allows administrators to control which executable files are denied or authorized to execute. Administrators can create rules based on file names, publishers or file location that will allow only certain files to execute, but not others.

AppLocker works well for executables and over time it has also been improved to control various script types, including JScript, PowerShell and VBScript. This has significantly reduced the attack surface and forced attackers, including more sophisticated groups, to find new methods of launching executable code.

A number of legitimate Windows executables that are not blocked by the default AppLocker policies have been discovered, and various proof-of-concept AppLocker bypass code has become publicly available.

Notable applications used in these attacks are cmstp and msxsl. The Microsoft Connection Manager Profile Installer (cmstp.exe) is a command-line program used to install Connection Manager service profiles. Cmstp accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections. A malicious INF file can be supplied as a parameter to download and execute remote code.


Example malicious INF file to load a remote SCT file

Cmstp may also be used to load and execute COM scriptlets (SCT files) from remote servers.


Example of malicious scriptlet file used to drop a malicious DLL dropper for the next stage



Microsoft allows developers to create COM+ objects in script code stored in an XML document, a so-called scriptlet file. Although it is common to use JScript or VBScript, as they are available in Windows by default, a scriptlet can contain COM+ objects implemented in other languages, including Perl and Python, which would be fully functional if the respective interpreters are installed.

To bypass AppLocker and launch script code within a scriptlet, the attacker includes the malicious code within an XML script tag placed within the registration tag of the scriptlet file and calls cmstp with appropriate parameters. For example:



Here, the attackers randomize the scriptlet name and use a .txt filename extension, likely in an attempt to bypass fundamental protection mechanisms that attempt to block file types based on the filename extension.


Payload dropper in an XSL file

Another executable used to attempt bypass of the AppLocker feature is msxsl.exe, a Windows utility used to run XSL (eXtensible Stylesheet Language) transformations. Msxsl.exe is dropped together with its parameter by the previous attack stage, a DLL dropper, and run to continue the infection chain.

It takes an XML and an XSL file as a parameter, but it also loads the script engine and runs the script code within the <msxsl:script> tag of the supplied XSL file when invoked through a call placed within the <xsl:value-of> tag.


Invoking the JScript code of the payload dropper within an XSL file

The supplied XML file seems to be randomly generated and used simply because the second parameter is required and is of no further interest for analysis.

DLL dropper


An earlier part of the second stage is implemented as an encrypted JScript scriptlet which eventually drops a randomly named COM server DLL binary with a .txt filename extension, for example, 9242.txt, in the user's home folder and registers the server using the regsvr32.exe utility.

The dropper contains an encrypted data blob that is decrypted and written to the disk. The dropper then launches the next stage of the attack by starting PowerShell, msxsl or cmstp.exe as described above.

Once the DLL dropper is finished with its activity, it will be deleted from the drive, which may be one of the reasons why there are not too many DLL dropper samples available in public malware repositories.


Exported functions of the two observed variations of the dropper DLLs

From the observed samples, it seems that the attacker has access to the source code of two legitimate DLLs, which they modify to include the malicious dropper code. The two variants can be distinguished by looking at the names of the exported functions. The exported names seem legitimate and should not be used as a basis for malware detection.

Stage 4 — Downloaders

PowerShell leading to shellcode

The PowerShell chain is launched from an obfuscated JScript scriptlet previously downloaded from the command and control (C2) server and launched using cmstp.exe.


First PowerShell stage with base64 encoded code

The first PowerShell stage is a simple downloader that downloads the next PowerShell stage and launches a child instance of powershell.exe using the downloaded, randomly named script as the argument.


PowerShell downloader

The downloaded PowerShell script code is obfuscated in several layers before the last layer is reached. The last layer loads shellcode into memory and creates a thread within the PowerShell interpreter process space.


PowerShell stage shellcode loader

This PowerShell code used in the final stage to launch shellcode is publicly available as a part of an open-source antivirus evasion framework DKMC (Don't Kill My Cat) released in 2016, but it is also connected with the Cobalt Strike framework.


Beginning of the "download and load" shellcode

The shellcode is relatively simple and begins with an XOR loop that deobfuscates the rest of the code. The most important function is the one that resolves the various API addresses using a checksum of the API name as the parameter: it traverses the PEB linked list of loaded modules to find the required module, traverses the list of module exports to find the required API and finally jumps to (calls) the found API function. The main purpose of the shellcode is to download an encrypted payload over HTTPS, decrypt it in memory and launch it.

JScript downloader

As opposed to PowerShell loading a Cobalt Strike beacon, the other observed infection chain continues using JScript to deliver the final payload, which is a JScript backdoor. In this infection chain, the DLL dropper drops a JScript downloader, which eventually downloads the JScript backdoor payload from the C2 server.


JScript downloader which downloads and launches a randomly named backdoor

The final payload is another obfuscated scriptlet file that is started by launching regsvr32.exe with the /U (unregister) command-line option to call into scrobj.dll JScript interpreter with the downloaded scriptlet file as an argument.
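As an added example that is not Talos code, the following heuristics flag the living-off-the-land steps described in Stages 2 to 4 (Threadkit batch files from the Office host, cmstp.exe fed a .txt "profile", msxsl.exe on a user-path XSL, regsvr32.exe registering a .txt DLL or running a scriptlet through scrobj.dll with /u, and powershell.exe spawning a child powershell.exe). It assumes Sysmon Event ID 1 style field names (Image, CommandLine, ParentImage) in JSON lines; all events below are constructed for the example.

```python
"""
Added example (not Talos code): process-creation heuristics for the living-off-the-land
steps the post describes in Stages 2 to 4. Records use Sysmon Event ID 1 style field
names (Image, CommandLine, ParentImage), one JSON object per line; the events below are
constructed for this example.
"""
import json
import ntpath
import re
from typing import Iterable, List, Optional, Tuple

# Office hosts a weaponised document runs in. EQNEDT32.EXE is the Equation Editor
# process that CVE-2017-11882 executes under, so its children matter as well.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
# Paths an unprivileged user can write to; system binaries fed files from here deserve a look.
USER_WRITABLE = re.compile(r"\\users\\|\\appdata\\|\\temp\\|%temp%|%appdata%")
THREADKIT_BAT = re.compile(r"task( \(2\))?\.bat")      # task.bat / task (2).bat
TXT_PATH = re.compile(r"\\[^\\\s\"]+\.txt\b")           # a .txt file handed to a system binary
UNREGISTER = re.compile(r"(^|\s)[/-]u\b")               # regsvr32 /u


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def classify(rec: dict) -> Optional[str]:
    """Return a detection name for one process-creation record, or None if it looks benign."""
    image = _basename(rec.get("Image", ""))
    parent = _basename(rec.get("ParentImage", ""))
    cmd = rec.get("CommandLine", "").lower()

    # Stage 2: Threadkit-built documents start task.bat / task (2).bat from the Office host.
    if parent in OFFICE_HOSTS and image == "cmd.exe" and THREADKIT_BAT.search(cmd):
        return "office-spawned-threadkit-batch"
    # Stage 3: cmstp.exe expects an .inf profile; a URL or a .txt "profile" is the abuse case.
    if image == "cmstp.exe" and (re.search(r"https?://", cmd) or re.search(r"\.txt\b", cmd)):
        return "cmstp-remote-or-txt-profile"
    # Stage 3: msxsl.exe transforming an .xsl dropped into a user-writable directory.
    if image == "msxsl.exe" and re.search(r"\.xsl\b", cmd) and USER_WRITABLE.search(cmd):
        return "msxsl-user-path-xsl"
    # Stage 3: regsvr32.exe registering a COM server stored with a .txt extension (e.g. 9242.txt).
    if image == "regsvr32.exe" and "scrobj.dll" not in cmd and TXT_PATH.search(cmd):
        return "regsvr32-txt-dll"
    # Stage 4: regsvr32.exe /u with scrobj.dll runs a scriptlet rather than unregistering anything.
    if image == "regsvr32.exe" and "scrobj.dll" in cmd and UNREGISTER.search(cmd):
        return "regsvr32-scrobj-scriptlet"
    # Stage 4: powershell.exe spawning powershell.exe on a script kept under the user profile.
    if image == "powershell.exe" and parent == "powershell.exe" and USER_WRITABLE.search(cmd):
        return "powershell-child-downloader"
    return None


def scan(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Run classify() over JSON-lines records; returns (line_no, detection, command line)."""
    hits = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        rec = json.loads(line)
        reason = classify(rec)
        if reason:
            hits.append((n, reason, rec.get("CommandLine", "")))
    return hits


# Constructed events: six modelled on the post's chain, three benign look-alikes (3, 8, 9).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\task.bat"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\cmstp.exe",
     "CommandLine": r"cmstp.exe /ni /s C:\Users\alice\AppData\Local\Temp\d4k1.txt"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\cmstp.exe",
     "CommandLine": r"cmstp.exe /ni /s C:\Windows\Temp\corpvpn.inf"},
    {"ParentImage": r"C:\Windows\System32\regsvr32.exe", "Image": r"C:\Users\alice\AppData\Local\Temp\msxsl.exe",
     "CommandLine": r"msxsl.exe C:\Users\alice\AppData\Local\Temp\q.xml C:\Users\alice\AppData\Local\Temp\q.xsl"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\alice\9242.txt"},
    {"ParentImage": r"C:\Windows\System32\regsvr32.exe", "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s /u /i:C:\Users\alice\AppData\Local\Temp\ml0x.txt scrobj.dll"},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ep bypass -f C:\Users\alice\AppData\Local\Temp\q8h2s.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Process"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe", "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Windows\System32\msxml3.dll"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for n, reason, cmd in scan(SAMPLE_LOG.splitlines()):
        print(f"line {n}: {reason}: {cmd}")
```

The rules are deliberately narrow (a .txt passed to cmstp or regsvr32, scrobj.dll with /u) so that ordinary administrative use of the same binaries stays quiet.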

Stage 5 — Payloads

JScript backdoor


In the JScript side of the observed campaign's infection chain, the final payload is a fully functional JScript backdoor known as "More_eggs," based on one of the variable names present in its code.

The functionality of the backdoor is somewhat typical for that type of malware and allows the attacker to control the infected machine over an HTTPS-based C2 protocol. The backdoor has its initial gate that it connects to on a regular basis to check for the next commands submitted by the attacker.

The commands are relatively limited, but are sufficient to instruct the backdoor to download and execute a new payload, remove itself from the system or download and launch additional scriptlets. During the research, we did not observe other binary payloads downloaded by the JScript backdoor, but they are likely to be present in a real environment.

Looking at our Umbrella Investigate telemetry, there was a low level of activity for most of the C2 servers. However, for one of them, api.outlook.kz, we observed a regular pattern of moderate usage over the period of a few weeks with the majority of the queries coming from U.S., followed by Germany and Turkey.


DNS queries for api.outlook.kz backdoor C2 host

The backdoor fingerprints the targeted system and sends back the acquired information, including an installed anti-malware program, a version of the installed operating system, the local IP address, the name of the infected computer, the username and other characteristics that uniquely describe the infected system.


Two More_eggs backdoor versions, possibly two different groups?

There are definite similarities between these attacks — primarily in the type of exploit, but also in the C2 infrastructure and the kind of payload that is used. However, that doesn't mean it can be attributed to a single actor.

There are at least two different versions of the JScript backdoor in use, version 2.0 and version 4.4. Interestingly, in attacks using version 4.4, the attackers added a variable "researchers" initialized to the string "We are not cobalt gang, stop associating us with such skids!", which may indicate that more than one actor using very similar TTPs was active during the same period.

Cobalt Strike beacon


On the PowerShell side of the infection chain, the downloaded final payload is a Cobalt Strike beacon, which provides the attacker with rich backdoor functionality.

Cobalt Strike beacons can be compared with Meterpreter, a part of the Metasploit framework. Cobalt Strike is used by penetration testers and offensive security researchers when delivering their services, but it is generally, just as Meterpreter, detected by anti-malware software as it can be easily used by malicious actors.

The beacon payload allows attackers to maintain full control over the infected system and pivot to other systems as they see required, harvest user credentials, execute code with a UAC bypass, escalate the beacon privileges using different mechanisms, and so on. An in-depth analysis of a Cobalt Strike beacon payload is outside of the scope of this post.

Conclusion/Summary


Breadth of the observed campaigns

Attackers have to create a reliable and adaptable infrastructure to be able to continually launch attacks over an extended period of time. This sometimes requires the development of proprietary tools with the advantage of full control over them, but with a higher initial cost of investment.

On the other hand, attackers can choose off-the-shelf tools such as the ones described, which can serve their purposes equally well if they are disguised.

We have documented the activities of several related malware campaigns targeting users in the financial industry, as well as other businesses, with a potential for financial return. We chose to cover these campaigns to showcase the breadth of TTPs required for successful targeted attacks, ranging from proper reconnaissance all the way to delivery of the final payload through several intermediate infection stages.

The TTPs we observed over the past two months are consistent with the previous activity of the so-called Cobalt Group.

However, we have found some payloads that contain a message for researchers stating that the attackers are not the Cobalt group, which may indicate that the attacks are conducted by different actors despite the commonalities in TTPs.

Although the attacks are conducted using readily made tools, the attackers show a high level of technical knowledge judging by their ability to combine those tools into a number of successful campaigns delivering different payloads to gain an initial foothold into their targets and provide attackers with a platform for further attack stages to reach their ultimate goal, which is likely a financial gain.

Coverage


Additional ways our customers can detect and block this threat are listed below.



Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.

AMP Threat Grid helps identify malicious binaries and builds protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.



IOCs



Why No HTTPS? Questions Answered, New Data, Path Forward


So that little project Scott Helme and I took on - WhyNoHTTPS.com - seems to have garnered quite a bit of attention. We had about 81k visitors drop by on the first day and for the most part, the feedback has been overwhelmingly positive. Most people have said it's great to have the data surfaced publicly and they've used that list to put some pressure on sites to up their game. We're already seeing some sites on the Day 1 list go HTTPS (although frankly, if the site is that large and they've done it that quickly then I doubt it's because of our list), and really, that's the best possible outcome of this project - seeing websites drop off because an insecure request is now redirected to a secure one.

In the launch blog post, I wrote about the nuances of assessing whether a site redirects insecure requests appropriately. The tl;dr of it was that there's a bunch of factors that can lead to pretty inconsistent behaviour. Just read the comments there and you'll see a heap of them along the lines of "Hey Troy, site X is redirecting to HTTPS and shouldn't be on there", followed by me saying "No they're not, here's the evidence". For example, roblox.com:


And if you're going to roblox.com over the insecure scheme now and thinking "these guys have got it wrong", look at the requests the browser makes:


If we drill into the response of that first request, we can see how it's all tied together:

It's a rather bizarre redirect model where it sets a cookie then reloads the same insecure path but by virtue of having said cookie present, that request then redirects to HTTPS. I'm going to talk more about this later on in terms of why it doesn't warrant removing Roblox from the list, for now I just wanted to highlight how inconsistent redirects can be and how what you observe in the browser may not be consistent with what's on WhyNoHTTPS.com.

Moving on, we wanted to get an updated list out ASAP because there are indeed sites that are going secure and they deserve that recognition. However, that's turned out to be a non-trivial task and I want to explain why here.

What Causes a Site to be Removed From WhyNoHTTPS.com?

Well, when it starts redirecting everyone to HTTPS by default, right? Easy? No.

I ran Scott's latest crawl of the Alexa Top 1M sites and grabbed the JSON for sites served over HTTP (he makes all of these publicly accessible so you can follow along if you'd like). I then pumped it into a local DB and worked out what had dropped off the list from Day 1 and found sites that included the following domains:

  1. sberbank.ru
  2. 360doc.com
  3. ci123.com

Nope, nope and nope. Each one of them still sticks on HTTP, even in the browser which would otherwise follow client-side script redirects. So what gives?

What we have to be conscious of is that these 3 sites stuck out because they weren't on Scott's list of HTTP sites. However, they also weren't on his list of HTTPS sites (also available for you to download), so, again, what gives? Quite simply, the crawler couldn't get a response from the site. The site could have been down, the network connection could have dropped or the crawler itself could have been blocked (although note that it should be indistinguishable from a normal browser as far as the server is concerned). So what should we do?

My biggest concern was that now we have a baseline on the site with the Day 1 data, deviations from that state will be seen by many people. If we publish an update and sberbank.ru drops off the list and everyone is like "good on you Sberbank" (and yes, that is a bank), that would be rather misleading and wouldn't do much for confidence in our project.

So what if we go the other way? I mean what if instead of listing everything in the HTTP list, we took the entire 1M list and just subtracted the HTTPS one? This changes the business rule from "the site loaded over HTTP" to "the site didn't load over HTTPS". Anything caught in the gaps between those 2 is then flagged as not doing HTTPS. So I ran the numbers from the latest scan, and here they are:

  1. Of the top 1M sites, there were 451,938 in the HTTP list and 399,179 in the HTTPS list
  2. In total, that means 851,117 sites were logged as loading over either HTTP or HTTPS
  3. Subsequently, 148,883 sites couldn't be accounted for because they simply didn't return a response

Nearly 15% is a lot and that's worrying because there could easily be a heap of false-positives in there. For example, the list includes Instagram, Google in Russia and Netflix. They all do HTTPS.

Consequently, the HTTP list alone won't cut it and the Alexa Top 1M list minus the HTTPS list also won't cut it either, so what are we left with? There was only one way forward:

  1. All the sites explicitly returning content over HTTP to the crawler and not redirecting make the list
  2. All the sites that never returned any response need to be tested entirely independently and if they don't redirect, they make the list

That last point may seem redundant but after some quick checks, I found that I could consistently get responses from sites on the 15% gap list where Scott's crawler couldn't. Maybe it's my location, maybe it's because I wrote my own that inevitably behaves slightly differently, I don't know, the point is that this effectively gives those 148,883 sites a second chance at serving content over HTTPS.

But that doesn't always work either! Of the top 10K Alexa ranked domains in that gap list, I still couldn't get a response from 2,907 of them. I was still finding domains which simply wouldn't resolve at all, for example the top 3 are:

  1. microsoftonline.com
  2. googleusercontent.com
  3. resultieser.com

These were the 81st, 118th and 162nd top ranked sites respectively and even manually testing them in the browser, none of them go anywhere. The first 2 don't resolve at all and the 3rd one redirects to home.resultieser.com which then, itself, doesn't resolve. I don't know why they make the Alexa Top 1M list (certainly not that high in the order) and I've not dug into it any further so if you have ideas on why this is, leave a comment below.

The bottom line is that we're down to about 4% and a bit of the Alexa Top 1M we simply can't account for and a bunch of those definitely don't go anywhere. I'd like to have a perfect list but the reality of it is that we never will so we just need to do our best within the constraints that we have.

As of now, our first revision of sites not supporting HTTPS is live at whynohttps.com.

I would have liked to have gotten a revised list out earlier but it's because of idiosyncrasies like those above that it took a while to get there. This is also the reason we haven't automated it yet; I'd love to rebuild the index on the site nightly, but right now it really needs that extra bit of human validation to make sure everything is spot on. Automation is definitely on the cards though.

Is it OK to Redirect Without a 30X?

I want to touch on a question that came up quite a few times and indeed I showed this behaviour earlier on with Roblox. What happens if a website doesn't respond with a redirect in the HTTP response header? Is an HTTP 200 and a meta refresh tag or some funky JS sufficient? Let's address that by starting with precisely what these response codes mean.

An HTTP 301 is "Moved Permanently", that is forever and a day the client should assume the resource is no longer at the requested location and is instead now at the location returned in the "Location" header. For example, take this request for troyhunt.com over HTTP:


You can see "301 Moved Permanently" on the second line then further down,

Location: https://www.troyhunt.com/

I'm telling any client that attempts to request that naked domain name (without www) over the insecure scheme that it should always refer to my site securely and with the www prefix. This is the correct way to redirect from HTTP to HTTPS; a 301 response with the final destination URL in that location header. You'll see sites sometimes doing multiple redirects which doesn't influence how we grade them HTTPS wise, but is inefficient as each redirect requires another request from the client.

Then there's HTTP 302, which is "Found", that is, the resource has been temporarily redirected to the location in the response header. This is not what you want when using the status code to redirect people from HTTP to HTTPS because this shouldn't be a temporary situation, it should be permanent. Always do HTTPS all of the time, and 301 is the semantically correct response code to do just that. We will still flag the site as redirecting to HTTPS if a 302 is used, but it's not ideal.

As you'll see from the Mozilla articles I linked to on those status codes, this has an impact on SEO. A 301 indicates that crawlers should index the content on the page being redirected to, a 302 indicates that they shouldn't. Browsers will also permanently cache a 301 redirect. Now this actually is important in terms of HTTPS because it ensures the same request for an insecure URL issued at a later date is sent securely before being sent over the wire where it's at risk of interception. (And yes, I'll get to HSTS shortly, let's just finish on status codes first.)

Meta refresh tags and client-side script are not "correct" implementations of redirects from insecure to secure schemes. Yes, they usually work, but they also have exceptions. For example, look at what happens to Roblox if I disable JS in Chrome:

Screenshot of Roblox loaded with JavaScript disabled in Chrome

This simply isn't a sufficient implementation of HTTPS, as it's just served the entire page over HTTP without any redirect. I have no idea why Roblox has taken this approach; it's very unusual and it's hard to see what upside they're gaining from it.

Of course, the other issue is that, particularly in a case such as Roblox's, it's extremely difficult for a parser to reliably figure out if HTTPS redirection is happening. We'd have to somehow programmatically work out that there's a cookie being set, the page reloaded and then the behaviour changing when the cookie is there. Consequently, a semantically correct redirect is the only thing that will keep the site off the HTTP list.

But a 301 is only the first step, let's talk about HSTS.

HSTS

Let me reiterate that last sentence - a 301 is the first step - because whilst there are other steps after that, you're not going anywhere without first 301'ing insecure requests. I'm going to delve into HSTS now and just in case that's a new acronym for you, have a read of Understanding HTTP Strict Transport Security (HSTS) and preloading it into the browser if need be.

There are a couple of dependencies for properly implementing HSTS and they're worth understanding before we proceed because I'm going to highlight a case where they haven't been understood. The first is that the browser will only honour the response header when returned over an HTTPS connection. Yes, you can return an HSTS header over HTTP but the browser will ignore it (think of the havoc a MitM could cause if it didn't...)

Next is that if you want to preload HSTS (which is really where you want to be), there are certain criteria to be met:

Screenshot of the hstspreload.org submission requirements

I've highlighted the key one because that speaks to one of the misunderstandings I saw in the wake of us launching the site. Let me illustrate with this site:

Screenshot of the site's entry on WhyNoHTTPS.com

This is the 4th largest Aussie site to make the list and it's a popular local one with an active forum. A thread sprang up last week about some local media coverage getting its inclusion on WhyNoHTTPS.com wrong, which, judging by the image above, is clearly not correct. There's some "passionate" backwards and forwards there, as people are prone to on forums, amongst which there's some genuinely insightful commentary. But there's also this from the operator of the site:

Screenshot of the forum post from the site operator

The first para is best skipped, so getting to the HSTS bit: this is missing the most fundamental requirement for HSTS, you must redirect from insecure requests. (There's also the whole point of a 301 putting requests on the secure scheme ASAP in order to dramatically reduce the number of requests sent insecurely.) Just as hstspreload.org explains in the earlier image, without a redirect from HTTP to HTTPS you can't preload. And just in case you're thinking, "ah, but the Whirlpool forum in question is on a subdomain of forums.whirlpool.net.au", firstly, it doesn't redirect from HTTP to HTTPS (that only happens once proceeding to the login page) and secondly, you can't preload subdomains:

Screenshot of the hstspreload.org note on subdomains

What you end up with on a site like Whirlpool, which isn't consistently redirecting insecure requests to secure ones, is a bit of a hodgepodge of security postures which leads to things like this:

So I'll end this section the way I began it: HTTP 301 is the first step to doing HTTPS right, and if a site can't do that on a request to the domain then it deserves a place on WhyNoHTTPS.com.
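To make the grading rules from the status-code and HSTS sections concrete, here is an added example (not code from the WhyNoHTTPS.com project) that classifies the response to the plain-HTTP request and then checks the HSTS header on the HTTPS response. The sample responses are constructed so it runs offline; the preload requirements it checks (a 301 to HTTPS, a max-age of at least one year, includeSubDomains and preload directives) are my assumptions about hstspreload.org, not text from the post.

```python
"""Grade a site's HTTP-to-HTTPS redirect and its HSTS posture in the way the post describes.

Added example, not code from the WhyNoHTTPS.com project. All responses below are
constructed by hand so the script runs offline. The preload requirements it checks
(a 301 from HTTP to HTTPS, max-age of at least one year, includeSubDomains and
preload directives) are assumptions about hstspreload.org, not text from the post.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse

ONE_YEAR = 31536000  # seconds; assumed minimum max-age for preload eligibility


@dataclass
class Response:
    """Minimal stand-in for an HTTP response captured by a crawler."""
    url: str
    status: int
    headers: dict = field(default_factory=dict)

    def header(self, name):
        """Case-insensitive header lookup; None when absent."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def grade_redirect(http_resp):
    """Classify the response to the plain-HTTP request for the naked domain."""
    location = http_resp.header("Location")
    scheme = urlparse(location).scheme if location else ""
    if http_resp.status == 301 and scheme == "https":
        return "correct"            # 301 straight to an https:// URL
    if http_resp.status in (302, 307) and scheme == "https":
        return "temporary"          # reaches HTTPS, but semantically wrong
    if http_resp.status in (301, 302, 307, 308):
        return "insecure-redirect"  # redirects, but stays on http://
    return "none"                   # page served over HTTP (meta refresh, JS, nothing)


def parse_hsts(value):
    """Split a Strict-Transport-Security header into lower-cased directives."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def evaluate(http_resp, https_resp):
    """Combine the redirect grade with the HSTS checks into one verdict."""
    redirect = grade_redirect(http_resp)
    problems = []
    raw = https_resp.header("Strict-Transport-Security")
    if raw is None:
        # Browsers only honour HSTS received over HTTPS, so a header that is
        # present only on the HTTP response does nothing.
        if http_resp.header("Strict-Transport-Security"):
            problems.append("HSTS header only sent over HTTP, so browsers ignore it")
        else:
            problems.append("no HSTS header")
        return {"redirect": redirect, "hsts": False, "preloadable": False, "problems": problems}
    directives = parse_hsts(raw)
    try:
        max_age = int(directives.get("max-age", "0"))
    except ValueError:
        max_age = 0
    if redirect != "correct":
        problems.append("HTTP must 301 to HTTPS before preloading")
    if max_age < ONE_YEAR:
        problems.append("max-age below one year")
    if "includesubdomains" not in directives:
        problems.append("missing includeSubDomains")
    if "preload" not in directives:
        problems.append("missing preload directive")
    return {"redirect": redirect, "hsts": max_age > 0,
            "preloadable": not problems, "problems": problems}


# Constructed sample captures (not real crawler output).
TROYHUNT_HTTP = Response("http://troyhunt.com/", 301, {"Location": "https://www.troyhunt.com/"})
TROYHUNT_HTTPS = Response("https://www.troyhunt.com/", 200,
                          {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"})
TEMP_HTTP = Response("http://example.test/", 302, {"Location": "https://example.test/"})
TEMP_HTTPS = Response("https://example.test/", 200, {"Strict-Transport-Security": "max-age=86400"})
NOREDIR_HTTP = Response("http://example.test/", 200,
                        {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=31536000"})
NOREDIR_HTTPS = Response("https://example.test/", 200, {})

if __name__ == "__main__":
    for name, pair in {"troyhunt.com": (TROYHUNT_HTTP, TROYHUNT_HTTPS),
                       "302 site": (TEMP_HTTP, TEMP_HTTPS),
                       "no redirect": (NOREDIR_HTTP, NOREDIR_HTTPS)}.items():
        print(name, evaluate(*pair))
```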

Giving People Actionable Advice

One change we've made to the site since launch is to address precisely the sort of thing we saw in the Whirlpool case above: help fill knowledge gaps by providing actionable resources. As a result, you'll now see this on the site:

Screenshot of the actionable resources now shown on WhyNoHTTPS.com

If there are other good ones you know of that fill in the sorts of knowledge gaps you see people with when going HTTPS, do please let me know in the comments.

Summary

One of the design decisions I made early on was to only show the top 100 sites globally and the top 50 on a country-by-country basis. The reason was simply to avoid getting into all the sorts of nuanced debates that people have already had about a much broader collection of sites. If ever we get a much more reliable means of addressing all the sorts of edge cases I outlined above that might change, but for now keeping it simple is making it easier to manage.

If nothing else, I hope this post illustrates just how much effort has gone into trying to represent fair and accurate accounts of who's doing HTTPS properly and who's not.

NBlog August 1 – insider threats awareness module published

For August, the NoticeBored security awareness spotlight turns towards the threat from within the organization, insiders.

“Insider threats” may be a common term but it's technically incorrect. “Insider risks” is more accurate since there is more to this than just the threats posed by insiders. The NoticeBored materials explore the vulnerabilities and impacts too.

“Insiders” in this context are primarily employees - both staff and management - of the organization, those on its payroll. “Outsiders”, then, are third-party employees (particularly those working for competitors or other adversaries) and unemployed people – a much larger group of course. In the government/military context, ‘foreigners’ (citizens of other nations and cultures, regardless of where they live) are generally considered outsiders too: we’ll have more to say about outsider threats in September’s awareness materials.

Both August and September's modules cover the overlap between insiders and outsiders - the no-man's-land inhabited by contractors, temps, interns etc. plus assorted consultants, professional advisers and maintenance engineers who have 'gone native'. They pose threats too, with divided loyalties facing a hail of bullets from all sides.

Ignore them at your peril. Recall that Ed Snowden was a defense contractor working in a privileged position within the NSA. Insider or outsider is a moot point: the damage was immense. The risk is obvious ... once you think about it.

  • Introduce insider threats, providing general context and background information (e.g. who are those threatening insiders, and in what sense do they threaten?);
  • Expand on the information risks (threats, vulnerabilities and impacts) arising from and involving insiders, particularly for the management and professional audiences;
  • Describe and promote the corresponding information security controls, which are numerous and varied (policies, procedures, practices, technologies …);
  • Leave everyone with the lasting impression that insider threats are real, antisocial and unacceptable.

So what about your awareness and learning objectives in relation to insider threats, or information risks involving workers? Are there any business angles or concerns you’d like to emphasize in your awareness program? Any insider issues your organization has resolved, or for that matter is still struggling to address?

Oh, hang on a moment, does “insider threats” feature as a topic in your awareness and training schedule? Do you even have a schedule, a rolling sequence of hot topics delivered continuously throughout the year? Oh. OK then. 

Dixons Carphone admits 2017 hack was bigger than first thought

Dixons Carphone -- owner of major high street brands Currys PC World and Carphone Warehouse -- has confirmed that its 2017 cyber attack was much bigger than first anticipated. In an investor announcement, the company said that the breach affected as many as 10 million customers, up from the 1.2 million it acknowledged back in June.

Via: BBC News

Source: Dixons Carphone

Forcepoint Security Labs at BSides LV, Black Hat USA and Def Con

Forcepoint Security Labs researchers are hitting the road at the start of August to get involved in arguably the three most famous research-driven security conventions in the world. I’ve summarized both what Forcepoint will be up to at all three events as well as highlighting great ways for you to learn more about the

Risky Business #508 — Special guest Greg Shipley of In-Q-Tel’s Cyber Reboot

On this week’s show we hear from Greg Shipley. Greg works at an initiative spun up by In-Q-Tel called Cyber Reboot. Its goal is to develop open source tools that can push things forward in security – things the private sector aren’t doing.

He’ll be telling us about some changes his colleagues have made to tcpdump, which, if they ever manage to get the changes adopted, could actually be quite useful to the security community.

This week’s show is brought to you by Duo Security! And Duo’s very own Dave Lewis will be joining us this week to talk about the roadblocks you might face if you’re trying to head down the BeyondCorp road to the deperimeterised nirvana!

Adam Boileau drops in to discuss the week’s news, including:

  • COSCO shipping ransomwared into oblivion
  • DHS warning on impending ERP attacks
  • Charges against SIM-swap cryptocurrency thief
  • Google’s “Shielded VMs”
  • Google’s launch of its own hardware security tokens
  • Master134 malvertising campaign
  • New Kronos version
  • NetSpectre attacks
  • Bluetooth bugs
  • Much, much more

Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

How To Locate Domains Spoofing Campaigns (Using Google Dorks) #Midterms2018

The government accounts of US Senator Claire McCaskill (and her staff) were targeted in 2017 by APT28 A.K.A. “Fancy Bear” according to an article published by The Daily Beast on July 26th. Senator McCaskill has since confirmed the details.

And many of the subsequent (non-technical) articles that have been published have focused almost exclusively on the fact that McCaskill is running for re-election in 2018. But is it really conclusive that this hacking attempt was about the 2018 midterms? After all, Senator McCaskill is the top-ranking Democrat on the Homeland Security & Governmental Affairs Committee and also sits on the Armed Services Committee. Perhaps she and her staffers were instead targeted for insights into on-going Senate investigations?

Senator Claire McCaskill's Committee Assignments

Because if you want to target an election campaign, you should target the candidate’s campaign server, not their government accounts. (Elected officials cannot use government accounts/resources for their personal campaigns.) In the case of Senator McCaskill, the campaign server is: clairemccaskill.com.

Which appears to be a WordPress site.

clairemccaskill.com/robots.txt

Running on an Apache server.

clairemccaskill.com Apache error log

And it has various e-mail addresses associated with it.

clairemccaskill.com email addresses

That looks interesting, right? So… let’s do some Google dorking!

Searching for “clairemccaskill.com” in URLs while discarding the actual site yielded a few pages of results.

Google dork: inurl:clairemccaskill.com -site:clairemccaskill.com

And on page two of those results, this…

clairemccaskill.com.de

Definitely suspicious.

What is com.de? It’s a domain on the .de TLD (not a TLD itself).

.com.de

Okay, so… what other interesting domains associated with com.de are there to discover?

How about additional US Senators up for re-election such as Florida Senator Bill Nelson? Yep.

nelsonforsenate.com.de

Senator Bob Casey? Yep.

bobcasey.com.de

And Senator Sheldon Whitehouse? Yep.

whitehouseforsenate.com.de

But that’s not all. Democrats aren’t the only ones being spoofed.

Iowa Senate Republicans.

iowasenaterepublicans.com.de

And “Senate Conservatives“.

senateconservatives.com.de

Hmm. Well, while this leaves us no closer to knowing whether or not Senator McCaskill’s government accounts were actually targeted because of the midterm elections, the domains shown above are definitely shady AF. And enough to give cause for concern that the 2018 midterms are indeed being targeted, by somebody.

(Our research continues.)

Meanwhile, the FBI might want to get in touch with the owners of com.de.
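For anyone responsible for a campaign or brand domain, the useful takeaway is how to spot this pattern among candidate hostnames. The following is an added example, not the author's tooling: it takes a list of hostnames (constructed here; in practice gathered from search results like the inurl: query above, certificate transparency logs or passive DNS) and separates genuine subdomains from names that merely start with the protected domain, such as clairemccaskill.com.de.

```python
"""Flag hostnames that embed a protected domain under a different suffix, the
com.de pattern the post describes (clairemccaskill.com.de is a name under the
.de domain com.de, not a subdomain of clairemccaskill.com).

Added example, not the author's tooling. The candidate list is constructed; in
practice it would come from search results such as the inurl: query in the post,
certificate transparency logs or passive DNS.
"""


def search_query(domain):
    """The Google query the post used to collect candidates for one domain."""
    return f"inurl:{domain} -site:{domain}"


def labels(host):
    """Split a hostname into lower-cased DNS labels, ignoring a trailing dot."""
    return host.lower().strip(".").split(".")


def classify(host, protected):
    """Return (verdict, protected_domain) for one hostname.

    legitimate    the protected domain itself
    subdomain     something.protected.com, under the owner's control
    prefix-spoof  protected.com.<more labels>, registered somewhere else
    label-reuse   the brand label reused under another suffix (protected.org)
    unrelated     no relation to any protected domain
    """
    h = labels(host)
    for dom in protected:
        d = labels(dom)
        n = len(d)
        if h == d:
            return "legitimate", dom
        if len(h) > n and h[-n:] == d:
            return "subdomain", dom
        if len(h) > n and h[:n] == d:
            return "prefix-spoof", dom
        if d[0] in h:
            return "label-reuse", dom
    return "unrelated", None


def find_lookalikes(candidates, protected):
    """Return [(host, verdict, protected_domain)] for every candidate that is
    neither a protected domain nor one of its real subdomains."""
    hits = []
    for host in candidates:
        verdict, dom = classify(host, protected)
        if verdict in ("prefix-spoof", "label-reuse"):
            hits.append((host, verdict, dom))
    return hits


# Constructed candidate list mixing the names from the post with benign hosts.
PROTECTED = ["clairemccaskill.com", "nelsonforsenate.com"]
CANDIDATES = [
    "clairemccaskill.com",
    "www.clairemccaskill.com",
    "clairemccaskill.com.de",
    "nelsonforsenate.com.de",
    "clairemccaskill.org",
    "example.org",
]

if __name__ == "__main__":
    print(search_query("clairemccaskill.com"))
    for hit in find_lookalikes(CANDIDATES, PROTECTED):
        print(*hit)
```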

Google intends to make GCP the most secure cloud platform

I attended my first Google Next conference last week in San Francisco and came away quite impressed. Clearly, Google is throwing more and more of its engineering prowess and financial resources at its Google Cloud Platform (GCP) to grab a share of enterprise cloud computing dough, and plans to differentiate itself based upon comprehensive enterprise-class cybersecurity features and functionality.

Google Cloud CEO Diane Greene started her keynote by saying Google intends to lead the cloud computing market in two areas – AI and security. Greene declared that AI and security represent the “#1 worry for customers and the #1 opportunity for GCP.” 

Enumall – Subdomain Discovery Using Recon-ng & AltDNS


Enumall is a Python-based tool that helps you do subdomain discovery using only one command by combining the abilities of Recon-ng and AltDNS.

This gives you the ability to run multiple domains within the same session. The tool only has one module that needs an API key (/api/google_site); find instructions for that on the Recon-ng wiki.

Setting up Enumall for Subdomain Discovery

Install Recon-ng from source by cloning the Recon-ng repository:

git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git

Change into the Recon-ng directory:

cd recon-ng

Install dependencies:

pip install -r REQUIREMENTS

Link the installation directory to /usr/share/recon-ng (replace /path/to/recon-ng with the directory you cloned into):

ln -s /path/to/recon-ng /usr/share/recon-ng

Optionally (highly recommended) download:

– AltDNS
– A good subdomain bruteforce list (example here)

Create the config.py file and specify the paths to Recon-ng and AltDNS as shown in config_sample.py.

Read the rest of Enumall – Subdomain Discovery Using Recon-ng & AltDNS now! Only available at Darknet.

AppSec Mistake No. 1: Using Only One Testing Type

We’ve been in the application security business for more than 10 years, and we’ve learned a lot in that time about what works, and what doesn’t. This is the first in a blog series that takes a look at some of the most common mistakes we see that lead to failed AppSec initiatives. Use our experience to make sure you avoid these mistakes and set yourself up for application security success.

The myth of the AppSec silver bullet

There is no application security silver bullet. Trying to pick the “best” testing type would be like trying to pick the best eating utensil – fork, knife, or spoon? Well, it depends on the meal and, ultimately, each plays a different role, and you need all of them. Morning cereal? Spoon best. Steak dinner? Knife would be good, but not so useful without a fork. Think of application security testing types the same way – each has different strengths and weaknesses and is better in different scenarios, but you won’t be effective without taking advantage of them all.

Why you need both static and dynamic analysis

Effective application security programs analyze code both statically in development and dynamically in production. Why are both these testing types required? Because each finds different types of security-related defects. For example, dynamic testing is better at picking up deployment configuration flaws, while static testing finds SQL injection flaws more easily. We examined this issue in one of our recent State of Software Security reports. These were the top five vulnerability categories we found during dynamic testing:

  1. Information leakage
  2. Cryptographic issues
  3. Deployment configuration
  4. Encapsulation
  5. Cross-Site Scripting

Two of these were not in the top five found by static testing:

  • Encapsulation (dynamic found in 39% of apps; static only in 22%) 
  • Cross-Site Scripting (sixth on the static list)

And one category — deployment configuration — was not found by static at all.

In addition, effective application security secures software throughout its entire lifecycle — from inception to production. With the speed of today’s development cycles — and the speed with which software changes and the threat landscape evolves — it would be foolish to assume that code will always be 100 percent vulnerability-free after the development phase, or that code in production doesn’t need to be tested or, in some cases, patched. 

Why you need software composition analysis

Applications are increasingly “assembled” from open source components, rather than developed from scratch. With the speed of today’s development cycles, developers don’t have time to create every line of code from scratch, and why would they, when so much open source functionality is available? However, neglecting to assess and keep track of the open source components you are using would leave a large portion of your code unexamined and leave you open to attack. Effective application security entails both assessing your first-party code and assessing and maintaining a dynamic inventory of your third-party code.

Why you need manual penetration testing

Automation alone is not enough to ensure an application is thoroughly tested from a security perspective. Some flaws, such as CSRF (Cross-Site Request Forgery) and business logic vulnerabilities, require a human to be in the loop to exploit and verify the vulnerability. Only manual penetration testing can provide positive identification and manual validation of these vulnerabilities.

Learn from others’ mistakes

Don’t repeat the mistakes of the past; learn from other organizations and avoid the most common AppSec pitfalls. First tip: Don’t rely on one testing type; that’s like trying to eat all your meals with only a spoon. Effective application security combines a variety of testing types and assesses security throughout an application’s lifecycle, from inception to production. Get details on all six of the most popular mistakes in our eBook, AppSec: What Not to Do.

CA Veracode Dynamic Analysis Helps You Check Your Security Headers

CA Veracode Dynamic Analysis helps you follow Google I/O 2018 security recommendations

I've been binging on the Google I/O 2018 videos. I guess every web geek does! One video caught my attention: Google Chrome security team's improvements to fight off the Spectre & Meltdown "celebrity" vulnerabilities. They're using software at the browser level to mitigate against a hardware vulnerability. How cool is that?

Just like Google, CA Veracode has been beating the drum on the importance of security headers here in 2012, 2013 and 2014. Google calls out the Site Isolation feature, cross-origin read blocking, cookie restrictions, high resolution timers, and the Google V8 JavaScript engine. Read more here.

However, Chrome security cannot make the web safer on its own. It needs web developers to help defend against the Spectre vulnerability and future software vulnerabilities. For these goals, Chrome security recommends a bunch of website configuration best practices. This is where CA Veracode Dynamic Analysis comes in!

Best part, no new workflows! Just run your Dynamic Analysis scans as usual to verify your web developers are using the website configuration best practices. Checking these security headers is just one of the many vulnerability checks we have to help you safeguard modern web applications.

CA Veracode Dynamic Analysis checks the following security headers are set correctly. Some of these were called out by Google Chrome in their Google I/O 2018 talk.

Security header                                                  CWE ID     CWE name
X-Content-Type-Options                                           16         Configuration
X-Frame-Options                                                  16 & 693   Configuration & Protection Mechanism Failure
Strict-Transport-Security                                        16         Configuration
Access-Control-Allow                                             668        Exposure of Resource to Wrong Sphere
Content Security Policy directives (including SameSite Cookie)   352        Cross-Site Request Forgery (CSRF)

For more information on setting them up correctly and common misconfigurations, check out our blog post here.
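As an added example of what such a check looks like in practice (not CA Veracode's scanner), the script below audits one response's headers against the five rows of the table and reports findings tagged with the CWE ids the table assigns. The two sample responses are constructed; the expected values (nosniff, DENY/SAMEORIGIN, a positive HSTS max-age, no wildcard CORS origin, a CSP, SameSite on every cookie) are common hardening expectations I am assuming, not details from the post.

```python
"""Audit a response's security headers against the five rows of the table above.

Added example, not CA Veracode's scanner. Headers are passed as a list of
(name, value) pairs so repeated Set-Cookie lines survive; the sample responses
are constructed. The rules encode common hardening expectations and report the
CWE ids the table assigns to each header.
"""
import re


def _get(headers, name):
    """All values of a header, matched case-insensitively."""
    return [v for k, v in headers if k.lower() == name.lower()]


def audit_headers(headers):
    """Return a list of (header, cwe, message) findings; an empty list means clean."""
    findings = []

    xcto = _get(headers, "X-Content-Type-Options")
    if not xcto or xcto[0].strip().lower() != "nosniff":
        findings.append(("X-Content-Type-Options", "CWE-16", "missing or not 'nosniff'"))

    xfo = _get(headers, "X-Frame-Options")
    if not xfo or xfo[0].strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(("X-Frame-Options", "CWE-16/CWE-693", "missing or not DENY/SAMEORIGIN"))

    hsts = _get(headers, "Strict-Transport-Security")
    match = re.search(r"max-age\s*=\s*(\d+)", hsts[0]) if hsts else None
    if not match or int(match.group(1)) <= 0:
        findings.append(("Strict-Transport-Security", "CWE-16", "missing or zero max-age"))

    acao = _get(headers, "Access-Control-Allow-Origin")
    if acao and acao[0].strip() == "*":
        findings.append(("Access-Control-Allow-Origin", "CWE-668",
                         "wildcard origin exposes the response to any site"))

    if not _get(headers, "Content-Security-Policy"):
        findings.append(("Content-Security-Policy", "CWE-352", "no Content-Security-Policy"))

    for cookie in _get(headers, "Set-Cookie"):
        if not re.search(r";\s*samesite=", cookie, re.IGNORECASE):
            name = cookie.split("=", 1)[0].strip()
            findings.append(("Set-Cookie", "CWE-352", f"cookie '{name}' lacks SameSite"))

    return findings


# Constructed sample responses: one with the weak settings, one hardened.
WEAK = [
    ("Content-Type", "text/html"),
    ("X-Frame-Options", "ALLOWALL"),
    ("Access-Control-Allow-Origin", "*"),
    ("Set-Cookie", "session=abc; HttpOnly; Secure"),
]
HARDENED = [
    ("Content-Type", "text/html"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("Set-Cookie", "session=abc; HttpOnly; Secure; SameSite=Lax"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_headers(hdrs) or "clean")
```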

How often do you hear the phrases “Zero Trust” or “Trust but Verify” bandied about? It’s so true in application security. We should enable our developers to do the right thing. But we have to verify, either before production releases or on a regular cadence in production. At CA Veracode, we happen to favor using our Dynamic Analysis for such purposes! 

P.S. If you want to watch the Google I/O talk in full, see this YouTube link: https://www.youtube.com/watch?v=dBuykrdhK-A

Risky Biz Soap Box: Zane Lackey of Signal Sciences talks DevOps

What you’re about to hear is a long form interview with Zane Lackey, a former pentester turned director of security engineering for Etsy turned co-founder and CSO of Signal Sciences.

Signal Sciences can be broadly, kinda described as “next generation WAF”. If you do have a requirement for a waffy, raspy thing, then you absolutely need to check out Signal Sciences.

They give you visibility into attacks against your applications, and even auto-block a bunch of them without that turning into a cascading horror-show.

Signal Sciences’ product has a really strong emphasis on assisting organisations who are running DevOps shops. And it makes sense, Zane’s key achievement at Etsy was managing the security of that company’s Devops transition.

He’s actually just written an O’Reilly book, Building a Modern Security Program. So, he joined me to talk about his book, what’s in it, about DevSecOps more generally, and about some new stuff Signal Sciences has been working on.

The Web Application Pentester training path

Designed as a guide to help you become proficient towards the Secure Software Assessor role outlined in the NICE Cybersecurity Framework, the Web Application Pentester training path can also easily be integrated into corporate education plans. Read more about this path.

The Web Application Pentester training path is the most advanced and hands-on training path on web application penetration testing in the market.

This training path starts by teaching you the fundamentals of networking and penetration testing, then provides you with the established web application penetration testing methodology, the latest web attacks, and ultimately showcases how to execute more advanced and complicated attacks by heavily manipulating web application components.

After completing this path, you will be able to perform a professional web application penetration test against any kind of web application or web service, by using your own custom payloads, combining different attacking techniques and evading web application firewalls.

This training path helps develop proficiency towards the NIST role of Secure Software Assessor.

The Secure Software Assessor role

As a Secure Software Assessor, you will be responsible for analyzing the security of new or existing computer applications, software, or specialized utility programs and providing actionable results.

Get started with your professional training

Get started on the Web Application Pentester training path, click on the course icon(s) to request your free trial:

Penetration Testing Student (PTS)
Web Application Penetration Testing (WAPT)
Web Application Penetration Testing eXtreme (WAPTX)

Get 15% off the course fees when you enroll in this training path and lifetime course-updates when you complete it by obtaining all three (3) certifications.

A Solution For Companies Of All Sizes

From Junior to Expert in the world’s largest organizations, we provide each member of your team with relevant practical cybersecurity skills. Have one of our specialists show you what this training path can do for your IT Security team: fill in this form to schedule a demo and learn more about our corporate solutions.

You might also be interested in “The Network Pentester training path”.


Historical OSINT – Summarizing 2 Years of Webroot’s Threat Blog Posts Research

It's been several years since I last posted a quality update at the industry's leading threat-intelligence gathering Webroot's Threat Blog following a successful career as lead security blogger and threat-intelligence analyst throughout 2012-2014. In this post I'll summarize two years worth of Webroot's Threat Blog research with the idea to provide readers with the necessary data information

Family Matters: How to Help Kids Avoid Cyberbullies this Summer

The summer months can be tough on kids. There’s more time during the day and much of that extra time gets spent online scrolling, surfing, liking, and snap chatting with peers. Unfortunately, with more time, comes more opportunity for interactions between peers to become strained even to the point of bullying.

Can parents stop their kids from being cyberbullied completely? Not likely. However, if our sensors are up, we may be able to help our kids minimize both conflicts online and instances of cyberbullying should they arise.

Be Aware

Summer can be a time when a child’s more prone to feelings of exclusion and depression relative to the amount of time he or she spends online. Watching friends take trips together, go to parties and hang out at the pool can weigh heavily on a child’s emotions. As much as you can, try to stay aware of your child’s demeanor and attitude over the summer months. If you need help balancing their online time, you’ve come to the right place.

Steer Clear of Summer Cyberbullies 

  1. Avoid risky apps. Apps like ask.fm that allow outsiders to ask a user any question anonymously should be off limits to kids. Kik Messenger and Yik Yak are also risky apps. Users have a degree of anonymity with these kinds of apps because they have usernames instead of real names and they can easily connect with profiles that could be (and often are) fake. Officials have linked all of these apps to multiple cyberbullying and even suicide cases.
  2. Monitor gaming communities. Gaming time can skyrocket during the summer and in a competitive environment, so can cyberbullying. Listen in on the tone of the conversations, the language, and keep tabs on your child’s demeanor. For your child’s physical and emotional health, make every effort to help him or her balance summer gaming time.
  3. Make profiles and photos private. By refusing to use privacy settings (and some kids do resist), a child’s profile is open to anyone and everyone, which increases the chances of being bullied or personal photos being downloaded and manipulated. Require kids under 18 to make all social profiles private. By doing this, you limit online circles to known friends and reduce the possibility of cyberbullying.
  4. Don’t ask peers for a “rank” or a “like.” The online culture for teens is very different than that of adults. Kids will be straightforward in asking people to “like” or “rank” a photo of them and attach the hashtag #TBH (to be honest) in hopes of affirmation. Talk to your kids about the risk in doing this and the negative comments that may follow. Remind them often of how much they mean to you and the people who truly know them and love them.
  5. Balance = health. Summer means getting intentional about balance with devices. Stepping away from devices for a set time can help that goal. Establish ground rules for the summer months, which might include additional monitoring and a device curfew.

Know the signs of cyberbullying. And, if your child is being bullied, remember these things:

1) Never tell a child to ignore the bullying. 2) Never blame a child for being bullied. Even if he or she made poor decisions or aggravated the bullying, no one ever deserves to be bullied. 3) As angry as you may be that someone is bullying your child, do not encourage your child to physically fight back. 4) If you can identify the bully, consider talking with the child’s parents.

Technology has catapulted parents into arenas — like cyberbullying — few of us could have anticipated. So, the challenge remains: Stay informed and keep talking to your kids, parents, because they need you more than ever as their digital landscape evolves.


Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures).

The post Family Matters: How to Help Kids Avoid Cyberbullies this Summer appeared first on McAfee Blogs.

Did ICE detain this Mexican journalist for criticizing U.S. immigration policy?

Gutiérrez and Oscar after release

Emilio Gutiérrez-Soto and his son Oscar speak to the press after being released from an ICE detention facility in El Paso, Texas, on July 26, 2018.

Texas Tribune/Julian Aguilar

Late last night, Mexican journalist Emilio Gutiérrez-Soto and his son Oscar were released from an Immigration and Customs Enforcement (ICE) detention facility in El Paso, Texas. The two had been held in ICE detention for more than seven months, ever since being arrested and nearly deported by ICE agents on December 7, 2017.

The United States government has never offered a convincing reason for arresting Gutiérrez and Oscar in December, or for continuing to detain the two. Gutiérrez and his attorneys have argued that ICE targeted him for arrest in retaliation for his criticism of U.S. immigration policy, in violation of his First Amendment rights — and they have internal ICE documents to back up their case. Freedom of the Press Foundation has obtained the documents and is publishing them for the first time.

This is Gutiérrez’s harrowing story.


"Good morning,” the email began. “Attached is a list of 2,718 non-detained cases that may be candidates for arrest.”


It was early morning on February 1, 2017, just a few days after President Donald Trump’s inauguration, when an ICE supervisory detention and deportation officer sent that email to other agents in ICE’s El Paso field office. The email carried the subject line, “Non-Detained Target List.” A spreadsheet named “ND Target List.xls” was attached to the email.

An assistant field director in ICE’s El Paso office replied on February 13.

“When u get back, forward this list to the National Criminal Analysis and Targeting Center (NCATC) this is the only FOSC [Fugitive Operations Support Center]. They will run this list and provide info on address location etc …”

One of the many names on the targeting list was “GUTIERREZ SOTO, EMILIO.”

The reason that Gutiérrez was included on that list is a mystery.

Screenshot of ICE emails

Eduardo Beckett, one of Gutiérrez’s attorneys, told Freedom of the Press Foundation that there was no “legitimate law enforcement reason” for Gutiérrez to be on an ICE target list.

“It’s fugitive operations,” he said of the targeting list. “It’s people with felonies. Emilio doesn’t fit that mold.”

Gutiérrez is not a fugitive, and he has no criminal record. He is a Mexican journalist who legally applied for asylum in the United States in 2008, after being threatened by elements of the Mexican military.

So why did ICE target him for possible arrest? Beckett believes it was because Gutiérrez had criticized U.S. immigration policy.

“The only reason he was on that list was because he was a journalist who criticized ICE and the Mexican government,” he said.


Gutiérrez and his son Oscar entered the United States on June 16, 2008.

ICE’s official “Record of Deportable / Inadmissible Alien” for Gutiérrez states that he and Oscar appeared at the Antelope Wells Border Crossing station in New Mexico and formally requested asylum. Gutiérrez was taken to an official “port of entry” — one of the sites where immigrants may legally apply for asylum — and interviewed by a Customs and Border Protection officer. 

Gutiérrez CBP interview record

Gutiérrez told the CBP officer that Mexican military police officers had threatened his life after he reported on corruption in the Mexican military.

“The subject continued to state that on May 5, 2008 at approximately midnight several armed military police wearing masks and armed with high caliber weapons entered his house without his permission claiming to look for drugs and weapons,” the ICE record of Gutiérrez’s CBP interview states. “Subject Gutierrez further states that on Saturday June 14, 2008 he was warned by a female friend who claims she overheard military police officers making plans to harm the subject.”

Gutiérrez said that he feared that his life would be in danger if he had to return to Mexico, so ICE gave him a form to fill out and sent him to the El Paso processing center in Texas. His son Oscar, who was still a minor at the time, was detained in a separate facility. In El Paso, Gutiérrez was interviewed by an asylum officer, who assessed that he had a “credible fear” of returning to Mexico, and he was placed into asylum proceedings. He was detained in the El Paso detention center for seven months before being released on parole. He and Oscar, who had been released to family friends in the U.S., reunited and moved to Las Cruces, New Mexico.

Years passed without any ruling on their asylum claim, and Gutiérrez and Oscar settled into their new life in New Mexico. Gutiérrez bought a food truck. Though he had not worked as a journalist since fleeing Mexico, he was happy to speak to the press, and he did not hesitate to criticize the United States’ broken asylum system.

“We are talking about an immigration judge and an immigration attorney whose job it is … to keep from expanding the abundance of people looking for protection because of the violence in Mexico,” he told the AP in January 2011, after attending a hearing in his asylum case. “We don’t have a country that accepts us with its laws and regulations even after being aware that we fled Mexico because the Mexican state was persecuting us.”

“We are here because we want to save our lives and it just seems so unfair because a country of freedom and human rights … is ignoring us,” he told the AP a month later, after a ruling on his asylum case was delayed. “We were looking for refuge and they put us in prison.”

In July 2017, immigration judge Robert Hough finally ruled on his nine-year-old asylum claim. Hough ruled that Gutiérrez did not present sufficient evidence to prove that he was targeted for his journalistic work or that his life would be in danger if he returned to Mexico. (According to the Committee to Protect Journalists, more than 60 journalists have been killed in Mexico since June 2008, when Gutiérrez fled to the United States and applied for asylum.)

Hough seemed unconvinced that Gutiérrez was really a journalist, in part because Gutiérrez had trouble finding copies of his published newspaper clips to show the judge. Hough denied the asylum claim and ruled that Gutiérrez could be removed from the United States.

“He simply dismissed all the arguments, put them in the trash can and denied the asylum,” Gutiérrez said in an interview with the Knight Center for Journalism in the Americas. “I feel very sad and I am very disappointed in the immigration authorities, especially the policies that the United States exercises.”


On October 4, 2017, Gutiérrez accepted the National Press Club’s prestigious John Aubuchon award on behalf of all Mexican journalists. During his acceptance speech at the club’s black-tie awards gala in Washington, D.C., Gutiérrez accused the U.S. government of hypocrisy for advocating for human rights abroad while denying them at home. Gutiérrez was particularly critical of the United States’ asylum policies.

“Those who seek political asylum in countries like the U.S. encounter the decisions of immigration authorities that barter away international laws,” he said.

As Gutiérrez was publicizing the plight of Mexican journalists and asylum seekers, his legal team tried to get the immigration judge’s decision denying him asylum reversed. They appealed to the Board of Immigration Appeals (BIA), which has the power to review immigration court decisions. But on November 2, 2017, the BIA rejected the appeal because it had been filed late. On November 20, Gutiérrez’s attorney Eduardo Beckett asked the court to reopen the appeal.

If the BIA reopened the appeal, then Gutiérrez would be safe. He could not be removed from the country while the appeal was pending. But until the court granted his petition to reopen the appeal, Gutiérrez was at the mercy of ICE. He had to ask the agency to grant him a stay of deportation.

Under the Kafkaesque U.S. immigration law system, ICE officials have the power to issue stays of removal, which prevent the agency from deporting someone. If ICE refuses to issue a stay, then the BIA has an opportunity to step in and issue an emergency stay, which prevents ICE from deporting the person. Crucially, though, the BIA does not have the power to issue an emergency stay until after ICE has already refused to issue a stay and taken someone into custody.

Beckett expected that ICE would officially deny the stay on December 7, when Gutiérrez and his son were scheduled to appear at ICE’s El Paso field office for a routine check-in. He knew that once ICE denied the stay, he could call the BIA and request an emergency stay. Then the BIA would either deny the stay and allow ICE to deport Gutiérrez, or it would grant the stay and order ICE not to deport him.

For assistance in dealing with ICE, Gutiérrez’s legal team reached out to members of Congress. Senator Patrick Leahy of Vermont took a particular interest in the case, and his senate office got in touch with ICE’s congressional liaison to ask about the case.

On November 20, a Leahy aide emailed Gutiérrez’s legal team and said ICE’s congressional liaison had assured her that ICE would “likely make their decision after consulting with BIA.”

Beckett said that ICE told him something similar.

“I had assurances from ICE that they would not try to deport him,” he said. “They told me to bring Emilio and Oscar in and if the stay by ICE was not granted, then ICE would get a ruling from the BIA before taking any action.”

“That was a lie,” he added. “That to me shows the bad faith.”

When Beckett, Gutiérrez, and Oscar arrived at ICE’s El Paso field office on December 7, ICE agents arrested Gutiérrez and Oscar immediately after informing them that they had decided not to grant a stay.


Beckett called the BIA to petition for an emergency stay of removal, and the court told Beckett that it would call him back as soon as it had ruled on his petition. But ICE had no intention of waiting for the court’s ruling. Agents handcuffed Gutiérrez and Oscar, put the two of them in a car, and started driving toward the border.

As ICE raced to deliver Gutiérrez and Oscar to the border, Gutiérrez’s legal team sent an urgent email to Leahy’s office: “ICE did not wait for the BIA decision. He is being escorted to the bridge. Could you all make a call to please try and stop this? The court has not ruled.”

A Leahy aide wrote back that the senator’s office could not stop ICE: “I am so very sorry to hear this!! There is really nothing else that our office can do to intervene or prevent this.”

According to Beckett, Gutiérrez and Oscar were driven to a parking lot outside of a Border Patrol station, where Gutiérrez was told that Mexican immigration agents were on their way to pick them up and take them back to Mexico.

Before Gutiérrez could be handed over to the Mexican government, the BIA called Beckett back with good news — Gutiérrez and Oscar had been granted an emergency stay of deportation. Beckett immediately called ICE and told them to bring Gutiérrez and Oscar back. The agency refused. The BIA’s emergency order might have prevented ICE from deporting Gutiérrez and his son, but it did not prevent the agency from detaining them.

ICE agents took Gutiérrez and Oscar to an immigration detention facility. They would remain in ICE detention for nearly eight months, and Gutiérrez’s food truck would be stolen while he was still detained.

Gutiérrez’s asylum appeal slowly worked its way through the courts. On December 22, 2017, the BIA decided to reopen Gutiérrez’s appeal. On May 15, 2018, it granted his appeal and remanded his asylum case back to immigration judge Robert Hough, with instructions to consider new evidence and then issue a new decision.

By that time, Gutiérrez’s attorneys were pursuing a new legal strategy.


On March 5, 2018, Gutiérrez filed a petition for habeas corpus in the Western District of Texas federal district court. Habeas corpus — one of the oldest and most fundamental rights in the United States — is the right not to be detained arbitrarily.

Gutiérrez’s habeas corpus petition, which was prepared by Rutgers University’s Institute of International Human Rights law clinic, argued that his ongoing detention by ICE was unconstitutional. The habeas petition advanced a number of arguments for why ICE’s detention of Gutiérrez was unlawful, but the most interesting was the claim that it violated his First Amendment rights to free speech and freedom of the press. Gutiérrez argued that ICE had targeted him for detention because he had publicly criticized the agency in his capacity as a journalist.

As evidence, Gutiérrez’s attorneys noted that Gutiérrez had been arrested by ICE just weeks after publicly criticizing U.S. immigration authorities at the National Press Club awards dinner. They also cited the fact that an ICE official reportedly told National Press Club president Bill McCarren to “tone it down” when it came to advocating for Gutiérrez’s case. (ICE has denied saying this.)

Later, Gutiérrez's legal team found their key piece of evidence — the internal ICE emails from February 2017.

On April 30, 2018, National Press Club press freedom fellow Kathy Kiely received copies of the ICE emails in response to a Freedom of Information Act request. She passed them on to Gutiérrez’s legal team, who immediately recognized their significance.

“When Kathy did her FOIA, I told her, this is gold,” Beckett said. “This shows that there was secret emails, a target list, and this was done months before he lost his asylum claim.”

Federal district judge David Guaderrama agreed, citing the ICE emails in his order denying the government’s motion to dismiss the habeas corpus case.

“Respondents [ICE] contend that they detained Petitioners [Gutierrez-Soto and his son] based on a warrant issued after the removal order issued by the immigration judge became final in August 2017,” Guaderrama wrote in a July 10 decision. “However, the emails between ICE officials undermine Respondents’ argument. The emails show that ICE officials were already targeting Mr. Gutierrez-Soto in February 2017. … This is significant because it is before the immigration judge issued the removal order in July 2017, which became final in August 2017.”

Guaderrama concluded that there was sufficient evidence to suggest that “Respondents retaliated against [Petitioners] for asserting their free press rights … [and] Respondents’ reason for detaining Petitioners is a pretext.”

Guaderrama ordered the government to bring Gutiérrez and Oscar to an evidentiary hearing on August 1, 2018, so that he could hear Gutiérrez’s testimony and the government’s defense of his continued detention, and then rule on Gutiérrez’s habeas corpus petition. Guaderrama also denied the government’s motion to delay the hearing and ordered the government to provide Gutiérrez’s legal team with more information about the ICE email thread and the targeting list.

Rather than try to defend ICE’s detention of Gutiérrez and Oscar at a federal court hearing, the government opted to release the two of them.

Beckett credited the federal court with forcing the government’s hand.

“The release of Emilio and his son Oscar is a testament that our Federal Courts protect our Constitutional rights,” he said in a statement. “The Constitution is not just an abstract written document but the cornerstone of our liberty and democracy.”


Now that Gutiérrez is free, he plans to move to Michigan. On May 2, 2018, the University of Michigan awarded him a Knight-Wallace fellowship. The one-year fellowship covers full tuition and health benefits, and includes a $75,000 stipend. Perhaps most importantly, the fellowship will allow Gutiérrez to work alongside other journalists for the first time since he fled Mexico in 2008.

Gutiérrez’s asylum case — which is entirely separate from his habeas corpus case — remains unresolved. In May 2018, the BIA remanded the case back to Hough, the immigration judge who previously denied Gutiérrez’s asylum claim, with instructions to rule on it again after considering new evidence.

Once Gutiérrez moves to Michigan for the Knight-Wallace fellowship, it’s possible that his asylum case will be transferred from Hough, who is based in Texas, to an immigration judge in Michigan. Either way, Gutiérrez’s fate will once again be in the hands of an immigration judge.

If he is denied asylum for a second time, he can try to appeal (again) to the BIA. If the BIA refuses the appeal, ICE will finally be free to deport him and his son.

But if Gutiérrez is granted asylum, then his long ordeal will finally be over, and he will be able to live in the U.S. without fear of being detained or deported by ICE.

Idaho inmates hacked prison tablets and stole $225,000

Inmates in five Idaho prisons exploited a vulnerability on their JPay tablets to steal almost $225,000 worth of credits, according to officials. The Idaho Department of Correction said 364 prisoners boosted their JPay account balances, according to The Associated Press. The department unearthed the issue earlier this month, and noted taxpayer dollars were not affected.

Source: The Associated Press

Some changes in how libpcap works you should know

I thought I'd document the solution to this problem I had.

The libpcap API is the standard cross-platform way of sniffing packets off the network. It works on Windows (winpcap), macOS, and all the Unixes. It's better than simply opening a "raw socket" on Unix platforms because it takes advantage of higher-performance capabilities of the system, including specialized sniffing hardware.


Traditionally, you'd open an adapter with pcap_open(), whose function parameters set options like snap length, promiscuous mode, and timeouts.

However, in newer versions of the API, what you should do instead is call pcap_create(), then set the options individually with calls to functions like pcap_set_timeout(), then once you are ready to start capturing, call pcap_activate().

I mention this in relation to "TPACKET" and pcap_set_immediate_mode().

Over the years, Linux has been adding a "ring buffer" mode to packet capture. This is a trick where a packet buffer is memory mapped between user-space and kernel-space. It allows a packet-sniffer to pull packets out of the driver without the overhead of extra copies or system calls that cause a user-kernel space transition. This has gone through several generations.

One of the latest generations causes the pcap_next() function to wait forever for a packet. This happens a lot on virtual machines where there is no background traffic on the network.

This looks like a bug, but maybe it isn't. It's unclear what the "timeout" parameter actually means. I've been hunting down the documentation, and curiously, it's not really described anywhere. For an ancient, popular API, libpcap is almost entirely undocumented as to what it precisely does. I've tried reading some of the code, but I'm not sure I've come to any understanding.

In any case, the way to resolve this is to call the function pcap_set_immediate_mode(). This causes libpcap to back off and use an older version of TPACKET, so that things work as expected: even on silent networks the pcap_next() function will time out and return.

I mention this because I fixed this bug in my code. When running inside a VM, my program would never exit. I changed from pcap_open_live() to the pcap_create()/pcap_activate() method instead, adding the setting of "immediate mode", and now things work. Performance seems roughly the same as far as I can tell.

I'm still not certain what's going on here, and there are even newer proposed zero-copy/ring-buffer modes being added to the Linux kernel, so this can change in the future. But in any case, I thought I'd document this in a blogpost in order to help out others who might be encountering the same problem.






Retired Malware Samples: Everything Old is New Again

I’m always on the quest for real-world malware samples that help educate professionals on how to analyze malicious software. As techniques and technologies change, I introduce new specimens and retire old ones from the reverse-engineering course I teach at SANS Institute. Here are some of the legacy samples that were once present in FOR610 materials. Though these malicious programs might not appear relevant anymore, aspects of their functionality are present even in modern malware.

A Backdoor with a Backdoor

To learn fundamental aspects of code-based and behavioral malware analysis, the FOR610 course examined Slackbot at one point. It was an IRC-based backdoor, which its author “slim” distributed as a compiled Windows executable without source code.

Dated April 18, 2000, Slackbot came with a builder that allowed its user to customize the name of the IRC server and channel it would use for Command and Control (C2). Slackbot documentation explained how the remote attacker could interact with the infected system over their designated channel and included this taunting note:

“don’t bother me about this, if you can’t figure out how to use it, you probably shouldn’t be using a computer. have fun. –slim”

Those who reverse-engineered this sample discovered that it had undocumented functionality. In addition to connecting to the user-specified C2 server, the specimen also reached out to a hardcoded server irc.slim.org.au that “slim” controlled. The #penix channel gave “slim” the ability to take over all the botnets that his or her “customers” were building for themselves.

Turned out this backdoor had a backdoor! Not surprisingly, backdoors continue to be present in today’s “hacking” tools. For example, I came across a DarkComet RAT builder that was surreptitiously bundled with a DarkComet backdoor of its own.

You Are an Idiot

The FOR610 course used an example of a simple malevolent web page to introduce the techniques for examining potentially-malicious websites. The page, captured below, was a nuisance that insulted its visitors with the following message:

When the visitor attempted to navigate away from the offending site, its JavaScript popped up new instances of the page, making it very difficult to leave. Moreover, each instance of the page played the following jingle on the victim’s speakers. “You are an idiot,” the song exclaimed. “Ahahahahaha-hahahaha!” The cacophony of multiple windows blasting this jingle was overwhelming.

 

A while later I came across a network worm that played this sound file on victims’ computers, though I cannot find that sample anymore. While writing this post, I was surprised to discover a version of this page, sans the multi-window JavaScript trap, residing on www.youareanidiot.org. Maybe it’s true what they say: a good joke never gets old.

Clipboard Manipulation

When Flash reigned supreme among banner ad technologies, the FOR610 course covered several examples of such forms of malware. One of the Flash programs we analyzed was a malicious version of the ad pictured below:

At one point, visitors to legitimate websites, such as MSNBC, were reporting that their clipboards appeared “hijacked” when the browser displayed this ad. The advertisement, implemented as a Flash program, was using the ActionScript setClipboard function to replace victims’ clipboard contents with a malicious URL.

The attacker must have expected the victims to blindly paste the URL into messages without looking at what they were sharing. I remembered this sample when reading about a more recent example of malware that replaced Bitcoin addresses stored in the clipboard with the attacker’s own Bitcoin address for payments.

As malware evolves, so do our analysis approaches, and so do the exercises we use in the FOR610 malware analysis course. It’s fun to reflect upon the samples that at some point were present in the materials. After all, I’ve been covering this topic at SANS Institute since 2001. It’s also interesting to notice that, despite the evolution of the threat landscape, many of the same objectives and tricks persist in today’s malware world.

How Dropbox dropped the ball with anonymized data

Dropbox found itself in hot water this week over an academic study that used anonymized data to analyze the behavior and activity of thousands of customers.

The situation seemed innocent enough at first: in an article in Harvard Business Review, researchers at Northwestern University Institute on Complex Systems (NICO) detailed an extensive two-year study of best practices for collaboration and communication on the cloud file hosting platform. Specifically, the study examined how thousands of academic scientists used Dropbox, which gave the NICO researchers project-folder data from more than 1,000 university departments.

But it wasn’t long before serious issues were revealed. The article, titled “A Study of Thousands of Dropbox Projects Reveals How Successful Teams Collaborate,” initially claimed that Dropbox gave the research team raw user data, which the researchers then anonymized. After Dropbox was hit with a wave of criticism, the article was revised to say the original version was incorrect – Dropbox anonymized the user data first and then gave it to the researchers.

That’s an extremely big error for the authors to make (if indeed it was an error) about who anonymized the data and when it was anonymized, especially considering the article was co-authored by a Dropbox manager (Rebecca Hinds, head of Enterprise Insights at Dropbox). I have to believe the article went through some kind of review process at Dropbox before it was published.

But let’s assume one of the leading cloud collaboration companies in the world simply screwed up the article rather than the process of handling and sharing customer data. There are still issues and questions for Dropbox, starting with the anonymized data itself. A Dropbox spokesperson told WIRED the company “randomized or hashed the dataset” before sharing the user data with NICO.

Why did Dropbox randomize *or* hash the datasets? Why did the company use two different approaches to anonymizing the user data? And how did it decide which types of data to hash and which types to randomize?

Furthermore, how was the data hashed? Dropbox didn’t say, but that’s an important question. I’d like to believe that a company like Dropbox wouldn’t use an insecure, deprecated hashing algorithm like MD5 or SHA-1, but there’s plenty of evidence those algorithms are still used by many organizations today.

The Dropbox spokesperson also told WIRED it grouped the dataset into “wide ranges” so no identifying information could be derived. But Dropbox’s explanation of the process is short on details. As a number of people in the infosec community have pointed out this week, anonymized data may not always be truly anonymous. And while some techniques work better than others, the task of de-anonymization appears to be getting easier.

And these are just the issues relating to the anonymized data; there are also serious questions about Dropbox’s privacy policy. The company claims its privacy policy covers the academic research, which has since sparked a debate about the requirements of informed consent. The policy states Dropbox may share customer data with “certain trusted third parties (for example, providers of customer support and IT services) to help us provide, improve, protect, and promote our services,” and includes a list of those trusted third parties like Amazon, Google and Salesforce. NICO, however, is not on the list. It’s also not entirely clear whether the anonymized data was given to NICO to improve the Dropbox service or to advance scientific research.

And while this isn’t close to the gross abuse of personal data we’ve seen with the Cambridge Analytica scandal, it’s nevertheless concerning. These types of questionable decisions regarding data usage and sharing can lead to accidental breaches, which can be just as devastating as any malicious attack that breaches and exposes user data. If companies in the business of storing and protecting data — like Dropbox — don’t have clear policies and procedures for sharing and anonymizing data, then we’re in for plenty more unforced errors.

The post How Dropbox dropped the ball with anonymized data appeared first on Security Bytes.

Threat Roundup for July 20-27


Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week — covering the dates between July 20 and 27. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, we will summarize the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post isn't exhaustive, and is current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

The most prevalent threats highlighted in this roundup are:

  • Win.Malware.Emotet-6622751-0
    Malware
    This cluster provides generic detection for the Emotet trojan downloaded onto a target machine. Emotet has been able to remain relevant because it has evolved over the years to avoid detection.
     
  • Win.Malware.Tinba-6622749-0
    Malware
    Tinba, aka Tiny Banker, is a well-known malware dedicated to stealing banking credentials from victims. It usually uses a domain-generation algorithm to connect to a command and control (C2) server and get further instructions. It injects itself into processes such as explorer.exe, ctfmon or winver. Then, it usually acts as a man-in-the-middle to collect banking information.
     
  • Win.Malware.Zusy-6622958-0
    Malware
    Zusy is a trojan that injects itself in other Windows processes and a web browser to steal valuable information. The malware also has anti-debugging and anti-VM capabilities, and it contacts a hardcoded C2 server.
     
  • PUA.Win.Downloader.Downloadguide-6622941-0
    Downloader
    This malware is a trojan downloader written in C++ that presents itself as an application installer. Downloadguide leverages techniques to hinder dynamic analysis and set up a proxy. Additional components are downloaded and executed.
     
  • Win.Malware.Fareit-6622130-0
    Malware
    Fareit is a malware designed to steal sensitive information such as stored login information. You can read more about it on our blog: https://blog.talosintelligence.com/2015/09/down-rabbit-hole-botnet-analysis-for.html.
     
  • Win.Malware.Autoit-6622832-0
    Malware
    The initial binary contains an AutoIt script. The script is obfuscated. It creates several in-memory DLL structures with AutoIt's DllStructCreate and DllStructSetData. The script then executes the shellcode injected into these DLL structures.
     

Threats

Win.Malware.Emotet-6622751-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses
  • 67.68.235.25
  • 187.192.180.144
  • 190.154.42.106
Domain Names
  • N/A
Files and or directories created
  • %WinDir%\SysWOW64\267gKS2.exe
File Hashes
  • 08f0261059671c8d2ce7744b72dafe36380fece3ccec98717a401b61cb09dd67
  • 0a7d5ede4cfe02d2dd8ba3df255573d041e3d00ea68e3f1439d745f57e6e546b
  • 0d37dc0cf1403e6bb4ea16426b690f3408c2b6ead2335f396898f785bca09fb1
  • 1c21bbb0e989bbf1f6ab53092027d95f34b1affa1061ee02c073be3d977761de
  • 2279b51d5a4a71931c1d1653afbcc504ee466c329d3175d4982093dc01e34e4d
  • 2852b604c985a2b7b742c9758cff45e5475a734490af98ec2502f44a21956734
  • 315d74779cf42d6ac4b598d860fa057be7c8c0d5807188553fd355ce607f47e3
  • 3a6ccb939c57c7f449dbdde1dbe82e931c3683f1c41eae9909c5c6f53623e1ce
  • 3f874d1b2adca571aed15ca41aafe083a21696e6079931768314a50e18934ca1
  • 47d1b6bb68b5c8a8fc8abc861902a833850d001bcf69740a6f64f58199976908
  • 51eff2a95e468661d25ad46e3ed576073661725e147b4c1357fea10000eeca39
  • 53424273e648dd42c0939b5c861fa99f317563c4a0b952459cd3492c2a624aea
  • 53a3b12f5be15e8ee4fa7229c02f4be2888093ead63077de2c45a34adbdd15a5
  • 57231565cb69ca9e00e1fceec05df7ddc10594bb5aef6ccf661331a6b4227c27
  • 5f90ec8324a3be0c7da857e54a613161296b3c083e8a668a44c3fd352571439e
  • 65018e87d7d344da69df137669382d70ce04b097e4028b849423b5e06bc7d999
  • 665119775d2b7e5155f855b13dd3e3d69f83de3fff7c24185f19ed7b79be2f1d
  • 68ff0f52a62bc1d87c765fa6c25a3ea873a2e7c6d26e7f4694d614df0cac1d07
  • 718e097a3a20f0e54c96e88e2f931de37291733299f281ff27062117c54c84ce
  • 7232f0954e3a191a30d4dfd0e884f466d8ac15b427adc145f22ed04ee85d81b0
  • 741754b54547cfc847cec859376c77160686853e4fd87ab428f3565359d22784
  • 7be4f453ddc25c7cf6a40bc86886137647f039be4185e149696ecdf854a7e614
  • 7d179994e7a227bd13733265cd4f3c043903c7c987b89dd5a26edbc71fc891fd
  • 7d8796eeab377e45dabfaa365f79af5c86818b8e38c643a97974728b84eb5f8b
  • 890906404fa629983743652be42645d2ee61dfc2f9dad8935cbbff03087567bd

Coverage


Screenshots of Detection

AMP




ThreatGrid



Win.Malware.Tinba-6622749-0


Indicators of Compromise


Registry Keys
  • <HKCU>\Software\Microsoft\Windows\CurrentVersion\Run
Mutexes
  • F5DBF765
IP Addresses
  • 216.218.185.162
Domain Names
  • ynefefyopqvu.com
Files and or directories created
  • %LocalAppData%Low\F5DBF765
  • %AppData%\F5DBF765
  • %AppData%\F5DBF765\bin.exe
File Hashes

Coverage

Screenshots of Detection: AMP, ThreatGrid, Umbrella

Win.Malware.Zusy-6622958-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses
  • N/A
Domain Names
  • lyrics-db.org
Files and or directories created
  • %LocalAppData%\Temp\~NwcTemp
  • %AppData%\MICROS~1\mstsc.exe
  • %AppData%\MICROS~1\smss.exe
  • %AppData%\mqtgsvc.exe
  • %WinDir%\RCX190A.tmp
  • %System16%\RCX1DA0.tmp
  • %System16%\wininit.exe
  • %WinDir%\winlogon.exe
File Hashes

Coverage

Screenshots of Detection: AMP, ThreatGrid, Umbrella

PUA.Win.Downloader.Downloadguide-6622941-0


Indicators of Compromise


Registry Keys
  • <HKCR>\LOCAL SETTINGS\MUICACHE\3E\52C64B7E
    • Value Name: LanguageList
Mutexes
  • N/A
IP Addresses
  • 104.45.146.238
  • 72.21.81.200
  • 104.40.156.71
Domain Names
  • dlg-messages.buzzrin.de
  • dlg-configs.buzzrin.de
  • az687722.vo.msecnd.net
Files and or directories created
File Hashes

Coverage

Screenshots of Detection: AMP, ThreatGrid, Umbrella

Win.Malware.Fareit-6622130-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses
  • N/A
Domain Names
  • www.lieebherr.com
  • ssleee99.gq
  • checkip.dyndns.org
Files and or directories created
  • %LocalAppData%\Temp\XGY.exe
  • %AppData%\The May Department Stores Company
  • %AppData%\The May Department Stores Company\The May Department Stores Company.exe
File Hashes

Coverage

Screenshots of Detection: AMP, ThreatGrid, Umbrella

Win.Malware.Autoit-6622832-0


Indicators of Compromise


Registry Keys
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\WINMGR72
    • Value Name: Id
Mutexes
  • Z1GvCDZ7WjjivTLFlroDIYtChirzywit8riAimZvtJFVwnAGqouOmu1RD2aOhzQjKkCzfBDA
IP Addresses
  • N/A
Domain Names
  • mercipotobibi.crabdance.com
Files and or directories created
  • %AllUsersProfile%\winmgr72.exe
  • %System32%\Tasks\winmgr72
  • \TEMP\16d13c468b4aee0cef0ed6ad496c1f784d0463a008668bb65433b5971f906bcd.exe
File Hashes

Coverage

Screenshots of Detection: AMP, ThreatGrid, Umbrella


CVE-2017-2618 (debian_linux, enterprise_linux, enterprise_linux_desktop, enterprise_linux_server, enterprise_linux_server_aus, enterprise_linux_server_eus, enterprise_linux_workstation, linux_kernel)

A flaw was found in the Linux kernel's handling of clearing SELinux attributes on /proc/pid/attr files before 4.9.10. An empty (null) write to this file can crash the system by causing the system to attempt to access unmapped kernel memory.

CVE-2017-7463 (jboss_bpm_suite)

JBoss BRMS 6 and BPM Suite 6 before 6.4.3 are vulnerable to a reflected XSS via artifact upload. A malformed XML file, if uploaded, causes an error message to appear that includes part of the bad XML code verbatim without filtering out scripts. Successful exploitation would allow execution of script code within the context of the affected user.

CVE-2017-2579 (netpbm)

An out-of-bounds read vulnerability was found in netpbm before 10.61. The expandCodeOntoStack() function has an insufficient code value check, so that a maliciously crafted file could cause the application to crash or possibly allow code execution.

Kinetic and Potential Energy Framework: Applying Thermodynamics to Threat Intelligence

ThreatConnect conducts a thought experiment and proposes a framework for evaluating and triaging indicators based on physical energy properties

All variety of scientists, from chemists to physicists and engineers, measure kinetic and potential energies to better understand how objects are acting or will act within a given situation or system. We posit that these energy concepts can be applied to threat intelligence as a framework to better understand and evaluate indicators and the intelligence associated with them.

Cyber threat intelligence consumers or producers can use this kinetic and potential energy framework to accomplish the following:

  • Scrutinize indicators for the relevant context that would ultimately constitute "intelligence."
  • Evaluate and triage indicators, reported activity, and intelligence feeds or reports based on basic, inherent intelligence requirements.
  • Differentiate indicators' scores based on their relevance to a specific industry or set of intelligence requirements.
  • Identify intelligence gaps and collection requirements to further enable a threat intelligence program.
  • Share the necessary context or calculated energies to facilitate a consumer's integration of provided information.

We'll start by describing some common issues with threat intelligence that we hope the application of this framework can mitigate or deter.

Issues with Cyber Threat Intelligence

Intelligence Requirements

At many organizations, incident responders or security operations center (SOC) personnel might be dual-hatted and also serve as threat intelligence analysts. Organizations with dedicated threat intelligence teams or individuals are uncommon, and many times those organizations still have issues integrating intelligence analysts with the typical incident response function and wind up not seeing or realizing the full potential of threat intelligence. Those shortcomings often manifest in specific problems like a lack of intelligence requirements.

If you're asking what intelligence requirements are and why they matter, don't worry, you're not alone. To summarize, intelligence requirements essentially identify what intelligence analysts at a given organization focus on. If you consider the intelligence cycle, intelligence requirements are a part of the planning and direction step.

The Intelligence Cycle

Let's say you're an organization operating in the healthcare sector. A very basic intelligence requirement for your organization might be to identify activity targeting the healthcare sector. That requirement would then dictate the sources of information that you collect or procure, how you would process and exploit that information, the specific intelligence analysis that you produce from exploiting that collection, and what and how you disseminate and integrate that analysis at your organization.

Oftentimes organizations don't have any identified intelligence requirements. When that's the case, threat intelligence research without intelligence requirements is just surfing the web. Conversely, some organizations will say that they want to know about everything, so "everything" is their intelligence requirement. If everything is your intelligence requirement, you'll end up being inefficient with your defensive resources. Intelligence requirements also have to be relatively specific so that the execution against them within the intelligence cycle can be tracked.

For organizations that are getting started with threat intelligence or don't already have identified intelligence requirements, there are basic intelligence requirements that your organization can use. These might seem overly simplified - which they are - but they are still significantly more specific than "everything" and can give threat intelligence teams a general heading. Those basic intelligence requirements include the following:

  • Activity targeting my sector
  • Activity targeting my organization
  • Activity targeting specific data types that my organization secures (e.g. protected health information or PHI)
  • Activity emanating from my known adversaries

"Intelligence" Feeds or Reports

Indicators in and of themselves are not threat intelligence, but too often feeds and reports will claim to be intelligence when really they are only indicators. Context maketh intelligence. Consider the Grizzly Steppe Joint Analysis Report from two years ago. There were hundreds of indicators shared in that report, but the context that was shared with each of those indicators was insufficient to actually qualify them as intelligence. Ideally, cyber threat intelligence feeds and sources would answer all (or at least two) of the following, which generally correspond to the vertices and axes on the Diamond Model of Intrusion Analysis:

  • Who the bad guys are
  • What they are doing
  • How they are doing it
  • Who they are doing it against
  • Why they are doing it
  • What they will do next

Focus on Known Bad

Finally, the last issue worth noting is a general focus on known bad activity or indicators. Don't get us wrong, this is completely necessary. But it fails to recognize the fact that, if we are employing threat intelligence to its fullest extent, we can proactively identify indicators that might be used in malicious activity in the future but aren't yet known to be malicious. What you're left with is playing whack-a-mole with indicators that possibly are not even being used in operations by the time that you hear about them.

By using this kinetic and potential energy framework, organizations can triage indicators and activity using basic intelligence requirements, scrutinize reports for relevant intelligence, evaluate their intelligence sources or reports, and include a more proactive approach to defense that incorporates suspicious indicators.

A Quick Thermodynamics Lesson

Kinetic and potential are different states of energy that describe the capability of an object to do work. Kinetic energy results from an object in motion, such as a moving car. Potential energy comes from an object's position and may be converted into kinetic energy, such as a ball held above the ground or a compressed spring. To measure and understand these energies over time, scientists have to measure things like an object's velocity, vector, height, and compression, while also taking into account energy-degrading factors like friction or gravity.

To better explain kinetic and potential energy, let's consider a bow and arrow. A bow and arrow by themselves have no energy. When a bow is drawn to shoot the arrow, energy is put into the bow and arrow system. This energy is potential energy and is held in the drawn string of the bow. That potential energy can then be transferred into the arrow by releasing the string and shooting the arrow. At that point, the arrow that is flying through the air has kinetic energy while the potential energy in the bow is gone. This kinetic energy will then degrade as friction from the air and gravity act on the arrow until it hits its target or falls to the ground.

Let's now consider that there is an arrow that we have to physically defend our organization against. Generally, this arrow has several characteristics that we want to understand to determine if and how we defend against it:

  • Whether the bow has been drawn
  • Whether the arrow has been shot
  • Where the arrow was shot from
  • What the arrow was shot at
  • How fast the arrow is traveling
  • Who shot the arrow

Correlation to Threat Intelligence

Those characteristics about the arrow that we want to understand are essentially threat intelligence and those arrows aren't significantly dissimilar from indicators. In some cases there are indicators that we aren't going to care about because they weren't shot at our organization or any similar organizations.

Those things that we want to know about arrows relate to our intelligence requirements. Many of those intelligence requirements manifest in the physical energy properties - was the arrow shot, how fast and where is it traveling, is the bow drawn -- so maybe indicators have relatable energies that we can measure to evaluate and better understand them.

Factors to Measure

When considering kinetic and potential energies for indicators there are certain variables that we want to make sure to include in our equations to capture the necessary data points for the indicators we're evaluating. These factors mimic those that scientists measure to calculate energies. For kinetic energy, we want to include velocity, vector (or direction), and its degradation over time:

  • Velocity is simply going to be binary -- is it active or not.
  • Vector will be a combination of binary, relative factors. Depending on your frame of reference -- the organization you're in, your sector, the data you safeguard -- that calculated vector will be different.
  • Degradation: much as gravity or friction ultimately reduce kinetic energy, time will reduce the kinetic energy of an indicator.

For potential energy, it is a bit more nebulous. The main variables we're interested in are the compression or height and the degradation over time:

  • Compression/Height is where things might get sticky. This is going to be binary and relative to our frame of reference, like the vector for kinetic energy, but it is going to necessitate a better understanding of our adversary and their tactics.
  • Degradation is similar to what it is for kinetic energy with time ultimately reducing the potential energy of an indicator.

Our Equations

As we considered those factors that play into kinetic and potential energy, we ultimately generated the below equations to measure those energies. Keep in mind that these are the equations that we've developed to account for the aforementioned factors in the cyber world. The way that your organization views these factors and ultimately uses them to measure kinetic and potential energy may differ. More on that later.

Kinetic Energy

Kinetic energy equation: Velocity, Vector, Degradation

Kinetic energy for a given indicator is relative, meaning it is going to be different based on who is evaluating it and what organization they are a part of. Usually, any indicator with a kinetic energy greater than 0 deserves additional attention and the higher the kinetic energy, the more pertinent the indicator is going to be to the individual/organization evaluating it. Considering the scale below, the more of those inherent intelligence requirements that an indicator hits on, the higher kinetic energy it will have and thus increase its relevance to your organization.

 

Let's break down the different factors in the equation:

  • Velocity: To start off, if the indicator hasn't actually been used in an operation, U is going to be 0 so the kinetic energy is going to be 0. In that case, we'd move to potential energy and evaluate that.
  • Vector: S+O+D+A really represents those distilled, basic, inherent intelligence requirements referenced earlier. For our equation, we're treating all of these factors equally, but when doing this for your organization, you might choose to change it up a bit. This part of the equation represents essentially where that indicator is directed.
  • Degradation: The kinetic energy is going to decrease over time and ultimately approach 0 based on a deprecation period.

Potential Energy

Potential energy should only be evaluated when an indicator is not known to have been used in an attack. Potential energy correlates with what might happen that is relevant to a given organization based on known adversaries. When indicators with potential energy greater than 0 are addressed, organizations are being proactive in defense. These are the factors in the potential energy equation:

  • Compression/Height: Potential energy necessitates an understanding of your adversaries and their tactics. When those things aren't known, that can be considered an intelligence gap.
  • Degradation: Like with kinetic energy, potential energy will also degrade or deprecate over time. It should be noted however that the period over which you deprecate these suspicious indicators might be different than the period over which you deprecate known bad indicators.

Applying the Equations

Now we'll apply these equations and use these energies to better understand a group of indicators. We'll evaluate these indicators from the perspective of five different organizations: a financial company specifically working with cryptocurrency, and pharmaceutical, media, sporting, and think tank organizations. The indicators we'll evaluate include the following:

  • Arkouowi[.]com was identified in an Accenture report on 2018 Hogfish (aka APT10) operations targeting organizations in Japan; however, no context was given for the type of sector or data that was targeted. APT10 is known to have targeted financial and pharmaceutical organizations, among others.
  • Ikmtrust[.]com was identified in an Arbor Networks 2018 report on Fancy Bear lojack operations, but no targeted sector or data type were included in the report. Fancy Bear is known to have targeted media, sport, and think tank organizations, among others.
  • 222.122.31[.]115 was identified in an Intezer report as part of a Hidden Cobra operation targeting the financial sector. Specifically they targeted data and organizations related to cryptocurrency. Hidden Cobra is known to have targeted financial and media organizations.
  • Fifacups[.]org was not identified in operations, but the domain was registered (Incident 20180326A: Domains Using Suspicious Name Servers and Hosted on Dedicated Servers) through a suspicious name server and as of July 24 2018 is hosted on a dedicated server at 5.135.237[.]219. Those tactics are consistent with previously identified Fancy Bear tactics.
  • Atlanticouncil[.]org was not identified in operations, but the domain was registered (Incident 20180611A: Additional Patchwork Infrastructure) at essentially the same time and through the same registrar as domains identified in a Volexity report on Patchwork activity targeting US think tanks. As of July 23 2018, this domain is also hosted on a dedicated server at 176.107.177[.]7. Patchwork is known to have targeted US think tanks and Chinese political and military organizations, among others.

Based on the above intelligence related to these indicators, we can calculate the kinetic and potential energy for each based on the organizations we previously mentioned. For the purposes of these calculations, we'll assume that the financial cryptocurrency organization deprecates known malicious indicators after 180 days, while all of the rest deprecate them after 360 days. We'll also assume that all of the organizations deprecate suspicious indicators after 360 days. Here are examples for two of the indicators:

222.122.31[.]115

Fifacups[.]org

Since this indicator has not been identified in operations (our U variable is 0), the kinetic energy is 0 so we then proceed to evaluate potential energy.


Understanding Results

Based on a calculation date of July 24 2018, we ultimately come up with the below measurements for these indicators' kinetic and potential energies.

When we rack and stack the findings for each organization, we can see how organizations might go about prioritizing the review of some indicators before others. For example, the 222.122.31[.]115 IP address would be a higher priority for the financial cryptocurrency organization while a lower one for the media organization.

We also see that, within these results, there are no potential energy scores for the financial or pharmaceutical organizations. If we conduct this analysis for a number of our sources and don't have any potential energy scores, that is something that can feed our collection requirements. In that case, we need to pursue different sources that focus on identifying suspicious indicators associated with our specific adversaries' tactics.

Important Notes

There are several important notes to mention now that we've employed the framework and gone through the analysis. To start off, it is important to note that potential and kinetic energy shouldn't be directly related because they aren't a one-to-one comparison. How you treat both most likely will differ.

When you're going through this analysis, every time you say to yourself "I don't know" that is an intelligence gap. The more you work through those intelligence gaps, the more you'll build a baseline for who to follow and why. An important aspect of this framework is that it requires a general understanding of your adversaries or forces you to learn about them. It may be worthwhile to conduct a capability vs. intent assessment of adversaries prior to employing this framework to determine which adversaries are most pertinent to your organization.

Whenever you have a lack of or very low score of either type of energy, that is a collection gap. Procuring or acquiring additional sources may help mitigate those deficiencies and result in better intelligence for your organization.

From the intelligence publisher/creator perspective, this framework can be applied to improve the utility of what they share. If they find that they can't identify the variables that go into these equations from their reports, there is some additional context there that they should investigate and share if possible. Additionally, if they were to provide calculated kinetic and potential energies for affected organizations along with their reports, then that might facilitate consumption and integration of their intelligence.

It's also important to note that for some reports that are one instance of specific activity, you only have to calculate the scores for a single indicator. That same score would then be accurate for all other indicators in that report or directly related to its relevant activity. For example, the IP addresses 5.135.237[.]219 and 176.107.177[.]7, which respectively host fifacups[.]org and atlanticouncil[.]org, would have the same potential energy scores as the domains.

Extensibility

While we went over our specific equations for kinetic and potential energy, this idea and the equations are extensible. The main issue is capturing the velocity, vector, and degradation. But maybe you want to treat your assessment of that vector differently. Maybe you want to include other basic intelligence requirements like the country targeted, if so, this is how your equation might look, where L is whether your location/country was targeted in the activity:

Or maybe you want to exclude unknown variables to mitigate shortcomings in reporting. Using n, where n is the number of variables you're actually including, instead of 4 could do that:

Or maybe you want to weight certain variables differently to reflect more important intelligence requirements. This is maybe a way that equation would look, where activity targeting your organization is more important than the other variables:

Regardless of what intelligence requirements you want to include, the vector factor of the equation is where you can easily change things up based on your own organization's specific intelligence needs. Additionally, you may want to consider altering the degradation aspect of the equation. For example, you may choose to deprecate the kinetic energy for files over a longer period (540 days) than that for hosts (360 days). In that case, your equations might look like the following:
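The post's equations are images that did not survive extraction, so here is an added example (not ThreatConnect's own code) that scores two of the indicators above for two of the organizations, covering the "Our Equations" walk-through and the weighting and n-term variants from this Extensibility section. The concrete formulas (binary velocity U, the S/O/D/A binaries averaged over n terms, linear degradation reaching 0 at the deprecation period, a binary height test for potential energy), the observation dates, and the organization and adversary profiles are all assumptions constructed for the example.

```python
"""Kinetic/potential energy scoring for threat indicators (added example).

Not ThreatConnect's code: the post's equations are images that did not
survive extraction, so the formulas here are assumptions reconstructed
from the prose -- binary velocity U, a vector that averages the S/O/D/A
binaries over n terms, and a linear degradation that reaches 0 at the
deprecation period.  Dates, organisation profiles and adversary lists are
constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Organization:
    name: str
    sector: str
    data_types: set = field(default_factory=set)   # data it safeguards
    adversaries: set = field(default_factory=set)  # adversaries it tracks
    known_bad_days: int = 360   # deprecation period for known-bad indicators
    suspicious_days: int = 360  # deprecation period for suspicious indicators


@dataclass
class Indicator:
    value: str
    used_in_operation: bool     # velocity term U: seen in an operation or not
    observed: date              # when the report/registration was observed
    adversary: str = ""         # attributed (known bad) or suspected adversary
    sectors: set = field(default_factory=set)     # sectors targeted
    orgs: set = field(default_factory=set)        # named victim organisations
    data_types: set = field(default_factory=set)  # data types targeted


# "Known to have targeted" statements from the post, as a lookup table.
ADVERSARY_TARGETS = {
    "APT10": {"financial", "pharmaceutical"},
    "Fancy Bear": {"media", "sporting", "think tank"},
    "Hidden Cobra": {"financial", "media"},
    "Patchwork": {"think tank"},
}


def degradation(observed: date, as_of: date, period_days: int) -> float:
    """Assumed linear decay: 1.0 when fresh, 0.0 once the period has elapsed."""
    age_days = (as_of - observed).days
    return max(0.0, 1.0 - age_days / period_days)


def vector(ind: Indicator, org: Organization, weights: dict = None) -> float:
    """Vector term: weighted mean of the S, O, D, A binaries.

    Equal weights reproduce (S + O + D + A) / 4; passing a weights dict
    covers the Extensibility variants (weighting, or using n < 4 terms).
    """
    terms = {
        "S": org.sector in ind.sectors,              # my sector targeted
        "O": org.name in ind.orgs,                   # my organisation targeted
        "D": bool(org.data_types & ind.data_types),  # my data types targeted
        "A": ind.adversary in org.adversaries,       # one of my known adversaries
    }
    weights = weights or {k: 1.0 for k in terms}
    return sum(weights[k] * float(terms[k]) for k in weights) / sum(weights.values())


def kinetic_energy(ind, org, as_of, weights=None) -> float:
    """U * vector * degradation; an indicator never used in an operation scores 0."""
    if not ind.used_in_operation:
        return 0.0
    return vector(ind, org, weights) * degradation(ind.observed, as_of, org.known_bad_days)


def potential_energy(ind, org, as_of) -> float:
    """Evaluated only when U == 0.  Height is binary: does the suspected
    adversary target our sector, or is it already one of our adversaries?"""
    if ind.used_in_operation:
        return 0.0
    targets = ADVERSARY_TARGETS.get(ind.adversary, set())
    height = float(org.sector in targets or ind.adversary in org.adversaries)
    return height * degradation(ind.observed, as_of, org.suspicious_days)


def score(ind, org, as_of, weights=None):
    """Return (kinetic, potential) so an analyst can rack and stack indicators."""
    return kinetic_energy(ind, org, as_of, weights), potential_energy(ind, org, as_of)


# Constructed sample: two of the post's organisations and two of its indicators.
# Observation dates are placeholders; the source reports' dates are not given.
AS_OF = date(2018, 7, 24)
CRYPTO_ORG = Organization("CryptoFin", "financial", {"cryptocurrency"},
                          {"APT10", "Hidden Cobra"}, known_bad_days=180)
MEDIA_ORG = Organization("MediaCo", "media", set(), {"Fancy Bear", "Hidden Cobra"})
HIDDEN_COBRA_IP = Indicator("222.122.31[.]115", True, date(2018, 4, 25),
                            "Hidden Cobra", {"financial"}, set(), {"cryptocurrency"})
FIFACUPS = Indicator("fifacups[.]org", False, date(2018, 3, 26), "Fancy Bear")

if __name__ == "__main__":
    for org in (CRYPTO_ORG, MEDIA_ORG):
        for ind in (HIDDEN_COBRA_IP, FIFACUPS):
            ke, pe = score(ind, org, AS_OF)
            print(f"{org.name:9} {ind.value:18} KE={ke:.3f} PE={pe:.3f}")
```

With these assumptions the Hidden Cobra IP ranks higher for the cryptocurrency organization than for the media organization, and fifacups[.]org carries potential energy only for the media organization, matching the prioritization the post describes.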

Caveats and Conclusions

There are several caveats related to this idea and framework that we should also mention. First and foremost, this framework isn't going to be for everyone and its utility may hinge on your threat intelligence program's maturity. Some organizations may completely discount it as they already have a different process in place to evaluate indicators against their intelligence requirements. Others might not have the resources to run through this framework. Others also might just not think this framework is useful. We're hoping though that some organizations might find this useful either as a thought experiment, or to audit their intelligence program and identify intelligence and collection gaps, or maybe to even incorporate into their daily processes. Regardless of where you fall on that spectrum, we'd love to hear back from you on this idea and any thoughts you have on it.

Finally, it's worth noting that at this point, this is a manual process and more of an analytic technique or framework; however, we are investigating ways to employ this at scale and include it in our own intelligence reports. A lack of standards in industry reports and feeds could ultimately complicate automation efforts, so that is something else we are taking into account.

We've also created a data sheet summarizing this framework, complete with a worksheet to employ it against indicators.

The post Kinetic and Potential Energy Framework: Applying Thermodynamics to Threat Intelligence appeared first on ThreatConnect | Enterprise Threat Intelligence Platform.

How Your Data Makes Them Money, at the Edge of The Law: The Rise and Fall of Social Media Giants

You lost almost $150 billion for Facebook. If you know the value of privacy, care about what happens to your data and the legality of the companies you support, if you own a business that relies on social platforms or is adjacent to them, you’re probably responsible for what happened in the past 48 hours at Facebook.

If you read this blog and followed our protection guides, then you’re probably doubly aware of your responsibility. What are you responsible for? For turning the tide.

On Thursday, the social media giant released its quarterly earnings report and, while the numbers did not look scary on the surface, the market was actually hit by a tsunami.

What happened

facebook q2 2018 earnings report

Source

After the Cambridge Analytica breach, the General Data Protection Regulation (GDPR) put in place earlier this year, Facebook’s rise finally stopped and even reversed, just like the tide.

With the report out, the share price fell by 19%. In actual money, that dip translates to between $120 and $150 billion wiped from Facebook’s market cap. As CNBC pointed out, no company in U.S. history had ever lost more than $100 billion in a single day. Intel came close, at the end of the dot-com bubble that was essentially a reset button for the whole of the Internet. In third place is Microsoft, whose stock went down 14%, or around $80 billion, on April 3rd, 2000.

Why? A judge’s hammer came down and decided that Microsoft Corp. had violated antitrust laws and used its power to stifle competition. It is no coincidence that two of the three biggest market earthquakes happened because a tech giant was walking at the edge of the law, trying to use it to drown competition while also undermining the landscape in which it was established.

Facebook does not want to provide you with a good experience so much as it wants to sell you things. It wants to keep you engaged, not happy, on its platform, in order to turn around and sell your attention to the highest bidder. Facebook Ads Manager, even with no previous experience of the platform, lets you play around like this.

(For practice’s sake, the following ad is being set up by the owner of a small coffee shop who wants to draw in commuters from Moira to Belfast. He/she also hopes that those commuters will not only stop for an iced coffee but they’ll also be inclined to post on social media the delicious drink. He excluded people who have a paleo diet because he doesn’t think they’d be interested. He also offers vegan options, so he left that one open.)

facebook ads manager targeting how it works

These settings are what is available now to advertisers, though you should know they were even more granular before the Cambridge Analytica incident, Facebook’s own Watergate. As you can see in the screenshot above, there is a notice that a lot of these options will no longer be available in the near future.

The poker-faced reason these ad targeting settings exist is that users freely share their personal info with Facebook and other social media giants. To the individual, these are meaningless little streams of information, which can indeed produce much better ads; for Facebook and the other giants, they are the actual revenue stream, and the temptation to bend the rules.

As recent events revealed, the companies holding that data themselves are vulnerable to speculators like Cambridge Analytica.

You see, the online advertising ecosystem thrives under very specific conditions: it has to know exactly what Facebook users are doing and thinking at the moment so that it can serve up the best ad. And Facebook does have a history of questionable privacy practices and security incidents.

facebook timeline of privacy breaches and incidents

It’s easy to cast blame on one company alone but it would be unfairly singling them out since the practices of handling large amounts of data have not always fallen into the “fair” category and have always carried the “risky” label.

Google was slammed with a $2.8 billion fine for antitrust violations this summer, for almost the same tricks that brought the hammer down on Microsoft almost 2 decades ago.

“Today, mobile internet makes up more than half of global internet traffic. It has changed the lives of millions of Europeans. Our case is about three types of restrictions that Google has imposed on Android device manufacturers and network operators to ensure that traffic on Android devices goes to the Google search engine. In this way, Google has used Android as a vehicle to cement the dominance of its search engine. These practices have denied rivals the chance to innovate and compete on the merits. They have denied European consumers the benefits of effective competition in the important mobile sphere. This is illegal under EU antitrust rules,” said Commissioner Margrethe Vestager.

Coming back to the past few months and the events of the last 48 hours, Facebook lost the trial in the public court and now it’s losing ground with investors too.

For privacy and security-oriented individuals, this is good news, though it doesn’t come from a good place.

Like the investment firm who is now calling for Mark Zuckerberg to step down from his position said,  “this lack of independent board Chair and oversight has contributed to Facebook missing, or mishandling, a number of severe controversies, increasing risk exposure and costs to shareholders.”

You could agree fully with the statement and sentiment. You could sigh and say “capitalism”. However, we’re here to look at it from the perspective of privacy and security. In this context, it is a signal that you have to be even more vigilant than usual.

Right now, more than ever, investors are pushing companies to the limit of legality, in the name of profits. They’re not saying “be careful with users’ data and their wellbeing”, they’re saying “be careful the users don’t realize what you’re doing with their data” and “make sure you assuage their fears.”

“Looking ahead, we will continue to invest heavily in security and privacy because we have a responsibility to keep people safe,” he said.

It sounds nice but we are sure you know better by now. You need to invest in your own security and privacy because your and your business’s valuable data should not be at the mercy of giants.

Where to go from here

If you’re a home user, use one of our privacy guides to start protecting your digital life, they’re quite easy to follow and will ensure that you’re safe not just from cybercriminals, but also from those companies that sit at the edge of the law.

If you’re approaching this from an organization’s perspective, reach out to us for the best tools to protect your and your customers’ interests. For a healthy digital economy in which all parties are satisfied, security and compliance are essential.

 

Disclosure: This post probably ended up in front of you after we spent a very small sum to buy advertising space on a social platform. The only criterion we used to “target” you was the fact that you speak English and value both privacy and security. We know that’s what you also look for when you come to us for cybersecurity expertise.

The post How Your Data Makes Them Money, at the Edge of The Law: The Rise and Fall of Social Media Giants appeared first on Heimdal Security Blog.

Emoji are weird

So I put a “man shrugging” emoji in my last post; it shows up strangely in RSS as displayed by NetNewsWire, showing “woman shrugging”, the “mars zodiac” sign and a bar code. No idea. Chaos, emergent.

REVIEW: Best VPN routers for small business

When selecting VPN routers, small businesses want ones that support the VPN protocols they desire as well as ones that fit their budgets, are easy to use and have good documentation.

We looked at five different models from five different vendors: Cisco, D-Link, DrayTek, Mikrotik and ZyXEL. Our evaluation called for setting up each unit and weighing the relative merits of their price, features and user-friendliness.


Save up to 25% off your course fees

Boost your information security career and become proficient in industry-standard roles such as Incident Responder, Vulnerability Analyst, Secure Software Assessor, and more. To help you get started, we’re now offering volume discounts based on the number of courses you enroll in at once.

How do our volume discounts work?

Our new volume discounts are based on the number of courses you enroll in at once. You can either pick one of our training paths or a combination of courses of your choice.

The discount automatically applies on the complete amount of all course fees in one transaction so you won’t need a coupon code. Several transactions, existing courses, or consecutive enrollments will not be considered for a volume discount.

Here’s how these combined course fees are discounted:

  • Enroll in 2 courses: get 10% off
  • Enroll in 3 courses: get 15% off
  • Enroll in 4 courses: get 20% off
  • Enroll in 5+ courses: get 25% off

The volume discounts are valid for course fees only, but cannot be used for installments, be combined with any other offers, or used for a group of students. Please click here for corporate enrollments: eLearnSecurity.com/organization

Get 15% off your chosen training path

Our new Training Paths were developed to help you become proficient in industry-standard roles outlined in the NICE Cybersecurity Workforce Framework by NIST. By enrolling in one of our Training Paths, you’ll get 15% off your course fees. But that’s not all, following a training path has more value than just a volume discount. Click below to find out more:

You might be interested: 5 Reasons To Follow Our Training Paths


CVE-2018-14612 (linux_kernel)

An issue was discovered in the Linux kernel through 4.17.10. There is an invalid pointer dereference in btrfs_root_node() when mounting a crafted btrfs image, because of a lack of chunk block group mapping validation in btrfs_read_block_groups in fs/btrfs/extent-tree.c, and a lack of empty-tree checks in check_leaf in fs/btrfs/tree-checker.c.

CVE-2018-14609 (linux_kernel)

An issue was discovered in the Linux kernel through 4.17.10. There is an invalid pointer dereference in __del_reloc_root() in fs/btrfs/relocation.c when mounting a crafted btrfs image, related to removing reloc rb_trees when reloc control has not been initialized.

CVE-2018-14611 (linux_kernel)

An issue was discovered in the Linux kernel through 4.17.10. There is a use-after-free in try_merge_free_space() when mounting a crafted btrfs image, because of a lack of chunk type flag checks in btrfs_check_chunk_valid in fs/btrfs/volumes.c.

CVE-2018-14613 (linux_kernel)

An issue was discovered in the Linux kernel through 4.17.10. There is an invalid pointer dereference in io_ctl_map_page() when mounting and operating a crafted btrfs image, because of a lack of block group item validation in check_leaf_item in fs/btrfs/tree-checker.c.

CVE-2018-14617 (linux_kernel)

An issue was discovered in the Linux kernel through 4.17.10. There is a NULL pointer dereference and panic in hfsplus_lookup() in fs/hfsplus/dir.c when opening a file (that is purportedly a hard link) in an hfs+ filesystem that has malformed catalog data, and is mounted read-only without a metadata directory.

CVE-2018-14610 (linux_kernel)

An issue was discovered in the Linux kernel through 4.17.10. There is out-of-bounds access in write_extent_buffer() when mounting and operating a crafted btrfs image, because of a lack of verification that each block group has a corresponding chunk at mount time, within btrfs_read_block_groups in fs/btrfs/extent-tree.c.

How Improving Password Security Helps Protect Against Botnets

The DDoS threat landscape has been transformed by the emergence of IoT botnets. These botnets allow criminals to execute assaults with precision and control, delivered in many different ways that are often virtually impossible to trace back to the original attacker. The largest DDoS attacks are also growing exponentially in size, as attackers take advantage of the breadth of connected devices incorporated in our Internet of Things.

IoT devices are poorly secured, and they are everywhere

One of the major contributors to the rise of IoT-related attacks is the massive number of these typically poorly secured, Internet-connected devices currently in use worldwide. One of the key catalysts was the original Mirai botnet, which harnessed millions of vulnerable IoT devices by using telnet to find those still using their factory default username and password pairs, and then used them to launch attacks. We are now seeing derivatives of Mirai that use increasingly sophisticated exploits, such as vulnerabilities in the software that runs on the devices, much as hackers have been compromising Windows and Android devices.

The sheer scale and variety of devices offers a significant return for cyber criminals, as they only need to find a way to compromise one device model and can then replicate the attack to compromise hundreds of thousands more devices. There is really no limit to the potential size and scale of future botnet-driven DDoS attacks, particularly when they harness the full range of smart devices incorporated into our Internet of Things. And, by using amplification techniques with these devices, which includes vast numbers of home-routers, baby video monitors and security surveillance cameras, the largest DDoS attacks are set to become even more colossal in scale.

Enhancing password security is a must

Although devices are becoming increasingly secure by design, we’re still witnessing the mass production and release of devices with the same default passwords, which are easy targets for cyber attackers. The challenge is that, technically, it is more complex for manufacturers to produce devices with unique credentials than to rely on users to change them at the point of use. In reality, however, very few consumers will do this, assuming they even know how, which allows hackers to take full advantage of the situation. Default passwords are pretty simple to discover and, in fact, some can be found with a simple Google search. So, changing these ‘master keys’ should be of paramount importance to end users and organisations alike.

In addition, when a network router’s administrative interface is accessible from the Internet, then hackers can often gain access via a brute-force attack. Routers continue to be an attractive target as they act as a gateway to the entire network, giving cybercriminals the potential to access additional devices and recruit them into a botnet army. Users can, typically, disable external access by choosing local administration only, ensuring all their passwords, including default ones, cannot be used from the Internet.

Fortunately, some of the security flaws are already being identified and fixed, and consumers are increasingly aware of the security risks posed by IoT devices. Device manufacturers have also started applying security updates automatically to reduce the chances of connected devices being hacked or taken over.

Best practices for improving your IoT device security

Attackers understand that manufacturers and home users are starting to wake up to the problem of default passwords on IoT devices, and are seeking alternative, more complex ways to access them. As this trend continues, hackers become increasingly inventive when searching for accessible devices and ways to gain entry to them.

There isn't one solution for connected-device protection; there are probably a dozen different things that people need to do to help address this challenge, all the way from homeowners being more responsible and changing default details, to manufacturers implementing secure update practices. What is a given is that this problem is not going to be solved overnight.

With the growing number of connected devices around the globe, it is important that manufacturers, service providers and retailers work together to raise IoT security awareness and encourage organisations to educate end-users on the part they need to play with good password hygiene, that ultimately will benefit all of us.

In the meantime, for organisations that cannot afford the negative service impact of a rogue botnet-powered DDoS attack, real-time DDoS protection is a necessity.

For more information, contact us.

CVE-2018-14602 (gitlab)

An issue was discovered in GitLab Community and Enterprise Edition before 10.8.7, 11.0.x before 11.0.5, and 11.1.x before 11.1.2. Information Disclosure can occur because the Prometheus metrics feature discloses private project pathnames.

Threat Modeling Thursday: 2018

Since I wrote my book on the topic, people have been asking me “what’s new in threat modeling?” My Blackhat talk is my answer to that question, and it’s been taking up the time that I’d otherwise be devoting to the series.

As I’ve been practicing my talk*, I discovered that there’s more new than I thought, and I may not be able to fit in everything I want to talk about in 50 minutes. But it’s coming together nicely.


The current core outline is:

  • What are we working on
    • The fast moving world of cyber
    • The agile world
    • Models are scary
  • What can go wrong? Threats evolve!
    • STRIDE
    • Machine Learning
    • Conflict

And of course, because it’s 2018, there’s cat videos and emoji to augment logic. Yeah, that’s the word. Augment. 🤷‍♂

Wednesday, August 8 at 2:40 PM.

* Oh, and note to anyone speaking anywhere, and especially large events like Blackhat — as the speaker resources say: practice, practice, practice.

Beers with Talos EP 34: Click Here to Assign New Mobile Device Owner



Beers with Talos (BWT) Podcast Ep. #34 is now available.  Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing: www.talosintelligence.com/podcast.

Ep. #34 show notes: 

Recorded July 20, 2018 — This week, we touch on several topics, but we spend the lion’s share of the episode discussing the mobile device management (MDM) campaign we've been following. We are joined by Aaron Woland and spend a great deal of time discussing how these attacks work and how they happen to users of devices across multiple platforms. We talk about the differences in how MDM is handled across different OS flavors, and the similarities in how the attacks happen (hint: users ignoring the warnings).

The timeline:

The roundtable

01:00 - Nigel: Three weeks to go until the Mighty Reds face… ???
03:05 - Craig: The Furbo is dead. It was probably Lurene, just sayin'.
06:20 - Joel: "My busy week with Joel"

The topics

07:55 - Talos cryptocurrency mining whitepaper, including an interesting take from our Portcullis Labs friends
11:05 - Vuln Discovery: Samsung and Sony
16:27 - MDM — Mobile Device Management: This is what you came here for. 

The links



Talos cryptomining Whitepaper: https://blog.talosintelligence.com/2018/07/blocking-cryptomining.html
Sony vuln post: https://blog.talosintelligence.com/2018/07/sony-ipela-vulnerability-spotlight-multiple.html
Samsung vuln post: https://blog.talosintelligence.com/2018/07/samsung-smartthings-vulns.html
MDM, Pt.1: https://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html
MDM, Pt. 2: https://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html

==========

Featuring: Craig Williams (@Security_Craig), Joel Esler (@JoelEsler), Matt Olney (@kpyke) and Nigel Houghton (@EnglishLFC).  Special Guest: Aaron Woland (@AaronWoland).
Hosted by Mitch Neff (@MitchNeff).

Find all episodes:
http://cs.co/talospodcast

Subscribe via iTunes (and leave a review!)
http://cs.co/talositunes

Check out the Talos Threat Research Blog:
http://cs.co/talosresearch

Subscribe to the Threat Source newsletter:
http://cs.co/talosupdate

Follow Talos on Twitter:
http://cs.co/talostwitter

Give us your feedback and suggestions for topics:
beerswithtalos@cisco.com

Focus on Real Friends This Friendship Day

I walked into my niece’s room and found her busy making colourful bands.

“What are these for?” I asked.

“Friendship Day is coming up and this year I have decided to make my own bands to give to my friends. Got to finish making them all today.”

“That’s lovely,” and then as a thought struck me, I added, “Are you making them for your friends online?”

“No!!! What a question! How do you think I would give these to them? Virtually? These bands are only for real friends.”

Happy as I was to hear that, I couldn’t help adding a parting shot, “Really? Then why do you share so much about yourself with these virtual friends?”

We spent the next few minutes thinking about friends and friendship.

The charm of school and college life lies in friends: the better the group of friends you have, the more enjoyable your student life is. Such friendships stand the test of time and can be revived even after years of separation.

If adults can be duped, then aren’t the highly impressionable teens also at risk? Even tech-savvy kids tend to be duped by fake profiles so the smart parenting thing to do is to create awareness beforehand.

Friendship Day is the perfect time to initiate a discussion with your kids on how to establish if online friends are actual people. Start by administering this quiz on real vs. online friends:

Who are your real friends? (Check the boxes that apply):

  • You know them well in person
  • Your parents know them too, and approve of them
  • You are most probably studying in the same school or college
  • You live in the same apartment block or neighborhood
  • You have shared interests and know each other’s strengths and weaknesses
  • You have been to each another’s house
  • You know they will accept you the way you are and never embarrass you in public
  • You trust them

Then, ask them to tick the boxes that apply for their virtual friends and follow it up with a discussion.

Takeaway: The online world holds infinite promises and possibilities but they can be realized only when the user is judicious and careful. In the early years of adolescence, it’s better to keep virtual friends limited to known people.

Next in line is to find ways to identify fake profiles and learn to block and report:

Teach kids to identify fake profiles online:

  • Profile – The profile picture is very attractive, but there are rarely any family or group pictures
  • Name – The name sounds weird or is misspelled
  • Bio – The personal details are sketchy
  • Friend list – There are no common friends
  • Posts – The posts and choice of videos make you feel uncomfortable or are clearly spam
  • Verification – A Google search on the profile picture throws up random names

Show kids how to block and report fake profiles:

  • Save: If you have mistakenly befriended a suspicious person, no worries. Keep records of all conversations by taking screenshots, copying and pasting, or using the print screen command
  • Unfriend: Remove the user from your friend list
  • Block: Prevent the person from harassing you with friend requests in future by using the blocking function
  • Flag: Report suspicious profiles to the social media site to help them check and remove such profiles and maintain the hygiene of the platform

Share digital safety tips:

  1. Practice STOP. THINK. CONNECT. Do not be in a hurry to raise your friend count, and choose your friends wisely
  2. Share with care: Be a miser when it comes to sharing personal details like name, pictures, travel and contact details online. The less shared, the better it is for the child
  3. Review privacy and security: Check all your posts periodically and delete those you don’t like. Maximize account security and keep privacy at max

Finally, share this message with your kids.

On Friendship Day, pledge to be a good friend to your real friends and limit your online friends to those you know well in real life. Secure your online world by using security tools on your devices and acting judiciously online. If you act responsibly online, you not only make your digital world safer but also help to secure the digital worlds of your friends. That’s the sign of an ideal digital citizen.

 

The post Focus on Real Friends This Friendship Day appeared first on McAfee Blogs.

Offensive Security Online Exam Proctoring

When we started out with our online training courses over 12 years ago, we made hard choices about the nature of our courses and certifications. We went against the grain, against the common certification standards, and came up with a unique certification model in the field - "Hands-on, practical certification". Twelve years later, these choices have paid off. The industry as a whole has realized that most of the multiple choice, technical certifications do not necessarily guarantee a candidate's technical level...and for many in the offensive security field, the OSCP has turned into a golden industry standard. This has been wonderful for certification holders as they find themselves actively recruited by employers due to the fact that they have proven themselves as being able to stand up to the stress of a hard, 24-hour exam - and still deliver a quality report.

Insurance Occurrence Assurance?

You may have seen my friend Brian Krebs’ post regarding the lawsuit filed last month in the Western District of Virginia after $2.4 million was stolen from The National Bank of Blacksburg in two separate breaches over an eight-month period. Though the breaches are concerning, the real story is that the financial institution is suing its insurance provider for refusing to fully cover the losses.

From the article:

In its lawsuit (PDF), National Bank says it had an insurance policy with Everest National Insurance Company for two types of coverage or “riders” to protect it against cybercrime losses. The first was a “computer and electronic crime” (C&E) rider that had a single loss limit liability of $8 million, with a $125,000 deductible.

The second was a “debit card rider” which provided coverage for losses which result directly from the use of lost, stolen or altered debit cards or counterfeit cards. That policy has a single loss limit of liability of $50,000, with a $25,000 deductible and an aggregate limit of $250,000.

According to the lawsuit, in June 2018 Everest determined both the 2016 and 2017 breaches were covered exclusively by the debit card rider, and not the $8 million C&E rider. The insurance company said the bank could not recover lost funds under the C&E rider because of two “exclusions” in that rider which spell out circumstances under which the insurer will not provide reimbursement.

Cyber security insurance is still in its infancy and issues with claims that could potentially span multiple policies and riders will continue to happen – think of the stories of health insurance claims being denied for pre-existing conditions and other loopholes. This, unfortunately, is the nature of insurance. Legal precedent, litigation, and insurance claim issues aside, your organization needs to understand that cyber security insurance is but one tool to reduce the financial impact on your organization when faced with a breach.

Cyber security insurance cannot and should not, however, be viewed as your primary means of defending against an attack.

The best way to maintain a defensible security posture is to have an information security program that is current, robust, and measurable. An effective information security program will provide far more protection for the operational state of your organization than cyber security insurance alone. To put it another way, insurance is a reactive measure whereas an effective security program is a proactive measure.

If you were in a fight, would you want to wait and see what happens after a punch is thrown to the bridge of your nose? Perhaps you would like to train to dodge or block that punch instead? Something to think about.

CVE-2017-7538 (satellite)

A cross-site scripting (XSS) flaw was found in how an organization name is displayed in Satellite 5, before 5.8. A user able to change an organization's name could exploit this flaw to perform XSS attacks against other Satellite users.

Vulnerability Spotlight: Multiple Vulnerabilities in Samsung SmartThings Hub

These vulnerabilities were discovered by Claudio Bozzato of Cisco Talos.



Executive Summary


Cisco Talos recently discovered several vulnerabilities present within the firmware of the Samsung SmartThings Hub. In accordance with our coordinated disclosure policy, Cisco Talos has worked with Samsung to ensure that these issues have been resolved and that a firmware update has been made available for affected customers. These vulnerabilities could allow an attacker to execute OS commands or other arbitrary code on affected devices.

The SmartThings Hub is a central controller that monitors and manages various internet-of-things (IoT) devices such as smart plugs, LED light bulbs, thermostats, cameras, and more that would typically be deployed in a smart home. The SmartThings Hub functions as a centralized controller for these devices and allows users to remotely connect to and manage these devices using a smartphone. The firmware running on the SmartThings Hub is Linux-based and allows for communications with IoT devices using a variety of different technologies such as Ethernet, Zigbee, Z-Wave and Bluetooth.

Given that these devices often gather sensitive information, the discovered vulnerabilities could be leveraged to give an attacker the ability to obtain access to this information, monitor and control devices within the home, or otherwise perform unauthorized activities. Some example scenarios are listed below:

  • Smart locks controlled by the SmartThings Hub could be unlocked, allowing for physical access to the home.
  • Cameras deployed within the home could be used to remotely monitor occupants.
  • The motion detectors used by the home alarm system could be disabled.
  • Smart plugs could be controlled to turn off or on different things that may be connected.
  • Thermostats could be controlled by unauthorized attackers.
  • Attackers could cause physical damage to appliances or other devices that may be connected to smart plugs deployed within the smart home.

Given the wide range of possible deployments of these devices, this is not a complete list of different scenarios. Cisco Talos recommends ensuring that affected SmartThings Hubs are updated to the latest version of firmware to ensure that these vulnerabilities are addressed.

Exploitation


In total, Talos found 20 vulnerabilities in the Samsung SmartThings Hub. These vulnerabilities vary in the level of access required by an attacker to exploit them and the level of access they give an attacker. In isolation, some of these might be hard to exploit, but together they can be combined into a significant attack on the device. While we discuss all 20 of these vulnerabilities later in this blog post, in this section we will discuss how an attacker can chain together three vulnerability classes that are present in the device to gain complete control of the device.

Chains


It is possible to gather the set of preconditions needed to exploit bugs that would otherwise be unreachable by using multiple vulnerabilities. This is commonly referred to as "chaining." When considering the severity of vulnerabilities, it is essential to keep in mind that they might be used as part of a chain, as this would significantly elevate their severity.

We identified three notable chains, the last of which allows for remotely compromising the device without prior authentication:

A


Remote code execution: TALOS-2018-0556 describes a post-auth vulnerability that allows for the execution of arbitrary SQL queries against a database inside the device. When used alone, it only allows for altering the whole database. However, TALOS-2018-0557, TALOS-2018-0576, TALOS-2018-0581 and TALOS-2018-0583 describe a set of memory corruption vulnerabilities that allow for executing arbitrary code, assuming the attacker is capable of issuing arbitrary SQL queries. Since TALOS-2018-0556 provides this capability, they can be chained together to achieve code execution from the network. Note, however, that this list is not exhaustive, as other combinations may be viable.

B


Remote information leakage: TALOS-2018-0556 can also be used to create an empty file anywhere inside the device. As described in TALOS-2018-0593, the existence of an empty file at the path "/hub/data/hubcore/stZigbee" causes the `hubCore` process to crash. Moreover, as described in TALOS-2018-0594, when the `hubCore` process crashes it triggers an information leak that can be captured from the network. By chaining these three vulnerabilities in order, an attacker can obtain a memory dump of the `hubCore` process, which contains most of the Hub's core logic and, consequently, sensitive information.

C


Pre-auth remote code execution: TALOS-2018-0578 describes a vulnerability that allows for injecting semi-controlled HTTP requests into the internal `video-core` process, from the network and without prior authentication. Since the injected requests are not completely controllable, TALOS-2018-0577 can be chained (using all three of its CVEs together) to further refine the injected HTTP request: TALOS-2018-0577 shows how to modify the method, path, and body components of an HTTP request by exploiting a bug in the handling of HTTP pipelining. Finally, the chain could end with TALOS-2018-0573, which exploits a stack-based buffer overflow by sending a local HTTP request to the `video-core` process. By chaining these three vulnerabilities together, an attacker can compromise the device remotely without prior authentication. Note that other similar vulnerabilities could be used as the last element of the chain, although they might be more complex to implement.

Attack vectors


Chain C can be executed without prior authentication. Chains A and B, however, as well as the majority of the vulnerabilities reported, have different preconditions depending on the attack vector.

To understand the attack surface, it is useful to note that there is a trust relationship between the SmartThings Hub and the remote servers that it communicates with. This allows for the remote monitoring and management of the smart home via a smartphone application, as well as for the addition of custom features to make the Hub compatible with other, non-officially supported devices.

In the scope of the vulnerabilities that we reported, we identified multiple notable attack vectors:

X


Anyone owning a valid OAuth bearer token, or the corresponding username and password pair needed to obtain one, can talk to the remote SmartThings servers as an authenticated user. At this stage, an attacker could exploit some of the bugs that we reported, as demonstrated in TALOS-2018-0539.

Y


Third-party developers can write a "SmartApp" so that hardware the Hub does not natively support can communicate with it transparently. SmartApps can either be published on the public marketplace or exist only on the developer's own hub. Since SmartApps exist to talk to unsupported hardware, they need a way to send network messages: a SmartApp can instruct the Hub to perform network connections on its behalf. These requests originate from the remote SmartThings servers (which is where the SmartApp actually executes) and are relayed to the Hub, where the `hubCore` process performs the connection.

This has the side effect of giving SmartApps the power to communicate with localhost-bound services, such as `video-core`, which wouldn't otherwise be reachable.

Thus, the existence of SmartApps makes chains A and B, as well as any `video-core` vulnerability, exploitable without authentication, with the requirement that a custom SmartApp be enabled on the device.

Z


Anyone able to impersonate the remote SmartThings servers can talk to the `hubCore` process in the hub, which in turn allows an attacker to talk directly to the `video-core` process and exploit any of its bugs. Note that the SmartThings server that communicates with the Hub is not supposed to be able to run arbitrary code on it, as shown by the fact that firmware update packages, although sent over this same TLS connection, are encrypted and authenticated, and likely packaged by a different, more privileged, machine.

Vulnerability Details


Samsung SmartThings Hub RTSP Password Command Injection Vulnerability (TALOS-2018-0539 / CVE-2018-3856)

The Samsung SmartThings Hub can be used to register, configure, and view the video stream from various IP cameras. The hub also lets users modify the camera's password, which is then stored by `video-core` in an internal database. Accessing the camera's video feed causes the hub to invoke the `ffmpeg` command with the `camera-password` parameter retrieved from this database. By including a space character in the camera password, an attacker can cause the `ffmpeg` binary to be launched with attacker-controlled command-line options, which can be used to execute arbitrary system commands. TALOS-2018-0539 has been assigned CVE-2018-3856. For additional information, please see the advisory here.
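The mechanism behind this bug, as an added example in C that is not Talos's or Samsung's code: the `-camera-password` option name, the `rtsp://camera/live` URL and the whitespace tokenizer are assumptions standing in for whatever `video-core` actually does. The vulnerable builder formats the password into one command string that is later split on spaces, as a shell or a naive tokenizer would, so a password containing a space becomes extra `ffmpeg` arguments. The hardened builder fills an argv[] array directly, so the password is always exactly one argument whatever it contains, and the child is then started with execvp() rather than through a shell.

```c
#include <stdio.h>
#include <string.h>

#define CMD_MAX  512
#define MAX_ARGS 32

/* Vulnerable pattern (illustrative, not video-core's actual code): the
 * attacker-controlled password is formatted into ONE command string that
 * is word-split before exec, exactly as /bin/sh or a naive tokenizer
 * would do. A space inside the password becomes an argument boundary, so
 * "secret -o /tmp/out" yields two extra ffmpeg arguments. */
int vulnerable_build_argv(const char *password, const char *argv_out[], int max)
{
    static char cmd[CMD_MAX];                 /* tokens point into this buffer */
    int n = snprintf(cmd, sizeof cmd,
                     "ffmpeg -camera-password %s -i rtsp://camera/live",
                     password);
    if (n < 0 || (size_t)n >= sizeof cmd)
        return -1;                            /* truncated: refuse to run */

    int argc = 0;
    for (char *tok = strtok(cmd, " "); tok != NULL; tok = strtok(NULL, " ")) {
        if (argc >= max - 1)
            return -1;
        argv_out[argc++] = tok;
    }
    argv_out[argc] = NULL;                    /* execvp() needs a NULL sentinel */
    return argc;
}

/* Hardened pattern: build argv[] element by element. Whatever the
 * password contains (spaces, quotes, dashes), it occupies exactly one
 * slot and can never be re-parsed as an option. Start the child with
 * execvp(argv[0], argv) or posix_spawn(), never system() or popen(). */
int safe_build_argv(const char *password, const char *argv_out[], int max)
{
    const char *argv[] = {
        "ffmpeg", "-camera-password", password, "-i", "rtsp://camera/live", NULL
    };
    int argc = (int)(sizeof argv / sizeof argv[0]) - 1;
    if (argc >= max)
        return -1;
    memcpy(argv_out, argv, sizeof argv);      /* copies the NULL sentinel too */
    return argc;
}

/* Defence in depth: a camera password has no business containing
 * whitespace or control characters; reject it at the API boundary too. */
int password_is_sane(const char *password)
{
    for (const unsigned char *p = (const unsigned char *)password; *p; p++)
        if (*p <= ' ' || *p == 0x7f)
            return 0;
    return *password != '\0';
}
```

With the password `secret -o /tmp/out`, the vulnerable builder produces seven arguments and `-o /tmp/out` reaches `ffmpeg` as options; the hardened builder produces five, with the whole string sitting in `argv[2]`.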

Samsung SmartThings Hub video-core samsungWifiScan Code Execution Vulnerability (TALOS-2018-0548 / CVE-2018-3863 - CVE-2018-3866)

Multiple buffer overflow vulnerabilities exist within the samsungWifiScan handler of the `video-core` HTTP server used by the SmartThings Hub. An attacker could send specially crafted HTTP POST requests to affected devices to exploit this vulnerability. This vulnerability manifests due to the SmartThings hub improperly processing user-controlled JSON that is submitted as part of an HTTP POST request to /samsungWifiScan. The values of the `user`, `password`, `cameraIp`, and `callbackUrl` keys can be used to trigger these vulnerabilities as this data is transferred to a destination buffer in memory using `strcpy` without first checking the size of the destination buffer, resulting in an overflow condition. TALOS-2018-0548 has been assigned CVE-2018-3863 through CVE-2018-3866. For additional information, please see the advisory here.

Samsung SmartThings Hub video-core samsungWifiScan Callback Code Execution Vulnerability (TALOS-2018-0549 / CVE-2018-3867)

An exploitable buffer overflow vulnerability exists within the Samsung WifiScan callback notification functionality present within the `video-core` HTTP server used by the SmartThings Hub. An attacker could send specially crafted HTTP POST requests to affected devices to exploit this vulnerability. This vulnerability manifests due to the SmartThings hub incorrectly processing communications received from smart cameras during the smart camera discovery process. An attacker could host specially crafted HTTP contents using an HTTP server that could be used to trigger this vulnerability. During the smart camera registration process, the SmartThings Hub will attempt to retrieve these contents from the host specified. The retrieved contents are then transferred using `sprintf` without first checking the size of the destination buffer. This vulnerability could be exploited to execute arbitrary code. TALOS-2018-0549 has been assigned CVE-2018-3867. For additional information, please see the advisory here.

Samsung SmartThings Hub video-core credentials videoHostUrl Code Execution Vulnerability (TALOS-2018-0554 / CVE-2018-3872)

Multiple exploitable buffer overflow vulnerabilities exist within the `credentials` handler of `video-core` HTTP server used by the SmartThings Hub. An attacker could send a specially crafted HTTP POST request to affected devices to exploit this vulnerability. This vulnerability manifests due to the SmartThings Hub improperly processing user-controlled JSON that is submitted as part of a POST request to `/credentials`. The value of the `videoHostUrl` key can be used to trigger this vulnerability, as the data contained within this key is transferred to a destination buffer in memory without first checking the size of the destination buffer, resulting in an overflow condition. TALOS-2018-0554 has been assigned CVE-2018-3872. For additional information, please see the advisory here.

Samsung SmartThings Hub video-core credentials Code Execution Vulnerability (TALOS-2018-0555 / CVE-2018-3873 - CVE-2018-3878)

Multiple exploitable buffer overflow vulnerabilities exist within the `credentials` handler of the `video-core` HTTP server used by the SmartThings Hub. An attacker could send a specially crafted HTTP POST request to affected devices to exploit this vulnerability. These vulnerabilities manifest due to the SmartThings Hub improperly processing user-controlled JSON that is submitted as part of a POST request to `/credentials`. The values of the `secretKey`, `accessKey`, `sessionToken`, `bucket`, `directory`, and `region` keys can be used to trigger these vulnerabilities, as the data contained within those keys is transferred to a destination buffer in memory using `strncpy` without first checking the size of the destination buffer, resulting in an overflow condition. TALOS-2018-0555 has been assigned CVE-2018-3873 through CVE-2018-3878. For additional information, please see the advisory here.

Samsung SmartThings Hub video-core credentials Parsing SQL Injection Vulnerability (TALOS-2018-0556 / CVE-2018-3879)

A SQL injection vulnerability exists within the `credentials` handler of the `video-core` HTTP server used by the SmartThings Hub. An attacker could send specially crafted HTTP POST requests to affected devices to exploit this vulnerability. This vulnerability manifests due to the SmartThings Hub improperly processing user-controlled JSON that is submitted as part of a POST request to `/credentials`. The SmartThings Hub allows for the changing of credentials that the hub uses when connecting to other devices. This process includes an HTTP POST request containing JSON which is made up of all of the parameters required to change the credentials. This information is not properly sanitized prior to being stored in an internal SQLite database. By including JSON and SQL syntax within this request, it is possible to trigger a JSON injection that, in turn, triggers a SQL injection condition. TALOS-2018-0556 has been assigned CVE-2018-3879. For additional information, please see the advisory here.
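The injection pattern described above, as an added example in C that is not Talos's or Samsung's code: the `credentials` table and the `accessKey`/`secretKey` column names are assumptions. The unsafe builder pastes the JSON string value into the SQL text, so a single quote in the value closes the literal and the rest becomes SQL; the safe builder keeps the statement text constant with placeholders and carries the values separately, which is the shape `sqlite3_prepare_v2()` plus `sqlite3_bind_text()` consume. A small literal-aware statement counter makes the difference checkable without a database.

```c
#include <stdio.h>
#include <string.h>

#define SQL_MAX    512
#define MAX_PARAMS 4

/* Vulnerable pattern (illustrative): the JSON value is formatted into the
 * SQL text. A value such as  x'); DELETE FROM credentials; --  closes the
 * literal and appends a second statement. */
int build_credentials_sql_unsafe(const char *access_key, const char *secret_key,
                                 char *out, size_t out_size)
{
    int n = snprintf(out, out_size,
                     "INSERT INTO credentials(accessKey, secretKey) VALUES ('%s', '%s');",
                     access_key, secret_key);
    return (n < 0 || (size_t)n >= out_size) ? -1 : 0;
}

/* Hardened pattern: constant statement text with placeholders; the values
 * travel in a separate parameter list and are bound, never parsed. */
struct bound_stmt {
    const char *sql;
    const char *params[MAX_PARAMS];
    int nparams;
};

int build_credentials_sql_safe(const char *access_key, const char *secret_key,
                               struct bound_stmt *stmt)
{
    stmt->sql = "INSERT INTO credentials(accessKey, secretKey) VALUES (?1, ?2);";
    stmt->params[0] = access_key;
    stmt->params[1] = secret_key;
    stmt->nparams = 2;
    return 0;
}

/* Counts statements in `sql`, honouring single-quoted literals ('' is the
 * escaped quote). Data can only ever appear inside a literal, so a count
 * above 1 proves that a value escaped into SQL syntax. */
int count_sql_statements(const char *sql)
{
    int in_literal = 0, count = 0, pending = 0;
    for (const char *p = sql; *p; p++) {
        if (in_literal) {
            if (*p == '\'') {
                if (p[1] == '\'') p++;          /* escaped quote inside literal */
                else in_literal = 0;
            }
        } else if (*p == '\'') {
            in_literal = 1; pending = 1;
        } else if (*p == ';') {
            count++; pending = 0;
        } else if (*p > ' ') {
            pending = 1;                        /* statement text since last ';' */
        }
    }
    return count + pending;                     /* trailing statement without ';' */
}
```

Note that parameter binding fixes the injection but not the second-order problem the chains rely on: the bound value is stored exactly as sent, so every later read of that column into a fixed-size buffer still needs its own bound.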

Samsung SmartThings Hub video-core Database find-by-cameraId Code Execution Vulnerability (TALOS-2018-0557 / CVE-2018-3880)

An exploitable buffer overflow vulnerability exists within the database 'find-by-cameraId' functionality present within the `video-core` HTTP server used by the Samsung SmartThings hub. An attacker could send specially crafted HTTP requests to affected devices to exploit this vulnerability. This vulnerability manifests due to the `video-core` process incorrectly handling records present within the SQLite database it uses. After first adding a camera to the camera table of the SQLite database along with overly long camera information, an attacker can trigger this vulnerability by sending a specially crafted HTTP DELETE request specifying the camera that was previously added, causing an overflow condition. This works due to a lack of restriction on the data that is pulled in during the database lookup for the camera. TALOS-2018-0557 has been assigned CVE-2018-3880. For additional information, please see the advisory here.

Samsung SmartThings Hub video-core clips Code Execution Vulnerability (TALOS-2018-0570 / CVE-2018-3893 - CVE-2018-3897)

Multiple exploitable buffer overflow vulnerabilities exist within the `/cameras/XXXX/clips` handler present in the `video-core` HTTP server used by the Samsung SmartThings Hub. An attacker could send specially crafted HTTP POST requests to affected devices to exploit these vulnerabilities. These vulnerabilities manifest due to the SmartThings Hub improperly processing user-controlled JSON that is submitted as part of a POST request to "/cameras/<camera-id>/clips." The values of the 'captureTime', 'startTime', 'endTime', 'correlationId', and 'callbackUrl' keys can be used to trigger these vulnerabilities, as the data contained within those keys is transferred to a destination buffer using `strncpy` without first checking the size of the destination buffer, resulting in an overflow condition. TALOS-2018-0570 has been assigned CVE-2018-3893 through CVE-2018-3897. For additional information please see the advisory here.

Samsung SmartThings Hub video-core Camera URL Replace Code Execution Vulnerability (TALOS-2018-0573 / CVE-2018-3902)

An exploitable buffer overflow vulnerability exists within the camera "replace" feature present within the `video-core` HTTP server used by the Samsung SmartThings hub. An attacker could send specially crafted HTTP requests to affected devices to exploit this vulnerability. This vulnerability manifests due to the SmartThings Hub improperly processing user-controlled JSON that is submitted as part of an HTTP PUT request to "/cameras/<camera-id>." The value of the 'url' key can be used to trigger this vulnerability as the data contained within this key is transferred to a destination buffer using `memcpy` without first checking the size of the destination buffer, resulting in an overflow condition. TALOS-2018-0573 has been assigned CVE-2018-3902. For additional information please see the advisory here.

Samsung SmartThings Hub video-core Camera Update Code Execution Vulnerabilities (TALOS-2018-0574 / CVE-2018-3903 - CVE-2018-3904)

Multiple exploitable buffer overflow vulnerabilities exist within the camera "update" feature present within the `video-core` HTTP server used by the SmartThings Hub. An attacker could send specially crafted HTTP requests to affected devices to exploit these vulnerabilities. These vulnerabilities manifest due to the SmartThings hub improperly processing user-controlled JSON that is submitted as part of a PATCH request to "/cameras/<camera-id>." The values of the 'url' or 'state' keys can be used to trigger these vulnerabilities as the data contained within these keys is transferred to a destination buffer using `memcpy` without first checking the size of the destination buffer, resulting in an overflow condition. TALOS-2018-0574 has been assigned CVE-2018-3903 and CVE-2018-3904. For additional information please see the advisory here.

Samsung SmartThings Hub video-core Camera Creation Code Execution Vulnerability (TALOS-2018-0575 / CVE-2018-3905)

An exploitable buffer overflow vulnerability exists within the camera "create" feature present within the `video-core` HTTP server used by the Hub. An attacker could send specially crafted HTTP requests to affected devices to exploit this vulnerability. This vulnerability manifests due to the SmartThings hub improperly processing user-controlled JSON that is submitted as part of a POST request to "/cameras." The value of the "state" key can be used to trigger this vulnerability as the data contained within this key is transferred to a destination buffer using `memcpy` without first checking the size of the destination buffer, resulting in an overflow condition. TALOS-2018-0575 has been assigned CVE-2018-3905. For additional information please see the advisory here.

Samsung SmartThings Hub video-core Database shard.videoHostURL Code Execution Vulnerability (TALOS-2018-0576 / CVE-2018-3906)

An exploitable stack-based buffer overflow vulnerability exists within the retrieval of a database field within the `video-core` HTTP server used by the SmartThings Hub. An attacker could send a specially crafted HTTP request to affected devices to exploit this vulnerability. This vulnerability manifests due to the `video-core` HTTP server improperly extracting the "shard.videoHostURL" field from its SQLite database, causing a stack-based buffer overflow condition. To exploit this vulnerability, an attacker would need to modify the value of this field in the SQLite database. This could be accomplished by leveraging TALOS-2018-0556. TALOS-2018-0576 has been assigned CVE-2018-3906. For additional information, please see the advisory here.

Samsung SmartThings Hub video-core REST Request Parser HTTP Pipelining Injection Vulnerabilities (TALOS-2018-0577 / CVE-2018-3907 - CVE-2018-3909)

Multiple exploitable vulnerabilities exist within the REST parser present within the `video-core` HTTP server. An attacker could send specially crafted HTTP requests to affected devices to exploit these vulnerabilities. These vulnerabilities manifest due to the SmartThings Hub incorrectly handling pipelined HTTP requests. These vulnerabilities could allow an attacker to overwrite the methods and contents of an HTTP request in order to insert malicious data for a variety of different reasons. These vulnerabilities could be leveraged along with other vulnerabilities to further maximize the attacker's impact on affected devices. TALOS-2018-0577 has been assigned CVE-2018-3907 through CVE-2018-3909. For additional information, please see the advisory here.

Samsung SmartThings Hub hubCore Port 39500 HTTP Header Injection Vulnerability (TALOS-2018-0578 / CVE-2018-3911)

An exploitable HTTP header injection vulnerability exists within the communications present between the Hub and the remote servers it communicates with. An attacker could send a specially crafted HTTP request to affected devices to exploit this vulnerability. This vulnerability is present within the JSON processing performed by the `hubCore` binary present within the SmartThings hub and could be combined with other vulnerabilities present within affected devices to achieve code execution. TALOS-2018-0578 has been assigned CVE-2018-3911. For additional information, please see the advisory here.

Samsung SmartThings Hub video-core Database shard Code Execution Vulnerabilities (TALOS-2018-0581 / CVE-2018-3912 - CVE-2018-3917)

Multiple exploitable stack-based buffer overflow vulnerabilities exist within the retrieval of database fields within the `video-core` HTTP server used by the Samsung SmartThings hub. An attacker could send specially crafted HTTP requests to affected devices to exploit these vulnerabilities. These vulnerabilities manifest due to the `video-core` HTTP server improperly extracting the contents of several fields from its SQLite database, causing a stack-based buffer overflow condition. To exploit these vulnerabilities, an attacker would need to modify the value of these fields within the SQLite database. This could be accomplished by leveraging TALOS-2018-0556. TALOS-2018-0581 has been assigned CVE-2018-3912 through CVE-2018-3917. For additional information, please see the advisory here.

Samsung SmartThings Hub hubCore Port 39500 Sync Denial Of Service Vulnerability (TALOS-2018-0582 / CVE-2018-3918)

A vulnerability exists within the communications between the Samsung SmartThings Hub and the remote servers it communicates with. This vulnerability is present within the "sync" operation used to determine which cameras should be managed by the Hub. An attacker could send specially crafted HTTP requests to affected devices to exploit this vulnerability. Due to the lack of proper authentication, a remote attacker could leverage this trust relationship to delete cameras that should otherwise be managed by the SmartThings hub. TALOS-2018-0582 has been assigned CVE-2018-3918. For additional information, please see the advisory here.

Samsung SmartThings Hub video-core Database clips Code Execution Vulnerability (TALOS-2018-0583 / CVE-2018-3919)

An exploitable stack-based buffer overflow vulnerability exists within the retrieval of database fields in the `video-core` HTTP server used by the Hub. An attacker could send specially crafted HTTP requests to affected devices to exploit this vulnerability. This vulnerability manifests due to the `video-core` server not properly processing and extracting the fields from the "clips" table within its SQLite database. Leveraging TALOS-2018-0556, an attacker could arbitrarily insert a "captureTime" value within this table that exceeds the maximum size expected by the Hub, which results in a buffer overflow condition due to the lack of proper enforcement of this maximum size value. TALOS-2018-0583 has been assigned CVE-2018-3919. For additional information, please see the advisory here.

Samsung SmartThings Hub video-core AWSELB Cookie Code Execution Vulnerability (TALOS-2018-0591 / CVE-2018-3925)

An exploitable buffer overflow vulnerability exists within the remote video-host communication present within the `video-core` HTTP server used by the Samsung SmartThings Hub. An attacker could send specially crafted HTTP requests to affected devices to exploit this vulnerability. This vulnerability manifests due to the `video-core` server not properly handling the contents of AWSELB cookies. The cookie value that is obtained from the remote video-host servers is copied to a destination buffer without first checking the length of the cookie value, leading to a buffer overflow condition. TALOS-2018-0591 has been assigned CVE-2018-3925. For additional information, please see the advisory here.
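The defect shared by the copies of JSON values (TALOS-2018-0548 through TALOS-2018-0575), the SQLite fields read back onto the stack (TALOS-2018-0557, -0576, -0581 and -0583) and the AWSELB cookie (TALOS-2018-0591) is that the copy length is derived from the source, never from the destination. The following is an added example in C, not Talos's, Samsung's or `video-core`'s code; the 16-byte field size and the `struct frame` layout are assumptions chosen so that the overflow lands on adjacent data that the demonstration can inspect without leaving a valid object. The hardened copy takes its bound from the destination, always NUL-terminates, and rejects an over-long value rather than truncating it.

```c
#include <string.h>

#define FIELD_MAX 16

/* Models the layout the advisories describe: a fixed-size destination
 * (a stack buffer or a record field) with live data right behind it. */
struct frame {
    char field[FIELD_MAX];
    char adjacent[FIELD_MAX];
};

/* The vulnerable idiom: the length comes from the SOURCE (strlen(src),
 * the JSON value length, the SQLite column length) and the destination
 * size is never consulted. All of these behave the same way:
 *   strcpy(dst, src);                  writes strlen(src)+1 bytes
 *   strncpy(dst, src, strlen(src));    same, minus the terminator
 *   memcpy(dst, src, strlen(src));     same
 * To keep the demonstration inside a valid object, `dst` must point to
 * storage of at least strlen(src)+1 bytes (here the whole struct frame). */
static void copy_sized_by_source(char *dst, const char *src)
{
    memcpy(dst, src, strlen(src) + 1);
}

/* Hardened copy: the bound comes from the destination, the result is
 * always NUL-terminated, and an over-long value is rejected rather than
 * silently truncated (a truncated URL or key is a different bug). */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Stores `value` with the vulnerable idiom and reports whether the bytes
 * behind `field` were overwritten: 1 = clobbered, 0 = intact,
 * -1 = value too long even for the whole demonstration frame. */
int vulnerable_store_clobbers_adjacent(const char *value)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    if (strlen(value) + 1 > sizeof f)
        return -1;
    copy_sized_by_source((char *)&f, value);    /* the write starts at f.field */
    return f.adjacent[0] != '\0';
}

/* Stores `value` with the bounded copy: 0 = stored, -1 = rejected as too
 * long; in both cases the adjacent data must be intact (-2 otherwise). */
int hardened_store(const char *value)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    int rc = copy_bounded(f.field, sizeof f.field, value);
    return (f.adjacent[0] == '\0') ? rc : -2;
}
```

The same `copy_bounded()` belongs on the read side of the database: a value that a parameterized insert stored intact (see the SQL example above) is still attacker-controlled when `sqlite3_column_text()` hands it back.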

Samsung SmartThings Hub hubCore ZigBee firmware update CRC16 check Denial of Service Vulnerability (TALOS-2018-0593 / CVE-2018-3926)

An exploitable integer underflow vulnerability exists within the ZigBee firmware update process present within the `hubCore` binary used by the SmartThings Hub. An attacker could create a specially crafted file present within the "data" directory used by this process to create an infinite loop that ultimately crashes the service. Due to a logic error present within the ZigBee firmware update process that takes place on the SmartThings Hub, an attacker could leverage TALOS-2018-0556 to upload a specially crafted file that causes the process to continuously loop until a crash occurs. TALOS-2018-0593 has been assigned CVE-2018-3926. For additional information, please see the advisory here.

Samsung SmartThings Hub hubCore Google Breakpad backtrace.io information disclosure vulnerability (TALOS-2018-0594 / CVE-2018-3927)

An exploitable information disclosure vulnerability exists within the exception handler present within the `hubCore` binary used by the SmartThings Hub. The Hub currently leverages Google Breakpad for the purpose of creating minidumps in situations where a crash is encountered. After these minidumps are created by the Hub, they are transmitted to a remote service (backtrace.io) for analysis via the "curl" utility, which is configured to leverage the "-k" switch for this data transmission. This insecure switch allows curl to establish a connection with a remote server that responds with a self-signed SSL certificate. An attacker with the ability to impersonate the remote server could intercept this minidump using a self-signed certificate in order to extract sensitive process data. TALOS-2018-0594 has been assigned CVE-2018-3927. For additional information, please see the advisory here.

Versions Tested


Talos has tested and confirmed that the following Samsung SmartThings Hub firmware versions are affected:

Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17

https://community.smartthings.com/t/hub-firmware-release-notes-22-13/129936

Conclusion


While devices such as the SmartThings Hub are typically deployed to provide additional convenience and automation to users, special care must be taken to ensure that they are configured securely and updated when the manufacturer releases new firmware. Given that these devices can be deployed in many different scenarios, the impact of a successful attack against them could be severe. Talos recommends that these devices be updated as quickly as possible. Since Samsung pushes updates out to devices automatically, this should not require manual intervention in most cases; it is nonetheless important to verify that the updated version has actually been applied, so that devices are no longer vulnerable. Samsung has released a firmware update that resolves these issues. An advisory related to these vulnerabilities can be found here.

Coverage


The following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 45891, 46079, 46090, 46149, 46150-46155, 46211, 46217, 46296, 46319, 46320, 46321, 46390 - 46392, 46395, 46543, 46661

Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign

Campaign Details

In September 2017, FireEye identified the FELIXROOT backdoor as a payload in a campaign targeting Ukrainians and reported it to our intelligence customers. The campaign involved malicious Ukrainian bank documents, which contained a macro that downloaded a FELIXROOT payload, being distributed to targets.

FireEye recently observed the same FELIXROOT backdoor being distributed as part of a newer campaign. This time, weaponized lure documents claiming to contain seminar information on environmental protection were observed exploiting known Microsoft Office vulnerabilities CVE-2017-0199 and CVE-2017-11882 to drop and execute the backdoor binary on the victim’s machine. Figure 1 shows the attack overview.


Figure 1: Attack overview

The malware is distributed via Russian-language documents (Figure 2) that are weaponized with known Microsoft Office vulnerabilities. In this campaign, we observed threat actors exploiting CVE-2017-0199 and CVE-2017-11882 to distribute malware. The malicious document used is named “Seminar.rtf”. It exploits CVE-2017-0199 to download the second stage payload from 193.23.181.151 (Figure 3). The downloaded file is weaponized with CVE-2017-11882.


Figure 2: Lure documents


Figure 3: Hex dump of embedded URL in Seminar.rtf

Figure 4 shows the first payload trying to download the second stage Seminar.rtf.


Figure 4: Downloading second stage Seminar.rtf

The downloaded Seminar.rtf contains an embedded binary file that is dropped in %temp% via the Equation Editor executable. This file drops an executable at %temp% (MD5: 78734CD268E5C9AB4184E1BBE21A6EB9), which in turn drops and executes the FELIXROOT dropper component (MD5: 92F63B1227A6B37335495F9BCB939EA2).

The dropped executable (MD5: 78734CD268E5C9AB4184E1BBE21A6EB9) contains the compressed FELIXROOT dropper component in the Portable Executable (PE) binary overlay section. When it is executed, it creates two files: an LNK file that points to %system32%\rundll32.exe, and the FELIXROOT loader component. The LNK file is moved to the startup directory. Figure 5 shows the command in the LNK file to execute the loader component of FELIXROOT.


Figure 5: Command in LNK file

The embedded backdoor component is encrypted using custom encryption. The file is decrypted and loaded directly in memory without touching the disk.

Technical Details

After successful exploitation, the dropper component executes and drops the loader component. The loader component is executed via RUNDLL32.EXE. The backdoor component is loaded in memory and has a single exported function.

Strings in the backdoor are encrypted using a custom algorithm that uses XOR with a 4-byte key. Decryption logic used for ASCII strings is shown in Figure 6.


Figure 6: ASCII decryption routine

Decryption logic used for Unicode strings is shown in Figure 7.


Figure 7: Unicode decryption routine
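The string decryption described above (Figures 6 and 7), as an added example in C that is not FireEye's code and not the malware's own routine: a rolling 4-byte XOR is the shape of the scheme, but the key value, the key-stream alignment and the handling of the Unicode variant (here the same key stream applied to the raw UTF-16LE bytes) are assumptions, and the two sample ciphertexts are constructed for the demonstration rather than taken from a FELIXROOT binary.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Rolling 4-byte XOR, the shape of the string obfuscation described above.
 * XOR is its own inverse, so one routine both encrypts and decrypts.
 * Key value and key-stream alignment are assumptions for this demo. */
void xor4_inplace(uint8_t *buf, size_t len, const uint8_t key[4])
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key[i & 3];
}

/* ASCII variant: decrypts `len` bytes into a NUL-terminated C string.
 * Returns the character count, or -1 if `out` cannot hold the result. */
int decrypt_ascii(const uint8_t *enc, size_t len, const uint8_t key[4],
                  char *out, size_t out_size)
{
    if (len + 1 > out_size)
        return -1;
    for (size_t i = 0; i < len; i++)
        out[i] = (char)(enc[i] ^ key[i & 3]);
    out[len] = '\0';
    return (int)len;
}

/* Unicode variant: the page only says a separate routine handles Unicode
 * strings; here (an assumption) the same key stream is applied to the raw
 * UTF-16LE bytes, and the result is narrowed to ASCII for display, with
 * any non-ASCII code unit shown as '?'. */
int decrypt_utf16le(const uint8_t *enc, size_t len, const uint8_t key[4],
                    char *out, size_t out_size)
{
    size_t units = len / 2;
    if (units + 1 > out_size)
        return -1;
    for (size_t i = 0; i < units; i++) {
        unsigned lo = enc[2 * i]     ^ key[(2 * i) & 3];
        unsigned hi = enc[2 * i + 1] ^ key[(2 * i + 1) & 3];
        unsigned u  = lo | (hi << 8);
        out[i] = (u < 0x80) ? (char)u : '?';
    }
    out[units] = '\0';
    return (int)units;
}

/* Constructed samples (not from a real binary): "ROOT\CIMV2" as ASCII and
 * "Seminar" as UTF-16LE, each encrypted under the assumed key below, as
 * they would sit in the malware's data section. */
static const uint8_t SAMPLE_KEY[4]  = { 0x5a, 0x13, 0xc7, 0x88 };
static const uint8_t SAMPLE_ASCII[] = { 0x08, 0x5c, 0x88, 0xdc, 0x06,
                                        0x50, 0x8e, 0xc5, 0x0c, 0x21 };
static const uint8_t SAMPLE_UTF16[] = { 0x09, 0x13, 0xa2, 0x88, 0x37, 0x13, 0xae,
                                        0x88, 0x34, 0x13, 0xa6, 0x88, 0x28, 0x13 };

int decrypt_sample_ascii(char *out, size_t out_size)
{
    return decrypt_ascii(SAMPLE_ASCII, sizeof SAMPLE_ASCII, SAMPLE_KEY, out, out_size);
}

int decrypt_sample_utf16(char *out, size_t out_size)
{
    return decrypt_utf16le(SAMPLE_UTF16, sizeof SAMPLE_UTF16, SAMPLE_KEY, out, out_size);
}

/* Sanity check that the scheme is symmetric: encrypt, then decrypt in place. */
int xor4_roundtrip_ok(void)
{
    uint8_t buf[] = "Win32_Process";
    xor4_inplace(buf, sizeof buf - 1, SAMPLE_KEY);
    if (memcmp(buf, "Win32_Process", sizeof buf - 1) == 0)
        return 0;                      /* encryption changed nothing: wrong */
    xor4_inplace(buf, sizeof buf - 1, SAMPLE_KEY);
    return memcmp(buf, "Win32_Process", sizeof buf) == 0;
}
```

In practice the key is recovered from the decryption routine itself (Figures 6 and 7) and the encrypted blobs are carved from the data section; the decoder is then run over each blob to rebuild the string table, which is where the WMI namespaces, registry paths and C2 parameters discussed below become readable.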

Upon execution, a new thread is created where the backdoor sleeps for 10 minutes. Then it checks to see if it was launched by RUNDLL32.exe along with parameter #1. If the malware was launched by RUNDLL32.exe with parameter #1, then it proceeds with initial system triage before doing command and control (C2) network communications. Initial triage begins with connecting to Windows Management Instrumentation (WMI) via the “ROOT\CIMV2” namespace.

Figure 8 shows the full operation.


Figure 8: Initial execution process of backdoor component

Table 1 shows the classes queried in the “ROOT\CIMV2” and “Root\SecurityCenter2” namespaces.

ROOT\CIMV2 classes

  • Win32_OperatingSystem
  • Win32_ComputerSystem
  • Win32_UserAccount
  • Win32_NetworkAdapter
  • Win32_Process

Root\SecurityCenter2 classes

  • AntiSpywareProduct
  • AntiVirusProduct
  • FirewallProduct

Table 1: Referred classes

WMI Queries and Registry Keys Used

  1. SELECT Caption FROM Win32_TimeZone
  2. SELECT CSNAME, Caption, CSDVersion, Locale, RegisteredUser FROM Win32_OperatingSystem
  3. SELECT Manufacturer, Model, SystemType, DomainRole, Domain, UserName FROM Win32_ComputerSystem

Registry entries are read to check the User Account Control (UAC) prompt policy, which determines whether an attempt at administrator elevation would prompt the user, and to gather proxy information.

  1. Registry key “SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System” is queried for the values ConsentPromptBehaviorAdmin and PromptOnSecureDesktop.
  2. Registry key “Software\Microsoft\Windows\CurrentVersion\Internet Settings\” is queried to gather proxy information from the values ProxyEnable, Proxy: (NO), Proxy, ProxyServer.

Table 2 shows FELIXROOT backdoor capabilities. Each command is performed in an individual thread.

Command   Description
0x31      Fingerprint system via WMI and registry
0x32      Drop file and execute
0x33      Remote shell
0x34      Terminate connection with C2
0x35      Download and run batch script
0x36      Download file to machine
0x37      Upload file

Table 2: FELIXROOT backdoor commands

Figure 9 shows the log message decrypted from memory using the same mechanism shown in Figure 6 and Figure 7 for every command executed.


Figure 9: Command logs after execution

Network Communications

FELIXROOT communicates with its C2 via HTTP or HTTPS POST requests. Data sent over the network is encrypted and arranged in a custom structure: all data is encrypted with AES, Base64-encoded, and sent to the C2 server (Figure 10).


Figure 10: POST request to C2 server

All other fields that are part of the request/response headers, such as User-Agent, Content-Type, and Accept-Encoding, are stored XOR-encrypted in the malware. The malware queries the Windows API to get the computer name, user name, volume serial number, Windows version and processor architecture, plus two additional hard-coded values, “1.3” and “KdfrJKN”. The value “KdfrJKN” may be used as a campaign identifier and is found in the JSON object in the file (Figure 11).


Figure 11: Host information used in every communication

The FELIXROOT backdoor has three parameters for C2 communication. Each parameter provides information about the task performed on the target machine (Table 3).

Parameter   Description
‘u=’        Target machine information in the following format: <Computer Name>, <User Name>, <Windows Version>, <Processor Architecture>, <1.3>, <KdfrJKN>, <Volume Serial Number>
‘&h=’       Information about the command executed and its results.
‘&p=’       Information about data associated with the C2 server.

Table 3: FELIXROOT backdoor parameters

Cryptography

All data is transferred to C2 servers using AES encryption and the IBindCtx COM interface over HTTP or HTTPS. The AES key is unique for each communication and is encrypted with one of two RSA public keys. Figure 12 and Figure 13 show the RSA keys used in FELIXROOT, and Figure 14 shows the AES encryption parameters.


Figure 12: RSA public key 1


Figure 13: RSA public key 2


Figure 14: AES encryption parameters

After encryption, the cipher text to be sent to the C2 server is Base64 encoded. Figure 15 shows the structure used to send data to the server, and Figure 16 shows the structural representation of data used in C2 communications.


Figure 15: Structure used to send data to server


Figure 16: Structure used to send data to C2 server

The structure is converted to Base64 using the CryptBinaryToStringA function.

FELIXROOT backdoor contains several commands for specific tasks. After execution of every task, the malware sleeps for one minute before executing the next task. Once all the tasks have been executed completely, the malware breaks the loop, sends the termination buffer back, and clears all the footprints from the targeted machine:

  1. Deletes the LNK file from the startup directory.
  2. Deletes the registry key HKCU\Software\Classes\Applications\rundll32.exe\shell\open.
  3. Deletes the dropper components from the system.

Conclusion

CVE-2017-0199 and CVE-2017-11882 are two of the more commonly exploited vulnerabilities that we are currently seeing. Threat actors will continue to leverage these vulnerabilities in their attacks for as long as they keep finding success, so organizations must ensure they are protected. At the time of writing, the FireEye Multi-Vector Execution (MVX) engine is able to recognize and block this threat. We also advise that all industries remain on alert, as the threat actors involved in this campaign may eventually broaden the scope of their current targeting.

Appendix

Indicators of Compromise

MD5 | File
--- | ---
11227ECA89CC053FB189FAC3EBF27497 | Seminar.rtf
4DE5ADB865B5198B4F2593AD436FCEFF | Seminar.rtf
78734CD268E5C9AB4184E1BBE21A6EB9 | Zam<RandomNumber>.doc
92F63B1227A6B37335495F9BCB939EA2 | FELIXROOT Dropper
DE10A32129650849CEAF4009E660F72F | FELIXROOT Backdoor

Table 4: FELIXROOT IOCs

Network Indicators of Compromise

  • 217.12.204.100/news
  • 217.12.204.100:443/news
  • 193.23.181.151/Seminar.rtf
  • Accept-Encoding: gzip, deflate
  • content-Type: application/x-www-form-urlencoded
  • Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
  • Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
  • Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)

Configuration Files

Version 1:

{"1" : "https://88.198.13.116:8443/xmlservice","2" : "30","4" : "GufseGHbc","6" : "3", "7" : "http://88.198.13.116:8080/xmlservice"}

Version 2:

{"1" : "https://217.12.204.100/news/","2" : "30","4" : "KdfrJKN","6" : "3", "7" : "http://217.12.204.100/news/"}
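As an added example (not FireEye's code), the following Python pulls the C2 URLs and campaign identifier out of the two configuration blobs above and parses the decrypted ‘u=’ host-information string in the Table 3 layout, so a beacon can be tied back to a known configuration. The beacon value is constructed, the meanings of keys "2" and "6" are left uninterpreted because the report does not explain them, and the function names are my own.

```python
import json
from urllib.parse import urlparse

# The two configuration blobs quoted in the report's appendix (Version 1 and Version 2).
CONFIGS = {
    "Version 1": '{"1" : "https://88.198.13.116:8443/xmlservice","2" : "30","4" : "GufseGHbc","6" : "3", "7" : "http://88.198.13.116:8080/xmlservice"}',
    "Version 2": '{"1" : "https://217.12.204.100/news/","2" : "30","4" : "KdfrJKN","6" : "3", "7" : "http://217.12.204.100/news/"}',
}

# Keys "1" and "7" hold the HTTPS and HTTP C2 URLs (clear from their values) and the report ties
# key "4" to the campaign identifier sent in every beacon. Keys "2" and "6" are not explained in
# the report, so they are passed through without interpretation.
URL_KEYS = ("1", "7")
CAMPAIGN_KEY = "4"

# Field order of the decrypted "u=" value, as given in Table 3 of the report.
HOST_INFO_FIELDS = (
    "computer_name",
    "user_name",
    "windows_version",
    "processor_architecture",
    "version",        # the constant "1.3"
    "campaign_id",    # e.g. "KdfrJKN"
    "volume_serial",
)


def parse_config(raw):
    """Return the C2 URLs, hostnames and campaign id from a FELIXROOT JSON config."""
    cfg = json.loads(raw)
    urls = [cfg[k] for k in URL_KEYS if k in cfg]
    hosts = sorted({urlparse(u).hostname for u in urls})
    unexplained = {k: v for k, v in cfg.items() if k not in URL_KEYS + (CAMPAIGN_KEY,)}
    return {
        "c2_urls": urls,
        "c2_hosts": hosts,
        "campaign_id": cfg.get(CAMPAIGN_KEY),
        "unexplained": unexplained,
    }


def parse_host_info(u_value):
    """Split the plaintext 'u=' beacon value into its seven named fields."""
    parts = [p.strip() for p in u_value.split(",")]
    if len(parts) != len(HOST_INFO_FIELDS):
        raise ValueError(f"expected {len(HOST_INFO_FIELDS)} fields, got {len(parts)}")
    info = dict(zip(HOST_INFO_FIELDS, parts))
    if info["version"] != "1.3":
        raise ValueError(f"unexpected version field {info['version']!r}")
    return info


def match_campaign(host_info, configs=CONFIGS):
    """Name the config whose campaign id matches the beacon, or None if unknown."""
    for name, raw in configs.items():
        if parse_config(raw)["campaign_id"] == host_info["campaign_id"]:
            return name
    return None


def network_indicators(configs=CONFIGS):
    """Collect every C2 hostname across the known configs, for blocklists or log searches."""
    hosts = set()
    for raw in configs.values():
        hosts.update(parse_config(raw)["c2_hosts"])
    return sorted(hosts)


if __name__ == "__main__":
    # Constructed beacon value following the Table 3 layout (not captured traffic).
    sample_u = "WS-EXAMPLE, jdoe, Windows 7 Professional, x86, 1.3, KdfrJKN, 1A2B3C4D"
    info = parse_host_info(sample_u)
    print(info["campaign_id"], "->", match_campaign(info))
    print("C2 hosts:", network_indicators())
```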

FireEye Detections

MD5 | Product | Signature | Action
--- | --- | --- | ---
11227ECA89CC053FB189FAC3EBF27497 | NX/EX/AX | Malware.Binary.rtf | Block
4DE5ADB865B5198B4F2593AD436FCEFF | NX/EX/AX | Malware.Binary.rtf | Block
78734CD268E5C9AB4184E1BBE21A6EB9 | NX/EX/AX | Malware.Binary | Block
92F63B1227A6B37335495F9BCB939EA2 | NX/EX/AX | FE_Dropper_Win32_FELIXROOT_1 | Block
DE10A32129650849CEAF4009E660F72F | NX/EX/AX | FE_Backdoor_Win32_FELIXROOT_2 | Block
11227ECA89CC053FB189FAC3EBF27497 | HX | IOC | Alert
4DE5ADB865B5198B4F2593AD436FCEFF | HX | IOC | Alert

Table 5: FireEye Detections

Acknowledgements

Special thanks to Jonell Baltazar, Alex Berry and Benjamin Read for their contributions to this blog.

CVE-2017-7535 (foreman)

foreman before version 1.16.0 is vulnerable to a stored XSS in organizations/locations assignment to hosts. Exploiting this requires a user to actively assign hosts to an organization that contains html in its name which is visible to the user prior to taking action.

Top 10 Signs of a Malware Infection on Your PC

Not all viruses that find their way onto your computer dramatically crash your machine. Instead, there are viruses that can run in the background without you even realizing it. As they creep around, they make messes, steal, and much worse.

Malware today spies on your every move. It sees the websites you visit, and the usernames and passwords you type in. If you log in to online banking, a criminal can watch what you do, and after you log off and go to bed, he can log right back in and start transferring money out of your account.

Here are some signs that your device might already be infected with malware:

  1. Programs shut down or start up automatically
  2. Windows suddenly shuts down without prompting
  3. Programs won’t start when you want them to
  4. The hard drive is constantly working
  5. Your machine is working slower than usual
  6. Messages appear spontaneously
  7. Instead of flickering, your external modem light is constantly lit
  8. Your mouse pointer moves by itself
  9. Applications are running that are unfamiliar
  10. Your identity gets stolen

If you notice any of these, first, don’t panic. It’s not 100% that you have a virus. However, you should check things out. Make sure your antivirus program is scanning your computer regularly and set to automatically download software updates. This is one of the best lines of defense you have against malware.

Though we won’t ever eliminate malware, as it is always being created and evolving, by using antivirus software and other layers of protection, you can be one step ahead. Here are some tips:

  • Run an automatic antivirus scan of your computer every day. You can choose the quick scan option for this. However, each week, run a deep scan of your system. You can run them manually, or you can schedule them.
  • Even if you have purchased the best antivirus software on the market, if you aren’t updating it, you are not protected.
  • Don’t click on any attachment in an email, even if you think you know who it is from. Instead, before you open it, confirm that the attachment was sent by who you think sent it, and scan it with your antivirus program.
  • Do not click on any link seen in an email, unless it is from someone who often sends them. Even then, be on alert as hackers are quite skilled at making fake emails look remarkably real. If you question it, make sure to open a new email and ask the person. Don’t just reply to the one you are questioning. Also, never click on any link that is supposedly from your bank, the IRS, a retailer, etc. These are often fake.
  • If your bank sends e-statements, ignore the links and log in directly to the bank’s website using either a password manager or your bookmarks.
  • Set your email software to “display text only.” This way, you are alerted before graphics or links load.

When a device ends up being infected, it’s either because of hardware or software vulnerabilities. And while there are virus removal tools to clean up any infections, there still may be breadcrumbs of infection that can creep back in. It’s generally a good idea to reinstall the device’s operating system to completely clear out the infection and remove any residual malware.

As an added bonus, a reinstall will remove bloatware and speed up your device too.

Robert Siciliano is a Security and Identity Theft Expert. He is the founder of Safr.me, a cybersecurity speaking and consulting firm based in Massachusetts. See him discussing internet and wireless security on Good Morning America.

CactusTorch Fileless Threat Abuses .NET to Infect Victims

McAfee Labs has noticed a significant shift by some actors toward using trusted Windows executables, rather than external malware, to attack systems. One of the most popular techniques is a “fileless” attack. Because these attacks are launched through reputable executables, they are hard to detect. Both consumers and corporate users can fall victim to this threat. In corporate environments, attackers use this vector to move laterally through the network.

One fileless threat, CactusTorch, uses the DotNetToJScript technique, which loads and executes malicious .NET assemblies straight from memory. These assemblies are the smallest unit of deployment of an application, such as a .dll or .exe. As with other fileless attack techniques, DotNetToJScript does not write any part of the malicious .NET assembly on a computer’s hard drive; hence traditional file scanners fail to detect these attacks.

In 2018 we have seen rapid growth in the use of CactusTorch, which can execute custom shellcode on Windows systems. The following chart shows the rise of CactusTorch variants in the wild.

Source: McAfee Labs.

The DotNetToJScript tool kit

Compiling the DotNetToJScript tool gives us the .NET executable DotNetToJScript.exe, which accepts the path of a .NET assembly and outputs a JavaScript file.


Figure 1: Using DotNetToJScript.exe to create a malicious JavaScript file.

The DotNetToJScript tool kit is never shipped with malware. The only component created is the output JavaScript file, which is executed on the target system by the script host (wscript.exe). For our analysis, we ran some basic deobfuscation and found CactusTorch, which had been hidden by some online tools:

Figure 2: CactusTorch code.

Before we dive into this code, we need to understand .NET and its COM exposure. When we install the .NET framework on any system, several .NET libraries are exposed via Microsoft’s Component Object Model (COM).

Figure 3: COM exposing the .NET library System.Security.Cryptography.FromBase64Transform.

If we look at the exposed interfaces, we can see IDispatch, which allows the COM object to be accessed from the script host or a browser.

Figure 4: Exposed interfaces in a .NET library.

To execute malicious code using the DotNetToJScript vector, an attack uses the following COM objects:

  • Text.ASCIIEncoding
  • Security.Cryptography.FromBase64Transform
  • IO.MemoryStream
  • Runtime.Serialization.Formatters.Binary.BinaryFormatter
  • Collections.ArrayList

Now, let’s return to the JavaScript code we saw in Figure 2. The function base64ToStream() converts the Base64-encoded serialized object to a stream. Before we can fully understand the logic behind the JavaScript code, we need to examine the functionality of the Base64-encoded serialized object. Thus our next step is to reverse engineer the embedded serialized object and recreate the class definition. Once that is done, the class definition looks like the following code, which is responsible for executing the malicious shellcode. (Special thanks to Casey Smith, @subTee, for important pointers regarding this step.)

Figure 5: The class definition of the embedded serialized object.

Now we have the open-source component of CactusTorch, and the JavaScript code in Figure 2 makes sense. We can see how the malicious shellcode is executed on the targeted system. In Figure 2, line 29, the code invokes the flame(x,x) function with two arguments: the executable to launch and the shellcode.
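As an added triage heuristic (not McAfee's code or its Signature ID 6118 logic), the following Python scans a script body for the five .NET ProgIDs listed above, after joining split string literals of the kind the deobfuscation step removes, and flags a script in which the Base64-to-stream-to-BinaryFormatter trio co-occurs. Both sample scripts are constructed, the Base64 blob is inert text, and the function names are my own.

```python
import re

# ProgIDs of the .NET classes the DotNetToJScript technique reaches through COM, as listed in the
# analysis above (the "System." prefix is how they appear in an ActiveXObject() call).
DOTNET_PROGIDS = (
    "System.Text.ASCIIEncoding",
    "System.Security.Cryptography.FromBase64Transform",
    "System.IO.MemoryStream",
    "System.Runtime.Serialization.Formatters.Binary.BinaryFormatter",
    "System.Collections.ArrayList",
)

# The three classes that together implement "decode Base64, wrap in a stream, deserialize":
# their co-occurrence is the core of the loader, whatever else the script does.
LOADER_CORE = {
    "System.Security.Cryptography.FromBase64Transform",
    "System.IO.MemoryStream",
    "System.Runtime.Serialization.Formatters.Binary.BinaryFormatter",
}

_CONCAT = re.compile(r"""(["'])\s*\+\s*\1""")   # matches  " + "  or  ' + '
_ACTIVEX = re.compile(r"""ActiveXObject\s*\(\s*["']([^"']+)["']\s*\)""", re.IGNORECASE)


def normalise(script):
    """Join split string literals ("Sys" + "tem.IO...") so ProgIDs can be matched whole."""
    return _CONCAT.sub("", script)


def scan_script(script):
    """Report which DotNetToJScript ProgIDs a script instantiates and a verdict."""
    text = normalise(script)
    instantiated = {m.group(1).lower() for m in _ACTIVEX.finditer(text)}
    hits = [p for p in DOTNET_PROGIDS if p.lower() in instantiated]  # COM ProgIDs are case-insensitive
    verdict = "suspicious" if LOADER_CORE <= set(hits) else "clean"
    return {
        "progids": hits,
        "string_splitting": text != script,   # True if any literal had been split up
        "verdict": verdict,
    }


# Constructed sample in the shape of a DotNetToJScript loader (inert: the Base64 string decodes to
# the text "NOT-A-PAYLOAD", not a serialized .NET object), with one ProgID split to mimic obfuscation.
SUSPICIOUS_SAMPLE = r'''
var serialized_obj = "Tk9ULUEtUEFZTE9BRA==";
var enc = new ActiveXObject("System.Text.ASCIIEncoding");
var xf = new ActiveXObject("System.Security.Cryptography." + "FromBase64Transform");
var ms = new ActiveXObject("System.IO.MemoryStream");
var fmt = new ActiveXObject("System.Runtime.Serialization.Formatters.Binary.BinaryFormatter");
var al = new ActiveXObject("System.Collections.ArrayList");
'''

# Constructed benign script: ordinary Windows Script Host automation with no .NET bridge.
BENIGN_SAMPLE = r'''
var fso = new ActiveXObject("Scripting.FileSystemObject");
var shell = new ActiveXObject("WScript.Shell");
'''

if __name__ == "__main__":
    for name, sample in (("loader-shaped", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, scan_script(sample))
```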

The .NET assembly embedded in the CactusTorch script runs the following steps to execute the malicious shellcode:

  • Launches a new suspended process using CreateProcessA (to host the shellcode)
  • Allocates some memory with VirtualAllocEx() with an EXECUTE_READWRITE privilege
  • Writes the shellcode in the target’s process memory with WriteProcessMemory()
  • Creates a new thread to execute the shellcode using CreateRemoteThread()

Conclusion

Fileless malware takes advantage of the trust factor between security software and genuine, signed Windows applications. Because this type of attack is launched through reputable, trusted executables, these attacks are hard to detect. McAfee Endpoint Security (ENS) and Host Intrusion Prevention System (HIPS) customers are protected from this class of fileless attack through Signature ID 6118.


Acknowledgements

The author thanks the following colleagues for their help with this analysis:

  • Abhishek Karnik
  • Deepak Setty
  • Oliver Devane
  • Shruti Suman

References

MITRE ATT&CK techniques

  • Drive-by compromise
  • Scripting using Windows Script Host
  • Decode information
  • Command-line interface
  • Process injection

Hashes



The post CactusTorch Fileless Threat Abuses .NET to Infect Victims appeared first on McAfee Blogs.

M12 and VC partners commit $4 million to empower women entrepreneurs

Today, I’m proud to announce that Microsoft’s corporate venture fund, M12, is joining forces with EQT Ventures and SVB Financial Group to launch the Female Founders Competition, a global startup contest to identify top female talent and accelerate access to capital for women entrepreneurs.

We’ve all heard the long odds facing women founders in tech. Last year, female founders received just 2.2 percent of total global venture capital funding, and only 17 percent of all startups have at least one female founder, despite the fact that gender diversity on executive teams correlates with greater profitability and value creation.

I’ve experienced this painful data up close. Over the course of my career, I’ve spent thousands of hours in pitch meetings, often as the only woman in the room. I still can’t hold back a smile when a woman founder walks through the door, because I know the obstacles she’s overcome just to get there.

But most importantly, I also know the opportunity she represents. Study after study shows that investing in women founders returns significantly more than the market average.

When we founded M12 two years ago, we knew we had a special opportunity to build our team from the ground up, and we set out to make diversity a competitive advantage. In an industry where only 8 percent of investment partners at the top firms are women, we worked intentionally to build a team that looked and thought differently from the rest – not only with diversity of gender and ethnicity, but of background, education, expertise and network. We believed it would make us stronger, help surface ideas and opportunities that the rest of the industry was missing, and ultimately – we hoped – lead to a more diverse and profitable portfolio.

While I’m proud of the team we’ve built and progress to date – women make up nearly 40 percent of our investment team – these efforts are not yet reflected in our portfolio, where only about 8 percent of our founders are women.

We want to change that. We want to do more. So, we’re trying something new.

Last year, we launched our first global startup competition, casting a wide net to uncover high-potential investments in artificial intelligence. We thought that by extending the search beyond our traditional network, we’d surface companies and entrepreneurs not typically on our radar. We did; we found four incredible companies, proving there’s a ton of great potential out there that doesn’t have an easy pathway to funding, even more so for women.

Through the Female Founders Competition, we are asking startups with at least one woman founder to apply for the chance to win $2 million in funding from M12 and our VC partners, EQT Partners and SVB Financial Group, as well as getting access to technology resources, mentoring and legal counsel.

Applicants will compete for the opportunity to participate in a live pitch-off this fall, where they will present their ideas as a solution that is solving a critical business problem. Up to 10 finalists across the regions of North America, Europe and Israel will be chosen as contenders, and two winning teams will receive equal prizes, totaling a combined $4 million in venture funding.

At Microsoft, diversity and inclusion are central to the culture we’re building. To achieve our mission to empower every person and organization on the planet to achieve more, we need to be a truer reflection of the planet we serve. While our efforts are a story of steady progress, we know there is more to do to become a more diverse company.

But this is about more than just Microsoft.

The future of the tech industry is still being written, and we know that many of its most important authors won’t be those of us in the Fortune 500. They’re the startups with big visions and the founders with bold ideas. If we’re truly committed to becoming the inclusive industry we aspire to, then those of us at the top have a responsibility – and an opportunity – to support entrepreneurs with new thinking, fresh voices and diverse points of view.

This has been a journey for M12, and one that’s deeply personal for me. Today is just one of many steps we’ll take to ensure that VC dollars reach the ideas and founders with incredible investment potential that too often get left behind.

Submissions are now open through Sept. 30, 2018 on the M12 website. Female-founded teams building for the enterprise are encouraged to apply.

The post M12 and VC partners commit $4 million to empower women entrepreneurs appeared first on The Official Microsoft Blog.

OVPN review: An ideal VPN except for one big drawback

OVPN in brief:

P2P allowed: Yes
Business location: Stockholm, Sweden
Number of servers: 56
Number of country locations: 7
Cost: $84 per year
VPN protocol: OpenVPN
Data encryption: AES-256-GCM
Data authentication: SHA1 HMAC
Handshake encryption: TLSv1.2

One of the big questions many people have about a VPN service is just how well they can trust a company’s no-logging claim. OVPN tries to allay that concern as much as possible by running its own small network of servers in seven countries.


“Here Be Dragons”, Keeping Kids Safe Online

Sitting here this morning sipping my coffee, I watched fascinated as my 5-year-old daughter set up a VPN connection on her iPad while munching on her breakfast out of absent-minded necessity.

It dawned on me that, while my daughter has managed to puzzle out how to route around geofencing issues that many adults can’t grasp, her safety online is never something to take for granted. I have encountered parents that allow their kids to access the Internet without controls beyond “don’t do X” — which we all know is as effective as holding up gauze in front of a semi and hoping for the best (hat tip to Robin Williams).

More parents need to be made aware that on the tubes of the Internet, “here be dragons.”

First and foremost for keeping your kids safe online is that you need to wrap your head around a poignant fact. iThingers and their ilk are NOT babysitters. Please get this clear in your mind. Yes, I have been known to use these as child suppression devices for long car rides, but we need to be honest with ourselves. Far too often they become surrogates and this needs to stop. When I was a kid my folks would plonk me down in front of the massive black and white television with faux wood finish so I could watch one of the three channels. To a large extent this became the forerunner of the modern digital iBabysitter.

These days I can’t walk into a restaurant without seeing some family engrossed in their respective devices oblivious of the world around them, let alone each other. Set boundaries for usage. Do not let these devices be a substitute parent or a distraction and be sure to regulate what is being done online for both you and your child.

I have had conversations about what is the best software to install on a system to monitor a child’s activity with many parents. Often that is a conversation borne out of fear of the unknown. Non-technical parents outnumber the technically savvy ones by an order of magnitude and we can’t forget this fact. There are numerous choices out there that you can install on your computer but, the software package that is frequently overlooked is common sense.

All kidding aside, there seems to be a predisposition in modern society to offload and outsource responsibility. Kids are curious and they will click links and talk to folks online without the understanding that there are bad actors out there. It is incumbent upon us, the adults, to address that situation through education. Talk with your kids so that they understand what the issues are that they need to be aware of when they’re online. More importantly, if you as a parent aren’t aware of the dangers that are online, you need to avail yourself of the information.

This is where programs such as the ISC2’s “Safe and Secure Online” come in.

Protecting your children is your top priority and helping children protect themselves online is ours. The (ISC)² Safe and Secure Online (SSO) program brings cyber security experts into classrooms and to community groups like scouts or sports clubs at no charge to teach children ages 7-10 and 11-14 how to stay safe online. We also offer a parent presentation so that you may learn these vital tools as well.

This is by no means the only choice out there, but it is a good starting point. The Internet is a marvelous collection of information but, as with anything that is the product of a hive mind, there is a dark side. Parents and kids need to take the time to arm themselves with the education to help guard against the perils of the online world.

If you don’t know, ask. If you don’t ask, you’ll never know.

Originally posted on CSO Online by me.

The post “Here Be Dragons”, Keeping Kids Safe Online appeared first on Liquidmatrix Security Digest.

NBlog July 26 – cyber, again

Something on the Just Security law blog caught my attention today:
"For a growing number of states, cyber operations are now firmly ensconced as a means of conducting traditional and not-so-traditional statecraft, to include conflict. Cyberspace has delivered tremendous benefits, but its unique construct and ubiquity have also created significant national security vulnerabilities, generating unprecedented challenges to the existing framework of international peace and security. One need look no further than North Korea’s destructive and subversive actions against Sony Pictures, its launch of the Wannacry ransomware, Russia’s launch of the indiscriminate NotPetya malware against the Ukraine, or its cyber-enabled covert influence campaigns against the U.S. and other western democracies to realize that cyber capabilities are increasingly part of a powerful arsenal states are using to pursue their interests, oftentimes through aggressive actions aimed at disrupting the status quo. As the recently released Command Vision for US Cyber Command recognizes, the emerging cyber-threat landscape is marked by adversary states engaging in sustained, well-constructed campaigns to challenge and weaken western democracies through actions designed to hover below the threshold of armed conflict while still achieving strategic effect. And as the Cyber Command Vision also makes clear, passive, internal cyber security responses have proved inadequate, ceding strategic initiative and rewarding bad behavior."
I've argued for years that most people (including many journalists and far too many so-called cybersecurity professionals) interpret "cybersecurity" rather differently to how it is being used in the government/military context. Whereas everyday Internet security is part of the problem space, it's a small part. Ordinary controls such as firewalls and antivirus are woefully inadequate defences against the "powerful arsenals" being developed and deployed by "adversary states". Those "unprecedented challenges" are not going to be met with off-the-shelf security solutions - just as wet cardboard is not much use as a bulletproof vest.

One of the lessons in next month's NoticeBored security awareness module on insider threats is that everyday controls are inadequate against high-end threats involving committed and resourceful adversaries - and yet, it makes sense to start with those everyday controls both to knock back the everyday issues and as a platform for the more advanced stuff. The cases we'll be using illustrate the range of insider threats nicely, from casual expenses fraud to espionage.

In discussing the more severe end of the scale, I'm conscious of the risk of alienating the most naive parts of the audience ... and yet if we don't make the effort to open their eyes to what's going on, they will remain oblivious. Actual incidents reported by the news media are a good way to demonstrate that we are not entirely paranoid. Headline stories catch their attention: all we need to do is explain what's behind the headline. Easy, when you know how.

CVE-2018-14430 (multi_step_form)

The Mondula Multi Step Form plugin through 1.2.5 for WordPress allows XSS via the fw_data [id][1], fw_data [id][2], fw_data [id][3], fw_data [id][4], or email field of the contact form, exploitable with an fw_send_email action to wp-admin/admin-ajax.php.

CVE-2018-13988 (poppler, ubuntu_linux)

Poppler through 0.62 contains an out of bounds read vulnerability due to an incorrect memory access that is not mapped in its memory space, as demonstrated by pdfunite. This can result in memory corruption and denial of service. This may be exploitable when a victim opens a specially crafted PDF file.

Millions of iOS and Android Users Could Be Compromised by Bluetooth Bug

Similar to smartphones and computers, Bluetooth is one of the modern-day pieces of tech that has spread wide and far. Billions of devices of all types around the world have the technology woven into their build. So when news about the BlueBorne vulnerabilities broke back in late 2017, everyone’s ears perked up. Fast forward to present day and a new Bluetooth flaw has emerged, which affects devices containing Bluetooth from a range of vendors—including Apple, Intel, Google, Broadcom, and Qualcomm.

Whether it’s connecting your phone to a speaker so you can blast your favorite tunes, or pairing it with your car’s audio system so you can make phone calls hands-free, the pairing capabilities of Bluetooth ensures the technology remains wireless. And this bug affects precisely that — Bluetooth’s Secure Simple Pairing and Low Energy Secure Connections, which are capabilities within the tech designed to assist users with pairing devices in a safe and secure way.

Essentially, this vulnerability means that when data is sent from device to device over Bluetooth connections, it is not encrypted, and therefore vulnerable. And with this flaw affecting Apple, Google and Intel-based smartphones and PCs, that means millions of people may have their private data leaked. Specifically, the bug allows an attacker that’s within about 30 meters of a user to capture and decrypt data shared between Bluetooth-paired devices.

Lior Neumann, one of the researchers who found the bug, stated, “As far as we know, every Android—prior to the patch published in June—and every device with a wireless chip from Intel, Qualcomm or Broadcom is vulnerable.” That includes iPhone devices with a Broadcom or Qualcomm chip as well.

Fortunately, fixes for this bug within Apple devices have already been available since May with the release of iOS 11.4. Additionally, two Android vendors, Huawei and LG, say they have patched the vulnerability as well. However, if you don’t see your vendor on this list, or if you have yet to apply the patches – what next steps should you take to secure your devices? Start by following these tips:

  • Turn Bluetooth off unless you have to use it. Affected software providers have been notified of these vulnerabilities and are working on fixing them as we speak. But in the meantime, it’s crucial you turn off your Bluetooth unless you absolutely must use it. To do this on iOS devices, simply go to your “Settings”, select “Bluetooth” and toggle it from on to off. On Android devices, open the “Settings” app and the app will display a “Bluetooth” toggle button under the “Wireless and networks” subheading that you can use to enable and disable the feature.
  • Update your software immediately. It’s an important security rule of thumb: always update your software whenever an update is available, as security patches are usually included with each new version. Patches for iOS and some Android manufacturers are already available, but if your device isn’t on the list, fear not – security patches for additional providers are likely on their way.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Millions of iOS and Android Users Could Be Compromised by Bluetooth Bug appeared first on McAfee Blogs.

Scammers Use Breached Personal Details to Persuade Victims

Scammers use a variety of social engineering tactics when persuading victims to follow the desired course of action. One example of this approach involves including in the fraudulent message personal details about the recipient to “prove” that the victim is in the miscreant’s grip. In reality, the sender probably obtained the data from one of the many breaches that provide swindlers with an almost unlimited supply of personal information.

Personalized Porn Extortion Scam

Consider the case of an extortion scam in which the sender claims to have evidence of the victim’s pornography-viewing habits. The scammer demands payment in exchange for suppressing the “compromising evidence.” A variation of this technique was documented by Stu Sjouwerman at KnowBe4 in 2017. In a modern twist, the scammer includes personal details about the recipient—beyond merely the person’s name—such as the password the victim used:

“****** is one of your password and now I will directly come to the point. You do not know anything about me but I know alot about you and you must be thinking why are you getting this e mail, correct?

I actually setup malware on porn video clips (adult porn) & guess what, you visited same adult website to experience fun (you get my drift). And when you got busy enjoying those videos, your web browser started out operating as a RDP (Remote Desktop Protocol) that has a backdoor which provided me with accessibility to your screen and your web camera controls.”

The email includes a demand for payment via a cryptocurrency such as Bitcoin to ensure that “Your naughty secret remains your secret.” The sender calls this “privacy fees.” Variations on this scheme are documented in the Blackmail Email Scam thread on Reddit.

The inclusion of the password that the victim used at some point in the past lends credibility to the sender’s claim that the scammer knows a lot about the recipient. In reality, the miscreant likely obtained the password from one of many data dumps that include email addresses, passwords, and other personal information stolen from breached websites.

Data Breach Lawsuit Scam

In another scenario, the scammer uses the knowledge of the victim’s phone number to “prove” possession of sensitive data. The sender poses as an entity that’s preparing to sue the company that allegedly leaked the data:

“Your data is compromised. We are preparing a lawsuit against the company that allowed a big data leak. If you want to join and find out what data was lost, please contact us via this email. If all our clients win a case, we plan to get a large amount of compensation and all the data and photos that were stolen from the company. We have all information to win. For example, we write to your email and include part your number ****** from a large leak.”

The miscreant’s likely objective is to solicit additional personal information from the victim under the guise of preparing the lawsuit, possibly requesting a social security number, bank account details, etc. The sender might have obtained the victim’s name, email address and phone number from a breached data dump, and is phishing for other, more lucrative data.

What to Do?

If you receive a message that solicits payment or confidential data under the guise of knowing some of your personal information, be skeptical. This is probably a mass-mailed scam and your best approach is usually to ignore the message. In addition, check whether your accounts appear in known breaches using Troy Hunt’s free and trusted Have I Been Pwned service, change the password of any account it flags, and don’t reuse passwords across websites or apps.
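The same service lets you test whether a password itself appears in breach dumps without sending the password anywhere: only the first five hex characters of its SHA-1 hash are sent, the service returns every hash suffix in that range, and the comparison happens locally (k-anonymity). The following is an added example written for this page, not the service’s own client; it assumes the public range endpoint https://api.pwnedpasswords.com/range/ and the optional Add-Padding header, and the sample response body is constructed (the counts in it are made up).

```python
"""Check a password against the Pwned Passwords corpus using k-anonymity."""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # assumed public endpoint

# Constructed stand-in for the service's response to prefix 5BAA6: two made-up
# suffixes plus the real suffix of SHA-1("password"); counts are invented.
SAMPLE_RANGE_5BAA6 = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E6B7E2C2EBB8AE6C3E1B6B7E9E2D0A1F4C:0
"""


def hash_split(password: str) -> tuple:
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest.
    Only the prefix ever leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(range_body: str, suffix: str) -> int:
    """Parse 'SUFFIX:COUNT' lines for one prefix range and return the count for
    our suffix, or 0 when it is absent. Padded responses contain filler suffixes
    with a count of 0, which this treats the same as 'not found'."""
    for line in range_body.splitlines():
        found, sep, count = line.strip().partition(":")
        if sep and found.strip().upper() == suffix:
            return int(count.strip())
    return 0


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Live lookup over the network. Add-Padding asks the service to pad the
    response so its size does not reveal how populated the range is."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_pwned(password: str, fetch=fetch_range) -> int:
    """Return how many times the password appears in the corpus (0 = not seen).
    `fetch` is injectable so the logic can be exercised offline."""
    prefix, suffix = hash_split(password)
    return count_in_range(fetch(prefix), suffix)


if __name__ == "__main__":
    offline = lambda prefix: SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {check_pwned(pw, fetch=offline)} times")
```

Swap `fetch=offline` for the default `fetch_range` to query the real service; because the suffix comparison is local, the service never learns which hash in the range, if any, was of interest.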

Sometimes an extortion note is real and warrants a closer look and potentially law enforcement involvement. Only you know your situation and can decide on the best course of action. Fortunately, every example that I’ve had a chance to examine turned out to be a social engineering trick that recipients were best off ignoring.

To better understand the persuasion tactics employed by online scammers, take a look at my earlier articles on this topic:

 

Top Cyber Threats Organizations Are Facing Right Now

What are the top cyber threats the public and private sectors should be concerned about in the latter part of 2018? Cyber security is a continuous game of Spy vs. Spy. Every time a new technology is introduced, the potential attack surface expands. The moment one vulnerability is patched, hackers find another way in. Keeping…

Meet your 2018 Imagine Cup champions – smartARM of Canada!

Satya Nadella with smartARM team members, the 2018 Imagine Cup World Champions, along with Chloe Kim, special guest and Olympic snowboarding gold medalist.

At its heart, the Imagine Cup is all about bringing students together from across the globe, inspiring them to usher in our collective future using cloud-based technologies of today and tomorrow, including artificial intelligence (AI), big data, mixed reality and more. Since its inception 16 years ago, the Imagine Cup has motivated nearly 2 million students from over 190 countries around the world to bring their biggest, boldest ideas to life.

Today, we are excited to announce smartARM of Canada as the 2018 Imagine Cup champions! smartARM created a robotic hand prosthetic, using Microsoft Azure Computer Vision, Machine Learning and Cloud Storage, that uses a camera embedded in its palm to recognize objects and calculate the most appropriate grip for an object. Based on machine learning, the more the model is used, the more accurate it becomes.  As the victors, smartARM wins a mentoring session with Microsoft CEO Satya Nadella, $85,000 in cash and a $50,000 Azure grant. Team iCry2Talk of Greece earned second place with a low-cost and non-invasive intelligent interface between infant and parent that translates in real time the baby’s cry, and associates it with a specific physiological and psychological state, depicting the result in a text, image and voice message. Third place went to Team Mediated Ear of Japan for its project, Mediated Ear, software for hearing-impaired individuals to focus on a specific speaker among a multitude of conversations. Mediated Ear can relay specific sounds in audio waveforms through deep learning.

For the winners, and for their competitors, the road to the World Finals started with a single idea on how to change the world through innovative use of technology. Tens of thousands of students walked this road, spending months coding their solutions and dreaming up go-to-market plans to bring their ideas to life. From there, and through fierce competition at the national and regional level, 49 teams from 33 countries were selected to compete in the World Finals.

This year, we’ve added special Imagine Cup awards of $15,000 for three key areas of digital transformation: AI, big data and mixed reality. On Tuesday, we crowned the winners. SochWare from Nepal, won the AI award for designing a solution to help farmers identify plant diseases, suggest mitigation strategies, connect with experts and get updated with recent agriculture findings. Drugsafe from India won the big data award for their solution to validate genuine drugs and decrease illness from counterfeit substances. Pengram from the United States won the mixed reality award for allowing engineers from around the world to be holographically “teleported” into a workspace when needed.

The 2018 winners emerged from a strong field of competitors featuring projects that utilized leading-edge cloud technologies with the promise of improving the way we live and work. Throughout it all, the next generation of innovators put their creativity on display in addressing some of humanity’s most pressing issues.

This year’s participants weren’t just developing unique and potentially game-changing technology experiences; they are also actively sharpening the skills that will boost their success as developers, technologists and entrepreneurs for the next generation. They follow in the footsteps of a long line of dreamers driven to succeed. For example, 2017 Imagine Cup alumnus Declan Goncalves of Canada was featured in Betakit’s “Canada’s Developer 30 Under 30” list for developing a platform which allows medical practitioners to better quantify their patients’ progress and detect neurodegenerative disease onset with the help of AI. Another alumni team, Kobojo, began their journey making Facebook games at Imagine Cup 2008 and has since raised $6 million in venture capital for their startup.

I’d like to thank this year’s championship judges: Co-founder and COO of Bitnami, Erica Brescia; CEO of Glitch, Anil Dash; and Microsoft’s own Peggy Johnson, Executive Vice President of Business Development. Special thanks also to Microsoft Corporate Vice President of Azure Compute Corey Sanders, who hosted the championship and announced this year’s winner. Last but certainly not least, on behalf of Microsoft, I’d like to congratulate our new Imagine Cup champion, team smartARM, and all of the students who worked so hard to make this 16th anniversary Imagine Cup the most inspiring one yet. If you haven’t had a chance, be sure to view the championship video to see some of the best student developers in the world envision a brighter, bolder future for us all.

— Charlotte

P.S. Follow me on Twitter for updates on Imagine Cup and other news and noteworthy information in the cloud and ecosystem space.

The post Meet your 2018 Imagine Cup champions – smartARM of Canada! appeared first on The Official Microsoft Blog.

CVE-2018-1002207 (archiver)

mholt/archiver golang package before e4ef56d48eb029648b0e895bb0b6a393ef0829c3 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in an archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.

CVE-2018-1002208 (sharplibzip)

sharplibzip before 1.0 RC1 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.

CVE-2018-1002209 (quazip)

QuaZIP before 0.7.6 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.

CVE-2018-1002203 (unzipper)

unzipper npm library before 0.8.13 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.

CVE-2018-1002204 (adm-zip)

adm-zip npm library before 0.4.9 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.

CVE-2018-1002202 (zip4j)

zip4j before 1.3.3 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.

CVE-2018-1002201 (zt-zip)

zt-zip before 1.13 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.
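All seven advisories above describe the same defect: the extractor joins an attacker-controlled entry name to the destination directory and writes there without checking that the result is still inside that directory, so an entry named `../../etc/cron.d/job` lands wherever the `..` components lead. The following is an added example written for this page (not code from any of the libraries named in the advisories) showing the vulnerable join beside a hardened resolution, run over a constructed in-memory archive. Python’s own `zipfile.extractall` strips such components itself, which is why the example resolves target paths on its own instead of relying on the library.

```python
"""Zip-Slip: vulnerable vs hardened target-path resolution for archive extraction."""
import io
import os
import zipfile


class ZipSlipError(ValueError):
    """Raised when an archive entry would be written outside the destination."""


def vulnerable_target(dest: str, entry: str) -> str:
    """The pattern behind the Zip-Slip CVEs: the entry name is joined to the
    destination with no containment check. '..' components survive untouched,
    and os.path.join silently discards `dest` when `entry` is absolute."""
    return os.path.join(dest, entry)


def safe_target(dest: str, entry: str) -> str:
    """Resolve `entry` under `dest` and refuse anything that escapes it.
    realpath normalises '..' and also follows symlinks already present under
    dest, so a symlinked subdirectory cannot be used as a second escape route.
    (On Windows, commonpath raises ValueError for paths on different drives;
    treat that as a rejection too.)"""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, entry))
    try:
        inside = os.path.commonpath([dest_real, target]) == dest_real
    except ValueError:
        inside = False
    if not inside:
        raise ZipSlipError(f"entry escapes destination: {entry!r}")
    return target


def build_archive(names) -> bytes:
    """Constructed sample input: an in-memory zip whose entry names are
    attacker-chosen. ZipFile.writestr stores the name verbatim, so '../'
    sequences and leading slashes survive into the central directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"payload\n")
    return buf.getvalue()


def plan_extraction(archive: bytes, dest: str) -> tuple:
    """Walk the archive and return (accepted target paths, rejected entry names)
    without writing anything to disk."""
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            try:
                accepted.append(safe_target(dest, info.filename))
            except ZipSlipError:
                rejected.append(info.filename)
    return accepted, rejected


if __name__ == "__main__":
    names = ["good/a.txt", "../evil.txt", "nested/../../evil2.txt", "/etc/cron.d/job"]
    print("vulnerable join:", vulnerable_target("out", "../../tmp/evil.sh"))
    ok, bad = plan_extraction(build_archive(names), "out")
    print("accepted:", ok)
    print("rejected:", bad)
```

Note that a plain string-prefix test (`target.startswith(dest)`) is not enough: with `dest = "out"` it would accept `out2/x`. Comparing the resolved common path, as above, or checking the prefix with a trailing separator, avoids that.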

Q&A: Jeff Wilbur of the Online Trust Alliance on why enterprise IoT security is a lot like BYOD

As consumer Internet of Things (IoT) devices inevitably find their way into the workplace, IT pros need to isolate them from the rest of the enterprise network, perhaps on a network of their own, so they don’t become backdoors exploitable by attackers, according to the head of the Online Trust Alliance.

Jeff Wilbur, the director of the alliance, which is an initiative within the larger Internet Society, says that it is better to embrace employees’ IoT devices and allow them to be used safely than to ban them and risk their unauthorized, unprotected use that could undermine network security.

CVE-2018-5537 (big-ip_access_policy_manager, big-ip_advanced_firewall_manager, big-ip_application_acceleration_manager, big-ip_application_security_manager, big-ip_edge_gateway, big-ip_global_traffic_manager, big-ip_local_traffic_manager, big-ip_policy_enforcement_manager, big-ip_webaccelerator, big-ip_websafe)

A remote attacker may be able to disrupt services on F5 BIG-IP 13.0.0-13.1.0.5, 12.1.0-12.1.3.5, 11.6.0-11.6.3.1, or 11.2.1-11.5.6 if the TMM virtual server is configured with an HTML or a Rewrite profile. TMM may restart while processing some specially prepared HTML content from the back end.

CVE-2018-5530 (big-ip_access_policy_manager, big-ip_advanced_firewall_manager, big-ip_analytics, big-ip_application_acceleration_manager, big-ip_application_security_manager, big-ip_edge_gateway, big-ip_local_traffic_manager, big-ip_policy_enforcement_manager, big-ip_websafe)

F5 BIG-IP 13.0.0-13.1.0.5, 12.1.0-12.1.3.5, or 11.6.0-11.6.3.1 virtual servers with HTTP/2 profiles enabled are vulnerable to "HPACK Bomb".

CVE-2018-5531 (big-ip_access_policy_manager, big-ip_advanced_firewall_manager, big-ip_analytics, big-ip_application_acceleration_manager, big-ip_application_security_manager, big-ip_domain_name_system, big-ip_edge_gateway, big-ip_fraud_protection_service, big-ip_global_traffic_manager, big-ip_link_controller, big-ip_local_traffic_manager, big-ip_policy_enforcement_manager, big-ip_webaccelerator)

Through undisclosed methods, on F5 BIG-IP 13.0.0-13.1.0.7, 12.1.0-12.1.3.5, 11.6.0-11.6.3.1, or 11.2.1-11.5.6, adjacent network attackers can cause a denial of service for VCMP guest and host systems. Attack must be sourced from adjacent network (layer 2).

CVE-2018-5538 (big-ip_domain_name_system, big-ip_global_traffic_manager, big-ip_link_controller, big-ip_local_traffic_manager)

On F5 BIG-IP DNS 13.1.0-13.1.0.7, 12.1.3-12.1.3.5, DNS Express / DNS Zones accept NOTIFY messages on the management interface from source IP addresses not listed in the 'Allow NOTIFY From' configuration parameter when the db variable "dnsexpress.notifyport" is set to any value other than the default of "0".

CVE-2018-5542 (big-ip_access_policy_manager, big-ip_advanced_firewall_manager, big-ip_analytics, big-ip_application_acceleration_manager, big-ip_application_security_manager, big-ip_domain_name_system, big-ip_edge_gateway, big-ip_fraud_protection_service, big-ip_global_traffic_manager, big-ip_link_controller, big-ip_local_traffic_manager, big-ip_policy_enforcement_manager, big-ip_webaccelerator)

F5 BIG-IP 13.0.0-13.0.1, 12.1.0-12.1.3.6, or 11.2.1-11.6.3.2 HTTPS health monitors do not validate the identity of the monitored server.

Software Quality Is a Competitive Differentiator

One of the ironies of DevOps is that while the methodology supports faster and more automated software production, it doesn't boost code quality unless quality is a focus for the software team. As more than a few business leaders have discovered, gaining a competitive edge in the digital economy requires a more concentrated and comprehensive approach.

It's no secret that software code powers our world — it’s in jet engines, automobiles, the electric grid, medical systems, commerce, appliances…just about everything. Yet, producing reliable and secure software has become increasingly difficult. Applications are not only growing in size, they’re also becoming more complex and intertwined across platforms, systems and devices. APIs and the Internet of Things (IoT) are inserting code — and distributing processing — across millions of applications and devices, as well as the cloud.

This complicated environment is forcing business executives, IT leaders and software developers to think and work differently. For example, a growing array of systems and devices rely on artificial intelligence (AI) to drive activity. Automated systems increasingly decide on the course of action based on constantly changing inputs. A system — and the software that runs it — must adapt dynamically.

The upshot? Software quality can no longer be a checkbox item — it must be a framework that spans an organization. Ultimately, an enterprise must own the success of its code — and develop habits that produce high-quality software. This includes understanding how and why code quality is important not only for performance but also for security and final business results. A DevOps initiative can succeed only when an enterprise recognizes the scope of today's software frameworks.

Software Quality Redefined

The digital world is creating intriguing challenges related to software quality. These extend beyond the sheer volume of code that’s required to run systems. For instance, UI/UX has emerged front stage center — particularly as apps have proliferated. Maturing technologies, such as augmented reality and virtual reality, have introduced new challenges. The takeaway? It's no longer acceptable to view UI/UX testing as a traditional, commoditized function — a quality experience is paramount.

There are other challenges, too. As the IoT matures and grows, there's a need for innovation in testing. The variety and number of edge devices is exploding, and all of this introduces enormous QA challenges. Ensuring that software performs adequately and meets user requirements is critical. The need for service level agreements between service providers and consumers has never been more important.

Artificial intelligence changes the testing landscape as well. It can take over some human roles. However, those hoping to replace traditional software testing teams with AI readily admit that largely autonomous applications would still require continuous training to ensure that technological and business goals are met. Simply put, AI will augment rather than replace QA professionals and will create new fields of specialization.

Raising the Quality of Code

All of this is changing the stakes. Yet, many organizations aren't prepared. For example, the rollout of Healthcare.gov was delayed by months as a result of breakdowns in processes. In the end, the cost of building out the IT framework was roughly three times the original estimate due to ongoing performance, load and management issues. In the private sector, breach after breach has occurred in recent years.

How can organizations step out of the development morass and transform software development into success stories? These factors make or break an initiative:

  • The need for automation. This encompasses everything from quality controls to scanning code for vulnerabilities. Quality tests and metrics are part of a continuous delivery pipeline — and these benchmarks must be clearly defined across the organization. Investments in quality automation — unit tests, functional tests, and performance, load and system tests — generate long term savings.
  • The need for a modular approach. Organizations that produce smaller and more focused batches of code simplify scanning and testing, and increase overall delivery velocity. It's also easier to identify problems when software is composed of modules and sub-modules. Finally, with these modules in place, an Agile approach becomes far more viable. The enterprise can produce and reconfigure software while maintaining quality.
  • The need to address scope. What needs to be tested and scanned has also changed. As we enter a world where infrastructure is comprised of code, we also need to plan and test the quality of infrastructure creation and configuration scripts. This requires the right internal governance framework and processes as well as the right tools and technologies.
  • The need for continuous feedback. It's critical to fail, then fail fast and move on. A rapidly evolving product can be shaped according to customer feedback, and fast turnaround allows your teams to stamp out defects and hone the software for your audience or customer base. This involves tracking how users interact with a site through blue-green or A/B testing that analyzes features and new code based on a subset of the user population.

Security Can’t Be an Afterthought

Finally, there's a need to connect security to code quality. Although organizations are embracing DevOps, many aren't addressing the need for secure, high-quality code. Incredibly, 69% of apps fail the OWASP Top 10 in the first scan. A more holistic DevSecOps approach — one that incorporates automation, modular software, scope and continuous feedback — helps organizations achieve a superior position in the marketplace. Simply put, their code becomes a competitive differentiator.  

Best-practice organizations understand that delays due to code defects, a failed product launch, or savage user reviews can severely impact business goals. Application crashes and security breaches directly impact the bottom line. The takeaway is that the need for strategic risk assessment has never been greater. Rather than adopting a defensive and reactive posture, it's wise to focus on quality throughout the software lifecycle. The move from DevOps to DevSecOps can prove transformative.

McAfee Interns Share Their Experience for #NationalInternDay

By Christie, HR Communications Intern

As someone who always wanted to make an impact in the world, I thought nonprofit was the only fit for my passions in marketing and philanthropy. Because of this, I’ve worked primarily in the nonprofit sector for the last three years. But to keep my options open, I desired to experience at least one corporate internship before I graduated college.

I wasn’t sure if any company would take me under its wing due to my lack of corporate experience though. That was until McAfee offered me the opportunity to work with them this summer.

As a senior in college, McAfee provided me the real-life experience I hoped for and more. Below are the top three reasons why my internship experience with McAfee has truly been nothing less than invaluable:

Playing to Win Even as an Intern

Since day one, I knew this internship was unique and not like any other. Everyone at McAfee works with agility. Although the nonprofit industry is notorious for moving fast, it is still fascinating to see employees so eager to work on tasks of all sizes with such drive and efficiency.

Instead of being delegated tasks to fulfill, I get to share what I want to work on and what I want to take away from my time working with McAfee.

As a huge social media enthusiast, I helped manage @LifeatMcAfee’s Instagram strategy from implementing new social trends, generating online advertisements and publishing my own designs.

But the best part? I am not seen or approached as an intern, but as a team member. I am held to the same expectations and given the same opportunities – being able to add value to the team and carry out real, impactful work every day.

People First and Foremost

If I’ve learned anything from my first 10 weeks here, it is that McAfee genuinely values its employees and community. McAfee does not shy away from diversity or from supporting its employees in every way possible.

I experienced this firsthand by assisting with social media during Pride Month by covering the Global LGBT Pride Photo Competition, Gender Revolution Documentary Watch Party and Keyeon’s “How I Wear My #McAfee Pride” Life at McAfee blog. Although this doesn’t fully portray how McAfee practices inclusive candor and transparency, it really showed me how McAfee embraces diversity and its employees’ authentic selves.

Giving back is also very important in McAfee’s company culture. This is visible through its various events and programs such as Global Community Service Day, McAfee Explorers, Bring Your Kid to Work Day, McAfee Blood Drive, and the list goes on and on. This undeniably showed me that McAfee shares my value of making a positive impact on the world. And knowing colleagues share this significant value with me reinforced my view of McAfee as one tight-knit, loving family.

Together is Power

On the first day of my internship, I signed my name on the McAfee Pledge Wall among all the other employees’ signatures – signifying our single pledge to defend the world from cyber threats.

This symbolic gesture is evident every day when I set foot in the office. I work with people from different positions, departments and even countries. Everyone is always willing to help, even in projects they’re not involved in.

This sense of togetherness is something I really value and believe is one of the best things about working at McAfee. We all have one mission that we want to fulfill and strive towards every day, together.

An Unforgettable Experience

McAfee makes an impact in the world every day by providing the best cybersecurity possible, but also gives back to the community and its employees through its various educational and community outreach programs. But notably, McAfee has made a lasting impact on me. These short 10 weeks have shown me my career options are unlimited and I can truly make a difference in any field of work, especially with a great team that strives to fulfill the same mission as I do every day.

Read from other McAfee interns from around the globe about their internship experiences below!

Internship Experiences at McAfee

Juan – Customer Experience (Argentina)

“These past few months, I got to meet some of the most talented people and all of them were eager to share their knowledge and expertise with me. McAfee is truly a great place to work while making our world and our communities a safer place.”

Emily – Digital Marketing & Content Operations (US)

“I get to help my team work on redesigning our Marketing Intranet, so that new Marketing hires, as well as existing employees, can have a resource to answer questions they may have. I really love working here at McAfee!”

Adam – Human Resources & Talent Acquisition (Ireland)

“This opportunity has provided me with priceless experience and insight into one of the leading cybersecurity companies in the world. I have been extremely privileged to have been given the responsibilities I have had during my time here and I have gleaned a vast amount of experience as a result.”

Mark – Advanced Threat Research (US)

“I got to meet all the wonderful people I’d be working most closely with, whose locations ranged from Dallas to the UK. McAfee places importance on interpersonal relationships in their teams and even as an intern, I was treated as one of the gang since day one.”

Csaradhi – Platform Engineering (India)

“The transition from college to corporate life has been so beautiful. I’ve learned so many things apart from the technical aspects. I thank McAfee for choosing to believe in me and I’m here to make the most of it.”

For more stories like this, follow @LifeAtMcAfee on Instagram and on Twitter @McAfee to see what working at McAfee is all about.

Interested in joining our teams? We’re hiring! Apply now.

The post McAfee Interns Share Their Experience for #NationalInternDay appeared first on McAfee Blogs.

The ABCs of Detecting and Preventing Phishing

Have you ever considered that you could be a target for phishing attacks?

It’s not a new issue, but it’s a rising threat. Phishing attackers have been constantly growing and improving their techniques. Let’s see how you can start preventing phishing, since cybercriminals’ strategies have become so convincing that you can barely distinguish them from harmless communications.

And all it takes to fall into their trap is a fraction of a second.

Perhaps the most dangerous reaction to this concern is: “Ehhh, so what? I don’t think it can happen to me. And I don’t have important stuff anyway.”

Actually, they can harm you a lot if you’re not paying attention.

They can withdraw money, make purchases, steal your identity and open credit card accounts in your name, or sell that information about you on to others, and much more.

The latest Kaspersky report shows that, in 2017, Facebook was one of the top 3 most exploited company names.

Telegram, a popular messaging platform, was so frequently a target of phishing attempts that there is now an anti-phishing bot that attempts to protect user accounts.

Just look at what types of seemingly-innocent messages actually hide dangerous attempts to hijack your data.

(Figure: phishing scenarios and the emotional motivators they exploit.)

And the context is ripe for phishing attacks to happen, especially at the enterprise level. According to Alan Paller, director of research at the SANS Institute, 95% of all attacks on enterprise networks are the result of successful spear phishing.

Even worse, research suggests that, in the event of a security breach, 60% of customers will think about moving and 30% actually follow up on that thought.

For regular users, the threat of identity fraud always looms and is usually preceded by a phishing attack. According to a report that has tracked the identity fraud incidence rate since 2003, in 2016 alone the number of cases rose by sixteen percent. Regular users exposed to phishing had to pay an average of $263 in out-of-pocket costs. Together, all the users who were affected by phishing that year had to spend 20.7 million hours dealing with the consequences of account takeovers.

Keep reading if you want to avoid getting caught in their net, as we’ll cover the ABCs of phishing: what it is, what you can do to detect and prevent any attacks and what measures to take if you think you got caught in the phishing net.

 

WHAT IS PHISHING?

Phishing is the name given to cybercriminals’ attempts to lure you into giving them sensitive information or money.

The word “phishing” is similar to “fishing” because of the analogy of using bait to attempt to trap victims.

By sensitive information we mean anything from your social security number to passwords, bank account number, credit card details, PIN, home address, social media accounts, birthday, mother’s maiden name and so on.

This information can be used to cause financial damage, for identity theft, to gain unlawful access to other accounts, for blackmail and more.

HOW DOES PHISHING WORK?

Attackers use different methods of deception as phishing strategies.

They create fake messages and websites that imitate the original ones. With their help, they try to lure you into handing over your personal information. They will either ask you to reply to them, follow a link included in the message or download an attachment.

The communication appears to be initiated by a legitimate person or company. Famous phishing attacks imitate messages from financial institutions, government agencies (ex: IRS), online retailers and services (ex: Amazon, eBay, PayPal), social networks (ex: Facebook), or even from a friend or colleague.

In order to make phishing look genuine, attackers include photos and information from the original website.

They may even redirect you to the company’s website and collect the data through a false pop-up window. Or it can happen the other way around: they first request your personal data, then redirect you to the real website.

Other times, they tell you that you have been targeted by a scam and that you urgently need to update your information in order to keep your account safe. That’s how millions of Walmart consumers were tricked in 2013.

All these gimmicks will minimize the chances for you to realise what happened.

Here’s an example of Standard Bank phishing from 2010, via McAfee:

(Figure: Standard Bank phishing email, 2010.)

Phishing has become a way to spread malware. The attackers will deliver malicious content through the attachments or links they trick you into clicking on. The malicious code will take over a person’s computer in order to spread the infection.

Although phishing is mostly transmitted via email, it also works through other mediums. In recent years, attackers have extended phishing to instant messaging services, SMS, social networks, direct messages in games and many other channels.

WHY DOES IT WORK?

Phishing is popular among cyber attackers because it is easier to trick someone into clicking on links or downloading attachments than trying to break into their system defenses.

It works because it appeals to emotions: it promises great deals or warns you that there may be a problem with an account.

It’s also so effective because more than 50% of users reuse the same password across different accounts, so one phished credential unlocks several of them.

PHISHING EFFECTS

Phishing damage can range from loss of access to accounts (banking, email, social media profiles, online retailers) to identity theft, blackmail and much more.

Just to name a few of them:

  • financial loss
  • data loss
  • accounts loss
  • ransom asked in exchange for regaining access to your data
  • blacklisting from institutions
  • malware infections on a PC or network
  • illegal use of personal data
  • illegal use of social security number
  • creation of fake accounts in your name
  • ruining your credit score
  • losing your job, if you happen to be phished via your work email address and give out essential company details as a consequence

 

A LITTLE BIT OF HISTORY

The first phishing records date back to the beginning of 1996, when cyber scammers were trying to lure AOL (America Online) customers into a trap and get access to their accounts and billing information.

Cyber scammers would contact users through the AOL instant messaging and email system and pose as AOL employees. Needless to say, it was pretty effective, especially since phishing was virtually unknown at the time.

You can find out more about the first records of phishing here.

 

TYPES OF PHISHING

 

1. SPEAR PHISHING

Spear phishing is an email directed at specific individuals or companies. It is highly effective and very well planned.

The attackers will take their time and gather all the available information about their target before the attack: personal history, interests, activities, details about colleagues and any other details they can find. These are used in order to create a highly personalized and believable email.

It’s a technique that works because the phishing email appears to be from someone you know and requires urgent action. Maybe it will even make reference to a mutual friend or a recent purchase you’ve made. The attacker takes advantage of the fact that people are inclined to act before they double-check it. They also leverage your trust in companies, organizations and people.

Spear phishing requires more effort, but its success rate is also higher. It’s currently the most successful phishing technique, accounting for 95% of attacks.

And all this just by gathering publicly available information that we freely share on our social media accounts and blogs. It’s one of the main reasons why we should think twice before divulging any more personal information online. Even if all your privacy measures are in check, you can never know whose friend account may have been compromised.

 

2. WHALING

Whaling phishing is the term used for attacks directed at high profile targets within companies, such as upper management or senior executives.

These are tailored to appear as critical business email, sent from a legitimate business authority, that concern the whole company.

Here are a few examples: legal subpoenas, managerial issues, consumer complaints.

Needless to say that return on investment for attackers is very high in this case. And, contrary to what you’d think, these types of targets are not always as security savvy or protected as they should be.

 

3. CLONE PHISHING

Clone phishing uses legitimate, previously delivered emails.

The cyber attackers will use original emails to create a cloned or almost identical version. Clone phishing emails may claim to be a resend of the original or an updated version of it. Only this time, the attachment or link is replaced with a malicious version. It appears to come from the original sender and uses a fake reply-to address.

This phishing strategy works because it exploits the trust created from the original mail.

 

HOTTEST PHISHING TRENDS:

 

1. CLOUD PHISHING

Cloud phishing attacks have also increased in the past year, because of the growing usage of cloud storage technology.

This is usually distributed via email or social media, as a message sent from compromised friends’ accounts or on behalf of a cloud service provider. It invites users to download a document uploaded to a popular cloud service. When the victim clicks on the link, malicious software is downloaded.

The stolen information can be used for extortion, sold to third parties or used in targeted attacks.

Here’s an example of cloud phishing using Dropbox brand, via Kaspersky:

Dropbox phishing

 

2. GOVERNMENT PHISHING

Be vigilant when it comes to communications that claim to be from law enforcement agencies, such as the IRS, FBI or any other entity.

Most fraudulent attempts in the past years were created to mimic IRS communication, in an attempt to steal your financial information.

You should know that government agencies don’t initiate contact with taxpayers via email, especially to request personal or financial information.

You should read this actionable advice provided by the IRS.

Also keep an eye out for insurance offers, as this was one of the hottest topics for spamming and phishing in 2015.

 

3. SOCIAL MEDIA PHISHING

Phishing on social media networks isn’t new, but it will probably never get old. Phishers create websites that look identical to Facebook, LinkedIn or any other social media website, using similar URLs and emails, in an attempt to steal login information.

Phishers will ask you to reset your password. If you click on the link, you’ll be redirected to a page that looks identical to Facebook and asks you to enter your login information.

The attackers can then use this to access your account and send messages to friends, to further spread the illegitimate sites.

Other times, they can make money by exploiting the personal information they’ve obtained, either by selling it to third parties or by blackmailing.

Read this warning note from Facebook to see what this phishing category may look like.

Facebook phishing

 

HOW TO START PREVENTING PHISHING

 

1. SENDER DETAILS

First thing to check: the sender’s email address.

Look at the email header. Does the sender’s email address match the name and the domain?

Spoofing the display name of an email, in order to appear to be from a brand, is one of the most basic phishing tactics.

Here’s an example: an email from Amazon that comes from “noreply@amazon.com” is legitimate. But an email that appears to be from someone at Amazon but was sent from a different domain, like the email in the picture below, is most certainly not from Amazon.

Phishing example - Amazon Prime (22-12-2015)

Compare the headers from a known valid message from a given source with those on a suspect message.

If they don’t match, don’t click on anything, don’t download any attachment.

For experts: You can also analyze the email header and track IP using this tool.

If you are using Gmail, you can turn on the authentication icon for verified senders. This way, you will see a key icon next to authenticated messages from trusted senders, such as Google Wallet, eBay or PayPal. Unfortunately, only a few domains are currently supported by this program, but hopefully it will extend in the future.

Another verification method available for Gmail users:

Check whether the email was authenticated by the sending domain. Open the message and click on the drop-down arrow below the sender’s name. Make sure the domain you see next to the ‘mailed-by’ or ‘signed-by’ lines matches the sender’s email address.

Find out more about it here. It will look like this:

Sent by & Signed by - Amazon & Gmail authentication example (22-12-2015)

The second thing to check: the address the email was sent to.

Look at the TO and CC fields. If the email was sent to old or wrong addresses, it may indicate it was sent to old lists or randomly generated addresses.
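The checks above (does the display name fit the address domain, and do the ‘mailed-by’ / ‘signed-by’ domains match the sender’s domain) can be automated over raw message headers. This is an added example, not code from the original article; the two messages are constructed, and the registrable-domain helper assumes simple two-label suffixes rather than the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not from the original article). Only the headers matter here.
LEGIT_MSG = """\
From: "Amazon.com" <noreply@amazon.com>
To: alice@example.net
Subject: Your order has shipped
Authentication-Results: mx.example.net;
 spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=amazon.com;
 dkim=pass header.d=amazon.com header.s=sel1

Your package is on its way.
"""

PHISH_MSG = """\
From: "Amazon Prime" <noreply@amazon.com-account-verify.example>
To: alice@example.net
Subject: Problem with your Prime membership
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=amazon.com-account-verify.example;
 dkim=none

Respond in two days or your account will be closed.
"""


def registrable(domain):
    """Naive registrable domain: the last two labels. Assumption: no multi-label
    public suffixes (co.uk etc.); production code should use the Public Suffix List."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_auth_results(msg):
    """Pull the SPF/DKIM results, and the domains they vouch for, out of the
    Authentication-Results header that the receiving mail server added."""
    hdr = msg.get("Authentication-Results", "") or ""

    def grab(pattern):
        m = re.search(pattern, hdr)
        return m.group(1).lower() if m else None

    return {
        "spf": grab(r"\bspf=(\w+)"),
        "spf_domain": grab(r"smtp\.mailfrom=(?:[^@\s;]+@)?([\w.-]+)"),
        "dkim": grab(r"\bdkim=(\w+)"),
        "dkim_domain": grab(r"header\.d=([\w.-]+)"),
    }


def assess_sender(raw_message):
    """Does the display name fit the address domain, and do the 'mailed-by' (SPF)
    and 'signed-by' (DKIM) domains align with the From domain?"""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = registrable(addr.rpartition("@")[2])
    auth = parse_auth_results(msg)

    # Brand words in the display name should appear in the address's own domain.
    brand_words = re.findall(r"[a-z]{4,}", name.lower())
    name_ok = not brand_words or any(w in from_dom for w in brand_words)

    spf_aligned = (auth["spf"] == "pass" and auth["spf_domain"] is not None
                   and registrable(auth["spf_domain"]) == from_dom)
    dkim_aligned = (auth["dkim"] == "pass" and auth["dkim_domain"] is not None
                    and registrable(auth["dkim_domain"]) == from_dom)

    # A passing SPF on a lookalike domain proves nothing: the name check still has to hold.
    verdict = "authenticated" if (name_ok and (spf_aligned or dkim_aligned)) else "suspicious"
    return {
        "from_domain": from_dom,
        "name_matches_domain": name_ok,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_MSG), ("phish", PHISH_MSG)):
        print(label, assess_sender(raw))
```

Note that the phishing sample passes SPF for its own lookalike domain; alignment with the brand the display name claims is what the check is really about.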

 

2. MESSAGE CONTENT

Clue number one: They ask you to send them or verify personal information via email.

Or they are asking for information which the supposed sender should already have.

Here is a recent example of phishing using the brand DHL (screenshot via Comodo):

DHL Shipment phishing 2015

Clue number two: They are likely to play on your emotions or urgency.

As a general rule, be suspicious of any mail that has urgent requests (e.g. “respond in two days otherwise you will lose this deal”), exciting or upsetting news, offers, gift deals or coupons (especially around major holidays or events, such as Black Friday or Christmas).

Clue number three: They claim there was some sort of problem with your recent purchase or delivery and ask you to resend personal information or just click on a link to resolve it.

Banks or legitimate e-Commerce representatives will never ask you to do that, as it’s not a secure method to transmit such information.

Here’s an example of PayPal phishing:

PayPal Phishing Example 2015

Clue number four: They claim to be from a law enforcement agency.

They never use email as a form of contact.

Clue number five: They ask you to call a number and give your personal details over the phone.

If this is the case, search for official correspondence from the company and use the phone number provided there to verify whether this is true.

 

3. MESSAGE FORM

First rule: Beware of bogus or misleading links.

Hover your mouse over the links in the email message in order to check them BEFORE clicking on them.

The URLs may look valid at first glance, but use a variation in spelling or a different domain (.net instead of .com, for example). Thanks to the new generic top-level domains introduced in 2014, spammers and phishers gained new tools for their campaigns.

Other phishing scams use JavaScript to place a picture of a legitimate URL over the browser’s address bar. The URL revealed when hovering your mouse over a link can also be changed using JavaScript.

Second rule: Look out for links to bare IP addresses or URL shorteners.

They can take a long URL, shorten it using services such as bit.ly, and redirect it to the intended destination. It’s hard to find out what’s on the other end of that link, so you might be falling into a trap. Better be safe than sorry.

It’s not unusual for the domain to be deliberately distorted in the email, by adding extra spaces or characters, together with instructions on how to use it (“Remove all the extra characters / spaces and copy to the address bar”).

Useful tools:
Check a redirect with this Redirect Checker from Internet Officer, to see where it’s leading to.

Or screenshot the page remotely using Browser Shots.
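The two rules above can be applied mechanically to an HTML email: extract each link’s real target, compare it with the text shown, and flag bare IP hosts, shorteners and lookalike domains. This is an added example, not code from the original article; the email body, the shortener list and the trusted brand set are constructed, and the lookalike thresholds are assumptions.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML email body (not from the original article); every domain is a sample.
SAMPLE_HTML = """
<p>Your order could not be delivered. Please review the links below.</p>
<a href="https://www.amazon.com/orders">View your Amazon orders</a>
<a href="http://amazon-com.net/login">https://www.amazon.com/ap/signin</a>
<a href="http://198.51.100.23/update">Update payment details</a>
<a href="https://bit.ly/3xYzAbC">Track your parcel</a>
<a href="https://www.amaz0n.com/help">Help center</a>
"""

SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly", "is.gd"}
TRUSTED = {"amazon.com"}  # brands the recipient genuinely expects mail from (assumption)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs: the real target versus what the reader sees."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Naive registrable domain (last two labels); real code should use the Public Suffix List."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host, trusted):
    """Return the trusted domain this host imitates (wrong TLD, extra words, typo), or None."""
    reg = registrable(host)
    if reg in trusted:
        return None
    name = reg.split(".")[0]
    for t in trusted:
        brand = t.split(".")[0]
        if brand in reg or edit_distance(name, brand) <= 2:
            return t
    return None


def inspect_links(html, trusted=TRUSTED):
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        reasons = []
        if is_ip(host):
            reasons.append("bare IP address instead of a domain")
        if registrable(host) in SHORTENERS:
            reasons.append("URL shortener hides the real destination")
        # Visible text that itself looks like a URL must point at the same site as the href.
        shown = re.match(r"^(?:https?://)?((?:www\.)?[\w-]+(?:\.[\w-]+)*\.[a-z]{2,})", text, re.I)
        if shown and registrable(shown.group(1)) != registrable(host):
            reasons.append(f"visible text says {shown.group(1).lower()} but link goes to {host}")
        mimic = lookalike_of(host, trusted)
        if mimic:
            reasons.append(f"domain imitates {mimic}")
        findings.append({"href": href, "text": text, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in inspect_links(SAMPLE_HTML):
        print(f["href"], "->", "; ".join(f["reasons"]) or "no findings")
```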

Third rule: Beware of typos or spelling mistakes.

This used to be the norm, but it’s no longer a given.

Fourth rule: Beware of amateurish looking designs.

This means: images that don’t match the background or don’t look formatted to fit the style of the email. Stock photos. Photos or logos uploaded at low resolution or bad quality.

Fifth rule: Beware of missing signatures.

Lack of details about the sender or how to contact the company points toward phishing. A legitimate company will always provide such information.

 

4. ATTACHMENTS

Look out for attachments.

Attackers can attach other types of files, such as PDF or DOC, that contain links. Or the attachments can hide malware. Other times, they can cause your browser to crash while installing malware.

A Kaspersky Labs report shows that in Q3 of 2015 there was an increase in phishing using attachments, a trend that doesn’t seem to want to go away.

“A particular feature was a new trick used in phishing emails – in order to bypass spam filters they placed the text of the email and fraudulent link in an attached PDF document rather than in the message body.”

 

5. EXTERNAL LINKS / WEBSITES

Let’s assume that you already clicked on a link from a suspicious email.

Is the domain correct? Don’t forget that the link may look identical, but use a variation in spelling or domain.

Before submitting any information on that website, make sure that you are on a secure connection. You can easily check by looking at the link: does it start with “https” or “http”? The extra “s” means the website uses SSL. SSL is short for Secure Sockets Layer and is a method of ensuring that the data sent and received is encrypted. Legitimate, safe websites will generally have a valid SSL certificate installed.

Another way to check is to look to the left of the web address: is there a closed padlock icon? Or is the address highlighted in green? This indicates that you are visiting an encrypted site and the transferred data is protected in transit. Fortunately, Google Chrome now marks sites without HTTPS as insecure, so it should be easy for you to spot them.

google chrome connection not secure phishing prevention

HELPFUL TOOLS

Use browsers that offer built-in phishing protection.

In general, there are two ways to detect phishing websites: heuristics and blacklists.

A heuristic method analyzes patterns in URLs, words in web pages and servers in order to classify the site and warn the user.

Google and Microsoft operate blacklists. Google’s is integrated with Firefox and Chrome, so a warning message appears before entering a phishing website. Microsoft’s is integrated with Internet Explorer and Edge.

You can also install browser add-ons and extensions designed to block phishing attempts. Read more tips on this subject on Tech Support Alert.

Other useful tools:

Check and Secure browser & plugin

Browser & Plugin-Check by Check & Secure. This scans your browser and all the installed plugins, to see if they are up to date.

“83% of all malware infections could have been avoided, if the browser plugins had been updated in the first place.”

Cyscon PhishKiller

 

BASIC ONLINE SECURITY

IN ORDER TO KEEP YOUR PC SAFE:

Be aware that cyber attackers are one step ahead of the defenders. That means that you cannot always be 100% protected against them, not even with all the email filtering systems or anti-virus software.

Of course, this doesn’t mean that you want to make their jobs easier, so taking these steps will go a long way in preventing phishing.

Keep your software updated as well. If you use a free tool that offers automatic and silent software updates, you can eliminate up to 85% of security holes in your system.

Install a reliable antivirus. It should include real-time scanning and automatic update of virus database.

Choose an antivirus that scores high on phishing protection tests. You can read more tips on this in our guide.

You should also create a separate email account that you only use to subscribe to newsletters, forums, online retailers, social media accounts or other public Internet services. Keep your personal email account as private as possible. This will help reduce the amount of spam and phishing attempts you receive.

Also, be careful not to click on the Unsubscribe button or follow instructions for unsubscribing. Many spammers and phishers use these to find out whether your email address is valid.

 

BASIC SAFE PASSWORDS MANAGEMENT RULES

Phishing is very effective because more than 50% of users use the same passwords for different credentials. This makes it easy for the cyber criminals to gain access to other accounts.

It’s important to use different passwords for your accounts. Just as you don’t use only one key for your house and your car, you shouldn’t use the same password more than once. This simple phishing prevention technique won’t let cyber attackers get into your other accounts.

If available, activate two-factor authentication. This way, you’ll receive a unique one time code on your phone every time you want to log in from a different device. It will add a second layer of protection, that’s much more difficult to breach by cyber attackers.

For more actionable tips on this subject, check out our password security guide.

How Tough is Your Password Security

 

FINANCIAL SECURITY STEPS

Periodically review your bank account activity (daily, if possible), to check all the transactions.

If you don’t recognize any of the transactions, regardless of the amount, contact your bank straight away.

Turn on text messages notifications for all card transactions.

It will alert you in real time if an online transaction exceeds the limit that you set (make sure you set it to the minimum available).

Also enable two-step approval for transactions, so that you will have to confirm them with your mobile phone number.

Put a security freeze on your credit report.

In case of identity theft, it will prevent any openings of new accounts in your name. However, you will have to lift it every time you want to apply for a loan or rent a new place.

And last but not least: try to use a separate card, dedicated only to digital transactions.

Transfer money to it every time you plan to buy something. The rest of the time, leave only a small amount of money on it.

Credit cards

 

IF STILL UNSURE WHETHER IT’S PHISHING OR NOT

What steps to take:

Try to always directly type the web address of the site you want to access in your browser, instead of clicking on links from emails or social media networks.

Directly contact the company or organization from which the message appears to be sent. Grab the phone or forward them the phishy email. Search for prior communications with them, such as post mail, and use the contact information provided there. Don’t use the contact information provided in the email.

You can also improve your phishing detection skills by taking these quizzes gathered by Capterra on their blog. They also have plenty of phishing email examples.

Phishing_Login

 

WHAT TO DO IF YOU THINK YOU WERE PHISHED

If you have a hunch that something is wrong, immediately contact your bank or credit card institution and close the accounts you believe may have been compromised.

Change the passwords used for those accounts and then also change the passwords used for the email accounts linked to them.

WHERE TO REPORT PHISHING ATTACKS

Forward the message to the last known good address of the sender.

There are several places where you can submit phishing attacks or websites:

  • If it appears to be from the IRS, you can forward it to phishing@irs.gov
  • To the Federal Trade Commission at spam@uce.gov
  • To US-CERT at phishing-report@us-cert.gov
  • To the Anti-Phishing Working Group at reportphishing@apwg.org

Submit a suspected website using the phish site reporting service, PhishTank.

If you are using Gmail, in the drop down menu at every email there is a Report Phishing button.

Report Phishing at Gmail example

If you aren’t using Gmail, you can complete this form.

 

Conclusion

One last piece of advice: for preventing phishing, always trust your gut. It may not be the most scientific approach, but, ultimately, you should listen to what your intuition tells you. If something feels wrong, even if you cannot specifically explain why, or if it’s too good to be true, it’s better to stay away from it.

 

This article was originally published in December 2015 by Cristina Chipurici and was last updated with current information on July 7, 2018.


The post The ABCs of Detecting and Preventing Phishing appeared first on Heimdal Security Blog.

Advanced Mobile Malware Campaign in India uses Malicious MDM – Part 2

This blog post is authored by Warren Mercer, Paul Rascagneres and Andrew Williams.

Summary


Since our initial post on malicious mobile device management (MDM) platforms, we have gathered more information about this actor that we believe shows it is part of a broader campaign targeting multiple platforms. These new targets include Windows devices and additional backdoored iOS applications. We also believe we have associated this actor with a very similar campaign affecting Android devices.

With this additional information, we have been able to build a profile of how the MDM was working, as explained in the previous post, while also allowing us to identify new infrastructure. We feel that it is critical that users are aware of this attack method, as well-funded actors will continue to utilize MDMs to carry out their campaigns. To be infected by this kind of malware, a user needs to enroll their device, which means they should be on the lookout at all times to avoid accidental enrollment.

In the new MDM we discovered, the actor changed some of their infrastructure in an attempt to improve the MDM's security posture. We also found additional compromised devices, which were again located in India, with one even using the same phone number linking the MDM platforms, and one located in Qatar. We believe this newer version was used from January to March 2018. Similar to the previous MDM, we were able to identify the IPA files the attacker was using to compromise iOS devices. Additionally, we discovered that malicious apps such as WhatsApp had new malicious methods tacked onto them.

During this ongoing analysis, we also looked into other potential indicators that would point us toward the actor. We discovered this Bellingcat article that potentially links this actor to one they dubbed "Bahamut," an advanced actor who was previously targeting Android devices. Bahamut shared a domain name with one of the malicious iOS applications mentioned in our previous post. There was also a separate post from Amnesty International discussing a similar actor that used similar spear-phishing techniques to Bahamut. However, Cisco Talos did not find any spear phishing associated with this campaign. We will discuss some links and potential overlapping with these campaigns below.



New MDM


Technical information about the MDM


Talos identified a third MDM server that we believe was used by this actor: ios-update-whatsapp[.]com.

The first relevant difference between this MDM and the MDM we discussed in the previous article is the fact that the attackers patched the open-source project mdm-server — a small iOS MDM server. The attackers added an authentication process; in the previous version, no authentication was available. Here is the auth page:

Additionally, we identified different technical information based on the certificate used. Here is the certificate used by this MDM:

CA.crt
Serial Number: 17948952500637370160 (0xf9177d33a2d98730)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=HK, ST=Kwun Tong, L=6/F 105 Wai Yip St 000000, O=TECHBIG, OU=IT, CN=TECHBIG.COM/emailAddress=info@techbig.com
Validity
Not Before: Jan 15 09:47:15 2018 GMT
Not After : Jan 15 09:47:15 2019 GMT
Subject: C=HK, ST=Kwun Tong, L=6/F 105 Wai Yip St 000000, O=TECHBIG, OU=IT, CN=TECHBIG.COM/emailAddress=info@techbig.com
A fake company, Tech Big, which was allegedly located in Hong Kong, had this certificate issued to it in January 2018.

Log analysis


Three devices were enrolled on this server:

  • Two devices with an Indian phone number that were also located in India (one of the devices has the same phone number as the believed attacker's device used in the previous post)
  • One device with a British phone number located in Qatar

The logs showed us that the MDM was created in January 2018, and was used from January to March of this year.

New malicious iOS apps


Fake Telegram & WhatsApp


Talos identified two other malicious Telegram and WhatsApp apps. The attacker built these apps by adding malicious capabilities to existing Telegram and WhatsApp applications. The malicious aspect of the apps is the same as what we described in the previous post. The only difference is the command and control (C2) obfuscation. The URLs are not stored in plaintext, but are encrypted with data encryption standard (DES) and encoded in base64.

Here is an example of the encoded URL:

And the DES key:

Once decoded and decrypted, we can easily read the URL of the C2:
./decode.py vZVI2iNWGCxO+FV6g46LZ8Sdg7YOLirR/BmfykogvcLhVPjqlJ4jsQ== '&%^*#@!$'
hxxp://hytechmart[.]com/UcSmCMbYECELdbe/

Fake IMO


IMO is a chat and video app available on mobile devices. We identified a fake application that pretended to be IMO. The attackers used the same technique to add malicious code to the legitimate application: BOptions sideloading technique. For more information about this technique, we recommend reading the previous blog post.

The C2 server has the same obfuscation technique as the fake, malicious Telegram and WhatsApp apps described above. The attacker simply changed the encryption key used. The purpose of the malicious code is similar to the previous malicious apps in that it steals contact information and chat history. This application uses SQLite to store the data. Here is an example of a request performed to get the data:

  • DBManager accesses 'IMODb2.sqlite'
  • Select ZIMOCHATMSG.Z_PK,ZIMOCHATMSG.ZTEXT,ZIMOCHATMSG.ZISSENT,ZIMOCONTACT.ZPHONE,ZIMOCONTACT.ZBUID AS Contact_ID from ZIMOCONTACT join ZIMOCHATMSG ON (ZIMOCONTACT.ZBUID = ZIMOCHATMSG.ZBUID) where ZIMOCHATMSG.Z_PK >'%d'

Malicious Safari browser


Talos has also discovered a malicious Safari application available on the third malicious MDM. For this application, the attackers did not use the BOptions sideloading technique. It's a malicious browser developed from scratch and based on three open-source projects: SCSafariPageController, SCPageViewController and SCScrollView.

The purpose of this browser is to steal sensitive information from the infected device. First, the app sends the universally unique identifier (UUID) of the device to the C2 server. Based on the server response, the malicious browser will send additional information, such as the user's contact information (picture, name, email, postal address, etc.), the user's pictures, the browser's cookies and the clipboard.

The malware checks for a file named "hib.txt," and if the file doesn't exist on the device, it displays an iTunes login page in an attempt to harvest the user's login credentials. Upon entering the credentials, the email address and password are sent to the C2 server. Additionally, these credentials get written into the file and the user is considered "signed in."

The most intriguing part is the credential stealer. If the browsed domain name contains one of the following strings, the malware will automatically exfiltrate the username and the password of the user to the C2 server. Most notably, there is the presence of secure email providers, among a variety of other web services.

  • Login.yahoo (email platform)
  • Mail.com (email platform)
  • Rediff (Indian news portal and email platform with around 95 million registered users)
  • Amazon (e-commerce platform)
  • Pinterest (image-sharing and discovery platform)
  • Reddit (news aggregation web portal with forums)
  • Accounts.google (Google sign-in platform)
  • Ask.fm (anonymous decentralised Q&A platform)
  • Mail.qq (Chinese email platform)
  • Baidu.com (Chinese search engine and email provider)
  • Mail.protonmail (secure email provider located in Switzerland)
  • Gmx (email platform)
  • AonLine.aon (British assurance)
  • ZoHo (Indian email service)
  • Tutanota (secure email provider located in Germany)
  • Lycos.com (search engine and web portal with email platform)

The malware continuously monitors a web page, seeking out the HTML form fields that hold the username and password as the user types them in to steal credentials. The names of the inspected HTML fields are embedded into the app alongside the domain names. Here is a list of the "username" fields that are referenced by the app code:
For example, we see m_U, which is the username field in the Lycos mail authentication page:

The malware contains a similar list concerning the password field.

Finally, the malicious browser contains three malicious plugins:
  • "Add Bookmark"
  • "Add To Favourites"
  • "Add to Reading List"
The purpose of the malicious extensions is very similar to the previous ones — each sends off stored data to the same C2 server as the other apps.

In the core and the plugins, the C2 server is encoded in base64 and encrypted in AES instead of DES.

Links with previous campaign


The Bahamut group was discovered and detailed by Bellingcat, an open-source news website. In this post, the author was discussing Android-based malware with some similarities to the iOS malware we identified. That post kickstarted our investigation into any potential overlap between these campaigns and how they are potentially linked.

The new MDM platform we identified has similar victimology with Middle Eastern targets, namely Qatar, using a U.K. mobile number issued from LycaMobile. Bahamut targeted similar Qatar-based individuals during their campaign.

We identified an overlap in the domain voguextra[.]com, which was used by Bahamut within their "Devoted To Humanity" app to host an image file and as C2 server by the PrayTime iOS app mentioned in our first post. Bellingcat also reported the domain had been used previously to host potential decoy documents as detailed in VirusTotal here using hxxp://voguextra[.]com/decoy.doc.

The domains used during this campaign shared similarities with the domains used throughout the Bahamut campaign reported by Bellingcat. Most of the email addresses used within the domains were *@mail.ru email accounts, the C2s identified both used AES encrypted strings represented as base64 values, and the URI patterns used in both campaigns shared an almost identical syntax:
  repository + random.php + GET value
  /hdhfdhffjvfjd/gfdhghfdjhvbdfhj.php?p=1&g=[string]&v=N/A&s=[string]&t=[string]

The domains also had similar structures for the domain name (they are formatted [word]-[word]-[word]) across both campaigns. Actors tend to stick with similar structures, especially if they have had success in the past.
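The URI shape and the [word]-[word]-[word] domain naming described above are the kind of structural traits a defender can hunt for in proxy logs without relying on a fixed list of hosts. The following is an added example, not code from the Talos post: the log lines and host names are constructed, the "8+ lowercase letters per path segment" threshold is an assumption derived from the single URI shown, and the domain pattern is deliberately treated as a secondary signal because many legitimate domains match it.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed proxy log lines, "<epoch> <client> <method> <url> <status>" (not from the Talos post).
# The second and fourth lines mimic the URI shape quoted above; all hosts are samples.
SAMPLE_LOG = """\
1531900001 10.0.0.5 GET http://news.example/index.php?p=1 200
1531900002 10.0.0.7 GET http://cert-update-store.example/hdhfdhffjvfjd/gfdhghfdjhvbdfhj.php?p=1&g=abc123&v=N/A&s=xyz&t=987 200
1531900003 10.0.0.9 GET http://cdn.example/assets/app.js 200
1531900004 10.0.0.7 GET http://mobile-sync.example/qwertyuiopasd/zxcvbnmasdfgh.php?p=1&g=q1&v=N/A&s=s1&t=t1 200
1531900005 10.0.0.5 GET http://shop.example/cart/checkout.php?p=1&g=a&v=N/A&s=b&t=c 200
"""

C2_QUERY_KEYS = {"p", "g", "v", "s", "t"}


def looks_like_c2_uri(url):
    """Match the 'repository + random.php + GET value' shape: two long lowercase
    letter runs as the path (8+ characters each is an assumed threshold), a .php
    script, exactly the five query keys seen in the campaign, and the literal v=N/A."""
    u = urlparse(url)
    if not re.fullmatch(r"/[a-z]{8,}/[a-z]{8,}\.php", u.path):
        return False
    q = parse_qs(u.query, keep_blank_values=True)
    return set(q) == C2_QUERY_KEYS and q.get("v") == ["N/A"]


def hyphenated_word_domain(host):
    """[word]-[word]-[word] naming seen across both campaigns. Weak on its own
    (plenty of legitimate domains look like this), so only used as supporting context."""
    labels = host.lower().split(".")
    name = labels[-2] if len(labels) >= 2 else labels[0]
    return bool(re.fullmatch(r"[a-z]+-[a-z]+-[a-z]+", name))


def scan_log(text):
    """Return one hit per request whose URI matches the C2 shape, noting whether
    the domain naming pattern also matches."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        _ts, client, _method, url, _status = parts[:5]
        if not looks_like_c2_uri(url):
            continue
        host = urlparse(url).hostname or ""
        reasons = ["uri-pattern"]
        if hyphenated_word_domain(host):
            reasons.append("domain-pattern")
        hits.append({"client": client, "host": host, "url": url, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["client"], hit["host"], ",".join(hit["reasons"]))
```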

Once we started profiling the domains, we quickly noticed a strong link to India. With access to historical whois and hosting information, we were able to determine that the three MDM domains pointed to an Indian nexus. All three domains used a privacy proxy to register their domains. However, what the actor did not do was create nameservers upon registering the domains. This allowed us to discover that two of the three domains were registered with Indian registrars and hosting providers.

The three domains identified for MDM use were ios-update-whatsapp[.]com, ios-certificate-update[.]com and www[.]wpitcher[.]com.

ios-update-whatsapp[.]com

The nameserver used initially was obox.dns[.]com, which belongs to Directi, an India-based registrar. This later changed to [ns1-2].ios-update-whatsapp[.]com, which suggests this domain was potentially registered and purchased in India.

wpitcher[.]com

This domain initially used nameservers related to MantraGrid, an India-based cloud platform. Since this was one of the original MDM domains we identified, that is another link to an Indian actor.

ios-certificate-update.com

This domain used a similar structure to ios-update-whatsapp[.]com and also shared the same privacy proxy as the other two domains listed above relating to the MDM activity. This was one of the first registered domains and was using a bulletproof hosting platform in Panama.

Finally, Bellingcat, via Tom Lancaster, identified similarities with a previous InPage campaign reported by Kaspersky which shows similar URI structuring, as well as victimology. The InPage attack targeted Urdu-speaking Muslims, which further increases the likelihood that the victims are Indian-based because Urdu is a dialect primarily spoken in India and Pakistan. With our attacker, we identified that the MDM was also taking advantage of an application called PrayTime — a popular app for Muslims that alerts them to complete their daily prayers.

With all of this taken into consideration, we assess with moderate confidence that the attacker is located in India. Additionally, we assess with low confidence that the campaign we discovered is linked to the Bahamut group.

Links with Windows-targeted campaigns


Talos identified several malicious binaries that could be used to target victims running Microsoft Windows operating systems using the same infrastructure as the malicious app mentioned in our previous article, techwach.com.

The sample 6b62f4db64edf7edd648c38a563f44b656b0f6ad9a0e4e97f93cf9abfdfc63e5 contacts the following URL to download an additional payload:

  • hxxp://techwach[.]com/Beastwithtwobacks/Barkingupthewrongtree.php

We know that the MDM and the Windows services were up and running on the same C2 server in May 2018. The purpose of this malicious Windows binary is to get information on the infected device (username and hostname), send this information and retrieve an additional PE32 file if the operator estimates that the targeted system is relevant.

We found additional similar samples between June 2017 and June 2018 with different C2 servers. The attackers have two kinds of samples: one developed in Delphi and one developed in VisualBasic.

Here are the Delphi samples:

  • b96fc53f321729eda24af2a0b95e5c1d39d46acbd5a565e6c5f8c81f1bf9c7a1 -> hxxp://appswonder[.]info
  • 3f463cebef1550b055ef6b4d1dad16ff1cb514f0091271ce92549e77bb5080d6 -> hxxp://referfile[.]com
  • 4b94b152293e49532e549b2538cad85e950cd16ccd948a47a632376a840626ed -> hxxp://hiltrox[.]com
  • e70a1c230ef2894363b834132bbdbb3a0edc88e81049a7c7774fa5b4ed78206b -> hxxp://scrollayer[.]com
  • e7701f81141dfd6234488e51340ba2d05901c8242a6e9a9952c297c52a3ff050 -> hxxp://twitck[.]com
  • e93f28efc1787ed5e8763cdc0417e7d5db1c9203e484350c64860fff91dab4f5 -> hxxp://scrollayer[.]com

Here are the Visual Basic samples:

  • 6f362bc439ce09c7dcb0ac5cce84b81914b9dd1e9969cae8b570ade3af1cea3d -> hxxp://32player[.]com
  • ce0026e0eb3f4f1d3d2a003400f863900f497745f3384e430926d99206cc5ed6 -> hxxp://nfinx[.]info
  • d2c15c2043b0455cfad36f22f564b99ed46cea3891abb80eaf86093654c94dea -> hxxp://metclix[.]com/
  • d7f90e9b1129e3223a886422b3625399d52913dcc2757734a67422ac905683f7 -> hxxp://appswonder[.]info/
  • ec973e4319f5a9e8e9c28d315e7bb8153a620baa8ae52b455b68400612aad1d1 -> hxxp://capsnit[.]com/

Some of the C2 servers are still up and running at the time of writing. The Apache setup is very specific and exactly matches the Apache setup of the C2 servers used by the malicious IPA apps.

Additionally, we identified the infection vector for one of the Windows malware samples. The attackers used a malicious RTF (a1f2018bd61989a78247df53d808b6b513d530c47b89f2a919c59c848e2a6ac4) exploiting CVE-2018-0802 in order to drop and execute the last binary in the list above.

Finally, one of the Visual Basic binaries was bundled in an MSI package (installed via msiexec) together with the following decoy document:

This decoy document uses a news story image taken from the India Today newspaper website, describing the Naga peace accord. The Indian targets in this campaign are likely very interested in this topic.

Conclusion


Since publishing our original blog post, we have discovered that an actor has been operating these malicious MDMs for many years. Based on previous research on the Bahamut group and our own research, we believe the observed infrastructure is not limited to iOS targets, but is part of a broader framework that supports both Apple iOS and Windows platforms.

This actor is likely located in India, given the technical elements we observed. While the attacker's infrastructure throughout the operation looks very similar to the one used by the Bahamut group, and the two may even be connected, it is not possible to assert with high confidence that this is Bahamut at this time.

The use of a malicious MDM is convenient and the system is well-documented. Given the effectiveness of MDM abuse, it's likely that well-funded actors will continue to move into this area.

Because enrollment into an MDM requires user interaction and acceptance, it is crucial that users are aware of this type of threat and the dangers it can pose to their data and privacy.

Talos will continue to keep an eye on MDM and similar infrastructures to ensure we are reporting the latest information and forcing the bad guys to innovate.

Coverage


Additional ways our customers can detect and block this threat are listed below.
Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.

AMP Threat Grid helps identify malicious binaries and build protection for all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

IOCs


iOS Applications

  • 422e4857614cc603f2388eb9a6b7bbe16d45b9fd0a9b752f02c107887cf8cb3e imo.ipa
  • e3ceec8676e2a1779b8289e341874209a448b11f3d81834a2faae9c494267602 Safari.ipa
  • bab7f61ed0f2b085c02ff1e4305ceab4479455d7b4cfba0a018b73ee955fcb51 Telegram.ipa
  • fbfaed75aa855c7db486edee15359b9f8c1b394b0b02f77b22500a90c53cb423 WhatsApp.ipa

MDM Domain:

  • ios-update-whatsapp[.]com

C2 Domains:

  • hytechmart[.]com

PE32 Samples:

  • b96fc53f321729eda24af2a0b95e5c1d39d46acbd5a565e6c5f8c81f1bf9c7a1
  • 3f463cebef1550b055ef6b4d1dad16ff1cb514f0091271ce92549e77bb5080d6
  • 4b94b152293e49532e549b2538cad85e950cd16ccd948a47a632376a840626ed
  • e70a1c230ef2894363b834132bbdbb3a0edc88e81049a7c7774fa5b4ed78206b
  • e7701f81141dfd6234488e51340ba2d05901c8242a6e9a9952c297c52a3ff050
  • e93f28efc1787ed5e8763cdc0417e7d5db1c9203e484350c64860fff91dab4f5
  • 6f362bc439ce09c7dcb0ac5cce84b81914b9dd1e9969cae8b570ade3af1cea3d
  • ce0026e0eb3f4f1d3d2a003400f863900f497745f3384e430926d99206cc5ed6
  • d2c15c2043b0455cfad36f22f564b99ed46cea3891abb80eaf86093654c94dea
  • d7f90e9b1129e3223a886422b3625399d52913dcc2757734a67422ac905683f7
  • ec973e4319f5a9e8e9c28d315e7bb8153a620baa8ae52b455b68400612aad1d1

PE32 C2 servers:

  • hxxp://appswonder[.]info
  • hxxp://referfile[.]com
  • hxxp://hiltrox[.]com
  • hxxp://scrollayer[.]com
  • hxxp://twitck[.]com
  • hxxp://32player[.]com
  • hxxp://nfinx[.]info
  • hxxp://metclix[.]com/
  • hxxp://capsnit[.]com/

Malicious RTF Samples:

  • a1f2018bd61989a78247df53d808b6b513d530c47b89f2a919c59c848e2a6ac4
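The indicators above are published defanged. A practical sweep has to refang them, match hosts on a domain boundary rather than by substring (so a host such as notscrollayer.com does not trip on scrollayer[.]com), and compare hashes case-insensitively. The following is an added example, not Talos tooling: the IOC values come from the lists above, while the proxy log lines and the file inventory are constructed for the demonstration.

```python
"""IOC sweep: match the C2 domains and sample hashes listed above against
proxy logs and a file-hash inventory.

Added example, not Talos tooling. The IOC values come from the lists on this
page; the proxy log lines and the file inventory are constructed for the demo.
"""
import re
from urllib.parse import urlsplit

# Network IOCs exactly as published (defanged) above.
C2_DOMAINS_DEFANGED = [
    "hxxp://appswonder[.]info",
    "hxxp://referfile[.]com",
    "hxxp://hiltrox[.]com",
    "hxxp://scrollayer[.]com",
    "hxxp://twitck[.]com",
    "hxxp://32player[.]com",
    "hxxp://nfinx[.]info",
    "hxxp://metclix[.]com/",
    "hxxp://capsnit[.]com/",
    "hxxp://techwach[.]com/Beastwithtwobacks/Barkingupthewrongtree.php",
    "ios-update-whatsapp[.]com",
    "hytechmart[.]com",
]

# File IOCs (SHA-256) taken from the PE32 and RTF lists above.
SAMPLE_HASHES = {
    "b96fc53f321729eda24af2a0b95e5c1d39d46acbd5a565e6c5f8c81f1bf9c7a1",
    "6f362bc439ce09c7dcb0ac5cce84b81914b9dd1e9969cae8b570ade3af1cea3d",
    "a1f2018bd61989a78247df53d808b6b513d530c47b89f2a919c59c848e2a6ac4",
}


def refang(ioc):
    """Turn a defanged indicator such as 'hxxp://x[.]com/path' into the bare host 'x.com'."""
    s = ioc.strip().replace("[.]", ".").replace("(.)", ".")
    s = s.replace("hxxps://", "https://").replace("hxxp://", "http://")
    if "://" not in s:
        s = "http://" + s
    return urlsplit(s).hostname.lower().rstrip(".")


C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}


def host_matches(hostname):
    """True if hostname is a listed C2 domain or a subdomain of one (not a mere suffix)."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in C2_DOMAINS)


# Constructed proxy log, one request per line: "<epoch> <client-ip> <method> <url> <status>".
PROXY_LOG = """\
1526000001 10.1.2.3 GET http://www.example.org/index.html 200
1526000002 10.1.2.3 GET http://techwach.com/Beastwithtwobacks/Barkingupthewrongtree.php 200
1526000003 10.1.2.9 POST http://cdn.scrollayer.com/upload 200
1526000004 10.1.2.9 GET http://notscrollayer.com/ 200
1526000005 10.1.2.4 CONNECT hytechmart.com:443 200
"""

LOG_RE = re.compile(r"^(?P<ts>\d+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")


def scan_proxy_log(text):
    """Return (epoch, client, host) for every request whose host is a known C2 domain."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the sweep
        url = m.group("url")
        # CONNECT requests log 'host:port' rather than a full URL.
        host = urlsplit(url if "://" in url else "//" + url).hostname
        if host and host_matches(host):
            hits.append((int(m.group("ts")), m.group("client"), host.lower()))
    return hits


# Constructed inventory: (path, sha256) as an EDR export or a sha256sum run would give.
FILE_INVENTORY = [
    ("C:/Users/alice/AppData/Roaming/update.exe",
     "B96FC53F321729EDA24AF2A0B95E5C1D39D46ACBD5A565E6C5F8C81F1BF9C7A1"),
    ("C:/Users/alice/Downloads/document.rtf",
     "a1f2018bd61989a78247df53d808b6b513d530c47b89f2a919c59c848e2a6ac4"),
    ("C:/Windows/notepad.exe", "0" * 64),
]


def scan_hashes(inventory):
    """Return the paths whose SHA-256 (compared case-insensitively) is a listed sample."""
    return [path for path, digest in inventory if digest.strip().lower() in SAMPLE_HASHES]


if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG):
        print("C2 contact:", hit)
    for path in scan_hashes(FILE_INVENTORY):
        print("known sample on disk:", path)
```

The domain check deliberately tests for equality or a leading dot before the listed domain; a plain substring or suffix test would match unrelated hosts, and the campaign's own use of subdomains is why matching only the exact host is not enough either.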

SN 673: The Data Transfer Project

This week we examine still another new Spectre processor speculation attack, some news on DRAM hammering attacks and mitigation, the consequences of freely available malware source code, the reemergence of concern over DNS rebinding attacks, Venmo's very public transaction log, more Russian shenanigans, the emergence of flash botnets, Apple's continuing move of Chinese data to China, another (the 5th) Cisco secret backdoor found, an optional missing Windows patch from last week, a bit of Firefox news and a piece of errata... and then we look at "The Data Transfer Project" which, I think, marks a major step of maturity for our industry.

We invite you to read our show notes.

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to this show at https://twit.tv/shows/security-now.

You can submit a question to Security Now! at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Bandwidth for Security Now is provided by CacheFly.


Risky Business #507 — For Vlad

We didn’t have space to run a feature in this week’s show, mostly because we had three weeks of news to catch up on because of my holiday. Adam Boileau is away on a company retreat this week, so Haroon Meer is this week’s news guest.

We talk about:

  • The Russia indictment
  • Chrome now marks http sites as “not secure”
  • Julian Assange is close to being turfed out of his London digs
  • Microsoft’s midterm meddling misfire
  • Singapore loses 1.5m health records
  • Some cool research from Talos and Cyberark
  • Azimuth Security acquired by L3
  • The npm supply-chain attack
  • Chrome site isolation
  • And much more!

This week’s sponsor is ICEBRG. And ICEBRG just announced today that it’s been acquired by Gigamon, which is pretty big news for them. So we’ll spend a couple of minutes talking about that with ICEBRG’s Jason Rebholz. Then we’ll be talking to Justin Warner about a pretty cool Flash 0day they found hiding in a Microsoft Office document. That was some pretty cool work, and the attackers in that case did some pretty novel things in terms of keeping their payload away from prying eyes. Obviously they didn’t do a good enough job or we wouldn’t be talking about it, but there are some new techniques there, fun stuff.

*****NOTE: At one point I get Jason Rebholz’s name wrong. I call him Justin Rebholz by accident. Apologies for the error, Jason!

Show notes

Today’s the day that Chrome brands plain old HTTP “not secure” | Ars Technica
12 Russian Spies Indicted for Hacking in 2016 | Fortune
The Russians Who Allegedly Hacked the DNC Sexted a Playboy Model and 'Bond Girl' - Motherboard
Russian hackers struck Clinton server hours after Trump called for emails - CyberScoop
Trump calls Putin's plan for investigating 2016 DNC breach an 'incredible offer' - Cyberscoop
Ecuador 'close to evicting' Julian Assange from UK embassy | The Independent
Microsoft: Russian Hackers Are Targeting The Midterms
Three top cybersecurity officials are leaving the FBI: Report
Singapore personal data hack hits 1.5m, health authority says - BBC News
Cisco's Talos Intelligence Group Blog: Advanced Mobile Malware Campaign in India uses Malicious MDM
Cellebrite's newest target: Your IoT-filled home
Alexa, Are You A Spy? Israeli Startup Raises $12.5 Million So Governments Can Hack IoT
L3 Strengthens Intelligence Collection and Surveillance Capabilities With Cyber Acquisitions | Business Wire
In the opaque world of government hacking, private firms grapple with allegiances
King iPhone Hacker NSO Group Robbed By Employee -- Spyware On Dark Web Sale For $50 Million, Israel Claims
Private sector played critical role in WannaCry attribution, ODNI official says
Compromised JavaScript Package Caught Stealing npm Credentials
Google Chrome shifts browser architecture to thwart Spectre attacks
Lawmakers call on Amazon and Google to reconsider ban on domain fronting
DOJ regrets the error on OPM-linked fraud case
A Privacy Researcher Uncovered a Year’s Worth of Breakups and Drug Deals Using Venmo’s Public Data - Motherboard
Avoid Detection with Shadow Keys - CyberArk
Attacks on Oracle WebLogic Servers Detected After Publication of PoC Code
Watch a Hacker Install a Firmware Backdoor on a Laptop in Less Than 5 Minutes - Motherboard
Many Bluetooth Implementations and OS Drivers Affected by Crypto Bug
ICEBRG, Inc.
Risky Biz Annual Black Hat Party w/ Signal Sciences, Remediant and Bugcrowd Tickets, Tue, Aug 7, 2018 at 7:00 PM | Eventbrite

Half the US population will live in 8 states

“In about 20 years, half the population will live in eight states”, and 70% of Americans will live in 15 states. “Meaning 30 percent will choose 70 senators. And the 30% will be older, whiter, more rural, more male than the 70 percent.” Of course, as the census shows the population shifting, the makeup of the House will also change dramatically.

Maybe you think that’s good, maybe you think that’s bad. It certainly leads to interesting political times.

CVE-2018-11060 (archer)

RSA Archer, versions prior to 6.4.0.1, contain an authorization bypass vulnerability in the REST API. A remote authenticated malicious Archer user could potentially exploit this vulnerability to elevate their privileges.

CVE-2018-11059 (archer)

RSA Archer, versions prior to 6.4.0.1, contain a stored cross-site scripting vulnerability. A remote authenticated malicious Archer user could potentially exploit this vulnerability to store malicious HTML or JavaScript code in a trusted application data store. When application users access the corrupted data store through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable web application.

CVE-2018-8859 (i.lon_100_firmware, i.lon_600_firmware, smartserver_1_firmware, smartserver_2_firmware)

Echelon SmartServer 1 all versions, SmartServer 2 all versions prior to release 4.11.007, i.LON 100 all versions, and i.LON 600 all versions. An attacker can bypass the required authentication specified in the security configuration file by including extra characters in the directory name when specifying the directory to be accessed. This vulnerability does not affect the i.LON 600 product.

Free SANS Webinar: I Before R Except After IOC

Join Andrew Hay on Wednesday, July 25th, 2018 at 10:30 AM EDT (14:30:00 UTC) for an exciting free SANS Institute Webinar entitled “I” Before “R” Except After IOC. Using actual investigations and research, this session will help attendees better understand the true value of an individual IOC, how to quantify and utilize your collected indicators, and what constitutes an actual incident.

Overview
Just because the security industry touts indicators of compromise (IOCs) as much needed intelligence in the war on attackers, the fact is that not every IOC is valuable enough to trigger an incident response (IR) activity. All too often our provided indicators contain information of varying quality including expired attribution, dubious origin, and incomplete details. So how many IOCs are needed before you can confidently declare an incident? After this session, the attendee will:

  • Know how to quickly determine the value of an IOC,
  • Understand when more information is needed (and from what source), and
  • Make intelligent decisions on whether or not an incident should be declared.

Register to attend the webinar here: https://www.sans.org/webcasts/108100.

CVE-2018-14579 (golemcms)

GolemCMS through 2008-12-24, if the install/ directory remains active after an installation, allows remote attackers to execute arbitrary PHP code by inserting this code into the "Database Information" "Table prefix" form field, or obtain sensitive information via a direct request for install/install.sql.

I read the news today, oh boy: social sharing and the dangers of false information

We’ve all done it: shared a post on social media in the belief that it’s spreading an important message or helping someone in need. But how many of us check to see whether it’s genuine? Earlier today I appeared on East Coast FM Radio in Ireland to talk about this problem.

The interview came after a message circulated widely on social media in Ireland, warning about a child abduction gang supposedly active in south Dublin. The message shows a photo of a clearly identifiable foreign man who is wrongly accused of being in the gang. The photo has already been shared more than 2,000 times on Facebook.

The Irish police, An Garda Siochana, felt the need to intervene. They urged people not to share the warnings on social media or on WhatsApp groups, while confirming they’re not investigating any such kidnapping group.

Bad news travels fast; false news travels even faster

Interestingly, researchers have tracked this very phenomenon and came to some interesting conclusions. A recent MIT study, “The spread of true and false news online”, examined 12 years’ worth of data from Twitter. The researchers found that fake reports promising some new, juicy detail spread far faster and wider, often reaching more than 10,000 Twitter users. Verifiably true news, on the other hand, rarely reached more than 1,000 users.

What’s more, bots aren’t the problem: people are. The research also found that bots spread news equally whether it was true or not, “implying that false news spreads more than the truth because humans, not robots, are more likely to spread it”. Science Magazine has a good writeup of the main findings.

Trust, but verify

In the radio interview, I said it was important for people not to accept all stories at face value, even when they come from a perceived trusted source. When it’s an update from a friend on social media, people are more inclined to spread it. Even if you’re sharing with good intentions, it’s still worth taking some simple steps before hitting the ‘forward’ button:

  • Apply critical thinking to the situation: don’t just believe what you read
  • Look at other trusted sources to verify the information in the message
  • Check with local police if you have a genuine concern relating to a possible crime.

A simple web search will usually be enough to debunk a story. It’s also worth bookmarking an independent fact-checking website like Snopes.com. The Garda website has a useful page that answers frequently asked questions about typical cyber scams that many people encounter online.

We’ve written about online frauds many times on the BH Consulting blog. The ‘gotcha’ behind CEO fraud or phishing is that criminals want to trick you through social engineering. There’s usually a financial motive. But it’s becoming clear just how insidious false news stories can be. They create fear and promote mistrust and xenophobia, since they often target ethnic groups or foreign nationals. They also undermine people’s trust in media sources.

The internet is a breeding ground for urban myths and untruths. Every time we unthinkingly share false news, we’re helping them to grow and spread. We might as well be feeding weeds with fertiliser – and we all know what that’s made from.

The post I read the news today, oh boy: social sharing and the dangers of false information appeared first on BH Consulting.

CVE-2018-10604 (sel_compass)

SEL Compass version 3.0.5.1 and prior allows all users full access to the SEL Compass directory, which may allow modification or overwriting of files within the Compass installation folder, resulting in escalation of privilege and/or malicious code execution.

CVE-2017-18104 (jira)

The Webhooks component of Atlassian Jira before version 7.6.7 and from version 7.7.0 before version 7.11.0 allows remote attackers who are able to observe or otherwise intercept webhook events to learn information about changes in issues that should not be sent because they are not contained within the results of a specified JQL query.

CVE-2018-13386 (sourcetree)

There was an argument injection vulnerability in Sourcetree for Windows via filenames in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system. Versions of Sourcetree for Windows before version 2.6.9 are affected by this vulnerability.

CVE-2018-14335 (h2)

An issue was discovered in H2 1.4.197. Insecure handling of permissions in the backup function allows attackers to read sensitive files (outside of their permissions) via a symlink to a fake database file.

Are Fake Apps Taking Over Your Phone?

It seems some malicious app developers have taken the phrase “fake it ‘til you make it” to heart, as fake apps have become a rampant problem for Android and iPhone users alike. Even legitimate sources, such as Google Play and Apple’s App Store, have been infiltrated with illegitimate applications, despite their own due diligence in combating this phenomenon.

Once a fake app is installed, cybercriminals use it to run ransomware or ad-delivered malware in the background of your device, which makes it hard to notice that something is off. Meanwhile, your personal data, such as usernames, photos, passwords, and credit card information, can be compromised.

Malicious apps have become more challenging to detect, and even more difficult to delete from a device without causing further damage. The trend of fake apps shows no sign of slowing down either, as bad actors have become more brazen with the apps they work to imitate. From Nordstrom to Fortnite to WhatsApp, it seems no business or industry is off limits.

Luckily, cybercriminals have yet to figure out a sure-fire way to get their fake apps onto our devices. By paying extra attention to detail, you can learn to identify a fake app before downloading it. Here’s how:

  • Check for typos and poor grammar. Double check the app developer name, product title, and description for typos and grammatical errors. Malicious developers often spoof real developer IDs, even just by a single letter, to seem legitimate. If there are promises of discounts, or the description just feels off, those signals should be taken as red flags.
  • Look at the download statistics. If you’re attempting to download a popular app like WhatsApp, but it has an inexplicably low number of downloads, that’s a fairly good indicator that an app is most likely fraudulent.
  • Read what others are saying. When it comes to fake apps, user reviews are your ally. Breezing through a few can provide vital information as to whether an app is authentic or not, so don’t be afraid to crowdsource those insights when you can.

If you do find yourself having accidentally downloaded a fake app, there are steps you can take to rid your phone of it. Here’s what to do:

  • Delete the app immediately or as soon as you notice anything suspicious. If you can’t find it, but you’re still having issues, the app could still be on your device. That’s because, in the interest of self-preservation, fake apps can try and protect themselves from disposal by making their icon and title disappear. If that happens, go to your installed apps page(s) and look for blank spaces, as it may be hiding there.
  • Check the permissions. After installation, check the app’s permissions. Fake apps usually give long lists of frivolous requests in an effort to get access to more data.
  • Clear the app’s cache and data. If you do find the app you want to delete, this is the first step you must take in order to get the app completely off your phone.
  • Take it into your provider. If you’re still having issues after you’ve deleted an app, consider taking your device into your provider to run a diagnostic test.
  • Factory reset. As a last resort, if you can’t find the app because it has “disappeared,” or traces of the app and malware linger, the best way to ensure it is completely gone is to wipe the data, factory reset your device, and start over. This is why it is vital to have backups of your devices.
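The checks above (a developer name that is off by a letter, a big brand with implausibly few installs, and a permission list far longer than the app's purpose needs) can be turned into a small triage script for store listings. This is an added example, not McAfee code: the trusted-publisher list, homoglyph table, dangerous-permission set, install threshold and sample listings are illustrative assumptions, and it goes slightly beyond the text by also catching Cyrillic look-alike letters rather than only single-letter typos.

```python
"""Store-listing triage for the signals above: lookalike developer names,
implausibly low install counts for a big brand, and dangerous permissions the
app has no business requesting.

Added example, not McAfee code. The trusted-developer list, the homoglyph
table, the dangerous-permission set, the install threshold and the sample
listings are illustrative assumptions.
"""
import unicodedata

TRUSTED_DEVELOPERS = {"WhatsApp Inc.", "Epic Games, Inc.", "Nordstrom, Inc."}

# Characters commonly swapped in for Latin letters (small illustrative subset):
# digits that look like letters plus Cyrillic twins of a, e, o, p, c, s, i.
HOMOGLYPHS = {
    "0": "o", "1": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0455": "s", "\u0456": "i",
}

# Android permissions that warrant a second look when a listing asks for them.
DANGEROUS_PERMISSIONS = {
    "android.permission.READ_SMS", "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.CAMERA", "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.BIND_DEVICE_ADMIN",
}

BRAND_MIN_INSTALLS = 10_000  # a well-known brand with fewer installs is suspicious


def normalize(name):
    """Fold case and accents, map homoglyphs to Latin, keep letters and digits only."""
    folded = unicodedata.normalize("NFKD", name).lower()
    out = []
    for ch in folded:
        if unicodedata.combining(ch):
            continue
        ch = HOMOGLYPHS.get(ch, ch)
        if ch.isalnum():
            out.append(ch)
    return "".join(out)


def edit_distance(a, b):
    """Levenshtein distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_developer(name, trusted=TRUSTED_DEVELOPERS, max_distance=2):
    """('verified', name) for an exact trusted name, ('lookalike', target) when the
    name is a homoglyph or near miss of one, otherwise ('unknown', None).

    The exact-string check comes first on purpose: a homoglyph variant normalizes
    to the same text as the real name and must still be flagged."""
    if name in trusted:
        return ("verified", name)
    n = normalize(name)
    best = None
    for t in trusted:
        d = edit_distance(n, normalize(t))
        if d <= max_distance and (best is None or d < best[0]):
            best = (d, t)
    return ("lookalike", best[1]) if best else ("unknown", None)


def excessive_permissions(requested, expected):
    """Dangerous permissions requested beyond what the app's stated purpose needs."""
    return sorted((set(requested) & DANGEROUS_PERMISSIONS) - set(expected))


def triage_listing(listing):
    """Combine the three signals into a list of human-readable red flags."""
    flags = []
    verdict, target = classify_developer(listing["developer"])
    if verdict == "lookalike":
        flags.append(f"developer name resembles trusted publisher '{target}'")
    if target is not None and listing["installs"] < BRAND_MIN_INSTALLS:
        flags.append(f"{listing['installs']} installs is implausibly low for '{target}'")
    extra = excessive_permissions(listing["permissions"], listing["expected_permissions"])
    if extra:
        flags.append("unneeded dangerous permissions: " + ", ".join(extra))
    return flags


# Constructed listings: the genuine app and a copycat whose developer name swaps 'I' for 'l'.
SAMPLE_LISTINGS = [
    {"developer": "WhatsApp Inc.", "installs": 5_000_000_000,
     "permissions": ["android.permission.CAMERA", "android.permission.READ_CONTACTS"],
     "expected_permissions": ["android.permission.CAMERA", "android.permission.READ_CONTACTS"]},
    {"developer": "WhatsApp lnc.", "installs": 1_200,
     "permissions": ["android.permission.CAMERA", "android.permission.READ_SMS",
                     "android.permission.BIND_DEVICE_ADMIN"],
     "expected_permissions": ["android.permission.CAMERA"]},
]

if __name__ == "__main__":
    for listing in SAMPLE_LISTINGS:
        print(listing["developer"], "->", triage_listing(listing) or ["no red flags"])
```

The ordering in classify_developer matters: if the normalized comparison ran first, a name built from Cyrillic look-alikes would normalize to exactly the trusted string and be reported as verified, which is the opposite of the intent.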

Even as this ever-growing trend of malicious developers spoofing legitimate applications to gain access to victims’ personal information continues, we can deter their advances simply by paying closer attention to detail. Remember to stay vigilant and learn the signs, so you can avoid fake apps at all costs.

Interested in learning more about IoT and mobile security tips and trends? Stop by ProtectWhatMatters.online, follow @McAfee_Home on Twitter, and ‘Like” us on Facebook.

The post Are Fake Apps Taking Over Your Phone? appeared first on McAfee Blogs.

5 Reasons To Follow Our Training Paths

Becoming an expert in a field – let alone an industry – requires time and effort. Most of all, dedication. While a single training course might teach you a lot, following a training path can bring a whole lot more to the table in the long run. Find out five ways our training paths can help you reach your goals and more.

1. Save time and money

How much time do you spend looking for the right IT Security course? One of the reasons why our experts developed our new Training Paths is to help you save both time and money. These combinations of courses were thought of as a guide for you to become proficient in the industry-standard role of your dreams and to help you get there.

2. Assess real practical skills

Designed with a particular role in mind, our training paths help you gain the right skills necessary to succeed. With access to thousands of course materials and hundreds of lab hours to practice real-life scenarios, you will learn all the theoretical knowledge and practical techniques you need, and become certified to prove your IT Security skills.

3. Receive lifetime new course-updates

To stay up-to-date on new threats and techniques, we’re now offering you LIFETIME NEW COURSE-UPDATES! If you complete a path by obtaining all the certifications in it, you’ll receive lifetime course-updates for those courses at no cost 😉 Are you one of our students? Enjoy this offer by completing a training path. Just enroll and get certified in the remaining course(s) of your desired path. Who’s up for a new challenge?

4. Be recognized as an expert

All of our certifications are valid for a lifetime. However, this does not mean that your skills won’t need a little upgrade from time to time. We all know it, IT Security professionals need to keep up with new threats and techniques. With free and lifetime new course-updates added automatically to your member’s area, you’ll not only be able to study upgraded materials but also to get access to a whole new set of labs. You tell us… what’s a better way to become the expert?

5. 1 path, 1 invoice, 3 times more skills

Whether you’re an IT Security professional trying to get approval for the training you need or the back office trying to eliminate red tape, our new Training Paths, based on the NICE Cybersecurity Framework, make everyone’s day a little easier and more efficient. Not only are these training paths a great option for you to step up your game and learn 3 times more skills, they’re also a great solution for companies of all size to train their IT Security team and new hires.

Have we piqued your interest? Click below to discover our training paths.

  


CVE-2018-10912 (keycloak)

keycloak before version 4.0.0.final is vulnerable to an infinite loop in session replacement. A Keycloak cluster with multiple nodes could mishandle an expired session replacement and lead to an infinite loop. A malicious authenticated user could use this flaw to achieve Denial of Service on the server.

CVE-2018-14328 (online_trade)

Brynamics "Online Trade - Online trading and cryptocurrency investment system" allows remote attackers to obtain sensitive information via a direct request for /dashboard/addplan, /dashboard/paywithcard/charge, /dashboard/withdrawal, or /privacy&terms, as demonstrated by reading database username, database password, database_name, and IP address fields, related to CVE-2018-12908.

CVE-2018-14570 (b2b2c_multi-business)

A file upload vulnerability in application/shop/controller/member.php in Niushop B2B2C Multi-business basic version V1.11 allows any remote member to upload a .php file to the web server via a profile avatar field, by using an image Content-Type (e.g., image/jpeg) with a modified filename and file content. This results in arbitrary code execution by requesting that .php file.
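The flaw described here is the classic upload mistake: the server believes the client-supplied Content-Type and keeps the client-supplied filename. The following added example (Python, not the Niushop code; sample bytes and names are constructed) shows that pattern next to a hardened handler that ignores Content-Type, requires the extension and the file's leading bytes to agree, and assigns a server-generated name.

```python
"""Avatar upload handling as in CVE-2018-14570: trusting the client's Content-Type
versus validating the file on its own evidence.

Added example in Python, not the Niushop code. The sample bytes and filenames
are constructed.
"""
import os
import uuid

# Accepted extensions, mapped to the canonical format name used by the sniffer.
ALLOWED_EXT = {"jpg": "jpg", "jpeg": "jpg", "png": "png", "gif": "gif"}

# Leading bytes that identify each accepted image format.
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

WEBSHELL = b"<?php system($_GET['c']); ?>"      # constructed malicious upload
JPEG_STUB = b"\xff\xd8\xff\xe0" + b"\x00" * 32     # constructed minimal JPEG header


def vulnerable_accept(filename, content_type, data):
    """The pattern the CVE describes: only the client-supplied Content-Type is
    checked and the client's filename is reused, so 'avatar.php' sent with
    'image/jpeg' is stored as avatar.php and later executed on request."""
    if not content_type.startswith("image/"):
        return None
    return os.path.basename(filename)


def sniff_image_type(data):
    """Return the format implied by the file's leading bytes, or None if unrecognised."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def hardened_accept(filename, content_type, data, max_bytes=2_000_000):
    """Accept only when extension, sniffed bytes and size agree; Content-Type is ignored.

    Returns the server-chosen stored name, or None to reject."""
    if not data or len(data) > max_bytes:
        return None
    ext = os.path.splitext(os.path.basename(filename))[1].lstrip(".").lower()
    if ext not in ALLOWED_EXT:
        return None  # 'avatar.php' never gets this far
    kind = sniff_image_type(data)
    if kind is None or kind != ALLOWED_EXT[ext]:
        return None  # the bytes disagree with the claimed extension
    # Never reuse the client's name: the stored name is random and its extension
    # comes from the sniffed bytes, so even 'avatar.php.jpg' lands as <uuid>.jpg.
    return f"{uuid.uuid4().hex}.{kind}"


if __name__ == "__main__":
    print("vulnerable stores:", vulnerable_accept("avatar.php", "image/jpeg", WEBSHELL))
    print("hardened stores:  ", hardened_accept("avatar.php", "image/jpeg", WEBSHELL))
    print("hardened stores:  ", hardened_accept("avatar.jpg", "application/octet-stream", JPEG_STUB))
```

Even the hardened handler only keeps a .php file off disk: a JPEG/PHP polyglot still arrives as <uuid>.jpg, so the upload directory must also be served with script execution disabled, and re-encoding the image (for example with Pillow) before storing it strips any embedded payload.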

CVE-2018-14568 (suricata)

Suricata before 4.0.5 stops TCP stream inspection upon a TCP RST from a server. This allows detection bypass because Windows TCP clients proceed with normal processing of TCP data that arrives shortly after an RST (i.e., they act as if the RST had not yet been received).
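To see why ending inspection at a server RST is a bypass rather than a harmless shortcut, here is a toy stream tracker (an added example, not Suricata code) run over a constructed packet sequence. The timestamps, the content match and the one-second window after the RST are assumptions for the demonstration; the point is that the same bytes are missed in the stop-on-RST mode and caught when inspection continues briefly after the RST.

```python
"""Toy stream tracker showing the CVE-2018-14568 bypass: a server-side RST that
ends inspection lets data sent right after it reach a Windows client uninspected.

Added example, not Suricata code. The packet sequences, timestamps, signature
and the one-second grace window are constructed assumptions for the demo.
"""
from collections import namedtuple

# direction is "to_client" (server -> client) or "to_server"; flags is a TCP flag string.
Packet = namedtuple("Packet", "ts direction flags payload")

SIGNATURE = b"cmd.exe /c"  # constructed content match standing in for a real rule


def inspect_to_client(packets, stop_on_rst, grace_seconds=1.0):
    """Reassemble server->client payload and report whether SIGNATURE appears.

    stop_on_rst=True  models the pre-4.0.5 behaviour: a server RST ends inspection.
    stop_on_rst=False keeps inspecting segments that arrive within grace_seconds
    of the RST, which a Windows client will still hand to the application.
    """
    stream = bytearray()
    rst_at = None
    for p in packets:
        if p.direction != "to_client":
            continue
        if "R" in p.flags:
            if stop_on_rst:
                break
            if rst_at is None:
                rst_at = p.ts
            continue
        if rst_at is not None and p.ts - rst_at > grace_seconds:
            break  # by now the client really has torn the connection down
        stream.extend(p.payload)
    return SIGNATURE in stream


REQUEST = Packet(0.000, "to_server", "PA", b"GET /update HTTP/1.1\r\nHost: example.test\r\n\r\n")
HEADERS = Packet(0.010, "to_client", "PA", b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n")
PAYLOAD = b"<script>shell.run('cmd.exe /c powershell ...')</script>"

# Malicious response split around an RST: the exploit segment lands 1 ms after it.
EVASION = [REQUEST, HEADERS, Packet(0.011, "to_client", "R", b""),
           Packet(0.012, "to_client", "PA", PAYLOAD)]

# Same RST, but the data arrives 2.5 s later: a client will have closed the socket by then.
LATE = [REQUEST, HEADERS, Packet(0.011, "to_client", "R", b""),
        Packet(2.511, "to_client", "PA", PAYLOAD)]

# No RST at all: both modes must see the payload.
PLAIN = [REQUEST, HEADERS, Packet(0.012, "to_client", "PA", PAYLOAD)]


if __name__ == "__main__":
    print("stop-on-RST sees exploit:  ", inspect_to_client(EVASION, stop_on_rst=True))   # False
    print("continue-after-RST sees it:", inspect_to_client(EVASION, stop_on_rst=False))  # True
```

The grace window is the simplification here: a real engine tracks per-direction state and the client's own behaviour rather than a fixed timer, but the failure mode is identical, which is why an IDS must not treat a RST as proof that the endpoint stopped consuming data.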

CVE-2016-10728 (suricata)

An issue was discovered in Suricata before 3.1.2. If an ICMPv4 error packet is received as the first packet on a flow in the to_client direction, it confuses the rule grouping lookup logic. The toclient inspection will then continue with the wrong rule group. This can lead to missed detection.

CVE-2018-1999007 (jenkins)

A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers with the ability to control the existence of some URLs in Jenkins to define JavaScript that would be executed in another user's browser when that other user views HTTP 404 error pages while Stapler debug mode is enabled.

CVE-2018-1999005 (jenkins)

A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in BuildTimelineWidget.java, BuildTimelineWidget/control.jelly that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions.

CVE-2018-1999001 (jenkins)

An unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. If Jenkins is started without this file present, it will revert to the legacy defaults of granting administrator access to anonymous users.

CVE-2018-1999002 (jenkins)

An arbitrary file read vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers to send crafted HTTP requests returning the contents of any file on the Jenkins master file system that the Jenkins master has access to.

CVE-2018-1999006 (jenkins)

An exposure of sensitive information vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Plugin.java that allows attackers to determine the date and time when a plugin HPI/JPI file was last extracted, which typically is the date of the most recent installation/upgrade.

CVE-2018-1999004 (jenkins)

An improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in SlaveComputer.java that allows attackers with Overall/Read permission to initiate agent launches, and abort in-progress agent launches.

TalosIntelligence.com is rolling out a new dispute system

At Cisco Talos, we need customers to be able to provide feedback at all times, whether it be about false positives, false negatives, or missed categories. Because we deal with an abundance of data across our platforms — such as IPS alerts, AMP alerts and more — feedback helps us test the efficacy of those alerts and systems promptly.

Today, there are several ways of doing this: calling Cisco Support (aka TAC), submitting a dispute through Talosintelligence.com, or securityhub.cisco.com, plus a myriad of other ways — each winding up in a different “system” for Talos to deal with on our side. The days of that confusion are numbered.

We’ve been silently working on a streamlined experience, not only for the customers but for our workflow as well.  We asked ourselves the question, “What is the easiest way we can enable a customer to get disputes to us, deal with it the fastest way possible, and get that information back to the customer in the most efficient manner?”

The merging of senderbase.org into talosintelligence.com started to make this easier. The merge allowed any user on the internet to look up the reputation of any IP or domain and see any information Talos has on that entry at the time. We enabled this through, what we call, the Talos Reputation Center. This not only gave users the ability to look something up manually, but also gave them information about who the highest volume senders were, or data by network owner or even by country.

This provided the ability for a customer to directly dispute the findings of our systems by clicking this link:




That would take the customer to our dispute support center.  Hundreds of tickets a week flow into this system and are processed by our team. This was carried over from the senderbase.org website, and was for non-customers.

Earlier this year, we set off on a journey to make filing disputes with Talos easy for customers and free users (senderbase.org legacy users) alike. We’re doing this through Talosintelligence.com.

Next week, we’ll be taking this a step further — we’re going to be changing how the dispute system functions. We will require users to log in with their CCO ID (Cisco Connection Online ID). We’ve had this in a silent beta for the past two weeks, and already more than 600 people have logged into Talosintelligence.com using their CCO ID.

Starting July 30, this will be mandatory for everyone wishing to file a dispute on Talosintelligence.com. If a user does not have a CCO ID through Cisco, they will be asked to create a guest account (which is free).

There are numerous benefits to this change. The new dispute system will link the dispute ticketing system and our analysts closely together. This will allow greater interactivity between our analysts and customers, allowing our customers to log into their account on Talosintelligence.com and see the resolution of every dispute they have ever filed through the new system. It will set the stage for further consolidation of ticketing systems later this year, which we will announce closer to the rollout.

We look forward to providing users with a better customer experience through the dispute system on the website. More information will be coming over the next couple of months during the rollout.

Facing the Fear of Public Speaking with Toastmasters

By: DaWane, Sales Director

Standing in front of 800 parents and fellow students to deliver the welcome address, thoughts swirled around in my head. My hands were shaky, my palms oozed with sweat and I had a death grip on the podium. They say I did well, but inside I was so uncomfortable I thought I might vomit.

That was my experience as a 16-year-old high school senior as president of the National Honor Society during a school function. And it was a moment when I swore I’d never, ever feel that way again.

My strategy? Avoid all circumstances that could even possibly place me in a position to feel so vulnerable. It worked, until I was promoted into sales leadership. Haunted by that moment in high school, I decided if public speaking was expected of me, I had two options: I could A) quit or B) tackle my fear head-on.

I chose option B. Thanks to McAfee Toastmasters, I am a skilled public speaker and am now heading up our office chapter in Plano.

Conquering My Fear of Public Speaking

I started overcoming my fears by seeking out opportunities to push myself out of my comfort zone—again, again and again. I presented to new hire classes. I volunteered to present at sales kick-offs. I even took a class called Acting for Non-Actors. Whatever gave me a chance to get more stage time, I was in.

About a year into my career at McAfee, I was invited to a humorous speech contest hosted by Toastmasters. I watched talented people deliver funny and well-done speeches. I thought to myself, “I can do that,” but the only way I’d know for sure was to give it a try.

Getting Involved and Growing with McAfee Toastmasters

Soon after, I realized McAfee had internal Toastmasters chapters in Santa Clara, Waterloo, India and Plano. I visited Plano Toastmasters, which validated my theory that public speaking is muscle memory: the more you do it, the better you become. More importantly, the more comfortable you become, the more you want to do it. It's a vicious cycle, but a good one.

But last year, the McAfee Toastmasters in Plano was in danger of dissolving. Knowing the difference practice makes and wanting to help others overcome their fears, I knew I couldn’t let that happen.

In a 1×1 with my VP, I shared the growth I had experienced in public speaking during my short tenure in Toastmasters and recalled the severe stage fright I had plowed through. He agreed that even if you're pretty good on stage, there is always room for improvement, and that this could be just as valuable to others. He assigned the resurrection of the McAfee Plano Toastmasters chapter to me as my own leadership development project.

Leading the Charge for Toastmasters

I worked with various McAfee executives to pitch the value of a Toastmasters chapter and the benefits to individuals and the entire organization. In addition to improving your public speaking skills, Toastmasters brings opportunities to develop hands-on leadership experience—not only during chapter meetings but as a club officer or in district leadership.

Toastmasters resonated with enough people that we relaunched McAfee Plano Toastmasters in January 2018 starting with 21 members. Over the first 6 months of 2018, we successfully competed in speech contests. We recently signed our 42nd member and installed a new set of officers, who will lead our club going forward into the next wave of success. And for the first time ever, McAfee Toastmasters achieved “Distinguished” status.

A Long and Rewarding Journey

It has been an honor to be part of this resurrection story and to see the growth of our members—from each meeting held to each speech given. If you’ve ever had to give a speech and left the stage thinking, “Well, I’ll never do THAT again,” there is a solution.

For me, it was Toastmasters. I appreciate the learnings McAfee’s Plano chapter left me with and now the opportunity to lead and help others speak confidently in front of a crowd.

Interested in joining our teams? We’re hiring! Apply now!

The post Facing the Fear of Public Speaking with Toastmasters appeared first on McAfee Blogs.

CVE-2018-1999023 (the_battle_for_wesnoth)

The Battle for Wesnoth Project versions 1.7.0 through 1.14.3 contain a code injection vulnerability in the Lua scripting engine that can result in code execution outside the sandbox. This attack appears to be exploitable by loading specially crafted saved games, networked games, replays, and player content.

CVE-2018-1999024 (mathjax)

MathJax versions prior to 2.7.4 contain a Cross Site Scripting (XSS) vulnerability in the \unicode{} macro that can result in potentially untrusted JavaScript running within a web browser. This attack appears to be exploitable when the victim views a page where untrusted content is processed using MathJax. This vulnerability appears to have been fixed in 2.7.4 and later.

The next wave of computing is the intelligent edge and intelligent cloud


Take a look around your house, office or even the next store you visit, and you’ll start to notice that internet-connected devices are bringing us closer than ever before to a world of ubiquitous computing and ambient intelligence. As these Internet of Things (IoT) devices become increasingly commonplace, people will start to expect computing to be more integrated into their lives, to anticipate, understand and seamlessly meet their needs. They will expect software to respond to spoken natural language, gestures, body language and emotion, and for it to understand the physical world and the rich context surrounding each user as they navigate their personal life, their work and the world around them.

This trend has more promise than just bringing additional convenience, productivity and connections to our everyday lives. Smart sensors and devices are breathing new life into industrial equipment from factories to farms, helping us navigate and plan for more sustainable urban cities and bringing the power of the cloud to some of the world’s most remote destinations. With the power of artificial intelligence (AI) enabling these devices to intelligently respond to the world they are sensing, we will see new breakthroughs in critical areas that benefit humanity like healthcare, conservation, sustainability, accessibility, disaster recovery and more.

We call this next wave of computing the intelligent edge and intelligent cloud. When we take the power of the cloud down to the device – the edge – we provide the ability to respond, reason and act in real time and in areas with limited or no connectivity. As Satya shared at our Build developer conference, it’s still early days, but we’re starting to see how these new capabilities can be applied towards solving critical world challenges:

  • Increasing the world’s food supply: The world will need 70 percent more food, according to the U.N., to feed a global population of 9.6 billion in 2050. Farmers like Sean Stratman in Carnation, Washington, are using the intelligent edge to do precision agriculture with real-time intelligence on soil, even in remote areas with unreliable connectivity. Using Microsoft’s FarmBeats solution, which combines intelligence trained in the cloud to run on a drone, Sean created a heatmap of his land that served as a guide for him to plant the crops that will best perform in specific locations.
  • Ecological research and conservation: The intelligent edge creates opportunities to collect more accurate data in our research of natural disasters and threatened habitats. Smart sensors can collect data and act on events as they happen, providing researchers greater fidelity in their models and enabling them to take specific actions and make predictions that could improve conservation efforts. Disney Animal Kingdom is leveraging the intelligent edge to study the purple martin bird. They worked with Microsoft to develop hundreds of tiny “smart houses” in Disney’s Animal Kingdom to learn more about the species and help inspire a new generation of conservationists in the parks. The scientists have unprecedented insight now into the nesting behavior of the purple martins.
  • Reducing waste and improving safety in energy: The world depends on natural resources to produce energy. Because these resources are limited, it is critical that energy companies leverage technology to increase efficiency. Schneider Electric is using the intelligent edge in oil fields to monitor and configure pump settings and operations remotely, only sending personnel onsite when necessary for repair or maintenance, for example when intelligent pump monitoring indicates that something will go wrong. This contributes to overall worker safety and improved resource management.

We need to give all organizations and developers the tools to build these kinds of increasingly ambitious solutions that span the intelligent edge and intelligent cloud.  Moreover, these tools must give developers strong security foundations and help them to place security at the very core of their solutions. Devices on the edge handle some of our most sensitive business and personal data in our homes, workplaces, and sometimes in physically remote places.

To protect data wherever it lives, security needs to be baked in from the silicon to the cloud. This has been one of the central design principles of Microsoft’s intelligent edge products and services. Azure Sphere is our intelligent edge solution to power and protect connected microcontroller unit (MCU)-powered devices. There are 9 billion of these MCU-powered devices shipping every year, which power everything from household stoves and refrigerators to industrial equipment. With more processing power than traditional MCUs and a holistic security approach, we believe Azure Sphere will make our increasingly connected world safer. In addition, Azure IoT Edge enables you to run cloud intelligence directly on IoT devices and includes security from device provisioning and management to hardware and cloud services that run on top of the devices. Azure Stack, just one of our many tools to power hybrid scenarios, offers customers the flexibility to securely deploy in the cloud, on-premises or at the intelligent edge.

In the past three months, we introduced Azure Sphere at RSA; announced a powerful application developer experience with Visual Studio for Azure Sphere to accelerate innovation at the outer edge, as well as new IoT edge capabilities and partnerships at Build; and shipped Azure IoT Edge general availability last month. This is all part of our commitment to intelligent edge innovation and our broader $5 billion investment in IoT to empower our customers and partners. We have more exciting updates around the corner and look forward to seeing what our customers and partners build.


The post The next wave of computing is the intelligent edge and intelligent cloud appeared first on The Official Microsoft Blog.

CVE-2018-1999013 (ffmpeg)

FFmpeg before commit a7e032a277452366771951e29fd0bf2bd5c029f0 contains a use-after-free vulnerability in the RealMedia demuxer that allows an attacker to read heap memory. This attack appears to be exploitable via a specially crafted RM file provided as input. This vulnerability appears to have been fixed in a7e032a277452366771951e29fd0bf2bd5c029f0 and later.

CVE-2018-1999020 (onos)

Open Networking Foundation (ONF) ONOS version 1.13.2 and earlier contains a directory traversal vulnerability in core/common/src/main/java/org/onosproject/common/app/ApplicationArchive.java line 35 that can result in arbitrary file deletion (overwrite). This attack appears to be exploitable via upload of a specially crafted zip file.
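The ONOS entry above describes the archive-extraction traversal class (often called zip slip): a member name such as ../../etc/passwd is joined to the extraction directory and written outside it. The following is an added example, not ONOS code (which is Java) and not derived from the line the advisory cites. It shows the two checks a safe extractor needs, a lexical check on the member name and a canonical-path check against the extraction root, and validates the entire archive before writing anything. Both archives are constructed in memory; the names and paths are illustrative.

```python
import io
import os
import tempfile
import zipfile
from pathlib import PurePosixPath


class UnsafeArchiveEntry(ValueError):
    """An archive member would land outside the extraction root."""


def is_safe_member(name: str) -> bool:
    """Lexical check on a member name before it touches the filesystem.

    Rejects empty names, absolute paths, Windows drive letters and any '..'
    component. Backslashes are normalised first so 'a\\..\\b' is not missed.
    """
    normalised = name.replace("\\", "/")
    path = PurePosixPath(normalised)
    if not path.parts or path.is_absolute():
        return False
    if len(normalised) > 1 and normalised[1] == ":":
        return False
    return ".." not in path.parts


def resolved_target(root: str, name: str) -> str:
    """Join, canonicalise and confirm the result is still under root.

    The realpath comparison is the second, filesystem-aware check: it also
    catches escapes through symlinks that already exist under root.
    """
    if not is_safe_member(name):
        raise UnsafeArchiveEntry(name)
    root_abs = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_abs, name))
    if os.path.commonpath([root_abs, target]) != root_abs:
        raise UnsafeArchiveEntry(name)
    return target


def safe_extract(zip_bytes: bytes, root: str) -> list:
    """Extract an archive, refusing the whole thing if any member is unsafe.

    Every member is validated before anything is written, so a traversal
    entry late in the archive cannot leave a half-extracted tree behind.
    Only regular files and directories are materialised.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        plan = [(info, resolved_target(root, info.filename)) for info in zf.infolist()]
        written = []
        for info, target in plan:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def build_archive(members: dict) -> bytes:
    """Build a zip in memory. zipfile happily writes '..' member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a benign application bundle and one carrying a
# traversal entry of the kind a zip-slip payload would contain.
BENIGN = build_archive({"app/app.xml": b"<app/>", "app/lib/a.jar": b"PK"})
MALICIOUS = build_archive({"app/app.xml": b"<app/>", "../../etc/passwd": b"root::0:0"})


def demo() -> tuple:
    """Extract both samples into a scratch directory.

    Returns (files written from BENIGN, whether MALICIOUS was rejected).
    """
    with tempfile.TemporaryDirectory() as root:
        count = len(safe_extract(BENIGN, root))
        try:
            safe_extract(MALICIOUS, root)
            rejected = False
        except UnsafeArchiveEntry:
            rejected = True
    return count, rejected


if __name__ == "__main__":
    print(demo())
```

The lexical check alone is not enough on its own: a member name can be clean while a symlink planted under root by an earlier member redirects the write, which is why the realpath comparison runs per member as well. Validating the whole manifest first also turns a partial write into a clean refusal, which matters when, as in the advisory, the effect of a bad entry is overwriting or deleting an existing file.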

CVE-2018-1999015 (ffmpeg)

FFmpeg before commit 5aba5b89d0b1d73164d3b81764828bb8b20ff32a contains an out-of-array read vulnerability in the ASF_F format demuxer that can result in heap memory reading. This attack appears to be exploitable via a specially crafted ASF file provided as input. This vulnerability appears to have been fixed in 5aba5b89d0b1d73164d3b81764828bb8b20ff32a and later.

CVE-2018-1999018 (pydio)

Pydio version 8.2.1 and prior contains an unvalidated user input vulnerability leading to Remote Code Execution (RCE) in plugins/action.antivirus/AntivirusScanner.php line 124, scanNow($nodeObject), through which an attacker who has gained admin access can execute arbitrary commands on the underlying OS. This attack appears to be exploitable when the attacker edits the Antivirus Command in the antivirus plugin and triggers the payload by uploading any file within Pydio.

CVE-2018-1999017 (pydio)

Pydio version 8.2.0 and earlier contains a Server-Side Request Forgery (SSRF) vulnerability in plugins/action.updater/UpgradeManager.php line 154, getUpgradePath($url), that allows an authenticated admin user to make the server request arbitrary URLs, pivoting requests through the server. This attack appears to be exploitable when an attacker with access to an administrative account enters a URL into the Upgrade Engine and reloads the page or presses "Check Now". This vulnerability appears to have been fixed in 8.2.1.
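The SSRF entry above is the general "server fetches a URL an administrator typed in" pattern. As an added example, not Pydio code and not a description of its fix, here is the guard a practitioner would put in front of such a fetch: scheme and port allow-lists, a host allow-list, rejection of embedded credentials, and a check that every address the host resolves to is publicly routable, returning the checked address so the fetch connects to it rather than re-resolving. The two allow-listed hosts under the reserved .invalid TLD and the FAKE_DNS answers are constructed so the example runs offline; 8.8.8.8 stands in for any public address.

```python
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Assumed policy for this example: the server-side fetch may only talk to two
# hypothetical hosts, over HTTPS, on the default port.
ALLOWED_HOSTS = {"updates.example.invalid", "mirror.example.invalid"}
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {443}


def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses, IPv4 or IPv6.

    Loopback, RFC 1918, link-local (including 169.254.169.254, the cloud
    metadata address), multicast and unspecified addresses all fail.
    """
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast


def system_resolver(host: str) -> list:
    """Resolve through the OS and return every address, not just the first."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_fetch_url(url: str, resolver: Callable[[str], Iterable[str]] = system_resolver) -> str:
    """Validate a user-supplied URL before the server fetches it.

    Returns the address the caller should connect to, so the fetch uses the
    answer that was checked rather than a fresh lookup (DNS rebinding).
    Raises ValueError with the reason on any policy failure.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL not allowed")
    host = parts.hostname
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not on allow-list: {host!r}")
    if (parts.port or 443) not in ALLOWED_PORTS:
        raise ValueError(f"port not allowed: {parts.port}")
    addresses = list(resolver(host))
    if not addresses:
        raise ValueError(f"{host} did not resolve")
    for ip in addresses:
        if not is_public_address(ip):
            raise ValueError(f"{host} resolves to non-public address {ip}")
    return addresses[0]


# Constructed DNS answers so the example runs offline. 8.8.8.8 stands in for
# any public address; the second host's answer also includes loopback.
FAKE_DNS = {
    "updates.example.invalid": ["8.8.8.8"],
    "mirror.example.invalid": ["8.8.8.8", "127.0.0.1"],
}


def fake_resolver(host: str) -> list:
    return FAKE_DNS.get(host, [])


def classify(url: str) -> str:
    """'allow:<ip>' or 'deny:<reason>' for a candidate URL, using FAKE_DNS."""
    try:
        return "allow:" + check_fetch_url(url, fake_resolver)
    except ValueError as exc:
        return "deny:" + str(exc)


if __name__ == "__main__":
    for candidate in [
        "https://updates.example.invalid/upgrade.json",
        "http://updates.example.invalid/upgrade.json",
        "https://169.254.169.254/latest/meta-data/",
        "https://updates.example.invalid@127.0.0.1/",
        "https://updates.example.invalid:8443/",
        "https://mirror.example.invalid/upgrade.json",
    ]:
        print(candidate, "->", classify(candidate))
```

The host allow-list is the control that actually closes the hole; the address check is defence in depth for the case where an allow-listed name is pointed at an internal address. Two caveats for anyone wiring this in: the HTTP client must not follow redirects (or must re-run the check on every hop), and it must connect to the returned address while sending the original host name for TLS and the Host header, otherwise a second DNS answer can undo the check.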

CVE-2018-1999009 (octobercms)

October CMS versions prior to Build 437 contain a Local File Inclusion vulnerability in modules/system/traits/ViewMaker.php#244 (makeFileContents function) that can result in sensitive information disclosure and remote code execution. This attack appears to be exploitable remotely if the /backend path is accessible. This vulnerability appears to have been fixed in Build 437.

CVE-2018-1999010 (ffmpeg)

FFmpeg before commit cced03dd667a5df6df8fd40d8de0bff477ee02e8 contains multiple out-of-array access vulnerabilities in the MMS protocol handler that can result in attackers accessing out-of-bounds data. This attack appears to be exploitable via network connectivity. This vulnerability appears to have been fixed in cced03dd667a5df6df8fd40d8de0bff477ee02e8 and later.

CVE-2018-1999011 (ffmpeg)

FFmpeg before commit 2b46ebdbff1d8dec7a3d8ea280a612b91a582869 contains a buffer overflow vulnerability in the asf_o format demuxer that can result in a heap buffer overflow and possibly remote code execution. This attack appears to be exploitable via a specially crafted ASF file provided as input to FFmpeg. This vulnerability appears to have been fixed in 2b46ebdbff1d8dec7a3d8ea280a612b91a582869 and later.

CVE-2018-1999016 (pydio)

Pydio version 8.2.0 and earlier contains a Cross Site Scripting (XSS) vulnerability in ./core/vendor/meenie/javascript-packer/example-inline.php line 48 and ./core/vendor/dapphp/securimage/examples/test.mysql.static.php lines 114 and 118 that can result in an unauthenticated remote attacker manipulating the web client via XSS code injection. This attack appears to be exploitable via the victim opening a specially crafted URL. This vulnerability appears to have been fixed in version 8.2.1.

CVE-2018-1999008 (october_cms)

October CMS versions prior to build 437 contain a Cross Site Scripting (XSS) vulnerability in the Media module's create-folder functionality: an authenticated user with Media module permission can create a folder whose name contains arbitrary XSS content. This vulnerability appears to have been fixed in build 437.

CVE-2018-1999014 (ffmpeg)

FFmpeg before commit bab0716c7f4793ec42e05a5aa7e80d82a0dd4e75 contains an out-of-array access vulnerability in the MXF format demuxer that can result in DoS. This attack appears to be exploitable via a specially crafted MXF file provided as input. This vulnerability appears to have been fixed in bab0716c7f4793ec42e05a5aa7e80d82a0dd4e75 and later.

CVE-2018-1999012 (ffmpeg)

FFmpeg before commit 9807d3976be0e92e4ece3b4b1701be894cd7c2e1 contains a CWE-835 infinite loop vulnerability in the PVA format demuxer that allows attackers to consume excessive resources such as CPU and RAM. This attack appears to be exploitable via a specially crafted PVA file provided as input. This vulnerability appears to have been fixed in 9807d3976be0e92e4ece3b4b1701be894cd7c2e1 and later.

CVE-2018-1999021 (gleezcms)

Gleezcms Gleez CMS version 1.3.0 contains a Cross Site Scripting (XSS) vulnerability in the profile page that allows injection of arbitrary web script or HTML via the profile page editor. This attack appears to be exploitable when the victim navigates to the attacker's profile page.

How My McAfee Internship Launched My Career

By: Ruby, Digital Media Specialist

It’s often assumed that interns are college undergraduates on a temporary assignment. I’m an exception to the rule in both respects. I started as a McAfee intern while I was a part-time graduate MBA student at Santa Clara University. Through my internship, I secured a full-time position on McAfee’s Digital Media team.

A Life-Changing Experience

My internship at McAfee has literally changed my life. I’ve been able to explore various aspects of marketing—starting out in Digital Content Operations where I helped with website content and design—and later transitioning to the Digital Media team. It was here that I discovered my love for digital media, found my niche in marketing and earned my position as a full-time McAfee employee.

I love my work, but over the three years I have been at McAfee, there are two primary reasons why I’ve never considered moving on: the people and culture. There’s a real opportunity at McAfee to build an exciting career, even from a standing start as an intern.

When I started my internship at McAfee, I worked with a group of marketing interns and had the opportunity to create relationships with everyone on the Content Marketing team. Several co-workers took me under their wing which helped me tremendously and was key in enabling me to advance to where I am today. McAfee has a unique culture full of learning, innovation, excellence, and challenge—with everyone supporting each other.

Out and About for McAfee

McAfee makes it a point to send interns to conferences and events. During my internship, I traveled to Black Hat USA in Las Vegas and RSA Conference in San Francisco, and twice attended MPower Cybersecurity Summit, a McAfee customer event in Las Vegas!

Black Hat was amazing and probably one of the best experiences I’ve ever had. All four events opened my eyes to the power of real-time social media, as well as the importance of cybersecurity to enterprises and individuals alike.

Wearing Many Hats: A Balancing Act

I am often asked how I balance full-time employment with school and everything else in life. While the answer may seem simple (good time management and stress relief outlets!), anyone who wears multiple hats knows that life can be a balancing act. To tackle stress, it’s all about working out for me! In addition to working at McAfee and pursuing my school studies, I’m a half marathon, triathlon and swim coach.

The culture at McAfee has been a huge gift. My managers understand the challenges I face and the benefits my MBA will bring both to me and the company. They have been very supportive of my school schedule along the way.

McAfee helped me launch my career and find work that I’m passionate about while pursuing higher education. I have an exciting and challenging career path ahead of me and I’ve made several lifelong friendships that would never have happened if it were not for McAfee. It’s a great place to be and I am thankful to be here!

For more stories like this, follow @LifeAtMcAfee on Instagram and @McAfee on Twitter to see what working at McAfee is all about.

Interested in joining our teams? We’re hiring! Apply now!

The post How My McAfee Internship Launched My Career appeared first on McAfee Blogs.

CVE-2018-14563 (thulac)

An issue was discovered in libthulac.so in THULAC through 2018-02-25. "operator delete" is used on memory allocated with "operator new[]" in the TaggingLearner class in include/cb_tagging_learner.h, possibly leading to memory corruption.