Lastly, focusing on the vendor is a tired government cliche. Chronic internet security problems that go unsolved year after year, decade after decade, come from users failing, not vendors. Vendors quickly adapt, users don't. The most important solutions to today's IoT insecurities are to firewall and microsegment networks, something wholly within control of users, even home users. Yet government policy makers won't consider the most important solutions, because their goal is less cybersecurity itself and more how cybersecurity can further their political interests.
- Identify and examine/analyse/assess/evaluate your information risks;
- Decide how to treat them (avoid, mitigate, share and/or accept);
- Treat them however you like: it is YOUR decision, and you should be willing to justify your decision … but I generally recommend prioritizing and treating the most significant risks first and best, working systematically down towards the trivia where the consequences of failing to treat them so efficiently and effectively are of less concern;
- For risks you decide to mitigate with controls, choose whatever controls suit your situation. Aside from Annex A, there are many other sources of potential controls, any of which might be more suitable and that’s fine: go right ahead and use whatever controls you believe mitigate your information risks, drawing from Annex A or advice from NIST, DHS, CSA, ISACA, a friend down the pub, this blog, whatever. It is your choice. Knock yerself out;
- If they challenge your decisions, refer the certification auditors directly to the note under 6.1.3 b): “Organizations can design controls as required, or identify them from any source.” Stand your ground on that point and fight your corner. Despite the other ambiguities, I believe that note expresses what the majority of SC27 intended and understood. If the auditors are really stubborn, demonstrate why your controls are at least as effective as, or better than, those suggested in Annex A;
- Perhaps declare the troublesome Annex A controls “Not applicable” because you prefer to use some other more appropriate control instead;
- As a last resort, declare that the corresponding risks are acceptable, at least for now, pending updates to the standard and clearer, more useful advice;
- Having supposedly treated the risks, check that the risk level remaining after treatment (“residual risk”) is acceptable, otherwise cycle back again, adjusting the risk treatment accordingly (e.g. additional or different controls).
Organizations around the world are undergoing transformation fueled by cloud, artificial intelligence, mixed reality and the Internet of Things. These technologies are helping businesses and society reach new heights – retail is becoming more personal, banking is becoming more seamless, and healthcare is becoming more predictive and preventive.
At the heart of these incredible stories of transformation – and more – are Microsoft partners. The Microsoft partner ecosystem is a group of hundreds of thousands of organizations driving positive, global impact. Building everything from line-of-business apps to industry-specific solutions on Dynamics 365 to gaming experiences, these companies are a natural extension of the team at Microsoft, delivering cutting-edge technology to millions of customers.
For Microsoft partners – their success is our success. We are squarely focused on delivering a true, two-way partnership with our partner network. It is with success and partnership in mind that, on the eve of Inspire 2018, I’m thrilled to announce new programs, tools and resources to help partners innovate, grow and differentiate their businesses.
Delivering innovation through apps and services
Whether they’re building apps or services, we know partners need access to the latest technology from Microsoft and guidance on how to extend that technology to build tailor-made solutions.
Today, we are announcing exciting new innovations in Microsoft 365, including a free version of Teams, new intelligent events capabilities, the Workplace Analytics teamwork solution and more. We are also announcing new cloud, apps and data technologies including Azure Data Box Disk, Azure Virtual WAN, Azure Firewall and more. We’re so excited to see how our partners will leverage these new offerings to help customers embrace and innovate in the modern workplace and continue to help customers in their journey to the cloud.
In addition to new technologies, we’re releasing new Digital Transformation eBooks, and practice-building playbooks, expanding on the popular resources already leveraged by tens of thousands of partners looking to build and enhance their practices.
Reach more customers to sell your solutions
In our third quarter, we noted that Azure revenue grew by 93 percent, with partners driving a considerable portion of that growth. To build on this great momentum, we’re doing two new things to fuel partner growth – leaning in on our marketplaces and enhancing AppSource as the entry point for selling with Microsoft, and enhancing our go-to-market benefits for partners to help them grow their businesses.
The new marketplace capabilities, available today, include integrated partner-to-partner solutions, private offers, and expanded consulting services. Each of these new capabilities provides partners new ways to get solutions in front of a bigger base of customers and to provide them with a better buying experience. There is no greater priority for us than connecting partners with customers.
We’re also providing greater flexibility and more opportunities to unlock new benefits that help partners go to market. Starting later this year, partners with competencies will have a choice of benefits packages based on their business focus. We’re expanding core benefits to include access to services that support generating leads, improving lead velocity and increasing close rates for app or service offerings.
Focus on differentiation to attract customers
We hear from partners that specialization is key to growth. This concept has been a cornerstone of our profitability guidance to partners and many have taken that message to heart. The ask to Microsoft, from partners and customers, is to do more to help customers find the right partners with the right solutions. Today, we’re announcing new ways for partners to demonstrate their proven expertise to customers with the introduction of new advanced specializations and the new Microsoft Azure Expert MSP initiative. Partners can now demonstrate that they have the right capabilities to help with specific customer business challenges.
Last year at Inspire, we initiated a transformation at Microsoft, and a new journey with our partners that continues together. We are here for our partners, we are working hard to prepare them for the future, and we are committed to their success. We are at a unique time when the combination of technology and opportunity brings us together, and we need to rely on each other more than ever. In the world of Digital Transformation, everyone needs an ecosystem, and a partnership with Microsoft is a partnership with our ecosystem. Together, we are in a position to take advantage of the unprecedented $4.5 trillion opportunity and unleash the power of true partnership to unlock incredible growth and success – for each other, and for our customers.
The post Inspire 2018: Opening doors for partner innovation, growth and differentiation appeared first on The Official Microsoft Blog.
The lion’s share of modern day communication happens online and for that, thanks to the hundreds of apps available. Whether it is news or videos, blogging or education, social media or gaming, entertainment or social movements – a lot is happening online, all the time.
In fact, social media apps have become the new ‘hangout’ zones for virtual citizens. After all, we live in a connected world and enjoy being online. But that may not always be good for tweens and teens, who are still too young to process everything coming at them. This can lead to stress.
Stress is not uncommon in our physical lives. We get stressed by our education, career, relationships and the environment. The same happens in the digital world. In the physical world, our responses to stress are primarily venting, having face-to-face spats or ignoring the issue. Not so in the digital world. In the virtual space, stress may arise from different causes and the repercussions may take on a viral form.
Why do children get stressed by social media? The common causes are:
- Peer pressure: THE most important reason for children being online is to connect with their friends. And to keep this friendship alive and kicking, they often blindly copy the group leaders, even if they are not comfortable with what they are doing
- FOMO (Fear of Missing Out): Teens, especially girls, have a competitive spirit when it comes to online presence and don’t want to be ‘the last to know’ so, they end up spending a lot of time online
- Keeping up with the Joneses: The same competitive spirit leads kids to spend hours posing and selecting the perfect pics to share online, or seeking approval from strangers. This is risky, as negative comments online can harm self-confidence
- Excessive sharing: When kids share a lot of their private information on social media, they leave themselves vulnerable to hacking, as well as opening themselves up to contact from inappropriate individuals online
- Cyberbullying: Most kids have witnessed or experienced some forms of cyberbullying and often end up as either perpetrators or victims or mute spectators. In all cases, this is a disturbing occurrence
- Lack of screen time limits: Lack of digital balance can have psychological effects and so digital usage rules are a must
- Lack of empathy: When children are not taught to respect others and their traditions, they do not develop empathy and may end up bullying those with differing views and lifestyles
- Exposure to inappropriate content or people: The wrong connections and information are a big source of stress
- Online spats: Differences crop up, leading to squabbles and heated exchanges. It gets complex when this is done in a public forum and strangers join in
- Disturbing global news: The slew of violent news often creates negative tension in the minds of youngsters, leaving them feeling confused and belligerent
Parenting plays a major role in helping children learn how to tackle social media stress. As parents, you know your children the best. Yes, even teens.
Observe them and if you note any change in their social media habits or general behaviour, talk to them. The earlier you start having frank one-to-one conversations, the easier it will be for you later. But before that, you may need to modify your own response to stress and learn to control your reactions. That way you will teach them a very important lesson without having to use a single word.
Help your kids fight social media stress:
- Accept differences: People are different and will have different opinions. Accept the differences and respect their values
- Be discerning: Life isn’t a bed of roses for anyone, so don’t let profiles fool you. Don’t judge someone by their bio and pictures
- Practice tact: When things get bitter, the decent thing to do is to agree to disagree and walk away. If you don’t react, it doesn’t mean you are the weak one; it means you are smart enough not to get provoked. However, if the meanness gets out of hand, be the strong one and report and block the account
- Practice digital balance: Limit screen time and have good friends in the real world who will always stand by you
- Be aware: The world will have both good and bad and growing up means learning to understand and accept this. Maturity is being able to stay true to values. Wisdom is knowing which is bad and avoiding it
Say goodbye to stress and lead a healthier and happier life online. Apply your values from your physical life in the digital one and practice STOP. THINK. CONNECT. And don’t forget! Use McAfee Total Protection on all connected devices to protect what you value the most.
The post Handling Social Media Stress – Pointers to Share with Your Teens appeared first on McAfee Blogs.
This blog post was co-written by Irfan Asrar.
English soccer fans have enthusiastically enjoyed the team’s current run in the World Cup, as the tune “Three Lions” plays in their heads, while hoping to end 52 years of hurt. Meanwhile a recent spyware campaign distributed on Google Play has hurt fans of the beautiful game for some time. Using major events as social engineering is nothing new, as phishing emails have often taken advantage of disasters and sporting events to lure victims.
“Golden Cup” is the malicious app that installs spyware on victims’ devices. It was distributed via Google Play, and “offered” the opportunity to stream games and search for records from the current and past World Cups. McAfee Mobile Security identifies this threat as Android/FoulGoal.A; Google has removed the malicious applications from Google Play.
Once Golden Cup is installed it appears to be a typical sporting app, with multimedia content and general information about the event. Most of this data comes from a web service without malicious activity. However, in the background and without user consent the app silently transfers information to another server.
Golden Cup collects a considerable amount of data from the victim’s device and uploads it in encrypted form:
- Phone number
- Installed packages
- Device model, manufacturer, serial number
- Available internal storage capacity
- Device ID
- Android version
- IMEI, IMSI
This spyware may be just the first stage of a greater infection due to its capability to load dex files from remote sources. The app connects to its control server and tries to download, unzip, and decrypt a second stage.
Android/FoulGoal.A detects when the screen is on or off and records this in its internal file scrn.txt, with the strings “on” or “off”, to track when users are looking at their screens.
The MQTT (Message Queuing Telemetry Transport) protocol serves as the communication channel between the device and the malicious server for sending and receiving commands.
User data is encrypted with AES before it is sent to the control server. The Cryptor class provides the encryption and decryption functionality through a shared doCrypto function, whose first parameter selects the mode: “1” for encryption and “2” for decryption.
The encryption key is generated dynamically with SecureRandom, so each device produces a unique value with which to obfuscate its data. The addKey function then embeds that key into the encrypted data, and the data is uploaded to the control server together with the key.
We believe the malware author applies this AES encryption to everything uploaded in order to evade detection by Google Bouncer and by network inspection products.
Our initial analysis suggests there were at least 300 infections, which we suspect occurred between June 8‒12, before the first World Cup matches began.
The second round
The second phase of the attack leverages an encrypted dex file. The file has a .data extension and is downloaded and dynamically loaded by the first-stage malware; it is decrypted with the same mechanism used for the encrypted uploads. The location of the decryption key can be worked out from the size of the contents and a fixed number present in the first-stage malware.
After decryption, we can see out.dex in zipped format. The dex file has spy functions to steal SMS messages, contacts, multimedia files, and device location from infected devices.
The second stage uses a different control server from the first stage, but the encryption methodology and the folder structure on the remote server are identical.
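The scheme described above (a per-upload SecureRandom key that addKey embeds in the uploaded data, and a second-stage key located from the content size plus a fixed number) is why this AES layer is obfuscation rather than confidentiality: anyone who knows the layout recovers the key from the blob itself. The following Go program is an added example written for this page, not code from the malware or from McAfee. The blob layout (key appended after the ciphertext, followed by a four-byte little-endian ciphertext length), the zero IV and the PKCS#7 padding are assumptions; the post does not document the real layout.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed upload layout (the post does not document the real one):
//
//	[AES-CBC ciphertext][16-byte key][4-byte little-endian ciphertext length]
//
// The key therefore sits at len(blob) - trailerLen - keyLen: "the size of the
// contents and a fixed number", as the post puts it for the second stage.
const (
	keyLen     = 16
	trailerLen = 4
)

// Fixed all-zero IV: an assumption, the post says nothing about IV handling.
var zeroIV = make([]byte, aes.BlockSize)

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad padded length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding byte")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// encryptAndEmbed is the malware side: a fresh random key per upload
// (SecureRandom on Android), AES-CBC encryption, and an addKey step that
// appends the key and a length trailer before the blob leaves the device.
func encryptAndEmbed(plain []byte) ([]byte, error) {
	key := make([]byte, keyLen)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plain)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, zeroIV).CryptBlocks(ct, padded)
	out := append(ct, key...)
	var trailer [trailerLen]byte
	binary.LittleEndian.PutUint32(trailer[:], uint32(len(ct)))
	return append(out, trailer[:]...), nil
}

// recoverUpload is the analyst side: locate the key from the blob size and
// the fixed trailer, then decrypt. No secret is needed, only the layout.
func recoverUpload(blob []byte) ([]byte, error) {
	if len(blob) < aes.BlockSize+keyLen+trailerLen {
		return nil, errors.New("blob too short for the assumed layout")
	}
	ctLen := int(binary.LittleEndian.Uint32(blob[len(blob)-trailerLen:]))
	keyOff := len(blob) - trailerLen - keyLen
	if ctLen != keyOff || ctLen%aes.BlockSize != 0 {
		return nil, errors.New("trailer does not match the assumed layout")
	}
	block, err := aes.NewCipher(blob[keyOff : keyOff+keyLen])
	if err != nil {
		return nil, err
	}
	pt := make([]byte, ctLen)
	cipher.NewCBCDecrypter(block, zeroIV).CryptBlocks(pt, blob[:ctLen])
	return pkcs7Unpad(pt)
}

func main() {
	// Constructed sample of the kind of device data the post lists.
	report := []byte(`{"imei":"000000000000000","model":"constructed-sample","android":"8.0"}`)
	blob, err := encryptAndEmbed(report)
	if err != nil {
		panic(err)
	}
	recovered, err := recoverUpload(blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("blob %d bytes, key at offset %d, recovered: %s\n",
		len(blob), len(blob)-trailerLen-keyLen, recovered)
}
```

The practical consequence for detection is the one the post draws: a network inspection product that only sees random-looking bytes learns nothing, but one that has modelled the blob layout for this family can decrypt every upload, because the key is never separated from the data it protects.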
We found one victim’s GPS location information and recorded audio files (.3gp) among the encrypted data on the control server.
We have also discovered two other variants of this threat created by the same authors and published to Google Play as dating apps. Although all the apps have been removed from Google Play, we still see indications of infections from our telemetry data, so we know these apps are active on some users’ devices.
Our telemetry data indicates that although users around the world have downloaded the app, the majority of downloads took place in the Middle East, most likely as a result of a World Cup–themed Twitter post in Hebrew directing people to download the app for a breakdown of the latest events.
McAfee Mobile Security users are protected against all the variants of this threat, detected as Android/FoulGoal.A.
The post Google Play Users Risk a Yellow Card With Android/FoulGoal.A appeared first on McAfee Blogs.
Protecting data and assets starts with the ability to identify with an acceptable level of certainty the people and devices requesting access to systems. Traditionally, identity has been established using a “secret handshake” (user ID and password) that gets the person or device through a gateway with access to permitted systems. Once through, few safeguards are in place to further confirm identity.
- Health and safety awareness (about the H&S legislation mostly)
- Health awareness (with much broader objectives about living healthier lifestyles, getting fit, reducing obesity, not smoking etc.)
- Illness awareness e.g. cancer, mental ill-health etc. (aiming to support sick people and get them to seek professional help ... such as the breast cancer awareness ad I'm hearing right now on NZ local radio)
- Safety awareness (such as driving more carefully ... a n d s l o w l y ... and preparing for various disasters)
- Political awareness (promoting the policies and objectives of political parties)
- Social awareness (mostly about or supporting 'disadvantaged' groups for various values and causes of disadvantage)
- Marketing and advertising of products, branding And All That (by far the most widespread, creative and successful form of awareness, I'd argue)
- Global awareness (on a wide range of global issues such as warming, poverty, trade, travel ...)
- Business awareness (ranging from tax and other compliance stuff to good business practices)
- Finance awareness (mostly marketing but some genuine efforts to help people manage their money and debts more effectively)
- Life awareness a.k.a. the education system generally, not just skool
- Trades and professions, with their courses and badges galore, plus codes of practice and so forth
- Celebrity awareness (Kardashian-itis, Trump-itis ...)
- Art awareness and appreciation
- Science awareness and appreciation
- Engineering awareness ....
- More: over to you! What have I missed?
Convenience often beats security where users are concerned. Take USB keys, for example. They’re a very handy way to transfer files between computers, but they’re also a huge security risk. IBM recently moved to take the drastic step of banning all removable storage devices (e.g. USB sticks, SD cards, flash drives) completely. Should others follow suit?
To explore this issue deeper, I spoke to Neha Thethi, senior cybersecurity analyst at BH Consulting. She said for an attacker who has physical access to the victim’s machine, USB sticks are an effective way to install malicious software on a device or a network. Human nature being what it is, unsuspecting users will often plug unknown drives into their computers. From there, attackers have multiple ways to compromise a victim’s machine.
In fact, a classic tactic for security experts to test an organisation’s security awareness levels is to drop infected USB drives in a public area as part of a ‘red team’ exercise. If a percentage of employees picks up a key and plugs it into their machine, it’s a useful indicator of gaps in that organisation’s security.
Alternatives for file sharing
In Neha’s experience, given the current file sharing technologies available, many employees don’t need to use USBs for general tasks anyway. “We have found that restricting USB keys can definitely work. Most users in an organisation don’t really need access to those ports,” she said. Even where colleagues might need to share documents, it’s easier and safer to use a cloud service approved by their organisation.
But before banning USBs (or other removable media) outright, Neha recommends taking these five steps:
- Discover what data you have
- Know where you are storing the data
- Classify the data according to its importance
- Carry out a risk assessment for the most important data
- Protect the data based on the level of risk – including encryption if necessary.
A company can take some of the steps by itself, but it’s best to use the experience of a security specialist within the company or a third party to carry out the security risk assessment. “The assessment should be conducted with the help of an expert team based on the type of industry and service you provide. Otherwise, you end up with an inaccurate picture of the security risks the organisation faces,” she said.
Prepare for pushback
If a USB ban is identified as a risk treatment measure, be prepared for pushback from some employees. Some of that will stem from company culture. Is the organisation reliant on rules, or do staff expect a degree of freedom? “Not everyone will give a round of applause for more security, because it is a hindrance and an extra step,” Neha warned. “Expect and anticipate pushback and therefore put in place incentives for blocking USBs. If people aren’t happy and are not on board with the change, it leads to them bending the rules.”
In some cases, there may be genuine exceptions to a no-USB rule. IBM itself faced pushback and is reportedly considering a few exemptions. Neha also gave the example of a media company that uses high-quality digital photographs for its work. While it restricted USB ports for all employees, it made an exception for its media person, who needed to transfer these high-quality images from the camera to a company device. Their specific role meant they got formal approval to have their USB port enabled.
Banning USB sticks should be workable in many cases, because better, more convenient and secure alternatives exist in the form of cloud sharing platforms. But like with the implementation of most security measures, it always helps to be prepared and plan for multiple scenarios.
The post Is banning USB drives the key to better security behaviour? appeared first on BH Consulting.
A key component of SD-WAN is its ability to secure unreliable Internet links and identify anomalous traffic flows.
SD-WAN technology providers are continuing to increase their native security features and to create robust ecosystems of network-security partners.
IT managers should consider their branch network security requirements and carefully evaluate the security capabilities of leading SD-WAN providers, including their native security features and their partnerships with network security providers.
To commemorate F-Secure’s 30th year of innovation, we’re profiling 30 of our fellows from our more than 25 offices around the globe.
The global village can be a pretty great place to live. But it can still be a challenge working across distances or boundaries – whether they be cultural, logistical, linguistic, or whatever else. It’s a challenge that F-Secure’s Jani Kallio has taken on since he joined the company with F-Secure’s acquisition of cyber security firm nSense in 2015.
“At nSense I started building our Security & Risk Management consulting practice as the Global Practice Leader. But during the 2 years since we joined F-Secure, I left that responsibility and my great team of 15 consultants, and transitioned to a business development role,” explains Jani. “Now, one of my key tasks is to prepare expansion opportunities for our consulting business through M&A.”
And Jani’s favorite part of this is finding common ground between different people – what he calls “a common language”. It’s something he’s been doing while based in London, since F-Secure acquired Digital Assurance Consulting – a small but reputable penetration testing company. Part of that process was his relocation to the city with his wife and daughter in summer 2017.
It’s a skill Jani uses to help F-Secure consulting expand further. “The best part of my job is when I’m able to identify similarities in cultures and untapped potentials which we could address together for mutual benefit,” said Jani. “When trying to motivate entrepreneurs into selling their company, it’s all about people. I need to sell the idea of F-Secure as a new home. It’s actually kind of a matchmaking process and it doesn’t work if you are not able to sell a joint vision.”
The cyber security business is still all about security, and you have to know what it means to customers, but Jani thinks it might surprise some people how differently that is seen across industries.
“In a single day, I can be in talks about the technical details of a security vulnerability with a consultant, discounted cash flow variables with a M&A advisor, business strategies with a senior entrepreneur, and coverage of cyber insurance with a broker or underwriter. It is a privilege, really, to be involved in so many different fields with different people.”
In terms of career advice, Jani has a few suggestions on how people could progress in the cyber security business.
“Choose a team who you can learn from, preferably strong in other areas than your own background. Choose a boss who believes in you. Share what you know with the people around you. And never stop learning, because this world will never slow down to wait for you to catch up.”
And if you’re looking for a career that will take you to different countries, remember to find things you have in common with the people around you, because there are bound to be differences. Some of them are really small, an example Jani discovered from working in London.
“Londoners have lunch over their keyboards and eat a good 2 hours later than I’m used to. Most restaurants do not even serve proper lunch before 12:00 in Soho, which is one thing I’m still getting used to.”
After Jani’s interview, F-Secure announced the acquisition of MWR InfoSecurity, a privately held cyber security company with close to 400 employees and operating globally from its HQ in London and other offices in the UK, the US, South Africa and Singapore.
And check out our open positions if you want to join Jani and the hundreds of other great fellows fighting to keep internet users safe from online threats.
As part of our efforts to self-evaluate our backend systems, we closely monitor the behavioral reports produced by our dynamic analysis system. Every detection is, in fact, cross-checked and correlated with several other pieces of information, including the output from a number of static analyzers.
A few weeks ago a small anomaly started to creep in when analyzing malicious documents: executions spawning a rogue Equation Editor process (often linked to arbitrary code execution) were no longer triggering our internal static analyzers. It was as if the malicious documents were leveraging a new CVE, possibly one just added to a well-maintained document exploit builder (like the old Phantom exploit builder kit, or the Metasploit framework).
One of the malicious documents (sha1: cf63479cefc4984309e97ed71e34a078cbf21d6a) was obfuscated but the process snapshot was still clearly showing the exploitation of the same buffer overflow used by CVE-2017-11882. However, the header of the OLE object (as extracted by rtfobj) was clearly different.
This quickly explained why the static analyzer did not flag the known CVE: the strings commonly used to detect CVE-2017-11882 rely on either the class name or some other byte sequence that, as shown in Figure 1, is now missing. At this point, we decided to analyze the document in more detail.
OLE Object Analysis
The OLE object (as extracted by RTFScan and viewed by SS viewer) clearly shows that even its stream type is somewhat generic: normally an Equation Editor OLE object contains an EquationNative stream (as further explained here). Instead, the OLE stream is parsed as the more obscure Ole10Native (see Figure 2).
There are two interesting things happening here: (i) Equation Editor is still invoked to process the OLE object regardless of the OLE format, and (ii) Equation Editor is able to parse this new, generic format. As we show in Figure 3, the first is achieved because the CLSID is also specified inside the OLE object itself (the reader can find a nice walkthrough of how this is done here).
As for the stream itself, its type is not something we see every day. Equation Editor, on the other hand, seems to know this format quite well, and in fact parses the object without raising any issue: it selectively reads and tests specific bytes (the first and third byte of the MTEF header and the first two of the TYPESIZE header), and if the expected values are found (as shown in Figure 4), Equation Editor goes on to parse the FONT record as well, triggering once again the same buffer overflow that is normally exploited in CVE-2017-11882.
The vulnerability exploited to execute the shellcode is indeed CVE-2017-11882; as soon as the FONT record is parsed, the control flow is transferred to 0x445203.
At this address, a RET instruction is executed, transferring control to the shellcode stored in the buffer that takes the place of the FONT record (this exact method of executing shellcode is also used by CVE-2017-0802 and further explained here):
The shellcode also uses an interesting way to find itself in memory. Unlike other malicious documents exploiting CVE-2017-11882, this sample does not rely on the WinExec API to divert execution. Rather, it searches the OLE stream itself to locate the entry point of the shellcode. To succeed, it needs the following three hardcoded values:
- Address 0x0045BD3C: this address references an object that contains a pointer to another temporary structure (see Table 3 in Appendix for more details). This temporary structure points to the beginning Ole10Native stream as loaded in memory.
- Address 0x004667B0: this address points to the imported function GlobalLock.
- 0x11F: the entry point in the shellcode from where it will start executing.
These three values are then used as follows:
- First, the shellcode retrieves the handle of the memory object from 0x0045BD3C.
- Then the handle so retrieved is passed as parameter and used to invoke the GlobalLock API.
- The pointer returned references the first byte of the OLE stream in memory. The shellcode now knows where it is residing in the memory and starts executing from StartOfShellcode+0x11F.
The sample then downloads a file from hxxp://b.reich[.]io/hnepyp.scr, saves it to disk as name.exe, and executes it. We omit the analysis of this binary here, as it is yet another Pony variant. Readers interested in it will find the full VirusTotal report here (sha1: 2bcd81a9f077ff3500de9a80b469d34a53d51f4a); all IoCs are also listed in Table 1 in the Appendix.
Why Static Analysis is not Enough
While in some cases static analysis can detect whether a specific vulnerability is exploited, obfuscated samples often present quite a challenge even for the most sophisticated analyzer. In our case, a simple pattern match is not even possible: the only bits of information we can use to write a detection rule are the CLSID and the five bytes that are constant in the MathType OLE object (the OLE object used by Equation Editor).
A hypothetical static checker would need to:
- Extract the OLE object from the document
- Parse the OLE header and check if it is pointing to the Equation Editor CLSID
- Extract the Ole10Native stream
- Parse it and get the FONT record
- Check its actual length
- And finally, verify that the last four bytes of the buffer correspond to an address
This is not a trivial task if done statically, and outright impossible if only pattern matching is available (as is the case with YARA rules, for example). On the other hand, in Figure 6 we can see the full behavioral analysis when the sample is analyzed dynamically.
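The checker steps listed above, carried out on constructed Ole10Native bytes. This Go program is an added example written for this page, not Lastline’s tooling. The Ole10Native length prefix, the 5-byte MTEF header with its version and product bytes (Table 2), the 2-byte TYPESIZE record and the FONT record layout (tag 0x08, tface byte, style byte, NUL-terminated name) follow the public MTEF description; the 40-byte size of the overrun copy, the EQNEDT32 image range used to judge whether the tail “looks like an address”, and the sample bytes are assumptions, with only the address 0x445203 taken from the post.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// Layout assumed by this checker. The post names the fields; the offsets
// come from the public MTEF record description:
//
//	Ole10Native: 4-byte little-endian payload length, then the payload
//	MTEF header: 5 bytes; byte 0 version (0x02), byte 2 product (0x01 = Equation Editor)
//	TYPESIZE record: 2 bytes
//	FONT record: tag 0x08, tface, style, NUL-terminated font name
const (
	mtefHeaderLen = 5
	typeSizeLen   = 2
	fontTag       = 0x08

	// Size of the stack copy CVE-2017-11882 overruns. The post gives no
	// figure; 40 bytes plus a saved frame pointer before the return slot
	// is an assumption used for the threshold and for the sample below.
	vulnCopyLen = 40

	// EQNEDT32.EXE image range, inferred from the addresses quoted in the post.
	imageLo = 0x00400000
	imageHi = 0x004FFFFF
)

type Verdict struct {
	FontName   string
	CopyLen    int    // bytes the vulnerable copy writes (name plus NUL)
	Tail       uint32 // last four bytes of that copy, little-endian
	Overflow   bool   // copy longer than the destination buffer
	TailIsAddr bool   // tail lands inside the Equation Editor image
}

func (v Verdict) Suspicious() bool { return v.Overflow && v.TailIsAddr }

// checkOle10Native performs the static-checker steps from the post and
// refuses anything outside the layout it models rather than guessing.
func checkOle10Native(stream []byte) (Verdict, error) {
	var v Verdict
	if len(stream) < 4 {
		return v, errors.New("stream shorter than the Ole10Native length field")
	}
	n := binary.LittleEndian.Uint32(stream)
	if uint64(n) > uint64(len(stream)-4) {
		return v, fmt.Errorf("declared payload length %d exceeds stream", n)
	}
	payload := stream[4 : 4+n]
	if len(payload) < mtefHeaderLen+typeSizeLen+3 {
		return v, errors.New("payload too short for MTEF header, TYPESIZE and a FONT record")
	}
	if payload[0] != 0x02 || payload[2] != 0x01 {
		return v, errors.New("MTEF header is not the Equation Editor v2 signature")
	}
	rec := payload[mtefHeaderLen+typeSizeLen:]
	if rec[0] != fontTag {
		return v, fmt.Errorf("first record is tag 0x%02x, not FONT; other records are not modelled", rec[0])
	}
	name := rec[3:] // skip tag, tface, style
	end := bytes.IndexByte(name, 0)
	if end < 0 {
		return v, errors.New("font name is not NUL-terminated")
	}
	name = name[:end]
	copied := append(append([]byte{}, name...), 0) // what the vulnerable copy writes
	v.FontName = string(name)
	v.CopyLen = len(copied)
	v.Overflow = v.CopyLen > vulnCopyLen
	if v.CopyLen >= 4 {
		v.Tail = binary.LittleEndian.Uint32(copied[v.CopyLen-4:])
		v.TailIsAddr = v.Tail >= imageLo && v.Tail <= imageHi
	}
	return v, nil
}

// buildStream wraps a font name in the assumed object layout (constructed data).
func buildStream(fontName []byte) []byte {
	payload := []byte{0x02, 0x01, 0x01, 0x02, 0x00} // MTEF: v2, Windows, Equation Editor, version bytes (assumed)
	payload = append(payload, 0x0a, 0x01)          // TYPESIZE record (assumed values)
	payload = append(payload, fontTag, 0x5a, 0x5a) // FONT: tag, tface, style
	payload = append(payload, fontName...)
	payload = append(payload, 0x00)
	out := make([]byte, 4, 4+len(payload))
	binary.LittleEndian.PutUint32(out, uint32(len(payload)))
	return append(out, payload...)
}

func benignSample() []byte { return buildStream([]byte("Times New Roman")) }

// exploitSample: filler up to the return-address slot, then 0x00445203 in
// little-endian order; its high 0x00 byte doubles as the NUL terminator.
func exploitSample() []byte {
	name := bytes.Repeat([]byte{'A'}, vulnCopyLen+4)
	name = append(name, 0x03, 0x52, 0x44)
	return buildStream(name)
}

func main() {
	for _, s := range [][]byte{benignSample(), exploitSample()} {
		v, err := checkOle10Native(s)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("font=%q copy=%d tail=0x%08x suspicious=%v\n", v.FontName, v.CopyLen, v.Tail, v.Suspicious())
	}
}
```

Note what the checker has to do that a byte signature cannot: follow a length field, validate a header, skip a record, find a terminator and then reason about the length and the value of the copied bytes. Every one of those steps is a place where a small change in the builder (a different record order, a longer filler, another RET address) would require the rule to be rewritten, which is the post’s argument for executing the sample instead.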
The sample subject of our analysis did not use any new CVEs, but relied on an unexpected new way to deliver the old and well-known CVE-2017-11882. This particular way of delivering the exploit effectively evaded all static analyzers relying on OLE’s static information. As the exploit author managed to remove (intentionally?) all non-binary strings from the exploit data, he considerably raised the bar for a static analyzer to detect this specific exploit.
Having said that, Microsoft has already issued an advisory addressing this CVE, so the previous mitigations remain effective and still apply.
In conclusion, we verified whether MathType v7 (the successor of Equation Editor) was vulnerable to this parsing quirk when opening an Ole10Native stream, and we are glad to report that both DEP and ASLR are enabled for that binary. Those are exploit mitigations rather than a fix of the parser itself, but they defeat the RET-to-shellcode technique described above.
| Indicator of Compromise | Description |
|---|---|
| cf63479cefc4984309e97ed71e34a078cbf21d6a | SHA1 of the malicious document |
| 2bcd81a9f077ff3500de9a80b469d34a53d51f4a | SHA1 of the loki payload |
| hxxp://b.reich[.]io/hnepyp.scr | URL of the loki payload |

Table 1: IoCs discussed in the blog post.
| Offset | Length | Field | Value | Meaning |
|---|---|---|---|---|
| 0 | 1 | MTEF version | 0x2 | Version 2 |
| 2 | 1 | Generating product | 0x1 | 1 for Equation Editor |

Table 2: Ole10Native MTEF header.
| Offset | Length | Description |
|---|---|---|
| 0x0 | 4 | Handle to the memory object storing the Ole10Native stream in memory |
| 0x4 | 4 | Size in memory |
| 0x8 | 4 | Size in memory |
| 0x10 | 4 | Index of the byte which will be read next from the stream |

Table 3: Temporary structure format.
The post Evading Static Analyzers by Solving the Equation (Editor) appeared first on Lastline.