Daily Archives: October 11, 2018

DisruptOps: What Security Managers Need to Know About Amazon S3 Exposures (1/2)

As we spin up Disrupt:OPS we are beginning to post cloud-specific content over there, mixing theory with practical how-to guidance. Not to worry! We have plenty of content still planned for Securosis. But we haven’t added any staff at Securosis so there is only so much we can write. In the meantime, linking to non-product posts from Securosis should help ensure you don’t lose sleep over missing even a single cloud-related blog entry.

So here’s #1 from the Disrupt:Ops hit parade!

What Security Managers Need to Know About Amazon S3 Exposures (1/2)

The accidental (or deliberate) exposure of sensitive data on Amazon S3 is one of those deceptively complex issues. On the surface it seems entirely simple to avoid, yet despite wide awareness we see a constant stream of public exposures and embarrassments, combined with a healthy dollop of misunderstanding and victim blaming.

Read the full post at DisruptOps

- Rich

NBlog Oct 12 – evolving perspectives

We're slaving away this month on November's awareness materials about the information security aspects of cloud computing - an approach that was new and scary when we first covered it just a few years back.

These days, cloud computing has become an accepted, conventional, mainstream part of the IT and business worlds. Some of the information risks have materially changed but most are simply better understood today, meaning we are better able to predict their probabilities and impacts.

Hence I am re-drawing the generic Probability Impact Graph for cloud security, shifting the identified risks around, checking and adjusting the wording and hunting for any new ones.  

Those 'new ones' include information risks that:
  • We simply didn't identify when we last performed the risk analysis - oversights, failures in our risk identification process;
  • We identified but didn't include explicitly on the PIG, most likely because we didn't understand them well enough to figure them out, thought them too trivial even to mention, or considered them to be part of the risks shown;
  • Were literally not present at the time of our original risk analysis but have come into being subsequently.

The same thing happens routinely in our field due to frequent innovation - IoT being an obvious current example. When we next revise the IoT PIG, I wonder how the picture will change and what risks we'll add to the graph that didn't even feature before?

In addition to changing information risks, the information security controls also change over time. Some are completely new, others are refined or re-purposed, and some are downplayed or retired, perhaps replaced by different (hopefully more effective!) ones. And, behind all of this, the world around us is constantly moving on. The bigger picture of society, business and culture is also shifting.

... which all makes information security and security awareness both challenging and fun. There's always something new to raise, new perspectives, new angles to explore. Never a dull moment! 

New documents reveal details of the FBI’s dangerous practice of impersonating journalists

RCFP

FBI policy governing journalist impersonation, released by Reporters Committee for Freedom of the Press

Trust between journalists and their sources is paramount. When first approached by journalists, sources or subjects of stories can often be skeptical of a journalist’s motives—or even question whether they are really a journalist at all. Reporters often find themselves in life or death situations when speaking with members of armed militias, accused terrorists, government rebels, or in myriad other cases.

So every time a government agent impersonates a journalist to conduct its own investigation, they are putting countless other real journalists at physical risk.

Yet for years, the FBI has engaged in the impersonation of journalists and has defended its practice at the highest level—while keeping the exact policies that govern the tactic secret. Thanks to documents released as part of a Freedom of Information Act lawsuit by Reporters Committee for Freedom of the Press, we now know a little more.

Back in 2007, a man identifying himself as a reporter with the Associated Press approached a 15-year-old high school student online and asked him to review an article about threats to his school for accuracy. But he wasn’t a real reporter, and it wasn’t a real article.

Instead, the man was an FBI agent impersonating a journalist in an attempt to catch a suspect accused of making bomb threats. The faked article sent to the student included malware that revealed his computer’s location and IP address, allowing the FBI to confirm details about the suspect’s identity.

When this became public in 2015, backlash from the press and public was swift and intense. Press freedom advocates and the Associated Press itself raised serious concerns that this tactic could endanger journalists and undermine public trust in news gathering.

"This latest revelation of how the FBI misappropriated the trusted name of The Associated Press doubles our concern and outrage...about how the agency's unacceptable tactics undermine AP and the vital distinction between the government and the press," Kathleen Carroll, then-executive editor of the AP, said in a statement.

Despite the criticism, then-FBI director James Comey defended the agency impersonating journalists in the New York Times, and the FBI’s inspector general also signed off on the controversial practice.

In an even more disturbing incident in 2015, the FBI posed as a documentary film crew in order to gain the trust of a group of ranchers engaged in an armed standoff with the government. The fake crew recorded hundreds of hours of video and audio and spent months with the ranchers pretending to make a documentary.

In response to these harrowing incidents, Reporters Committee for Freedom of the Press (RCFP) has been working to uncover the details of the FBI’s tactic of impersonating journalists. It is engaged in multiple FOIA lawsuits about the practice—one that relates to the AP case from 2007, and one about impersonation of filmmakers, which led to this most recent disclosure.

This week, after fighting the government for years in court, they finally obtained the FBI’s internal policies for impersonating journalists.

The records show that in order to impersonate a journalist, an FBI field office is supposed to submit an application to do so with the Undercover Review Committee at FBI headquarters and it must be approved by the FBI Deputy Director after consultation with the Deputy Attorney General.

“We’ve understood for a long time that the FBI engages in this practice, so I think it’s helpful for the public to understand the internal rules it utilizes when engaging in it,” said Jen Nelson, a staff attorney at RCFP.

While we know the FBI has impersonated members of the press on multiple occasions, it’s possible that other agencies have also done so as part of their operations. Freedom of the Press Foundation has filed FOIA requests with over a dozen other federal agencies seeking more information.

RCFP continues to work to uncover the details and frequency of the FBI’s use of the tactic, which poses huge chilling effects for journalism.

The FBI’s own arguments in the case acknowledge the chilling effect on journalism presented by this tactic. In a motion of summary judgment obtained by Freedom of the Press Foundation, the agency argued that it should not be required to disclose details about other instances of media impersonation, on the grounds that “it would allow criminals to judge whether they should completely avoid any contacts with documentary film crews, rendering the investigative technique ineffective.”

“That’s our entire point,” said Nelson. “By impersonating members of the media, the FBI causes significant harm to the institution of journalism and undermines the practice.”

The FBI should immediately halt its use of the tactic, which poses real and significant dangers to journalists, who may have to deal with suspicion of being federal agents while going about their work. And the public also suffers when sources may be more reluctant to bring critical information to the press because they may not know who is a real journalist and who is fake.

If the agency refuses to do so, Congress has the ability to step in and ban the practice by law. Many lawmakers have defended press freedom in the face of attacks on it by the president, and this would be a powerful way to protect countless journalists nationwide.

Stolen Apple IDs reportedly used for mobile payment theft in China

Users of two major mobile payment services in China -- Alipay and WeChat Pay -- have reported unauthorized Apple App Store spending in recent days, with some losing nearly $300 through fraudulent transactions. The companies say that stolen Apple IDs are to blame, the Wall Street Journal reports, and Alipay has asked Apple to investigate. In the meantime, Alipay is telling its customers to minimize potential losses by reducing how much money can be used from their accounts without a password.

Via: 9to5Mac

How To Recover When Your Website Got Hacked

The array of easily available hacking tools out there now is astounding. Combined with self-propagating malware, it means people often come to me when their website has been hacked and they don’t know what to do, or even where to start.

Acunetix has come out with a very useful post with a checklist of actions to take and items to prepare to help you triage and react in the event of a compromise on one of your servers or websites.


AA18-284A: Publicly Available Tools Seen in Cyber Incidents Worldwide

Original release date: October 11, 2018

Summary

This report is a collaborative research effort by the cyber security authorities of five nations: Australia, Canada, New Zealand, the United Kingdom, and the United States.[1][2][3][4][5]

In it we highlight the use of five publicly available tools, which have been used for malicious purposes in recent cyber incidents around the world. The five tools are:

  1. Remote Access Trojan: JBiFrost
  2. Webshell: China Chopper
  3. Credential Stealer: Mimikatz
  4. Lateral Movement Framework: PowerShell Empire
  5. C2 Obfuscation and Exfiltration: HUC Packet Transmitter

To aid the work of network defenders and systems administrators, we also provide advice on limiting the effectiveness of these tools and detecting their use on a network.

The individual tools we cover in this report are limited examples of the types of tools used by threat actors. You should not consider this an exhaustive list when planning your network defense.

Tools and techniques for exploiting networks and the data they hold are by no means the preserve of nation states or criminals on the dark web. Today, malicious tools with a variety of functions are widely and freely available for use by everyone from skilled penetration testers, hostile state actors and organized criminals, to amateur cyber criminals.

The tools in this Activity Alert have been used to compromise information across a wide range of critical sectors, including health, finance, government, and defense. Their widespread availability presents a challenge for network defense and threat-actor attribution.

Experience from all our countries makes it clear that, while cyber threat actors continue to develop their capabilities, they still make use of established tools and techniques. Even the most sophisticated threat actor groups use common, publicly available tools to achieve their objectives.

Whatever these objectives may be, initial compromises of victim systems are often established through exploitation of common security weaknesses. Abuse of unpatched software vulnerabilities or poorly configured systems are common ways for a threat actor to gain access. The tools detailed in this Activity Alert come into play once a compromise has been achieved, enabling attackers to further their objectives within the victim’s systems.

How to Use This Report

The tools detailed in this Activity Alert fall into five categories: Remote Access Trojans (RATs), webshells, credential stealers, lateral movement frameworks, and command and control (C2) obfuscators.

This Activity Alert provides an overview of the threat posed by each tool, along with insight into where and when it has been deployed by threat actors. Measures to aid detection and limit the effectiveness of each tool are also described.

The Activity Alert concludes with general advice for improving network defense practices.

Technical Details

Remote Access Trojan: JBiFrost 

First observed in May 2015, the JBiFrost RAT is a variant of the Adwind RAT, with roots stretching back to the Frutas RAT from 2012.

A RAT is a program that, once installed on a victim’s machine, allows remote administrative control. In a malicious context, it can—among many other functions—be used to install backdoors and key loggers, take screen shots, and exfiltrate data.

Malicious RATs can be difficult to detect because they are normally designed not to appear in lists of running programs and can mimic the behavior of legitimate applications.

To prevent forensic analysis, RATs have been known to disable security measures (e.g., Task Manager) and network analysis tools (e.g., Wireshark) on the victim’s system.

In Use

JBiFrost RAT is typically employed by cyber criminals and low-skilled threat actors, but its capabilities could easily be adapted for use by state-sponsored threat actors.

Other RATs are widely used by Advanced Persistent Threat (APT) actor groups, such as Adwind RAT, against the aerospace and defense sector; or Quasar RAT, by APT10, against a broad range of sectors.

Threat actors have repeatedly compromised servers in our countries with the purpose of delivering malicious RATs to victims, either to gain remote access for further exploitation, or to steal valuable information such as banking credentials, intellectual property, or PII.

Capabilities

JBiFrost RAT is Java-based, cross-platform, and multifunctional. It poses a threat to several different operating systems, including Windows, Linux, Mac OS X, and Android.

JBiFrost RAT allows threat actors to pivot and move laterally across a network or install additional malicious software. It is primarily delivered through emails as an attachment, usually an invoice notice, request for quotation, remittance notice, shipment notification, payment notice, or with a link to a file hosting service.

Past infections have exfiltrated intellectual property, banking credentials, and personally identifiable information (PII). Machines infected with JBiFrost RAT can also be used in botnets to carry out distributed denial-of-service attacks.

Examples

Since early 2018, we have observed an increase in JBiFrost RAT being used in targeted attacks against critical national infrastructure owners and their supply chain operators. There has also been an increase in the RAT’s hosting on infrastructure located in our countries.

In early 2017, Adwind RAT was deployed via spoofed emails designed to look as if they originated from Society for Worldwide Interbank Financial Telecommunication, or SWIFT, network services.

Many other publicly available RATs, including variations of Gh0st RAT, have also been observed in use against a range of victims worldwide.

Detection and Protection

Some possible indications of a JBiFrost RAT infection can include, but are not limited to:

  • Inability to restart the computer in safe mode,
  • Inability to open the Windows Registry Editor or Task Manager,
  • Significant increase in disk activity and/or network traffic,
  • Connection attempts to known malicious Internet Protocol (IP) addresses, and
  • Creation of new files and directories with obfuscated or random names.

Protection is best afforded by ensuring systems and installed applications are all fully patched and updated. The use of a modern antivirus program with automatic definition updates and regular system scans will also help ensure that most of the latest variants are stopped in their tracks. You should ensure that your organization is able to collect antivirus detections centrally across its estate and investigate RAT detections efficiently.

Strict application whitelisting is recommended to prevent infections from occurring.

The initial infection mechanism for RATs, including JBiFrost RAT, can be via phishing emails. You can help prevent JBiFrost RAT infections by stopping these phishing emails from reaching your users, helping users to identify and report phishing emails, and implementing security controls so that the malicious email does not compromise your device. The United Kingdom National Cyber Security Centre (UK NCSC) has published phishing guidance.

Webshell: China Chopper 

China Chopper is a publicly available, well-documented webshell that has been in widespread use since 2012.

Webshells are malicious scripts that are uploaded to a target host after an initial compromise and grant a threat actor remote administrative capability.

Once this access is established, webshells can also be used to pivot to additional hosts within a network.

In Use

China Chopper is extensively used by threat actors to remotely access compromised web servers, where it provides file and directory management, along with access to a virtual terminal on the compromised device.

As China Chopper is just 4 KB in size and has an easily modifiable payload, detection and mitigation are difficult for network defenders.

Capabilities

China Chopper has two main components: the China Chopper client-side, which is run by the attacker, and the China Chopper server, which is installed on the victim web server but is also attacker-controlled.

The webshell client can issue terminal commands and manage files on the victim server. Its MD5 hash is publicly available (originally posted on hxxp://www.maicaidao.com).

The MD5 hash of the web client is shown in table 1 below.

Table 1: China Chopper webshell client MD5 hash

Webshell Client    MD5 Hash
caidao.exe         5001ef50c7e869253a7c152a638eab8a

The webshell server is uploaded in plain text and can easily be changed by the attacker. This makes it harder to define a specific hash that can identify adversary activity. In summer 2018, threat actors were observed targeting public-facing web servers that were vulnerable to CVE-2017-3066. The activity was related to a vulnerability in the web application development platform Adobe ColdFusion, which enabled remote code execution.

China Chopper was intended as the second-stage payload, delivered once servers had been compromised, allowing the threat actor remote access to the victim host. After successful exploitation of a vulnerability on the victim machine, the text-based China Chopper is placed on the victim web server. Once uploaded, the webshell server can be accessed by the threat actor at any time using the client application. Once successfully connected, the threat actor proceeds to manipulate files and data on the web server.

China Chopper’s capabilities include uploading and downloading files to and from the victim using the file-retrieval tool wget to download files from the internet to the target; and editing, deleting, copying, renaming, and even changing the timestamp, of existing files.

Detection and protection

The most powerful defense against a webshell is to avoid the web server being compromised in the first place. Ensure that all the software running on public-facing web servers is up-to-date with security patches applied. Audit custom applications for common web vulnerabilities.[6]

One attribute of China Chopper is that every action generates a hypertext transfer protocol (HTTP) POST. This can be noisy and is easily spotted if investigated by a network defender.

While the China Chopper webshell server upload is plain text, commands issued by the client are Base64 encoded, although this is easily decodable.

The adoption of Transport Layer Security (TLS) by web servers has resulted in web server traffic becoming encrypted, making detection of China Chopper activity using network-based tools more challenging.

The most effective way to detect and mitigate China Chopper is on the host itself—specifically on public-facing web servers. There are simple ways to search for the presence of the web-shell using the command line on both Linux and Windows based operating systems.[7]

To detect webshells more broadly, network defenders should focus on spotting both suspicious process execution on web servers (e.g., Hypertext Preprocessor [PHP] binaries spawning processes) and out-of-pattern outbound network connections from web servers. Typically, web servers make predictable connections to an internal network. Changes in those patterns may indicate the presence of a web shell. You can manage network permissions to prevent web-server processes from writing to directories where PHP can be executed, or from modifying existing files.

We also recommend that you use web access logs as a source of monitoring, such as through traffic analytics. Unexpected pages or changes in traffic patterns can be early indicators.
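The access-log monitoring recommended above can be turned into a simple check, shown here as an added example that is not part of the original alert: it flags server-side script paths that receive only POST requests, from very few clients, with no referring page. The log lines, host names, paths and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"'
)
# Extensions of pages the web server executes rather than serves as files.
SCRIPT_EXT = (".php", ".asp", ".aspx", ".jsp", ".jspx", ".cfm")


def _line(ip, minute, method, path, referer="-"):
    """Build one constructed log line (sample data only)."""
    return (f'{ip} - - [11/Oct/2018:09:{minute:02d}:00 +0000] '
            f'"{method} {path} HTTP/1.1" 200 512 "{referer}" "Mozilla/5.0"')


SITE = "https://shop.example/"  # hypothetical site
SAMPLE_LOG = (
    [
        # Normal page: fetched with GET, then posted to, by several users.
        _line("192.0.2.10", 0, "GET", "/login.php", SITE),
        _line("192.0.2.10", 1, "POST", "/login.php", SITE + "login.php"),
        _line("198.51.100.4", 2, "GET", "/login.php", SITE),
        _line("198.51.100.4", 3, "POST", "/login.php", SITE + "login.php"),
        # A single unreferred POST: below the volume threshold.
        _line("192.0.2.77", 8, "POST", "/contact.php"),
        "truncated or malformed line",
    ]
    # POST-only API endpoint, but many clients and linked from the site.
    + [_line(ip, 4, "POST", "/api/search.php?q=shoes", SITE)
       for ip in ("192.0.2.10", "198.51.100.4", "192.0.2.31") for _ in range(2)]
    # Unexpected page: POST only, one client, never linked from anywhere.
    + [_line("203.0.113.7", m, "POST", "/uploads/thumb.aspx")
       for m in range(10, 16)]
)


def profile_paths(lines):
    """Per script path: GET/POST counts, client IPs, referred requests."""
    stats = defaultdict(
        lambda: {"GET": 0, "POST": 0, "clients": set(), "referred": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m["path"].split("?", 1)[0].lower()
        if not path.endswith(SCRIPT_EXT):
            continue
        s = stats[path]
        if m["method"] in ("GET", "POST"):
            s[m["method"]] += 1
        s["clients"].add(m["ip"])
        if m["referer"] not in ("", "-"):
            s["referred"] += 1
    return stats


def suspicious_paths(lines, min_posts=5, max_clients=2):
    """Paths that are POST-only, unreferred and used by very few clients."""
    findings = []
    for path, s in profile_paths(lines).items():
        if (s["POST"] >= min_posts and s["GET"] == 0
                and len(s["clients"]) <= max_clients
                and s["referred"] == 0):
            findings.append((path, s["POST"], sorted(s["clients"])))
    return sorted(findings)


if __name__ == "__main__":
    for path, posts, clients in suspicious_paths(SAMPLE_LOG):
        print(f"review {path}: {posts} POSTs, no GETs, clients={clients}")
```

Because the check reads the server's own logs, it is unaffected by TLS on the wire; a hit is a lead for file-level inspection on the host, not proof of a webshell.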

Credential Stealer: Mimikatz 

Developed in 2007, Mimikatz is mainly used by attackers to collect the credentials of other users, who are logged into a targeted Windows machine. It does this by accessing the credentials in memory within a Windows process called Local Security Authority Subsystem Service (LSASS).

These credentials, either in plain text, or in hashed form, can be reused to give access to other machines on a network.

Although it was not originally intended as a hacking tool, in recent years Mimikatz has been used by multiple actors for malicious purposes. Its use in compromises around the world has prompted organizations globally to re-evaluate their network defenses.

Mimikatz is typically used by threat actors once access has been gained to a host and the threat actor wishes to move throughout the internal network. Its use can significantly undermine poorly configured network security.

In Use

Mimikatz source code is publicly available, which means anyone can compile their own versions of the new tool and potentially develop new Mimikatz custom plug-ins and additional functionality.

Our cyber authorities have observed widespread use of Mimikatz among threat actors, including organized crime and state-sponsored groups.

Once a threat actor has gained local administrator privileges on a host, Mimikatz provides the ability to obtain the hashes and clear-text credentials of other users, enabling the threat actor to escalate privileges within a domain and perform many other post-exploitation and lateral movement tasks.

For this reason, Mimikatz has been bundled into other penetration testing and exploitation suites, such as PowerShell Empire and Metasploit.

Capabilities

Mimikatz is best known for its ability to retrieve clear text credentials and hashes from memory, but its full suite of capabilities is extensive.

The tool can obtain Local Area Network Manager and NT LAN Manager hashes, certificates, and long-term keys on Windows XP (2003) through Windows 8.1 (2012r2). In addition, it can perform pass-the-hash or pass-the-ticket tasks and build Kerberos “golden tickets.”

Many features of Mimikatz can be automated with scripts, such as PowerShell, allowing a threat actor to rapidly exploit and traverse a compromised network. Furthermore, when operating in memory through the freely available “Invoke-Mimikatz” PowerShell script, Mimikatz activity is very difficult to isolate and identify.

Examples

Mimikatz has been used across multiple incidents by a broad range of threat actors for several years. In 2011, it was used by unknown threat actors to obtain administrator credentials from the Dutch certificate authority, DigiNotar. The rapid loss of trust in DigiNotar led to the company filing for bankruptcy within a month of this compromise.

More recently, Mimikatz was used in conjunction with other malicious tools in the NotPetya and BadRabbit ransomware attacks in 2017 to extract administrator credentials held on thousands of computers. These credentials were used to facilitate lateral movement and enabled the ransomware to propagate throughout networks, encrypting the hard drives of numerous systems where these credentials were valid.

In addition, a Microsoft research team identified use of Mimikatz during a sophisticated cyberattack targeting several high-profile technology and financial organizations. In combination with several other tools and exploited vulnerabilities, Mimikatz was used to dump and likely reuse system hashes.

Detection and Protection

Updating Windows will help reduce the information available to a threat actor from the Mimikatz tool, as Microsoft seeks to improve the protection offered in each new Windows version.

To prevent Mimikatz credential retrieval, network defenders should disable the storage of clear text passwords in LSASS memory. This is default behavior for Windows 8.1/Server 2012 R2 and later, but can be specified on older systems which have the relevant security patches installed.[8] Windows 10 and Windows Server 2016 systems can be protected by using newer security features, such as Credential Guard.

Credential Guard will be enabled by default if:

  • The hardware meets Microsoft’s Windows Hardware Compatibility Program Specifications and Policies for Windows Server 2016 and Windows Server Semi-Annual Branch; and
  • The server is not acting as a Domain Controller.

You should verify that your physical and virtualized servers meet Microsoft’s minimum requirements for each release of Windows 10 and Windows Server.

Password reuse across accounts, particularly administrator accounts, makes pass-the-hash attacks far simpler. You should set user policies within your organization that discourage password reuse, even across common level accounts on a network. The freely available Local Administrator Password Solution from Microsoft can allow easy management of local administrator passwords, preventing the need to set and store passwords manually.

Network administrators should monitor and respond to unusual or unauthorized account creation or authentication to prevent Kerberos ticket exploitation, or network persistence and lateral movement. For Windows, tools such as Microsoft Advanced Threat Analytics and Azure Advanced Threat Protection can help with this.

Network administrators should ensure that systems are patched and up-to-date. Numerous Mimikatz features are mitigated or significantly restricted by the latest system versions and updates. But no update is a perfect fix, as Mimikatz is continually evolving and new third-party modules are often developed.

Most up-to-date antivirus tools will detect and isolate non-customized Mimikatz use and should therefore be used to detect these instances. But threat actors can sometimes circumvent antivirus systems by running Mimikatz in memory, or by slightly modifying the original code of the tool. Wherever Mimikatz is detected, you should perform a rigorous investigation, as it almost certainly indicates a threat actor is actively present in the network, rather than an automated process at work.

Several of Mimikatz’s features rely on exploitation of administrator accounts. Therefore, you should ensure that administrator accounts are issued on an as-required basis only. Where administrative access is required, you should apply privileged access management principles.

Since Mimikatz can only capture the accounts of those users logged into a compromised machine, privileged users (e.g., domain administrators) should avoid logging into machines with their privileged credentials. Detailed information on securing Active Directory is available from Microsoft.[9]

Network defenders should audit the use of scripts, particularly PowerShell, and inspect logs to identify anomalies. This will aid in identifying Mimikatz or pass-the-hash abuse, as well as in providing some mitigation against attempts to bypass detection software.

Lateral Movement Framework: PowerShell Empire 

PowerShell Empire is an example of a post-exploitation or lateral movement tool. It is designed to allow an attacker (or penetration tester) to move around a network after gaining initial access. Other examples of these tools include Cobalt Strike and Metasploit. PowerShell Empire can also be used to generate malicious documents and executables for social engineering access to networks.

The PowerShell Empire framework was designed as a legitimate penetration testing tool in 2015. PowerShell Empire acts as a framework for continued exploitation once a threat actor has gained access to a system.

The tool provides a threat actor with the ability to escalate privileges, harvest credentials, exfiltrate information, and move laterally across a network. These capabilities make it a powerful exploitation tool. Because it is built on a common legitimate application (PowerShell) and can operate almost entirely in memory, PowerShell Empire can be difficult to detect on a network using traditional antivirus tools.

In Use

PowerShell Empire has become increasingly popular among hostile state actors and organized criminals. In recent years we have seen it used in cyber incidents globally across a wide range of sectors.

Initial exploitation methods vary between compromises, and threat actors can configure the PowerShell Empire uniquely for each scenario and target. This, in combination with the wide range of skill and intent within the PowerShell Empire user community, means that the ease of detection will vary. Nonetheless, having a greater understanding and awareness of this tool is a step forward in defending against its use by threat actors.

Capabilities

PowerShell Empire enables a threat actor to carry out a range of actions on a victim’s machine and implements the ability to run PowerShell scripts without needing powershell.exe to be present on the system. Its communications are encrypted and its architecture is flexible.

PowerShell Empire uses "modules" to perform more specific malicious actions. These modules provide the threat actor with a customizable range of options to pursue their goals on the victim’s systems. These goals include escalation of privileges, credential harvesting, host enumeration, keylogging, and the ability to move laterally across a network.

PowerShell Empire’s ease of use, flexible configuration, and ability to evade detection make it a popular choice for threat actors of varying abilities.

Examples

During an incident in February 2018, a UK energy sector company was compromised by an unknown threat actor. This compromise was detected through PowerShell Empire beaconing activity using the tool’s default profile settings. Weak credentials on one of the victim’s administrator accounts are believed to have provided the threat actor with initial access to the network.

In early 2018, an unknown threat actor used Winter Olympics-themed socially engineered emails and malicious attachments in a spear-phishing campaign targeting several South Korean organizations. This attack had an additional layer of sophistication, making use of Invoke-PSImage, a steganographic tool that will encode any PowerShell script into an image.

In December 2017, APT19 targeted a multinational law firm with a phishing campaign. APT19 used obfuscated PowerShell macros embedded within Microsoft Word documents generated by PowerShell Empire.

Our cybersecurity authorities are also aware of PowerShell Empire being used to target academia. In one reported instance, a threat actor attempted to use PowerShell Empire to gain persistence using a Windows Management Instrumentation event consumer. However, in this instance, the PowerShell Empire agent was unsuccessful in establishing network connections due to the HTTP connections being blocked by a local security appliance.

Detection and Protection

Identifying malicious PowerShell activity can be difficult due to the prevalence of legitimate PowerShell activity on hosts and the increased use of PowerShell in maintaining a corporate environment.

To identify potentially malicious scripts, PowerShell activity should be comprehensively logged. This should include script block logging and PowerShell transcripts.

Older versions of PowerShell should be removed from environments to ensure that they cannot be used to circumvent additional logging and controls added in more recent versions of PowerShell. This page provides a good summary of PowerShell security practices.[10]

The code integrity features in recent versions of Windows can be used to limit the functionality of PowerShell, preventing or hampering malicious PowerShell in the event of a successful intrusion.

A combination of script code signing, application whitelisting, and constrained language mode will prevent or limit the effect of malicious PowerShell in the event of a successful intrusion. These controls will also impact legitimate PowerShell scripts and it is strongly advised that they be thoroughly tested before deployment.

When organizations profile their PowerShell usage, they often find it is only used legitimately by a small number of technical staff. Establishing the extent of this legitimate activity will make it easier to monitor and investigate suspicious or unexpected PowerShell usage elsewhere on the network.

C2 Obfuscation and Exfiltration: HUC Packet Transmitter 

Attackers will often want to disguise their location when compromising a target. To do this, they may use generic privacy tools (e.g., Tor) or more specific tools to obfuscate their location.

HUC Packet Transmitter (HTran) is a proxy tool used to intercept and redirect Transmission Control Protocol (TCP) connections from the local host to a remote host. This makes it possible to obfuscate an attacker’s communications with victim networks. The tool has been freely available on the internet since at least 2009.

HTran facilitates TCP connections between the victim and a hop point controlled by a threat actor. Malicious threat actors can use this technique to redirect their packets through multiple compromised hosts running HTran to gain greater access to hosts in a network.

In Use

The use of HTran has been regularly observed in compromises of both government and industry targets.

A broad range of threat actors have been observed using HTran and other connection proxy tools to

  • Evade intrusion and detection systems on a network,
  • Blend in with common traffic or leverage domain trust relationships to bypass security controls,
  • Obfuscate or hide C2 infrastructure or communications, and
  • Create peer-to-peer or meshed C2 infrastructure to evade detection and provide resilient connections to infrastructure.

Capabilities

HTran can run in several modes, each of which forwards traffic across a network by bridging two TCP sockets. They differ in terms of where the TCP sockets are initiated from, either locally or remotely. The three modes are

  • Server (listen) – Both TCP sockets initiated remotely;
  • Client (slave) – Both TCP sockets initiated locally; and
  • Proxy (tran) – One TCP socket initiated remotely, the other initiated locally, upon receipt of traffic from the first connection.

HTran can inject itself into running processes and install a rootkit to hide network connections from the host operating system. Using these features also creates Windows registry entries to ensure that HTran maintains persistent access to the victim network.

Examples

Recent investigations by our cybersecurity authorities have identified the use of HTran to maintain and obfuscate remote access to targeted environments.

In one incident, the threat actor compromised externally-facing web servers running outdated and vulnerable web applications. This access enabled the upload of webshells, which were then used to deploy other tools, including HTran.

HTran was installed into the ProgramData directory and other deployed tools were used to reconfigure the server to accept Remote Desktop Protocol (RDP) communications.

The threat actor issued a command to start HTran as a client, initiating a connection to a server located on the internet over port 80, which forwards RDP traffic from the local interface.

In this case, HTTP was chosen to blend in with other traffic that was expected to be seen originating from a web server to the internet. Other well-known ports used included:

  • Port 53 – Domain Name System
  • Port 443 – HTTP over TLS/Secure Sockets Layer
  • Port 3306 – MySQL

By using HTran in this way, the threat actor was able to use RDP for several months without being detected.

Detection and Protection

Attackers need access to a machine to install and run HTran, so network defenders should apply security patches and use good access control to prevent attackers from installing malicious applications.

Network monitoring and firewalls can help prevent and detect unauthorized connections from tools such as HTran.

In some of the samples analyzed, the rootkit component of HTran only hides connection details when the proxy mode is used. When client mode is used, defenders can view details about the TCP connections being made.

HTran also includes a debugging condition that is useful for network defenders. In the event that a destination becomes unavailable, HTran generates an error message using the following format:

sprintf(buffer, "[SERVER]connection to %s:%d error\r\n", host, port2);

This error message is relayed to the connecting client in the clear. Network defenders can monitor for this error message to potentially detect HTran instances active in their environments.
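
As an added example (not part of the original advisory), the Python code below watches per-flow TCP payloads for the banner produced by the format string above and still finds it when the banner is split across segments. The flow tuples and payloads are constructed sample data, and the 512-byte carry-over limit is an assumption.

```python
import re
from collections import defaultdict

# Banner produced by the format string quoted in the advisory:
#   "[SERVER]connection to %s:%d error\r\n"
MARK = b"[SERVER]"
BANNER = re.compile(rb"\[SERVER\]connection to ([^\s:]{1,255}):(\d{1,5}) error\r\n")
MAX_TAIL = 512  # assumption: upper bound on bytes carried over per flow


class BannerScanner:
    """Finds the banner in per-flow TCP payloads, even when split across segments."""

    def __init__(self):
        self._tail = defaultdict(bytes)

    def feed(self, flow, payload):
        """Add one payload for `flow`; return the new (host, port) hits."""
        data = self._tail[flow] + payload
        hits, consumed = [], 0
        for m in BANNER.finditer(data):
            port = int(m.group(2))
            if port <= 65535:  # ignore text that cannot be a real port
                hits.append((m.group(1).decode("ascii", "replace"), port))
            consumed = m.end()
        rest = data[consumed:]
        start = rest.rfind(MARK)
        if start >= 0:
            keep = rest[start:]               # possible banner still in progress
        else:
            keep = rest[-(len(MARK) - 1):]    # the marker itself may be split
        self._tail[flow] = keep[-MAX_TAIL:]   # bounded memory per flow
        return hits

    def close(self, flow):
        """Drop state when the connection ends."""
        self._tail.pop(flow, None)


def scan(segments):
    """segments: iterable of (flow, payload). Returns [(flow, host, port), ...]."""
    scanner = BannerScanner()
    out = []
    for flow, payload in segments:
        out.extend((flow, host, port) for host, port in scanner.feed(flow, payload))
    return out


# Constructed sample: (src, sport, dst, dport) flow keys and payload bytes.
FLOW_A = ("203.0.113.7", 80, "10.0.0.5", 49152)
FLOW_B = ("10.0.0.9", 5432, "10.0.0.5", 49153)
SAMPLE_SEGMENTS = [
    (FLOW_A, b"\x03\x00\x00\x13[SERV"),
    (FLOW_B, b"FATAL: connection to server error\r\n"),
    (FLOW_A, b"ER]connection to 10.1.2.3:33"),
    (FLOW_A, b"89 error\r\n"),
]

if __name__ == "__main__":
    for flow, host, port in scan(SAMPLE_SEGMENTS):
        print(f"HTran error banner on {flow}: unreachable destination {host}:{port}")
```

The host and port recovered from the banner identify the destination the proxy was trying to reach, which gives responders a second address to investigate.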

 

Mitigations

There are several measures that will improve the overall cybersecurity of your organization and help protect it against the types of tools highlighted in this report. Network defenders are advised to seek further information using the links below.

Further information: invest in preventing malware-based attacks across various scenarios. See UK NCSC Guidance: https://www.ncsc.gov.uk/guidance/mitigating-malware.

Additional Resources from International Partners

Contact Information

NCCIC encourages recipients of this report to contribute any additional information that they may have related to this threat. For any questions related to this report, please contact NCCIC at

NCCIC encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on the NCCIC/US-CERT homepage at http://www.us-cert.gov/.

Feedback

NCCIC strives to make this report a valuable tool for our partners and welcomes feedback on how this publication could be improved. You can help by answering a few short questions about this report at the following URL: https://www.us-cert.gov/forms/feedback.

References

Revisions

  • October 11, 2018: Initial version



Sophos Mobile gets in sync with Google Cloud Identity

Onboarding new devices to management policy controls includes the important step of user authentication. That’s why we’re excited to be one of the launch partners for Google Cloud’s new secure LDAP feature, launched today at Google Next London. Sophos Mobile customers now have the option to validate their users’ identities with G Suite and Google […]

ICS Tactical Security Trends: Analysis of the Most Frequent Security Risks Observed in the Field

Introduction

FireEye iSIGHT Intelligence compiled extensive data from dozens of ICS security health assessment engagements (ICS Healthcheck) performed by Mandiant, FireEye's consulting team, to identify the most pervasive and highest priority security risks in industrial facilities. The information was acquired from hands-on assessments carried out over the last few years across a broad range of industries, including manufacturing, mining, automotive, energy, chemical, natural gas, and utilities. In this post, we provide details of these risks, and indicate best practices and recommendations to mitigate the identified risks.

Mandiant ICS Healthchecks

Mandiant ICS Healthchecks and penetration testing engagements include on-site assessments of customers' IT and ICS systems. The ICS Healthcheck consists of workshops and technical reviews. It captures the results in a final report that ranks discovered findings and vulnerabilities by risk using Mandiant’s Risk Rating method. During an onsite workshop with site technical experts, Mandiant develops a technical understanding of the subject control system(s), builds a network diagram of the control system, analyzes for potential vulnerabilities and threats, and assists with prioritizing recommended countermeasures to defend the environment.

Mandiant also collects and reviews packet captures of network traffic from the ICS environment to validate the network diagram constructed in the workshop and to identify any unexpected or undesirable deviations from the intended design. This traffic is also analyzed for evidence of compromise or misconfiguration of the ICS network/system. Mandiant inspects the deployed security technology for vulnerabilities and other architectural risks, such as inappropriately configured firewalls, dual-homed control system devices, and unnecessary connectivity to the business network or the Internet.

NOTE: Findings are discussed at a generalized level to preserve the anonymity of our customers. This post presents a high-level overview and is meant to be an informative first stop for customers interested in common cyber security issues. For more information or to request Mandiant services, please visit our website.

Methodology: Mandiant Risk Rating System

This blog post leverages information from Mandiant ICS Healthchecks, which evaluate cyber security risk in organizations from multiple industries. The rating of critical and high security risk is based on the Mandiant Risk Rating System, which is determined by identifying the exploitability and the impact of a given issue, and cross-referencing the results (Figure 1).


Figure 1: Impact/exploitability graphic

One Third of Security Risks in ICS Environments Ranked High or Critical

We reviewed findings from all of our risk assessments and then categorized and ranked the reported risks as critical or high, medium, low, or informational (Figure 2). At least 33 percent of the security issues we found in ICS organizations were rated as high or critical risk. This means they were most likely to allow adversaries to readily gain control of target systems and potentially compromise other systems or networks, cause disruption of services, disclose unauthorized information, or result in other significant negative consequences. We suggest immediate remediation for critical risks, and quick action to remediate high security risks.


Figure 2: Risk assessment distribution

Most Common High and Critical Security Risks in ICS Environments

FireEye iSIGHT Intelligence organized the critical and high security risks identified during Mandiant ICS Healthchecks into nine unique categories (Table 1). The three most common were:

  • Vulnerabilities, Patches, and Updates (32 percent)
  • Identity and Access Management (25 percent)
  • Architecture and Network Segmentation (11 percent)

In most of these cases, basic security best practices would be enough to stop (or at least make it more difficult for) threat actors to target an organization's systems. The implications are vast because specialized malware or actors targeting infrastructure would likely look for these flaws first to exploit throughout the targeted attack lifecycle.


Table 1: Distribution of high and critical security risks in ICS environments

Top Three High and Critical Risks and Recommended Mitigations

Vulnerabilities, Patches, and Updates

Vulnerability, patch, and update management procedures enable organizations to secure off-the-shelf software, hardware, and firmware from known security threats. Known vulnerabilities in ICS environments can be leveraged by threat actors to access the network and move laterally to execute targeted attacks. The following common risks were observed during our engagements:

  • Infrequent procedures for patching and updating control systems:
    • We encountered organizations with no formal vulnerability and patch management programs.
  • Out-of-date firmware, hardware, and operating systems (OS), including:
    • Network devices and systems such as switches, firewalls, and routers.
    • Hardware equipment, including desktop computers, cameras, and programmable logic controllers (PLCs).
    • Unsupported legacy operating systems such as Windows Server 2003, XP, 2000, and NT 4.
  • Unaddressed known vulnerabilities in software applications and equipment where patches are available:
    • We observed outdated firewalls with up to 53 unaddressed vulnerabilities and switches with more than 200 vulnerabilities.
    • System management software that can be exploited using known open source tools.
  • Lack of test environments to analyze patches and updates before implementation.

Mitigations

  • Develop a comprehensive ICS Vulnerability Management Strategy and include procedures to implement patches and updates on key assets. More information is provided by the National Institute for Standards and Technology's (NIST) Guide for ICS Security NIST SP800-82.
  • When patches and updates are no longer provided for key infrastructure, choose one of the two following options:
    • Implement a security perimeter around affected assets, protected by, at minimum, a firewall (industrial protocol inspection/blocking if appropriate) for access control and traffic filtering.
    • Decommission legacy devices that might be exploited to gain access to the network, such as switches.
  • Set up development systems or labs that are representative of the running IT and ICS devices. These systems can often be built from existing spares along with the purchase or loan of additional licenses for human-machine interfaces (HMIs) and configuration software from the system vendor. A development system is an excellent platform to test changes and patches, and on which to perform vulnerability scans without risk to active systems.

Identity and Access Management

The second most common category of security issues identified was related to the flaws in or absence of best practices for handling passwords and credentials. Common weaknesses identified by Mandiant include:

  • Lack of multi-factor authentication for remote access and critical accounts:
    • Users were able to remotely access ICS environments from the corporate network without requiring multi-factor authentication.
  • Lack of a comprehensive and enforced password policy:
    • Weak passwords with insufficient length or complexity used for privileged accounts, ICS user accounts, and service accounts.
    • Passwords were not changed frequently.
    • Passwords were reused for multiple accounts.
  • Prominently displayed passwords:
    • Passwords were written on the chassis of devices.
  • Hard-coded and default credentials in applications and equipment:
    • Mandiant discovered Remote Terminal Units (RTUs) containing default credentials, which are commonly available on the Internet and in the device manuals.
    • A modem contained a backdoor account incorporated by the manufacturer.
  • Commonly used “administrator” accounts.
  • Use of shared credentials.

Mitigations

  • Implement two-factor authentication for all possible users, especially administrative accounts.
  • Avoid keeping written copies of passwords and, if necessary, secure them out of sight with limited access for only authorized users.
  • Enforce password policies that require strong passwords that are regularly modified and cannot be reused. More information is available from SANS.
  • Avoid common, easily guessed user account names such as "operator," "administrator," or "admin." Instead, use uniquely named user accounts for all access.
  • Require administrative users to log in with uniquely named user accounts with strong passwords, tied back to an individual person.
  • Avoid shared accounts when feasible. However, if present, they should be hardened using strong passwords that are stored in an encrypted password manager.

Network Segregation and Segmentation

Of the top three risks identified in this post, weaknesses in network segregation and segmentation are the most important. Lack of segregation from the corporate IT network and within the ICS network allows threat actors opportunities to launch remote attacks against key infrastructure by moving laterally from IT services to ICS environments. Furthermore, it increases the risk of commodity malware spreading to ICS networks where the malware could interact with operational assets. The main risks identified by Mandiant included:

  • Plant systems accessible from the corporate network, either directly or through bridge devices (connected to both networks), such as unused servers, HMIs, historians, or loosely configured shared firewalls. We also found:
    • Unfiltered access to plant servers from corporate networks through, for example, a historian communicating with the distributed control system (DCS).
    • Missing segmentation between ICS and corporate networks.
    • Vulnerabilities in bridge devices (e.g., outdated appliances running vulnerable OS) that can enable lateral movement between networks.
    • Business functions (e.g., data backups and anti-virus updates) running on shared control system networks.
  • Dual-homed systems, both servers and desktop computers.
  • Industrial networks connected directly to the internet.

Mitigations

  • Segment all access to ICS with a network Demilitarized Zone (DMZ), as recommended by both NIST SP 800-82 and IEC (Figure 3):
    • Restrict the number of ports, services, and protocols used to establish communications between the ICS and corporate networks to the least possible to reduce the attack surface.
    • Terminate incoming access for both regular and administrative users first in the DMZ, and then establish another session with connectivity into the ICS network.
    • Place servers (or mirrored servers) that provide ICS data to the corporate network in the DMZ.
    • Use firewalls to filter all network traffic entering or leaving the ICS.
    • Firewall rules should filter both incoming traffic from the corporate network and outgoing traffic from the ICS, and they should only allow the minimum required amount of traffic to pass.
  • Isolate the control networks from the internet. A separate network should be used for internet access through a DMZ, and at no time should a bridged connection be allowed between the two networks.
  • Ensure that independent, regularly patched firewalls are used to separate the corporate network from the DMZ and ICS network, and review firewall rulesets on a regular basis.
  • Identify and redirect any non-control system traffic traversing the industrial network.
  • Eliminate all dual-homed servers and hosts.


Figure 3: Reference architecture for segmentation of enterprise and control system networks

Additional Highlights

Additional common risks were identified from other categories, but with less frequency.

Network Management and Monitoring

  • We identified the lack of Network Security Monitoring, Intrusion Detection, and Intrusion Prevention in organizations, including missing endpoint malware protection, leaving unused ports active, and having limited visibility into ICS networks. We recommend the following best practices:
    • A comprehensive network security monitoring strategy should be defined and implemented at the ICS level as part of an overarching ICS security program. Special attention should be placed on monitoring network segments where external connectivity occurs:
  • Implement or increase centralized system and network logging to provide visibility across the entire enterprise (IT and ICS). Monitor logs for anomalous behavior. Consider implementing additional host or network-based security controls that generate alerts or reject traffic based on anomalous or suspicious behavior.
  • Install a centrally managed anti-malware solution on all ICS and ICS DMZ hosts. Ensure that signature and application updates are deployed in a timely manner.
  • Explore alternatives for the deployment of an advanced endpoint protection solution that provides detection/prevention for malware and malicious activities that do not rely on signature-based detection methods.
  • Develop procedures to identify and shut down network ports when not in use.

Misconfigurations in Firewall Rules

We identified weak firewall rules including "ANY-ANY" configurations, conflicting or overlapping rules, overly permissive conditions allowing access to administrative services, and lack of console connection timeouts. We recommend the following best practices for secure firewall configuration:

  • Filtering rules should only allow access from/to specific source/destination IP addresses and ports.
  • Filter rules should specify a specific network protocol.
  • ICMP filter rules should specify a specific message type.
  • Filter rules should drop network packets instead of rejecting them.
  • Filter rules should perform a specific action and not rely on a default action.
  • Administrative session timeout parameters should be set to terminate those sessions after a predetermined amount of time.
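
The rule-level recommendations above can be checked mechanically. The following added example (not from the original post or from Mandiant) audits a constructed rule list for them. The normalized Rule format, the first-match ordering, the IPv4-only handling and the choice of ports 22, 23 and 3389 as "administrative services" are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY_NET = ipaddress.ip_network("0.0.0.0/0")
ADMIN_PORTS = {22, 23, 3389}  # assumption: SSH, Telnet, RDP


@dataclass
class Rule:  # hypothetical normalized form of an exported firewall rule
    name: str
    src: str                       # IPv4 CIDR or "any"
    dst: str                       # IPv4 CIDR or "any"
    proto: str                     # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]           # None means any port
    action: Optional[str]          # "allow", "drop", "reject"; None = default action
    icmp_type: Optional[int] = None


def _net(value):
    return ANY_NET if value == "any" else ipaddress.ip_network(value)


def _covers(a, b):
    """True if every packet matched by rule b is also matched by rule a."""
    return (_net(b.src).subnet_of(_net(a.src))
            and _net(b.dst).subnet_of(_net(a.dst))
            and a.proto in ("any", b.proto)
            and (a.dport is None or a.dport == b.dport)
            and (a.icmp_type is None or a.icmp_type == b.icmp_type))


def audit(rules):
    """Return [(rule_name, finding), ...] in rule order (first match wins)."""
    findings = []
    for i, r in enumerate(rules):
        src_any = _net(r.src) == ANY_NET
        dst_any = _net(r.dst) == ANY_NET
        if src_any and dst_any:
            findings.append((r.name, "any-any"))
        elif src_any or dst_any:
            findings.append((r.name, "unspecific-address"))
        if r.proto == "any":
            findings.append((r.name, "no-protocol"))
        elif r.proto in ("tcp", "udp") and r.dport is None:
            findings.append((r.name, "no-port"))
        elif r.proto == "icmp" and r.icmp_type is None:
            findings.append((r.name, "icmp-no-type"))
        if r.action is None:
            findings.append((r.name, "default-action"))
        elif r.action == "reject":
            findings.append((r.name, "reject-not-drop"))
        if (r.action == "allow" and src_any and r.proto in ("tcp", "any")
                and (r.dport is None or r.dport in ADMIN_PORTS)):
            findings.append((r.name, "admin-exposed"))
        # An earlier rule that already matches everything this rule matches
        # makes it redundant (same action) or conflicting (different action).
        for earlier in rules[:i]:
            if earlier.action is not None and _covers(earlier, r):
                kind = "redundant" if earlier.action == r.action else "conflict"
                findings.append((r.name, f"{kind}-with:{earlier.name}"))
                break
    return findings


# Constructed rule set for illustration.
SAMPLE_RULES = [
    Rule("hist-to-dmz", "10.20.0.5/32", "10.30.0.10/32", "tcp", 443, "allow"),
    Rule("legacy", "any", "any", "any", None, "allow"),
    Rule("rdp-block", "10.10.0.0/16", "10.30.0.0/24", "tcp", 3389, "reject"),
    Rule("ping", "10.20.0.0/24", "10.30.0.0/24", "icmp", None, "allow"),
    Rule("snmp", "10.20.0.0/24", "10.30.0.0/24", "udp", 161, None),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

In the sample, the broad "legacy" rule sits above "rdp-block", so the RDP restriction never takes effect; this is the kind of overlap the audit reports as a conflict.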

Cyber Security Governance Best Practices

We identified some organizations with limited or absent formal and comprehensive ICS security programs. We highly suggest organizations implement ICS security programs to prioritize the following recommendations:

  • Establish a formal ICS security program with a clearly defined owner, accountability, and governance structure. It should include:
    • Business expectations, policies, and technical standards for ICS security.
    • Guidance on proactive security controls (e.g., implementation of patches and updates, change management, or secure configurations).
    • Incident Response, Disaster Recovery, and Business Continuity plans.
    • ICS security awareness training plans.
  • Develop a Vulnerability Management Strategy following NIST SP800-82, including asset identification and inventory, risk assessment and analysis methodology (with prioritization of critical assets), remediation testing, and deployment guidelines.

Conclusion

This blog post presents a broad picture of the current risks facing industrial organizations as observed during Mandiant ICS Healthchecks. While the trends observed in this research align with risk areas commonly discussed in security conference talks and media reports, this blog draws from dozens of on-site assessments that hold real-life validity.

Our findings indicate that at least one third of the critical and high security risks in ICS are related to vulnerabilities, patches, and updates. Known vulnerabilities continue to represent significant challenges for ICS owners that must oversee the daily operation of thousands of assets in complex industrial environments. It is also relevant to highlight that some of the most common risks we identified could be mitigated with security best practices, such as enforcing a comprehensive password management policy or establishing detailed firewall rules. If you are interested in more information or to request Mandiant services, please visit our website.

GPlayed Trojan – .Net playing with Google Market

This blog post is authored by Vitor Ventura.

Introduction

In a world where everything is always connected, and mobile devices are involved in individuals' day-to-day lives more and more often, malicious actors are seeing increased opportunities to attack these devices. Cisco Talos has identified the latest attempt to penetrate mobile devices — a new Android trojan that we have dubbed "GPlayed." This is a trojan with many built-in capabilities. At the same time, it's extremely flexible, making it a very effective tool for malicious actors. The sample we analyzed uses an icon very similar to Google Apps, with the label "Google Play Marketplace" to disguise itself.

The malicious application is on the left-hand side.



What makes this malware extremely powerful is the capability to adapt after it's deployed. In order to achieve this adaptability, the operator has the capability to remotely load plugins, inject scripts and even compile new .NET code that can be executed. Our analysis indicates that this trojan is in its testing stage but given its potential, every mobile user should be aware of GPlayed. Mobile developers have recently begun eschewing traditional app stores and instead want to deliver their software directly through their own means. But GPlayed is an example of where this can go wrong, especially if a mobile user is not aware of how to distinguish a fake app versus a real one.

Trojan architecture and capabilities

This malware is written in .NET using the Xamarin environment for mobile applications. The main DLL is called "Reznov.DLL." This DLL contains one root class called "eClient," which is the core of the trojan. The imports reveal the use of a second DLL called "eCommon.dll." We determined that the "eCommon" file contains support code and structures that are platform independent. The main DLL also contains eClient subclasses that implement some of the native capabilities.

The package certificate is issued under the package name, which also resembles the name of the main DLL.

Certificate information

The Android package is named "verReznov.Coampany." The application uses the label "Installer" and its name is "android.app.Application."

Package permissions

The trojan declares numerous permissions in the manifest, from which we should highlight the BIND_DEVICE_ADMIN, which provides nearly full control of the device to the trojan.

This trojan is highly evolved in its design. It has modular architecture implemented in the form of plugins, or it can receive new .NET source code, which will be compiled on the device in runtime.

Initialization of the compiler object

The plugins can be added in runtime, or they can be added as a package resource at packaging time. This means that the authors or the operators can add capabilities without the need to recompile and upgrade the trojan package on the device.

Trojan native capabilities

This is a full-fledged trojan with capabilities ranging from those of a banking trojan to a full spying trojan. This means that the malware can do anything from harvesting the user's banking credentials to monitoring the device's location. There are several indicators (see section "trojan activity" below) that it is in its last stages of development, but it has the potential to be a serious threat.

Trojan details

Upon boot, the trojan will start by populating a shared preferences file with the configuration it has on its internal structures. Afterward, it will start several timers to execute different tasks. The first timer will be fired on the configured interval (20 seconds in this case), pinging the command and control (C2) server. The response can either be a simple "OK," or can be a request to perform some action on the device. The second timer will run every five seconds and it will try to enable the WiFi if it's disabled. The third timer will fire every 10 seconds and will attempt to register the device into the C2 and register wake-up locks on the system to control the device's status.

During the trojan registration stage, the trojan exfiltrates private information such as the phone's model, IMEI, phone number and country. It will also report the version of Android that the phone is running and any additional capabilities.

Device registration

This is the last of the three main timers that are created. The trojan will register the SMS handler, which will forward the contents and the sender of all of the SMS messages on the phone to the C2.

The final step in the trojan's initialization is the escalation and maintenance of privileges in the device. This is done both by requesting admin privileges on the device and asking the user to allow the application to access the device's settings.

Privilege escalation requests

The screens asking for the user's approval won't close unless the user approves the privilege escalation. If the user closes the windows, they will appear again due to the timer configuration.

After the installation of the trojan, it will wait randomly between three and five minutes to activate one of the native capabilities — these are implemented on the eClient subclass called "GoogleCC." This class will open a WebView with a Google-themed page asking for payment in order to use the Google services. This will take the user through several steps until it collects all the necessary credit card information, which will be checked online and exfiltrated to the C2. During this process, an amount of money, configured by the malicious operator, is requested from the user.

Steps to request the user's credit card information

In our sample configuration, the request for the views above cannot be canceled or removed from the screen — behaving just like a screen lock that won't be disabled without providing credit card information.

All communication with the C2 is done over HTTP. It will use either a standard web request or it will write data into a web socket if the first method fails. The C2 can also use WebSocket as a backup communication channel.

Before sending any data to the C2, the trojan attempts to disguise it. The data is serialized using JSON, which is then encoded in Base64. However, the trojan replaces the '=' by 'AAAZZZXXX', the '+' by '|' and the '/' by '.' to disguise the Base64.

Request encoding process

The HTTP requests follow the format below, while on the WebSocket only the query data is written.

<server path>?q=<IMEI>-<REQUEST CODE>:<Obfuscated Base64 encoded data>
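
For analysts working from proxy logs or packet captures, the following added example (not code from the original post or from the trojan) reverses the substitutions described above and parses the q= field. The IMEI, request code, host, path and JSON fields are constructed sample values, and the request code is treated as an opaque token because the post does not give its values.

```python
import base64
import json
from urllib.parse import parse_qs, urlsplit

PAD_MARKER = "AAAZZZXXX"  # stands in for '=' according to the post


def deobfuscate(blob):
    """Undo the three substitutions, Base64-decode and parse the JSON body.

    Raises ValueError for anything that is not a well-formed payload.
    """
    text = blob.replace("|", "+").replace(".", "/")
    # '=' occurs only as up to two trailing padding characters, so the
    # marker is honoured only at the end of the string.
    pad = 0
    while pad < 2 and text.endswith(PAD_MARKER):
        text = text[: -len(PAD_MARKER)]
        pad += 1
    raw = base64.b64decode(text + "=" * pad, validate=True)
    return json.loads(raw.decode("utf-8"))


def parse_query_data(q):
    """Parse '<IMEI>-<REQUEST CODE>:<data>', the form written to the WebSocket."""
    ident, colon, blob = q.partition(":")
    imei, dash, code = ident.partition("-")
    if not (colon and dash and imei.isdigit() and code):
        raise ValueError("not in <IMEI>-<REQUEST CODE>:<data> form")
    return {"imei": imei, "request_code": code, "data": deobfuscate(blob)}


def parse_request(url):
    """Parse a logged HTTP request URL that carries the same data in q=."""
    values = parse_qs(urlsplit(url).query).get("q")
    if not values:
        raise ValueError("no q= parameter")
    return parse_query_data(values[0])


def constructed_blob(obj):
    """Fixture builder for the sample input: applies the substitutions as described."""
    b64 = base64.b64encode(json.dumps(obj).encode("utf-8")).decode("ascii")
    return b64.replace("=", PAD_MARKER).replace("+", "|").replace("/", ".")


# Constructed sample request; none of these values come from a real capture.
SAMPLE_OBJ = {"model": "Constructed-Phone", "note": "  >>>???"}
SAMPLE_URL = ("http://c2.example.invalid/gate.php?q=000000000000000-1:"
              + constructed_blob(SAMPLE_OBJ))

if __name__ == "__main__":
    print(parse_request(SAMPLE_URL))
```

parse_request also accepts URLs in which a logging proxy has percent-encoded the '|' character, because parse_qs decodes the value before the substitutions are reversed.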

As is common with trojans, the communication is always initiated by the trojan on the device to the C2. The request codes are actually replies to the C2 action requests, which are actually called "responses." There are 27 response codes that the C2 can use to make requests to the trojan, which pretty much match what's listed in the capabilities section.

  • Error
  • Registration
  • Ok
  • Empty
  • SendSMS
  • RequestGoogleCC
  • Wipe
  • OpenBrowser
  • SendUSSD
  • RequestSMSList
  • RequestAppList
  • RequestLocation
  • ShowNotification
  • SetLockPassword
  • LockNow
  • MuteSound
  • LoadScript
  • LoadPlugin
  • ServerChange
  • StartApp
  • CallPhone
  • SetPingTimer
  • SMSBroadcast
  • RequestContacts
  • AddInject
  • RemoveInject
  • Evaluate

Another feature of this trojan is the ability to register injects, which are JavaScript snippets of code. These will be executed in a WebView object created by the trojan. This gives the operators the capability to trick the user into accessing any site while stealing the user's cookies or forging form fields, like account numbers or phone numbers.

Trojan activity

At the time of the writing of this post, all URLs (see IOC section) found on the sample were inactive, and it does not seem to be widespread. There are some indicators that this sample is just a test sample in its final stages of development. There are several strings and labels still mentioning 'test' or 'testcc' — even the URL used for the credit card data exfiltration is named "testcc.php."

Debug information on logcat

Another indicator is the amount of debugging information the trojan is still generating — a production-level trojan would keep its logging to a minimum.

The only sample was found on public repositories and almost seemed to indicate a test run to determine the detection ratio of the sample. We have observed this trojan being submitted to public antivirus testing platforms, once as a package and once for each DLL to determine the detection ratio. The sample analyzed was targeted at Russian-speaking users, as most of the user interaction pages are written in Russian. However, given the way the trojan is built, it is highly customizable, meaning that adapting it to a different language would be extremely easy. The wide range of capabilities doesn't limit this trojan to a specific malicious activity like a banking trojan or a ransomware. This makes it impossible to create a target profile.

Conclusion

This trojan shows a new path for threats to evolve. Having the ability to move code from desktops to mobile platforms with no effort, like the eCommon.DLL, demonstrates that malicious actors can create hybrid threats faster and with fewer resources involved than ever before. This trojan's design and implementation are of an uncommonly high level, making it a dangerous threat. These kinds of threats will become more common, as more and more companies decide to publish their software directly to consumers.

There have been several recent examples of companies choosing to release their software directly to consumers, bypassing traditional storefronts. The average user might not have the necessary skills to distinguish legitimate sites from malicious ones. We've seen that this has been the case for many years with spear-phishing campaigns on desktop and mobile platforms, so, unfortunately, it doesn't seem that this will change any time soon. And this just means attackers will continue to be successful.

Coverage

Additional ways our customers can detect and block this threat are listed below.

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Indicators of compromise (IOC)


URLs
hxxp://5.9.33.226:5416
hxxp://172.110.10.171:85/testcc.php
hxxp://sub1.tdsworker.ru:5555/3ds/

Hash values
Package.apk - A342a16082ea53d101f556b50532651cd3e3fdc7d9e0be3aa136680ad9c6a69f
eCommon.dl - 604deb75eedf439766896f05799752de268baf437bf89a7185540627ab4a4bd1
Reznov.dll - 17b8665cdbbb94482ca970a754d11d6e29c46af6390a2d8e8193d8d6a527dec3

Custom activity prefix
com.cact.CAct

How Can Businesses Protect against Phishing Attacks on Employee Smartphones?

Smartphones have become synonymous with everyday business operations, enabling employees to store important contact details, browse the web and reply to emails while on the move. However, the ubiquity of such devices has led scammers to increasingly target them with a variety of phishing attacks – all designed to convince individuals to part with sensitive personal and corporate information.

With banking details, phone numbers and email addresses all commonly stored on them, a successful attack on an employee’s smartphone could have devastating consequences, both for that individual and for your organisation. This threat is even more daunting considering that the click rate for suspicious URLs on mobile has increased 85% year-over-year since 2011.

With this in mind, it is vital that business leaders educate themselves on the types of attacks that today’s scammers are using, and advise employees on how best to protect themselves.

A new school of phish

Almost everyone has seen a dubious email hit their inbox at one time or another, seemingly from a legitimate source such as PayPal or Apple. At a cursory glance, these emails can look like the real thing, but tell-tale signs like frequent spelling errors and obviously false email addresses can help users identify a disguised phishing attack. 

Unfortunately, these signs can be far less obvious when received on a mobile device, as email headers and URLs are often hidden. As such, it’s worth encouraging employees to double-check the sender’s details, take note of impersonal forms of address and avoid clicking on any suspicious links.

But some more sophisticated scams can be even less obvious and, again, can be extremely damaging when targeting a mobile device. For example, spear-phishing attacks occur when a scammer creates an email that perfectly imitates genuine correspondence, often from senior members of staff within the same organisation. 

In these cases, the scammer will research company websites and social media channels to build a comprehensive profile of an employee to fool unsuspecting users. The scammer will usually target junior members of teams, requesting confidential information or encouraging them to click on links that will download malware, which can be particularly disastrous on Android phones, which tend not to have the rigorous in-built security that their iPhone counterparts do. Always advise staff members to check with your IT department or managed service provider before engaging with correspondence like this. 

However, it’s not just email that modern hackers are utilising. Social media has now become the go-to platform for phishers who want to extract crucial company information from unsuspecting staff. For a hacker, social media is a great place to start building a picture of exactly who you are in preparation of launching a phishing attack, and some have even resorted to sending suspicious links via messenger platforms. Investigating the privacy settings on such sites (and ensuring they are consistent across mobile, apps and desktop) is a worthwhile exercise to ensure you’re prepared.

Other mobile apps that facilitate remote working, such as Google Docs and Dropbox, have also grown increasingly vulnerable to phishing scams, with Google Docs falling victim to a large-scale attack which affected around 1 million users in 2017. Using a link, the scam diverted users from a Google page to a third-party site, where password information was claimed. Combatting such scams can be achieved by implementing two-factor authentication to add an extra layer of defence to your security measures.

Preventing mobile phishing

Education is extremely important when considering ways to combat phishing attempts, as learning to spot the warning signs can prevent your or your company’s data from falling into the wrong hands, and this is even more pertinent when considering your mobile devices.

A strong enterprise mobility management strategy can help organisations to manage the apps and social media accounts that have access to their data, and secure personal information on employees’ smartphones. They should complement this by ensuring that their file transfer procedures are completely secure.

Mobile devices are only going to become a more central component of our working lives in the future, so ensuring that the safeguards are in place to protect your vital information now will go a long way to preventing potential phishing scams in the future.

About the author: Matt joined Intercity Technology in 2015 from Imerja Limited, as one of the company’s founders. He worked there for 12 years as technical director and previously operations & services director. With over 25 years’ business and technical experience in providing IT solutions, Matt’s expertise covers the design, implementation, support and management of complex communications networks.

Copyright 2010 Respective Author at Infosec Island

Lessons from Cyber Essentials – Going Back to the Basics

Whether it’s phishing attacks or zero-day exploits, businesses are facing an increasing number of cyber threats every day. And when these attacks are successful, businesses can face both reputational and monetary consequences. In fact, a 2018 report from Ponemon found that businesses have to fork out an average of $3.9 million when hit by a data breach. However, there are some simple steps that organisations can follow to achieve cyber resilience and understanding the UK Government’s Cyber Essentials scheme is a great start. 

Launched in 2014, the scheme sets out five simple and effective cyber security measures that businesses of all sizes can implement to reinforce their defences against malicious attacks. Four years on, these measures are just as relevant as ever.

Configure and monitor firewalls to secure your internet connections

Any device that protects the network edge of your organisation, such as a router or firewall, needs to be configured and kept up to date. As key points of access to the wider network, these can be easy targets for hackers if their settings are not adjusted from their factory defaults. Having a trained member of IT staff that can approve and document inbound traffic allowed by network rules, and remove any that are no longer needed, is a simple way to better secure your internet connections. 

Ensure security for your devices and prevent automatic software installation

Most Windows-based devices and operating systems will have a minimum level of basic security measures built in as standard. However, as these default settings are altered or third-party software is installed, the risk of these devices being targeted by hackers increases as the potential attack surface broadens. Again, this can be prevented by implementing simple best practices across an organisation. 

This includes the disabling of guest accounts, removal of unnecessary admin rights, and ensuring that all accounts are secured by robust passwords. It’s also important to disable the Autoplay function on Windows Operating Systems to ensure that software on removable media isn’t authorised to be installed automatically. 

Adobe Flash, Acrobat Reader and Java are some of the most prolific third-party software packages that pose a threat to Windows devices. Wherever possible, Java should be removed and it’s essential that Adobe applications are updated with the latest releases. One way to minimise the risk that third-party applications pose is to implement application control to prevent users from installing potentially damaging third-party software. 

Finally, many Windows PCs connect to public WiFis or untrusted networks, outside of the protection of a corporate system. As such, an endpoint firewall should be enabled on each device, adhering to the same rules as those applied to network-edge security devices. 

Control who has access to data and services 

Of the five goals set out by Cyber Essentials, ensuring that administrative accounts are not used on devices with internet access can be the hardest to achieve. This is because admin rights are often required to perform certain tasks when running legacy applications. 

Businesses can circumvent this difficulty by using a third-party privilege solution which can remove administrative privileges without affecting a user’s experience. This can help ensure that logged-in users retain standard user privileges while affording necessary additional rights to applications and processes. 

The Cyber Essentials scheme also advises the creation of uniquely named accounts for each user, limiting administrative accounts to a small number of trusted employees, and forbids the sharing of administrative logins. New user accounts should also be approved and documented with a business case. 

Following these guidelines can provide your organisation with the high levels of security needed to protect your most valuable data and applications, and help meet the requirements of the Cyber Essentials scheme.

Guarding against malware

To protect against malware strikes, it’s important to have several layers of security in place – the most important measure being whitelisting. This is simply a method of preventing users from installing and running applications that may be compromised with malware. 

To implement whitelisting, an administrator is first required to create a list of applications trusted to run and operate on a corporate device. Any application that tries to run that is not approved will instantly be prevented from doing so. 

This is a particularly strong prevention technique as it can still work even if the malware avoids detection. Application whitelisting is relatively easy and quick for any organisation to implement and maintain – all the while ensuring that they are protected.

However, it is important to remember that application whitelisting, along with firewalls, can be rendered ineffective if antivirus software is misconfigured. Therefore, it’s essential that any device connected to a wider corporate network is reinforced through malware protection software.

Keep your software patched

It may seem simple, but it’s worth remembering that updating devices regularly will go a long way towards safeguarding your business and important data – for example, whenever a new patch or update is released by a manufacturer or developer. To make this easier, operating systems, programmes, devices and apps should be set to automatically update. Again, Cyber Essentials provides clear guidance on this, requiring that operating systems and third-party software are updated within thirty days of a patch being released. In the case of security patches, these must be installed within a fortnight of their release.

The Cyber Essentials scheme provides some of the easiest ways to achieve cyber resilience. IT leaders across all organisations should be working to weave these steps into the fabric of their businesses, to ensure that their company can evolve and face an ever-growing pool of threats with confidence.

About the author: Andrew has been a fundamental part of the Avecto story since its inception in 2008. As COO, Andrew is responsible for Avecto's end-to-end customer journey, leading the global consultancy divisions of pre-sales, post sales and training, as well as customer success, support and IT.


CVE-2018-1706 (spectrum_symphony)

IBM Spectrum Symphony 7.2.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 146341.

New TeleBots backdoor: First evidence linking Industroyer to NotPetya

ESET’s analysis of a recent backdoor used by TeleBots – the group behind the massive NotPetya ransomware outbreak – uncovers strong code similarities to the Industroyer main backdoor, revealing a rumored connection that was not previously proven

The post New TeleBots backdoor: First evidence linking Industroyer to NotPetya appeared first on WeLiveSecurity

Security Gets Messy: Emerging Challenges from Biometrics, New Regulations, Insiders

Over the coming years, the very foundations of today’s digital world will shake – violently. Innovative and determined attackers, along with seismic changes to the way organizations conduct their operations, will combine to threaten even the strongest establishments.  Only those with robust preparations will stand tall.

Existing controls and methods of managing information risk will be put under severe stress by an avalanche of new technologies, regulations and pressures on employees. Organizations that have a good record of securing information will be at risk of complacency, judging that the way they have always done things will continue to work in the future – a dangerous attitude to take.

Biometrics Offer a False Sense of Security

Biometric authentication technologies will flood into every part of an organization, driven by consumer demands for convenience and promising added security for corporate information. But organizations will sleepwalk towards a degradation of access controls as this sense of security turns out to be false: biometrics will frequently be compromised by attackers who learn to find increasingly sophisticated ways to overcome them.

Demands for convenience and usability will drive organizations to move to using biometric authentication methods as the default for all forms of computing and communication devices, replacing today’s multi-factor approach. However, any misplaced trust in the efficacy of one or more biometrics will leave sensitive information exposed. Attacks on biometrics will affect finances and damage reputations.

The problem will be compounded by the wide and confusing array of proprietary technologies produced by different vendors. As there are no common global security standards for biometrics, it is inevitable that some technologies will be vastly inferior to others. The question then becomes: which are secure today? And will that continue to hold true tomorrow… and the day after?

Existing security policies will fall well short of addressing the issues as new devices infiltrate organizations, from the boardroom down. Failure to plan and prepare for this major change will leave some organizations sleepwalking into a situation where critical or sensitive information is protected by a single biometric factor which proves vulnerable.

New Regulations Increase the Risk and Compliance Burden

Organizations will wrestle with an incredibly burdensome risk environment, with complex, conflicting and confusing regulatory demands overwhelming existing compliance mechanisms. Demands for transparency will lead to information being stored in multiple locations and with third parties, increasing the likelihood of a data breach occurring. At the same time, new data privacy regulations will greatly increase the financial impact of a breach by levying materially significant fines.

By 2020, we expect the number and complexity of new international and regional regulations to which organizations must adhere, combined with those already in place, will stretch compliance resources and mechanisms to breaking point. These new compliance demands will also result in an ever swelling ‘attack surface’ which must be protected fully while attackers continually scan, probe and seek to penetrate it.

For some organizations, the new compliance requirements will increase the amount of sensitive information – including customer details and business plans – that must be stockpiled and protected. Other organizations will see regulatory demands for data transparency resulting in information being made available to third parties who will transmit, process and store it in multiple locations. Most organizations will see penalties for non-compliance reach material levels.

Balancing potentially conflicting demands, while coping with the sheer volume of regulatory obligations, may either divert essential staff away from critical risk mitigation activities or raise the impact of compliance failure to new levels. Business leaders will be faced with tough decisions. Those that make a wrong call may leave their organization facing extremely heavy fines and damaged reputations.

Trusted Professionals Divulge Organizational Weak Points

Increasing pressure on trusted professionals will lead some to divulge their organization’s weak points.  Those entrusted with protecting information will be targeted or tempted to abuse their position of trust. Financial temptation, coercion and simple trickery will combine with reduced employee loyalty – taking the insider threat to a new dimension.

The relentless hunt for profits and never-ending change in the workforce will create a constant atmosphere of uncertainty and insecurity that has the effect of reducing loyalty to an organization. This lack of loyalty will be exploited: the temptations and significant rewards from ‘cashing-in’ corporate secrets will be amplified by the growing market worth of those secrets, which include organizational weak points such as security vulnerabilities. Even trusted professionals will face temptation.

Most organizations recognize that passwords or keys to their mission-critical information assets are handed out sparingly and only to those that have both a need for them and are considered trustworthy. However, employees who pass initial vetting and background checks may now – or in the future – face any number of circumstances that entice them to break that trust: duress through coercion; being passed over for promotion; extortion or blackmail; offers of large amounts of money; or simply a change in personal circumstances.

While the insider threat has always been important, it is not only the organizational crown jewels that are under threat. The establishment of bug bounty and ethical disclosure programs, together with a demand from cybercrime or hackers, puts a very high value on the most secret of secrets – the penetration test results and vulnerability reports that comprise the ‘keys to the kingdom’. Organizations reliant on existing mechanisms to ensure the trustworthiness of employees and contracted parties with access to sensitive information will find those mechanisms inadequate.

Preparation Must Begin Now

Information security professionals are facing increasingly complex threats, some new, others familiar but evolving. Their primary challenge remains unchanged: to help their organizations navigate mazes of uncertainty where, at any moment, they could turn a corner and encounter information security threats that inflict severe business impact.

In the face of mounting global threats, organizations must make methodical and extensive commitments to ensure that practical plans are in place to adapt to major changes in the near future. Employees at all levels of the organization will need to be involved, from board members to managers in non-technical roles.

The threats listed above could impact businesses operating in cyberspace at break-neck speeds, particularly as the use of the Internet and connected devices spreads. Many organizations will struggle to cope as the pace of change intensifies. These threats should stay on the radar of every organization, both small and large, even if they seem distant. The future arrives suddenly, especially when you aren’t prepared.

About the author: Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. Previously, he was senior vice president at Gartner.


Could a Credit-Like Security Score Save the Cyber Insurance Industry?

In the evolving world of cybersecurity, enterprises need access to cyber insurance that accurately reflects their current security posture and that covers both direct and indirect expenses. The same challenge, of course, applies to the insurers issuing the policies. Unfortunately, the evolving threat landscape and rising incidents of attacks have created difficulty in matching packages with premiums, and as one chief information security officer has stated, the current state of risk modeling is like “trying to use the count of arrests for a crime to figure out the dollar losses from theft.”

Cyber insurance is an industry that could grow to nearly $17B in just five years. However, coverage today is still at less than 50 percent and varies widely by industry. And the state of coverage is even lower across the mid-market, a sector that is subject to 62 percent of all cyberattacks but does not always have the budget or expertise to deploy market-leading solutions. The result? It’s a proverbial accident waiting to happen, as enterprises are increasingly valued on their intangible assets – assets that can be compromised and even destroyed in a matter of minutes. In fact, between 1975 and 2015, the value of these assets, mostly uninsured, climbed from 17 percent to 84 percent.

What’s the Problem?

A major issue affecting insurance agencies is that cyber insurance coverage is not as universal as one would expect, especially amongst smaller enterprises. To understand the enterprise technology risk, insurers use a questionnaire that is completed by the applicant enterprise (not always accurate) and rely heavily on third-party external ratings of the applicant enterprise. These ratings are an outside-in view only (they exclude cloud security views, which are increasing in importance) and may or may not be accurate.

Smart enterprises and their security service providers are masking their environments from their external third-party rating firms to generate artificially higher scores. This is done by implementing firewall rules that drop all outbound traffic to these third-party honeypots and also filter inbound scanning from these third-party firms. These underwriting processes do not consider the true internal state of the enterprise and are at best limited point-in-time views. What insurers fail to consider in an ever-changing threat level is that they may lose millions in underwriting policies over time to this constantly changing technology risk paradigm if they continue to rely on outdated approaches.

In the Public Accounting Industry, when doing a financial audit of the firm (that includes technology reviews) no one relies only on management answers to questions and there is a strong verification process that the numbers are accurate and the controls are in place.  Insurers need to incorporate internal verification processes into their underwriting and on-going premium coverage process moving forward. 

What Next?

To move beyond this current, less-than-optimal state, insurers need to bring more automation into their underwriting, streamline the process, strike a better balance between premiums and risk, and make available policies that better cover the full range of assets potentially impacted by cyber peril. In addition, insurers need to consider moving from point-in-time assessment to continuous assessment of their potential policy holders as the risk changes daily, based on the human factors and the threat landscape. The individuals completing a large questionnaire (100 to 200 questions) are not 100% sure that their answers are correct, nor that the processes are consistently in place or enforced. In addition, relying on the third-party external ratings that insurers use is like driving while looking in the rear-view mirror. All the data that is shown are past views that are reflective of how things were done in the past. If the company had poor technology (CIO) and security (CISO) management that has been replaced, the external ratings do not reflect the future expected operation.

External Ratings scoring logic assumes that technology management will not change.  In addition, the External ratings do not look at cloud security directly today as they do not have visibility into those environments unless there is a public facing website.

Introducing a Credit-Like Score for Security

One way to develop this is through the use of a ‘CyberPosture’ score, a security equivalent of a credit score; an easy to understand scoring of one’s current hybrid infrastructure security posture. 

Insurers now have the opportunity to provide the potential policy holder (customer) with an easy-to-deploy assessment technology (deployment and assessment within hours) that covers on-premises servers, cloud servers and cloud accounts, and containers, gives a detailed understanding of their inside-out security level against benchmarks, and provides a CyberPosture score. It is in their best interest to implement this solution during the underwriting process and, over time, develop enhanced (more profitable) policies that change premiums and/or reduce coverage as the CyberPosture score changes during the premium coverage period. The secondary benefit would be that this CyberPosture score would be available to the policy holder executive management team and board members to have an independent view of the cyber risks of the organization. Today, a majority of the credit cards provide continuous free credit score reporting to their members (this follows that same logic).

In conclusion, enterprises and their security service providers have learned how to game the external third-party risk ratings which do not account for future enterprise risk models since the models do not consider technology/security leadership changes nor look at internal security risks (and/or cloud security risks) which in many enterprises represent the larger risks and potential control failure that generate cyber insurance claims.  It is in the best interest of the insurers to quickly adopt proactive underwriting and continuous monitoring solutions that provide a true representation of the applicant enterprise to minimize risk and maximize profit in new policies that are underwritten moving forward and the CyberPosture score provides one of those paths forward.

About the author: Joseph (Joe) Kucic is Cavirin’s Chief Security Officer, bringing to Cavirin over 20 years of enterprise and security experience. At Cavirin he is responsible for hybrid cloud infrastructure security strategies with CSOs, CIOs and CISOs and their teams across both enterprises and managed service providers / global system integrators.


5 Ways Pentesters Can Earn Extra Revenue [Infographics]

Do you have an expensive project, want to earn big bucks or feel like taking on a new challenge? As a professional penetration tester, there are many things you can do to earn extra income. Whether you want to explore new opportunities or need the extra cash, here are 5 side-hustles to consider.


With very little time to adapt to new techniques and a fast-paced threat landscape, security professionals are busy trying to keep the internet secure while staying up-to-date on a regular basis. Still got some free time to take on an extra challenge? Feel free to try out one of these options, as it will surely boost your skills and ultimately enrich your career. If you decide to go for it, make sure to come back to us with details of your successes. We’d love to hear the stories you have to share!

Aspiring to become a professional penetration tester? Learn modern pentesting techniques with the penetration testing professional (PTP) training course.

Sources: NIST | Freelancer | Glassdoor | Dark Reading | Sokanu | Security Intelligence


Mingis on Tech: Data breaches and the rise of ‘surveillance capitalism’

Kaspersky Total Security 2019 review: A fantastic security suite available at a better price

So here we are. The most awkward antivirus review ever. I mean how do you review a security platform that was accused of being a proxy for an unfriendly government just one year ago? Kaspersky Lab denies the allegations, but regardless of what the truth is, the accusation is out there.

Now, one of the first things many Americans think of when it comes to Kaspersky is Russian espionage. 

The reality is we have no way of ascertaining the truth so we’re going to do our best to set aside the controversy. This review is not going to weigh the spying accusations into the score. We’ll look at this suite like we would any other, and then leave it to you to weigh the other considerations—though we do have a helpful article on the Kaspersky controversy with advice from experts.


Postdiction: Setting Perceptions of an Earlier Event

Everyone knows about prediction, because we often discuss how best we can accurately see into the future. Who predicted this? Consider also the opposite, postdiction, where we discuss how best we can accurately see into the past. Who postdicted this? Researchers at Caltech are calling their emerging research in this area an insight into time-traveling. …