Today we chat with Web Analyst Manager Serena Peruzzi. Serena constantly filters through the web to analyze content. Sometimes her position requires looking through difficult material, but other times you can find her traveling, organizing company events, and even gardening!
See how Serena helps build Webroot’s company culture in this Employee Spotlight.
How did you get into the technology field?
During my undergrad in Translation and Interpreting 10 years ago, I came to realize how big a role automation and machine translation were going to play in my field. Thus, I decided to beat the trend to the punch and focus my research on Google Translate for my thesis; further on, I completed a master’s degree in Translation Technology, which mixed together traditional translation with state-of-the-art localization technologies, and included leveraging Machine Learning and language pattern recognition to build automated translation engines. Google Translate pretty much rules the multilingual content scene for the general public, making content in more than 100 languages immediately accessible to the global audience with just one click. A lot of crowdsourced content, for example travel or business reviews on the web, is also localized using machine translation technologies to maximize international reach. Additionally, many large corporations already leverage customized enterprise machine translation engines to translate manuals and other documentation. There are already technologies allowing people to converse in multiple languages in real time, so there are virtually no language barriers that cannot be overcome anymore; of course, provided you have an internet connection.
What does a week as a Web Analyst Manager look like?
I typically have a few one-on-one calls with all remote Web Analysts on a weekly or bi-weekly basis, and two team meetings per week, one with the US and one with Sydney. We discuss top issues, upcoming tool updates and feature releases, and use the wisdom of the crowd to find a solution to difficult cases. We use a collaborative Kanban board to track the topics we discuss, so that we can always go back to them or track progress on resolutions. Finally, I work on a number of projects related to training, quality assessments, classification approvals, new implementations, case escalations from the team, and documentation. I also have a few gardening tasks to take care of; keeping the Webroot Threat plants alive is quite an arduous task!
What have you learned / what skills have you built in this role?
Customer care, URL threat analysis, and all aspects of people management are among the key skills I learned in the role. It also helped me keep up my passion for foreign languages, especially Spanish and Japanese, since I need to analyze web content from all over the world.
What is the hardest thing about being a Web Analyst Manager?
Explaining what a Web Analyst does is quite an arduous task, partially because it is a very complex and multi-faceted role involving analyzing large amounts of online content, but also because it involves, to some extent, evaluating content that may be disturbing or violent in nature, and it can be a difficult sell at times.
What is your greatest accomplishment in your career at Webroot so far?
Having helped build a global team of brilliant and enthusiastic minds is perhaps what makes me most proud of being a part of Webroot. The Web Analysts are first and foremost masters of languages and cultures; collectively we speak 12 different languages. The more languages you know, the more confidence you have in analyzing online content from all over the world, bringing different perspectives to the mix. Also, we have another element in common: we all want to make the internet a little safer for our user base. Because of that, building the team has always been an incredibly fun experience. It allows candidates to bring up their unique backgrounds and passions for different cultures and the IT security world in their interviews.
Does your work allow you to travel a lot? Where are some of the coolest places you have travelled?
I’ve travelled to San Diego, Colorado and Sydney with Webroot. While I enjoyed all my trips, I do have a weak spot for Australia. I am a big fan of water sports, and Australia offers the best sceneries for surfing and diving. It also hosts some of the most amazing animals I’ve ever seen. I’ll admit that my encounter with a group of Huntsmen in Sydney, despite being harmless spiders, had me run away fast. But when I first met Quokkas (smiling furry animals), they literally melted my heart.
Best career advice you’ve received?
There’s a saying in Ireland which can be used as an antidote when things don’t go your way, “What’s for you won’t pass you.” I felt particularly close to it when I couldn’t attain a role in the past, as it ultimately led me to a different, extremely satisfactory role surrounded by amazing people.
Are you involved in anything at Webroot outside of your day to day work?
Aside from gardening, I’ve given a hand with organizing team-building and social events for Dublin in the past, including Christmas parties, Health Day, mini-golf and bubble football tournaments, and escape room challenges. Since the team is spread across three offices, team events vary based on group size and local amenities. In Ireland, we typically go out for a nice meal once a month, and order in food for celebrations; additionally, there are regular pub sessions with other Webroot teams. We also have office-wide team building activities on a quarterly basis, and/or when we have visitors on-site.
Favorite memory on the job?
St Patrick’s Day in the office, when I was in Support, was also a truly fun day. On our lunch break we went to Temple Bar, the very core of St Patrick’s celebrations, hid amongst the mayhem of thousands of party-goers celebrating, and then pinged the US team to spot us on the live street camera, just like in a game of “Where’s Waldo.”
Hackers Breach Private Keys to Steal Cryptocurrency
A possible coding error allowed hackers to compromise at least 732 unique, improperly secured private keys used in the Ethereum blockchain. By exploiting a vulnerability, hackers have successfully stolen 38,000 Ethereum coins so far, translating to over $54 million in stolen funds, though the current number is likely much higher. While uncommon, such attacks do show that the industry’s security and key-generation standards have plenty of room for
Prominent Malware Reverse Engineer Faces Jail Time
The malware researcher Marcus Hutchins, who successfully reversed and stopped the WannaCry ransomware attacks in 2017, is facing up to six years of jail time for prior malware creation and distribution. Hutchins’ charges all tie back to his involvement in the creation of Kronos, a widespread banking Trojan that’s caused significant damage around the world.
Data Exposed for Thousands of Rehab Patients
Personally identifiable data belonging to nearly 145,000 patients of a Pennsylvania rehab facility has been found in a publicly available database. After a Shodan search, researchers discovered the database, which contained roughly 4.9 million unique documents showing information ranging from names and birthdays to specific medical services provided and billing records, all of which could be used to steal the identity of these thousands
Study Finds Password Security Still Lacking
After this year’s review of password security, it may come as no surprise that the top five passwords still in use are simple and have remained at the top for some time. Using a list generated from past data breaches, researchers found the password “123456” was used over 23 million times, with similar variations rounding out the top five. Several popular names, sports teams, and bands like blink182 and Metallica are still in use for hundreds of thousands of accounts. While these passwords may be easy to remember, they are exceedingly simple to guess. Stronger passwords should include multiple words or numbers to increase the complexity.
Bodybuilding Site Breached through Phishing Campaign
The website bodybuilding.com has announced it was the victim of a data breach stemming from an email phishing campaign in July 2018 that could affect many of the site’s clients. Fortunately, the site doesn’t store full payment card data, and the data it does store is only stored at the customer’s request, leaving little data for hackers to actually use. The site also forced a password reset for all users and issued a warning about suspicious emails coming from bodybuilding.com, noting they may be part of another phishing campaign.
A peer-to-peer (P2P) communications technology built into millions of security cameras and other consumer electronics includes several critical security flaws that expose the devices to eavesdropping, credential theft and remote compromise, new research has found.
A map showing the distribution of some 2 million iLnkP2P-enabled devices that are vulnerable to eavesdropping, password theft and possibly remote compromise, according to new research.
The security flaws involve iLnkP2P, software developed by China-based Shenzhen Yunni Technology. iLnkP2P is bundled with millions of Internet of Things (IoT) devices, including security cameras and webcams, baby monitors, smart doorbells, and digital video recorders.
iLnkP2P is designed to allow users of these devices to quickly and easily access them remotely from anywhere in the world, without having to tinker with one’s firewall: Users simply download a mobile app, scan a barcode or enter the six-digit ID stamped onto the bottom of the device, and the P2P software handles the rest.
A Webcam made by HiChip that includes the iLnkP2P software.
But according to an in-depth analysis shared with KrebsOnSecurity by security researcher Paul Marrapese, iLnkP2P devices offer no authentication or encryption and can be easily enumerated, allowing potential attackers to establish a direct connection to these devices while bypassing any firewall restrictions.
Marrapese said a proof-of-concept script he built identified more than two million vulnerable devices around the globe (see map above). He found that 39 percent of the vulnerable IoT things were in China; another 19 percent are located in Europe; seven percent of them are in use in the United States.
Although it may seem impossible to enumerate more than a million devices with just a six-digit ID, Marrapese notes that each ID begins with a unique alphabetic prefix that identifies which manufacturer produced the device, and there are dozens of companies that white-label the iLnkP2P software.
For example, HiChip — a Chinese IoT vendor that Marrapese said accounts for nearly half of the vulnerable devices — uses the prefixes FFFF, GGGG, HHHH, IIII, MMMM, ZZZZ.
These prefixes identify different product lines and vendors that use iLnkP2P. If the code stamped on your IoT device begins with one of these, it is vulnerable.
“In theory, this allows them to support nearly 6 million devices for these prefixes alone,” Marrapese said. “In reality, enumeration of these prefixes has shown that the number of online devices was ~1,517,260 in March 2019. By enumerating all of the other vendor prefixes, that pushes the number toward 2 million.”
Marrapese said he also built a proof-of-concept attack that can steal passwords from devices by abusing their built-in “heartbeat” feature. Upon being connected to a network, iLnkP2P devices will regularly send a heartbeat or “here I am” message to their preconfigured P2P servers and await further instructions.
“A P2P server will direct connection requests to the origin of the most recently-received heartbeat message,” Marrapese said. “Simply by knowing a valid device UID, it is possible for an attacker to issue fraudulent heartbeat messages that will supersede any issued by the genuine device. Upon connecting, most clients will immediately attempt to authenticate as an administrative user in plaintext, allowing an attacker to obtain the credentials to the device.”
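The routing rule Marrapese describes, "direct connection requests to the origin of the most recently received heartbeat", is the whole weakness: the server has no way to tell the device's heartbeat from anyone else's. The added example below is not iLnkP2P's protocol and not Marrapese's proof-of-concept; it is a constructed toy model in which the message layout, the registry class names and the per-device key are assumptions. It contrasts the unauthenticated behaviour from the article with a hardened variant in which each heartbeat carries a monotonic counter and an HMAC under a key provisioned to the device, so that a heartbeat from a party that knows only the UID, or a replay of an old one, is discarded.

```python
import hashlib
import hmac
import secrets
import struct


class UnauthenticatedRegistry:
    """Models the behaviour in the article: whoever sent the latest
    heartbeat for a UID is where connection requests get routed."""

    def __init__(self):
        self.last_origin = {}

    def heartbeat(self, uid, origin):
        self.last_origin[uid] = origin
        return True

    def resolve(self, uid):
        return self.last_origin.get(uid)


class AuthenticatedRegistry:
    """Hardened toy model (assumed design, not a real product): the server
    holds a secret per UID; a heartbeat is accepted only if its HMAC over
    (uid, counter, origin) verifies and the counter strictly increases."""

    def __init__(self, device_keys):
        self.device_keys = dict(device_keys)
        self.last_counter = {}
        self.last_origin = {}

    @staticmethod
    def tag(key, uid, counter, origin):
        msg = uid.encode() + struct.pack(">Q", counter) + origin.encode()
        return hmac.new(key, msg, hashlib.sha256).digest()

    def heartbeat(self, uid, counter, origin, tag):
        key = self.device_keys.get(uid)
        if key is None:
            return False                      # unknown UID
        expected = self.tag(key, uid, counter, origin)
        if not hmac.compare_digest(expected, tag):
            return False                      # sender does not hold the key
        if counter <= self.last_counter.get(uid, -1):
            return False                      # replayed or stale heartbeat
        self.last_counter[uid] = counter
        self.last_origin[uid] = origin
        return True

    def resolve(self, uid):
        return self.last_origin.get(uid)


def demo():
    """Run both registries against a genuine device and a second party that
    knows only the UID; constructed UID and documentation-range addresses."""
    uid = "FFFF-123456"
    device, other = "203.0.113.10:4000", "198.51.100.7:5000"

    weak = UnauthenticatedRegistry()
    weak.heartbeat(uid, device)
    weak.heartbeat(uid, other)                # later heartbeat wins, no check
    weak_result = weak.resolve(uid)

    key = secrets.token_bytes(32)             # provisioned to the device only
    strong = AuthenticatedRegistry({uid: key})
    genuine = strong.heartbeat(uid, 1, device, AuthenticatedRegistry.tag(key, uid, 1, device))
    forged = strong.heartbeat(uid, 2, other, b"\x00" * 32)   # no key, garbage tag
    replay = strong.heartbeat(uid, 1, device, AuthenticatedRegistry.tag(key, uid, 1, device))
    return weak_result, strong.resolve(uid), genuine, forged, replay


if __name__ == "__main__":
    print(demo())
```

The hardened model assumes a per-device secret exists, which is exactly what the article says these devices lack and what Marrapese says cannot be retrofitted once UIDs are fixed at manufacture; the point of the model is to show how little is needed at design time to close the gap.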
What’s more, as we saw with Mirai the firmware and software built into these IoT devices is often based on computer code that is many years old and replete with security vulnerabilities, meaning that anyone able to communicate directly with them is also likely to be able to remotely compromise them with malicious software.
Marrapese said despite attempts to notify China’s CERT, iLnk and a half dozen major vendors whose products make up the bulk of the affected devices, none of them have responded to his reports — even though he first started reaching out to them more than four months ago. Neither HiChip nor iLnk responded to requests for comment sent by KrebsOnSecurity.
Interestingly, iLnk’s Web site (p1.i-lnk[.]com) currently appears to be non-functional, and a review of its HTML source code indicates the site is currently compromised by an obfuscated script that tries to redirect visitors to a Chinese gaming Web site.
Despite the widespread impact of these vulnerabilities, Marrapese’s research suggests that remediation from vendors is unlikely – and in fact, unfeasible.
“The nature of these vulnerabilities makes them extremely difficult to remediate for several reasons,” Marrapese wrote. “Software-based remediation is unlikely due to the infeasibility of changing device UIDs, which are permanently assigned during the manufacturing process. Furthermore, even if software patches were issued, the likelihood of most users updating their device firmware is low. Physical device recalls are unlikely as well because of considerable logistical challenges. Shenzhen Yunni Technology is an upstream vendor with inestimable sub-vendors due to the practice of white-labeling and reselling.”
Marrapese said there is no practical way to turn off the P2P functionality on the affected devices. Many IoT devices can punch holes in firewalls using a feature built into hardware-based routers called Universal Plug and Play (UPnP). But simply turning off UPnP on one’s router won’t prevent the devices from establishing a P2P connection as they rely on a different communications technique called “UDP hole punching.”
Marrapese said it should be possible to block vulnerable devices from communicating with any P2P servers by setting up firewall rules that block traffic destined for UDP port 32100.
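Before writing that firewall rule it helps to know which devices on the network are actually talking to P2P servers. The added example below is not from the article; it is a constructed offline check over flow records in an assumed "proto src:port -> dst:port bytes" layout. It lists every RFC 1918 host sending UDP to port 32100 at a non-internal address, the servers each one contacts, and emits per-host egress drop rules in iptables syntax (a single rule dropping all UDP/32100 egress, as the article suggests, is the simpler option).

```python
import ipaddress
from collections import defaultdict

ILNKP2P_PORT = 32100   # UDP port named in the article

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records; addresses are private or documentation ranges.
SAMPLE_FLOWS = """\
udp 192.168.1.23:35122 -> 203.0.113.5:32100 64
udp 192.168.1.23:35122 -> 203.0.113.6:32100 64
tcp 192.168.1.40:50100 -> 198.51.100.20:443 1480
udp 192.168.1.23:35122 -> 203.0.113.5:32100 64
udp 192.168.1.77:41000 -> 198.51.100.9:32100 64
udp 192.168.1.40:53000 -> 192.168.1.1:53 80
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_flow(line):
    """'udp 192.168.1.23:35122 -> 203.0.113.5:32100 64' -> tuple of fields."""
    proto, src, _, dst, nbytes = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return proto, sip, int(sport), dip, int(dport), int(nbytes)


def find_p2p_talkers(flow_text, port=ILNKP2P_PORT):
    """Return {internal_host: {external_p2p_server, ...}} for internal hosts
    sending UDP to `port` at an address outside the RFC 1918 ranges."""
    talkers = defaultdict(set)
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        proto, sip, _, dip, dport, _ = parse_flow(line)
        if proto != "udp" or dport != port:
            continue
        if is_internal(sip) and not is_internal(dip):
            talkers[sip].add(dip)
    return dict(talkers)


def block_rules(talkers, port=ILNKP2P_PORT):
    """One egress drop rule per flagged host, in iptables syntax."""
    return [f"iptables -I FORWARD -s {host} -p udp --dport {port} -j DROP"
            for host in sorted(talkers)]


if __name__ == "__main__":
    found = find_p2p_talkers(SAMPLE_FLOWS)
    for host, servers in found.items():
        print(host, "->", ", ".join(sorted(servers)))
    print("\n".join(block_rules(found)))
```

A host contacting more than one server on that port is consistent with the heartbeat behaviour described above (the device keeps its P2P rendezvous points informed of its current address), which is why the check reports the set of destinations per host rather than just a hit count.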
Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about schemes used in phishing and other email-based attacks. Also, learn how ransomware continues to make a significant impact in the threat landscape.
As email remains a common infection vector because of how easily it can be abused, attackers continue to take advantage of it by crafting threats that are persistent in nature and massive in number.
Organizations will be able to test their ability to deter hackers and cyberattacks with a free new tool designed by experts at the UK’s National Cyber Security Centre to prepare them against online threats including malware, phishing and other malicious activities.
A hacker broke into thousands of accounts belonging to users of two GPS tracker apps, giving him the ability to monitor the locations of tens of thousands of vehicles and even turn off the engines for some of them while they were in motion.
The UK could one day create a national cyber-defense system built on sharing real-time cybersecurity information between intelligence agencies and business, the head of the UK’s Government Communications Headquarters said at CYBERUK 19.
Do you think the new hacker defenses tool will decrease the number of cyber-attacks targeted at organizations and public sectors? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.
Scott is still here with me on the Gold Coast lapping up the sunshine before NDC Security next week so I thought we'd do this week's video next to the palm trees and jet ski 😎 But, of course, there's still a heap of stuff happening that's worthy of discussion, everything from the UK gov's NCSC doing good work to the Reply All podcast I was on this week to new data breaches to the ongoing shenanigans involving kids "smart" watches. And oh boy, the communications strategies of a couple of these in particular is just absolutely woeful. All that and more in this week's update.
Oh - and right after I published this, I noticed some crazy static for about 14 seconds at the 27:15 mark. Sorry - I'd republish it but I'd be looking at about 2 hours to re-render and re-upload and this is already going out a couple of hours late so, yeah, sorry!
Over the past year, Quick Heal Security Labs has observed a rise in the number of mining malware samples. Mining is one way to earn cryptocurrency, and cryptocurrency-mining malware has become a popular attack vector for cybercriminals because it is easy to deploy and returns a profit immediately. We usually see such miners delivered to victims through a variety of techniques. Rather than writing their own modules from scratch, attackers can download open source software and modify it slightly.
In this blog post, we discuss a couple of cases where the attack scenario is built on top of these open source tools, and how the trend of abusing open source tools to build new malware helps malware authors.
The trend is especially visible in cryptojacking cases. Although cryptojacking is a direct source of income for cybercriminals, information stolen from the victim’s systems can yield additional money. So these open source tools are used for a variety of purposes: downloader frameworks, information stealing, crypto-mining, DNS changers, Mirai bots and more. This helps greatly in forming a botnet of similar hosts that together produce more hashes per second. Such open source tools are often readily available on GitHub and similar platforms. We can classify them as exploit frameworks, vulnerability scanners, password stealers, privilege escalators, evaders, etc.
We received a miner downloader that downloads multiple components of the attack. This script may reach a system through spam mail, malicious URLs, free software bundles, or any other conventional method used by malware. We also suspect that a PowerShell script is the initial culprit; because the miner’s behaviour is somewhat recursive, we could not confirm its initial trace on the system.
The miner downloader creates a file named ‘xpdown.dat’ that contains the IP addresses of C2 servers from which it downloads further components.
Looking at the links in the file, we observed the following.
Downs.exe is a modified version of the Microsoft “CACLS” utility (which displays and modifies access control lists). Ups.rar is downloaded as cab.exe. This component is a downloader for a Windows variant of the Mirai botnet; it also acts as a DNS changer and opens a backdoor on the system. On execution, it performs several operations, such as modifying the DNS entry on the host to the IP “220.127.116.11”, which is geolocated in China with the ISP “Hangzhou Alibaba Advertising Co.,Ltd.”
It then checks whether the compromised machine is a Windows server by calling GetVersionExA. If it is, it downloads update.txt from the C2 server and drops it at “C:\windows\system\uplist.txt”. The uplist.txt file lists the following payloads to be downloaded and executed.
It also downloads npptools.dll, 64npf.sys, npf.sys, nsoak.dat, packet.dll and wpcap.dll. These are network packet processing files loaded by msinfo.exe during its execution.
Let’s look into these components one by one.
It contains code that is very stealthy and evasive, using several techniques such as “Squiblydoo”, a “download cradle” and WMI Event Subscription persistence to run malicious content on infected machines.
The WMI script contains multiple PowerShell scripts.
“Up.txt” contains code that collects information about the system OS, physical memory and the list of running processes using WMI classes, then downloads the PowerShell version of Mimikatz from GitHub.
It then steals credentials from the compromised machine and uploads them to the FTP server at IP 18.104.22.168 using hard-coded FTP credentials.
It is basically a Windows version of the Mirai botnet, as much of its code matches the previously leaked Mirai source code. When executed with the command line parameters “-create” and “-run”, it checks the architecture of the current system (x86, MIPS, ARM, etc.). Based on that, it checks for its latest update and downloads it if available.
It performs the following tasks according to an encrypted file downloaded from the C2 server.
Implements a spreading mechanism using blind SQL injection (SQLi) and brute-force techniques with the crack library and the Hydra tool: [Cracker:Telnet] [Cracker:MSSQL] [Cracker:CCTV] [Cracker:MS17010], CrackerWMI, CrackerSSH.
It scans ports such as 80, 8000 and 445 using masscan (a very fast open source port scanner that works similarly to nmap, the popular port scanning tool): https://github.com/robertdavidgraham/masscan
Disables specific services by invoking the following command: C:\Windows\system32\cmd.exe /c taskkill /f /im csrs.exe&sc stop netprofm&sc config netprofm start= disabled&sc stop NlaSvc&sc config NlaSvc start=disabled
It also performs a network scan, for which it collects the public and private IPs of the system and associated information such as geolocation. The attacker then spoofs his own IP in place of the current system’s IP and uses masscan to scan other devices.
Through these steps it turns the system into a bot and adds it to the botnet. Its code is developed in C++ and distributed across many sources, such as:
It mainly targets IoT devices running embedded Linux, so it uses BusyBox (a software suite providing UNIX utilities, also called the Swiss Army Knife of embedded Linux) to execute remote commands after compromising/cracking those devices through the methods mentioned above.
VBS/BAT Agent for Downloading the Miner:
First, the payload is dropped and executed at the following location on the victim machine.
hxxp://22.214.171.124/b.exe ( downloaded at C:\windows\inf\msief.exe)
On execution, it drops the VBS and batch files at the locations mentioned below and executes the VBS file via wscript.exe, which in turn executes the BAT file.
The BAT file contains a lot of code that modifies the attributes of some folders/files, kills specific processes, deletes some files, modifies the access control of some folders/files, establishes persistence for multiple payloads via the registry, the task scheduler and WMI Event Subscriptions, and modifies the firewall policy to block ports 445 and 139.
Two more payloads are downloaded from one of the C2 servers listed in xpdown.dat. One is a disk writer, a DLL file dropped at “C:\Windows\debug”; it executes at system start through a task scheduler entry added by the BAT file above.
The second is the final payload, the XMRig Monero miner, a 64-bit executable downloaded from hxxp://126.96.36.199/64.rar to “C:\windows\debug\lsmos.exe”.
On execution, it unpacks itself and drops three files into the current folder: an executable (lsmose.exe, 64-bit, packed with VMProtect) and two DLLs (xmrstak_cuda_backend.dll and xmrstak_opencl_backend.dll) that the miner needs to run.
In another similar case we observed a base64-encoded PowerShell script: cryptomining malware that hides in a WMI class to evade AV and most security products thanks to this stealthy and unusual technique.
After decoding we get the following code:
Following is the basic workflow of the malware.
On execution, it checks whether the IP/domain mentioned in the code is alive. If it is, it requests a banner and receives ‘SCM Event1 Log’ as the response.
The malware then queries the ‘__FilterToConsumerBinding’ WMI class by executing the command below
and checks whether the result contains ‘SCM Event1 Log’. If not, it downloads and executes in6.ps1 (64-bit) or in3.ps1 (32-bit) via Invoke-Expression (IEX).
These scripts consist of two parts: a base64-encoded gzip data stream and obfuscated code. After de-obfuscation, the code resembles the initial base64-encoded script with additional features.
The encoded gzip contains four files as mentioned below:
‘mini’ – Mimikatz, a credential stealer
‘mon’ – Monero CPU Miner
‘funs’ – a collection of functions, including one to execute a remote DLL via WMI and an EternalBlue vulnerability scanner.
‘sc’ – shellcode to execute on other systems and download the same payload if they are vulnerable to EternalBlue.
It creates a WMI Class “systemcore_Updater0” under the Namespace “root\default” and adds properties like mimi, mon, funs, sc, ipsu and i17.
Then it sets filtername=”SCM Event1 Log Filter” and consumername=”SCM Event1 Log Consumer”.
When an attacker uses WMI as a persistence mechanism, instances of __EventFilter, __EventConsumer and __FilterToConsumerBinding have to be created, and an __InstanceCreationEvent event is fired.
In this case, the attacker uses the following query as the EventFilter and binds it to the initial base64-encoded script, which consequently executes approximately every 3 hours.
SELECT * FROM __InstanceModificationEvent WITHIN 10600 WHERE TargetInstance ISA Win32_PerfFormattedData_PerfOS_System
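The three objects named above (filter, consumer, binding) are exactly what a defender enumerates in the root\subscription namespace when hunting for this kind of persistence. The added example below is not from the Quick Heal post; it is constructed triage logic over a dump of those objects in an assumed JSON-like shape (the field names and the sample consumer command line are assumptions). It parses the WQL filter query to recover the polling interval and target class, which shows why WITHIN 10600 on Win32_PerfFormattedData_PerfOS_System works as a roughly three-hour timer, and flags bindings whose consumer runs encoded PowerShell or whose naming matches the campaign.

```python
import re

# Constructed dump of WMI permanent event subscription objects.
SAMPLE_SUBSCRIPTIONS = {
    "filters": [
        {"Name": "SCM Event1 Log Filter",
         "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 10600 "
                  "WHERE TargetInstance ISA Win32_PerfFormattedData_PerfOS_System"},
        {"Name": "BVTFilter",
         "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 "
                  "WHERE TargetInstance ISA Win32_Processor AND TargetInstance.LoadPercentage > 99"},
    ],
    "consumers": [
        {"Name": "SCM Event1 Log Consumer", "__CLASS": "CommandLineEventConsumer",
         "CommandLineTemplate": "powershell.exe -NoP -NonI -W Hidden -E SQBFAFgA..."},  # constructed
        {"Name": "BVTConsumer", "__CLASS": "ActiveScriptEventConsumer", "ScriptText": "..."},
    ],
    "bindings": [
        {"Filter": '__EventFilter.Name="SCM Event1 Log Filter"',
         "Consumer": 'CommandLineEventConsumer.Name="SCM Event1 Log Consumer"'},
        {"Filter": '__EventFilter.Name="BVTFilter"',
         "Consumer": 'ActiveScriptEventConsumer.Name="BVTConsumer"'},
    ],
}

QUERY_RE = re.compile(
    r"FROM\s+(\w+)\s+WITHIN\s+(\d+)\s+WHERE\s+TargetInstance\s+ISA\s+(\w+)", re.I)
ENCODED_PS_RE = re.compile(r"powershell.*\s-(e|enc|encodedcommand)\b", re.I)
TIMER_TARGET = "Win32_PerfFormattedData_PerfOS_System"


def parse_wql(query):
    """Extract event class, polling interval (seconds) and target class from a filter query."""
    m = QUERY_RE.search(query)
    if not m:
        return None
    return {"event": m.group(1), "within": int(m.group(2)), "target": m.group(3)}


def ref_name(ref):
    """'Class.Name="X"' -> 'X' (the form used in __FilterToConsumerBinding references)."""
    return ref.split('"')[1]


def triage(dump):
    """One finding per binding, with the reasons it looks like the persistence above."""
    filters = {f["Name"]: f for f in dump["filters"]}
    consumers = {c["Name"]: c for c in dump["consumers"]}
    findings = []
    for b in dump["bindings"]:
        flt = filters[ref_name(b["Filter"])]
        con = consumers[ref_name(b["Consumer"])]
        parsed = parse_wql(flt["Query"]) or {}
        reasons = []
        if con["__CLASS"] == "CommandLineEventConsumer" and \
                ENCODED_PS_RE.search(con.get("CommandLineTemplate", "")):
            reasons.append("consumer runs encoded PowerShell")
        if parsed.get("target") == TIMER_TARGET:
            reasons.append("timer-style trigger on PerfOS_System, every ~%.1f h"
                           % (parsed["within"] / 3600))
        if re.search(r"SCM Event\d Log", flt["Name"]):
            reasons.append("name matches the 'SCM Event<n> Log' naming seen in this campaign")
        findings.append({"filter": flt["Name"], "consumer": con["Name"],
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_SUBSCRIPTIONS):
        print(finding)
```

On a live host the same three collections come from Get-WmiObject -Namespace root\subscription for __EventFilter, __EventConsumer and __FilterToConsumerBinding; the logic above is deliberately kept separate from collection so it can be run over exported data.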
It also tries to delete the task scheduler entry “sysupdater0” and checks for “sysupdater0.bat” in %systemroot%, removing it if it exists.
Modifies Windows sleep, hibernate and power plan settings by invoking the following commands:
powercfg /CHANGE -standby-timeout-ac 0
powercfg /CHANGE -hibernate-timeout-ac 0
powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
It removes all WMI objects in the __FilterToConsumerBinding class under the namespace “root\subscription” whose filter name does not match “SCM Event0 Log”.
Then it kills any process that has an “ESTABLISHED” connection on port 3333, 5555 or 7777.
It makes a list of the PIDs of running “PowerShell” processes and of the system’s network connections. It then looks for a process with an “ESTABLISHED” connection on port 80, 14444, 14433 or 443. If no such process exists and fewer than 8 PowerShell processes are running, it executes the Monero miner using the “funs” module. After that it executes Mimikatz and dumps credentials regardless of whether the Monero miner ran.
It also enumerates network addresses, checks which IPs are active and adds them to the property named ‘ipsu’. It then scans those IPs to identify systems vulnerable to MS17-010 (with the EternalBlue scanner script), stores them in the property ‘i17’ and finally executes shellcode that downloads ze3.ps1 or ze6.ps1, which are identical to in3.ps1 or in6.ps1, depending on OS architecture.
The shellcode downloads and executes the PS script to infect other vulnerable systems. This is how it spreads to, and mines on, other systems on the network.
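The malware's own check (which processes hold ESTABLISHED connections, and on which ports) can be turned around into a host-side detection: a PowerShell process with an established connection to one of the ports this script cares about is a strong signal of the miner described above. The added example below is not from the Quick Heal post; it is constructed logic over netstat -ano style output and a PID-to-image map, both made up here, that joins established connections on the ports named on this page (3333, 5555, 7777, 14444, 14433) to the owning process and counts running PowerShell instances.

```python
import re

# Ports the script above treats as miner traffic; all are named on this page.
MINING_PORTS = {3333, 5555, 7777, 14444, 14433}

# Constructed `netstat -ano` style output (documentation-range remote addresses).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.50:49812     203.0.113.44:14444     ESTABLISHED     4120
  TCP    192.168.1.50:49900     198.51.100.3:443       ESTABLISHED     2216
  TCP    192.168.1.50:49955     203.0.113.44:3333      SYN_SENT        4120
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:32100          *:*                                    3040
"""
# Constructed PID -> image name map (what tasklist or Get-Process would give).
SAMPLE_PROCESSES = {4120: "powershell.exe", 2216: "chrome.exe", 4: "System", 3040: "lsmos.exe"}

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\w+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Parse data rows; UDP rows have no state column, which the regex allows."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        rhost, rport = remote.rsplit(":", 1)
        rows.append({"proto": proto, "local": local, "remote_host": rhost,
                     "remote_port": int(rport) if rport.isdigit() else None,
                     "state": state, "pid": int(pid)})
    return rows


def find_mining_connections(text, processes, ports=MINING_PORTS):
    """Established TCP connections to miner-style ports, joined to the owning image."""
    hits = []
    for r in parse_netstat(text):
        if r["proto"] == "TCP" and r["state"] == "ESTABLISHED" and r["remote_port"] in ports:
            hits.append({"pid": r["pid"], "image": processes.get(r["pid"], "?"),
                         "remote": f'{r["remote_host"]}:{r["remote_port"]}'})
    return hits


def powershell_count(processes):
    """The script above throttles itself below 8 PowerShell processes; report the count."""
    return sum(1 for img in processes.values() if img.lower() == "powershell.exe")


if __name__ == "__main__":
    for hit in find_mining_connections(SAMPLE_NETSTAT, SAMPLE_PROCESSES):
        print(hit)
    print("powershell processes:", powershell_count(SAMPLE_PROCESSES))
```

Because the script kills any competing process on 3333/5555/7777 and then starts its own miner only when no process is already established on 80/14444/14433/443, a host showing a PowerShell image on one of those ports is worth pulling the WMI subscription namespace from as well.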
In both cases, open source tools are abused heavily to carry out the attack. Mimikatz, masscan and the EternalBlue vulnerability scanner seem to be popular tools among malware authors. Similar techniques are used to spread ransomware too. Seqrite successfully detects such attacks at various detection levels.