Sustainable enterprise security is both a great practice and a core business process. Enterprises are increasingly becoming aware of the diverse & intense nature of threats that exist in cybersphere and the damage it can cause – that’s where strong enterprise security solutions come in.
This is step one – enterprise security consists of ever-evolving complex layers that are never in stasis. Hence, after every cycle, security mechanisms only tend to get stronger. However, cyberattackers are getting extremely savvy and sophisticated in their malware onslaught, ensuring that attacks are timed to penetrate endpoints during cybersecurity transitional phases.
Hence, here are some easy-to-prevent flaws that can creep in when enterprises try to secure their endpoints.
Lack of proper enterprise security policies
Enterprise security policies cannot be ad-hoc – this process needs to be implemented right from the beginning, and that is where strong enterprise security takes root. The best strategies can be ineffective if they are not backed up with strong security policies.
When it comes to enterprise security, organizations must be proactive in drafting policies. The crux of these security policies should consist of employee dos and don’ts, workforce collaboration that supports cybersecurity, human resource initiatives on malware literacy, among many others and should be complied to and regularly updated so that business security is never at risk.
Inability to prioritize security integration of mobiles into enterprise networks
Mobile phones as work devices are seeing increasing adoption in the enterprise. Employees, that leverage this facility need to bind their devices with enterprise security ports so that business-critical data is not compromised. Due to rising attacks on mobile devices, Enterprise Mobility Management (EMM) has become a must for businesses of all sizes that allow this facility. Solutions like Seqrite mSuite are excellent solutions through which employees can safely access productivity apps on BYOD (Bring Your Own Device) or CYOD (Choose Your Own Device) platforms while maintaining strong security.
Compliance with regulations
Most companies nowadays operate under some sort of regulatory control of their data, for example, HIPAA for private health information or the FERPA for student records. Often this information is stored in the cloud with the intention of keeping this ultra-sensitive data hidden from cybercriminals. As such, leaking of this information can have serious consequences – hence enterprises should be vigilant about being compliant about the nature of data and it’s storage.
Faulty access permission
Enterprises can build the strongest firewalls at par with military standards, but the framework will collapse if appropriate access control mechanisms are not put in place. Essentially, system administrators need to grant precise access to business users based on their role in the organization. This ensures that insider breaches do not happen and sensitive information remains confidential. Also, if hackers gain direct access to employee systems, they can break-in creating a demolition kind of scenario for any business.
Not taking employees into confidence
Employees are the backbone for maintaining cybersecurity decorum. Hence, enterprises should consider taking employees into consideration and be confident about them as they look to implement cybersecurity solutions. They must be made aware of the dangers of weak enterprise security, the steps they can take and the warning signs they should look for. Since cyberthreats are highly dynamic and dangerous, if organizations don’t train employees properly, they are highly prone to be internal agents and channels of a guaranteed cyberattack.
After covering these flaws internally, enterprises should choose to invest in proven cybersecurity solutions such as Seqrite Endpoint Security (EPS) which offers a simple and comprehensive platform integrating several advanced technologies in one place for protection against advanced cyber threats.
EPS also comes packed with other vital features such as –
According to Start-Up Nation Central (SNC), there are currently 400 cybersecurity start-ups operating in Israel. In 2018, they raised over $1.2 billion in 96 rounds of funding. That is more money raised than any other vertical market in the Israeli economy. However, as many as 80% of these companies fail to progress from the early stage to mature, high growth companies. What does this typical growth trajectory indicate? Is it because of a highly competitive … More →
Microsoft has recently come out and said that mandatory password changing is ancient and obsolete. This goes directly against everything we were trained to think for the last couple of decades, and against most compliance directives including some of the most dominant security standards. And it is correct. If anything, Microsoft hasn’t gone far enough: password changing is the visible tip of the iceberg – there are many other major inconveniences for our users that … More →
Two-step verification is one of the best steps you can take to secure any account. Two-step verification is when you require both a password and code sent to or generated by your mobile device. Examples of services that support two-step verification include Gmail, Dropbox and Twitter.
As we have repeatedly mentioned here in Hackercombat.com, hackers today are no longer interested in digital vandalism against systems and websites. Showing how good you are in cracking and hacking may give you a boost of ego, but the buck stops there, you may still end up behind bars when caught. Might as well earn huge amount of money doing a cybercrime, right? Yes, that is the main motivation of cybercriminals today, earn money. From the script kiddie category up to the high-level hackers who cause online bank heist, it is very clear that black hat hacking evolved from mere “I know it can be done” to “I will earn profit with this” kind of campaign.
It really shows, just look at how many cybersecurity news we publish here at Hackercombat.com. Cybercriminals have developed a deep arsenal of tools in order to dupe people and organizations of their hard-earned money. From identity theft, social engineering, phishing, banking trojans, ransomware and the most covert of all campaigns, cryptocurrency mining malware. The list goes on, and being an organization whose primary purpose is to grow its money as much as possible, the financial sector is in the crosshairs of cybercriminal organizations.
Having money to grow, while also carefully spending money for a mundane cybersecurity defense posture is a risky endeavor that many financial institutions, both public and private are engaging every day. As we enter the age where state-sponsored hacking organizations are organizing themselves to get ready for the next cyberattack, institutions that store a lot of personally identifiable information and financially liquid are the prime targets. We have featured more than a dozen cyber attack articles since 2017, about banks, lending firms and even public sector agencies that have something to do with taxation becoming a victim of certain attacks such as DDoS, ransomware and banking trojans.
“This is a useful way to think about cyber threats, because it is easy to map attacker motivations across to specific businesses, and subsequently understand to what extent they apply. Once you understand why various threat actors might target you, then you can more accurately measure your cyber risk and implement appropriate mitigations,” explained George Michael, F-Secure’s Senior Research Analyst when asked to describe cyber threats against private organizations.
Mitigations are software patches designed to plug the security bugs that were discovered in hardware. However, it is not always a happy ending when it comes to installation of mitigations. We can review the case of Meltdown & Spectre of 2018 and the MDS exploit of 2019, revealing to the public that mitigation patches lower the performance of hardware. It is like being between a rock and a hard place, choose security and you will pay with the lower performance of the system, more particularly the CPU’s execution of code. Choose speed, and your system is exposed to security exploits and various cyber attack risks. Such choice is something system administrators wish not to decide on, as both security and hardware performance are important for any organizations. As mentioned earlier, not all hackers are operating for themselves, they are funded by nation-states. Such organizations have deep packets for establishing an effective research and development campaigns to develop much worst system exploits we have yet to witness.
“North Korea has been publicly implicated in financially motivated attacks in over 30 countries in the past three years, and their tactics are also being used by cyber criminals, particularly against banks. This is symbolic of a wider trend that we’ve seen in which there is an increasing overlap in the techniques used by state-sponsored groups and cyber criminals. If you don’t understand the threats to your business, you don’t stand a chance at defending yourself properly. Blindly throwing money at the problem doesn’t solve it either,” concluded Michael.
In 2018, phishing attacks were attempted 482.5 million times, more than doubling the number of incidents in 2017. New research conducted by the Georgia Institute of Technology Cyber Forensics Innovation (CyFI) Laboratory confirms that a website with a company-branded address bar greatly decreases the chance of internet users falling victim to a malware attack or phishing (fraud) scam. CyFI Lab’s research concluded that the presence of an Extended Validation (EV) SSL certificate represents a 99.987% … More →
Despite significant investment in AI, many companies are still struggling to stabilize and scale their AI initiatives, according to Dotscience. While 63.2% of businesses reported they are spending between $500,000 and $10 million on their AI efforts, 60.6% of respondents continue to experience a variety of operational challenges. This is evidenced by the fact that 64.4% of organizations deploying AI said that it is taking between seven to 18 months to get their AI workloads … More →
Gurucul, a leader in behavior based security and fraud analytics technology for on-premises and the cloud, announced the Gurucul Network Behavior Analytics (NBA) solution, the industry’s most advanced Network Traffic Analysis product. It leverages Gurucul’s advanced machine learning analytics to provide identification of advanced and unknown cyber threats. The Gurucul Network Behavior Analytics solution delivers flexible entity modeling to monitor and identify unusual, risky behavior from any entity. This includes traditional devices like workstations, servers … More →
RiskIQ, the global leader in attack surface management, announced the launch of RiskIQ JavaScript Threats Module to ensure customer trust in e-commerce by protecting organizations’ high-traffic payment pages from JavaScript attacks. The module is part of a comprehensive platform for reducing threats to organizations’ internet attack surfaces. JavaScript Threats is the only enterprise-scale product trusted by the largest financial and e-commerce companies and powered by the threat intelligence of industry-leading experts on Magecart JavaScript attacks. … More →
Masergy, a leading provider of managed SD-WAN, cloud communications and managed security solutions, announced industry-unique bundles that combine its Managed SD-WAN solutions with advanced security services. Masergy Managed SD-WAN delivers simple, secure, and scalable connectivity that improves application performance, reduces cost and increases agility. A recent IDG survey indicated that for 81% of buyers, security was the top criteria in selecting SD-WAN services. With deep expertise in both software-defined networking and sophisticated threat detection and … More →
eGlobalTech, A Tetra Tech Company, is pleased to announce the launch of Auxilium, eGlobalTech’s premier Artificial Intelligence (AI) solution. Auxilium is an open source chatbot solution which answers internal and external stakeholder questions efficiently and effectively, empowering teams to focus on higher-level tasks and complex business problems. An innovative and impactful tool for both federal and commercial organizations, Auxilium: Understands intent Answers questions in milliseconds Monitors impact through a customizable dashboard of detailed analytics Supports … More →
Are you going to Black Hat USA 2019? If you are, you’re no doubt counting down the days until 3-8 August when you can join the thousands upon thousands of security professionals at the Mandalay Bay Resort and Casino in Las Vegas, Nevada. But if you’ve been to any of its other 21 iterations, you […]… Read More
Aqua Security, the leading platform provider for securing container-based and cloud native applications, announced the public release of Aqua Security’s runtime protection for Pivotal Cloud Foundry (PCF). Users of Pivotal’s platform can download and install the Aqua Security for PCF service from Pivotal Services Marketplace, and deploy an end-to-end solution for scanning, application assurance and runtime protection for their application workloads. PCF includes a widely deployed distribution of Cloud Foundry Application Runtime (CFAR) and allows … More →
Confluera, the real-time cybersecurity company, announced that it has raised $9 million in Series A funding led by Lightspeed’s Ravi Mhatre with significant participation by John W. Thompson, former CEO of Symantec; Frank Slootman, former CEO of ServiceNow; and Lane Bess, former CEO of Palo Alto Networks. The company also launched its Early Access Program for Real-time Attack Interception and Defense platform. In spite of aggregate security spending exceeding $124 billion, businesses around the world … More →
HyperLabel, a new desktop data labeling application for Machine Learning (ML) just announced by Sixgill, offers the fastest path to creating high-quality labeled datasets for better ML models. With HyperLabel, there’s no need to upload files to an external service. Users retain complete ownership, privacy and control of their data, while accelerating project onboarding and completion with quick and easy usability anchored on the desktop. It’s all cloud-free, highly scalable and locally installed. HyperLabel is … More →
Western Digital announced enhancements to its ActiveScale storage system portfolio, making it one of the highest performing and most cost-effective object storage platforms for storing, managing and extracting value from the ever-expanding universe of unstructured data. With the introduction of OS 5.5, ActiveScale becomes an even more integral part of an IT infrastructure by expanding its comprehensive set of data management capabilities for streamlining workflows and reducing latency barriers for multi-site data distribution. More than … More →
Attivo Networks, the award-winning leader in deception for cyber security threat detection, announced significant portfolio enhancements that effectively lock down the endpoint so that attackers cannot advance their attacks. These innovations include securing Active Directory and the ability to turn every endpoint into a network decoy. The company’s ThreatDefend Detection Platform provides a comprehensive deception fabric that interweaves decoys, lures, and breadcrumbs throughout the network. By blending in seamlessly with the production environment, the deception … More →
GTT Communications, the leading global cloud networking provider to multinational clients, announced it has expanded its SD-WAN service by adding the capability to run multiple network applications on a single universal customer premises equipment (uCPE) device. uCPE enables more cost-effective and efficient delivery of network services, including centralized management of software updates and more flexible service customization. GTT leverages virtualized network function (VNF) technology to deliver multiple services, such as SD-WAN, firewall and WAN optimization, … More →
Posted by Christiaan Brand, Product Manager, Google Cloud
Credential compromise as a result of phishing is one of the most common causes of security breaches. Security keys provide the strongest protection against these types of attacks, and that’s one of the main reasons why Google requires them as a second factor of authentication for our employees. Last year, we launched Titan Security Keys in the United States and were excited to see strong demand from users and businesses choosing to protect their personal and work Google Accounts. Starting today, Titan Security Keys are also available on the Google Store in Canada, France, Japan, and the United Kingdom (UK).
Titan Security Keys
Titan Security Keys are built with a hardware chip that includes firmware engineered by Google to verify the keys’ integrity. Each key leverages FIDO standards to cryptographically verify your identity and URL of the login page, preventing an attacker from accessing your account even if you are tricked into providing your username and password. Security keys are appropriate for any security-conscious user or enterprise, and we recommend that all users, especially those at higher risk such as IT administrators, executives, politicians, and activists consider signing in via security keys. Bundles of two Titan Security Keys (one USB/NFC and one Bluetooth) are available on the Google Store in Canada, France, Japan, and the UK in addition to the US. To set up your security keys with your personal or work Google Account, sign in and navigate to the 2-Step Verification page. In addition, you can enroll in the Advanced Protection Program, which provides Google’s strongest security for anyone at risk of targeted attacks. Titan Security Keys can also be used anywhere FIDO security keys are supported, including Coinbase, Dropbox, Facebook, GitHub, Salesforce, Stripe, Twitter, and more Enterprise administrators can require security keys for their users in G Suite and Google Cloud Platform (GCP). Bulk orders of unbundled Titan Security Keys are available in Canada, Japan, and the US.
Zyxel Communications, a leading provider of secure broadband networking, Internet access and connected home products, announced it has begun shipping the LTE7480 LTE-A Pro Outdoor Router, enabling network operators to cost-effectively provide high-speed Fixed Wireless Access (FWA) to customers in remote areas where other technologies would be cost-prohibitive. Designed for use in suburban areas, public locations, homes and offices, the LTE7480 utilizes the 3.5 GHz Citizens Broadband Radio Service (CBRS) band to deliver high-speed broadband … More →
New Light Technologies (NLT) announces a strategic partnership with Fugue to deliver public cloud configuration, drift detection, active drift enforcement (e.g., self-healing infrastructure), and security control gap analysis for NLT’s Amazon Web Services (AWS) and Microsoft Azure clientele. The partnership extends Fugue’s capabilities to all of NLT’s Azure and AWS clients, strengthening NLT’s Cloud Service Provider (CSP) and Managed Service Offerings (MSO). Fugue rounds out a set of best-of-industry tools and practices chosen by NLT … More →
Alibaba Cloud, the data intelligence backbone of Alibaba Group, and Fortinet, a global leader in broad, integrated and automated cybersecurity solutions, announced the expansion of the Fortinet Security Fabric offerings and new automation capabilities for Alibaba Cloud to provide streamlined and consistent security for organizations with hybrid cloud infrastructures. The combination of Alibaba Cloud and the Fortinet Security Fabric provide organizations with the ability to extend security visibility and control from the data center to … More →
Visa announced that Paul D. Fabara will join Visa as Chief Risk Officer, effective Sept. 3. Mr. Fabara takes over from Ellen Richey, Visa’s former Vice Chairman and Chief Risk Officer who recently retired after more than 11 years with the company. Mr. Fabara will report to Al Kelly, Visa’s Chairman and Chief Executive Officer. Mr. Fabara’s responsibilities will include a broad portfolio of functions designed to maintain the integrity of the Visa payment system … More →
A few hours ago, I have written about an interesting analysis of the possible hack of avionics systems, not DHS warns of cyber attacks against small airplanes.
Today we introduced an interesting report published by researchers at Rapid7 about the hacking of avionics systems via CAN bus, now the DHS issues an alert to warn owners of small airplanes of flight data manipulation attacks.
The scenario is disconcerting, hackers could manipulate the electronic systems in the small airplanes to force them displaying false flight data to the pilot, with unpredictable consequences.
The attackers, of course, need to have in some way physical access to small airplanes before they take off.
“An attacker with physical access to the aircraft could attach a device to an avionics CAN bus that could be used to inject false data, resulting in incorrect readings in avionic equipment. The researchers have outlined that engine telemetry readings, compass and attitude data, altitude, airspeeds, and angle of attack could all be manipulated to provide false measurements to the pilot.” reads the alert published by the US Department of Homeland Security’s (DHS). “The researchers have further outlined that a pilot relying on instrument readings would be unable to distinguish between false and legitimate readings, which could result in loss of control of the affected aircraft. “
The DHS confirms that it issued the alert because CISA is aware of a public report of cyber attacks against avionics systems in small airplanes through CAN bus.
Patrick Kiley, a senior security consultant at Rapid7 conducted an investigation into the security of avionics systems inside small airplanes.
The expert focused the analysis on the Controller Area Network (CAN) bus implements by two commercially available avionics systems from aircraft manufacturers who specialize in light aircraft.
The CAN is a crucial component in vehicles and aircraft that allows data and signaling information to be’ exchanged between the onboard computer systems.
Unfortunately, an attacker can abuse the CAN bus to interfere with the ordinary operations even if unlike cars, airplanes adopt some protection measures.
Kiley was able to able to send forged messages to the control systems of the aircraft and perform malicious activities.
The expert demonstrated that it is possible to change the altitude and airspeed readings, changing engine telemetry readings, altering telemetry, and disabling or rerouting the autopilot.
“The researchers have further outlined that a pilot relying on instrument readings would be unable to distinguish between false and legitimate readings, which could result in loss of control of the affected aircraft,” the DHS’ cyber division warned Tuesday.
Kiley demonstrated the attack after investigating avionics systems—an electronic control and navigation system fitted in an aircraft—from two unnamed commercial aircraft manufacturers specialized in light aircraft.
Kiley found that the key problem with the avionics CAN bus is that it is integrated into the aircraft’s other components without any firewalls or authentication, which means untrusted connections over a USB adapter attached to the plane can send unauthorized commands to its electronic systems.
CISA recommends owners of small airplanes to restrict access to the aircraft. The US agency also urges manufacturers of aircraft to review the implementation of CAN bus networks and implement mitigations such as CAN bus-specific filtering, whitelisting, and segregation should also be evaluated by aircraft manufacturers.
“CISA recommends aircraft owners restrict access to planes to the best of their abilities. Manufacturers of aircraft should review implementation of CAN bus networks to compensate for the physical attack vector.” concludes the alert. “The automotive industry has made advancements in implementing safeguards that hinder similar physical attacks to CAN bus systems. Safeguards such as CAN bus-specific filtering, whitelisting, and segregation should also be evaluated by aircraft manufacturers.”
Money intended for the construction of a brand new high school was instead placed in a bank account controlled by scammers by officials of a North Carolina county.
Read more in my article on the Hot for Security blog.
Just a few days after Equifax settled with the FTC over its 2017 data breach, Capital One announced it was the target of a March attack. Identifying information and bank account numbers are among some of the data breached in the attack that affects 100 million people. A software engineer is behind the attack and is awaiting a hearing. In this episode of TECH(feed), Juliet discusses the consequences of the attack and how to find out if you've been affected.
Global messaging giant WhatsApp turned 10 years old this year. It’s not unusual for companies to provide loyal customers or members with gifts to show their appreciation during these milestones. Unfortunately, cybercriminals are using this as a ploy to carry out their malicious schemes. According to Forbes, security researchers have discovered a fraudulent message promising users 1000GB of free internet data, which is a scam bringing in ad click revenue for cybercriminals.
Let’s dive into the details of this suspicious message. The text reads “WhatsApp Offers 1000GB Free Internet!” and includes a link to click on for more details. However, the link provided doesn’t use an official WhatsApp domain. Many users might find this confusing since some businesses do run their promotions through third-party organizations. Forbes states that once a user clicks on the link, they are taken to a landing page that reads “We offer you 1000 GB free internet without Wi-Fi! On the occasion of our 10th anniversary of WhatsApp.” To make the user feel like they need to act fast, the landing page also displays a bright yellow countdown sticker warning that there are a limited number of awards left.
As of now, it doesn’t appear that the link spreads malware or scrapes users’ personal information. However, the scam could eventually evolve into a phishing tactic. Additionally, the more users click on the fraudulent link, the more the cybercriminals behind this scheme rack up bogus ad clicks. This ultimately brings in revenue for the cybercrooks, encouraging them to continue creating these types of scams. For example, the domain being used by the scammers behind the WhatsApp message also hosts other fake brand-led promotional offers for Adidas, Nestle, Rolex, and more.
So, what can users do to prevent falling for these phony ads? Check out the following tips to help you stay secure:
Avoid interacting with suspicious messages. Err on the side of caution and don’t respond to direct messages from a company that seems out of the ordinary. If you want to know if a company is participating in a promotional offer, it is best to go directly to their official site to get more information.
Be careful what you click on.If you receive a message in an unfamiliar language, one that contains typos, or one that makes claims that seem too good to be true, avoid clicking on any attached links.
Stay secure while you browse online. Security solutions like McAfee WebAdvisor can help safeguard you from malware and warn you of phishing attempts so you can connect with confidence.
And, of course, stay on top of the latest consumer and mobile security threats by following meand @McAfee_Homeon Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The recent changes in Windows 10, aiming to add case sensitivity (CS) at directory level, have prompted our curiosity to investigate the potential to use CS as a mean of obfuscation or WYSINWYG (What You See is NOT What you Get). While CS was our entry point, we then ventured into other file naming techniques to achieve similar outcomes.
Threats and Red Teams may include these techniques in their arsenal to execute various versions of persistence tricks, scan avoidance, security bypass or, in extreme cases, make the system totally unusable.
As part of this blog we use the term “Evil Twins” to describe a scenario where 2 files on disk are crafted using specific file naming techniques to confuse security mechanisms, leading to the good twin being scrutinized while the evil twin flies under the radar.
This is part of a series that will explore each of the different scenarios and techniques we researched.
Evil Twins and WSL (Windows Sub-System for Linux) to the Rescue
Windows Linux Subsystem introduces a set of new cool features and provides interoperability between Linux & Windows, including the ability to execute ELF files.
Some time ago, case sensitiveness was enabled by default when using DRVFS, the file system driver that allows to mount Windows drives. (C:\\, D:\\) from a WSL instance.
After some internal releases it was removed, and case-sensitiveness did change over time in terms of CS inheritance, including the restriction to change sensitiveness of folders that already have “twins”.
The following technique relies on the ability to mount DRVFS with case=force that will literally override any case-sensitiveness set for any directory.
Any attacker that has admin rights and wants to achieve any of the following goals can rely on this approach to:
Persist & Hide files
Make the OS unusable
Stop many products from starting (even if they have other kinds of protection).
Alter dlls loaded to control the applications.
This scenario is based on the premise that WSL and a Linux distribution are installed. In case those requirements are not met, scripts that automate that process, or even importing your custom distribution.
For complex scenarios where installing WSL & importing a distribution is required, even although it’s possible to di programmatically for any adversary and even remove WSL, it will still be very noisy in terms of suspicious activities whether the workstation does not belong to a developer for instance. As time goes on, many companies that have Linux development will include WSL as part of the daily basics for developer workstations, servers, etc.
The execution steps would include something like:
Enable WSL
Check if a distribution is already installed / Install it if missing
Look for LXSS and enable DRVFS force flag
Depending on how the twin will be created you can do several things:
Create a WSL conf file with automount options. This is optional since you can remount the /mnt/c folder with new options.
Copy files from the rootfs folder in Windows to preserve permissions (read/execute/etc.) without messing with ACL’s on the Linux side.
Approach #1: Create the proper files without starting bash until the end (only touching Windows files): Ex: One of the scripts just copies the environment file and, if it is empty, it adds some content, so it is executed from bashrc next time bash is launched.
Approach #2: Create the proper files from bash itself, so you do not need to mess with permissions (this will depend on how systems will be alerted by detecting bash execution, etc.)
Terminate WSL instances.
Start bash (by using a task, autorun, or just as part of the PowerShell script)
From here you can just execute commands on the POC example, depending on the script arguments; the commands to be executed are of /etc/bashrc file.
VOILA, the script will create a folder or copy the twin dll in a non-cs enabled folder, thus promoting the twin as the file to look for next time.
Sample script:
Executing the technique to implant an Evil Twin dll: (replacing IEPROXY.dll for a mock that will just change the background)
The IEPROXY.DLL implant taking effect
Watch the video recorded by our expert Cedric Cochin, illustrating the entire technique:
Outcomes for this technique include:
A piece of ransomware creating C:\Windows\SYSTEM32 twin folder and not allowing a normal boot.
A targeted attack could create a IEPROXY.DLL so next time any application loads the dll it will load the compromised dll.
A targeted attack could create a C:\Program Files\[FAVORITE VENDOR] to disable such application, if the application is not CS aware/compatible
Detecting and stopping attacks that tamper with kernel-mode agents at the hypervisor level is a critical component of the unified endpoint protection platform in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). It’s not without challenges, but the deep integration of Windows Defender Antivirus with hardware-based isolation capabilities allows the detection of artifacts of such attacks.
Recently, the Microsoft Defender ATP research team found a malicious system driver enabling a token swap attack that could lead to privilege escalation. In this blog, we’ll share our analysis of the said attack and discuss how Windows Defender Antivirus uses its unique visibility into system behaviors to detect dangerous kernel threats.
Hardware-based root of trust
Windows Defender System Guard, a hardware-based system integrity capability in Microsoft Defender ATP, has a runtime measurement component called runtime attestation. This runtime measurement component includes a sub-engine called assertion engine (see Figure 1), which continuously measures and asserts the integrity of the Windows kernel, providing supplementary signals about any abnormal system behavior.
Figure 1. High-level Windows Defender System Guard runtime attestation architecture
Architecturally, the solution is collectively referred to as the Windows Defender System Guard runtime monitor and consists of the following client-side components:
The VTL-1 runtime assertion engine itself
A VTL-0 kernel-mode agent
A VTL-0 process we call the ‘broker’ to host the assertion engine
The goal is to detect artifacts of data corruption attacks and other threats that tamper with kernel-mode agents at the hypervisor level. Windows Defender Antivirus, the next-generation component of Microsoft Defender ATP, integrates with Windows Defender System Guard runtime attestation and consumes signals from the assertion engine.
Detecting token theft attacks
Every Windows process has a primary token that describes the security context of the user account associated with the process. The information in the token includes the identity and privileges of the user account associated with the process or thread. Token theft attacks are rampant because they can allow adversaries to use access tokens to operate using different user accounts or under different system security contexts to perform malicious actions and evade detection.
The Microsoft Defender ATP Research team recently uncovered and analyzed signals from Windows Defender System Guard assertion engine that indicated manipulation of a primary token, causing token swap – a distinctly suspicious activity, given that the aspects of a primary token are immutable once the process starts running.
Further analysis of Windows Defender Antivirus telemetry identified the offending malicious system driver responsible for the invariant token swap attack. The sample containing the system driver was signed with a compromised certificate (thumbprint: 31e5380e1e0e1dd841f0c1741b38556b252e6231) that’s commonly misused in the wild.
Figure 2. Revoked certificate used by malicious system driver
The driver exhibited the following rootkit behavior:
Token swap
Tampering EPROCESS structure in kernel mode and PEB to disguise a process as svchost.exe
In this scenario, Windows Defender System Guard raised an initial assertion failure signal for the token swap. Windows Defender Antivirus consumed the signal and applied intelligence to discover that the suspicious activity was being orchestrated by a system driver.
Figure 3. Decompiled malicious driver code for token theft
Using a Microsoft cloud service that that keeps track of stolen or revoked PKI certificates worldwide, Windows Defender Antivirus found that the driver was indeed signed by a revoked or stolen certificate, which was communicating with the infected binary to perform the token swap.
Windows Defender Antivirus works seamlessly with Microsoft cloud services, such as the one that flags binaries signed by stolen or revoked certificates. Signals like these enrich the protection delivered by multiple next-generation protection engines in Windows Defender Antivirus to provide near-instant, automated defense against new and emerging threats. With cloud-delivered protection, next-generation technologies provide rapid identification and blocking of attacks, typically even before a single machine is infected.
Device integrity for broader security
The goal of Windows System Guard runtime attestation is to provide its consumers with a trustworthy assessment of the security posture and integrity of devices. Apps and services can take advantage of this attestation technology to ensure that the system is free from tampering and that critical processes are running as expected. Runtime attestation can help in many scenarios, including:
Providing supplementary signals for endpoint detection and response (EDR) and antivirus vendors (including full integration with the Microsoft Defender ATP stack)
Detecting artifacts of kernel tampering, rootkits, and exploits
Protected game anti-cheat scenarios (for example, detection of process-protection bypasses that can lead to game-state modification)
Conditional access (enabling and enhancing device security-based access policies)
The assertion engine can detect attacks that can reasonably be performed under the most restrictive attack conditions, such as when system has been already hardened with hypervisor-protected code integrity (HVCI) and enforced kernel mode code integrity (KMCI).
The case study has shown how Microsoft Defender ATP – hence, the broader Microsoft Threat Protection – reaps significant security benefits from Windows Defender System Guard runtime attestation. We invite the industry to do the same.
Abhijat Singh, Enterprise & Security David Kaplan (@depletionmode), Microsoft Defender ATP Research Chun Feng, Microsoft Defender ATP Research Hermineh Sanossian, Enterprise & Security
Artificial Intelligence (AI) and machine learning have created lots of buzz with vendors. Being cast as the superheroes of technology is great for getting attention. But even Superman and Supergirl had their kryptonite.* Could the lack of diversity and inclusiveness in the design teams and data types weaken these two superhero technologies, like kryptonite weakened our friends from Krypton? Now is the time to shine a spotlight on problems that arise from the lack of inclusiveness and diversity in these areas to make sure that we are not automating existing biases in data or design.
Lack of diversity and inclusivity hurts products, profits, and people
Discrimination and non-inclusiveness in product development can be harmful—and dangerous—to those who suffer its consequences. Car airbags serve as a poignant example. Designed to save the lives of an average-sized male, airbags were deadly for children and petite women. Even the crash-test dummies the industry used until 2012 were average-man-sized, so it was impossible to test airbag safety for broader populations.
When workforces are not diverse and inclusive, problems stemming from various types of bias may occur. For example, women might not get a fair shot at a position because hiring standards have been set to match the pool of traits exhibited by current employees—who are predominately men.
Datasets can be at fault, as well, especially when populations are skewed because of social issues or the biases of system designers. Take the case of raw data used to predict criminality. Since the current justice system is biased against African Americans, who are incarcerated at a rate which is five times that of Caucasians, the dataset will be biased, too.
A diverse and inclusive team is a more productive team
AI and machine learning require a collaborative, inclusive approach that is ethical and respectful of the values each employee brings to the table. But diversity and inclusiveness are not only about ethnicity, gender, and gender-orientation. It’s also about a diversity of viewpoints and ways of examining issues and problem solving.
Lack of team diversity can hurt productivity. Homogenous teams may outperform diverse teams initially, but over time, the productivity of diverse teams increases. This is due, in part, to the strength gained from a variety of perspectives brought to the problem-solving process.
For example: A lawyer brings a unique awareness and mindset to problem-solving that differs from the mindset of privacy experts, mathematicians, data scientists, ethicists, and more. These different viewpoints and skillsets create stronger solutions and practices. Furthermore, diverse viewpoints ensure that the values of fairness, reliability, safety, security, privacy, inclusiveness, transparency, and accountability are included in any data model.
Be aware that if diversity comes in many forms, bias does as well. Companies should work hard to remove biases based on culture, geography, income bracket, educational background, and ageism in addition to those already mentioned.
How does this connect to better cybersecurity?
In creating resilient models that better detect and respond to cybersecurity issues, the greater the team diversity, the greater the resilience to attack and perturbation the models may be. Potentially, these more diverse models will provide us with a greater variety of insights and tools as well.
We’re already seeing that diversity in teams creates diversity in AI and machine learning models, which in turn increases the speed and precision of detection. For example, as part of the Microsoft Threat Protection solution using machine learning, Emotet was detected and blocked in milliseconds.
Since cybercriminals are varied in background and skillset, there is no one type of cyberattack we can defend against and no single machine learning model to find and stop all cyberattacks. But by working with diverse and inclusive design teams and using diverse, layered machine learning models, we’re increasing our ability to find and stop attacks quickly.
If you want more resilient cybersecurity, looking to a superhero isn’t really an option. Instead, rely on the diversity of the cyberheroes you hire and put the power of inclusivity to work for you.
I encourage you to read the report in this companion book, Microsoft: The Future Computed—the first of a series to explore AI, the future of the workforce, ethics, and policies related to individual industries. Also, read more of our CISO series blogs.
*Superman and Supergirl are characters owned by DC Comics, Inc.
One of the trickiest challenges enterprises face is managing the balance between aggressively blocking malicious advertisements (aka malvertising) and allowing content to remain online, accessible for the average user. The days of installing a basic ad blocker on your web browser and expecting full protection are gone. Between the sites that require them to be disabled and the ability for advertisers to pay to evade them, ad blockers alone are not sufficient.
As this blog will cover in detail, malvertising is a problem not strictly associated with basic web browsing. It can also come with other software programs including adware or potentially unwanted applications (PUA). These latter examples require the most attention. In today’s enterprise, an aggressive approach to advertising is required to be protected against malicious threats. That may include securing your DNS or adding additional layers of inspection through a firewall, intrusion prevention system, or a web security platform. Regardless of the approach, it needs to be thorough and take into account not just the security impacts, but the potential of cascading impact on your users.
Advertising is a key part of the internet as a whole and, whether you realize it or not, is one of the most foundational aspects of it. It is one of the reasons that a large chunk of the content available on the internet is free. It allows people to support their passion projects, their small businesses, and the food blogs of people around the world. However, it is a highly complex and convoluted system that is ripe for abuse. This is an issue that should not be ignored by the public, as these malicious ads can deliver malware out of nowhere and trick traditional internet users who may not be aware of the threats that exist on some pages.
This blog is going to walk through how online advertising works, what malvertising is and why it’s dangerous including real life examples, and finally the options that exist for organizations and private citizens to try and protect themselves from these threats.
It is like being hit by a bullet that we never saw coming our way. That is how we at hackercombat.com describe the controversy with regards to VxWorks embedded OS’ TCP/IP bugs that are now affecting close to 2 billion Internet-connected devices globally. Now known as Urgent/11, a batch of 11 flaws affecting VxWorks, an operating system known only by engineers who made embedded Internet-connected devices that are being used by almost all industries and everyone who use gadgets.
But before we go deeper into the issue, let us step back and explain what is VxWorks. It is an embedded real-time operating system first launched publicly in 1987, thirty-two years ago. It is not a household name for an operating system for its entire duration of existence, as it is embedded in SOCs (system-on-a-chip). End users cannot interact with it in a practical way, and it operates independently as part of the functionality of embedded devices. Electronic devices from a simple Internet-connected light bulb (an IoT device) up to the NASA-made rovers Opportunity, Spirit and Curiosity have chips using VxWorks. All consumers exposed to electronic devices are using it without realizing it in the first place, like the operating system embedded on one’s microwave oven, car stereo systems, and even elevators.
Urgent/11 operates under the vulnerable TCP/IP stack bundled with VxWorks, the eleven flaws are categorized from medium-level threats like DoS (Denial of Service) vulnerability, mishandling of reverse ARP replies, IPv4 logical flaw and IGMP information leakage to critical level flaws such as remote code execution. Armis Labs, a cybersecurity consulting firm has pointed out that out of 11 flaws, six are categorized as critical. They are now described with their respective CVE numbers:
1. CVE-2019-12263
TCP Urgent Pointer state confusion due to race condition affecting VxWorks versions 6.6 and above.
2. CVE-2019-12261
TCP Urgent Pointer state confusion during connect to a remote host affecting VxWorks versions 6.7 and above
3. CVE-2019-12260
TCP Urgent Pointer state confusion caused by malformed TCP AO option affecting VxWorks versions 6.9.4 and above
4. CVE-2019-12257
Heap overflow in DHCP Offer/ACK parsing in ipdhcpc
5. CVE-2019-12255
TCP Urgent Pointer = 0 leads to integer underflow affecting VxWorks versions 6.5 to 6.9.3
6. CVE-2019-12256
Stack overflow in the parsing of IPv4 packets IP options
“URGENT/11 are the most severe vulnerabilities found in VxWorks to date, which has suffered from only 13 public CVEs in its 32-year history. URGENT/11 is a unique group of vulnerabilities that allow attackers to circumvent NAT and firewalls and take control over devices remotely via the TCP/IP stack undetected, with no user interaction required. This is due to the vulnerabilities’ low level position inside the TCP/IP stack, which enables attacks to be viewed as legitimate network activity,” emphasized Armis Lab’s representative.
Win River, the company who is responsible for the release and maintenance of VxWorks operating system has released version 7 of the firmware. However, we bring-up the same issue of updating the firmware, similar on how Android has a fragmentation problem. It will be very difficult for all 2-billion vulnerable devices to be flashed with the fixed v7 of VxWorks. There will always be devices in the Internet that will continue to run the vulnerable old version of the firmware.
At the final day of the Cyber: Secured Forum in Dallas, moderators hosted a series of discussions in which attendees played a crucial part in putting forth solutions to some of the the most pressing cyber–physical topics facing the security industry.
Attendees were divided into four different groups to collaborate on responses to some of the biggest cyber–physical challenges, including:
The Tenants of a Cybersecurity Hardening Guide
Privacy in the Age of Connected Devices
Show Me the Money: The Considerations for Monetizing Cybersecurity as an Integrator
Gap Analysis – How the Security Industry Should Address Cybersecurity
In coming together to share their responses, attendees expressed their collective ideas. One of the key concerns for integrators is understanding how to monetize cybersecurity. In order to do this successfully, integrators need to acquire an array of skill sets that they might not have. For those that are looking to grow and be the experienced industry provider, they need to rely on the skills of others while they themselves grow and learn.
While it’s not all about the money, business is all about the money. Unfortunately, connectivity has opened up a Pandora’s box of opportunity and challenges for the physical security industry. Integrators are seeking to monetize cybersecurity services while ensuring new threats to their customers are mitigated in the systems they deploy.
In looking at privacy in the age of connected devices, attendees recognize that the lack of security in the internet of things poses not only digital but also physical privacy vulnerabilities. As such, solutions providers are working to ensure that their connected products are hardened out of the box and that the folks deploying them have the guidance to ensure that they provide customer value, not cybersecurity headaches.
The security industry needs to shift its siloed thinking order to really address cybersecurity. One overarching theme of the Cyber: Secured Forum was that the lines between physical and cybersecurity are slowing disappearing. The vulnerabilities are overlapping, the risks are expanding and the ability to mitigate risks is hampered by an ever-growing skills gap. Collaboration, now more than ever, is key.
An expert analyzed the level of security of avionics systems used in small airplanes, and the results are disconcerting.
Patrick Kiley, a senior security consultant at Rapid7 conducted an investigation into the security of avionics systems inside small airplanes. The results are disconcerting it is quite easy to hack a small plane.
Kiley, which is also, an amateur pilot, was able to crack the ⁷aircraft’s control and navigation systems.
The expert focused the analysis on the Controller Area Network (CAN) bus implements by two commercially available avionics systems from aircraft manufacturers who specialize in light aircraft.
The CAN is a crucial component in vehicles and aircraft that allows data and signaling information to be’ exchanged between the onboard computer systems.
The control systems send commands to several components via CAN bus.
“Small aircraft typically maintain the direct mechanical linkage between the flight controls and the flight surface. However, electronic controls for flaps, trim, engine controls, and autopilot systems are becoming more common,” explained Kiley.
“This is similar to how most modern automobiles no longer have a physical connection between the throttle and the actuator that causes the engine to accelerate.”
Unfortunately, an attacker can abuse the CAN bus to interfere with the ordinary operations even if unlike cars, airplanes adopt some protection measures.
Kiley was able to able to send forged messages to the control systems of the aircraft and perform malicious activities.
The expert demonstrated that it is possible to change the altitude and airspeed readings, changing engine telemetry readings, altering telemetry, and disabling or rerouting the autopilot.
“While the impact of such an attack could be dire, we want to emphasize that this attack requires physical access, something that is highly regulated and controlled in the aviation sector,” Kiley noted.
“While we believe that relying wholly on physical access controls is unwise, such controls do make it much more difficult for an attacker to access the CAN bus and take control of the avionics systems.”
Let me suggest to read the report that contains much interesting information about the security of avionics systems.
The evolution of mobile devices has certainly improved our lives, but yet, security threats are rising. Although malware can affect any mobile operating system (OS), in this article I’m going to look at Android malware specifically, since Android the most targeted OS. Actually, you may have already read a bunch of headlines around Android malware attacks.
Curious to find out how it all started? Would you like to avoid losing your security and privacy? If the answer to these questions is yes, keep on reading, as I will try to paint a clearer picture and answer some commonly asked questions.
Can You Really Get Malware On Your Android Device?
Are Android phones and tablets safe?
Long gone are the days when cybercriminals were only targeting computers. Now, they are likely to infect any piece of tech equipment you can imagine, starting from smart home ecosystems, to self-driving cars, drones, and AR/VR devices. And of course, your Android device is no exception.
How It All Started – The Early Days of Android Malware
First of all, let’s take a quick look at the origins of Android malware.
The first Android OS was released by Google back in 2008 and ever since has grown to be the most popular choice on the market. Currently, there are over 2.5 billion active Android devices worldwide.
At first, Android smartphones were not being targeted by malware since their popularity was growing gradually and attackers were mainly focusing on other widespread mobile operating systems of the time, such as Symbian. But as soon as its user base started developing more and more, by 2010, the platform was becoming a suitable environment for malware infections. Due to its open-source model, some illegal Android app stores were beginning to rise, and illicit apps were also starting to get included in Google’s official app store.
Spotted in 2010, AndroidOS.DroidSMS.A was the first Android Trojan. This was an SMS fraud app, which would subscribe your phone to various SMS services.
Back in the days of SMS subscription services, you could opt in to receive different alerts on your phone via text messages (i.e. ringtone of the week, joke of the day, etc.). Of course, you would also have to pay for each message you received. Once your phone got infected with this type of Android Trojan, it would automatically subscribe you to the service. And it would do it silently in the background without your prior approval, so you’d only notice it later on your phone bill.
During the same year, another Trojan was discovered posing as the TapSnake game. This particular Trojan would deliver the victims’ GPS location once their phones were infected over HTTP, which would then be identified by other phones that had the GPS Spy app installed.
In March 2011, yet another kind of malware, DroidDream, was added to the “collection”. Apparently, it was named due to the fact that it was programmed to run between 11:00 PM and 08:00 AM, when Android phone users were most likely to be asleep and not using their device. A dream turned into a nightmare, this was a mobile botnet type of malware, which could gain root access to Android devices and steal unique identification information. At the same time, it could download other malicious apps without the user being aware and allowed hackers to control the device.
Android Malware Toolkits Were Becoming Mainstream
Going forward, Android malware attacks were showing no signs of a slowdown and the mobile cybercrime market was thriving. This type of malware was being sold illegally on the dark web. Malware-spreading kits were becoming widely available to be used by virtually anyone willing to do harm.
For example, the MazelTov Toolkit, dubbed an “APK Download System”, was created and discovered back in 2015 to facilitate malicious actors into uploading and spreading malware to Android devices. Attackers were granted control and provided with statistics on how successful their malware campaigns were. These toolkits were being sold for the Bitcoin equivalent of $3,000 and “customers” would receive everything they needed to effectively infect mobile devices.
Perks and benefits included registered developer accounts for three reputable Android markets of your choice, two domains, templates for a landing page, Traffic Distribution System (TDS) to add bot filtering and ensure the malicious websites received unique visitors per each desired geolocations, etc.
In this article, I’ve already briefly mentioned the Android Trojan virus, yet there are many other forms of malware that can infect your device. So, below I’ll list the most frequent types of Android malware and explain how each of them works.
#1. Trojans
As you could probably already tell from the attacks I’ve already listed in the Early Days of Android Malware section above, Trojans are malware disguised as legitimate software and apps. They can be used to harvest your sensitive data, spy on your activity, delete files, gain access to your device, download other malware, and more.
#2. Keyloggers
Keyloggers are malware designed to record your keystrokes, or when it comes to mobile devices, the information you type on your device. The fact that you can also find keylogger software openly on the surface web (and not only the dark web!) readily available to the general public and indexed in the search engines is somewhat shocking and disturbing. Sadly, these apps are usually masquerading as parental control solutions, while other developers are openly encouraging the surveillance of your friends and partners.
#3. Ransomware
Although this type of malware is more common on computers, this doesn’t mean your mobile device can’t get infected with Ransomware.
Through this kind of attack, all your files end up encrypted and sometimes even your screen gets locked too. A message gets displayed on your device which asks you for a payment in return for decrypting your device.
In the image below, you can see an example of a ransomware attack targeting Russian users. The message displayed on the phone’s screen urges them to pay 500 Russian rubles ($8-$10) while they are also being threatened with a text message that would be sent to their contacts to let them know the victim was caught watching illegal adult content.
Spyware is a highly common malware infection on mobile devices. You may have recently heard of it in the controversial WhatsApp Spyware attack when a discovered vulnerability found in the app could be exploited in order to make way for spyware on the victims’ devices.
So what is mobile Spyware? It’s malware that enables attackers to access all the information on your phone, including contacts, calls, texts, and other sensitive information and also hijack your microphone and camera. Next, you can watch a short documentary created by a student who installed spyware on his phone, which got stolen. He shows how easy it is to spy on people and learn different things about them.
#5. Adware
If annoying advertisements are randomly being displayed on your device (full screen), even when you’re not browsing the Internet or using apps that have ads enabled, this means your mobile device is infected with Adware.
Here is what an Android mobile adware infection looks like:
Notorious Android Malware Campaigns Spotted in 2019
The pieces of malware below have been discovered this year alone, so notice how frequent these attacks can happen.
#1. Android/Filecoder.C
Targeting devices running Android 5.1 and higher, the FileCoder ransomware spreads via text messages that contain a malicious link. These messages try to trick you into installing an app which promises to use your own photos to create sex simulation imagery. But what this app actually does is encrypt all of your local files in exchange for a ransom ranging between $94 and $188.
For the full picture, here you can read the Security Alert around the FileCoder ransomware strain that we’ve recently released.
#2. SimBad
This malware campaign discovered in March 2019 impacted almost 150 million users. It was an adware strain found in 210 Android apps available on the official Google Play store. It was masquerading as the advertising kit named RXDrioder, which allowed attackers to control what ads were being displayed to users. The majority of the corrupted apps were shooter or racing games. RXDrioder was able to conceal the apps’ icons so users would find it more difficult to uninstall them.
In this adware campaign, attackers were abusing the legitimate advertising kit for their own profit to display the ads they desired. What’s more, they could make users’ browsers open at a particular URL to show even more ads. Or worse, open the Google Play and 9Apps stores to certain apps, so users could choose to engage in pay-per-install app monetization schemes.
But the malicious features of SimBad didn’t end here. The adware’s code could also display custom notifications and install additional apps from a server without the users’ consent.
#3. Agent Smith
This year in July, another malware campaign that infected over 25 million devices, dubbed “Agent Smith” due to its ability to bypass detection, was brought to light. This malware hacked apps and made them display more ads or took credit for the ads that were already displayed. Also, this piece of malware could identify well-known apps, such as WhatsApp, and replaced parts of their code and impeded app updates.
The malware was hiding in certain apps, which after were downloaded, the malware would pose as a Google app under a name like “Google Updater”, and then the process of replacing code would begin.
It was found in the 9Apps third-party store and the malware’s developer was also trying to spread it into the official Google Play Store too, where 11 apps included code similar to a simpler version of the malware. However, the malware stayed dormant in this case.
#4. BianLian
BianLian had been previously known as the dropper that enabled Anubis, a banking Trojan spotted last year, to get installed on devices while being disguised as apps that were in high demand (think currency calculators, discounter apps, device cleaners, etc.). This malware strain would ask for permission to alter the device’s accessibility services and acted as a keylogger to steal banking login credentials. What’s even more frightening in this particular case is that the apps were actually working just fine, just like legitimate applications would, and they even had high ratings in the official Google Play Store.
Fast forward to July 2019, a brand new version of BianLian was discovered, which transitioned to a complex malware that brings new attack tactics. Now, it would actually record the devices’ screens so that users’ credentials could be stolen, allowing attackers to gain access to usernames, passwords, card details, and account numbers.
#5. Monokle
Android spyware known as Monokle and allegedly designed by one of the Russian government’s surveillance providers has been discovered this month as well. It has supposedly been out in the wild since 2016, and it’s been hiding in fake apps that look identical to highly popular Android applications, such as Pornhub, Evernote, Skype, or Signal. This spyware retrieves passwords and converts smartphones into listening devices. The tool is also able to record home screens when devices are locked to steal passwords, look at predictive-text dictionaries to understand the victim’s interests, record calls, and listen through the phone’s microphone.
#6. MobonoGram (Android.Fakeyouwon)
MobonoGram is a malicious app that used the open-source code of the original Telegram app. Its code was injected with malware and afterward published on the Google Play Store.
The fake app was targeting users in countries such as Iran, Russia, the UAE, and the US, where the official app is banned. The app could launch itself each time the devices were booted, or right after an app was updated or installed. Moreover, when the app was running, it was gaining access to a set of C&C servers to obtain malicious URLs, a browser user agent to hide the requests’ source and some JavaScript codes. These JavaScript codes were created to engage in click fraud and profit from fake ad revenues.
Also, some URLs caused an infinite loop of requests to a malicious website. Such activity can drain the device’s battery as well as also possibly making it crash.
Between January and May 2019, researchers detected and blocked 1,235 infections belonging to the Android.Fakeyouwon malware family. The MobonoGram was downloaded over 100,000 times, and its developer (RamKal Developers) released at least five updates before it was eventually removed by Google from the Play store. Another malicious app named “Whatsgram” was published by the same developer.
How to check for malware on Android
So, what are the warning signs that could be telling you your Android device is infected with malware?
If your Android smartphone or tablet starts acting in a weird way and there are no obvious signs why this is happening, this behavior may be due to malware. Here are some common signs of Android malware:
Your battery is draining faster than usual.
If you’ve been using your Android device for roughly the same amount of time each day, yet you notice your battery is suddenly draining without an explicable cause, this may be due to a malware infection. Sometimes, malicious apps are using a lot of power resources. You should go to Settings, open the Battery section on your phone and see exactly which apps are using the most power. Try to identify if the apps that are showing up in there are genuine.
Your device heats up and performs poorly.
If you’re certain you’re not overusing the device and it heats up quickly and becomes really slow or your screen often freezes, we may be talking about malware. You should check the data usage to see which apps are using a lot of data. Access Settings, go to Data and look at all the apps. Uninstall anything that looks fishy immediately.
Pop-ups and ads have started to appear randomly.
This is a clear sign of a malware infection, namely adware. No ads should be showing up on your screen for no particular reason. Remember: DO NOT click on any of these ads, no matter what they promise. You should identify which apps you’ve recently installed and remove all the suspicious ones ASAP.
You’ve noticed weird phone calls and texts.
If you see any unexplained messages or calls, they may be due to a malware infection, as this is a common way for it to replicate. For instance, if you receive strange text messages from friends, trying to lure you into clicking on suspicious links, their phones may be infected with malware that is trying to pass over on your device as well. Here you can see a clear example of a Ransomware attack (dubbed FileCoder), which spreads via text messages on Android. Whatever you do, DO NOT click on any fishy URLs or answer unknown calls.
Unknown apps have suddenly appeared on your phone.
Needless to say, if you notice any apps that you haven’t installed yourself, remove them promptly! And remember the “Google Updater” app I previously mentioned in this article? Some malicious apps will try to sound genuine or mimic other apps, so be extra careful.
Check for any hidden apps.
Some apps may not be visible on your Android device unless you know where to look for them. I know, this may sound scary, but here’s what you need to do. Just go to Settings – Applications, and look for any unwanted names on the list. From this menu, uninstall any suspicious apps right away!
Tips to Avoid Malware on Your Android Device
Here is how you can prevent your Android device from being attacked by cybercriminals.
#1. Set up a PIN/password/pattern or biometric authentication.
This should be the first security measure you apply on your Android device. Always make sure your phone can’t be accessed by someone who could, for instance, install spyware so they can monitor your activity.
#2. Turn your screen’s sleep timer to no more than 15-30 seconds.
Just in case you forget your device unsupervised, make sure any potential malicious actors have as little time as possible to gain access to it.
#3. Do not root your Android device.
Rooting is the Android equivalent of jailbreaking Apple’s iOS, which means you can unlock the operating system to customize it, install unofficial apps, apply OS updates by yourself, and so on.
However, keep in mind this practice involves serious security risks, so don’t do it, unless you are an expert or simply want to experiment and aren’t concerned with security.
#4. Never sideload apps.
In other words, do not install apps from third-party sources other than the official Google Play Store. Basically, when you do it, you bypass the security protocols from the Play Store. But it’s your choice if you want to take the risk.
#5. Delete any unnecessary apps.
Time for spring cleaning on your phone! If you’re not actually using an app, don’t just let it sit there and gather dust. It may someday be a security hole on your device.
#6. Be careful what apps you download (even from the official Google Play store).
As we’ve witnessed so many rogue apps evading malware detection and being introduced in the Google Play store, this means you can’t fully trust the tech giant’s official platform either. And imagine how many malicious apps could be hiding in third-party stores, so always make sure you download from reputable sources. Also, make sure you check the number of downloads and reviews.
#7. Pay close attention to the permissions requested by an app
For instance, an app may ask you to give it permission to identify your location, access your list of contacts, see your photos, etc. Here, Google explains how you can keep track of the permission rights requested by apps and how to enable and disable them.
#8. Update your system software and apps.
I can’t stress this enough – apply the latest updates as soon as possible. This is truly mandatory. Do not postpone the process. Here you can read a piece on the importance of software and apps patching.
#9. Encrypt your device.
An easy and obvious way to keep your data away from unwanted eyes is through encryption. How can you do this? Open Settings on your Android device. Under Security you’ll see the encrypt device option. This encryption process can take up an hour or even more. Keep in mind this will drain your battery and begin the process with a fully charged and plugged in device.
#10. Back up your device.
Always have a copy of your files handy in case you lose the ones stored directly on your gadget. You can either manually transfer files to your PC on your hard drive (or save them on external storage devices), or you can choose to back up your data in the Cloud. Of course, the latter is more convenient and saves you time, but it’s your choice to make. Some Android phones allow you to back up your app data, call history, contacts, photos, videos, settings, and text messages directly on Google Drive. But on other devices, you will have to use third-party backup options.
#11. Stay informed about the latest threats.
Continuous education is your safest bet when it comes to cybersecurity. You should be able to spot malicious cyber behavior and know how to defend yourself. If you’re a cyber-security newbie or if you’d simply like to learn more and stay on top of things, we recommend you subscribe to our newsletter and to our Cyber Security for Beginners course.
#12. Use an anti-malware security solution on your Android device.
For instance, Thor Mobile Security blocks any mobile threat before it gets the chance to infect your gadget. It makes sure all the URLs you end up on are safe (which means no phishing links, no ransomware, no credential-stealing or identity theft), and if they’re unsafe, they instantly get blocked.
How to Remove Malware from Your Android Device (A Quick and Easy Guide)
Well, you did your best to avoid malware on Android, but you’ve still ended up with a compromised device. Or you simply weren’t aware of the dangers lurking out there so you weren’t careful enough.
You may have clicked on a malicious link you received via text message or installed a rogue app. Now, your device has been acting weirdly and it’s clearly infected with a virus.
What can you do about it?
Obviously, if you don’t mind losing all your data, you can always perform a factory reset, which will bring your device to its initial state. But there are other steps you can take for a quick remedy.
Step #1. Restart your phone in safe mode.
Go to the Power Off options by pressing the power button on your phone. The power menu will appear. Tap and hold Power Off until the Reboot to Safe Mode option appears and choose OK.
Step #2. Uninstall any suspicious apps and the ones you don’t use.
You’re already aware of the importance of uninstalling apps that should not have been on your device in the first place or old ones that bring you no benefits whatsoever.
Step #3. Install a reputable anti-malware solution.
Don’t rely solely on Google Play Protect. This is the built-in antivirus protection on Android, which in a test released by AV Comparatives in July 2019, scored a protection rate of only 83.2% and 28 false positives. We recommend you install Thor Mobile Security for continuous protection against advanced malware, phishing, ransomware, identity theft, and so much more.
Bottom Line
Most of these Android malware attacks are successful because they’re based on false promises which sound appealing. But keep in mind, the threats are real. Always stay alert, keep your apps and system software updated, and never download anything on your mobile device from dubious places.
If you liked this post, you will enjoy our newsletter.
Receive new articles directly in your inbox
Has your Android device ever been infected with malware? Share your stories in the comments section below.
Asking the real questions here – can a smart TV get a virus? We’re about to find out. If you’re into gaming or streaming, you’ve probably bought yourself a wide QLED.
Smart TVs are awesome since they give you access to tons of content without the need to use an intermediary – remember when you had to hook up your desktop or laptop to the TV just to see a movie?
Since most smart TVs out there run an OS akin to Android, the question about whether or not TVs can get viruses seems only natural. So, if you’re still worried about someone hijacking your smart during an epic streaming night, check out this guide. Enjoy!
It started with a tweet…
Like every ‘great’ Internet smash, the entire smart TV malware gig started with a tweet from Samsung. Try as I might, but I couldn’t get ahold of the said message since the company was kind enough to delete not long after it went live. However, it did not go away quietly (into the night) – pretty soon, people began wondering whether or not their TVs are safe.
Per Samsung’s statements, the tweet was part of their cybersecurity awareness campaign.
Awareness or not, it does pose a rather interesting question: can a smart TV get a virus? Everybody agrees to disagree that the answer is “no” since smarts do not tap into the same resources as PCs, Macs, tablets, or smartphones. True, but not very convincing.
So, I started poking around to seek the answer to this elusive question. Long story short – yes, your smart TV can get a virus if you download stuff that, well, you shouldn’t download. Android TVs are more vulnerable compared to the non-Android models since they have full access to Google Play’s apps library.
Yes, one wrong download and you can probably end up with a bricked set or even with a compromised router. Daunting as it may seem, the chances of this actually happening are slim to none.
Of course, many agree that any kind electronic device can be hacked, but is it really worth it? Think of it this way: if someone were to hack his way into your PC, he could steal precious stuff like financial info. That’s a prize worth having.
Thor Foresight makes sure that link is safe!
Your parents and friends will click any suspicious link, so make sure they're protected.
Thor Foresight provides:
Automatic and silent software updatesSmart protection against malwareCompatibility with any traditional antivirus.
First of all, a wide-spread cyberattack should be capable of targeting several types of chipsets. It’s true that most smart TVs use ARM- or MIPS-based cores, but the tech itself used to bring the sets to life, differs from that employed to build PCs or smartphones.
That would be the first limitation. The second one would be the fact that all TV operating systems are written in ‘read-only’ form, which means that the set itself can view and read the code, but it cannot write or overwrite on its own accord.
So, what does that even mean? Well, it kind of translates to someone having to redo the whole code to change the attribute from ‘read-only’ to ‘read-and-write’. Sounds easy enough on paper, but reality says otherwise; no one’s going through that much trouble just to hack a TV set!
Another ‘countermeasure’ smart TV manufacturers use is the digital signature. Each time a new firmware update becomes available, it simply overwrites the old one. Being digitally-signed means that in the event that malware does find its way inside your TV, it will simply be picked up by the in-built antivirus and deleted.
Now, even if the malware manages to evade detection (and that’s a very big ‘if’), worst case scenario – it will gain access to the TV’s config & general settings sections. Not much damage it can do from there (maybe trigger a voltage overload in those CPU cores or something).
So can a smart TV get a virus?
Not quite – TVs, just like any other electronics, CAN become infected. Well, that’s a bummer – how can a device get and not get infected at the same time? Let me try to clear things up a bit. So, for a TV to get viruses, Trojans, or any kind of ransomware, you would need to perform a specific set of actions.
For instance, if you insert a USB flash stick that harbors a bug, then your smart TV gets infected. It’s as easy as that. There’s even a story to go along with that claim; several of them, actually.
Fishing for Trojans
Apparently, in 2015, a Tom’s Guide user reported that he unwillingly transformed his Samsung smart TV into a breeding pool for trojans. As the story goes, the user plugged a USB stick into the TV without knowing that the stick was infected with win32.waldek.ACL, a trojan notorious for its ability to reconfigure the affected machine’s DNS and to restrict access to some websites.
Nothing appears to have happened to the TV, but once the user inspected the thumb drive on a computer, he saw that it was indeed infected with that particular trojan. His AV managed to bust the win32 variant, without any issues.
However, each time he would plug the stick into his TV and then back into the PC, his AV would detect an infection. I don’t know how this story ends, but I guess returning the set to its factory setting can root out just about any kind of malware from the smart TV’s buffer.
There are other accounts of smarts getting bitten by the ‘love bug’.
When gaming turns…viral
During the same year, Candid Wueest, a cybersecurity researcher managed to prove what others couldn’t: that someone can hold your TV for ransom. In other words, ransomware’s universal. Now, keep in mind that Wueest’s ‘experiment’ worked because, well, he wanted it to work.
Here’s how it went down: in his demo, Wueest managed to infect a Sony Android TV with ransomware using a Man-in-the-Middle attack, by replacing a game installation file with ransomware. As a result, the TV locked itself up. What’s even worse is that you can’t do anything because there’s no way of actually clicking on the instructions’ link to see the payment details.
So, yes, it’s possible, but certain conditions must be met. First of all, the researcher was able to access the network path; IRL that could happen if the hacker was either on the same network as his victim or hijacks the victim’s DNS resolution.
Second, before starting this unlikely experiment, he enabled the TV’s Android ADB debugging feature, which granted him access to some pretty advanced features. Last, but not least, he knew where the experiment was headed and how it would end.
He eventually purged the ransomware by using the ADB shell. Lesson learned – it can happen, but there’s a boorishly long list of ifs to go along with that assumption.
Sis’s sys got pwned
The winter of 2016 brings us yet another case of what appears to be a ransomware infiltration. Lucky for us, this wasn’t another experiment, but the real McCoy. According to Reddit user u/tell_me_im_funny, his sister’s LG smart became infected while she was navigating on the TV’s web browser.
A couple of minutes later, the set got ‘bricked’, the only thing capable of displaying would be a message reading “Your computer has been infected, please gib money to fix it.”
This time, there was no ADB shell, no access to the network pathway, and no one to call for help. In a later ad-lib, the user said that he managed to ‘unbrick’ his sister’s TV by performing a hard-reset (returning the TV to the factory settings).
Netflix is so gauche
And in hoping I haven’t bored you to death with my cybersec ‘penny dreadfuls’, the last story comes all the way from Kansas. Darren Cauthon, the protagonist and a software dev in his spare time, said that back in 2015, his Google Android-powered smart tv picked up a bug during his attempt at downloading a movie-streaming application.
Cauthon recalled streaming some flick when all of a sudden, the screen froze. Naturally, he tried rebooting the TV. However, upon restart, instead of the familiar LG start screen, Cauthon was met by a message allegedly sent by the Federal Bureau of Investigation. Apparently, the software dev was informed that due to some “suspicious files”, the device has been locked. The full text reads:
Department of Justice
Federal Bureau of Investigation
FBI Headquarters
Washington DC Department, USA
As a result of full scanning of your device, some suspicious files have been found and your attendance of the forbidden pornographic sites has been fixed. For this reason, your device has been locked. Information on your location and snapshots containing your face have been uploaded on the FBI Cyber Crime Department’s Datacenter.
Of course, Cauthon’s first thought was ransomware. And yes, his hunch was right – after downloading the wrong movie-streaming app, his TV became infected with FLocker, otherwise known as Dogspectus or Frantic Locker, a Cyber.Police ransomware variant. Since the bug made it into his TV and not his PC or phone, Cauthon was able to get rid of it by returning the set to its factory settings.
What’s there to be done if your TV does get a virus?
For the sake of argument, let’s say your smart TV picks up a trojan or ransomware. What are you going to do then? Well, there are several ways to root out malware from your device. Check these out.
1. Force-scan the TV and attached storage devices
Most modern smart TVs have in-built antivirus software. Sure, it’s signature-based and wouldn’t make much of a difference in case of Advanced Persistent Threats, but still better than nothing.
Keep in mind that your TV’s AV is not as sophisticated as the one on your computer. Certain functions like auto-scan or scheduled scans may not be available. So, it’s up to you to conduct periodical scans of your device. Here’s what to do:
Step 1. Navigate to Settings using your remote.
Step 2. Go to General Settings.
Step 3. Head to System Manager.
Step 4. Under Smart Security, click on Scan.
Step 5. Enjoy a virus-free streaming experience!
(*) This method applies to Samsung smart TVs. For other brands, please consult the user’s manual. Look for things like “smart security”, “smart hub”, or “online security.
2. Return TV to factory settings
Just like Cauthon, you could return your smart TV to factory settings in case of a ransomware infection. Bear in mind that in a Denial-of-Service attack, some or all of your TV’s functions will be disabled. This means that you will need to find an alternative way to do that. My advice to you would contact your brand’s customer service for technical info.
Now, if you’re the ‘proud’ owner of Samsung smart just like I am, you can find the reset to the factory settings option in Support, under Self-Diagnosis. Keep in mind that you might be required to provide your PIN code to complete the operation (if you haven’t messed around with the security settings, the default PIN is 0000). Bon chance!
3. Regular software updates
Yes, I know that this tip does not qualify as a fix, but you know how it goes with that proverbial ounce of prevention. Anyway, keep your TV’s firmware and all downloaded apps up to date. Almost all smart TVs have an auto-updater or, rather, semi-auto update feature since it will prompt you to install the latest version.
If you have an older set, try checking at least once per month for any updates. Do the same for your apps. Why keeping everything up to date? Because over 80 percent of malware infections occur due to outdated apps which turn into breach points.
4. Wired over wireless
If you can choose between a wired and a wireless connection, go with the first. Wired connections are harder to hack compared to the wireless ones. Of course, there’s the entire cable management issue, but everything can be solved with a bit of patience and some cable ties.
5. Avoid shady vendors
Now, if that TV really can’t wait, do yourself a favor and buy yours from a legit vendor. Don’t fall for bogus discounts, giveaways, or whatnots because that’s how you end up with rip-offs and malware-infected devices. Lesson learned – say YES to Samsung or LG and NO to Samysung or MG.
6. Refrain from plugging (infected) USB sticks into your TV
Seems pretty obvious, but I still need to say it: never, ever stick a malware-infected memory stick or portable hard-drive into your smart TV. It would be wise to run a quick scan on your PC or Mac before plugging in the stick. And I wouldn’t recommend using sticks other than your own.
7. Ditch generic web browsers
If you don’t have an Android smart TV, then you’ve no other choice but to use the in-built one. Now, if you really don’t like the default one, you should stick with the usual ‘suspects’ like Chrome, Mozilla, Firefox, Opera, or Brave. Why? Because they’re much more secure compared to generic ones.
Wrap-up
So, can a smart TV get a virus? That would be a “yes”. Still, you should take this with a grain of salt – sure, malware can brick your TV or whatever, but it’s still not nearly as dramatical compared to what would happen if the same bug got into your computer.
As always, keep your apps up to date, perform regular scans, avoid dubious memory sticks, and stick with the big brands. For any question, comments, rants, or suggestions, feel free to shoot me a comment. Cheers!
If you liked this post, you will enjoy our newsletter.
Developer training has an essential role in reducing code vulnerabilities and avoiding a breach. Effective application security requires both locating security-related defects, and fixing them. But developers simply aren’t equipped with the knowledge or skills they need to fix these flaws. Veracode recently sponsored the 2017 DevSecOps Global Skills Survey from DevOps.com, and found that less than one in four developers or other IT pros were required to take a single college course on security. Meanwhile, once developers get on the job, employers aren't advancing their security training options, either. Approximately 68 percent of developers and IT pros say their organizations don't provide them adequate training in application security. The good news is that getting developers the security training they need makes a big difference. Data collected for our State of Software Security report revealed that eLearning on secure coding improved developer fix rates by 19 percent; even better, remediation coaching improved fix rates by a whopping 88 percent.
Clearly, developer training on secure coding is both needed and effective. The following are some key elements to keep in mind when establishing security-training initiatives for development teams.
Consider the channel and the content
Consider employing a variety of training types to accommodate different learning styles and preferences, time zone differences, and to allow for both quick insights and deep dives. For instance, consider both self-paced eLearning training along with periodic instructor-led training.
In terms of content, ensure the training is both role- and technology-specific. For instance, different programming languages have different security idiosyncrasies, and each has its own propensity for different vulnerability types, so it’s important that your training is specific to your language.
Train on-the-job
Reinforce traditional training with on-the-job learning. When developers get instant feedback and learn to code securely as they are actively coding, they create more secure code faster and make less security missteps going forward. And some application security testing solutions offer this option. As our director of product marketing notes in a recent blog post, “The security testing serves as a feedback loop for developers and as a gate to stop security defects escaping to production.”
A recent Forrester report, Show, Don't Tell, Your Developers How To Write Secure Code, states that “the best application security testing tools … now come with good remediation advice for developers.” They recommend to “look for tools that include clickable and brief training modules and can be inserted as early into the SDLC as possible, such as spellchecker-like plug-ins to the integrated developer environment (IDE).”
For example, Veracode Greenlight, an IDE or CI integrated continuous flaw feedback and secure coding education solution, returns scans in seconds, helping you answer the question “is my code secure?”
Greenlight provides on-the-job developer security training through:
Remediation advice with code examples
Positive feedback when best practices are followed
In line education, learning as you code
Embrace security champions
Finally, one of the best ways to reinforce all your security training efforts is to employ security champions on your development teams. A security champion is a developer with an interest in security who helps amplify the security message at the team level. Security champions don’t need to be security pros; they just need to act as the security conscience of the team, keeping their eyes and ears open for potential issues. Once the team is aware of these issues, it can then either fix the issues in development or call in your organization’s security experts to provide guidance.
With a security champion, an organization can make up for a lack of security coverage or skills by empowering a member of the development team to act as a force multiplier who can pass on security best practices, answer questions, and raise security awareness.
Expect a full slate of enterprise-class open source tools to take the spotlight when security researchers share their bounties with the community at large.
Capital One’s data breach may be one for the record books, impacting as many as 106 million U.S. and Canadian credit applicants dating back to as early as 2005. While it’s natural to want to draw parallels to the 2017 Equifax breach, there are a couple of details in this story that make it remarkably different – including Capital One’s quick response to a tip submitted through its Responsible Disclosure process.
According to multiple reports, 33-year-old Paige A. Thompson allegedly gained access to approximately 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers, and 80,000 linked bank account numbers. Other affected personal information included phone numbers and credit scores. Thompson, who is facing five years in prison and a fine of up to $250,000, was previously an employee of Amazon Web Services, which hosted the Capital One database that was breached.
“The attacker was an ex-AWS employee, which did not give her special privileges, but does go to explain expertise of the AWS platform,” said Veracode Co-Founder and CTO Chris Wysopal. “The attacker found a configuration error in a Web Application Firewall (WAF) that allowed privileged commands to be executed with the credentials of Capital One. These commands had privileges that allowed her to access the storage where the Capital One PII was stored.”
Paul Farrington, Veracode EMEA CTO, noted that WAF log files are likely to have been stored in the AWS S3 storage system, which may be how the attacker was able to access the customer data that contain PII. What’s yet to be understood is who the WAF vendor is – if this breach is indeed the result of a configuration error, this vulnerability may be undocumented and many other organizations could be at risk.
It's looking likely that CapOne was only one of many organizations whose data was obtained by the defendant in this case. CapOne may be the only one that is public so far though.
What Does Coordinated Disclosure Have To Do With It?
Many news outlets are drawing parallels to the 2017 Equifax breach, saying that this may not have happened if adequate measures had been taken legislatively to ensure significant consequence following breaches of this magnitude. The facts of the Capital One breach are certainly alarming, particularly when you consider that this is yet another example of consumers experiencing a significant privacy breach with far-reaching consequences. Certainly, the $700 million settlement Equifax is paying sets a precedent in penalizing companies that have not adequately protected their customers’ personal information – and failed to act quickly when a breach is brought to its attention.
That’s just one of the ways in which the Capital One breach is different. If the company was indeed breached through a WAF provided to them by a third-party vendor, it could be said that Capital One was doing its diligence to ensure the security of its customer data. We could get into how complicated supply chain security can be (think back to the AMCA data breach in June) and where the fault really lies in this case, but that seems fruitless given we don’t yet have all the facts.
It’s what we do know that deserves to be highlighted, both to differentiate this breach from Equifax and to highlight a critical best practice for all organizations with software underpinning the success of their business: Capital One has a working responsible disclosure process.
Thompson was not shy or discreet about her hack into the financial institution, posting the data she exfiltrated back in March to her GitHub account, which included her full name and resume. According to Wired, she also talked openly about it on Slack. The court documents indicate that on July 17, an anonymous tipster informed Capital One about the flaw and breach by emailing the responsible disclosure address with a warning about the data as well as the GitHub link.
In a statement made on July 29, Capital One said it, “immediately fixed the configuration vulnerability that this individual exploited and promptly began working with federal law enforcement. The FBI has arrested the person responsible and that person is in custody. Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual. However, we will continue to investigate."
Meaning that once informed through its disclosure process, Capital One alerted the FBI, fixed the vulnerability, and the suspect was arrested – all within 12 days. Although consumers are still waiting to see if their data has been impacted, this response and resolution is much faster than others we have historically seen.
When a vulnerability in Zoom was made public earlier this month, it was done so by a security researcher who had disclosed the vulnerability to the video conferencing company 90 days before he published his blog post. At that time, they still hadn’t fixed it, and it became major news in the hours and days following the public disclosure.
The Capital One data breach could have been far worse had it not been for the openness of the hacker and the financial institution’s responsible disclosure process. Consumers may still be waiting to find out whether or not their information was breached, but it is clear that Capital One either learned from the massive breaches that came before or has a security leader hip to the value of working with outside security researchers.
The debates around responsible disclosure – now more commonly referred to as coordinated disclosure – have been going on for many, many years. We know that both businesses and the security community see the value, and that there is frustration from security researchers when they are either ignored or feel the issue isn’t being remedied fast enough. While it is important to consider how best to handle these breaches when it comes to legislative involvement, it is just as important to strengthen the relationship between enterprise and security researchers to ensure smooth reporting and resolution of flaws.
Vulnerabilities and flaws aren’t going anywhere – but we can all work together better to make sure they’re harder to exploit, and that resolution is swift after there has been a breach.
You can keep up with AppSec news like this, plus get trends and best practices, by subscribing to our content.
Physical and cyber are two sides of the same “security industry” coin, said George Finney, CISO, Southern Methodist University, in his keynote speech on the closing day of the Cyber: Secured Forum.
“There’s not really a difference from the hacker perspective. They are trying to use whatever avenue they can to exploit your company,” Finney said. Where once penetration testers might have only tested the network, now Finney has pen testers come to campus and try to break into the wireless network or use social engineering methods to access areas of campus where they aren’t supposed to be.
While the university is charged with protecting student data, Finney said, “We also want to protect them, wherever they are.”
The security industry is made up of people. In physical and cybersecurity, “both of us make our spouses sit with their backs to the restaurant so that we can see all the exits. We both integrate highly complex technologies, and we both know that the bad guys are going to figure out what our defenses are,” Finney said.
For years, it was believed that you couldn't have cybersecurity without physical security, but today, Finney said, the opposite is also true.
Finney shared lessons he learned as the CISO of Southern Methodist University, which has integrated support for physical security technologies and cybersecurity on the same team, promoted by a major event on campus.
The opening ceremony of the George W. Bush Presidential Library and Museum was planned on the SMU campus, and Finney explained that the Secret Service told him that the event would be the biggest security event because five living presidents would be in attendance.
Finney said that his team has completed a campus-wide lock-down initiative, centralized support and increased response time to improve security for the event with the help of an integrator. The initiatives then had the lingering effect of improving the student experience, which has successfully helped to reduce crime on campus – all while hardening systems against hacking.
We Must Weaken Encryption, Say ‘Five Eyes’ Ministers
Senior ministers from the UK, Australia, Canada, New Zealand and the United States have announced their support of weakening encryption, essentially asking tech companies to install backdoors in encrypted communications.
The news comes following a two-day security summit in London, where home affairs, interior security and immigration ministers of the ‘Five Eyes’ countries discussed current and emerging threats which could undermine national and global security.
As detailed in the an official UK government release, “During a roundtable with tech firms, ministers stressed that law enforcement agencies’ efforts to investigate and prosecute the most serious crimes would be hampered if the industry carries out plans to implement end-to-end encryption, without the necessary safeguards.”
Home Secretary Priti Patel said: “The Five Eyes are united that tech firms should not develop their systems and services, including end-to-end encryption, in ways that empower criminals or put vulnerable people at risk.
“We heard today about the devastating and lifelong impact of child sexual exploitation and abuse, and agreed firm commitments to collaborate to get ahead of the threat.
“As Governments, protecting our citizens is our top priority, which is why through the unique and binding partnership of Five Eyes we will tackle these emerging threats together.”
Also speaking at the conclusion of the two-day conference was United States Attorney General William P. Barr. Barr said that encryption presents a unique challenge and the Five Eyes partnership has a duty to protect public safety, including those related to the internet.
“We must ensure that we do not stand by as advances in technology create spaces where criminal activity of the most heinous kind can go undetected and unpunished.”
However, Javvad Malik, security awareness advocate at KnowBe4, said that calls to weaken encryption, or to place backdoors in, are periodically made by ill-informed politicians.
“No matter how hotly this is debated, it can't change the maths behind encryption, which will either work or not. Weakening encryption will do more harm than good, as it will leave all communication vulnerable and allow bad actors to compromise legitimate traffic,” he argued.
The report found that 50% of all the companies impacted by observed phishing domains were in the financial services sector. The report reflects the analysis of 3.5 billion attempts during an 18-month period that have put the personal data and banking information of financial services customers at risk.
Researchers observed that, between December 2, 2018, and May 4, 2019, 197,524 phishing domains were discovered. Customers were directly targeted in 66% of those attacks. In addition, “94% of the attacks against the financial services sector came from one of four methods: SQL Injection (SQLi), Local File Inclusion (LFI), Cross-Site Scripting (XSS), and OGNL Java Injection (which accounted for more than 8 million attempts during this reporting period), based on Akamai’s calculations,” according to the report.
“We’ve seen a steady rise in credential stuffing attacks over the past year, fed in part by a growth in phishing attacks against consumers,” said Martin McKeay, security researcher at Akamai and editorial director of the State of the Internet/Security Report. “Criminals supplement existing stolen credential data through phishing, and then one way they make money is by hijacking accounts or reselling the lists they create. We’re seeing a whole economy developing to target financial services organizations and their consumers.”
Criminals are using "bank drops," which researchers explained are packages of data that include a person’s stolen identity, that can be used to open accounts at a given financial institution. The packages are known as "fullz" by criminals online and include an individual’s name, address, date of birth, Social Security details, driver’s license information and credit score.
While financial institutions are trying to understand the methods criminals are using to open these drop accounts, attackers are gaining more success because they continue to target the financial services industry.
“Attackers are targeting financial services organizations at their weak points: the consumer, web applications and availability, because that’s what works,” said McKeay. “Businesses are becoming better at detecting and defending against these attacks, but point defenses are bound to fail. It requires being able to detect, analyses, and defend against an intelligent criminal who’s using multiple different types of tools for a business to protect its customers.”
In this piece of research, attackers successfully attack a driverless car system -- Renault Captur's "Level 0" autopilot (Level 0 systems advise human drivers but do not directly operate cars) -- by following them with drones that project images of fake road signs in 100ms bursts. The time is too short for human perception, but long enough to fool the autopilot's sensors.
Gadsden Independent School District (GISD) announced that it was working to recover from a malware infection on its network. Travis L. Dempsey, superintendent of the Sunland Park school district, posted a notice about the attack on GISD’s website. Our Technology Department has been working to address a virus in our network. Our goal is to […]… Read More
X.509 certificates help secure the identity, privacy, and communication between two endpoints, but these digital certificates also have built-in expirations and must be managed.
UK Firms Move Operations as Brexit Data Fears Grow
UK businesses are stepping up their preparations for a potentially tortuous split from the EU, with a third moving some operations to the continent to avoid data privacy regulatory issues, according to new research.
Business process outsourcer Parseq polled 500 decision makers in businesses with 250+ employees about how Brexit might impact their current data privacy obligations.
Although the GDPR is technically transposed into UK law, the country will require an “adequacy decision” from the European Commission to ensure unhindered data flows after it leaves the trading bloc – something that is certainly not guaranteed.
That’s why the vast majority (89%) of firms polled by Parseq said they’d taken proactive measures.
Around a third (35%) said they’d refocused their client base to the UK, while a similar number (32%) had transferred operations to the EU.
Nearly two-fifths (37%) said they have audited data flows to and from the EU and even more (42%) have sought advice from regulator the Information Commissioner’s Office (ICO).
Craig Naylor-Smith, managing director at Parseq, argued that UK firms are currently operating on shifting sands given the lack of clarity over post-Brexit data transfer arrangements.
“The Data Protection Act (2018) transposed the GDPR into UK law, but if the rules in Europe diverge once we leave the EU it could make transferring personal data to and from the continent more difficult — a vital consideration for businesses in our increasingly connected, digital world,” he added.
“With this in mind, it’s encouraging to see so many firms take proactive steps to prepare for the prospect of regulatory changes. However, with an even proportion of firms increasing their European presence and refocusing their position to the UK, it’s clear the best course of action will depend on individual strategies.”
The bottom line is: UK businesses must consider how Brexit could impact data privacy regulations as a matter of urgency, he said.
There are a number of ways attackers can exploit public information about your organization's employees. CSO Online's Susan Bradley walks through how an attacker can gain access to your organization's Office 365 accounts and how you can protect your enterprise from these potential attacks.
Vulnerabilities in Apple Wireless Direct Link (AWDL), the wireless protocol that underpins Apple’s AirPlay and AirDrop services, could allow attackers to track users in spite of MAC randomization, to intercept and modify transmitted files, and to prevent transmission or crash devices altogether. Apple has already fixed one of the DoS vulnerabilities, but the other holes are not that easy to plug. What is AWDL? “With deployments on over one billion devices, spanning several Apple operating … More →
The US-CERT has been forced to issue an ICS alert after a security researcher revealed major cybersecurity shortcomings in small aircraft which could enable attackers to cause crashes.
The issues lie with the CAN bus networks, a common feature of automobiles which connect electronic sensors and actuators.
“An attacker with physical access to the aircraft could attach a device to an avionics CAN bus that could be used to inject false data, resulting in incorrect readings in avionic equipment,” the alert noted.
“The researchers have outlined that engine telemetry readings, compass and attitude data, altitude, airspeeds, and angle of attack could all be manipulated to provide false measurements to the pilot. The researchers have further outlined that a pilot relying on instrument readings would be unable to distinguish between false and legitimate readings, which could result in loss of control of the affected aircraft.”
The research itself was carried out by Rapid7’s Patrick Kiley, who is also a pilot. He spotted an over-reliance in the avionics sector on physical security and called for more defense-in-depth.
“Just as football helmets may actually raise the risk of brain injuries, the increased perceived physical security of aircraft may be paradoxically making them more vulnerable to cyber-attack, not less,” he argued in a blog post introducing the research.
“Think about it: if you felt like your internal LAN was totally and completely untouchable by attackers, you probably wouldn't worry much about software patching or password management. Of course, LANs aren't impregnable, and neither are CAN bus networks, so we're worried about this mindset when it comes to avionics security.”
The hope is that, just as greater scrutiny of these systems in the automotive industry has led to steps being taken to mitigate risk, the same can happen in the light aircraft space.
Researchers are warning of a potentially serious Android ransomware threat that spreads via malicious links in SMS messages and posts in forums.
ESET malware researcher, Lukas Stefanko, explained in a blog post that Android/Filecoder.C has been active since at least July 12 — distributed via Reddit posts and an Android developers forum known as “XDA Developers.”
“Using victims’ contact lists, it spreads further via SMS with malicious links,” he continued.
“Due to narrow targeting and flaws in execution of the campaign, the impact of this new ransomware is limited. However, if the operators start targeting broader groups of users, the Android/Filecoder.C ransomware could become a serious threat.”
Once the malware sends itself out via malicious SMS links it will encrypt most files on the victim device and request a ransom. The texts that contacts of the victim receive try to socially engineer them into clicking by claiming that their photos have been found in an app.
Most of the malicious forum and Reddit posts discuss porn-related topics, although some are also tech-related. Links, sometimes shortened, or QR codes are used to point to the malware, explained Stefanko.
“To maximize its reach, the ransomware has the 42 language versions of the message template seen in Figure 5. Before sending the messages, it chooses the version that fits the victim device’s language setting. To personalize these messages, the malware prepends the contact’s name to them,” he continued.
“The malware contains hardcoded C&C and Bitcoin addresses in its source code. However, it can also dynamically retrieve them: they can be changed any time by the attacker, using the free Pastebin service.”
If users delete the ransomware app then their device will be encrypted for good, although there’s nothing to support the claim on the lock screen that affected data will be lost after 72 hours, ESET said.
The ransom itself is relatively small, around $94-$188.
The security vendor urged Android users to stick to the official Google Play store for app downloads, keep their devices up-to-date at all times, pay attention to permissions requested by apps and download AV to their handsets.
In this interview, Mark Sangster, VP & Industry Security Strategist at eSentire, gives SMBs advice on how to minimize the risk of a data breach through better security practices, sets out priorities for a successful data security plan, and opines on the key challenges for the information security industry over the next five years. Massive data breaches have unquestionably demonstrated that no organization, regardless of size, is immune to risky security practices. While large organizations … More →
Researchers at RIPS Technologies discovered vulnerabilities in the OXID eShop platform that could expose eCommerce websites to hack.
Experts at RIPS Technologies discovered several flaws in the OXID eShop platform that could be exploited by unauthenticated attackers to compromise eCommerce websites.
OXID eShop is a popular e-commerce software platform used by important brands like Mercedes and Edeka.
Experts discovered two critical security issues that affect recent versions of Enterprise, Professional, and Community Editions of OXID eShop software.
The vulnerabilities could be exploited by an attacker without any user interaction.
The first issue, tracked as CVE-2019-13026, is an SQL injection vulnerability that could be exploited by an unauthenticated attacker to create a new administrator account.
“The eShop software is prone to a SQL Injection which is fully exploitable from an unauthenticated remote session. The exploit requires no specific shop configuration.” reads the report published by RIPS Technologies.
“This means an attacker can pivot via the session variable to inject straight into ORDERBYstatement of the SQL query. Since the underlying database driver is per default set to PDO, an attacker can make use of stacked queries to insert a brand new admin user with a password of his choice. He can then log into the backend and continue the exploitation process which is described in the following section.”
The second flaw in the OXID eShop is a PHP Object injection vulnerability that affects the administration panel of the platform. The vulnerability is caused by the lack of sanitization for user-supplied that being passed to the unserialize() PHP function.
The flaw can be exploited by a remote attacker to execute arbitrary code on the server. Experts pointed out that the exploitation of this flaw requires administrative access to the system that can be obtained triggering the first SQL Injection vulnerability.
“As soon as the adversary has access to the backend, he can escalate his access into a Remote Code Execution by exploiting a PHP Object Injection vulnerability in the import section.” continues the post. “The administrator has the possibility to import articles by uploading a CSV file which is loaded into the $data array of the following code snippet.”
The expert successfully chained the two issues in a Python2.7 exploit that can be exploited to compromise OXID eShops by just knowing their URL.
The experts published a video that shows the PoC code in action.
Chaining the two flaw, attackers can remotely execute malicious code on the underlying server and take full control over the installation of the eCommerce platform. This means, for example, that attackers can install software skimmer to steal payment card data from visitors.
Experts warn of a new campaign carried out by threat actors that are wiping Iomega NAS devices exposed online.
Security experts are warning of a campaign carried out by attackers that are deleting files on publicly accessible Lenovo Iomega NAS devices.
Likely attackers use the Shodan search engine to find unprotected IOmega NAS exposed online and access them using the publicly accessible web interface.
Once wiped the devices, attackers will leave a ransom note asking for the payment of a ransom in Bitcoin. It is not clear if the attackers will give back the files to the victims after they have made the payment.
“In a topic in the BleepingComputer forums, users are reporting that all of the files on their Lenovo Iomega NAS devices have been deleted or hidden and a ransom note was left in their place.” reported BleepingComputer. “This ransom note is named YOUR FILES ARE SAFE!!!.txt and state that the user’s files have been encrypted and moved to a safe location.”
Experts observed several notes that request the payment of different ransom amounts and have different messages. Most of the notes request victims to pay an amount between 0.01 to 0.05 Bitcoin.
One of the ransom notes observed by the victims threaten them to sell their files on the dark web if the user does not make the payment
YOUR FILES HAVE BEEN ENCRYPTED AND MOVED TO A SAFE LOCATION. IF YOU NEED THEM BACK PLEASE SEND 0.01 BITCOIN TO THIS ADDRESS:
172bnrSX351TEEVrFJTPAA9ktBxfjnweLm
YOU HAVE UNTIL THE 15th OF AUGUST 2019 TO MAKE THE PAYMENT OR YOUR FILES WILL BE SOLD ON THE DARK WEB.
YOUR UNIQE ID IS: "xxx".
BE SURE TO INCLUDE IT IN THE PAYMENT COMMENTS, OR EMAIL ME THE CODE AND PAYMENT CONFIRMATION TO: decryptiega@protonmail.com
AFTER THE PAYMENT YOU WILL RECEIVE A NEW FILE ON YOUR FTP DEVICE WITH THE LINK TO YOUR DECRYPTED FILES.
THANK YOU FOR YOUR COOPERATION.
Unfortunately, some of the victims prefer to pay the ransom to get back their files. Analyzing one of the Bitcoin addresses associated with this campaign, the 13gMN3sJFxoLvoDzyGxq31sr4k9P2qqMDQ wallet, we can verify that at the time of writing 10 victims have paid the ransom.
BleepingComputer discovered that the files are being deleted by the attackers and hidden somewhere on the drive, this means that it is possible to recover them using file recovery software.
Some users reported difficulty using file recovery software with the NAS devices because they use ext2 filesystem.
Recently experts reported a series of attacks involving the eCh0raix ransomware that was targeting QNAP NAS devices.
QNAP published a security advisory to explain to its users how to secure their NAS devices.
Capital One is the latest victim of a large-scale breach, which happened from 2005 and 2019. The 14-year worth data collection may be considered as the data breach with the most number of records stolen for the longest period in the history of computing. In view of the gravity of the situation, Capital One released its official press release providing more information about the incident. The company claimed that they expect that around 6 million Canadian and 100 million American had their information stolen from the company’s database due to a clever chain of cyberattacks against unpatched system vulnerabilities. Capital One admitted that the data breach was discovered through the responsible disclosure of ethical hackers last July 17, 2019. The company’s internal team confirmed the incident actually happened with results of the internal investigation completed last July 19, 2019. For a short period of just one day, from March 22 to 23, 2019, the attackers harvested 14-years worth of customer records.
“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened. I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right,” explained Richard D. Fairbank, Capital One’s Chief Executive Officer who concurrently also serving as the company’s Chairman. In the latest information provided in the press release, the company confirms that the suspect in the incident is already under the custody of the Federal Bureau of Investigation. The company continues to coordinate with the FBI team headed by FBI Seattle Field Officer Joel Martini in partnership with U.S. Attorney Brian T. Moran who is responsible for the arrest of the unnamed suspect. It is not yet confirmed if the information stolen is already being used for identity theft campaigns. Capital One cleared initial rumors that the data breach was due to unchecked cloud access, the company strongly denied such a claim. Cloud infrastructure that Capital One sign-up with is a separate system, and not affected by the incident.
“The Company carries insurance to cover certain costs associated with a cyber risk event. This insurance is subject to a $10 million deductible and standard exclusions and carries a total coverage limit of $400 million. The timing of recognition of costs may differ from the timing of recognition of any insurance reimbursement,” added Capital One.
The company assured the public that no credit card information were part of the breach, but the company also disclosed 140,000 of the records stolen included the victim’s Social Security numbers. Based-on initial probe, the loss records contain data from both consumers and business clients who transact with Capital One from the period of 2005 to 2019. Records of customers in that 14-year timeframe includes their:
Fullname
Residential address
Postal code
Email address
Contact number
Birthdate
Self-declared income
“We will notify affected individuals through a variety of channels. We will make free credit monitoring and identity protection available to everyone affected. Safeguarding our customers’ information is essential to our mission and our role as a financial institution. We have invested heavily in cybersecurity and will continue to do so. We will incorporate the learnings from this incident to further strengthen our cyber defenses,” emphasized Capital One.
The proliferation of data is causing a security and governance challenge across the hybrid cloud. Estimates project the global datasphere will grow from 33 zettabytes in 2018 to 175 by 2025. As new, data-intensive systems are spun up to keep pace with business needs, maintaining security and data governance is becoming a top concern. The complexity is such that a report on cloud security asserts that through 2022, 95% of security failures will be the … More →
The majority of organizations don’t know if the security tools they deploy are working, and are not confident they can avoid data breaches, according to AttackIQ. AttackIQ released the report based on Ponemon Institute research evaluating the efficacy of enterprise security strategies. Ponemon surveyed 577 IT and IT security practitioners in the United States who are knowledgeable about their organization’s IT security strategy, tactics and technology investments. “The significant number of security experts who have … More →
Technology companies could be doing much more to protect individuals and organizations from the threats posed by phishing, according to research by the University of Plymouth. However, users also need to make themselves more aware of the dangers to ensure potential scammers do not obtain access to personal or sensitive information. Academics from Plymouth’s Centre for Security, Communications and Network (CSCAN) Research assessed the effectiveness of phishing filters employed by various email service providers. They … More →
Flaws that allow attackers to bypass the payment limits on Visa contactless cards have been discovered by researchers Leigh-Anne Galloway and Tim Yunusov at Positive Technologies. The attack was tested with five major UK banks, successfully bypassing the UK contactless verification limit of £30 on all tested Visa cards, irrespective of the card terminal. The researchers also found that this attack is possible with cards and terminals outside of the UK. These findings are significant … More →
DevOps has transformed the way software engineers deliver applications by making it possible to collaborate, test and deliver software continuously. Dotscience, the pioneer in DevOps for machine learning (ML), emerged from stealth to signal the rise of a new paradigm where ML engineering should be just as easy, fast and safe as modern software engineering when using DevOps techniques. For data science and ML organizations to achieve this DevOps for ML nirvana, the right tooling … More →
Skyworks Solutions, an innovator of high performance analog semiconductors connecting people, places and things, unveiled its latest high reliability solutions for demanding military and space applications with stringent operating requirements. Skyworks’ hermetically sealed, broadband low-noise and impedance-matched amplifiers function in harsh environments and can be leveraged in a multitude of communication platforms. With all peripheral components integrated into an optimized ceramic QFN package, these devices simplify the design process and reduce board space while delivering … More →
CoreSite, a premier provider of secure, reliable, high-performance data center and interconnection solutions in major U.S. metropolitan areas, announced that it is offering SDN inter-site connectivity between seven of its edge markets. SDN connectivity between markets and campuses through CoreSite’s Open Cloud Exchange With the CoreSite Inter-Site Connectivity solution customers can: Secure their distributed IT infrastructure with private SDN connections, versus accessing data over the Internet Simplify hybrid cloud architectures for multi-cloud and multi-site network … More →
Spirent Communications, a leading provider of test, measurement, assurance, and analytics solutions for next-generation devices and enterprise networks, announced that at Black Hat USA in Las Vegas (August 7-8) it will demonstrate a number of new capabilities in its CyberFlood Data Breach Assessment solution and preview new use cases for security assessment in 5G networks. The new Reconnaissance Mode feature in CyberFlood Data Breach Assessment mirrors the activity of an actual hacker to identify the … More →
Rambus, a premier silicon IP and chip provider making data faster and safer, announced it has signed a definitive agreement to acquire Northwest Logic, a market leader in memory, PCIe and MIPI digital controllers. Northwest Logic’s high-performance, high-quality and silicon-proven digital IP controller cores are optimized for use in both ASICs and FPGAs. Interface IP solutions consisting of a physical interface (PHY) and companion digital controller make it possible to optimize the transfer of data … More →
Amazon Web Services (AWS), an Amazon.com company, announced the opening of the AWS Middle East (Bahrain) Region. With this launch, AWS now spans 69 Availability Zones within 22 geographic regions around the world, and has announced plans for nine more Availability Zones across three more AWS Regions in Indonesia, Italy, and South Africa. Developers, startups, and enterprises, as well as government, education, and non-profit organizations can run their applications and serve end-users from data centers … More →
250ok, an email analytics and deliverability platform, unveiled its proprietary email validation feature providing marketers a better way to ensure their marketing emails are reaching engaged, real consumers. According to benchmark tests run by 250ok, on average, 250ok Validation is up to 40% better at finding undeliverable addresses and returned 9-15 times less “unknown” results, with up to 99.5% of competitors’ unknown results returning as Verified ValidTM. 250ok’s entry into the validation market, currently including … More →
Perimeter 81, a pioneer in zero trust software-defined network access, has partnered with SentinelOne, the autonomous endpoint protection company. The partnership will provide a wide range of businesses, from midsize companies to Fortune 500s, with unified network and endpoint security, ensuring more effective threat defense for the cloud and mobile-first world. “We’re proud to have helped hundreds of clients ensure simplified, zero trust access to their on-premise and cloud environments with our Zero Trust Network … More →
Organizations are increasingly turning to containers even though they are not as confident in the security of those containers, according to a new survey.
Connected2Fiber, the Industry Cloud for Connectivity, announced that it has closed a $5.3 million round of funding from Ascent Venture Partners, Osage Venture Partners, Nauta Capital, and NXT Ventures. The company plans to use its latest round of funding to accelerate growth through further investment in product development and go-to-market activities. Connected2Fiber’s core platform, The Connected World, provides trusted, location-based insight and applications to network sellers and buyers. The SaaS platform automates many of the … More →
Capital One is one of the 10 largest banks based on U.S. deposits. As with many big-name brands, cybercriminals see these companies as an ideal target to carry out large-scale attacks, which has now become a reality for the financial organization. According to CNN, approximately 100 million Capital One users in the U.S. and 6 million in Canada have been affected by a data breach exposing about 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers, and 80,000 bank account numbers, and more.
According to the New York Post, the alleged hacker claimed the data was obtained through a firewall misconfiguration. This misconfiguration allowed command execution with a server that granted access to data in Capital One’s storage space at Amazon. Luckily, Capital One stated that it “immediately fixed the configuration vulnerability.”
This breach serves as a reminder that users and companies alike should do everything in their power to keep personal information protected. If you think you might have been affected by this breach, follow these tips to help you stay secure:
Check to see if you’ve been notified by Capital One. The bank will notify everyone who was affected by the breach and offer them free credit monitoring and identity protection services. Be sure to take advantage of the services and check out the website Capital One set up for information on this breach.
Review your accounts. Be sure to look over your credit card and banking statements and report any suspicious activity as soon as possible. Capital One will allow you to freeze your card so purchases can no longer be made.
Change your credentials. Err on the side of caution and change your passwords for all of your accounts. Taking extra precautions can help you avoid future attacks.
Freeze your credit. Freezing your credit will make it impossible for criminals to take out loans or open up new accounts in your name. To do this effectively, you will need to freeze your credit at each of the three major credit-reporting agencies (Equifax, TransUnion, and Experian).
Consider using identity theft protection. A solution like McAfee Identify Theft Protection will help you to monitor your accounts and alert you of any suspicious activity.
And, of course, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
Consumer audio recorded by Apple’s Siri platform has been shared with external contractors.
A whistleblower working as a contractor revealed that the company’s digital voice assistant software records audio collected by consumer devices–including iPhones, Apple Watches, and HomePods–and shares it with external contractors. The recordings contained potentially sensitive information.
“A small portion of Siri requests are analysed to improve Siri and dictation. User requests are not associated with the user’s Apple ID. Siri responses are analysed in secure facilities and all reviewers are under the obligation to adhere to Apple’s strict confidentiality requirements,” Apple told the Guardian, which broke the story.
Apple’s customer-facing privacy policy does not explicitly say that recordings from devices could be shared with contractors, which raises concerns for privacy and consumer advocates.
“Amazon and Google allow users to opt out of some uses of their recordings; Apple offers no similar choice short of disabling Siri entirely,” wrote Alex Hern for the Guardian.
Privacy concerns about the practice are compounded by the fallibility of Apple’s voice recognition software. The phrase “Hey, Siri” can be triggered by other sounds and words. Siri is also activated in Apple Watches when the user raises their wrist and speaks.
News about Apple’s overshare followed on the heels of news about Google’s virtual assistant software.
Apple has recently attempted to distance itself from Google and other IoT devices with ad campaigns directly targeting their competitors as less privacy-friendly.
Lack of security in the default settings of Internet-enabled video cameras make co-opting video feeds not just a movie-hacker technique, but a reality for millions of cameras.
Posted by Max Moroz, Fuzzing Evangelist, and Ned Williamson, Fuzzing Entrepreneur
TL;DR We increased the Chrome Fuzzer Program bonus from $500 to $1,000 as part of our recent update of reward amounts.
Chrome Fuzzer Program is a part of the Google Chrome Vulnerability Reward Program that lets security researchers run their fuzzers at scale on the ClusterFuzz infrastructure. It makes bug reporting fully automated, and the fuzzer authors get the same rewards as if they reported the bugs manually, plus an extra bonus ($1,000 as of now) on top of it for every new vulnerability.
We run fuzzers indefinitely, and some of the fuzzers contributed years ago are still finding security issues in ever changing Chrome code. This is a win-win for both sides, as security researchers do not have to spend time analyzing the crashes, and Chrome developers receive high quality bug reports automatically.
To learn more about the Chrome Fuzzer Program, let’s talk to Ned Williamson, who’s been a participant since 2017 and now works on the Google Security team.
Q: Hey Ned! It looks like you’ve received over $50,000 by participating in the Google Chrome Vulnerability Reward Program with your quic_stream_factory_fuzzer.
A: Yes, it’s true. I wrote a fuzzer for QUIC which helped me find and report two critical vulnerabilities, each worth $10,000. Because I knew my fuzzer worked well, I submitted it to the Chrome Fuzzer Program. Then, in the next few months, I received that reward three more times (plus a bonus), as the fuzzer caught several security regressions on ClusterFuzz soon after they happened.
Q: Have you intentionally focused on the areas that yield higher severity issues and bigger rewards?
A: Yes. While vulnerabilities in code that is more critical to user security yield larger reward amounts, I actually started by looking at lower severity bugs and incrementally began looking for more severe bugs until I could find critical ones. You can see this progression by looking at the bugs I reported manually as an external researcher.
Q: Would you suggest starting by looking for non-critical bugs?
A: I would say so. Security-critical code is generally better designed and more thoroughly audited, so it might be discouraging to start from there. Finding less critical security bugs and winning bounties is a good way to build confidence and stay motivated.
Q: Can you share an algorithm on how to find security bugs in Chrome?
A: Looking at previous and existing bug reports, even for non-security crashes, is a great way to tell which code is security-critical and potentially buggy. From there, if some code looks like it’s exposed to user inputs, I’d set up a fuzzing campaign against that component. After you gain experience you will not need to rely on existing reports to find new attack surface, which in turn helps you find places that have not been considered by previous researchers. This was the case for my QUIC fuzzer.
Q: How did you learn to write fuzzers?
A: I didn’t have any special knowledge about fuzzing before I started looking for vulnerabilities in Chrome. I followed the documentation in the repository and I still follow the same process today.
A: The key insight in the QUIC fuzzer was realizing that the parts of the code that handled plaintext messages after decryption were prone to memory corruption. Typically, fuzzing does not perform well with encrypted inputs (it’s pretty hard to “randomly” generate a packet that can be successfully decrypted), so I extended the QUIC testing code to allow for testing with encryption disabled.
Q: Are there any other good examples of fuzz targets employing a similar logic?
A: Another example is pdf_formcalc_context_fuzzer that wraps the fuzzing input around with a valid hardcoded PDF file, therefore focusing fuzzing only on the XFA script part of it. As a researcher, you just need to choose what exactly you want to fuzz, and then understand how to execute that code properly. Looking at the unit tests is usually the easiest way to get such an understanding.
If there’s a gap you bridge it, if there’s a hole you plug it. These are simple musts that businesses have to follow – they need to right wrongs and adjust processes to create better outcomes. The same thing goes for the security teams tasked with safeguarding these organizations, who know they must always bridge the gap between exposed and secure. These security teams know that in order to plug any holes they must at minimum apply standard endpoint security to their infrastructure. While most teams know one solution can’t be the be-all and end-all for their strategy, many are still slow to adopt new technologies to their defense strategy. Here’s why.
Outdated Adoption Mindsets
I meet a lot of security professionals that are aware a better mousetrap exists, but feel as though the pains of making a change outweigh the advantages of better detection or threat detail. I get it, I’m up against my own list of critical projects and nice-to-have things that are difficult to move to the top of the list. Maybe that’s why so many businesses are stating they intend to adopt next-gen technologies but are struggling with the expertise to move ahead with a product or deploy it.
When it comes to getting more tactical against the latest generation of threats that are designed to evade detection, the natural next step for these teams is to add a product like McAfee MVISION EDR. This type of product is top of mind for many right now, as 82% of IT leaders say they don’t have the visibility they need. As a threat hunting tool, EDR tells security teams how exactly threats entered an environment, what these threats did while inside, and how teams can pivot to action against them now and prevent similar attacks from happening again. The value of the EDR might be understood, but adopting it is usually hindered by pre-existing mindsets.
Many security professionals out there think of products, such as McAfee ENS and McAfee MVISION EDR as two separate entities. The same thing goes for solutions such as DLP and CASB. These teams often adopt one solution at a time, with the hope of eventually being able to collect them all one day. Compounding this issue, many fear they’re going to overwhelm existing staff with all the new training and education required for proper adoption. But therein lies the problem – these solutions shouldn’t be viewed as a burden or mutually exclusive, given accurate threat protection in today’s modern threat landscape is reliant on multiple success factors working together at the same time. Adoption should be holistic and simultaneous.
The Importance of Integration
Just like one size typically doesn’t fit all, one solution cannot address all threats. That means your defense strategy shouldn’t rely on just one defense or detection method to protect every user from every kind of threat. Therefore, security teams need to clear out old notions and start looking at solution adoption with the idea of integration and a platform that is sustainable for the long term, not just a product. Meaning, by achieving the right convergence of solutions, teams will establish a holistic security posture for their organization, ultimately positioning it for success.
So, what does this blend of solutions look like? To cover all the bases, organizations should look toward adopting solutions designed with collaboration and integration in mind. Take McAfee’s EPP for example, which is built with the future in mind. Our cloud-first MVISION products are designed to help you transform your IT environment. Specifically, our EDR solution is designed to meet you where you are with AI-guided investigations, detecting and remediating both the opportunistic and targeted attacks.
The more defense solutions can work together, the more actions can be automated and burdens can be reduced for the IT staff. So, instead of making your buying decision in order to fill a gap in today’s environment, make sure you buy with tomorrow’s gaps in mind. Focus on how the product you buy today will work or not work with the purchases you make in the future. From there, security will move beyond a simple must, becoming second nature.
To learn more about effective endpoint security strategy, be sure to follow us @McAfee and @McAfee_Business.
Sephora has notified customers in the Asia-Pacific region who have online accounts that the cosmetics and beauty products retailer suffered a data breach, according to Malay Mail.
Customers reportedly received an email in which the company explained that an unauthorized third party had gotten access to the personal information of “some customers,” reportedly those in Australia, Hong Kong, Indonesia, Malaysia, New Zealand, the Philippines, Singapore and Thailand.
The exposed information included the users’ first and last name, date of birth, gender, email address, encrypted password and data related to “beauty preferences,” according to what Alia Gogi, managing director of Sephora Southeast Asia, reportedly wrote in an email.
Additionally, Gogi added that no credit card information was accessed and the company has “no reason to believe that any personal data has been misused,” the report said.
"It is a great challenge for many organizations to standardize their cybersecurity operations globally. Varying regulations for both security and privacy come into play, especially when dealing with an enterprise that operates around the globe,” said George Wrenn, founder and CEO of CyberSaint Security.
“This breakdown is why we see many large organizations flock to an integrated risk management (IRM) approach. IRM is allowing organizations to aggregate risk and compliance data from all business units and make smarter and more informed decisions. With the patchwork of regulations that are emerging around the world, cybersecurity leaders must be prepared to integrate their organizations to stay wholly aware of the posture of their organization."
Fraudsters and cyber-criminals have easy access to customer data given the mega breaches of the past few years, and Kevin Gosschalk, CEO, Arkose Labs, said that each subsequent breach only adds to the available information on the dark web, creating a paradigm of fraudulent activity.
“These types of incidents provide cyber-criminals with the incentive and tools they need in order to commit ongoing, lucrative and easy fraud. In this case, the information hackers had access to, including encrypted passwords and email addresses, can now be weaponized in future account takeover (ATO) attacks. While Sephora has cancelled all existing passwords as an immediate first step, customers are inherently still at risk,” Gosschalk added.
"There is an ongoing onus on Sephora to safeguard its customers against future cybercrime associated with their password vulnerabilities. Our reality is that cybercrime is a well-funded and connected business where fraudsters have access to sophisticated tools and resources to launch attacks. This breach is yet another incident that provides them with the exact ammunition they need. The longer-term solution will come from eliminating the economic incentives behind these attacks through the use of integrated strategies that detect fraud in real time and block attacks from being successful.”
The lack of an attack has puzzled some security experts, but the general advice remains that companies should patch their vulnerable systems more quickly.
Last March, the Council of the European Union announced the new EU Law Enforcement Emergency Response Protocol to address the growing problem of planning and coordinating between governments, agencies, and companies when cyberattacks occur across international boundaries. Remember well-known incidents such as NotPetya and WannaCry? They’re good examples of how cyberattacks can simultaneously impact organizations and other entities in two or more countries. This especially applies to multinational corporations since they have footprints in multiple jurisdictions.
In reading through the Protocol, a few key items are worth noting:
There’s a focus on process—It’s so good to see them focusing on process (and not only on technology). Too many regulations and rulesets talk about technology as if it’s the sole solution to all problems. To truly resolve cybersecurity attacks and to mitigate downstream implications quickly, it takes the combination of technology + people + process.
Operational Technology (OT) systems and risks need more attention—For many years, OT systems have been increasingly attacked by adversaries. While the focus on IT in the Protocol is logical, the omission of OT factors keeps it from being an even stronger and more robust document. The new Protocol explicitly calls out this problem when it says, “…to establish the criminal nature of the attack, it’s fundamental that the first responders perform all required measures … to preserve the electronic evidence that could be found within the IT systems affected by the attack, which are essential for any criminal investigation or judicial procedure.” This omission of OT systems is all the more confusing when the website announcing the Protocol states that, “The possibility of a large-scale cyber-attack having serious repercussions in the physical world and crippling an entire sector or society, is no longer unthinkable.”
Important cross-border thinking adds value—Cyber-adversaries pay no attention to boundaries, so it’s important to defend against these problems with a similar mindset that embraces diverse thinking. Countries that cooperate and coordinate their efforts are likely to detect and identify cyber-adversaries faster and more comprehensively if they approach the problem as a united front. This cross-border way of thinking should be an example for other regions of the world.
The improvements to the EU Law Enforcement Emergency Response Protocol are invaluable. By streamlining and strengthening their cross-border approaches, protocols, and ways of communicating, efforts to thwart attacks can begin immediately and proceed more effectively.
Preserving electronic evidence makes finding and punishing the perpetrators a priority. However, work still must be done on developing plans and protocols to mitigate damage to OT systems, and I hope they prioritize this focus for their next iteration.
Learn more
Complete an offline assessment of your Active Directory—Assess your Active Directory security posture and reduce support costs by exposing and remediating configuration and operational security issues before they affect your business.
Learn more about the cybersecurity risk landscape—Watch this Microsoft Digital Crimes Unit overview video to learn more about how Microsoft is working with public and private partners.
Discover how the Microsoft Incident Response and Recovery Process can help—Read about our expert security services that are available in case an incident occurs.
In September 2018, the Zero Day Initiative published a proof of concept for a vulnerability in Microsoft’s Jet Database Engine. Microsoft released a patch in October 2018. We investigated this flaw at that time to protect our customers. We were able to find some issues with the patch and reported that to Microsoft, which resulted in another vulnerability, CVE-2019-0576, which was fixed on 8-Jan-2018 (Microsoft Jan 2019 Patch Tuesday).
The vulnerability exploits the Microsoft Jet Database Engine, a component used in many Microsoft applications, including Access. The flaw allows an attacker to execute code to escalate privileges or to download malware. We do not know if the vulnerability is used in any attacks; however, the proof of concept code is widely available.
Overview
To exploit this vulnerability, an attacker needs to use social engineering techniques to convince a victim to open a JavaScript file which uses an ADODB connection object to access a malicious Jet Database file. Once the malicious Jet database file is accessed, it calls the vulnerable function in msrd3x40.dll which can lead to exploitation of this vulnerability.
Although the available proof of concept causes a crash in wscript.exe, any application using this DLL is susceptible to the attack.
The following error message indicates the vulnerability was successfully triggered:
The message shows an access violation occurred in the vulnerable DLL. This vulnerability is an “out-of-bounds write,” which can be triggered via OLE DB, the API used to access data in many Microsoft applications. This type of vulnerability indicates that data can be written outside of the intended buffer, resulting in a crash. The cause of the crash is the maliciously crafted Jet database file. The file exploits an index field in the Jet database file format with an unexpectedly large number, resulting in an out-of-bounds write and, ultimately, the preceding crash.
The following diagram provides a high-level view of how the exploit works:
Exploit in Action
The proof of concept code contains one JavaScript file (poc.js), which calls a second file (group1). This is the Jet database file. By running poc.js through wscript.exe, we can trigger the crash.
As we see in the preceding image, we can review debug information to determine the function that crashes is “msrd3x40!TblPage::CreateIndexes.” Furthermore, we can determine that the program is trying to write data and failing. Specifically, we can see that the program is using the “esi” register to write to the location [edx+ecx*4+574h], but that location is not accessible.
We need to understand how this location is constructed to provide clues to the root cause. The debug information shows that register ecx contains the value 0x00002300. Edx is a pointer to memory that we will see again later. Finally, they are added together with an offset of 574 hexadecimal bytes to reference the memory location. From this information, we can guess the type of data that is stored there. It appears to be an array in which each variable is 4 bytes long and starts at the location edx+574h. While tracking the program, we determined the value 0x00002300 comes from the proof-of-concept file group1.
We know that the program attempts to write out of bounds and we know where the attempt occurs. Now we need to determine why the program attempts to write at that location. We investigate the user-provided data of 0x00002300 to understand its purpose. To do this we must understand the Jet database file.
Analyzing the Jet Database File
Many researchers have extensively analyzed the Jet database file structure. Some of the details of previous work can be found at the following links:
To summarize, a Jet database file is organized as a collection of pages, as shown in the following image:
The header page contains various information related to the file:
After the header come 126 bytes, RC4 encrypted, with the specific key 0x6b39dac7, which is the same for every JetDB file. Comparing the key value with the proof-of-concept file, we can identify that group1 is a Jet Version 3 file.
Further examination leads to a Table Definition Pages section, which describes various data structures for a table. (Click here for details.)
The table definition data has various fields, including two of note: Index Count and Real Index Count.
We can determine the value of these in our proof-of-concept file. When we check this with the group1 file, we see following:
There are total of two indexes in the Index Count. When we parse both indexes we see the familiar value of 0x00002300:
Our offending value 0x00230000 is the index number for index2 in the table. This index seems rather large and leads to the crash. Why does it crash the program? Further parsing the file, we find the names of the two indexes:
Debugging
With a debugger attached, we can see that first program calls the function “msrd3x40!operator new.” This allocates memory that stores the memory pointer address in eax:
After the memory is allocated, the program creates the new index:
This index number is used later in the execution. The function msrd3x40!Index::Restore copies that index number to the index address + 24h. This process is repeated in a loop for all indexes. First it calls the “new” operator, which allocates the memory. It then creates an index on that address and moves the index number to the base address of the index +24h. We see this move in the following code, which shows the malicious index value copied to newly created index:
Once successfully moved, the function msrd3x40!NamedObject::Rename is called and copies the index name value to the index address +40h:
If we look at the esi register, we see it points to the address of the index. The ecx register has a value of [esi+24h], which is the index number:
After a few more instructions, we can observe the original crash instructions. Edx points to the memory location. Ecx contains a very large number from the file group1. The program tries to access memory at location [edx+ecx*4+574h], which will cause the out-of-bounds write and the program crashes:
What is happening with the data the program tries to write? If we watch the instructions, we see that program tries to write the value of esi to [edx+ecx*4+574]. If we print esi or the previous value, we see that it contains the index name ParentIdName, which we saw in group1:
Ultimately, the program crashes while trying to process ParentIDName with a very large index number. The logic:
Allocate the memory and get the pointer to the start of the memory location.
From the start of memory location +574h, the program saves pointers to index names with each occupying 4 bytes multiplied by the index number mentioned in the file.
If the index number is very large, as in this case, and no validation is done, then the program will try to write out of bounds and crash.
Conclusion
This is a logic error and such errors are sometimes hard to catch. Many developers take extra precautions to avoid these types of bugs in their code. It is even more unfortunate when these bugs lead to serious security issues such as with CVE-2018-8423. When these issues are discovered and patched, we recommend applying the vendor patch as soon as possible to reduce your security risks.
Microsoft patches can be downloaded and installed from the following locations for respective CVEs:
McAfee HIPS, GBOP (Generic Buffer Overflow Protection) feature might cover this, depending on the process used to exploit the vulnerability.
We thank Steve Povolny of McAfee’s Advanced Threat Research team, and Bing Sun and Imran Ebrahim of McAfee’s Hybrid Gateway Security team for their support and guidance with this analysis.
While Hollywood often gets hacking wrong, “Mr. Robot” is acclaimed for its commitment to authenticity and technical accuracy. And it’s ridiculously entertaining. Inspired by the efforts of the main character Elliot and his band of hackers, we’ve compromised Wi-FI networks, dropped malicious USB drives, and cracked car key fobs — all legally and with permission, of course. With the show’s final season set to air this fall, we want to pay tribute to our favorite show with a “Mr. Robot” spectacular. On the latest episode of “Hackable?” Pedro invites three white-hat hackers to Geoff’s office for attacks straight from past episodes of “Mr. Robot.”
Listen now to the award-winning podcast “Hackable?”.
The value and importance of information change depending on how much information there is and the actual “perceived value” that the observer sees when they get a hold of the information. Content creators of generations ahead of us generated new knowledge, discuss concepts and explains their point of view without advance knowledge on how we, their successors will treat their work. Writers are not separated from the general population, and all of us are in treating what we perceive as text, images and motion video on the screen or on paper in a certain context. The dynamic relationship between content creators who impart knowledge and the level of acceptance from the receivers of the information is highly dependent on our own bias.
Nevertheless, the information should be preserved with a high level of importance, no different from how civilization built museums and other archival locations to preserve the past. With our very advanced high-tech, gadget-driven everyday life, we become unofficial guardians of information. We are no different from a full-time librarian of physical books from the past and present. We provide these services to individuals and groups. However, there is a question whether the information source should be treated as having a private and commercial purpose, or should it be open to the public. We have seen many counterarguments and exchange of opinion, is information a public utility like water and electricity, or information may be treated like a state-secret or a corporate patent that should remain closed to the chest of its creators.
So basically speaking, we recommend the following actions to preserve data:
Digital information file should be stored in such a way that it can not be changed without approval. Preserving data is needed for integrity purposes
It must be made available as it is, that means unauthorized copying should be prevented.
If there is a need to distribute many copies of the information, always assume that there is a copy of it left somewhere in the world. Any information already released publicly cannot be stored in secrecy again.
In addition, it is important to save top-secret files so that they can not be used unless truly necessary, this is something all government is doing at the turn of the computer age. The problem is that we have to cope with the transition of authority in our civilization. Those baby boomers who worked in preserving and security-critical data are now in the age of retirement. Changing IT personnel regularly is a new normal, this may eventually lead to data loss if no strict data security protocols are in place.
In addition, as the technology improves, the relevance of certain storage technology becomes outdated. We are in an era of slowly decommissioning optical storage for example.
To make it available means to save it in a storage technology that can easily be migrated to a newer storage medium. Whether it is a digital or paper book, the viability of the information it contains becomes a debatable concept. Are we continuing to publish books on paper, on a digitally readable format or on an audio form? Also, although writing is only once, it can be read many times, and it does not hurt to still publish a physically readable material, as it requires no electricity to maintain its readability compared to a digital electronic format. Basically, there is no need for an external device to read a book. You do not need a screen to read a book. You can take it out and read it with your eyes without tools.
Threats to the system include media failure, paper wear, hardware failure, lack of space in the bookcase, software failure, and wear on your own eyes. However, digital information is not affected by age, but natural disasters such as floods and fires are very serious obstacles for preservation. With all the inherent limitations of paper, we at hackercombat.com discourage you from digitizing all your data. The problem is that once information is digitalized, reproducing multiple copies of it are very easy. Don’t become the next guy who took pictures of his credit/debit card and posted it on social media. Have a sense of awareness that not all data about you needs to be public. Physical restrictions on accessing data are still the best type of security, far outweighs encryption and other ways to preserve digital privacy today.
Enterprises in the midst of digital transformation are finding that physical security and its convergence with cyber and information security requires that they consider new approaches to risk management, according to a panel of industry leaders at today’s Cyber: Secured Forum in Dallas.
Concerns range from active shooters and the physical safety of students to how to secure the critical data sources that more and more employees within the organization are accessing.
The challenge with cybersecurity in some organizations is that they have to sell cyber within the organization because of existing cultures, but integrating and blending IT and physical security has the potential to bring everything together in a single pane of glass, said Mark Weatherford, global information security strategist at Booking Holdings.
Technology can solve some of the physical and IT integration issues, including those related to the provisioning and de-provisioning of employees. The pace of innovation is accelerating, and the longer you put off a focus on cybersecurity, the greater the challenge will be when you finally address it, according to the panelists.
Security orchestration is an issue that is improving, according to the panelists, which helps organizations manage and identify in order to mitigate risk. In the IT culture, there’s long been a habit of getting rid of products that don’t work, which hasn’t always been the case in the physical security world. “They don’t integrate as fast,” Weatherford said. “In the physical security world it’s been a different culture with respect to buying things.”
The panelists speculated on how convergence and integration will continue to play out over the next several years, and one panelist said there is a great opportunity for physical security companies to acquire cybersecurity providers in order to converge capabilities. The very definition of physical devices is changing, which has created a lot of opportunity for the physical feature set moving forward, one panelist noted.
The biggest challenges in dealing with the convergence of physical and cybersecurity are culture, language, perception and budget, according to Mark Weatherford, global information security strategist at Booking Holdings, who delivered the keynote speech at today’s Cyber: Secured Forum in Dallas.
Weatherford shared an anecdote of a story from a few months ago when he came to realize that “sometimes we get so wrapped up in technology and thinking about how we can solve the world’s problems that we don’t realize the issue is really about money.”
Admittedly hyperbolic, Weatherford said he sees some truth in a quote from Allan Schiffman, who said, “Amateurs study cryptography; professionals study economics.”
The adversary’s goals are about money, which is why the providence of the supply chain is critically important. “Cybersecurity can now interrupt that supply chain in a variety of different ways,” Weatherford said.
Because organizations depend on a vast and complex supply chain ecosystem, the industry is facing a perfect storm in which the internet of things (IoT) is innovating faster than the speed of security. “Laws and law enforcement are limited, inconsistent and unenforced,” Weatherford said.
Despite the rapid pace of innovation, cybersecurity has no national boundaries and no international norms of behavior and is complicated further by the reality that everyone can have anonymous access to vast resources and information. Some companies still rely on 30- to 40-year-old protocols with little to no security.
“The security community hasn’t down ourselves any favors,” said Weatherford. “When a naïve user can take down an entire company by clicking on a bad link, face it, our security stinks.”
Still, businesses are integrating technologies faster than they can keep up with it. “There are three basic components that we always talk about: people, processes and technology. But it is harder to hire people and develop processes, so they buy technology,” said Weatherford.
The good news is, according to Weatherford, that the industry is starting to see a trend where companies that are spending money are having a positive effect on the security of their organizations. Still, insider threats remain the number-one vector into companies today.
“Security convergence refers to the convergence of two historically distinct security functions – physical security and information security – within enterprises. Both are integral parts of any coherent risk management program,” Weatherford said.
The value proposition in convergence is that it helps eliminate silos, provides situational awareness and more unified and strategic security governance, eliminates duplicate processes, allows for more distributed resources and guides strategic planning, Weatherford said.
A new strain of ransomware emerged on Android mobile devices. It targets those who are running the operating system Android 5.1 and higher. This Android ransomware strain has been dubbed by security researchers FileCoder (Android/Filecoder.c) and it spreads via text messages containing a malicious link.
How Does the Android Ransomware FileCoder Spread?
The SMS messages which are spreading Filecoder contain an invitation to download and install a sex simulator game app. Here is an example of how such an SMS can look like.
Usually, the message will be clickbait-y and will mean to entice the recipient into installing the app at least out of curiosity. Part of the bait is the promise that the app will use the victim’s own photos in creating sex simulation imagery.
Message screenshot via WeLiveSecurity
Furthermore, security researchers have detected 42 languages in which the malicious text messages were coming in. The reach and potential user pool of the infected app were thus pretty big.
If the recipient has doubts about the harmlessness of the app, they may then research it online. Unfortunately, some websites and forums (including Reddit) were advertising the app (the posts were malicious themselves). If this helped relax the user into trusting the invitation, they would then install the app and proceed to use it as advertised.
It seems that the sex simulator game promised will indeed work, as not to alert the user. Still, after a short time, the Android ransomware will send out these messages to the user’s entire list of phone contacts.
After sending out the malicious SMS messages, FileCoder will encrypt the user’s local files (photos, notes, login data, messages and so on), displaying a typical ransomware message.
Ransom note screenshot
In the ransom note screen, the FileCoder creators threaten that the data will be permanently gone after 72 hours. However, security researchers have uncovered that the ransomware strain does not have the ability to delete the files.
Still, it will ask for a certain amount of money to be paid in Bitcoin before the user gets the decryption key. The equivalent in dollars for the Bitcoin money asked for ranges from $94 to $188.
Security researchers confirm that the FileCoder Android ransomware strain is not extremely dangerous. First of all, it doesn’t actually delete the locked data if the ransom is not paid within 72 hours.
Second of all, the value used for encrypting the key is hardcoded into the malware code, so with a bit of tech-savviness, the victims could decrypt the files themselves, without waiting for key.
Thirdly, unlike other strains of Android ransomware, the FileCoder infection doesn’t lock the screen of the phone. If your phone gets infected, you can still use it normally, it’s just the previously saved files that get locked.
The only thing which was coded into the malware in a more complex way was the Bitcoin address for payments. That one is dynamic, allowing the attackers to change it at any time and still get their money. This was probably a precaution, in case researchers or the police would get closer to uncovering the hackers’ identities.
Still, for most users, FileCoder poses a significant threat. If you receive a message inviting you to try a sex simulator app, don’t click it. Even if it comes from a friend you trust.
How to Stay Safe from FileCoder and Similar Threats
#1. Say no to steamy online proposals
First of all, learn to spot malicious proposals from the get-go. Sextortion is such a common tactic for scammers and hackers, that any invitation containing the promise of sexual images and content should raise the alarm.
Very few legitimate adult apps or websites are aggressive enough to invite you to use them directly. Most will simply rely on the fact that those who are interested will seek them out.
#2. Be Mindful of Messages from Friends: Not All Are Legit
Second of all, notice how devious the FileCoder strategy is: by sending you messages which are seemingly coming from friends, they make the message seem more trustworthy than if it came from a random spam address. Especially since the messages were targeting so many different languages.
Lots of other malware infections have a similar strategy, of sending malicious links to your list of online friends in order to infect them too. Stay on guard and don’t assume that all your messages from friends and contacts were really sent by them.
Tell-tale signs that a message from a friend might actually be malicious:
Besides sharing an invite to a link, the message doesn’t say much
The wording doesn’t necessarily sound like something your friend would use (just common words such as ‘cool’, ‘check this out’ etc.)
The link is shortened or doesn’t lead to any legitimate domain you already know (like YouTube or Facebook)
The message contains an attachment
These signs are just as suspicious whether it’s about a text message on your phone or an email and so on.
If you’re not sure whether a message is legit or not, just reach out to that friend and ask. You might alert them that their device is infected. Also, bear in mind that the same etiquette from real life should apply as netiquette, too: don’t open links from people you don’t really know.
#3. Keep Your Device Secure with a Mobile Security Product
With a good security suite for mobile devices, it’s much harder to become the victim of ransomware or any type of malware. Even if you do click on malicious links or make any other security mistakes, an intelligent cybersecurity product should still neutralize the threat.
Just like in the case of PCs and laptops, Antivirus is not enough, even if it’s next-gen. You also need a threat prevention solution, like our Thor Foresight Home (which can be installed on up to three devices, including Android mobile devices), or the stand-alone product, Thor Mobile Security.
If your Android phone and other devices aren’t already protected by some other solution, here’s a month on the house for Thor Foresight Home.
The easy way to protect yourself against malware
Here's 1 month of Thor Foresight Home, on the house!
Use it to:
Block malicious websites and servers from infecting your PCAuto-update your software and close security gapsKeep your financial and other confidential details safe
We at Heimdal Security and we in the cybersecurity world, broadly speaking, have stressed time and time again how important education is. Cybersecurity training and a bit of self-learning are the best strategies for staying safe in the long run.
No cybersecurity software is infallible if the user behaves recklessly or doesn’t practice the most basic online security hygiene. For example (an oversimplified example), you can have the best-protected computer in the world, but a hacker will still be able to get into it if your password is ‘password123’.
By reading about the latest threats and how they work, you will soon discover that you’ve built a solid knowledge base. Armed with it, you should be able to tell if something is fishy as soon as you encounter a new threat.
Of course, I can wholeheartedly recommend our own educational resources to start with, but don’t stop there. Stay in the loop regardless of where you get your info and you’ll become less and less vulnerable to scams and malware.
If you liked this post, you will enjoy our newsletter.
Federal prosecutors this week charged a Seattle woman with stealing data from more than 100 million credit applications made with Capital One Financial Corp. Incredibly, much of this breached played out publicly over several months on social media and other open online platforms. What follows is a closer look at the accused, and what this incident may mean for consumers and businesses.
Paige “erratic” Thompson, in an undated photo posted to her Slack channel.
On July 29, FBI agents arrested Paige A. Thompson on suspicion of downloading nearly 30 GB of Capital One credit application data from a rented cloud data server. Capital One said the incident affected approximately 100 million people in the United States and six million in Canada.
That data included approximately 140,000 Social Security numbers and approximately 80,000 bank account numbers on U.S. consumers, and roughly 1 million Social Insurance Numbers (SINs) for Canadian credit card customers.
“Importantly, no credit card account numbers or log-in credentials were compromised and over 99 percent of Social Security numbers were not compromised,” Capital One said in a statement posted to its site.
“The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019,” the statement continues. “This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.”
The FBI says Capital One learned about the theft from a tip sent via email on July 17, which alerted the company that some of its leaked data was being stored out in the open on the software development platform Github. That Github account was for a user named “Netcrave,” which includes the resume and name of one Paige A. Thompson.
The tip that alerted Capital One to its data breach.
The complaint doesn’t explicitly name the cloud hosting provider from which the Capital One credit data was taken, but it does say the accused’s resume states that she worked as a systems engineer at the provider between 2015 and 2016. That resume, available on Gitlab here, reveals Thompson’s most recent employer was Amazon Inc.
Further investigation revealed that Thompson used the nickname “erratic” on Twitter, where she spoke openly over several months about finding huge stores of data that was intended to be secured on various Amazon instances.
The Twitter user “erratic” posting about tools and processes used to access various Amazon cloud instances.
According to the FBI, Thompson also used a public Meetup group under the same alias, where she invited others to join a Slack channel named “Netcrave Communications.”
KrebsOnSecurity was able to join this open Slack channel Monday evening and review many months of postings apparently made by Erratic about her personal life, interests and online explorations. One of the more interesting posts by Erratic on the Slack channel is a June 27 comment listing various databases she found by hacking into improperly secured Amazon cloud instances.
That posting suggests Erratic may also have located tens of gigabytes of data belonging to other major corporations:
According to Erratic’s posts on Slack, the two items in the list above beginning with “ISRM-WAF” belong to Capital One.
Erratic also posted frequently to Slack about her struggles with gender identity, lack of employment, and persistent suicidal thoughts. In several conversations, Erratic makes references to running a botnet of sorts, although it is unclear how serious those claims were. Specifically, Erratic mentions one botnet involved in cryptojacking, which uses snippets of code installed on Web sites — often surreptitiously — designed to mine cryptocurrencies.
None of Erratic’s postings suggest Thompson sought to profit from selling the data taken from various Amazon cloud instances she was able to access. But it seems likely that at least some of that data could have been obtained by others who may have followed her activities on different social media platforms.
Ray Watson, a cybersecurity researcher at cloud security firm Masergy, said the Capital One incident contains the hallmarks of many other modern data data breaches.
“The attacker was a former employee of the web hosting company involved, which is what is often referred to as insider threats,” Watson said. “She allegedly used web application firewall credentials to obtain privilege escalation. Also the use of Tor and an offshore VPN for obfuscation are commonly seen in similar data breaches.”
“The good news, however, is that Capital One Incidence Response was able to move quickly once they were informed of a possible breach via their Responsible Disclosure program, which is something a lot of other companies struggle with,” he continued.
In Capital One’s statement about the breach, company chairman and CEO Richard D. Fairbank said the financial institution fixed the configuration vulnerability that led to the data theft and promptly began working with federal law enforcement.
“Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual,” Fairbank said. “While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened. I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”
Capital One says it will notify affected individuals via a variety of channels, and make free credit monitoring and identity protection available to everyone affected.
Bloombergreports that in court on Monday, Thompson broke down and laid her head on the defense table during the hearing. She is charged with a single count of computer fraud and faces a maximum penalty of five years in prison and a $250,000 fine. Thompson will be held in custody until her bail hearing, which is set for August 1.
The most common configuration problems found in the majority of penetration tests can be easily resolved with straightforward fixes.
Analysis from more than 50 engagements in the first half of 2019 by Lares, shared exclusively with Infosecurity, found that the top five penetration test discoveries are:
Brute forcing accounts with weak and guessable passwords
Kerberoasting
Excessive file system permissions
WannaCry/EternalBlue
Windows Management Instrumentation (WMI) lateral movement
Chris Nickerson, founder of Lares, said that these top five findings were common in “95% of the tests.”
Specifically, Lares confirmed that in three of the five most common findings, security basics including password, privilege and patch management could resolve the issues and that “every single vulnerability can be avoided or eliminated through better cybersecurity hygiene practices.”
In the case of brute forcing accounts, this can be resolved with the use of multi-factor authentication or with account lockout policies, while 'kerberoasting' can be managed with strong passwords, both in terms of length and complexity.
Meanwhile, “excessive file system permissions” can be mitigated with tools to detect file permissions abuse, enabling installer detection for all users and limiting the privileges of user accounts and groups.
Also, while they were publicly disclosed in 2017, the EternalBlue vulnerability can be mitigated by applying the Microsoft patch, disabling SMBv1 and blocking inbound SMB at your perimeter.
The only one of the top five which is not resolved with standard 'basics' is WMI lateral movement, which Lares said can be mitigated by disabling WMI or RPCS, restricting non-administrator users from connecting remotely to WMI, and preventing credential overlap across systems of administrator and privileged accounts.
In an email to Infosecurity, Nickerson said that WMI is rarely protected or restricted, so it tends to be a widely used vector for access/execution. “For instance: the most common way we bypass 2FA logins in RDP is using WMI directly,” he explained.
Asked if he felt that this shows a lack of network visibility, or whether that is not really possible as lateral movement is a common issue, he agreed saying “there are ways to correlate logs of using WMI on a host to detect spraying or one to many/many to one execution, so there is opportunity to pick up its use and artefacts of its execution on the host.”
He also said that east/west traffic analysis is lacking in many environments, and “the most optimal solution is to ‘chain’ the detection techniques to correlate UBA, network traffic analysis and host based execution.”
Infosecurity asked Nickerson if he felt that four of the top five most common findings being fixed with common techniques was a positive thing, or if it was demoralizing that basic securty is proving to be so difficult?
Nickerson said: “It seems to me that these techniques are not only the basics, but they have been a common way to compromise enterprises for years. It indicates to me that we are still stuck in the ‘buy a thing to make us secure’ mentality versus ‘tune what we have to work better.’
“The good part is that these techniques are addressable with fairly simple configuration. I think the industry is starting to catch on to the fact that they need to constantly tune their environment and not just buy ‘x’ new product.”
Nickerson praised the work of “purple team” type engagements that focus on defensive improvement, rather than the “traditional hack and report.
“Many teams are still operating from a ‘vulnerability focused perspective,’ the shift to including techniques in their protection/detection strategy is the next evolution of the defensive program and will be a major change in measuring the effectiveness of their controls,” he said.
“Testing for vulnerabilities and techniques (like integrating testing and tuning based on the descriptions provided by Mitre's ATT&CK framework) will help programs stay ahead of the curve and begin tracking how their defenses improve over time, opposed to the never ending vulnerability tail chase.”
Dynamic analysis (DAST) is a vital part of all application security programs. Effective application security secures software throughout its entire lifecycle — from inception to production. With the speed of today’s development cycles — and the speed with which software changes and the threat landscape evolves — it would be foolish to assume that code will always be 100 percent vulnerability-free after the development phase. Code in production will always need to be tested or, in some cases, patched. Dynamic analysis plays an important role in ensuring that security spans from left to right in the SDLC.
Veracode provides dynamic scanning using a best-in-class engine that provides speed, accuracy of results, and scale. You can submit large batches of URLs for authenticated scans and expect results you can trust within a timeframe that matches your development cycles.
To ensure the most thorough coverage possible, you want authentication to go smoothly. Here are five key things to keep in mind to set yourself up for dynamic scanning success:
Prescan: Always allow time to run a prescan to check your authentication and ensure your connection is stable.
If you are using login scripts, always use Selenium IDE to create them.
Schedule scans to occur when you know that the sites will be up (e.g., not during a maintenance window, or leverage the Pause & Resume feature), and when there is lighter traffic.
If you want support for advanced frameworks (Angular, React) or single page applications, select the advanced mode option for scanning to ensure thorough coverage.
Take advantage of app linking: You can link the results from a dynamic analysis to an application profile to evaluate the results against policy, and see the results for all types of scans of the application aggregated in a single report.
Learn more about Veracode Dynamic Analysis on our web site. Or, get more details on the above five tips on running dynamic scans in our Veracode Community, including how-to videos.
Security experts at Google disclosed details and proof-of-concept exploit codes for 4 out of 5 security vulnerabilities in Apple iOS.
Researchers at Google disclosed details and proof-of-concept exploit codes for 4 out of 5 security vulnerabilities in Apple iOS that could be exploited by attackers to hack Apple devices by sending a specially-crafted message over iMessage. The vulnerabilities required no user interaction to be exploited.
The flaws were reported by Google Project zero white hat hackers Samuel Groß and Natalie Silvanovich. Below the list of the flaws:
CVE-2019-8647 is a use-after-free flaw that resides in the Core Data framework that can cause arbitrary code execution due to insecure deserialization when the NSArray initWithCoder method is used. This flaw can be exploited remotely via iMessage and crash Springboard without any user interaction.
CVE-2019-8662 is a use-after-free flaw that resides in the QuickLook component of iOS, this flaw can be exploited remotely via iMessage without any user interaction.
CVE-2019-8660 is a memory corruption issue that resides in Core Data framework and Siri component. The flaw could be exploited by remote attackers to cause an unexpected application termination or to get arbitrary code execution. “This issue would likely be fairly difficult to exploit due to the uncontrolled nature of these copies.”
CVE-2019-8646 resides in the Siri and Core Data iOS components, it could be exploited by an attacker to read the content of files stored on iOS devices remotely without user interactions.
Google researchers did not disclose details for one these flaws, tracked as CVE-2019-8641, because the Apple iOS update patch did not completely address the flaw.
Apple addressed the vulnerabilities with the release of the latest iOS 12.4 update.
The other flaw, tracked as CVE-2019-8646, is an out-of-bounds read that can be exploited by a remote attacker to read files stored on the target’s device. The flaw could be exploited by just sending a specially-crafted message via iMessage.
Last week, Silvanovich also released details and a PoC exploit for another out-of-bounds read vulnerability, tracked as CVE-2019-8624, that could be exploited by remote attackers to leak memory and read files from the target devices.
The CVE-2019-8624 flaw resides in Digital Touch component of watchOS and affects Apple Watch Series 1 and later. Apple addressed the flaw with the release of watchOS 5.3.
Two years ago, the US government fined an international cybercriminal and his fraudulent bitcoin exchange over $100m. Now, it's going after them for the money.
Cybercriminals are abusing Twitter via tech support scams, command-and-control (C&C) operations and data exfiltration, according to Trend Micro. Misuse of social networks Researchers analyzed a large volume of Twitter data to identify relationships between various entities to spot anomalies and uncover key insights. “Social media is an inescapable part of modern life, and our new research shines an important light on how it’s being used positively by the security community, and abused by criminals,” said … More →
As end of support for the still-popular Windows 7 draws near, risks of unpatched operating systems are likely to be a significant security concern in the near future.
While Capital One incident is making the headlines, another incident may have severe consequences, the Los Angeles Police Department (LAPD) also suffered a data breach.
The Los Angeles Police Department (LAPD) suffered a data breach that exposed the names, email addresses, passwords, and birth dates for thousands of police officers and applicants.
The NBCLosAngeles confirmed that the data breach was discovered on July 20, 2019, the local media revealed that personal information for 2,500 LAPD officers and approximately 17,500 police officer applicants were exposed.
“A suspected hacker claimed he or she had stolen the personal information of about 2,500 LAPD officers, trainees, and recruits, along with approximately 17,500 police officer applicants, in what may be a large breach of data held by the city of Los Angeles’ Personnel Department.” reported the media.
“The city’s Information Technology Agency said it was contacted last week by someone who claimed to have accessed and downloaded the data, and the person offered some example files to show they actually had obtained the data, said agency General Manager Ted Ross.”
“Out of an abundance of caution we’re applying extra layers of security around our personnel system and enhancing defenses,” Ross told NBCLA Monday.
The City already notified impacted officers and applicants, currently, the LAPD is investigating the scope of the breach with City partners. LAPD will continue to update impacted people while investigating the incident.
LAPD is also implementing additional measures to protect the Department’s data from any further intrusions.
“Data security is paramount at the Los Angeles Police Department, and we are committed to protecting the privacy of anyone who is associated with our agency,” an LAPD spokesman said.
The officers’ union, the Los Angeles Police Protective League, defined the incident as a serious security issue.
“We also call upon the city to provide the necessary resources and assistance to any impacted officer who may become the victim of identity theft as a result of this negligence, so that they may restore their credit and/or financial standing,” the Protective League said.
The Office of Mayor Eric Garcetti revealed that the breach occurred in a legacy database that was no longer being used by the “Personnel Department” and exposed “limited information”.
“We take the protection of personal data very seriously, and the City has informed the individuals who may have been affected,” the spokesman for Mayor Eric Garcetti said. “The City’s Information Technology Agency has added additional layers of security to guard against future events of this kind.”
Any data breach that exposes personal information belonging to law enforcement is very dangerous, such events expose officers to identity theft, phishing attacks, and other malicious activities.
Back in January, two senior GCHQ officials proposed a specific backdoor for communications systems. Itwasuniversallyderided as unworkable -- by me, as well. Now Jon Callas of the ACLU explains why.
Many organizations, along with their tech teams, are questioning whether eliminating passwords as an authentication tool might augment their overall security posture.
ThreatConnect surveyed more than 350 cybersecurity decision makers in the UK. The result: Building a Threat Intelligence Programme discusses research findings on best practices and impact of those programmes. Cybersecurity decision makers in organisations with a threat intelligence programme say their organisation developed a threat intelligence programme to deal with data security (42%). Fewer note reducing risk (24%), response to a security incident (15%), compliance (12%), and cost reduction (7%) as motivation for developing a … More →
Capital One, one of the largest banks in the United States by assets, has announced that it has suffered a massive data breach affecting the personal and financial information of some 106 million individuals in the U.S. and Canada. Simultaneously, the U.S. Attorney’s Office for the Western District of Washington announced that the attacker that allegedly perpetrated the breach has been arrested by the FBI and already charged. What information was compromised? According to Capital … More →
Personal information on thousands of Los Angeles Police Department (LAPD) officers and applicants appears to have been stolen in a breach of local government security.
The suspected hacker claims they have their hands on the data of 2500 LAPD officers, trainees and recruits, and around 17,500 police officer applicants.
Reports suggest the City of LA was contacted by the individual last week, and its IT Agency has been forced to apply extra security around its IT systems. Those affected by the breach are said to have been contacted.
It’s not 100% clear if the hacker has access to all of the data they claim, although officer names, dates of birth, Social Security numbers, emails and passwords could be part of the trove.
“The data breach that exposed personal information of Los Angeles police officers and those applying to become police officers is a serious issue for our members. We urge the City of Los Angeles to fully investigate the lapse in security and to put in place the strongest measures possible to avoid further breaches in the future,” it said.
“We also call upon the city to provide the necessary resources and assistance to any impacted officer who may become the victim of identity theft as a result of this negligence so that they may restore their credit and/or financial standing.”
The FBI has arrested a 33-year-old software engineer in Seattle as part of an investigation into a massive data breach at financial services company Capital One.
Read more in my article on the Tripwire State of Security blog.
Experts spotted a Java ATM malware that was relying on the XFS (EXtension for Financial Service) API to “jackpot” the infected machine
Introduction
Recently our attention was caught by a really particular malware sample most probably linked toarecent cybercriminal operation against the banking sector.
This piece of malicious code is a so-called ‘ATM malware‘: a malicious tool that is part of a criminal arsenal able to interact with Automatic Teller Machine. ATM malware are used in modern bank robberies due to their ability to access the cash dispenser hardware, such as ATMitchmalware we analyzed on last May. In that case, the malware was relying on the XFS (EXtension for Financial Service) API to “jackpot” the infected machine.
Instead, this particular ATM malware does not rely on standard communication interfaces. It is using other more specific techniques, suggesting an increased level of customization, maybe achieved by leveraging knowledge from the inside of the target organizations.
For this reason, Yoroi-Cybaze ZLAB team decided to dig into this malicious tool.
The malware makes extensive use of Java Instrumentation techniques in order to manipulate the control flow of a legit Java-based ATM management software. The first action it performs is to identify the proper running Java Virtual Machine (JVM) used by the ATM software. The malware has the capability to:
display the list of all the JVM registered on the system
attach to a specific JVM defined in the arguments list
choose an arbitrary JVM which attaches to
This is done using the Java Attach API, a Sun Microsystems extension that provides a mechanism to attach to a Java virtual machine.
Figure1. Code to identify the JVM
Once identified the target JVM, the malware forces the loading of a Java agent in it using the “vm.loadAgent(path_to_jar, options)” method.
Figure 2. Code to load the Java Agent from Jar file
The loader identifies the agent class in the specified JAR file using the “MANIFEST.MF” file embedded into it, then it loads the class into the target JVM’s context.
Figure 3. Jar’s manifest file containing the agent class name
At this point, the main class terminates printing the banner “Freedom and glory” in different languages, as shown in Figure 2. Now, the control flow moves to the “agentmain” method belonging to Agent class. Its only goal is to invoke the “startagent” method through the following code line:
The malicious intents of the malware are exhibited starting from this method. It deploys an HTTP server which acts as an interface between the attacker and the ATM under attack.
Figure 4. Code to start the HTTP server
Exploring the HTTP handler class, in fact, some suspicious information immediately emerges. In the following figure it is possible to see a hardcoded IP address “150.100.248[.]18” which will be used later. Moreover, this class embeds three static variables containing Javascript code (one of this is Base64 encoded).
Figure 5. Static strings embedded into HTTP server code
Continuing the code analysis, we encounter the server logic, which provides several functionalities that can be triggered by the attacker using simple HTTP requests.
Figure 6. Part of server logic
It is possible to summarise all the malware capabilities, exposed through the HTTP server instance, in the following table:
HTTP Method
Path
Query string
Body
Description
POST
/
–
Base64-encoded command
Execute the specified command through cmdline
POST
/d
–
i={id}&d={amount}
Dispense the specified {amount} from the Dispenser cash unit identified by {id}
POST
/d
–
q=1
Return the current amount of each cash unit
POST
/eva
JS script
–
Execute the script using Java ScriptEngine
GET
/mgr
className1&className2
–
Return info about the specified running Java classes
POST
/mgr
className
method
Invoke the method belonging to the specified Java class
GET
/core
–
–
Display an HTML form to insert info about a JAR to load
Load a new JAR file and execute the specified method
Table 2. Malware capabilities
In the following screen, we report part of the server logic in which are highlighted the functions used by the malware to retrieve information about the ATM cash dispenser.
Figure 7. Evaluation of HTTP request
Most malicious actions are executed using Javascript code running on top of a JavaScript engine instance (included into the “runjs” method). For example, to retrieve the amount of cash stored in the dispenser the following code is invoked:
Figure 8. Javascript code to extract information about dispenser cash units
First of all, the malware retrieves the Java class associated with the Dispenser from the list of all the running classes. Then, for each dispenser’s cash unit, it invokes the “getValue” and “getActual”methods to obtain the right information from the dispenser interface.
A similar thing is done for money dispensing: after retrieving the associated object, the malware removes the “AnomalyHandler” using the “removeAnomalyHandler” method in order to stealthily achieve its objectives.
Figure 9. Javascript code used to remove the anomaly handler from dispenser
After that, it iterates the cash units dispensing the number of bills specified by the criminals through the following function calls sequence:
setDispense(amount);
dispense();
present();
waitForBillsTaken(30);
At the end of the theft, the malware restores the “AnomalyHandler”. The complete Javascript code is shown in the following figure.
Figure 10. Javascript code used to dispense money from all the cash units
On return, the malware communicates the success of the dispense operation connecting to the abovementioned IP (“150.100.248[.]18”) stored in the “urlreport” variable.
Figure 11. The malware contacts the embedded IP address after dispensing
This ATM malware has also additional capabilities increasing its flexibility and dangerousness. It is able to execute arbitrary batch commands, to invoke methods directly into the memory of the running Java classes and also to run new JAR applications. The “jscmd” variable, shown in Figure 5, contains the Base64-encoded Javascript snippet useful to load the commands in the Windows cmdline:
Figure 12. Javascript code to execute batch commands
Before launching the JS script, the malware replaces the following patterns:
%%shell%% with cmd.exe
%%arg%%with /c
%%cmdb64%% with the Base64-encoded command coming from the HTTP request
Then, it invokes the “java.lang.Runtime.getRuntime().exec()” function.
Figure 13. HTML form to specify the Jar to upload and run
Instead, in the JAR loading case the attacker preconfigured an HTML form to make the upload easier. In it, the criminal can specify which JAR to load, which is the main class and which method they want to execute first. A set of tools to ensure the criminals will be able to overcome eventual technical faults in their ATM cashouts.
Conclusion
Cyber criminals are threatening financial and banking sector for a long time. During the years, criminal groups evolved their operation and developed more sophisticated arsenals, achieving customization capabilities making them able to target specific organizations, even if they are not leveraging known Industry Standards.
As recently pointed by Kaspersky, these criminals reached such sophistication and customization levels by leveraging deep knowledge of the target systems, making the malware work just on a small fraction of the AMTs. How the crooks accessed this knowledge is the Question.
At the moment it’s not clear how the technical information required to develop ad hoc malware have been accessed. A wide range of scenario are possible, such as the involvement of an insider, the long term compromise of the whole target network or just a small subset of mailboxes, or maybe a compromise of the Software Development Supply Chain. A set of scenarios that need to be seriously taken into account by the financial and banking organizations aiming to tackle modern bank thieves.
Technical details, including Indicator of compromise and Yara rules are reported in the analysispublished on the Yoroi blog:
Total losses of data and devices by the UK’s Ministry of Defence (MoD) have risen by nearly 300% over the past two years, according to official figures.
The figure jumped from 117 incidents in 2017-18 to 463 in 2018-19, according to the MoD’s annual report.
Within that figure, “loss of inadequately protected electronic equipment, devices or paper documents from secured government premises” jumped over 180%, from 22 to 62.
There were fewer losses of that type from outside secured government premises: just 21 in 2018-19, up from 11 over the previous two years.
However, “unauthorized disclosure” incidents soared from 73 to 352 over the period.
“It’s very concerning to see sensitive documents or equipment go missing from secure locations, particularly as the UK faces a growing range of threats,” said shadow defense secretary, Nia Griffith.
“The new secretary of state must ensure his department does everything it can to trace these devices and prevent future security breaches.”
Andy Harcup of data of data security firm Absolute Software, also argued that rising thefts of mobiles and laptops pose a serious security risk.
“Each device contains a goldmine of confidential data which could be exploited by hackers, foreign states or even a rogue employee,” he added.
“It’s vital all government organizations ensure devices are properly protected with endpoint security, so they can track, secure and freeze them if they fall into the wrong hands.”
This isn’t the first time the MoD has been found wanting over cybersecurity. Last year reports emerged that there were 37 recorded breaches of security protocol over the previous 12 months.
These include: sending sensitive information unprotected over the internet, connecting mobile devices to ministry networks without checking first for malware and devices, documents and rooms left unsecured.
Qualys is making its Global IT Asset Discovery and Inventory app available to all businesses for free. In a world where connected devices are exploding, visibility across all devices and environments is critical. “As the recognized authority for cloud security best practices around the world, we are always advocating for strategic shifts in policies to improve the security of the global compute ecosystem. The principle of maximum IT asset visibility is a fundamental prerequisite to … More →
Capital One, one of the largest U.S. –card issuer and financial corporation suffered a data breach that exposed personal information from more than 100 million credit applications.
A hacker that goes online with the handle “erratic” breached the systems at Capital One and gained access to personal information from 106 million Capital One credit applications.
According to the financial institution, law enforcement already identified and arrested the hacker, the DoJ announced on Monday that Paige A. Thompson (33) is suspected to be responsible for the data breach.
“A former Seattle technology company software engineer was arrested today on a criminal complaint charging computer fraud and abuse for an intrusion on the stored data of Capital One Financial Corporation, announced U.S. Attorney Brian T. Moran.” reads the press release published by the DoJ. “PAIGE A. THOMPSON a/k/a erratic, 33, made her initial appearance in U.S. District Court in Seattle today and was ordered detained pending a hearing on August 1, 2019.”
Paige Thompson is a former Amazon Web Services software engineer who worked for a Capital One contractor from 2015 to 2016.
THOMPSON posted about the Capital One hack on GitHub, she exploited a misconfigured web application firewall to get access to the data. On July 17, 2019, Capital One was informed of the incident by a GitHub user who saw the post. On July 19, 2019, that financial institution discovered the intrusion and informed the FBI.
“Capital One quickly alerted law enforcement to the data theft — allowing the FBI to trace the intrusion,” said U.S. Attorney Moran. “I commend our law enforcement partners who are doing all they can to determine the status of the data and secure it.”
Capital One confirmed to have immediately fixed the configuration issue exploited by the hacker.
The feds identified the hackers and executed a search warrant at THOMPSON’s residence where they seized electronic storage devices containing a copy of the data.
Paige A. Thompson was charged with computer fraud and abuse in U.S. District Court in Seattle. She already appeared in court and was ordered to remain in custody pending a detention hearing Thursday.
The security breach data breach took place on March 22nd and 23rd, the hacker accessed information of customers who had applied for a credit card between 2005 and 2019.
“Based on our analysis to date, this event affected approximately 100 million individuals in the United States and approximately 6 million in Canada.
Importantly, no credit card account numbers or log-in credentials were compromised and over 99 percent of Social Securitynumbers were not compromised.” states a press release published by Capital One.
“The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019.”
Exposed data includes names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income. Attackers also obtained portions of credit card customer data, including:
Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information
Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018
The hacker accessed bank account numbers and Social Security numbers only for a limited number of customers:
About 140,000 Social Security numbers of our credit card customers
About 80,000 linked bank account numbers of our secured credit card customers
Capital One will notify the affected customers and will provide free credit monitoring services to those affected.
Thompson could face up to five years in prison and a $250,000 fine, a hearing has been scheduled for August 1, 2019.
In July 2019, UK Information Commissioner’s Office (ICO) announced its intention to fine two companies for violating the European Union’s General Data Protection Regulation (GDPR). ICO began by disclosing its intention to penalize British Airways in the amount of £183 million (approximately $224 million) on 8 July. This fine followed on the heels of a […]… Read More
Capital One Breached by Cloud Insider in Major Attack
Capital One has announced a major breach of customers’ personal data, affecting over 100 million Americans and a further six million in Canada.
The financial institution blamed “unauthorized access by an outside individual” who has been arrested by the FBI and is now in custody.
“The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019,” the firm explained.
“This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.”
However, the trove also included 140,000 Social Security numbers, 80,000 linked bank account numbers and one million Canadian Social Insurance numbers.
The bank blamed a “configuration vulnerability” exploited by the suspected attacker, but said “this type of vulnerability is not specific to the cloud.
“The elements of infrastructure involved are common to both cloud and on-premises data center environments,” it added.
In fact, according to a statement from the US Department of Justice, it appears as if the individual is “a former Seattle technology company software engineer” at a cloud computing provider who posted the details of the breach on GitHub.
Reports suggest the person in question, Paige Thompson, worked at Amazon Web Services.
“The intrusion occurred through a misconfigured web application firewall that enabled access to the data,” it revealed.
“On July 17, 2019, a GitHub user who saw the post alerted Capital One to the possibility it had suffered a data theft. After determining on July 19, 2019, that there had been an intrusion into its data, Capital One contacted the FBI.”
The revelation that a tech insider stole highly sensitive customer data from a client should not affect the overall migration to public cloud environments, according to Igor Baikalov, chief scientist at Securonix.
“Capital One is a standout in the financial institutions community by going public cloud while most of its peers hedged the risk by implementing additional security controls around their private clouds,” he argued.
“This fact alone shouldn't be considered a setback for the adoption of public cloud. It should rather be viewed as another harsh reminder of the importance of third-party security and insider threat programs for both providers and consumers of public cloud services."
Data breaches are rarely out of the headlines, but the recent proposed fines against BA and Marriott will have pushed this risk back to the forefront for many businesses. Like many security threats, breaches are nothing new; we’ve covered this subject on our blog many times in the past.
A data breach can take many forms; it can involve an employee losing a laptop or mobile device that contains data about an organisation’s employees or customers. It might involve a criminal infiltrating IT systems to steal payment card numbers or bank account details. When the data involved is personally identifiable information, the General Data Protection Regulation comes into play. Under GDPR, organisations must report a breach to the data protection supervisory authority within 72 hours. A look through our archives netted us a valuable haul of nine lessons from past breaches that can help to guide you in forming an incident response plan.
Lesson 1: pay attention to security alerts
Let’s start back in March 2014. News of the now-infamous breach at the US retailer Target was still fresh, having happened the previous November. The security breach resulted in the loss of 40 million payment card details, as well as 70 million other personal records. The kicker? Not long before, Target had installed a network monitoring tool costing a cool $1.6 million. However, operators dismissed its early alerts that could have averted or at least mitigated the subsequent breach. Side note: back in those heady days, data breaches were still things that happened to other people. Our blog quoted the security expert Neira Jones, who confidently predicted that a retailer in the UK or Europe would suffer a data breach before long.
Lesson 2: scammers read the news, too
Fast forward to summer 2015 and the high-profile breach at Ashley Madison. The website’s interesting business model – encouraging extra-marital affairs – meant the loss of more than 30 million personal records had an extra sting. Apart from launching a thousand double entendres (we may have been guilty of a few ourselves), Ashley Madison catapulted the issue of data breaches firmly into the public consciousness. As it turned out, that proved to be a double-edged sword. As our blog writer Lee Munson noted, scammers often take advantage of the publicity surrounding a large breach. He warned companies to watch out for “spam email, identity theft, carefully crafted phishing emails and even potential blackmail attempts”.
Lesson 3: check password re-use
Later that year, four security breaches came to light in one single week. The victims were Experian, Patreon, and Australian retailers Kmart and David Jones. In our blog, we advised being aware of how information can be used against victims. For example, if someone’s password was compromised in one of those breaches, it’s worth checking whether they use the same passwords on other websites.
Lesson 4: check for vulnerability to SQL injection attacks
Soon after, the Chinese toy company Vtech revealed that an unauthorised party had accessed more than six million accounts. That was enough to make it the fourth largest ever breach to that point – however minor by today’s standards. Possibly the least surprising detail in the story was that the attacker used SQL injection to access the data. Lee Munson noted that even in 2015, this was an ancient and well known attack vector.
Lesson 5: employee negligence can lead to breaches too
Not all breaches are the work of external miscreants. ESET estimated that 138,000 smartphones and laptops are left behind in UK bars every year. Let’s leave aside some questionable maths in arriving at such an arresting stat. There’s no denying the risk from leaving devices just lying around when they could well hold personal information. That could include passwords, location history, personal photos and financial information. The survey found that two thirds of lost devices had no security protection. As anyone familiar with data protection and privacy issues will know, encrypting sensitive data is now a must.
Lesson 6: a data security breach can seriously harm your ability to do business
Whatever the source, the steady drip of breaches was starting to have an effect. By early 2016, data breaches ranked second on a listing of the biggest threats to business continuity. TalkTalk, victim of a serious breach the previous year, was a case in point. In the wake of the incident, and the company’s ham-fisted attempts at handling the fallout, a quarter of a million customers took their business elsewhere. Not long after, we covered a separate report that found the cost of online crime had tripled over the previous five years. Lee Munson wrote: “a data breach is not a one-time cost but rather an event that can cause extreme reputational damage (think TalkTalk) or additional loss of revenue when the damage is widespread”.
Lesson 7: mind your language
All too often, companies that have suffered a data breach are quick to throw about phrases like “sophisticated cyberattack”. But it’s often premature and just downright wrong, when any investigation is still ongoing, and the facts are unclear. “It’s hard to escape the suspicion that victim organisations reach for these terms as a shield to deflect blame. By definition, they imply the incident was beyond their means to prevent,” we wrote. Our post carried the headline “Time to remove ‘cyberattack’ from the infosecurity incident response manual?” Our inspiration was the Associated Press Stylebook’s decision to stop using the word cyberattack unless it specifically referred to widespread destruction. As AP lead editor Paula Froke said: “the word is greatly overused for things like hacking”.
That said, positive communication is a key part of any incident response plan. After detailing what word not to use, our post included advice for companies preparing post-incident statements.
Deal only in verified facts
Avoid speculation
Explain the incident in business terms
Include details of users or services affected by the breach.
Lesson 8: prepare a security incident response team
By mid-2017, the prospect of GDPR started coming into view, and the need to handle breaches appropriately started becoming clear. Senior management must lead the response efforts. “This is a business issue, not an IT problem,” said Brian Honan, who was speaking at an awareness-raising event. Brian recommended that organisations should assemble an incident response team from across all business functions. Ideally, the team should include people from:
IT operations (because they know how data storage systems work)
HR (because a data breach could involve staff data, or because a member of staff may have caused the breach inadvertently or deliberately)
Legal (because GDPR obliges organisations to notify the regulator)
PR or communications (because the company will need to deliver accurate messages to external stakeholders, the media, or internal staff as appropriate)
Facilities management (because the organisation may need to recover breach evidence from CCTV or swipe card systems).
Lesson 9: test the security incident response plan
The most critical lesson is to develop and test their incident response processes in advance. Speaking at the same GDPR event, Brian stressed that companies shouldn’t wait for a breach to happen before testing how its policies work. “Find out in advance how well your team works when an incident occurs. Carry out table-top exercises and scenario planning. It is important to have processes and infrastructure in place to respond to a security breach. Developing your incident response plan while responding to a security breach is not the best time to do it,” he said.
Our trawling expedition proves it’s worth planning for something even when you don’t intend for it to happen. The steps we’ve outlined here should help you to recover from a data breach or security incident faster.
If you would like to evaluate your breach response, see our risk assessment services page for more information. Or, if you need guidance in developing a structured incident response plan, contact us.
MegaCortex, a ransomware which was first spotted in January this year, has become active again and has changed the way it previously attacked/targeted the corporate world. In order to simplify its execution and increase its scale of operation, it uses ‘Command Prompt’ instead of ‘PowerShell’ in current targeted campaign. Key…
Security experts at Armis have discovered a dozen zero-day vulnerabilities affecting the VxWorks real-time operating systems (RTOS) for embedded devices.
Researchers at Armis Labs have discovered a dozen zero-day flaws in the VxWorks real-time operating systems (RTOS) for embedded devices.
The collection of vulnerabilities was dubbed URGENT/11, it includes 11 flaws, 6 of which are rated as critical in severity.
The critical flaws could allow remote attackers to execute arbitrary code on vulnerable devices, the other 5 issues could trigger a denial-of-service condition, could lead to information leaks or logical flaws.
VxWorks is one of the most popular OSs for embedded devices, it currently powers over 2 billion devices in different industries, including aerospace, defense, automotive, healthcare, and consumer electronics. It is quite easy to find Wind River VxWorks in IoT devices, including webcam, network appliances, VOIP phones, and printers.
The vulnerabilities could be exploited by a remote attacker to bypass traditional security solutions and take full control over vulnerable devices without requiring any user interaction. The experts warn that the exploitation could potentially “cause disruption on a scale similar to what resulted from the vulnerability.”
The vulnerabilities can be exploited by an unauthenticated, remote attacker by sending a specially crafted TCP packet to a vulnerable device without requiring any user interaction.
The URGENT/11 flaws reside in the IPnet TCP/IP networking stack of the RTOS implemented in VxWorks version 6.5 and later.
“URGENT/11 poses a significant risk to all of the impacted VxWorks connected devices currently in use. There are three attack scenarios, depending on the location of the device on the network and the attacker’s position. URGENT/11 can be used by an attacker to take control over a device situated either on the perimeter of the network or within it. Even a device that is reaching outbound to the internet could be attacked and taken over. Alternately, an attacker who has already managed to infiltrate a network can use URGENT/11 to target specific devices within it, or even broadcast an attack capable of taking over all impacted VxWorks devices in the network simultaneously.” reads the report published by Armis Labs. “It is important to note that in all scenarios, an attacker can gain complete control over the targeted device remotely with no user interaction required, and the difference is only in how the attacker reaches it.”
The critical Remote Code Execution vulnerabilities are:
A Stack overflow issue in the parsing of IPv4 options (CVE-2019-12256)
Four memory corruption vulnerabilities caused by the improper handling of TCP’s Urgent Pointer field (CVE-2019-12255, CVE-2019-12260, CVE-2019-12261, CVE-2019-12263)
Heap overflow in DHCP Offer/ACK parsing in ipdhcpc (CVE-2019-12257)
The remaining issues are:
TCP connection DoS via malformed TCP options (CVE-2019-12258)
Handling of unsolicited Reverse ARP replies (Logical Flaw) (CVE-2019-12262)
Logical flaw in IPv4 assignment by the ipdhcpc DHCP client (CVE-2019-12264)
DoS via NULL dereference in IGMP parsing (CVE-2019-12259)
IGMP Information leak via IGMPv3 specific membership report (CVE-2019-12265)
“As each vulnerability affects a different part of the network stack, it impacts a different set of VxWorks versions. As a group, URGENT/11 affects the VxWorks’ versions described above with at least one RCE vulnerability affecting each version.” continues the report. “The wide range of affected versions spanning over the last 13 years is a rare occurrence in the cyber arena and is the result of VxWorks’ relative obscurity in the research community. This timespan might be even longer, as according to Wind River, three of the vulnerabilities were already existent in IPnet when it acquired the stack from Interpeak in 2006.”
Researchers explained that the VxWorks OS implements some optional mitigations that could make it hard the exploitation of the above vulnerabilities.
The experts also described three attack scenarios that differ from the position of the attacker and the targeted vulnerable device.
Scenario 1: Attacking the Network’s Defenses
A remote attacker can exploit the flaws to bypass networking and security devices powered with the OS.
“As an example of this scenario, consider how such an attack can take over the SonicWall firewall, which runs on the impacted VxWorks OS.” continues the report.
“According to Shodan, there are over 808K SonicWall firewalls connected to the Internet, representing a similar number of networks that these devices defend.”
Scenario 2 – Attacking from Outside the Network Bypassing Security
This scenario sees attackers targeting IoT devices that are not directly connected to the Internet that anyway are able to communicate connected to the cloud from within a network protected behind a firewall or NAT solution.
An attacker can intercept the TCP connection in different ways, for example using DNS changer malware, targeting DNS servers and carrying out Man-in-The-Middle attacks.
Scenario 3: Attacking from within the Network
In this scenario, an attacker inside a network can compromise connected IoTdevices powered with VxWorks.
Armis reported the flaws to Wind River Systems, which are already released security patches and informed the impacted security vendors.
We live in a connected world – thanks to the rise of new trends and concepts like Internet of Things (IoT) or Bring Your Own Device (BYOD), enterprise networks can’t restrict themselves to a specific set of predefined devices. Hence, the number of devices that now exist on enterprise networks are rapidly multiplying.
Obviously, this would mean that the importance of network visibility has grown by multifold. Just a few years back, it was far simpler to get an outline of a business network, but courtesy to the ever-expanding number of devices that connect to business networks now, it is a whole new ball game. From a cybersecurity perspective, network visibility is extremely important – it is important to monitor what an enterprise is trying to secure.
How does network visibility help an enterprise? Here are some ways:
Identifying anomalies in network activity
Network visibility enables cybersecurity administrators to observe network activity. This can allow them to spot and benchmark patterns, leading to easy identification of anomalies. Normal activity is thus easily detected and anything which stands out can be sent for investigation.
User activity
Are employees following their information security policy seriously? Proper network visibility will provide answers to this question with detailed information on how employees are using confidential and sensitive data. Network administrators can also readily find out if their policies are being followed and if there are backdoors in the network.
Secure Remote Connectivity
A secure connection from an endpoint to the company’s network for its remote users is very important and a virtual private network (VPN) does just that. It also helps build site-to-site connections to ensure protected and seamless connectivity. Typically, Secure Sockets Layer or IPsec is used to verify the communication between the endpoint and the network.
Ease of use and operational benefits
A single centralized solution offering network visibility helps provide an easy snapshot to understand what is happening in an enterprise network. It allows for operational benefits by eliminating the need to have multiple security solutions to perform the task.
Sensitive assets
Network visibility allows administrators to understand their network’s weak points. What part of the network gets attacked the most and what kind of attack vectors are used? Through these trends, network administrators stay up-to-date on the everyday changes happening in a fairly massive enterprise network.
Seqrite’s Unified Threat Management (UTM) solution offers a one-stop solution for network visibility. UTM reduces security complexities by integrating key IT security features in one integrated network security product. The platform brings network security, management, backup and recovery of UTM data and many other critical network services together under a single unified umbrella, tailored to suit the complexity of emerging threat scenarios.
All traffic through the firewall is tracked and logged and pre-defined business rules are applied to block all threats and non-business traffic. This improves productivity and ensures security. The antivirus built into it scans all inbound and outbound traffic for malware at the gateway level. The IPS system can detect and prevent attacks from a wide range of DoS and DDoS attacks before they infiltrate the network.
It validates and encrypts every IP packet of communication using Perfect Forward Secrecy (PFS) and NAT traversal. VPN compression, Multiple Subnet Support, and DNS Setting for PPTP Server as well as SSL VPN, Remote Access VPN, Site-to-Site VPN, dead peer detection are some of the other features of this tool to ensure secure remote connectivity.
It includes mail antivirus and anti-spam as well as keyword blocking for emails and HTTP(S) traffic fortifying your email communication. Website category and custom web lists based filtering are also provided.
It boasts of a revamped ISP load balance and failover feature including policy-based failover routing and automatic divert of data traffic from inactive ISP to active ISPs. IPv6, VLAN, USB Internet support for 3G/4G and NTP support, configurable LAN/WAN/DMZ ports, and Layer 2 bridging and link aggregation are also provided.
A user-friendly web-based logging and reporting console gives a complete view of the network. Configurable scheduling of diagnostic tools and monitoring CPU/RAM/Disk usage with timely reports and alerts through SMS or email. Stronger access control with enhanced user/group bandwidth and quota management is also provided.
Seqrite UTM is a one-stop network security solution for your enterprise ensuring round-the-clock security for your network.
Do you happen to be a Sephora cosmetics online customer these past few weeks? If yes, and you are living in Australasia (Australia, New Zealand and the rest of the Southeast Asian region), then your personal customer information may be included in the records that were stolen in a data breach. Sephora sent all their Australasia customers an email providing specific details of the data loss in the breach, including the hopes to repair its reputation.
“We understand how important your personal information is and value the trust you place in us to protect it. Over the last two weeks, we discovered a breach in data related to some customers who have used our online services in Singapore, Malaysia, Indonesia, Thailand, Philippines, Hong Kong SAR, Australia, and New Zealand,” explained Alia Gogi, Sephora’s SEA Managing Director.
The public disclosure mentioned the following information from Australiasian customers may already be in the hands of unknown parties:
Full name
Birth date
Gender
Email address and its corresponding hashed password
Cosmetics, make-up and other beauty products personal preferences
As of this writing, cosmetics and make-up seller denies that customer credit card information was included in the data breach. Sephora, being a non-IT company has signed-up with a partnership with independent digital forensic investigations in order to further probe the incident.
“We are sorry for any concern or inconvenience this may cause you. As a precaution, we have cancelled all existing passwords for customer accounts and have thoroughly reviewed our security systems. We are also offering a personal data monitoring service, at no cost to you, through a leading third-party provider. We would like to assure you that we will continue to take all necessary steps to protect your privacy,” added Gogi.
The company clarified that their brick and mortar store customers are not affected by the breach. The customer records lost only include people who patronized their products through their official website’s shopping card and their Android and iOS apps. The database they used to store customer information for their online, the database specifically assigned for Southeast Asia, Australia, Hongkong, and New Zealand app and website users.
The “over the last two weeks” length of the data breach is enough time to extract a huge amount of information from a database. The company has not revealed how much information in gigabytes was leaked to unknown parties, nor if they have a suspicion who is behind the incident. Sephora also has not detailed how the personal data monitoring services will function for the victims, the company that customers need not to sign-up for a separate service, as the company will pay for one.
To scale more efficiently and serve customers better, companies are moving more workloads and services to the cloud. According to IDG, 37 percent of companies are increasing their digital business, and 45 percent are in the process of becoming digital-first businesses. In fact, almost half of executives believe the digital sphere will help drive bottom-line revenue growth. But digital transformation also brings a new set of worries about security. Managing access to company information no … More →
Black Hat USA 2019 is just around the corner! Selecting which sessions to attend from among the conference’s jam-packed catalog of training sessions, panels and briefings can be a daunting task without a clear strategy. In the run-up to every conference, we compile a list of the most engaging content and identify the most compelling cybersecurity trends highlighted in the agenda. We have seen a telling shift in emphasis between the 2018 and 2019 Black … More →
While the SOC is considered an essential or important component of business, most security professionals rate their SOC’s effectiveness as low, and 49 percent say it is not fully aligned with business needs, according to a survey conducted by Devo Technology in partnership with the Ponemon Institute. Problems such as a lack of visibility into the network and IT infrastructure, a lack of confidence in the ability to find threats, and workplace stress on the … More →
The worldwide infrastructure as a service (IaaS) market grew 31.3% in 2018 to total $32.4 billion, up from $24.7 billion in 2017, according to Gartner. Amazon was once again the No. 1 vendor in the IaaS market in 2018, followed by Microsoft, Alibaba, Google and IBM. “Despite strong growth across the board, the cloud market’s consolidation favors the large and dominant providers, with smaller and niche providers losing share,” said Sid Nag, research vice president … More →
With Thales’ new Gemalto Digital ID Wallet, governments will issue a secure digital version of official documents including identity cards, health cards and drivers licenses, available to all citizens on their smartphones. Citizens will therefore be able to prove who they are, both online and in the ‘real world’, and access their rights and services at the touch of a button. The solution uses multi-layered security techniques and sophisticated encryption to achieve robust protection of … More →
It’s that time of year again where Black Hat and DEF CON are fast approaching and everyone interested in security will descend upon Las Vegas. While Craig Young will be there with his sold out Introduction to IoT Pentesting with Linux, I will be keeping my 2008 promise to myself and avoiding Vegas like the […]… Read More
A software engineer in Seattle was able to hack into the records of a total of 100 million Capital One customers. According to reports, Paige A. Thompson tried to share the information with members of an online chat group. She was arrested by the Federal Bureau of Investigations.
“This news proves once again there’s no failproof when it comes to cybersecurity,” said Adam Levin, founder of CyberScout. “The threats are as persistent as our efforts to thwart them are relentless, but data breach and compromise are the third certainty.”
The list of compromised data reads like a privacy advocates worst case scenario. According to a company release, it included in some cases credit scores, credit limits, balances, payment history, and contact information.
Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018 were also compromised as were the Social Security numbers of approximately 140,000 Capital One credit card customers, “about 80,000 linked bank account numbers of the company’s secured credit card customers.” Additionally, approximately one million Canadian Social Insurance Numbers were exposed.
The company says 100 million individuals were affected in the United States, and another 6 million in Canada. The information exposed was provided to the company at the time of application for credit. According to the company release, “This information included…names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.”
The Equifax data breach settlement of $700 million barely left the news cycle. 150 million individuals were affected in that breach. Initial numbers often change in breach situations, so the 100 million reported here may increase. At any rate, the breach is profound and will be costly.
Capital One estimates the cost in the near terms to be between $100 to $150 million in 2019. Read more here.
ACI Worldwide, a leading global provider of real-time electronic payment and banking solutions, announced a number of tools and solution updates to ready payment service providers (PSPs), acquirers, issuers and merchants for Strong Customer Authentication (SCA) and exemptions. Under the new PSD2 regulations, all electronic online transactions in the European Economic Area (EEA) will require SCA, designed to tackle card fraud and protect the confidentiality of payment security credentials for consumers when purchasing goods and … More →
CertNexus, the global purveyor of vendor neutral, emerging technology certifications and micro-credentials and the Internet of Things Community (IoT Community), the world’s largest and longest standing global independent IoT Community, announced a partnership to facilitate and accelerate closing the rapidly expanding Internet of Things (IoT) skills gap. According to a report by Inmarstat, 76% of companies surveyed require additional senior, strategic-level staff with skills in IoT, and 80% do not possess the IoT skills required … More →
Vulnerabilities in VxWorks' TCP stack could allow an attacker to execute random code, launch a DoS attack, or use the vulnerable system to attack other devices.
Ransomware infection impacted police car laptops for the Georgia State Patrol, Georgia Capitol Police, and the Georgia Motor Carrier Compliance Division.
Marcus Hutchins, the “accidental hero” who helped arrest the spread of the global WannaCry ransomware outbreak in 2017, will receive no jail time for his admitted role in authoring and selling malware that helped cyberthieves steal online bank account credentials from victims, a federal judge ruled Friday.
Marcus Hutchins, just after he was revealed as the security expert who stopped the WannaCry worm. Image: twitter.com/malwaretechblog
The British security enthusiast enjoyed instant fame after the U.K. media revealed he’d registered and sinkholed a domain name that researchers later understood served as a hidden “kill switch” inside WannaCry, a fast-spreading, highly destructive strain of ransomware which propagated through a Microsoft Windows exploit developed by and subsequently stolen from the U.S. National Security Agency.
In August 2017, FBI agents arrested then 23-year-old Hutchins on suspicion of authoring and spreading the “Kronos” banking trojan and a related malware tool called UPAS Kit. Hutchins was released shortly after his arrest, but ordered to remain in the United States pending trial.
Many in the security community leaped to his defense at the time, noting that the FBI’s case appeared flimsy and that Hutchins had worked tirelessly through his blog to expose cybercriminals and their malicious tools. Hundreds of people donated to his legal defense fund.
In September 2017, KrebsOnSecurity published research which strongly suggested Hutchins’ dozens of alter egos online had a fairly lengthy history of developing and selling various malware tools and services. In April 2019, Hutchins pleaded guilty to criminal charges of conspiracy and to making, selling or advertising illegal wiretapping devices.
At his sentencing hearing July 26, U.S. District Judge Joseph Peter Stadtmueller said Hutchins’ action in halting the spread of WannaCry was far more consequential than the two malware strains he admitted authoring, and sentenced him to time served plus one year of supervised release.
Marcy Wheeler, an independent journalist who live-tweeted and blogged about the sentencing hearing last week, observed that prosecutors failed to show convincing evidence of specific financial losses tied to any banking trojan victims, virtually all of whom were overseas — particularly in Hutchins’ home in the U.K.
“When it comes to matter of loss or gain,” Wheeler wrote, quoting Judge Stadtmeuller. “the most striking is comparison between you passing Kronos and WannaCry, if one looks at loss & numbers of infections, over 8B throughout world w/WannaCry, and >120M in UK.”
“This case should never have been prosecuted in the first place,” Wheeler wrote. “And when Hutchins tried to challenge the details of the case — most notably the one largely ceded today, that the government really doesn’t have evidence that 10 computers were damaged by anything Hutchins did — the government doubled down and issued a superseding indictment that, because of the false statements charge, posed a real risk of conviction.”
Hutchins’ conviction means he will no longer be allowed to stay in or visit the United States, although Judge Stadtmeuller reportedly suggested Hutchins should seek a presidential pardon, which would enable him to return and work here.
“Incredibly thankful for the understanding and leniency of the judge, the wonderful character letter you all sent, and everyone who helped me through the past two years, both financially and emotionally,” Hutchins tweeted immediately after the sentencing. “Once t[h]ings settle down I plan to focus on educational blog posts and livestreams again.”
Security experts at Plugin Vulnerabilities have discovered an authenticated Persistent Cross-Site Scripting (XSS) flaw in Facebook Widget.
Researchers at Plugin Vulnerabilities have discovered an authenticated Persistent Cross-Site Scripting (XSS) flaw in the Facebook Widget (Widget for Facebook Page Feeds).
The plugin is one of the 1,000 most popular plugins and it was closed on the WordPress Plugin Directory yesterday. After being informed of the closure, the experts analyzed the plugin and discovered it is affected by an authenticated persistent cross-site scripting (XSS) vulnerability. The flaw is caused by the improper handling of the security of shortcode attributes.
“While we were looking in to the plugin to see if there were any vulnerabilities we should be warning users of the plugin that also use our service, we found that it contains an authenticated persistent cross-site scripting (XSS) vulnerability due to not properly handling the security of shortcode attributes.” read the analysis published by Plugin Vulnerabilities.
Experts pointed out that the shortcode “fb_widget” causes the function fb_plugin_shortcode() to run. Analyzing the function, experts found in the first line the code that sets attributes from a shortcode to the variable $defaults without sanitizing the input.
For lower level users, WordPress does not sanitize them for usage as HTML tag attributes. The code in the last line shows outputas HTML tag attributes that are not being escaped.
The flaw could be exploited by an attacker to trigger the execution of malicious JavaScript that has to be included on the page.
To protest against the moderators of the WordPress Support Forum’s, the experts decided to disclose the flaw and to share the proof-of-concept code.
“When logged in as an Author, which does not have the unfiltered_html capability, place the following shortcode on a post:
“When visiting the post on the frontend, when hovering over the facebook widget an alert box with any available cookies will be shown.” reads the analysis”
Threatpost talks to Jacob Serpa with Bitglass about how more enterprises are struggling with a cloud security conundrum when it comes to public cloud vs on prem.
One of the most active drug sellers on the Dark Web was charged by law authorities and ordered to forfeit over $4 million in cryptocurrency.
The US Department of Justice (DoJ) charged Richard Castro (36) (aka “Chemsusa,” “Chems_usa,” and “Jagger109”) with participating in a conspiracy to distribute carfentanil, fentanyl, and a fentanyl analogue over the “dark web,” including on AlphaBayand Dream Market.
“On one dark web marketplace, Dream Market, “Chemsusa” boasted that it had completed more than 3200 transactions on other dark web markets, including more than 1,800 on AlphaBay.” reads the press release published by the DoJ. “The customer feedback for “Chemsusa” included, “Extremely potent and definitely the real Carf,” as well as “The Carfent is unbelievably well synthesized, keep up the amazing work.”
Castro completed thousands of transactions with positive feedback from its buyers, but last year opted to leave the black markets in the Dark Web and continue to sell drugs directly to its customers via encrypted email.
Castro was requesting a fee up-front to connect and was identified by an undercover officer that paid the fee, obtained the encrypted email address, and placed orders with CASTRO.
The co-conspirator, Luis Fernandez (41), was shipped the drugs to the customers, including the police officer that also identified him.
“RICHARD CASTRO, 36, of Windermere, Florida, and LUIS FERNANDEZ, 41, of the Bronx, New York, are each charged with one count of conspiracy to distribute and possess with the intent to distribute three controlled substances – carfentanil, phenyl fentanyl, and fentanyl – as well as one count of distributing these controlled substances via the Internet.” continues the DoJ. “CASTRO is also charged with one count of laundering narcotics proceeds, which carries a maximum sentence of 20 years in prison. The statutory maximum sentences are prescribed by Congress and are provided here for informational purposes only, as any sentencing of the defendants will be determined by the judge.”
Castro was accepting payments in Bitcoin (BTC), that were distributed in seven cryptocurrency wallets. Then the popular drug seller laundered the narcotics proceeds through the purchase of valuable assets and a huge amount of Zimbabwe banknotes.
According to the investigators, the man purchased approximately 100 quadrillion Zimbabwe banknotes.
Castro has agreed to forfeit $4,156,198.18 in cryptocurrency.
“Manhattan U.S. Attorney Geoffrey S. Berman said: “As he admitted today, for years, Richard Castro used the dark web to distribute prolific quantities of powerful opioids, including fentanyl and carfentanil.” states the DoJ. “Castro thought he could hide behind the anonymity of the internet, and use online pseudonyms to deal drugs – like ‘Chems_usa’ and ‘Chemical_usa.’ Thanks to our law enforcement partners, ‘Chems_usa’ is now in U.S. prison.”
Castro faces a mandatory minimum sentence of 10 years in prison and a maximum sentence of life for drug distribution. He also faces one count of money laundering, which carries a maximum sentence of 20 years in federal prison.
“As he admitted today, for years, Richard Castro used the Dark Web to distribute prolific quantities of powerful opioids, including fentanyl and carfentanil,” said Manhattan US Attorney Geoffrey Berman. “Castro thought he could hide behind the anonymity of the Internet, and use online pseudonyms to deal drugs.”
The press release confirmed that sentencing is scheduled for October 25, 2019, at 2:30 p.m. before Judge Cote.
Several years later and containers are still the hype for application deployment and migration. CIO Online contributor Paul Rubens broke it down into digestible chunks – explaining benefits, gotchas, container management systems, security and much more. So now that we have figured out more reliable and efficient ways to deploy and scale software across platforms, it has also provided ways for nefarious actors to exploit these containers.
In the last couple of years, while there have been some great improvements around security with containers and their orchestration systems such as Kubernetes, there have been several major vulnerabilities and exploits discovered.
Modern security teams need to proactively, efficiently, and effectively hunt for threats across multiple attack vectors. To address this need, today we’re excited to give you a glimpse of a new threat hunting capability coming soon to Microsoft Threat Protection. Building off the threat hunting technology currently available in Microsoft Defender Advanced Threat Protection (ATP), we are adding the ability to hunt for threats across endpoints and email (Figure 1).
The new Microsoft Threat Protection advanced threat hunting allows:
Easy access to telemetry—The telemetry data is accessible in easy to use tables for you to query.
Enhanced portal experience—Certain query results, such as machine name, link directly to the relevant portal, consolidating the hunting query experience and the portal investigation experience.
Detailed query templates—A welcome page provides examples designed to get you started and get you familiar with the tables and the query language.
The example in Figure 1 demonstrates how Microsoft Threat Protection enables hunting for red teams leveraging a compromised account to store a payload on a local SharePoint site and for sending emails to individuals within the organization. Having the email come from an internal sender and pointing to a local SharePoint site guarantees a high click-through rate. With the advanced hunting capability in Microsoft Threat Protection, this scenario easier to identity, discover, and ultimately remediate. As Microsoft Threat Protection evolves, we’ll continue to extend the advanced hunting capability across the enterprise. Look for more details on threat hunting across endpoints and email in the coming weeks.
Figure 1. Hunting query example: Find the red team!
Connecting the dots to protect your users
As we’ve discussed previously, securing enterprise identities is paramount for effective threat protection in modern organizations. Microsoft Threat Protection is built on best-in-class identity protection, and we’re pleased to announce the general availability of our new identity threat investigation experience, which correlates identity events from Microsoft Cloud App Security, Azure Advanced Threat Protection, and Azure Active Directory Identity Protection into a single investigation experience for security analysts and hunters alike.
Leverage state-of-the-art User and Entity Behavior Analytics (UEBA) capabilities to provide a risk score and rich contextual information for individual users across on-premises and cloud services. With the high volume of threat signals today’s security teams must analyze, it’s a challenge to know which users and threats to prioritize for deeper investigations (Figure 2). The new identity threat investigation experience enables security analysts to prioritize their investigations, helping reduce investigation times and eliminating the need to toggle between identity security solutions.
Figure 2. Top user view by investigation priority.
Delivering on our promise to empower defenders
Earlier this year, we announced two capabilities for email security with the public preview of Threat & Vulnerability Management and the extension of our endpoint security capabilities to macOS. We’re excited to deliver on the promise of both these milestones for our endpoint security, which further empower defenders relying on our services to secure their organizations.
At the end of June, we announced the general availability of our endpoint security for macOS. Offered through Microsoft Defender ATP, it enables integrated experiences in Microsoft Defender Security Center across Windows and macOS clients. It supports the three latest versions of macOS: Mojave, High Sierra, and Sierra. Customers can use Microsoft Intune and Jamf to deploy and manage Microsoft Defender ATP for Mac. Just like with Microsoft Office applications on macOS, Microsoft Auto Update is used to manage Microsoft Defender ATP for Mac updates. Check out the public documentation to see what’s available now.
We further enhanced endpoint security with the general availability of Threat & Vulnerability Management for endpoints (Figure 3), which offers customers:
Continuous discovery of vulnerabilities and misconfigurations.
Prioritization based on business context and dynamic threat landscape.
Seamless correlation of vulnerabilities providing enhanced breach insights.
Ability to assess vulnerability at the single-machine level to enrich and provide greater detail on incident investigations.
Built-in remediation processes through unique integration with Intune and Microsoft System Center Configuration Manager.
Figure 3. The Threat & Vulnerability Management dashboard.
This month, we also enriched the experience for security teams managing email security by introducing an email submission feature offered through Office 365 ATP. Microsoft is home to 3,500 security professionals, and now your organization can leverage their expertise to get quick and accurate analysis of potential email threats with the click of a button (Figure 4). The submission process is easy to use, and our Microsoft experts provide quick feedback, including insights on configurations that may have caused a false positive or false negative, reducing the time to investigate issues and improving overall effectiveness.
The new submission process allows admins to:
Submit suspicious emails, files, and URLs to Microsoft for analysis.
Find and remove rules allowing malicious content into the tenant.
Find and remove rules blocking good content into the tenant.
Here’s a quick run-through of the experience. You can also learn more about it in our technical docs.
Figure 4. Admin submission experience with Office 365 ATP.
Experience the evolution of Microsoft Threat Protection
Begin a trial of Microsoft Threat Protection services, which also includes our newly launched SIEM and Azure Sentinel, to experience the benefits of the most comprehensive, integrated, and secure threat protection solution for the modern workplace.
New vulnerabilities give hackers the ability to bypass the payment limits on Visa contactless cards regardless of the card terminal, according to new research from Positive Technologies.
In a July 29 press release, Positive Technologies said that researchers tested the flaws several times with five major UK banks and with cards and terminals outside of the UK. They found that the limits could be bypassed 100% of the time and could allow an attacker to steal from accounts.
“The attack works by manipulating two data fields that are exchanged between the card and the terminal during a contactless payment. Predominantly in the UK, if payment needs an additional cardholder verification (which is required for payments over 30 pounds in the UK), cards will answer 'I can’t do that,' which prevents against making payments over this limit. Secondly, the terminal uses country specific settings, which demand that the card or mobile wallet provide additional verification of the cardholder, such as through the entry of the card PIN or fingerprint authentication on the phone,” the press release said.
Checks were bypassed by using a device acting as a proxy to intercept communication between the payment terminal and the card, an attack known as man in the middle (MITM). These MITM attacks can also be accomplished using mobile wallets, allowing a fraudster to charge up to £30 without unlocking the phone.
“The device tells the card that verification is not necessary, even though the amount is greater than £30. The device then tells the terminal that verification has already been made by another means. This attack is possible because Visa does not require issuers and acquirers to have checks in place that block payments without presenting the minimum verification,” according to the release.
"The payment industry believes that contactless payments are protected by the safeguards they have put in place, but the fact is that contactless fraud is increasing," said Tim Yunusov, head of banking security for Positive Technologies. "While it’s a relatively new type of fraud and might not be the number-one priority for banks at the moment, if contactless verification limits can be easily bypassed, it means that we could see more damaging losses for banks and their customers."
Internet-connected devices powered by VxWorks 6.5 and newer are affected by a vulnerability that allows remote attackers full control over targeted devices.
There is a growing trend for attackers to more heavily utilize tools that already exist on a system rather than relying totally on their own custom malware.
Using .hta files or its partner in crime, mshta.exe, is an alternative to using macro enabled document for attacks and has been around a long time. It is a tool so flexible it even has its own cell on the MITRE ATT&CK matrix.
What Makes Mshta Dangerous?
To start, it is a signed, native Microsoft binary that already exists on Windows that can execute code in a variety of ways, and in today’s living off the land culture that attackers love, this makes it a prime application of interest since code execution can be proxied through it.
Mshta.exe can also be used to bypass application whitelisting defenses and browser security settings.
These types of binaries have been colloquially dubbed “LOLBINs” but more formally have been turned into techniques within the Mitre tactic of Execution. Techniques T1218 and T1216: Signed binary proxy execution and Signed Script Proxy Execution, respectively.[1]
How It Is Used:
The most interesting abuse of native Windows binaries is the ability to run a program that will either execute passed in code, or that will execute a payload hosted remotely. This was quite popular with Casey Smith’s squibblydoo and squiblytwo attacks where regsvr32 and wmic (also considered LOLBINs) were both found to be signed windows binaries able to execute code hosted remotely.
Note: notice the similarities between the usage of mshta with the exec method and the corresponding use in regsvr32 in the above gist.
Alternatively, a file with a .hta extension can just as easily be double clicked on by the user where the code is set to autorun on open much like a macro enabled document.
Availability in Public Tools
There is no shortage of easily accessible repos to help someone quickly generate a payload to use mshta. .hta file type generation is available in nearly all public red-teaming tools such as Empire, Metasploit, Unicorn, and Koadic.
Do not forget, however, that mshta’s use is not limited to .hta files. It can also call code registered inside of com scriptlets (.sct) so it is relevant to other tools such as GreatSCT.
It’s also worth noting that even if you have powershell.exe blocked, tools like nps payload have .hta files that dynamically build a project and compile it with msbuild (another tool to be weary of) to create a tool that can execute powershell commands without using powershell.exe at all.
In The Wild:
One of my favorite tools to look for examples is app.any.run. It is an interactive online sandbox and is a great resource for finding new samples. You can even filter by MITRE ATT&CK Technique which is what I did here:
As you can see, there is no shortage of samples to go through. Another interesting detail is we can see several different file extensions used outside of the standard .hta and even some where the sandbox has found there are no threats detected. Is that true though?
Here we can see it has a dubious name of windows-update.hta running from a temp folder. This looks to be a binary embedded within an .hta file to trick automated sandbox detection.
Here we look at another sample with no threats detected.
We see multiple file extensions used in the name to try and fool end users into thinking it is a picture. The script appears to be using WMI to spawn a new process which breaks the “expected” process chain of mshta > PowerShell and can allow malware to bypass rules that look for a direct process relationship such as Word > PowerShell.
We can also see the sandbox believes this is not malicious based on its scoring. Luckily, we can look at the PowerShell code that it spawns and get a better idea.
Process tree for 0ab797e7546eaf7bf40971a1f5f979355ed77a16124ae749ef1e90b81e4a3f88
So, mshta can also be used to execute vbscript and WMI to break the process tree chain and launch PowerShell.
And in the below example you can see mshta’s role in continuing part of an infection chain in common malware.
Use of exploit then using mshta to execute remote code spawning the rest of the infection chain
Protection and Recommendations
One of the easiest things you can implement is to change the default applications for files with an .hta extension from mshta.exe to a plain text editor such as notepad to help keep users from unwittingly double clicking a malicious .hta attachment
If you are a McAfee customer, McAfee Endpoint Security (ENS) provides rules 322, which is now enabled by default, and 324 that can be enabled in ePO to help protect your environment against malicious mshta abuse.[2]
You should also spend some time exploring where abusable native binaries like mshta.exe are used in your environment. If there are no business needs that require it, blocking it outright is advised. If it is required, understand where and why so you can find the systems running things like mshta.exe that aren’t expected to be.
Working in the security operations center (SOC) is growing increasingly more painful because of an increasing workload and alert fatigue, according to new research, Improving the Effectiveness of the Security Operations Center, published by the Ponemon Institute and sponsored by Devo Security.
Respondents cited malware (98%), known vulnerabilities (80%), spear-phishing (69%) and insider threats (68%) as the most identified exploits in the SOC.
“Most respondents rate their SOC’s effectiveness as low and almost half say it is not fully aligned with business needs. Problems such as a lack of visibility into the network and IT infrastructure, a lack of confidence in the ability to find threats and workplace stress on the SOC team are diminishing its effectiveness,” the report said.
In fact, 65% of respondents said that these pain factors would cause them to consider changing careers or leaving their job, and those frustrations exist even in those organizations that consider the SOC essential to their cybersecurity strategy, according to the report. SOCs are struggling, and most of the participants ranked their SOC’s effectiveness as low, with nearly half reporting the SOC is not fully aligned with business needs.
As a result of these problems, 78% of respondents say the mean time to resolution (MTTR) can be weeks to months – even years. “Only 22 percent of respondents say resolution can occur within hours or days. Forty-two percent of respondents say the average time to resolve is months or years,” according to the report. In addition to the lack of visibility, threat hunting was also ranked as a top challenge.
“Threat hunting teams have a difficult time identifying threats because they have too many IOCs [indicators of compromise] to track, too much internal traffic to compare against IOCs, lack of internal resources and expertise and too many false positives. More than half of respondents (53 percent) rate their SOC’s ability to gather evidence, investigate and find the source of threats as ineffective. The primary reasons are limited visibility into the network traffic, lack of timely remediation, complexity and too many false positives,” the report said.
When Salesforce.com launched in 1999, it became the gateway of the cloud computing platform to the public. Today, cloud computing, known as “the cloud,” is one of the most used technologies around the world. Applications like Netflix, Amazon web service, and even Facebook all use the cloud. But the cloud’s popularity has made it a hot target for cyberattacks, which is why it’s important for businesses to have cloud encryption in place.
What Is Cloud Encryption?
Cloud encryption is a cybersecurity tool that encrypts data as it is sent to the cloud for storage. There are different forms of cloud encryption offered by many cloud-platform service providers. By using cloud security encryption, sensitive data can remain safe in cloud storage even if the cloud platform is compromised by hackers.
What Is Cloud Encryption? – Kinds of Cloud Computing Encryption
Cloud security encryption comes in various forms, depending on the cloud provider. Because cloud encryption uses more processing power than just sending data through the cloud, not all service providers can offer a high level of cloud computing encryption. Here are various forms of cloud computing encryption:
Encrypted cloud connection is a kind of cloud encryption where the cloud computing connection is secured through encryption; it’s similar to how VPNs encrypt your data through the VPN tunnel.
Cloud computing encryption of sensitive data is a kind of cloud security encryption where the cloud service provider only encrypts data known to be sensitive. This limits the amount of data being encrypted before being stored in the cloud. This method costs less bandwidth and processing power.
End-to-end encryption is one of the highest levels of cloud security encryption. In end-to-end encryption, the data is encrypted offline before being sent into the cloud for storage. Because the encryption is done offline, only authorized people have the decryption key, and even if the cloud service provider is compromised, the data remains safe.
What Is Cloud Encryption? — Why Proper Key Management Is Important
Cloud encryption works the same way as offline encryption. There are keys used for encryption and decryption of the data. But the main difference is who is managing the encryption and decryption keys.
When cloud service providers offer cloud security encryption, most of the time, they manage the keys instead of the client. This poses a vulnerability when the provider is compromised and hackers gain access to their key storage.
When picking a cloud service provider, companies should take note of the cloud security encryption method and encryption key management before applying for their services. Companies should also take note of how much security they need for the files they plan to transfer to the cloud.
Keeping decryption keys offline is a good key management practice, as well as frequent key auditing and setting up two-factor verification.
Conclusion
Cloud computing technology has opened doors to high-volume storage. Companies, whether big or small, have utilized it for their day-to-day operations and data storage needs. But even the cloud is not fully hack-proof. Secure your data in the cloud now by using cloud encryption.
Researchers have uncovered easy-to-exploit bugs that can impact physical safety, utilities, healthcare, critical infrastructure and more, setting the stage for widespread worm attacks.
In our previous blog post, Getting Started with Cloud Governance, enterprise security architect Wayne Anderson discussed the challenge of understanding the “sanctioned” path to the cloud and how governance was the initial building block for cloud security. To understand the sanctioned path, we must have visibility into our overall use of cloud services and further apply a set of intelligent controls that enforce our governance requirements. These steps become the building blocks for intelligent data control, which tightens our data security posture and allows accelerated business transformation.
Before we focus on the intelligent control of data in sanctioned services, we must have a good understanding of what services are being utilized in our environment, along with the associated risk they bring. Setting requirements for cloud service governance is a good first step in identifying and limiting services. To map a set of technical controls to the problem data protection in the cloud, we must start with an architecture and an intelligent model that helps us achieve the desired controls.
The application of intelligent data control starts with a centrally managed platform that is elastic and works across all cloud services models, from SaaS, to PaaS and IaaS. There must be a consistent model in place for the visibility and control of allowable services as well as the control of data for sanctioned applications. The data policies used by the platform should also be consistent in both device-to-cloud and cloud-and-cloud scenarios.
Here’s a diagram showing a common control plane across cloud models:
Once we have the platform defined and in place, we monitor the cloud services being used and build an inventory of discovered services.
Here’s a sample inventory of cloud services using McAfee MVISION Cloud as our platform:
The discovered cloud services inventory is mapped against a comprehensive cloud services risk registry that assesses each service against dozens of attributes that can be used for fine-grained governance policies.
Example cloud service risk profile and attributes:
Finally, we can craft and apply our governance policies, providing visibility and/or remediation of services that fall outside the governance requirements. Any future changes to governance requirements are monitored by an approval workflow system. The risk registry is updated dynamically and external to the policy execution. This allows for remediation of newly discovered and disallowed cloud services that are outside the acceptable governance requirements.
Intelligent application of governance requirements:
Using this arrangement allows us to implement governance requirements such as total risk (no services allowed with a risk score > 7 on a 1-to-10 scale), not allowing a service that is multi-tenant and does not encrypt data at rest, etc.
Providing intelligent control of cloud services governance policies helps to close the gap of data loss and malware from suspect services that have not been sanctioned. Establishing intelligent governance of cloud services allows for the next step of applying intelligent control to our sanctioned services.
In the future, we will continue the discussion on how intelligent data control can increase data security efficacy and accelerate your business as a result.
Armis researchers have discovered 11 vulnerabilities (including 6 critical RCE flaws) in Wind River VxWorks, a real-time operating system used by more than two billion devices across industrial, medical and enterprise environments. Collectively dubbed “Urgent11”, they are estimated to impact SCADA systems, elevators, industrial controllers, patient monitors and MRI machines, as well as firewalls, routers, satellite modems, VOIP phones and printers. About Wind River VxWorks VxWorks is a real-time operating system (RTOS), i.e., an OS … More →
A new scam is impersonating WhatsApp and using the fraudulent claim that its victims will receive "free internet," according to ESET researchers.
“Researchers in Latin America received a message on WhatsApp stating that the app was giving away 1,000 GB of internet data to celebrate its anniversary. It shouldn’t come as much of a surprise when we say that it was a scam,” the report said and then looked at the situation in greater detail.
The URL seemed suspect to the researchers, who noted that it wasn't an official WhatsApp domain. “Even though businesses may sometimes run promotions through third parties, the rule of thumb here is to check on the company’s website to make sure any promotion is real and valid,” researchers added.
Indeed, clicking on the link delivers the user to a survey page with the WhatsApp logo at the top. Not surprisingly, those who fall for the scam and start answering questions are then invited to share the link with 30 friends in order to be entered in the drawing to win.
Credit: ESET
“Apparently their goal here is click fraud – a highly prevalent monetization scheme that relies on racking up bogus ad clicks that ultimately bring revenues for the operators of any given campaign,” the report said. Because it can be repurposed to perform a variety of other functions, click fraud presents many different threats.
“Even though in this case we found no evidence that clicking the link led to the installation of malicious software or that there was any intention to phish for personal information, it doesn’t mean that this cannot change at any time.”
Researchers added that the domain used in this scam is also hosting other fraudulent offers from high-profile companies, including Adidas, Nestlé and Rolex.
Two of the biggest threats organisations face are phishing and ransomware, both of which exploit human error.
If employees who receive phishing emails (which often contain ransomware) are unable to spot them, the whole organisation is at risk.
Similarly, accidental breaches, privilege misuse and data loss are all the result of employees not understanding their information security obligations.
Educating staff on the ways they could put data at risk helps organisations turn one of their biggest vulnerabilities into an area of strength.
Training courses should be given to employees during their induction and then repeated annually.
A risk assessment is one of the first tasks an organisation should complete when preparing its cyber security programme.
It’s the only way to make sure that the controls you choose are appropriate to the risks your organisation faces.
Without a risk assessment, you could ignore threats or waste time and effort addressing events that are unlikely to occur or won’t cause significant damage.
There is, after all, little point implementing measures to defend against events that are unlikely to occur or won’t have much material impact on your organisation.
Policies and procedures are the documents that establish an organisation’s rules for handling data.
Policies provide a broad outline of the organisations principles, whereas procedures detail how, what and when things should be done.
The evolving cyber threat landscape makes it imperative that organisations regularly review their policies and procedures.
If a procedure isn’t working, it needs to be rewritten.
5) Assess and improve
Each of the steps listed here references the need to conduct regular reviews, but the assessment and improvement process is so important that it merits particular attention.
Every part of an organisation’s cyber security framework benefits from reviews of its effectiveness, but the process will inevitably take time and effort, meaning the frequency of reviews will depend on the resources you have.
How ISO 27001 can help
We recommend implementing to ISO 27001, the international standard that describes best practice for an information security management system (ISMS).
The Standard’s framework covers everything listed here, and is designed to help organisations manage their security practices in one place, consistently and cost-effectively.
We know that implementing an ISO 27001-compliant ISMS can be an intimidating task, especially if you have no prior knowledge of the Standard and don’t know where to start.
Cybercriminals and malicious hackers have been shifting their tactics, techniques, and procedures (TTPs) to improve their ability to infiltrate an organization and stay under the radar of security professionals and solutions. Moving to more targeted attack methods appears to be a mainstay among threat actors, which requires organizations to improve their visibility into the entire attack lifecycle. Gone are the days in which these attacks only target the endpoint, and as such, an expanded connected threat defense is paramount.
Many organizations have been adopting EDR (Endpoint Detection & Response) as a way to obtain more data about attacks on the endpoint. But as we’ve seen with even ransomware actors, the endpoint is being targeted less. Rather, attacks are laterally moving within an organization to find critical systems that will allow them to increase their chance of the organization paying the ransom. (See my recent webinar on trends in ransomware.)
This means the actors behind many financially motivated and targeted attacks will move across the network, and their tracks will be left in other areas of their network, not just on the endpoint. Expanding EDR to include other areas is the definition of XDR. The X could be network data, email or web data, data from cloud instances, and others. This would allow an organization to get visibility into the entire attack lifecycle, including infiltration, lateral movement, and exfiltration. This will improve the organization’s ability to prevent critical data exfiltration or the compromise of critical systems within their network.
The ability to do this requires a number of key components:
A security vendor who has solutions across the entire network, including cloud, gateway (email & web), network, server, endpoint (includes mobile), and IoT/IIoT
Support for threat intelligence and data analytics. This should be as automated as possible and should include 3rd party threat intelligence (i.e. CERT, ISAC, ISAO feeds)
History of expertise in correlating multiple threat vectors and the use of AI and Machine Learning
This will require a major shift from traditional security practices, as many organizations have supported a best-of-breed approach, utilizing multiple vendors (some say 50-100 security applications on average within a large enterprise). Instead, the future is moving to a more consolidated approach with fewer vendors. Having multiple vendors for different areas of security results in silos and segmentation due to a lack of integration across the security industry, but XDR could bring a shift in this practice as they include more support for 3rd party intelligence feeds.
Trend Micro has been innovating for 30 years and our breadth of security products allows us to successfully build an XDR solution. Also, our almost 15 years of investing in and building AI/Machine Learning technologies into our backend and frontend products will allow us to have the data analytics piece covered. Lastly, we have an extensive array of global threat intelligence that will allow us to ensure we can proactively detect and protect our customers.
Stay tuned for more information about this topic in upcoming blogs.
