Daily Archives: July 17, 2019

Sprint Data Breach Due To Samsung.com Bug Revealed

U.S. telecom giant, Sprint has recently revealed that a certain number of Sprint customer accounts were taken over by unauthorized users using a loophole in Samsung.com’s “add a line” feature. The company disclosed this information as per their June 22 internal report and the following information of affected users are now in the hands of unknown personalities:

  • Full name
  • Billing address
  • Subscriber ID
  • Account creation date
  • Account number
  • Phone number
  • Device ID
  • Device Type
  • Monthly recurring charges
  • Upgrade eligibility
  • Add-on services

Even with a huge laundry list of information was stolen, Sprint remains calm as the telecom giant claims that the information lost to the Samsung.com breach was not substantial enough to for identity theft to thrive. Sprint on their part issued a force reset of their customer’s PIN in order to lessen the chance of further security breaches. The forced PIN change was initiated on June 25, three full days after the discovery of the incident.

“Sprint has taken appropriate action to secure your account from unauthorized access and has not identified any fraudulent activity associated with your account at this time. Sprint re-secured your account on June 25, 2019. We apologize for the inconvenience that this may cause you. Please be assured that the privacy of your personal information is important to us. Please contact Sprint at 1-888-211-4727 if you have any questions or concerns regarding this matter,” explained Sprint in its official press release.

The company urges all its affected customers to visit www.indentitytheft.gov, a website operated by the U.S. Federal Trade Commission. Sprint claims that the preventive and security measures provided by the FTC will be very helpful for customers that continue to worry about the data breach incident. As of this writing, Sprint has not disclosed the details on what actually happened to Samsung.com’s “add a line” feature, and how it caused Sprint customers to get hacked through the use of the website.

On their part, Samsung claims that they keep their systems and website secure, and no Samsung customer info from their systems was leaked to the outside world. “We recently detected fraudulent attempts to access Sprint user account information via Samsung.com, using Sprint login credentials that were not obtained from Samsung. We deployed measures to prevent further attempts of this kind on Samsung.com and no Samsung user account information was accessed as part of these attempts,” said a Samsung spokesperson.

Also Read;

Five Important Things about Data Security

Data Breaches have become a common threat in online transactions

Beware of Fake Samsung Firmware Update App

 

The post Sprint Data Breach Due To Samsung.com Bug Revealed appeared first on .

Skills gap remains a top barrier to SD-WAN adoption

SD-WAN security drives selection, skills gaps remain a primary obstacle to adoption, and adoption continues to rise, according to Masergy. The survey, conducted in partnership with IDG Research, analyzed responses from IT decision makers in global enterprises across a variety of industries. This survey was also conducted in 2017 as a benchmark in order to measure SD-WAN trends over time. Optimizing the network to support cutting-edge technology stands out as the most prominent objective that … More

The post Skills gap remains a top barrier to SD-WAN adoption appeared first on Help Net Security.

The true potential of 5G for businesses

Technology is transforming our world beyond recognition and both public and private sector organizations are at a tipping point where they must embrace digital transformation or risk being left behind. Concepts which once seemed futuristic and out of reach – autonomous vehicles, remote surgery, and smart cities – are now within our sights and 5G is being touted as the key to unlocking the door to this digital future. Yet, with all the excitement and … More

The post The true potential of 5G for businesses appeared first on Help Net Security.

Adoption rates of basic cloud security tools and practices still far too low

As organizations migrate more of their data and operations to the cloud, they must maintain a robust cybersecurity posture, a Bitglass report reveals. Each year, Bitglass conducts research on the state of enterprise cloud security in order to identify key trends and common vulnerabilities. This year’s report found that 75 percent of organizations leverage multiple cloud solutions, but only 20 percent have visibility over cross-app anomalous behavior. With more and more organizations storing sensitive information … More

The post Adoption rates of basic cloud security tools and practices still far too low appeared first on Help Net Security.

Plugins

Every plugin or add-on you install in your browser can expose you to more danger. Only install the plugins you need and make sure they are always current. If you no longer need a plugin, disable or remove it from your browser via your browser's plugin preferences.

Certificate-related outages impact the reputation of financial services organizations

Financial services organizations are more likely to have digital certificate-related outages than other industries, a Venafi study reveals. Over 100 CIOs in the financial services industry from the U.S., U.K., France, Germany and Australia participated in the study. In the last six months, 36 percent experienced an outage that impacted critical business applications or services. In addition, financial services CIOs are more concerned about the impact of certificate-related outages on their customers. “Organizations from every … More

The post Certificate-related outages impact the reputation of financial services organizations appeared first on Help Net Security.

Federal and SLED IT managers say AI will be a game changer

AI is not a concept of the future, a MeriTalk study confirms. A new study, underwritten by Arrow and NetApp, surveyed 300 Federal, state, local, and higher education (SLED) IT managers to explore where they think their agencies are with AI as a broader concept, and to understand their usage of foundational AI technologies like chatbots, intelligent analytics, high performance computing, and more. Between February’s executive order and the launch of AI.gov in March, AI … More

The post Federal and SLED IT managers say AI will be a game changer appeared first on Help Net Security.

MobileIron launches zero sign-on technology for secure and passwordless authentication

MobileIron, the company that introduced the industry’s first mobile-centric, zero trust platform for the enterprise, announced the availability of zero sign-on technology for secure and passwordless authentication to enterprise cloud services from desktops. Users can now log into software-as-a-service (SaaS) applications, such as Office 365 and Salesforce, from any laptop or desktop using their secured iPhone as their identity – eliminating the need for passwords entirely. A zero password experience is critical as a recent … More

The post MobileIron launches zero sign-on technology for secure and passwordless authentication appeared first on Help Net Security.

Privitar extends data-protection and safe data-analysis capabilities of its Publisher product

Privitar, whose software delivers the uncompromised data privacy that is essential for organizations worldwide to conduct safe and ethical data analysis, released version 3.0 of its Publisher product, extending both its data-protection and safe data-analysis capabilities. With Privitar Publisher 3.0, companies can use its centralized, policy-based approach to data privacy more widely within their organizations, automate more processes, and make data available to data scientists more quickly. Publisher 3.0 also enables companies to create richer … More

The post Privitar extends data-protection and safe data-analysis capabilities of its Publisher product appeared first on Help Net Security.

Smarter Security’s new optical technology to prevent sidegating

Smarter Security, the intelligent entrance controls company, announced new optical technology that reduces the risk of “sidegating” when two people attempt unauthorized side-by-side entry through a turnstile. Sidegating is a growing security issue as changing regulations and customer demands for increased pedestrian and wheelchair user comfort dictate the need for wider turnstiles. If a lane is wide enough to comfortably fit a wheelchair, it is also wide enough to fit two pedestrians side-by-side. Until now, … More

The post Smarter Security’s new optical technology to prevent sidegating appeared first on Help Net Security.

Cohesity Runbook enables enterprises to systematically move workloads to the cloud

Cohesity announced a new application called Cohesity Runbook. Cohesity Runbook provides organizations with a new automation design canvas that makes it incredibly simple and formulaic for enterprises to move workloads systematically between on-premises data centers and the public cloud – a critical need as more and more organizations rely on the cloud for everything from dev/test to security to disaster recovery. The Cohesity Runbook application, available through the Cohesity Marketplace, automates the process of moving … More

The post Cohesity Runbook enables enterprises to systematically move workloads to the cloud appeared first on Help Net Security.

Communication – The Forgotten Security Tool

Security professionals have many tools in their toolbox. Some are physical in nature. (WireShark, Mimikatz, endpoint detection and response systems and SIEMs come to mind.) Others not so much. (These assets include critical thinking faculties, the ability to analyze complex processes, a willingness—some call it a need—to dig in and find the root cause of […]… Read More

The post Communication – The Forgotten Security Tool appeared first on The State of Security.

PremiumSoft releases new version of Navicat Monitor

PremiumSoft announces the immediate release of Navicat Monitor version 2.0, a new version of Navicat Monitor, now supported SQL Server. Navicat Monitor is a safe, simple and agentless remote server monitoring tool for MySQL, MariaDB and SQL Server. It includes a rich set of real-time and historical graphs that allow you to drill down into server statistic details. In the latest version of Navicat Monitor, you can easily uncover the problematic queries, such as identifying: … More

The post PremiumSoft releases new version of Navicat Monitor appeared first on Help Net Security.

Symantec’s new cloud access security solution enforces consistent security and data protection policies

Symantec, the world’s leading cyber security company, announced its new cloud access security solution to help secure cloud and internet access and use in an enterprise environment. These enhancements and integrations across Symantec’s network security portfolio further position Symantec as the only security provider to offer an integrated cloud-delivered solution that lessens operational costs and complexity, while lowering operational risk. In today’s business environment, there is a tremendous volume of enterprise network traffic directed to … More

The post Symantec’s new cloud access security solution enforces consistent security and data protection policies appeared first on Help Net Security.

Synack launches a new crowdsourced penetration test designed specifically for government

Synack, the most trusted leader in crowdsourced penetration testing, announces the availability of the market’s first comprehensive crowdsourced penetration test designed specifically for government, by offering a bug bounty-based vulnerability discovery model coupled with NIST 800-53 guidelines. Synack co-founders and technical security experts Jay Kaplan and Mark Kuhr came out of the NSA and the US Department of Defense with a shared vision to create a scalable, effective, and trusted security solution for the government. … More

The post Synack launches a new crowdsourced penetration test designed specifically for government appeared first on Help Net Security.

Perimeter 81 ensures zero trust access to web applications without an agent

Perimeter 81, the leading Zero Trust Secure Network as a Service provider, announced that it has officially unveiled its new cornerstone solution: Zero Trust Application Access. The service is designed to meet the demands of today’s ever-expanding modern network and ensure fully secured, isolated and agentless access to an organization’s critical web applications, secure shell (SSH), remote desktop (RDP), virtual network computing (VNC) and Telnet in an emulated, streamlined and seamless way, regardless of where … More

The post Perimeter 81 ensures zero trust access to web applications without an agent appeared first on Help Net Security.

CyberGRX Auto Inherent Risk provides users with immediate visibility into potential threats

CyberGRX, provider of the world’s first and largest global cyber risk exchange, announced the recent release of a groundbreaking new feature that provides users with immediate visibility into potential threats in their ecosystem: Auto Inherent Risk (AIR) insights. As digital transformation and interconnected ecosystems continue to expand, effective third-party cyber risk management (TPCRM) is increasingly becoming a top priority for CISO’s and Risk Managers. CyberGRX AIR automates what was once a very time-consuming and manual … More

The post CyberGRX Auto Inherent Risk provides users with immediate visibility into potential threats appeared first on Help Net Security.

ShiftLeft Ocular enhancements to help orgs discover business logic flaws faster

ShiftLeft, an innovator in automated application security, announced enhancements to its Ocular solution that empower organizations to discover business logic flaws during application development 10 times faster than manual code reviews. Updates to Ocular include support for four new programming languages, C#, C, C++ and Scala, which improve development efforts with coverage for the top cloud, Internet of Things (IoT) and embedded applications. The updates also include blazing fast automated security regression testing in CI/CD, … More

The post ShiftLeft Ocular enhancements to help orgs discover business logic flaws faster appeared first on Help Net Security.

Signal Sciences and Datadog provide real-time web app attacks monitoring and response

Signal Sciences, the fastest growing web application security company in the world, announced its integration with Datadog, the monitoring and analytics platform for modern cloud environments. The integration provides engineering and operations teams with an easy way to monitor and respond to real-time web application attacks from the Datadog platform. By activating the new Signal Sciences dashboard, Datadog users can quickly see the volume and types of attacks against their applications, APIs, and microservices. The … More

The post Signal Sciences and Datadog provide real-time web app attacks monitoring and response appeared first on Help Net Security.

FireEye launches two new service delivery options for managed detection and response

FireEye, the intelligence-led security company, announced the availability of two new managed detection and response (MDR) service offerings – FireEye Managed Defense Nights and Weekends and FireEye Managed Defense for Endpoint Security. “Managed Defense has led the managed detection and response market since 2011 when we saw the need to provide ongoing, proactive detection and investigations following incident response engagements,” said Marshall Heilman, Senior Vice President, Managed Defense and TORE, FireEye. “Customer needs continue to … More

The post FireEye launches two new service delivery options for managed detection and response appeared first on Help Net Security.

Smashing Security #137: Porn trolling lawyers, Insta hacking, and Ctrl-Alt-LED

Erection your honour! Lawyers find themselves behind bars after they make porn movies in an attempt to scam internet users, boffins in Israel detail a way to steal data from an air-gapped computer, and Instagram coughs up $30,000 after a researcher finds a simple way to hack into anybody’s account.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast.

Western Digital enhances its IntelliFlash data center systems portfolio

Western Digital announced new additions and enhancements to its IntelliFlash data center systems portfolio, giving customers even greater choice and flexibility to design modern hybrid-cloud infrastructures that accelerate the speed of business and help extract greater value from data. By doubling available performance and density, combined with enhanced capabilities for data migration and hybrid-cloud mobility, Western Digital’s IntelliFlash family of NVMe-flash, all-flash and hybrid-flash arrays delivers a superior overall value proposition for accelerating today’s most … More

The post Western Digital enhances its IntelliFlash data center systems portfolio appeared first on Help Net Security.

Party Like a Russian, Carder’s Edition

“It takes a certain kind of man with a certain reputation
To alleviate the cash from a whole entire nation…”

KrebsOnSecurity has seen some creative yet truly bizarre ads for dodgy services in the cybercrime underground, but the following animated advertisement for a popular credit card fraud shop likely takes the cake.

The name of this particular card shop won’t be mentioned here, and its various domain names featured in the video have been pixelated so as not to further promote the online store in question.

But points for knowing your customers, and understanding how to push emotional buttons among a clientele that mostly views America’s financial system as one giant ATM that never seems to run out of cash.

WARNING: Some viewers may find this video disturbing. Also, it is almost certainly Not Safe for Work.

The above commercial is vaguely reminiscent of the slick ads produced for and promoted by convicted Ukrainian credit card fraudster Vladislav “BadB” Horohorin, who was sentenced in 2013 to serve 88 months in prison for his role in the theft of more than $9 million from RBS Worldpay, an Atlanta-based credit card processor. (In February 2017, Horohorin was released and deported from the United States. He now works as a private cybersecurity consultant).

The clip above is loosely based on the 2016 music video, “Party Like a Russian,” produced by British singer-songwriter Robbie Williams.

Tip of the hat to Alex Holden of Hold Security for finding and sharing this video.

Firmware Bugs Plague Server Supply Chain, 7 Vendors Impacted

Lenovo, Acer and five additional server manufacturers are hit with supply-chain bugs buried in motherboard firmware.

Canadian Credit Union Desjardins Data Breached by Employee

Canadian financial institution Desjardins reported a data breach that compromised the personal information of 2.7 million customers and 173,000 businesses.

The compromised data included names, addresses, birthdates, social insurance numbers, email addresses and transaction histories. The breach was reportedly the result of employee misconduct. Investigators believe an employee sold the data on the dark web. Evidence of fraudulent credit cards opened in customer names has been reported.

“This is a very serious situation,” said the Autorité des marchés financiers (AMF), an organization responsible for financial regulation in Québec in a statement.

“The AMF is satisfied with the actions taken to date by Desjardins Group to protect the interests and assets of its members. It remains confident that the institution’s officers have handled the situation with due rigour, transparency and speed and that the cooperation provided to law enforcement is full and complete,” it added.

Desjardins and its CEO were criticized following complaints by affected customers that registration for the five years of free credit monitoring offered by the company was difficult, with reports of crashed websites, long wait times on the phone, and limited support in French. After finding that only 13% of customers had signed up for the service, Desjardins expanded the service, offering lifelong identity theft protection for all of its clients, including those unaffected by the breach.

The Office of the Privacy Commissioner and the Québec Access to Information Commission have announced a joint investigation into the breach to determine if Desjardin was compliant with consumer protection regulations at the provincial and federal levels.

Read more about the story here.

The post Canadian Credit Union Desjardins Data Breached by Employee appeared first on Adam Levin.

75% of Security Awareness Pros Are Part Time

75% of Security Awareness Pros Are Part Time

The 2019 Security Awareness Report published by SANS Security Awareness, a division of SANS Institute, found that across many organizations, there is an increased emphasis on the need for awareness and training programs.

According to the report, more than 75% of those who are currently responsible for security awareness and training are spending less than half of their time on employee education programs. 

“The implication is that awareness is simply mounted on to their other job requirements. This is the largest single factor limiting the growth and maturity of programs,” the report said.

Though awareness professionals often bring more dynamic skills to their technical roles, the lack of candidates who possess the much needed soft skills of communication and marketing hinders the organization’s ability to build a program that truly engages employees.

Among the nearly 1,600 respondents who participated in the study, those who reported having programs that are effectively changing employee behavior have at least two full-time employees dedicated to awareness and training. 

“While there is a general tendency to isolate individual employees as the cause of security related issues, the data within the report demonstrates that addressing an organization’s human cyber risk is best handled by making consistent systemic training investments. This report examines the most effective steps to address them, enabling you to benchmark your awareness program against your peers and other organizations,” the report said. 

The report did find that the number of organizations with no program at all has decreased over the last two years, falling from 7.6% to 4.3% and indicating a slow but steady shift toward success.

“I’m absolutely thrilled about the release of the 2019 Security Awareness Report,” says SANS security awareness director Lance Spitzner. “Every year we are able to gain a better understanding of the most common challenges awareness professionals face and how to best address them, and after five years we are beginning to identify key trends.”

93% of Orgs Worry About Cloud Security

93% of Orgs Worry About Cloud Security

Two reports published independently of each other found that the majority of organizations are moderately to extremely concerned about the state of cloud security.

In Guardians of the Cloud, the 2019 cloud report published annually by Bitglass, researchers found that 93% of organizations are at least moderately concerned about their ability to use the cloud securely. The same number of respondents in the 2019 Cloud Security Report from Synopsys said that they were either moderately or extremely concerned about cloud security.

According to Guardians of the Cloud, 75% of organizations leverage multiple cloud solutions, while a mere 20% actually have visibility over cross-app anomalous behavior. Additionally, only 20% of participating organizations said that they use cloud data loss prevention (DLP), despite storing highly sensitive information in the cloud, including customer and employee data and intellectual property. Not surprisingly, malware is the most concerning data leakage vector.

The majority (67%) of companies said they believe cloud apps are either as secure as or more secure than on-premises apps. Two of the most popular cloud security capabilities among respondents are access control (52%) and anti-malware (46%). 

“Data is now being stored in more cloud apps and accessed by more devices than ever before,” said Rich Campagna, chief marketing officer of Bitglass, in today’s press release. “This report found that...the adoption rates of basic cloud security tools and practices are still far too low. Many organizations need to rethink their approach to protecting data, as traditional tools for safeguarding data on premises are not capable of protecting data in the cloud.”

Synopsys’ latest cloud security report likewise found that organizations have a wide range of cloud security concerns. Most notable, organizations are worried about data loss and leakage (64%) and data privacy and confidentiality (62%).

For 43% of organizations, monitoring new vulnerabilities in cloud services is one of the most challenging aspects of cloud compliance. 

“As workloads continue to move to the cloud, cybersecurity professionals are realizing the complications of protecting these workloads. The top two security headaches SOCs are struggling with are compliance (34%) and lack of visibility into infrastructure security (33%). Setting consistent security policies across cloud and on-premises environments (31%) and the continuing lack of qualified security staff (31%) are tied for third place,” the report said. 

New Malware Samples Resemble StrongPity

New Malware Samples Resemble StrongPity

Researchers have said with high confidence that the publicly reported adversary dubbed StrongPity has been engaged in an unreported and ongoing malware campaign, according to research from AT&T Alien Labs

Threat actors are using the new malware and infrastructure to control compromised machines and deploying malicious versions of the WinBox router management software, WinRAR, as well as other trusted software to compromise their targets, researchers said. 

“StrongPity was first publicly reported on in October 2016 with details on attacks against users in Belgium and Italy in mid-2016. In this campaign, StrongPity used watering holes to deliver malicious versions of WinRAR and TrueCrypt file encryption software,” researchers wrote in a blog post

StrongPity was reported on again in 2017 and 2018. New samples that strongly resembled the work of StrongPity were again identified in early July 2019. 

These most recent samples of the malware have been, as of yet, unreported but mirror those created and deployed to targets following a toolset rebuild that came after public reporting of the malware during the fourth quarter of 2018, researchers said. 

“The malicious version of the software installs StrongPity malware without any obvious signs to the victim, and then operates as if it were a standard unaltered version of the trusted software.”

While researchers were unable to identify specific details about how the malicious installers are delivered, they noted, “It is likely that methods previously documented by the previous reports of StrongPity, such as regional download redirecting from ISPs, is still occurring. Based on the type of software used as the installer (WinRAR, WinBox, IDM, etc.), the type of targets may continue to be technically-oriented, again similar to past reports.”

Cybersecurity In Mid-2019: Nothing To See Here, Same Problems

The need for cybersecurity measures has been viewed as an issue, however, many companies have problems with countermeasures, as proven by our many years of coverage of cybersecurity news here at hackercombat.com. Due to insufficient security investment and security personnel shortage, the risks in conducting business in today’s technology-driven economy. We at hackercombat.com defines cybersecurity as the act of protecting information data from cyber attacks such as computer intrusion, virus infection, information leakage, data alteration, and destruction. The most common threats against firms include targeted attack, malware infiltration and lack of security personnel.

A targeted attack is one of the cyber attack methods. It is conducted aiming at the information in a specific organization such as a company and will steal various information regardless of the method. As an example, after collecting information on employees who belong to you, you may be spoofed by employees of affiliated companies, etc.

Three Foundations of a secure enterprise:

  1. Enforce security measures including not only the company but also supply partners such as business partners and system management.
  2. Appropriate communication with related parties such as information disclosure related to cybersecurity risks and measures to combat them.
  3. Recognize cybersecurity risks and take appropriate leadership in allocating resources, etc.

It is necessary for companies to take appropriate measures, such as whether they have bases overseas, along with the strengthening of domestic and foreign laws and regulations and security measures. In the case of the European Union-enforced GDPR (General Data Protection Regulation), for example, all global companies that provide Web services for domestic and foreign users, and handle IP addresses and cookies (data sent from the browser to the server according to the past user behavior), Even if you do not have branch offices overseas, if you do not respond according to the GDPR, you may be subject to disposal and compensation.

It is essential to work on strengthening cybersecurity measures throughout the entire organization. And for implementation, securing security personnel is one of the important items. Lack of security personnel and human resource development have become major issues in cybersecurity measures. In addition to hiring outside personnel, implementing human resources development in-house as a measure is the first step in cybersecurity measures. When it comes to cybersecurity measures, there is a tendency for security enhancement of systems and electronic devices to precede.

On the other hand, many of the security damage is triggered by human factors, and we must be aware that employee literacy may lead to security vulnerabilities. Conversely, if you raise security awareness and enable all employees to respond appropriately, you can effectively strengthen corporate cybersecurity. In order to improve employee security literacy, it is necessary to improve IT literacy and to hold regular training sessions on the latest cyber-attack methods and countermeasures. The important thing is that each and every employee has an active role in security measures. Along with the progress of digitization, cybersecurity measures have been taken for granted. In addition to proactive measures, when an incident such as an information leak occurs, the employees involved must immediately make a sure decision and create a system that does not aggravate the damage.

On the other hand, IT and security fields are very diverse, so it is difficult to decide how much literacy should be acquired, and it is necessary to have a training system to learn appropriately. In such cases, it is recommended to outsource cybersecurity training to a specialized school. By asking for a specialized training period, you can efficiently improve security skills using a structured IT and security curriculum. In addition, there is also the merit that it is possible to carry out education and training without having to spend the work hours of senior employees by requesting training to the outside.

Also Read,

What’s New With Separ Malware Family in 2019

Why We Need the Antivirus Software Even in 2019

A Brief Look At The Shade Ransomware (2019 variant)

The post Cybersecurity In Mid-2019: Nothing To See Here, Same Problems appeared first on .

NIST Mapping


Mapping PCI DSS v. 3.2.1 to the NIST Cybersecurity Framework v. 1.1  

How meeting PCI DSS requirements can help toward achieving Framework outcomes for payment environments.  On the blog, we cover basic questions about the newly released Mapping of PCI DSS to the NIST Cybersecurity Framework (NCF)with PCI SSC Chief Technology Officer Troy Leach. 

Binary Review: Rachio WiFi Smart Sprinkler

This is a personal review of the Rachio WiFi Smart Sprinkler controller. I was so impressed by what it did for my watering and my water bill I felt I had to write a review about it. A month ago my 10 year old, standard sprinker controler started to malfunction. It wouldn’t start properly, the […]

The post Binary Review: Rachio WiFi Smart Sprinkler appeared first on Security In Five.

New Azure Marketplace Pay-As-You-Go Billing for Trend Micro Deep Security as a Service

Cloud adoption continues to rise as organizations reduce their data center footprint, look to cloud native technologies to improve their application design and output, and strive to improve scalability and management of resources and systems.

In a recent survey conducted by analyst firm ESG, 87% of respondents indicated that they currently run production applications and workloads on a public cloud infrastructure-as-a-service platform. However only 10% of respondents run more than half of their workloads in the cloud.  This means that while cloud adoption is on the rise, businesses are still heavily vested in on-premises and hybrid-cloud environments.

With all this change comes the task of understanding how best to secure new cloud technologies and environments, while maintaining protection for traditional server platforms against threats and risks which present both technical and cost challenges.

So, what options does your business have to tackle this?

Trend Micro is excited to announce pay-as-you-go billing with its leading cloud solution, Deep Security as a Service (DSaaS) on the Microsoft Azure Marketplace. As a launch partner for pay-as-you-go billing at Microsoft’s Inspire 2019 conference, Trend Micro’s offering enables organizations to combine the benefits of security software-as-a-service (SaaS) with the convenience of usage-based metered pricing and consolidated cloud billing.

“Providing Trend Micro’s Deep Security as a Service offering through Azure Marketplace gives customers more ways to enable, automate, and orchestrate cloud security,” said Jeana Jorgensen, GM, Cloud and AI for Microsoft. “Customers can pay for only what they use with Trend Micro’s flexible, metered pricing or negotiate more a more traditional enterprise agreement using private offers while enjoying a consolidated bill for software and cloud infrastructure.”

Trend Micro Deep Security as a Service is purpose built to deliver a multi-layered automated approach to protect hybrid cloud workloads and container environments against known and unknown threats. Deep Security’s capabilities include network controls such as a host firewall and Intrusion Prevention/Detection (IPS) to shield servers and web applications from vulnerabilities and exploits. Deep Security also has system security capabilities such as log inspection, application control to detect and lockdown unauthorized executables, and real-time integrity monitoring to alert the security team of any suspicious or unexpected changes to registry values, registry keys, services, processes, installed software, ports, or files.

Additionally, Deep Security provides this same complete protection for your containers, with real-time malware protection, container vulnerability shielding, full traffic inspection for both North-South and East-West traffic between containers, as well as network and system controls, extending protection to the container and Kubernetes platforms. This also helps to meet compliance obligations across major regulations and industry guidelines, like PCI DSS, HIPAA, NIST, GDPR and more from within one trusted security solution.

Microsoft’s new Azure Marketplace offerings and billing methods allow IT and developers a means to quickly identify what software-as-a-service offerings they need and pay only for what is consumed with no additional costs. This makes purchasing easy for customers, with one transaction and a single invoice helping to remove friction across budget planning, capacity, and scaling.

“Our priority is to make cloud security as effortless as possible, which starts by meeting IT users and developers where they are and then offering comfortable usage and pricing options,” said Sanjay Mehta, SVP, Business Development & Strategic Alliances at Trend Micro. “Trend Micro is proud to continue our close relationship with Microsoft Azure as one of its top global security partners. Being part of their consumption-based billing launch for SaaS offerings helps customers looking to secure workloads and containers through their Azure instances.”

Trend Micro’s Deep Security as a Service will provide Microsoft Azure customers a fully hosted security management experience, starting at only $0.01 per workload per hour.

Learn more visit https://www.trendmicro.com/azure/

 

 

The post New Azure Marketplace Pay-As-You-Go Billing for Trend Micro Deep Security as a Service appeared first on .

How to recover from a cyber attack

One in three UK organisations fell victim to a cyber attack in 2018, costing £17.8 billion in total.

Your first – obviously valid – thought might be that we all need to get better at preventing security incidents, but it’s not the whole story.

Cyber attacks are so widespread, and criminals’ tactics so varied, that it’s impossible to prevent breaches altogether. That organisations invest the majority of their resources into preventing attacks is the reason attacks are so costly.

The damages would be a lot less expensive if organisations prepared for the inevitability of cyber attacks and implemented an incident response plan to help them respond to and recover from incidents quickly and effectively.

What is an incident response plan?

An incident response plan is a document that outlines the steps an organisation must take following a cyber security incident.

What goes in an incident response plan?

Incident response plans can help organisations identify vulnerabilities in their networks and processes, mitigate the effects of a variety of situations and limit the damage caused by security incidents.

They also help organisations:

  • Spot when a security incident has occurred;
  • Assess the immediate damage;
  • Identify who needs to be made aware of the situation; and
  • Document the steps towards recovery.

Incident response in action

Let’s take a look at a real-life example of an organisation using an incident response plan to recover from a cyber attack.

On 19 March 2019, the aluminium producer Norsk Hydro’s systems were infected with ransomware, but instead of acquiescing to the criminals’ demands, the organisation turned to its incident response procedure.

Norsk wiped its systems and restored clean versions from backups, knowing that its cyber insurance policy would help cover the costs.

Meanwhile, employees from across the organisation were drafted in to ensure operations continued.

The incident cost Norsk about £60 million, but given the organisation’s moral stand against paying a ransom (an approach every organisation should take), it was an exemplary recovery effort.

See also:

Despite having to shut down 40 networks and 22,000 computers, Norsk was able to continue operating, all the while garnering praise from security experts and knowing that profits will bounce back in the coming months.

Let’s compare that to an organisation that had no idea what to do when it suffered a major disruption.

Response efforts found wanting at British Airways

In May 2017, British Airways was reportedly hit by a power surge that shut down its IT systems and caused the airline to ground all its flights for 48 hours. (This is a separate incident to the one that led to the recently announced £183 million fine.)

The airline struggled to respond to the disruption, with one passenger telling the Guardian that the response “felt very improvised, and not very successful at all. It was honestly the angriest place I’ve ever been […] No one knew what was going on, which is why everyone was so miserable.”

Other passengers struggled to contact the airline to reclaim their baggage, while those in Heathrow Airport at the time were told to leave without the bags and collect them later.

Hundreds of people stood around waiting for guidance. Many missed their flights over the coming days – not necessarily because of cancellations but because the airline’s online and in-terminal check-in systems were down. This caused massive queues as staff had to handle huge numbers of requests at check-in desks.

Given British Airways’s reliance on technology, an incident response plan was essential. It would have helped the airline identify the main problems and find suitable solutions.

Don’t have time to create an incident response plan?

If you suffer a data breach before you’ve had time to implement an incident response plan, don’t panic. Our cyber security incident response service provides you with the expert help you need.

With years of cyber security experience, our consultants know how to tackle any type of security incident. They’ll help you identify the source of the compromise, guide you through the response effort and ensure that you return to business as usual.

Find out more >>

The post How to recover from a cyber attack appeared first on IT Governance Blog.

Hackers are breaking into the enterprise through content collaboration platforms CCPs

Estimated reading time: 4 minutes

Globally, as enterprises gather and integrate optimum avenues to secure their information technology infrastructure from cyber threats, somehow, hackers are still managing to find a way to break-in. Cybersecurity vigilance has driven business stakeholders to secure core networks with the latest and best-in-breed anti-virus and malware detection capabilities. Since this initiative, hackers are now changing routes to trespass, penetrate and annihilate businesses – one such channel being content collaboration platforms (CCPs).

Today’s corporations are heavily dependent on CCPs coming from popular brands like Box, Dropbox, Google, etc. to gratify a variety of enterprise needs. But before we discuss what these needs are, here is a glance at important statistics on CCPs.

  • About 33% of Millenials prefer to work in companies that promote collaborative workspaces
  • Nearly 83% of the workforce globally is dependent on technology to collaborate
  • Roughly 85% of employees that leverage on collaborative management tools perceive themselves as happy at their workplace
  • The content collaboration market will be around a US$ 45 billion industry by the end of 2019

The numbers provide satisfactory evidence about the success and adoption of CCPs in the enterprise. However, why did they become so popular with the corporate workforce?

Effective Communication

CCPs have facilitated a channel for internal customers to easily share their ideas with colleagues. This location-agnostic development is helping enterprise workforce to be in-sync about a plethora of business elements, globally. Before CCPs emails were the go-to source for internal communication, however, it didn’t turn out that well because of factors such as loss of documents, excessive to-and-fro, decentralization, etc.

Improved Project Management

Enterprises have hundreds of projects-in-process at any given point in time. Managing one or two projects is easy, but to manage a large number of projects simultaneously is not an easy task. Furthermore, when the task force chosen to execute projects is spread out globally, project management software becomes a must.

Strengthening the Workflow of Teams That Function on the Agile Model

The use of CCPs has drastically optimized the performance of Agile teams facilitating better remote working possibilities, improved scheduling, and quick talent identification.

Increasing the Speed of Work

CCPs are helping in saving a lot of time for teams which in-turn permits them to focus on other important things, increasing the speed of work, consistency, and performance.

Employee Satisfaction

We live in a surging trend of remote working in today’s day. Employees have time and again chosen remote working as a preferred choice over working from an office location. Managing remote employees was a daunting challenge, now resolved due to effective CCPs. Enterprises are seeing a spike in their approval ratings through employee satisfaction surveys, courtesy CCPs.

With such a strong employee sentiment towards CCPs, they are here to stay and grow year-after-year. This brings us to an important point about the possible ways in which CCPs can become a soft target for malware attacks.

CCPs are an ideal target to execute the dreaded ‘cyber kill chain.’ With hundreds of users leveraging collaboration platforms, all hackers need is that one user for spreading a harmful malware in enterprise systems – they can easily do so through phishing techniques such as social engineering with nothing to stop them.

Some of the best-guarded companies in the world also have an IT policy that suggests that users need to practice safety while dealing with enterprise data. Unfortunately, this not always the case. Employees are bound to make mistakes even if made unintentionally. The result – employees end up clicking on that one infected file that can disable the entire enterprise.

CCPs (unlike emails) are not under the control of an organization’s IT department. History is full of examples wherein files coming from emails were responsible to crash entire networks. So, if a channel as well-guarded as company email can get infected, CCPs become extremely soft targets for hackers to spread malware. Moreover, malware coming into an enterprise through CCPs can further cripple IT systems.

Typically, what hackers are doing is attempting to gain access to an employee’s home computer. Currently, social engineering messages act as bait for employees to click on malicious files. These files enter from the home computer into the enterprise network and move into a cloud-hosted collaboration platform. Once, even a single file gets contaminated, employees interacting with these files transform into carriers of malware that may cripple the entire enterprise. What’s worst is that such attacks may take days to be identified.

An add-on to this problem is how employees use CCPs to share files. In the event of a breach, documents that are being shared either internally or externally containing highly-sensitive business data can be viewed by a hacker with the simplest of web tools. This also applies to user workflows of attaching weak passwords to business applications. Businesses all over the world need to make rigid policies around employee workflows. If not, cybercriminals all over the world will continue to breach enterprises and gain access to highly-sensitive data.

Companies that provide CCPs themselves claim that the only line of defense that they employ to counter cyberattacks are anti-viruses and that’s not enough. What companies need to do is integrate enterprise-grade cyber defense solutions like Seqrite Endpoint Security (EPS) for comprehensive security across various endpoints.

Some good-to-follow tips for enterprises dealing with CCPs in general include –

  • Uploading a file in the company server instead of CCP for a more advanced scan
  • Ensuring that the file is checked automatically every time an employee saves a change on it
  • Allowing IT departments to reclaim ownership on enterprise data

 

The post Hackers are breaking into the enterprise through content collaboration platforms CCPs appeared first on Seqrite Blog.

Is Network Security Complexity Holding You Back?

At its most fundamental level, the objective of network security is a simple one. Organizations need to protect their people, assets, and the data that travels across and resides within their networks. They do this by setting security policies that detail parameters like who or what is allowed to access which resources.

Over time, even small organizations can accumulate large libraries of security policies across a variety of different security products. The old processes used to create, update and audit these policies become a burden for the IT team and cause a number of problems for the organization.

Research firm Enterprise Strategy Group (ESG) recently surveyed 200 IT and cybersecurity decision-makers to understand their views on network security complexity and its consequences. They examine some of the top challenges facing these organizations today in their new report “Navigating Network Security Complexity.”

It’s not just your imagination. Security is getting more complex.

Unsurprisingly, a majority (83%) of respondents felt that network security has gotten more complicated in the last two years. There are many reasons for this, but the top responses included:

  1. More devices deployed on the network
  2. More traffic on the network
  3. The operations team managing more networking and security technologies

Taken together, these responses paint the picture of a growing attack surface and increasing workload for teams responsible for protecting organizations’ critical assets.

Challenges on the horizon

What are the biggest network security challenges facing organizations in the next few years? According to the survey, they are:

  1. Business initiatives being adopted without the proper security involvement
  2. A lack of dedicated network security staff
  3. It takes too long to manage network security policies

Businesses are innovating at a record pace, and they aren’t waiting for the security team. Hiring staff continues to be challenging, and outdated processes are compounding the issue.

Brace for impact: outages, disruption and data breaches

Nearly a third (29%) of organizations said they experienced a security event resulting from network security complexity. The most common incidents included network outages, application or network availability, loss of sensitive data, and lost productivity. Given the critical nature of these risks, it’s clear that network security management needs to be addressed when assessing an organization’s risk management strategy.

Recommendations: technology integration, automation, simplification

ESG offers three headline recommendations for CISOs dealing with network security complexity today. First, look for solutions that are integrated and centrally managed when possible. Next, seek out solutions that emphasize ease-of-use and time-to-value. Finally, organizations should strive for process automation and use technology to accomplish this.

Whether you’re directly involved in managing your organization’s security policies or not, you’re likely experiencing negative effects of the drain that these manual tasks can have on an IT department. It’s time to prioritize making security policy management more efficient, consistent and effective. Reading the full research report is a great place to get started.

Simplify network security management with Cisco Defense Orchestrator

At Cisco, we’re working hard to help our customers streamline their security operations. Cisco Defense Orchestrator is a cloud-based security policy and device manager that uses automation to eliminate complexity. Manage consistent security policies across Cisco ASA, FTD and Meraki MX devices, and reduce time spent on security management tasks by up to 90%. Visit the Cisco Defense Orchestrator webpage to learn more and sign up for a free trial.

Ransomware Attack Disrupts Some Services at Onondaga County Libraries

A crypto-ransomware attack has disrupted some services at all library locations across Onondaga County in New York State. On 16 July, the Onondaga County Public Library system published a tweet in which it explained that many of its public services were unavailable. 07/16/19 UPDATE: Library services continue to be unavailable. We apologize for the frustration, […]… Read More

The post Ransomware Attack Disrupts Some Services at Onondaga County Libraries appeared first on The State of Security.

CEOs’ Cyber Ignorance Costing Firms Dear

CEOs’ Cyber Ignorance Costing Firms Dear

A lack of CEO awareness and engagement with cybersecurity could be placing their organizations at unnecessary risk of attack, according to new findings from RedSeal.

The security vendor polled over 500 IT professionals in the UK to better understand the cyber-risks posed by business leaders.

Over half (54%) said they don’t believe their CEO follows correct security procedure and in so doing is potentially exposing their organization to compromise. Over a third (38%) weren’t sure what technology their CEO used at home, with the majority (95%) claiming to be concerned that home smart devices could be hacked.

Over one in 10 (11%) respondents claimed that CEO or senior managers’ actions had put corporate security at risk, and three-quarters (75%) argued that their CEOs should pay more attention to cybersecurity in the future.

However, poor security policies and processes also seem to be to blame: 14% of UK CEOs still haven’t had any security training, while only 29% of respondents said they provide a daily cyber-report to their boss. A quarter (26%) said they only report major breaches to the CEO, perpetuating disengagement from cyber-related issues at the highest level.

In reality, cyber matters to CEOs as breaches could have a major impact on the bottom line and corporate reputation. Following a major incident, a third of respondents said they lost customers, 34% said it damaged reputation and over a fifth (23%) lost revenue.

“CEOs have wide access to their organization’s network resources, the authority to look into most areas, and frequently see themselves as exempt from the inconvenient rules applied to others. This makes them ideal targets,” argued RedSeal CTO, Mike Lloyd.

“The internet is a dangerous place where new security threats can evolve and rapidly mutate. Perfect defense is illusory; in a complex and interdependent world, some attacks are bound to succeed. Organizations must look to a strategy of resilience. They’ll survive only by planning in advance for how the inevitable successful attacks will be handled.”

UK Government Staff Lost 500+ Devices Last Year

UK Government Staff Lost 500+ Devices Last Year

UK government workers have lost over 500 mobile devices and laptops over the past year, with just a small percentage ever recovered, according to new research from MobileIron.

The security vendor issued Freedom of Information (FOI) requests to nine government departments, all but one of which replied.

It found that public sector employees managed to lose 508 mobiles and laptops between January 2018 and April 2019.

It’s unclear whether these devices were password protected and/or if the data on them was encrypted, or if they had a remote wipe functionality to protect sensitive information. However, attackers could theoretically gain access to sensitive accounts if a device gets into the wrong hands without proper security controls in place.

“As the amount of business data that flows across devices, apps, networks, and cloud services continues to increase, it is essential that organizations have the right security protocols in place to minimize risk and prevent unauthorized access to sensitive data if a device is lost or stolen. Even one lost or stolen device provides a goldmine of readily accessible and highly critical data to potential fraudsters and hackers,” argued MobileIron UK and Ireland regional director, David Critchley.

The answer is to implement a zero-trust model, whereby users are forced to authenticate at all times, he said.

“This approach validates the device, establishes user context, checks app authorization, verifies the network, and detects and remediates threats before granting secure access to a device or user,” he added. “The zero-trust model allows organisations, including government departments, to significantly reduce risk by giving them complete control over their business data – even on lost or stolen devices.”

It’s not just the government that has been found wanting regarding the loss of devices. Last year, an FOI request revealed that the BBC had reported over 170 lost or stolen devices over the previous two years.

UK’s NCSC Hails Another Successful Year of Cyber Defense

UK’s NCSC Hails Another Successful Year of Cyber Defense

The UK’s National Cyber Security Centre (NCSC) has dismantled tens of thousands of phishing campaigns and fraudulent websites over the past year as its Active Cyber Defence (ACD) program continues to lead by example globally.

In an update on Tuesday, the GCHQ off-shoot revealed a successful second year for the initiative.

It dismantled over 22,000 phishing campaigns hosted in UK IP space, linked to over 142,000 attacks, and removed more than 14,000 phishing sites, as part of an overall takedown of over 192,000 fraudulent sites – most (64%) of which were offline within 24 hours.

The NCSC also pointed to a 100-fold increase in the number of web checks run, with a total of 111, 853 advisories issued to public sector users. This comes on top of a Protective DNS service which now prevents 1.4m public sector employees from visiting malicious sites, DMARC to prevent email attacks, and other initiatives designed to bolster the security of the UK’s internet space and set an example for other governments.

“By taking down phishing and malware attacks when we see them in UK IP space, regardless of the brand abused, we intend to make the UK a more difficult place to host these attacks. While in and of itself this doesn’t affect the global attacks against the UK, we hope to lead by example,” the report claimed.

“If we can show that a relatively simple set of actions can make a delegated IP space a harder place to host badness, we can get on our high horse and try to get other responsible countries and entities to do similar things. Coordinated action would make hosting badness globally much harder and therefore increase the cost of launching these attacks in the first place and reduce the return on investment.”

The NCSC is not stopping there: it’s working with Action Fraud to produce a new automated fraud reporting system for the public; developing an Internet Weather Centre to provide insight into the digital landscape of the UK; and producing a vulnerability scanning tool for CNI and public sector providers.

Anti-Debugging Techniques from a Complex Visual Basic Packer

One of the latest trends for the attackers is to leverage the ISO files to avoid detection, the technique has also been used in a recent Hawkeye campaign.

Introduction

As we described in our previous post, one of the latest trends for the attackers is to leverage the ISO files in order to reduce detection chances. This technique has also been used by a recent Hawkeye spreading campaign.

“Hawkeye Keylogger” is an info-stealing malware for sale in the dark-web. Anyone can  easily subscribe to the malware service by paying a fee. It has been in continuous development at least since 2013  and the malware authors behind Hawkeye have improved the malware service adding new capabilities and techniques. It can collect credentials from various applications, mostly email clients, web browser and FTP clients, and send them to the crooks via various protocols such as FTP, HTTP, and SMTP.

So, our Cybaze-Yoroi ZLAB decided to take a look at this recent Hawkeye attack, tacking its anti-analysis protection and the anti-debugging techniques enforced by the Visual Basic packer used by the crooks.

Technical Analysis

The delivered file is an ISO image. Inside of it, there is a bat file, but actually is a well formed PE file. So, we can extract the “bat” file and replace its extension in “exe”.

Figure 1: Fake .bat file inside the ISO archive
Hash32951a56e3fcd8f5b006c0b64ec694ddf722eba71e2093f7ee90f57856941f3d
ThreatHawkey Spyware
Brief DescriptionHawkey Spyware inside a Visual Basic Packer
Ssdeep12288:GVwYvwrMkE9LfRUXkpW7zGidwY/rwxOp8mH:COrI9zRUJfGCfzw0

Table 1: Information about the PE file inside the ISO image

The ISO file has low AV detection rate, but only by extracting the executable from  the ISO image, the rate raises:

Figure 2: AV Detection of the ISO compressed file (left) and of the extracted file (right)

The PE file is packed with a Visual Basic 5.0 stub. It has the duty to protect the core of the malware and complicate the analysis:

Figure 3: Visual Basic packer evidence

As seen above, the malware is written in Visual Basic 5.0. So it is possible to decompile the malware through the use of the ad-hoc decompilers.

Figure 4: Visual Basic code decompilation in P-Code

The decompiled code has been translated in P-Code and it is quite obfuscated in the same way. The only solution to obtain more information about the infection mechanisms is to debug the program.

The first trick to complicate the analysis is to dynamically create a new memory section where inject some code, through the use of the “VirtualAlloc” function. The malware decodes some a piece of code, and choose a random new virtual address space to alloc memory, in this case “0x00260000” loaded into the EAX register.

Figure 5: Memory allocation through the VirtualAlloc API

The GetTickCount Anti-Debug Technique

After the context switch inside the new allocated area, the malware adopts the well known “GetTickCount()” anti-debug technique. According to the MSDN documentation, GetTickCount retrieves the number of milliseconds that have elapsed since the system was started, up to 49.7 days. This API call is used by the malicious actors to retrieve the time of the execution of the process, and if it is higher than a preset threshold, the malware terminates its execution:

Figure 6: GetTickCount routine a new address space

The first malicious action of the created address space is the invoking of the GetTickCount API and the result is:

Figure 7: GetTickCount result in EAX register

The result of the GetTickCount function is stored in EAX register. After doing some other decrypting operations, the malware invokes it another time.

Figure 8: GetTickCount subtraction anti-debug trick

After the second invocation of GetTickCount, there is immediately the subtraction of the two values and it is placed in EAX register. The next instruction is a comparison between the EAX register and a preset threshold value, “0x5DC”, which is 1500 in decimal representation. According to the Microsoft documentation, the resolution of the GetTickCount function is 10ms, thus we can deduce that the decided threshold by the cyber criminal is 15 seconds. After understood the trick, it quite easy to bypass and go on to analyze the sample.

Figure 9: ShellExecute routine to run the payload

The malware allocates another memory space to write an entire file with the MZ header and it is opened through the “ShellExecute” API function. Dumping the process in this moment, another piece of code hidden in a resource, which did not exist before the anti-debug trick, emerges:

Figure 10: Resource comparison between the original exe and the self-modified exe

As shown in the above figure, the original file (on the left) presents as resources only the icons and the manifest, instead the self-manipulated file presents a resource called “RCData” with a resource named “__”. It is the encrypted final payload.

Figure 11: Malicious resource retrieving routine

In order to protect itself and to make more difficult the analysis, the malware respawns itself through the “CreateProcessInternalW” API call:

Figure 12: Execution routine of the final payload

Now the real payload is ready to be self-decrypted with a custom internal routine. 

Figure 13: Decoding routine of the final payload

After the decryption routine, the malware copies this new code into another piece of memory through the “memcpy” function. Moreover, in order to validate the correct extraction of the payload, the malware checks if the first two bytes of the memory spare are “0x5A4D” which is “MZ” in ASCII code.

Figure 14: Validation check of the correct decoding of the final payload

Dumping the file, the real payload is unveiled.

The Payload

The extracted payload is a PE file compiled in .NET C# language with the following static information:

Hasha3aa6e220591f05f4e2ecc4f4741ac6b6715ebb2b5c42c2b7bb52142c54be30b
ThreatHawkey Spyware
Brief DescriptionHawkey Spyware obfuscated payload
Ssdeep6144:HuXT5iKKhhSHCMA2g22fB1YbcLetS7iz+K3hk:OXtxc/r1fXrwgil3h

Table 2: Static information about the final payload

The payload sample is obfuscated with the .NET Reactor tool, but the cleared version can be easily restored:

Figure 15: Usage of .NET Reactor obfuscator evidence

Below some static information of the final payload is reported:

Hasha848c84a1306ea7cc4704eced4067db1012c0bf1b9b65f8c04a8379d71464eaa
ThreatHawkey Spyware
Brief DescriptionHawkey Spyware clear payload
Ssdeep6144:37iz+K3hkCAg3JhmkuEFZ+1WjsroyGh0DBabr:Lil3hdhmOF

Table 3: Static information about the cleared version of the final payload

Due to the fact that the payload is written in .NET framework, it is possible to debug the code in order to retrieve all the details of this new sample. The debugging of the sample lets emerge the attribution of the malware, HawkEye.

Figure 16: Recurrent string decryption routine through the usage of Rijndael algorithm

Every sensitive information, string or other information  is encrypted through Rijndael algorithm, as shown in figure 16. Before starting any operation, the malware tries to make a simple evasion trick. It retrievers the username of the victim machine and it compares this one with a series of usernames hardcoded. These usernames are the classical ones adopted by the sandboxes and if one of them is matched, probably the malware is run inside a virtual machine.

Figure 17: Sandbox evasion trick

After the simple check, the info stealer starts to perform its malicious operations. The first malicious operation is the persistence mechanism adopted by the malware:

Figure 18: Persistence mechanism

The persistence is guaranteed through the setting of the classic registry key “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” with the value “C:\Users\Admin\AppData\Roaming\MyApp\MyApp.exe”, having already copied itself in this path. However, it’s important to say that if the malware is launched from the original wrapper, it copies in the “MyApp” path the entire executable, because the payload is executed inside the wrapper process as a thread; instead if only the final payload is executed, only this part is stored. 

Figure 19: Task Manager disabling

A particular auto-protection mechanism adopted by the malware is the disabling the possibility to open the Task Manager process from the user, through the setting of the highlighted registry key in the Figure 19. At this point the malware can start the information stealing routines.

Figure 20: Password retrieving routine from Internet Explorer

The first information retrieved is the password stored inside Internet Explorer through the routine described in the above figure. This is only the starting point: it retrieves all sensitive data and login data from a large list of browsers. A little example is shown in the following figure:

Figure 21: Piece of the browser list harvested by the malware

Below, the complete list:

  • Google Chrome
  • Yandex
  • Comodo Dragon
  • Cool Novo
  • Chromium
  • Torch Browser
  • 7Star
  • Amigo
  • Brave
  • Cent Browser
  • Chedot
  • Coccoc
  • Elements Browser
  • Epic Privacy
  • Kometa
  • Orbitum
  • Sputnik
  • Uran
  • Vivaldi
  • UC Browser
  • Flock Browser

In the same way, the malware looks for other credentials coming from other services, like CoreFTP, FileZilla and JDownloader. The last information stolen by the malware is the registered email accounts on the victim machine. The searched email clients are:

  • Outlook
  • SeaMonkey
  • Postbox
  • Thunderbird

Now, we wanted to deepen the password gathering routine of the malware on the Microsoft Outlook application. So, we created a fake account and we logged on the Microsoft email account software. 

Figure 22: Registry key where it is stored the Microsoft Outlook client user configuration

Themalware retrieves a particular registry key: “HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook”. Inside of it is stored the configuration of the Microsoft Outlook user profile.

Figure 23: Outlook password decryption routine

The method “smethod_50”  in figure 23 shows how is simple to decrypt the password saved in that registry key: it is enough retrieve the array of bytes and use it as parameter, together with the CurrentUser DataProtectionScope,  to the static method provided from the .NET framework, “ProtectedData.Unprotect()”. After that, the harvested information are collected in a list, ready to be sent to the server.

Figure 24: Creation of the list of the gathered accounts

The last action is properly the preparation to send the information to the recipient. As the classic HawkEye malware, the communication protocol designed to transmit the stolen info is SMTP. For this reason the malware needs to use the API provided by the .NET framework in order to  instantiate an SMTP client. Debugging until the right point, the malware configuration are revealed:

Figure 25: SMTP client account configuration

Conclusion 

Hawkeye is nowadays a well known threat. The security firms analyzed in an excellent way the malware and all the infection chain, but this sample, like our latest ones, has the peculiarity to be protected by a complex and evasive packer. 

In the last two posts we saw a tough Delphi packer to analyze, but also this one has some points to analyze that make challenging  the reverse engineering process for the analyst. In the end, we were able to dissect all the malware chain revealing the threat actor exfiltration address.

Further technical details, including IoCs and Yara rules are reported in the analysis published on the Yoroi blog:

https://blog.yoroi.company/research/anti-debugging-techniques-from-a-complex-visual-basic-packer/

Pierluigi Paganini

(SecurityAffairs – anti-debugging, malware)

The post Anti-Debugging Techniques from a Complex Visual Basic Packer appeared first on Security Affairs.

12 dark secrets of cloud security

The promise of cloud computing is irresistible. For pocket change, you can spin up a server. Backups can be created with a click. No more worries about buying hardware or keeping the server closet cool. Just log in and go.

But what you gain in convenience, you lose a little control. And anyone with an ounce of paranoia might start pondering the catch. What’s going on behind the curtain?

(Insider Story)

Security Affairs 2019-07-17 03:53:53

Tesla paid $10,000 a researcher that found a stored cross-site scripting (XSS) vulnerability that could have been exploited to change vehicle information.

The security researcher Sam Curry has earned $10,000 from Tesla after reporting a stored cross-site scripting (XSS) flaw that could have been exploited to obtain vehicle information and potentially modify it.

Curry discovered the issue in the software on his Tesla Model 3. He used the XSS Hunter tool to insert a payload in the “Name Your Vehicle” field in the infotainment system.

The XSS Hunter works by hosting specialized XSS probes which, upon firing, scan the page and send information about the vulnerable page to the XSS Hunter service. 

Curiously Carry discovered the XSS issue months later when he used the mobile app to contact Tesla support after his windshield was cracked by a rock.

He was setting up an appointment when he noticed from the XSS Hunter panel that the flaw was triggered. He discovered that some information about the vehicle was collected from a page of Tesla application that was used to see the vital statistics of the car.

The exposed information included the vehicle’s VIN, speed, temperature, version number, whether it was locked or not, tire pressure, and alerts. The data also included other firmware info such as geofense locations, CAN viewers, and configurations.

“The thing that was very interesting was that live support agents have the capability to send updates out to cars and, most likely, modify configurations of vehicles. My guess was that this application had that functionality based off the different hyperlinks within the DOM,” Curry wrote. “I didn’t attempt this, but it is likely that by incrementing the ID sent to the vitals endpoint, an attacker could pull and modify information about other cars.”

“If I were an attacker attempting to compromise this I’d probably have to submit a few support requests but I’d eventually be able to learn enough about their environment via viewing the DOM and JavaScript to forge a request to do exactly what I’d want to do.” he added.

The researcher reported the flaw to Tesla that acknowledged it and addressed it is only 12 hours. Below the timeline of the flaw:

  • 20 Jun 2019 06:27:30 UTC – Reported
  • 20 Jun 2019 20:35:35 UTC – Triaged, hot fix
  • 11 Jul 2019 16:07:59 UTC – Bounty and resolution

Curry was awarded $10,000 for reporting the flaw to Tesla.

“Looking back, this was a very simple issue but understandably something that could’ve been overlooked or regressed somehow. Although I’m unsure of the exact impact of the vulnerability, it seems to have been substantial and at the very least would’ve allowed an attacker to view live information about vehicles and likely customer information,” Curry concludes.

Pierluigi Paganini

(SecurityAffairs – Tesla, XSS)

The post appeared first on Security Affairs.

Flaw in Iomega, LenovoEMC NAS devices exposes millions of files on the Internet

A vulnerability in legacy Iomega and LenovoEMC network-attached storage (NAS) devices has led to many terabytes of potentially sensitive data being accessible to anyone via the Internet. About Iomega and LenovoEMC Iomega Corporation was acquired in 2008 by EMC. In 2013, Iomega became LenovoEMC – a joint venture between Lenovo and EMC Corporation – and Iomega’s products were rebranded under the new name. Iomega’s and LenovoEMC’s storage products were aimed at small and medium-sized businesses. … More

The post Flaw in Iomega, LenovoEMC NAS devices exposes millions of files on the Internet appeared first on Help Net Security.

Security Affairs 2019-07-17 02:18:54

Threat actors used the Extembro DNS-changer Trojan in an adware campaign to prevent users from accessing security-related websites.

Security experts at Malwarebytes observed an adware campaign that involved the Extembro DNS-changer Trojan to prevent users from accessing websites of security vendors.

“Recently, we uncovered a new DNS-changer called Extenbro that comes with an adware bundler. These DNS-changers block access to security-related sites, so the adware victims can’t download and install security software to get rid of the pests.” reads the post published by Malwarebytes.

The Extenbro Trojan is delivered by a bundler that is tracked by the security firm as Trojan.IStartSurf.

The Extenbro Trojan is used to change the DNS settings, victims can only notice that it adds four DNS servers to the Advanced DNS tab in Windows.

extenbro trojan

To malware gain persistence by creating a randomly-named Scheduled Task that points to a fixed-location folder.

The Extenbro Trojan adds a certificate to the set of Windows Root certificates, it has no “Friendly Name” and experts believe it was registered to abose[at]reddit[dot]com.

The malware also disables IPv6 by changing the registry value DisabledComponents under the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters. Thus, it forces the system to use the new DNS servers.

On top of that, the Trojan makes a change in the Firefox user.js file and configures the browser to use the Windows Certificate Store where its root certificate was added.

The Extenbro Trojan also modifies the Firefox user.js file and sets the security.enterprise_roots.enabled setting to true, in this way it forces Firefox to use the Windows Certificate Store that includes the newly-added root certificate.

The analysis published by Malwarebytes includes the removal instructions.

To restore their DNS settings, users should remove the DNS entries added by the malware from the DNS advanced settings without rebooting the system.

“To get to your security sites, you may need a restart of the browser. Do NOT reboot your system or the DNS servers might be changed for the worse again by the Scheduled Task that belongs to the Trojan. If your existing solution does not pick up on the malware, download  Malwarebytes to your desktop.” concludes the analysis.

To restore Firefox to the initial settings, users should type about:config in the address bar, search for security.enterprise_roots.enabled and change it to the default setting, “False.”

Pierluigi Paganini

(SecurityAffairs – Extembro Trojan, adware)

The post appeared first on Security Affairs.

Turla APT group adds Topinambour Trojan to its arsenal

Kaspersky researchers revealed that since earlier this year, Russia-linked APT group Turla used new variants of the KopiLuwak Trojan in targeted attacks.

Security experts at Kaspersky revealed that the Russia-linked APT group Turla used new variants of the KopiLuwak Trojan in targeted attacks since early 2019.

The Turla APT group (aka SnakeUroburosWaterbugVenomous Bear and KRYPTON) has been active since at least 2007 targeting diplomatic and government organizations and private businesses in the Middle East, Asia, Europe, North and South America and former Soviet bloc nations.

The list of previously known victims is long and includes also the Swiss defense firm RUAG, US Department of State, and the US Central Command.

In the past months, security experts reported the APT group has been updating its arsenal. In May, ESET experts revealed that Turla has been using a sophisticated backdoor, dubbed LightNeuron, to hijack Microsoft Exchange mail servers.

Now Kaspersky published a detailed analysis of a new modular tool dubbed Topinambour (aka Sunchoke – the Jerusalem artichoke). Kaspersky researchers also found .NET and PowerShell versions of the KopiLuwak Trojan that was involved in targeted attacks since the beginning of this year. 

Topinambour is spread via tainted legitimate software installers, the dropper includes a tiny .NET shell that is used to deliver commands to the target machine and deliver other modules via SMB.

“Using this and SMB shares on rented virtual private servers (VPS), the campaign operators spread the next-stage modules using just “net use” and “copy” Windows shell commands. It’s hard to believe, but SMB still works through public networks.” reads the analysis published by Kaspersky.

“These campaign-related VPSs are located in South Africa. Interestingly, their external IP addresses start with “197.168”. Possibly these first two bytes are there to mimic LAN addresses that start with “192.168”

The dropper sample analyzed by the experts is able to deliver the payload to a specific location, gain persistence for the malicious code with a scheduled task that starts every 30 minutes, and drop the original application the dropper tries to mimic. 

The tiny .NET shell dropped on the target system connects the C2 server and fetches the KopiLuwak dropper, that gains persistence and drops a JavaScript file that leads to the final stage Trojan.

Recent operations also involved another .NET Trojan along with the KopiLuwak JavaScript, it was called RocketMan and supports commands to download/upload a file, and to halt the Trojan activity. 

Hackers also used a PowerShell Trojan tracked as MiamiBeach, it differs from the RocketMan Trojan due to its ability to take a screenshot.

“The reason behind the development of KopiLuwak’s PowerShell and .NET analogues may be simply to minimize detection of the well-knownpublicly discussed JavaScript versions.” concludes Kaspersky.

“Using the Windows system registry to store encrypted data that is later used by the malware also seems to be aimed at minimizing detection and reducing the digital footprint on any victim’s computer, where only a tiny starter would be left,”

Pierluigi Paganini

(SecurityAffairs – Turla APT, Topinambour)

The post Turla APT group adds Topinambour Trojan to its arsenal appeared first on Security Affairs.