Daily Archives: May 12, 2020

I, CyBOK – An Introduction to the Cyber Security Body of Knowledge Project

The Cyber Security Body of Knowledge project or CyBOK is a collaborative initiative mobilised in 2017 with an aspiration to “codify the foundational and generally recognized knowledge on Cyber Security.” Version 1.0 of the published output of this consultative exercise was quietly released last year and then more publicly launched in January 2020. Yet, this […]

The post I, CyBOK – An Introduction to the Cyber Security Body of Knowledge Project appeared first on The State of Security.

Cynet Offers IR Specialists Grants up to $1500 for each IR Engagement

Previously, the autonomous breach protection company Cynet announced that it is making its Cynet 360 threat detection and response platform available at no charge for IR (incident response) service providers and consultants. Today Cynet takes another step and announces a $500 grant for Incident Responders for each IR engagement in which Cynet 360 was used, with an additional $1,000 grant if the

CIO Strategy Council director says its new standards needed while legislation ‘catches up’

The CIO Strategy Council published a new National Standard of Canada for third-party access to data last week, news that quickly got buried after Sidewalk Labs announced it was pulling the plug on its smart city project in Toronto.

And while the rest of the country argues over whether or not the project’s demise is good or bad for the country, the absence of such standards during the early planning stages of the project becomes increasingly evident in retrospect, according to Keith Jansa, executive director of the CIO Strategy Council.

“This is where standards become a very effective tool, because you have a consensus built across diverse interest groups, and you have that dialogue on a national level that effectively provides a high level of assurance that these minimum requirements benefit the businesses and individuals,” Jansa said.

A quick look at Waterfront Toronto’s initial request for proposal reveals next to zero mention of third-party access to people’s data or a set of standards interested applicants would have to adhere to. Meanwhile, Sidewalk Labs’ attempts to quell fears among the public when it came to protecting people’s information came in the form of an urban data trust, a concept that was eventually scrapped after pushback from privacy experts.

And while the project likely collapsed due to a number of reasons – Dan Doctoroff, Sidewalk Labs’ chief executive officer, published a blog post citing “unprecedented economic uncertainty” from the COVID-19 pandemic as the primary reason – a set of standards, such as the ones published by the CIO Strategy Council, could have helped Waterfront Toronto and Sidewalk Labs reach consensus on a number of items, including third-party access to data, much faster, Jansa explained.

“Whether you’re a public or private company, the government, a not-for-profit, the scope of these standards can be applied across all industries and across all the organizations,” he said, noting these guidelines help those organizations establish a strong baseline to combat the rising number of cyber and privacy threats.

The two standards that are currently published are around the ethical design and use of automated decision systems and third-party access to data. Another standard focusing on the data protection of digital assets was submitted to the Standards Council of Canada for approval as a National Standard of Canada on May 8, indicated Jansa on Twitter. The latest standard about third-party access to data is a 10-page document covering organizational and risk management, as well as control access and confidentiality. It got the attention of Navdeep Bains, Minister of Innovation, Science and Industry, who praised the new standard in a recent statement.

Several more are planned, including standards offering organizations guidance around de-identification. It’s unclear when, if at all, these standards will eventually be reflected in future legislation or amendments to current ones, but Jansa mentioned how the standards help support Canada’s 10-principle Digital Charter. The Charter is a series of proposals that would bring federal privacy private sector legislation — the Personal Information Protection and Electronic Documents Act (PIPEDA) — close to the European Union’s General Data Protection Regulation.

“These standards serve as an effective mechanism as regulation and legislation catch up,” Jansa said.

The government has confirmed that it wants the Digital Charter to apply to all federal legislation and regulations. However, PIPEDA, the Competition Act, the Canada Anti-Spam Legislation (CASL) and possibly the Competition Act would have to be changed.

Jansa encourages anyone interested in participating in the development of these standards to contact him. The standards are formed with the help of technical committees featuring more than 100 stakeholders and experts spanning government, industry, academia and civil society groups, according to Jansa, who reinforced the notion that these standards can’t be built without a diverse group of participants engaged in the process.

“Any stakeholder can engage in the process. There’s no fee to participate,” he said.

 

Correction: A previous version of this article said the data protection of digital assets standard was submitted to the National Standards of Canada. However, the standard was submitted to the Standards Council of Canada for approval as a National Standard of Canada. IT World apologizes for the error.

Microsoft Patch Tuesday, May 2020 Edition

Microsoft today issued software updates to plug at least 111 security holes in Windows and Windows-based programs. None of the vulnerabilities were labeled as being publicly exploited or detailed prior to today, but as always if you’re running Windows on any of your machines it’s time once again to prepare to get your patches on.

May marks the third month in a row that Microsoft has pushed out fixes for more than 110 security flaws in its operating system and related software. At least 16 of the bugs are labeled “Critical,” meaning ne’er-do-wells can exploit them to install malware or seize remote control over vulnerable systems with little or no help from users.

But focusing solely on Microsoft’s severity ratings may obscure the seriousness of the flaws being addressed this month. Todd Schell, senior product manager at security vendor Ivanti, notes that if one looks at the “exploitability assessment” tied to each patch — i.e., how likely Microsoft considers each can and will be exploited for nefarious purposes — it makes sense to pay just as much attention to the vulnerabilities Microsoft has labeled with the lesser severity rating of “Important.”

Virtually all of the non-critical flaws in this month’s batch earned Microsoft’s “Important” rating.

“What is interesting and often overlooked is seven of the ten [fixes] at higher risk of exploit are only rated as Important,” Schell said. “It is not uncommon to look to the critical vulnerabilities as the most concerning, but many of the vulnerabilities that end up being exploited are rated as Important vs Critical.”

For example, Satnam Narang from Tenable notes that two remote code execution flaws in Microsoft Color Management (CVE-2020-1117) and Windows Media Foundation (CVE-2020-1126) could be exploited by tricking a user into opening a malicious email attachment or visiting a website that contains code designed to exploit the vulnerabilities. However, Microsoft rates these vulnerabilities as “Exploitation Less Likely,” according to their Exploitability Index.

In contrast, three elevation of privilege vulnerabilities that received a rating of “Exploitation More Likely” were also patched, Narang notes. These include a pair of “Important” flaws in Win32k (CVE-2020-1054, CVE-2020-1143) and one in the Windows Graphics Component (CVE-2020-1135). Elevation of Privilege vulnerabilities are used by attackers once they’ve managed to gain access to a system in order to execute code on their target systems with elevated privileges. There are at least 56 of these types of fixes in the May release.

Schell says if your organization’s plan for prioritizing the deployment of this month’s patches stops at vendor severity or even CVSS scores above a certain level you may want to reassess your metrics.

“Look to other risk metrics like Publicly Disclosed, Exploited (obviously), and Exploitability Assessment (Microsoft specific) to expand your prioritization process,” he advised.
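An added example, not from Krebs’s article or any vendor, that applies Schell’s advice in code: a small Python triage routine that ranks patches by the Exploited and Publicly Disclosed flags and the Exploitability Index before vendor severity, run over the five CVEs named above. The severity of the two RCE flaws (CVE-2020-1117, CVE-2020-1126) is not stated on this page and is assumed to be Critical here for illustration.

```python
"""Patch triage that weighs Microsoft's Exploitability Index ahead of vendor severity."""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Patch:
    cve: str
    component: str
    severity: str            # Microsoft severity: Critical / Important / Moderate / Low
    exploitability: str      # Microsoft Exploitability Index wording
    exploited: bool = False  # "Exploited" flag from the Security Update Guide
    disclosed: bool = False  # "Publicly Disclosed" flag


# Lower number = more urgent. Unknown wording falls back to the least urgent bucket.
EXPLOITABILITY_RANK = {
    "Exploitation Detected": 0,
    "Exploitation More Likely": 1,
    "Exploitation Less Likely": 2,
    "Exploitation Unlikely": 3,
}
SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}


def risk_key(p: Patch):
    """Sort key: known exploitation, then public disclosure, then the
    Exploitability Index, then vendor severity, then CVE id for a stable order."""
    return (
        0 if p.exploited else 1,
        0 if p.disclosed else 1,
        EXPLOITABILITY_RANK.get(p.exploitability, len(EXPLOITABILITY_RANK)),
        SEVERITY_RANK.get(p.severity, len(SEVERITY_RANK)),
        p.cve,
    )


def prioritize(patches: Iterable[Patch]) -> List[Patch]:
    """Deployment order that follows the risk metrics Schell recommends."""
    return sorted(patches, key=risk_key)


def severity_only(patches: Iterable[Patch]) -> List[Patch]:
    """The naive ordering the article warns about: vendor severity alone."""
    return sorted(patches, key=lambda p: (SEVERITY_RANK.get(p.severity, len(SEVERITY_RANK)), p.cve))


def moved_up(patches: Iterable[Patch]) -> List[str]:
    """CVEs that rank higher under risk_key than under severity alone,
    i.e. the 'Important' fixes a severity-only plan would under-prioritise."""
    items = list(patches)
    sev = [p.cve for p in severity_only(items)]
    risk = [p.cve for p in prioritize(items)]
    return [c for c in risk if risk.index(c) < sev.index(c)]


# Constructed sample from the five CVEs the article names. Exploitability ratings
# and the "Important" severities are as stated in the article; the Critical
# severity of the two RCE flaws is assumed here for illustration.
MAY_2020_SAMPLE = [
    Patch("CVE-2020-1117", "Microsoft Color Management", "Critical", "Exploitation Less Likely"),
    Patch("CVE-2020-1126", "Windows Media Foundation", "Critical", "Exploitation Less Likely"),
    Patch("CVE-2020-1054", "Win32k", "Important", "Exploitation More Likely"),
    Patch("CVE-2020-1143", "Win32k", "Important", "Exploitation More Likely"),
    Patch("CVE-2020-1135", "Windows Graphics Component", "Important", "Exploitation More Likely"),
]


if __name__ == "__main__":
    print("severity only:", [p.cve for p in severity_only(MAY_2020_SAMPLE)])
    print("risk ordered: ", [p.cve for p in prioritize(MAY_2020_SAMPLE)])
    print("moved up:     ", moved_up(MAY_2020_SAMPLE))
```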

As it usually does each month on Patch Tuesday, Adobe also has issued updates for some of its products. An update for Adobe Acrobat and Reader covers two dozen critical and important vulnerabilities. There are no security fixes for Adobe’s Flash Player in this month’s release.

Just a friendly reminder that while many of the vulnerabilities fixed in today’s Microsoft patch batch affect Windows 7 operating systems — including all three of the zero-day flaws — this OS is no longer being supported with security updates (unless you’re an enterprise taking advantage of Microsoft’s paid extended security updates program, which is available to Windows 7 Professional and Windows 7 enterprise users).

If you rely on Windows 7 for day-to-day use, it’s time to think about upgrading to something newer. That something might be a PC with Windows 10. Or maybe you have always wanted that shiny MacOS computer.

If cost is a primary motivator and the user you have in mind doesn’t do much with the system other than browsing the Web, perhaps a Chromebook or an older machine with a recent version of Linux is the answer (Ubuntu may be easiest for non-Linux natives). Whichever system you choose, it’s important to pick one that fits the owner’s needs and provides security updates on an ongoing basis.

Keep in mind that while staying up-to-date on Windows patches is a must, it’s important to make sure you’re updating only after you’ve backed up your important data and files. A reliable backup means you’re not losing your mind when the odd buggy patch causes problems booting the system.

So back up your files before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips. Also, keep an eye on the AskWoody blog from Woody Leonhard, who keeps a reliable lookout for buggy Microsoft updates each month.

Further reading:

SANS Internet Storm Center breakdown by vulnerability and severity

Microsoft’s Security Update catalog

BleepingComputer on May 2020 Patch Tuesday

Cyber News Rundown: HMRC Takes Down COVID-19 Scam Sites


Adult Website Leaks Trove of Sensitive Data

A recently discovered unsecured database belonging to the adult streaming site Cam4 was found to contain nearly 11 billion unique records amounting to seven terabytes of data. For a site with billions of visitors each year, the exposed data could affect millions who have visited the site since March 16 of this year, and could be used to further harm individuals whose connection to the site could be politically or socially sensitive. While the database was quickly taken offline, an analysis of the data showed that, though much of it belonged to U.S. citizens, millions of other records were from South America and Europe.

Hundreds of COVID-19 Scam Sites Taken Down by HMRC

Her Majesty’s Revenue & Customs (HMRC) has recently taken down nearly 300 COVID-related scam sites and domains. Hackers are opportunistic and have taken to preying on people trying to get information on the current pandemic, who instead find themselves victims of financial scams and phishing attempts. Fortunately, many organizations have taken up the cause of identifying and removing these harmful sites.

Nearly One Million WordPress Sites Under Attack

At least 24,000 unique IP addresses have been identified in a series of ongoing attacks targeting vulnerabilities in more than 900,000 WordPress sites. Many vulnerabilities have been patched in recent months, but some sites have yet to update their plugins and remain at risk. The attacks inject malicious scripts into website headers when the WordPress user is logged in. Otherwise, the victim is redirected to another malicious advertisement, in hopes of gaining some profitable information.

Tokopedia Breach Leaves 91 Million User Records Up for Grabs

Over 91 million user records belonging to Tokopedia, a major Indonesian e-commerce firm, were recently found for sale on the dark web. The sale offered records for 15 million individuals, likely stolen during a security incident in March, for $5,000. With millions of users and merchants using the site regularly, the company has issued a notice for users to change passwords as it investigates the breach.

Ransomware Demanding More as Corporations Continue to Payout

In recent fiscal quarters, the earnings for Sodinokibi and Ryuk ransomware have been rising steadily as SMBs and corporations are increasingly paying ransoms for data. Over the first quarter of 2020, the average ransom payout hovered around $111,000; a year prior, the average was only about $12,000. Large companies are typically very willing to pay for the quick return of their data, limiting the amount of downtime an attack may cause. The top earning ransomware variants, Ryuk and Sodinokibi, have both shifted their focus from service providers to carefully targeted large corporations and have even pushed ransom demands over $1 million in some instances.

The post Cyber News Rundown: HMRC Takes Down COVID-19 Scam Sites appeared first on Webroot Blog.

VERT Threat Alert: May 2020 Patch Tuesday Analysis

Today’s VERT Alert addresses Microsoft’s May 2020 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-884 on Wednesday, May 13th.

In-The-Wild & Disclosed CVEs

None of the vulnerabilities resolved this month have been publicly disclosed or exploited according to Microsoft.

CVE Breakdown by Tag

While historical Microsoft Security […]

The post VERT Threat Alert: May 2020 Patch Tuesday Analysis appeared first on The State of Security.

Balsillie, Trecroce, Padelford added to Digital Transformation Week lineup

Three more heavy hitters in the tech industry with extensive experience in digital transformation have joined the lineup for ITWC’s Digital Transformation Week Conference in mid-July. Jim Balsillie, a former Chairman and co-CEO of Research In Motion (BlackBerry), will offer a keynote address on July 16, the closing day of the four-day virtual conference. Loren…

Veracode’s Leslie Bois, Robin Montague, and Lisa Quinby Earn Recognition on CRN 2020 Women of the Channel List

Leslie Bois, Veracode’s Vice President of Global Channels and Alliances, Robin Montague, Veracode's National Partner Director, and Lisa Quinby, Veracode’s Director of Global Field and Channel Marketing, have been recognized on the esteemed CRN 2020 Women of the Channel list. The annual list recognizes a select group of high-achieving women for their contributions to channel advocacy, growth, thought leadership, and dedication to the IT channel.

Leslie Bois is responsible for global indirect channel sales growth. She develops and executes Veracode's global strategy to build a strong partner network that plays a significant role in the company's go-to-market efforts. Bois works cross-functionally to align all aspects of the business to support channel partners to grow their businesses with Veracode's leading application security solutions. A 15-year channel veteran in the software and IT industry, Leslie built her career developing highly successful partner organizations by building world-class channel teams, partner programs, and partner enablement.

This year, Bois led the transition to our channel-first initiative, which has helped us better enable partners to bring the Veracode platform to market. Driving new business through our partners has created new opportunities in markets in North America, Europe, the Middle East, Asia Pacific, and Latin America.

Aside from being selected for the CRN 2020 Women of the Channel list, Leslie Bois has also been named to CRN’s Most Powerful Women of the Channel 2020: Power 100 list. The Power 100 list is comprised of standout individuals selected from the annual CRN Women of the Channel list.

“I’m honored to be recognized on the CRN 2020 Women of the Channel list and Power 100 list,” said Bois. “I am confident we are the best application security provider in the world for channel partners to align with, and our SaaS-based platform means our partners have the ability to immediately get started with helping their customers address software security.”

Robin Montague is responsible for collaborating with our largest national partner to set and execute a joint strategy to drive incremental revenue. This involves coordinating efforts between our channel, partner, executive, sales, marketing, legal, finance, practice areas, and technical teams to cross-educate and build strong relationships.

Over the past year, Montague launched "Software Assurance," an offering that helps our customers eliminate risk and remove roadblocks to faster innovation and larger revenues. As the offering was developed, she collaborated with Veracode leaders and departments to not only advance Veracode's award-winning application security solutions but to marry them with the strength of our partner's world-class AppSec expertise and to expand our footprint in the market. The result was a much stronger awareness within Veracode of the value that a Channel partner can bring to our sales and innovation environment.

“It’s a wonderful honor to be recognized on the CRN 2020 Women of the Channel list for the third year in a row,” said Montague. “Increasing Channel utilization through the development of innovative partner services is key for me.”

Lisa Quinby is in charge of driving Veracode’s global channel and field marketing strategy. She oversees a team of regional marketing professionals to promote marketing programs through high-touch, integrated marketing campaigns and account-based marketing to help meet sales objectives, including programs for, through, and with partners.

This year, Quinby supported the growth of our channel business by refining the onboarding process, developing our channel sales and marketing toolkits, and developing relationships with partners in EMEA, LATAM, and APJ. Under Quinby’s leadership, we’ve seen more engagement from our partners across the globe, including a continued increase in opportunities brought forward by partners.

“I am thrilled to be recognized on the CRN 2020 Women of the Channel list,” said Quinby. “I hope to continue refining the onboarding process and developing marketing relationships with our global partners.”

This prestigious list honors channel leaders who are paving the way for future generations with their innovative ideas and achievements. These women come from all areas of the IT ecosystem and are dedicated to the partner community.

“CRN’s 2020 Women of the Channel list recognizes an accomplished group of influential women leaders whose strategic vision and unique achievements accelerate channel growth through cultivated partnerships, innovative thought leadership, and unwavering dedication to the IT channel,” said Bob Skelley, CEO of The Channel Company. “We are proud to honor them for their accomplishments and contributions to driving channel success.”

The full list of CRN 2020 Women of the Channel can be found on www.CRN.com/WOTC.

Visit here to find out more about partnering with Veracode.

McAfee Recognized on CRN’s 2020 Women of the Channel

Every year CRN recognizes the women who are leading the channel and their unique strengths, vision, and achievements. This prestigious, annual list acknowledges channel leaders who are blazing a trail for future generations. These women are from all areas of the IT ecosystem, including technology vendors, distributors, solution providers, and other IT organizations.

This year, we’re proud to recognize the six outstanding individuals who have been selected by CRN to be part of the 2020 Women of the Channel (WOTC) list. Each is recognized for her outstanding leadership, vision and unique role in driving channel growth and innovation.

If that weren’t exciting enough, we’re thrilled to share that Chari Rhoades received the honor of being named to CRN’s WOTC Power 100 List. The Power 100 List is a subset of the 900+ women recognized and highlights the women who are leading their organization from a variety of backgrounds and experiences. See below to learn more about each McAfee honoree.

Chari Rhoades – Director, Channel Operations and Distribution – Americas

Chari Rhoades joined McAfee in 2013 and currently leads two teams. One team focuses on the growth and development of our distribution partners. The second team is responsible for the enablement and communications to the Americas’ partners. In 2019, Chari led her distribution team to focus on executing the plan to ensure new business growth via targeted campaigns, enablement activities and leveraging key distribution services resulting in a material contribution to bookings for the channel. Chari contributed to the development and launch of the McAfee Channel Promise that defines who the channel is to McAfee and its internal teams while articulating the value of the channel. She also led the development of an internal training to ensure McAfee’s own sellers understand the channel and how to engage the channel for mutual success.

Kristin Carnes – Director, Global Channel Programs and Operations

Kristin Carnes joined McAfee through the acquisition of Skyhigh Networks. As Director of Global Channel Programs and Operations she supports a robust partner community that represents sales for more than 90% of the McAfee Enterprise business. In 2019, she accelerated McAfee’s investment in the PRM platform which gives partners a more comprehensive, simple view of their business with McAfee. In addition, she launched a new rebate program that provides predictability and greater earning potential for partners.

Gabriela Ferado – Manager, Channel Sales

Gabriela Ferado has been with McAfee for eight years and started as a sales rep with the Latin America team before joining the Channel team, where she has learned, grown, and found a passion for helping partners be a multiplying force for the company. As a former teacher, sharing knowledge and enabling others is an integral part of what she does and thrives on. In 2019, as part of the Cloud Service Provider team, she extended McAfee’s channel efforts to Latin America, which helped our teams understand the CSPs as another route to market.

Judy Kent – Director, Global Channel Programs and Communications

Judy Kent joined McAfee through the acquisition of Skyhigh Networks bringing more than 25 years of channel marketing and sales experience. In her role leading the global partner incentive programs she has driven new business revenue through the channel and has trained thousands of partners in a pre-sales technical enablement global webinar series. In addition, in January 2020, she successfully launched a new 13 language McAfee Partner Portal. She was previously recognized on CRN’s list of Women in the Channel in 2015 and 2016, and was recognized on CRN’s list of Channel Chiefs in 2016 and 2018.

Sheri Leach – Senior Distribution Account Manager

Sheri Leach has more than 25 years of experience working with distribution partners and has spent the last 14 years growing Ingram Micro with their McAfee business. In 2019, Sheri played a key role in working with Ingram Micro and delivering a Business Intelligence program that helped achieve net new logos which was one of McAfee’s 2019 initiatives. In addition, she played an integral role in developing operational excellence and automation within Ingram Micro when McAfee implemented their CPQ enhancement. She was also tightly aligned with Ingram Micro’s marketing team on the creation of a “no touch” McAfee sales program via demand generation and product attachment. Finally, Sheri helped facilitate a creative finance program between Ingram Micro and McAfee to bring in deals that would not have been possible before.

Natalie Tomlin – Director, Channel Sales Cloud and Service Providers

Natalie Tomlin is a McAfee veteran who joined when the company was known as Network Associates more than 20 years ago. She has held roles in sales and channel sales and has been a Channel Director for the past four years. In 2019, Natalie developed strong business relationships with the top Cloud Service Providers as they helped their customers on their journey to the cloud as a de facto security provider, facilitated discussions for operational efficiencies so McAfee can transact with the CSPs in both public and gov cloud, and brought in incremental revenue from the channel.

This recognition is special and underscores the work that we’ve done as an organization to hire diverse talent, implement a return to workplace initiative to assist people who have paused their careers, and achieve gender pay parity across the company.

Please join me in congratulating these six outstanding women who are at the core of the McAfee Channel program. Their leadership and execution have been paramount to our success and will continue to help lead us onwards.

The post McAfee Recognized on CRN’s 2020 Women of the Channel appeared first on McAfee Blogs.

The KonMari Method: Sparking Joy with a Tidy Security Closet

Japanese decluttering expert Marie Kondo has taken the world by storm with her book, “The Life-Changing Magic of Tidying Up”. The KonMari Method is a decluttering and organizing system that promises improvements in every aspect of your life. Marie Kondo meticulously goes through every item one by one to understand which items really “spark joy.” If something doesn’t spark joy, she recommends thanking it and letting it go.

It seems this underlying philosophy could be relevant to security. Think about this for a minute. Security organizations are grappling with anywhere from five to 50+ different security vendors. It is getting increasingly difficult to empower security teams to make decisions based on complete and actionable insights.

Imagine if we could “tidy up” security using the KonMari method.

Complexity is the worst enemy of security

Security expert Bruce Schneier summed it up best when he said, “Complexity is the worst enemy of security.” Your teams are constantly undertaking ambitious projects to take the next exponential leap. And they have continued to onboard products from best-of-breed vendors to meet their evolving security needs. We have fallen into the trap of bolting on more and more security technologies. Over 30% of survey respondents in ESG’s 2020 Integrated Platform Report stated that their organization uses more than 50 different security products, while 60% said they use more than 25. This constant onboarding of new technology has led to a massive proliferation of siloed data sets and a lack of accountability from vendors. It is becoming increasingly difficult to enable a unified front-end experience for your team to collaborate effectively, which causes gaps in your security ecosystem. We’ve increased the level of complexity to the point where your teams are spending the majority of their time finding the needle in the haystack while the legitimate threats are left unattended. The siloed technologies fail to connect the dots and improve the fidelity of your alerts.

How does one deal with the increasing noise and the cacophony of alerts?

We need a new security paradigm; one that simplifies the way you secure your business so you can confidently pursue key initiatives such as digital transformation. The bottom line is that the simpler we can make our security platforms, the more secure you will be.

According to Marisa Chancellor, senior director of the Security & Trust Organization at Cisco, “If we can reduce the vendor footprint and have a more integrated architecture, that helps us significantly. I would rather have more automation on the back-end through an integrated architecture than having to slap something on top of it and write some new scripts to bring it all together.”

Isn’t it time to rewrite the rules?

At Cisco, we’re doing that with SecureX, an integrated platform approach that changes the way you experience your security environment. We believe that security solutions should learn from one another and respond as a coordinated unit. And, that security should be built in versus bolted on, making it simpler and more effective.

Taming the chaos

Coming back to the KonMari Method, your first step is to imagine your ideal security ecosystem. If you’re serious about tidying in a way that will change your team’s productivity, this step is critical. Visualize how your team members will collaborate with one another. Imagine how you could automate manual tasks. What will a day look like for your incident response teams? What role will analytics play in driving your decisions? These are the sorts of questions to consider before you tackle your cybersecurity tidying. Then, follow the guiding philosophy and evaluate your security choices to support your broader vision. Check out these practical recommendations from ESG analyst, Jon Oltsik, featured in the Cisco ESG Research Insights paper for CISOs:


  1. Commit yourself to tidying up :Assess current challenges across people, process, and technology. Leading platforms should go beyond technology alone, helping organizations increase staff productivity while streamlining operations. CISOs should look for current bottlenecks impacting areas like employee training, MTTD/MTTR, and process automation. This assessment should help produce a list of platform requirements beyond technology integration alone.
  1. Identify the players: Include IT and network operations in RFIs and product evaluations. Remember that security is a collective activity, dependent upon strong communications and collaboration between security and IT/network operations teams. Smart CISOs will work with IT peers to uncover current challenges and then seek solutions in RFIs, product evaluations, and testing/piloting that can be used effectively by both groups.
  1. Plan for the long term: Cybersecurity technology platforms will likely grow organically, integrating more product categories and capabilities over time. Therefore, platform research should go beyond what’s available today. CISOs should press vendors for a 24 to 36-month roadmap. Leading vendors should have comprehensive plans but also be willing to work with customers as new requirements arise. On the enterprise side, CISOs should create metrics so they can assess progress and create programs for continual improvement as they deploy cybersecurity technology platforms more broadly through phases.
  1. Ask your peers if it sparks joy: Reach out to the community. Note to CISOs: You are not alone—just about every other enterprise organization is going through a similar transition. CISOs should seek out guidance from other industry organizations of a similar size. In this way, organizations may be able to work together to press vendors on some industry-specific nuances that can be added to cybersecurity technology platforms over time.

Author: Jon Oltsik


Sparking joy with Cisco SecureX

Many of the aspects discussed above – such as automation, integration, collaboration, and a platform approach to security – are addressed by Cisco SecureX. Just as Marie Kondo advises individuals to evaluate every item and ask whether it sparks joy, organizations should reconsider their technology choices and ask whether they support an integrated, platform approach to security that will simplify and strengthen defenses. A security platform like Cisco SecureX ties together various technologies (including those from third parties) to unify visibility, enable automation, and strengthen security across network, endpoint, cloud, and applications. With Cisco SecureX, you can:

  • Reduce complexity and maximize portfolio benefits by adopting an integrated platform.
  • Create a foundation that allows you to meet the security needs of today and tomorrow.
  • Reveal the true potential of your tools and people by redefining your security experience through collaboration.

Let the tidying up conversations begin in your organization, and may your security stack soon resemble Marie Kondo’s perfectly organized linen closet. Consider products that fit into a platform that harmonizes your security architecture and brings you unparalleled joy. If that is not the case, thank the piece of technology for everything it’s given you, and politely say goodbye.


Learn more about Cisco SecureX and read the detailed ESG Research Insights Paper to find out why organizations should consider a more integrated cybersecurity approach.


The post The KonMari Method: Sparking Joy with a Tidy Security Closet appeared first on Cisco Blogs.

Analyzing Dark Crystal RAT, a C# backdoor

The FireEye Mandiant Threat Intelligence Team helps protect our customers by tracking cyber attackers and the malware they use. The FLARE Team helps augment our threat intelligence by reverse engineering malware samples. Recently, FLARE worked on a new C# variant of Dark Crystal RAT (DCRat) that the threat intel team passed to us. We reviewed open source intelligence and prior work, performed sandbox testing, and reverse engineered the Dark Crystal RAT to review its capabilities and communication protocol. Through publishing this blog post we aim to help defenders look for indicators of compromise and other telltale signs of Dark Crystal RAT, and to assist fellow malware researchers new to .NET malware, or who encounter future variants of this sample.

Discovering Dark Crystal RAT

The threat intel team provided FLARE with an EXE sample, believed to contain Dark Crystal RAT, and having the MD5 hash b478d340a787b85e086cc951d0696cb1. Using sandbox testing, we found that this sample produced two executables, and in turn, one of those two executables produced three more. Figure 1 shows the relationships between the malicious executables discovered via sandbox testing.


Figure 1: The first sample we began analyzing ultimately produced five executables.

Armed with the sandbox results, our next step was to perform a triage analysis on each executable. We found that the original sample and mnb.exe were droppers, that dal.exe was a clean-up utility to delete the dropped files, and that daaca.exe and fsdffc.exe were variants of Plurox, a family with existing reporting. Then we moved to analyzing the final dropped sample, which was dfsds.exe. We found brief public reporting by @James_inthe_box on the same sample, identifying it as DCRat and as a RAT and credential stealer. We also found a public sandbox run that included the same sample. Other public reporting described DCRat, but actually analyzed the daaca.exe Plurox component bundled along with DCRat in the initial sample.

Satisfied that dfsds.exe was a RAT lacking detailed public reporting, we decided to perform a deeper analysis.

Analyzing Dark Crystal RAT

Initial Analysis

Shifting aside from our sandbox for a moment, we performed static analysis on dfsds.exe. We chose to begin static analysis using CFF Explorer, a good tool for opening a PE file and breaking down its sections into a form that is easy to view. Having viewed dfsds.exe in CFF Explorer, as shown in Figure 2, the utility showed us that it is a .NET executable. This meant we could take a much different path to analyzing it than we would on a native C or C++ sample. Techniques we might have otherwise used to start narrowing down a native sample’s functionality, such as looking at what DLLs it imports and what functions from those DLLs that it uses, yielded no useful results for this .NET sample. As shown in Figure 3, dfsds.exe imports only the function _CorExeMain from mscoree.dll. We could have opened dfsds.exe in IDA Pro, but IDA Pro is usually not the most effective way of analyzing .NET samples; in fact, the free version of IDA Pro cannot handle .NET Common Language Infrastructure (CLI) intermediate code.


Figure 2: CFF Explorer shows that dfsds.exe is a .NET executable.


Figure 3: The import table for dfsds.exe is not useful as it contains only one function.

Instead of using a disassembler like IDA Pro on dfsds.exe, we used a .NET decompiler. Luckily for the reverse engineer, decompilers operate at a higher level and often produce a close approximation of the original C# code. dnSpy is a great .NET decompiler. dnSpy’s interface displays a hierarchy of the sample’s namespaces and classes in the Assembly Explorer and shows code for the selected class on the right. Upon opening dfsds.exe, dnSpy told us that the sample’s original name at link time was DCRatBuild.exe, and that its entry point is at <PrivateImplementationDetails>{63E52738-38EE-4EC2-999E-1DC99F74E08C}.Main, shown in Figure 4. When we browsed to the Main method using the Assembly Explorer, we found C#-like code representing that method in Figure 5. Wherever dnSpy displays a call to another method in the code, it is possible to click on the target method name to go to it and view its code. By right-clicking on an identifier in the code, and clicking Analyze in the context menu, we caused dnSpy to look for all occurrences where the identifier is used, similar to using cross-references in IDA Pro.


Figure 4: dnSpy can help us locate the sample's entry point


Figure 5: dnSpy decompiles the Main method into C#-like code

We went to the SchemaServerManager.Main method that is called from the entry point method, and observed that it makes many calls to ExporterServerManager.InstantiateIndexer with different integer arguments, as shown in Figure 6. We browsed to the ExporterServerManager.InstantiateIndexer method, and found that it is structured as a giant switch statement with many goto statements and labels; Figure 7 shows an excerpt. This does not look like typical dnSpy output, as dnSpy often reconstructs a close approximation of the original C# code, albeit with the loss of comments and local variable names. This code structure, combined with the fact that the code refers to the CipherMode.CBC constant, led us to believe that ExporterServerManager.InstantiateIndexer may be a decryption or deobfuscation routine. Therefore, dfsds.exe is likely obfuscated. Luckily, .NET developers often use obfuscation tools that are somewhat reversible through automated means.


Figure 6: SchemaServerManager.Main makes many calls to ExporterServerManager.InstantiateIndexer


Figure 7: ExporterServerManager.InstantiateIndexer looks like it may be a deobfuscation routine

Deobfuscation

De4dot is a .NET deobfuscator that knows how to undo many types of obfuscations. Running de4dot -d (for detect) on dfsds.exe (Figure 8) informed us that .NET Reactor was used to obfuscate it.

> de4dot -d dfsds.exe

de4dot v3.1.41592.3405 Copyright (C) 2011-2015 de4dot@gmail.com
Latest version and source code: https://github.com/0xd4d/de4dot

Detected .NET Reactor (C:\...\dfsds.exe)

Figure 8: dfsds.exe is obfuscated with .NET Reactor

After confirming that de4dot can deobfuscate dfsds.exe, we ran it again to deobfuscate the sample into the file dfsds_deob.exe (Figure 9).

> de4dot -f dfsds.exe -o dfsds_deob.exe

de4dot v3.1.41592.3405 Copyright (C) 2011-2015 de4dot@gmail.com
Latest version and source code: https://github.com/0xd4d/de4dot

Detected .NET Reactor (C:\Users\user\Desktop\intelfirst\dfsds.exe)
Cleaning C:\Users\user\Desktop\intelfirst\dfsds.exe
Renaming all obfuscated symbols
Saving C:\Users\user\Desktop\intelfirst\dfsds_deob.exe

Figure 9: de4dot successfully deobfuscates dfsds.exe

After deobfuscating dfsds.exe, we ran dnSpy again on the resulting dfsds_deob.exe. When we decompiled SchemaServerManager.Main again, the results were much different, as shown in Figure 10. Contrasting the new output with the obfuscated version shown previously in Figure 6, we found the deobfuscated code much more readable. In the deobfuscated version, all the calls to ExporterServerManager.InstantiateIndexer were removed; as suspected, it was apparently a string decoding routine. In contrast, the class names shown in the Assembly Explorer did not change; the obfuscator must have irrecoverably replaced the original class names with meaningless ones obtained from a standard list. Next, we noted that ten lines in Figure 10 hold base64-encoded data. Once the sample was successfully deobfuscated, it was time to move on to extracting its configuration and to follow the sample’s code path to its persistence capabilities and initial beacon.


Figure 10: Deobfuscating dfsds.exe shows that the method begins with some path manipulation and then accesses Base64-encoded data

Configuration, Persistence and Initial Beacon

Recall that in Figure 10 we found that the method SchemaServerManager.Main has a local variable containing Base64-encoded data; decoding that data revealed what it contains. Figure 11 shows the decoded configuration (with C2 endpoint URLs de-fanged):

> echo TUhvc3Q6aHR0cDovL2RvbWFsby5vbmxpbmUva3NlemJseGx2b3Uza2NtYnE4bDdoZjNmNGN5NXhnZW
80dWRsYTkxZHVldTNxYTU0LzQ2a3FianZ5a2x1bnAxejU2dHh6a2hlbjdnamNpM2N5eDhnZ2twdHgy
NWk3NG1vNm15cXB4OWtsdnYzL2FrY2lpMjM5bXl6b24weHdqbHhxbm4zYjM0dyxCSG9zdDpodHRwOi
8vZG9tYWxvLm9ubGluZS9rc2V6Ymx4bHZvdTNrY21icThsN2hmM2Y0Y3k1eGdlbzR1ZGxhOTFkdWV1
M3FhNTQvNDZrcWJqdnlrbHVucDF6NTZ0eHpraGVuN2dqY2kzY3l4OGdna3B0eDI1aTc0bW82bXlxcH
g5a2x2djMvYWtjaWkyMzlteXpvbjB4d2pseHFubjNiMzR3LE1YOkRDUl9NVVRFWC13TGNzOG8xTlZF
VXRYeEo5bjl5ZixUQUc6VU5ERUY= | base64 -d

MHost:hxxp://domalo[.]online/ksezblxlvou3kcmbq8l7hf3f4cy5xgeo4udla91dueu3qa54/
46kqbjvyklunp1z56txzkhen7gjci3cyx8ggkptx25i74mo6myqpx9klvv3/akcii239myzon0xwjl
xqnn3b34w,BHost:hxxp://domalo[.]online/ksezblxlvou3kcmbq8l7hf3f4cy5xgeo4udla91
dueu3qa54/46kqbjvyklunp1z56txzkhen7gjci3cyx8ggkptx25i74mo6myqpx9klvv3/akcii239
myzon0xwjlxqnn3b34w,MX:DCR_MUTEX-wLcs8o1NVEUtXxJ9n9yf,TAG:UNDEF

Figure 11: Decoding the base64 data in SchemaServerManager.Main reveals a configuration string

Figure 11 shows that the data decoded to a configuration string containing four values: MHost, BHost, MX, and TAG. We analyzed the code that parses this string and found that MHost and BHost were used as its main and backup command and control (C2) endpoints. Observe that the MHost and BHost values in Figure 11 are identical, so this sample did not have a backup C2 endpoint.

In dnSpy it is possible to give classes and methods meaningful names just as it is possible to name identifiers in IDA Pro. For example, the method SchemaServerManager.StopCustomer picks the name of a random running process. By right-clicking the StopCustomer identifier and choosing Edit Method, it is possible to change the method name to PickRandomProcessName, as shown in Figure 12.


Figure 12: Assigning meaningful names to methods makes it easier to keep analyzing the program

Continuing to analyze the SchemaServerManager.Main method revealed that the sample persists across reboots. The persistence algorithm can be summarized as follows:

  1. The malware picks the name of a random running process, and then copies itself to %APPDATA% and C:\. For example, if svchost.exe is selected, then the malware copies itself to %APPDATA%\svchost.exe and C:\svchost.exe.
  2. The malware creates a shortcut %APPDATA%\dotNET.lnk pointing to the copy of the malware under %APPDATA%.
  3. The malware creates a shortcut named dotNET.lnk in the logged-on user’s Startup folder pointing to %APPDATA%\dotNET.lnk.
  4. The malware creates a shortcut C:\Sysdll32.lnk pointing to the copy of the malware under C:\.
  5. The malware creates a shortcut named Sysdll32.lnk in the logged-on user’s Startup folder pointing to C:\Sysdll32.lnk.
  6. The malware creates the registry value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\scrss pointing to %APPDATA%\dotNET.lnk.
  7. The malware creates the registry value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Wininit pointing to C:\Sysdll32.lnk.

After its persistence steps, the malware checks for multiple instances of the malware:

  1. The malware sleeps for a random interval between 5 and 7 seconds.
  2. The malware takes the MD5 hash of the still-base64-encoded configuration string, and creates the mutex whose name is the hexadecimal representation of that hash. For this sample, the malware creates the mutex bc2dc004028c4f0303f5e49984983352. If this fails because another instance is running, the malware exits.

The malware then beacons, which also allows it to determine whether to use the main host (MHost) or backup host (BHost). To do so, the malware constructs a beacon URL based on the MHost URL, makes a request to the beacon URL, and then checks to see if the server responds with the HTTP response body “ok.” If the server does not send this response, then the malware unconditionally uses the BHost; this code is shown in Figure 13. Note that since this sample has the same MHost and BHost value (from Figure 11), the malware uses the same C2 endpoint regardless of whether the check succeeds or fails.


Figure 13: The malware makes an HTTP request based on the MHost URL to determine whether to use the MHost or BHost

The full algorithm to obtain the beacon URL is as follows:

  1. Obtain the MHost URL, i.e., hxxp://domalo[.]online/ksezblxlvou3kcmbq8l7hf3f4cy5xgeo4udla91dueu3qa54/46kqbjvyklunp1z56txzkhen7gjci3cyx8ggkptx25i74mo6myqpx9klvv3/akcii239myzon0xwjlxqnn3b34w.
  2. Calculate the SHA1 hash of the full MHost URL, i.e., 56743785cf97084d3a49a8bf0956f2c744a4a3e0.
  3. Remove the last path component from the MHost URL, and then append the SHA1 hash from above followed by .php?data=active. The full beacon URL is therefore hxxp://domalo[.]online/ksezblxlvou3kcmbq8l7hf3f4cy5xgeo4udla91dueu3qa54/46kqbjvyklunp1z56txzkhen7gjci3cyx8ggkptx25i74mo6myqpx9klvv3/56743785cf97084d3a49a8bf0956f2c744a4a3e0.php?data=active.

After beaconing the malware proceeds to send and receive messages with the configured C2.
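The configuration parsing, mutex derivation and beacon-URL construction described above can be turned into a small host-artifact calculator for defenders: given a decoded configuration and a host identity, it produces the mutex name, the beacon URL, the `<hash>.php` message endpoint, and the per-host `<user_hash>`, `<message_hash>` and `<key>` values a hunter would expect to see in logs for that host. This is an added example, not FireEye's code or the RAT's own; it assumes the digest chaining in `MD5(SHA1(MHost))` and `MD5(<message_type> + <user_hash>)` operates on the lower-case hex string of the inner digest (the post does not state the encoding), and it uses the de-fanged configuration string from Figure 11 as constructed input, so the digests it prints will not equal the live sample's indicators unless the real decoded string is supplied.

```python
import base64
import hashlib

# Constructed sample input: the configuration string decoded in Figure 11,
# kept de-fanged (hxxp, [.]). Digests computed from it therefore do NOT equal
# the live sample's mutex or URL hashes; feed the real decoded string to get those.
SAMPLE_CONFIG = (
    "MHost:hxxp://domalo[.]online/ksezblxlvou3kcmbq8l7hf3f4cy5xgeo4udla91dueu3qa54/"
    "46kqbjvyklunp1z56txzkhen7gjci3cyx8ggkptx25i74mo6myqpx9klvv3/akcii239myzon0xwjlxqnn3b34w,"
    "BHost:hxxp://domalo[.]online/ksezblxlvou3kcmbq8l7hf3f4cy5xgeo4udla91dueu3qa54/"
    "46kqbjvyklunp1z56txzkhen7gjci3cyx8ggkptx25i74mo6myqpx9klvv3/akcii239myzon0xwjlxqnn3b34w,"
    "MX:DCR_MUTEX-wLcs8o1NVEUtXxJ9n9yf,TAG:UNDEF"
)
# The sample carries the configuration Base64-encoded; re-encoding the constructed
# string stands in for the literal found in SchemaServerManager.Main.
SAMPLE_CONFIG_B64 = base64.b64encode(SAMPLE_CONFIG.encode("utf-8")).decode("ascii")


def parse_config(config):
    """Split 'MHost:...,BHost:...,MX:...,TAG:...' into a dict; the key is the text before the first ':'."""
    fields = {}
    for item in config.split(","):
        key, _, value = item.partition(":")
        fields[key] = value
    return fields


def mutex_name(config_b64):
    """The mutex name is the hex MD5 of the still-Base64-encoded configuration string."""
    return hashlib.md5(config_b64.encode("ascii")).hexdigest()


def beacon_url(mhost):
    """Drop MHost's last path component, then append SHA1(MHost) + '.php?data=active'."""
    sha1_hex = hashlib.sha1(mhost.encode("utf-8")).hexdigest()
    parent = mhost.rstrip("/").rsplit("/", 1)[0]
    return f"{parent}/{sha1_hex}.php?data=active"


def message_path_hash(mhost):
    """<hash> in format-1 and POST URLs: MD5(SHA1(MHost)). Assumption: the inner
    SHA1 is fed to MD5 as its 40-character hex string, not as raw bytes."""
    sha1_hex = hashlib.sha1(mhost.encode("utf-8")).hexdigest()
    return hashlib.md5(sha1_hex.encode("ascii")).hexdigest()


def user_hash(os_version, machine_name, user_name):
    """<user_hash> = SHA1(OS_version + machine_name + user_name), plain concatenation."""
    return hashlib.sha1((os_version + machine_name + user_name).encode("utf-8")).hexdigest()


def message_hash(message_type, uhash):
    """<message_hash> = MD5(<message_type> + <user_hash>)."""
    return hashlib.md5((message_type + uhash).encode("utf-8")).hexdigest()


def getdata_key(uhash):
    """<key> in __ds_getdata requests = MD5(<user_hash>)."""
    return hashlib.md5(uhash.encode("ascii")).hexdigest()


def expected_artifacts(config_b64, os_version, machine_name, user_name):
    """Everything a hunter can pre-compute for one host from the configuration alone."""
    cfg = parse_config(base64.b64decode(config_b64).decode("utf-8"))
    mhost = cfg["MHost"]
    uhash = user_hash(os_version, machine_name, user_name)
    prefix = f"{mhost.rstrip('/')}/{message_path_hash(mhost)}.php"
    return {
        "mhost": mhost,
        "bhost": cfg["BHost"],
        "has_backup_c2": cfg["BHost"] != mhost,
        "mutex": mutex_name(config_b64),
        "beacon_url": beacon_url(mhost),
        "message_url_prefix": prefix,  # format-1 GETs and POST uploads hit this endpoint
        "user_hash": uhash,
        "comm_poll_url": f"{mhost.rstrip('/')}/{uhash}.comm",  # format-2 tasking poll
        "getdata_key": getdata_key(uhash),
        "message_hashes": {t: message_hash(t, uhash) for t in ("s_comm", "m_comm", "RDK")},
    }


if __name__ == "__main__":
    # Constructed host identity; on a real host these come from .NET System.Environment.
    artifacts = expected_artifacts(SAMPLE_CONFIG_B64, "Microsoft Windows NT 10.0.18362.0", "WIN-ANALYST", "analyst")
    for name, value in artifacts.items():
        print(f"{name}: {value}")
```

Because `<message_hash>` folds in `<user_hash>`, the calculator has to be run once per suspected host; that is exactly why the post notes that a static network signature on the message type is impractical, while the mutex name and the beacon URL depend only on the configuration and can be matched fleet-wide.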

Messages and Capabilities

After performing static analysis of dfsds.exe to determine how it selects the C2 endpoint and confirming the C2 endpoint URL, we shifted to dynamic analysis in order to collect sample C2 traffic and make it easier to understand the code that generates and accepts C2 messages. Luckily for our analysis, the malware continues to generate requests to the C2 endpoint even if the server does not send a valid response. To listen for and intercept requests to the C2 endpoint (domalo[.]online) without allowing the malware Internet access, we used FLARE’s FakeNet-NG tool. Figure 14 shows some of the C2 requests that the malware made being captured by FakeNet-NG.


Figure 14: FakeNet-NG can capture the malware's HTTP requests to the C2 endpoint

By comparing the messages generated by the malware and captured in FakeNet-NG with the malware’s decompiled code, we determined its message format and types. Observe that the last HTTP request visible in Figure 14 contains a list of running processes. By tracing through the decompiled code, we found that the method SchemaServerManager.ObserverWatcher.NewMerchant generated this message. We renamed this method to taskThread and assigned meaningful names to the other methods it calls; the resulting code for this method appears in Figure 15.


Figure 15: The method that generates the list of running processes and sends it to the C2 endpoint

By analyzing the code further, we identified the components of the URLs that the malware used to send data to the C2 endpoint, and how they are constructed.

Beacons

The first type of URL is a beacon, sent only once when the malware starts up. For this sample, the beacon URL was always hxxp://domalo[.]online/ksezblxlvou3kcmbq8l7hf3f4cy5xgeo4udla91dueu3qa54/46kqbjvyklunp1z56txzkhen7gjci3cyx8ggkptx25i74mo6myqpx9klvv3/<hash>.php?data=active, where <hash> is the SHA1 hash of the MHost URL, as described earlier.

GET requests, format 1

When the malware needs to send data to or receive data from the C2, it sends a message. The first type of message, which we denote as “format 1,” is a GET request to URLs of the form hxxp://domalo[.]online/ksezblxlvou3kcmbq8l7hf3f4cy5xgeo4udla91dueu3qa54/46kqbjvyklunp1z56txzkhen7gjci3cyx8ggkptx25i74mo6myqpx9klvv3/akcii239myzon0xwjlxqnn3b34w/<hash>.php? type=__ds_setdata&__ds_setdata_user=<user_hash>&__ds_setdata_ext=<message_hash>&__ds_setdata_data=<message>, where:

  • <hash> is MD5(SHA1(MHost)), which for this sample, is 212bad81b4208a2b412dfca05f1d9fa7.
  • <user_hash> is a unique identifier for the machine on which the malware is running. It is always calculated as SHA1(OS_version + machine_name + user_name) as provided by the .NET System.Environment class.
  • <message_hash> identifies what kind of message the malware is sending to the C2 endpoint. The <message_hash> is calculated as MD5(<message_type> + <user_hash>), where <message_type> is a short keyword identifying the type of message, and <user_hash> is as calculated above.
    • Values for <message_type> exist for each command that the malware supports; for possible values, see the “msgs” variable in the code sample shown in Figure 19.
    • Observe that this makes it difficult to observe the message type visually from log traffic, or to write a static network signature for the message type, since it varies for every machine due to the inclusion of the <user_hash>.
    • One type of message uses the value u instead of a hash for <message_hash>.
  • <message> is the message data, which is not obscured in any way.

The other type of ordinary message is a getdata message. These are GET requests to URLs of the form hxxp://domalo[.]online/ksezblxlvou3kcmbq8l7hf3f4cy5xgeo4udla91dueu3qa54/46kqbjvyklunp1z56txzkhen7gjci3cyx8ggkptx25i74mo6myqpx9klvv3/akcii239myzon0xwjlxqnn3b34w/<hash>.php? type=__ds_getdata&__ds_getdata_user=<user_hash>&__ds_getdata_ext=<message_hash>&__ds_getdata_key=<key>, where:

  • <hash> and <user_hash> are calculated as described above for getdata messages.
  • <message_hash> is also calculated as described above for getdata messages, but describes the type of message the malware is expecting to receive in the server’s response.
  • <key> is MD5(<user_hash>).

The server is expected to respond to a getdata message with an appropriate response for the type of message specified by <message_hash>.

GET requests, format 2

A few types of messages from the malware to the C2 use a different format, which we denote as “format 2.” These messages are GET requests of the form hxxp://domalo[.]online/ksezblxlvou3kcmbq8l7hf3f4cy5xgeo4udla91dueu3qa54/46kqbjvyklunp1z56txzkhen7gjci3cyx8ggkptx25i74mo6myqpx9klvv3/akcii239myzon0xwjlxqnn3b34w/<user_hash>.<message_hash>, where:

  • <user_hash> is calculated as described above for getdata messages.
  • <message_hash> is also calculated as described above for getdata messages, but describes the type of message the malware is expecting to receive in the server’s response. <message_hash> may also be the string comm.

Table 1 shows possible <message_types> that may be incorporated into <message_hash> as part of format 2 messages to instruct the server which type of response is desired. In contrast to format 1 messages, format 2 messages are only used for a handful of <message_type> values.

| <message_type> | Response desired |
| --- | --- |
| s_comm | The server sends a non-empty response if a screenshot request is pending |
| m_comm | The server sends a non-empty response if a microphone request is pending |
| RDK | The server responds directly with keystrokes to replay |
| comm | The server responds directly with other types of tasking |

Table 1: Message types when the malware uses a special message to request tasking from the server

POST requests

When the malware needs to upload large files, it makes a POST request. These POST requests are sent to hxxp://domalo[.]online/ksezblxlvou3kcmbq8l7hf3f4cy5xgeo4udla91dueu3qa54/46kqbjvyklunp1z56txzkhen7gjci3cyx8ggkptx25i74mo6myqpx9klvv3/akcii239myzon0xwjlxqnn3b34w/<hash>.php, with the following parameters in the POST data:

  • name is <user_hash> + "." + <message_type>, where <user_hash> is calculated as described above and <message_type> is the type of data being uploaded.
  • upload is a file with the data being sent to the server.

Table 2 shows possible <message_type> values along with the type of file being uploaded.

| <message_type> | Type of File |
| --- | --- |
| jpg | Screenshot |
| zipstealerlog | Cookie stealer log |
| wav | Microphone recording |
| file | Uploaded file |
| bmp | Webcam image |
| RD.jpg | Remote control screenshot |

Table 2: Message types when files are uploaded to the server
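The beacon, format-1 (setdata and getdata), format-2 and POST upload shapes described above are distinctive enough to classify from proxy or web-server logs without knowing the per-host hashes. The following classifier is an added example for defenders, not FireEye's code: it keys on the structural features the post documents (a `<hash>.php` path with `data=active`, `type=__ds_setdata` / `type=__ds_getdata` parameters, a last path component of the form `<user_hash>.<message_hash>` or `<user_hash>.comm`, and a POST to `<hash>.php`) and runs over a constructed sample log with a placeholder host and placeholder hash values. It tolerates the space after `?` that appears in the captured requests.

```python
import re
from urllib.parse import parse_qs

HEX32 = r"[0-9a-f]{32}"
HEX40 = r"[0-9a-f]{40}"
# <user_hash>.<message_hash> or <user_hash>.comm : format-2 tasking polls
FORMAT2_RE = re.compile(rf"^({HEX40})\.({HEX32}|comm)$")
# <hash>.php : beacon (SHA1 form), format-1 GETs and POST uploads (MD5 form)
PHP_RE = re.compile(rf"^({HEX32}|{HEX40})\.php$")


def classify_request(method, url):
    """Classify one request as DCRat-style traffic. Returns (kind, details) or None."""
    path, _, query = url.partition("?")
    last = path.rstrip("/").rsplit("/", 1)[-1]
    # The captured requests show a space after '?'; strip it so parse_qs keeps key names intact.
    params = {k: v[0] for k, v in parse_qs(query.lstrip(), keep_blank_values=True).items()}
    method = method.upper()
    if method == "POST":
        return ("upload", {"path_hash": last[:-4]}) if PHP_RE.match(last) else None
    if method != "GET":
        return None
    m = FORMAT2_RE.match(last)
    if m:
        return ("format2_poll", {"user_hash": m.group(1), "message_hash": m.group(2)})
    if not PHP_RE.match(last):
        return None
    if params.get("data") == "active":
        return ("beacon", {"path_hash": last[:-4]})
    kind = params.get("type")
    if kind == "__ds_setdata":
        return ("setdata", {"user_hash": params.get("__ds_setdata_user"),
                            "message_hash": params.get("__ds_setdata_ext"),
                            "data": params.get("__ds_setdata_data")})
    if kind == "__ds_getdata":
        return ("getdata", {"user_hash": params.get("__ds_getdata_user"),
                            "message_hash": params.get("__ds_getdata_ext"),
                            "key": params.get("__ds_getdata_key")})
    return None


def scan_proxy_log(lines):
    """Run classify_request over '<timestamp> <client> <method> <url>' lines; return the hits."""
    hits = []
    for line in lines:
        fields = line.split(maxsplit=3)
        if len(fields) != 4:
            continue
        ts, client, method, url = fields
        result = classify_request(method, url)
        if result is not None:
            hits.append((ts, client, result[0], result[1]))
    return hits


# Constructed sample log (placeholder host and hashes; not captured traffic).
C2 = "http://c2.example.invalid/dir1/dir2/dir3"
U, M, H, S, K = "a" * 40, "b" * 32, "c" * 32, "d" * 40, "e" * 32
SAMPLE_LOG = [
    # beacon: last MHost component dropped, SHA1-shaped <hash>.php?data=active
    f"2020-05-12T10:00:01Z 10.0.0.5 GET http://c2.example.invalid/dir1/dir2/{S}.php?data=active",
    f"2020-05-12T10:00:07Z 10.0.0.5 GET {C2}/{H}.php? type=__ds_setdata&__ds_setdata_user={U}&__ds_setdata_ext={M}&__ds_setdata_data=svchost.exe",
    f"2020-05-12T10:00:08Z 10.0.0.5 GET {C2}/{H}.php?type=__ds_getdata&__ds_getdata_user={U}&__ds_getdata_ext={M}&__ds_getdata_key={K}",
    f"2020-05-12T10:00:09Z 10.0.0.5 GET {C2}/{U}.comm",
    f"2020-05-12T10:00:15Z 10.0.0.5 POST {C2}/{H}.php",
    "2020-05-12T10:00:16Z 10.0.0.6 GET http://www.example.invalid/index.php?id=1",
]

if __name__ == "__main__":
    for ts, client, kind, details in scan_proxy_log(SAMPLE_LOG):
        print(ts, client, kind, details)
```

The classifier deliberately matches on shape rather than on the C2 host, so it will also surface DCRat-style traffic to a domain not yet on a block list; the trade-off is that a `<40 hex>.<32 hex>` path component could in principle occur in benign traffic, so treat a hit as a lead to pivot on (same client, a preceding beacon, a following POST) rather than a verdict.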

Capabilities

By analyzing the code that handles the responses to the comm message (format 2), it was possible for us to inventory the malware’s capabilities. Table 3 shows the keywords used in responses along with the description of each capability.

| Keyword | Description |
| --- | --- |
| shell | Execute a shell command |
| deleteall | Recursively delete all files from C:, D:, F:, and G: |
| closecd | Close the CD-ROM drive door |
| setwallpaper | Change the background wallpaper |
| ddos | Send TCP and UDP packets to a given host or IP address |
| logoff | Log off the current user |
| keyboardrecorder | Replay keystrokes as if the user had typed them |
| fm_newfolder | Create a new folder |
| fm_rename | Rename or move a file |
| desktopHide | Hide desktop icons |
| keyloggerstart | Start logging keystrokes |
| exec_cs_code | Compile and execute C# code |
| msgbox | Open a Windows MessageBox |
| fm_upload | Transfer a file from the C2 to the client |
| rdp | Re-spawn the malware running as an administrator |
| fm_zip | Build a ZIP file from a directory tree and transfer it from the client to the C2 |
| webcam | Take a webcam picture |
| fm_unzip | Unzip a ZIP file to a given path on the client |
| keyloggerstop | Stop logging keystrokes |
| fm_drives | Enumerate drive letters |
| cookiestealer | Transfer cookies and browser/FileZilla saved credentials to the C2 |
| fm_delete | Recursively delete a given directory |
| dismon | Hide desktop icons and taskbar |
| fm_uploadu | Transfer a file from the C2 to the client |
| taskstart | Start a process |
| cleardesktop | Rotate screen |
| lcmd | Run shell command and send standard output back to C2 |
| taskbarShow | Show taskbar |
| clipboard | Set clipboard contents |
| cookiestealer_file | Save cookies and credentials to a local file |
| newuserpass | Create a new local user account |
| beep | Beep for set frequency and duration |
| speak | Use speech synthesizer to speak text |
| openchat | Open chat window |
| taskbarHide | Hide the taskbar |
| RDStart | Start remote control over user’s desktop |
| closechat | Close chat window |
| RDStop | Stop remote control over user’s desktop |
| fm_opendir | List directory contents |
| uninstall | Remove the malware from the client |
| taskkill | Kill a process |
| forkbomb | Endlessly spawn instances of cmd.exe |
| fm_get | Transfer a file from the client to the C2 |
| desktopShow | Show desktop icons |
| Clipboardget | Transfer clipboard contents to C2 |
| playaudiourl | Play a sound file |
| opencd | Open the CD-ROM drive door |
| shutdown | Shut down the machine |
| restart | Restart the machine |
| browseurl | Open a web URL in the default browser |

Table 3: Capabilities of DCRat

Proof-of-Concept Dark Crystal RAT Server

After gathering information from Dark Crystal RAT about its capabilities and C2 message format, another way to illustrate the capabilities and test our understanding of the messages was to write a proof-of-concept server. Here is a code snippet that we wrote containing a barebones DCRat server written in Python. Unlike a real RAT server, this one does not have a user interface to allow the attacker to pick and launch commands. Instead, it has a pre-scripted command list that it sends to the RAT.

When the server starts up, it uses the Python BaseHTTPServer to begin listening for incoming web requests (lines 166-174). Incoming POST requests are assumed to hold a file that the RAT is uploading to the server; this server assumes all file uploads are screenshots and saves them to “screen.png” (lines 140-155). For GET requests, the server must distinguish between beacons, ordinary messages, and special messages (lines 123-138). For ordinary messages, __ds_setdata messages are simply printed to standard output, while the only __ds_getdata message type supported is s_comm (screenshot communications), to which the server responds with the desired screenshot dimensions (lines 63-84). For messages of type comm, the server sends four types of commands in sequence: first, it hides the desktop icons; then, it causes the string “Hello this is tech support” to be spoken; next, it displays a message box asking for a password; finally, it launches the Windows Calculator (lines 86-121).

Figure 16 shows the results when Dark Crystal RAT is run on a system that has been configured to redirect all traffic to domalo[.]online to the proof-of-concept server we wrote.


Figure 16: The results when a Dark Crystal RAT instance communicates with the proof-of-concept server

Other Work and Reconnaissance

After reverse engineering Dark Crystal RAT, we continued reconnaissance to see what additional information we could find. One limitation to our analysis was that we did not wish to allow the sample to communicate with the real C2, so we kept it isolated from the Internet. To learn more about Dark Crystal RAT we tried two approaches: the first was to browse the Dark Crystal RAT website (files.dcrat[.]ru) using Tor, and the other was to take a look at YouTube videos of others’ experiments with the “real” Dark Crystal RAT server.

Dark Crystal RAT Website

We found that Dark Crystal RAT has a website at files.dcrat[.]ru, shown in Figure 17. Observe that there are options to download the RAT itself, as well as a few plugins; the DCLIB extension is consistent with the plugin loading code we found in the RAT.


Figure 17: The website files.dcrat[.]ru allows users to download Dark Crystal RAT and some of its plugins

Figure 18 shows some additional plugins, including plugins with the ability to resist running in a virtual machine, disable Windows Defender, and disable webcam lights on certain models. No plugins were bundled with the sample we studied.


Figure 18: Additional plugins listed on the Dark Crystal RAT website

Figure 19 lists software downloads on the RAT page. We took some time to look at these files; here are some interesting things we discovered:

  • The DCRat listed on the website is actually a “builder” that packages a build of the RAT and a configuration for the attacker to deploy. This is consistent with the name DCRatBuild.exe shown back in Figure 4. In our brief testing of the builder, we found that it had a licensing check. We did not pursue bypassing it once we found public YouTube videos of the DCRat builder in operation, as we show later.
  • The DarkCrystalServer is not self-contained, rather, it is just a PHP file that allows the user to supply a username and password, which causes it to download and install the server software. Due to the need to supply credentials and communicate back with dcrat[.]ru (Figure 20), we did not pursue further analysis of DarkCrystalServer.


Figure 19: The RAT page lists software for the RAT, the server, an API, and plugin development


Figure 20: The DarkCrystalServer asks for a username and password and calls back to dcrat[.]ru to download software, so we did not pursue it further

YouTube Videos

As part of confirming our findings about Dark Crystal RAT capabilities that we obtained through reverse engineering, we found some YouTube demonstrations of the DCRat builder and server.

The YouTube user LIKAR has a YouTube demonstration of Dark Crystal RAT. The author demonstrates use of the Dark Crystal RAT software on a server with two active RAT instances. During the video, the author browses through the various screens in the software. This made it easy to envision how a cyber threat would use the RAT, and to confirm our suspicions of how it works.

Figure 21 shows a capture from the video at 3:27. Note that the Dark Crystal RAT builder software refers to the DCRatBuild package as a “server” rather than a client. Nonetheless, observe that one of the options was a type of Java, or C# (Beta). By watching this YouTube video and doing some additional background research, we discovered that Dark Crystal RAT has existed for some time in a Java version. The C# version is relatively new. This explained why we could not find much detailed prior reporting about it.


Figure 21: A YouTube demonstration revealed that Dark Crystal RAT previously existed in a Java version, and the C# version we analyzed is in beta

Figure 22 shows another capture from the video at 6:28. The functionality displayed on the screen lines up nicely with the “msgbox”, “browseurl”, “clipboard”, “speak”, “opencd”, “closecd”, and other capabilities we discovered and enumerated in Table 3.


Figure 22: A YouTube demonstration confirmed many of the Dark Crystal RAT capabilities we found in reverse engineering

Conclusion

In this post we walked through our analysis of the sample that the threat intel team provided to us and all its components. Through our initial triage, we found that its “dfsds.exe” component is Dark Crystal RAT. We found that Dark Crystal RAT was a .NET executable, and reverse engineered it. We extracted the malware’s configuration, and through dynamic analysis discovered the syntax of its C2 communications. We implemented a small proof-of-concept server to test the correct format of commands that can be sent to the malware, and how to interpret its uploaded screenshots. Finally, we took a second look at how actual threat actors would download and use Dark Crystal RAT.

To conclude, indicators of compromise for this version of Dark Crystal RAT (MD5: 047af34af65efd5c6ee38eb7ad100a01) are given in Table 4.

Indicators of Compromise

Dark Crystal RAT (dfsds.exe)

Category | Artifact type | Value
--- | --- | ---
Handle artifacts | Mutex name | bc2dc004028c4f0303f5e49984983352
Registry artifacts | Registry value | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\scrss
Registry artifacts | Registry value | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Wininit
File system artifacts | File | C:\Sysdll32.lnk
File system artifacts | File | %APPDATA%\dotNET.lnk
File system artifacts | File | Start Menu\Programs\Startup\Sysdll32.lnk
File system artifacts | File | Start Menu\Programs\Startup\dotNET.lnk
File system artifacts | File | %APPDATA%\<random process name>.exe
File system artifacts | File | C:\<random process name>.exe
Network artifacts | HTTP request | hxxp://domalo[.]online/ksezblxlvou3kcmbq8l7hf3f4cy5xgeo4udla91dueu3qa54/46kqbjvyklunp1z56txzkhen7gjci3cyx8ggkptx25i74mo6myqpx9klvv3/212bad81b4208a2b412dfca05f1d9fa7.php?data=active
Network artifacts | HTTP request | hxxp://domalo[.]online/ksezblxlvou3kcmbq8l7hf3f4cy5xgeo4udla91dueu3qa54/46kqbjvyklunp1z56txzkhen7gjci3cyx8ggkptx25i74mo6myqpx9klvv3/akcii239myzon0xwjlxqnn3b34w212bad81b4208a2b412dfca05f1d9fa7.php?type=__ds_getdata&__ds_getdata_user=<user_hash>&__ds_getdata_ext=<message_hash>&__ds_getdata_key=<key>
Network artifacts | HTTP request | hxxp://domalo[.]online/ksezblxlvou3kcmbq8l7hf3f4cy5xgeo4udla91dueu3qa54/46kqbjvyklunp1z56txzkhen7gjci3cyx8ggkptx25i74mo6myqpx9klvv3/akcii239myzon0xwjlxqnn3b34w/<user_hash>.<message_hash>
Network artifacts | TCP connection | domalo[.]online:80
Network artifacts | TCP connection | ipinfo[.]ip
Network artifacts | DNS lookup | domalo[.]online
Network artifacts | DNS lookup | ipinfo[.]ip
Strings | Static string | DCRatBuild

Table 4: IoCs for this instance of DCRat
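As an added example that is not part of the FireEye post, the following Python checks a batch of endpoint telemetry against the host and network indicators in Table 4. The event schema is an assumption (loosely modelled on Sysmon registry, file and DNS events), the sample events are constructed, and the C2 domain is written without the defanging brackets so it can be compared with real DNS telemetry.

```python
import re

# Indicators taken from Table 4 of the post (this DCRat build only).
DCRAT_RUN_VALUES = {"scrss", "Wininit"}          # HKCU\...\CurrentVersion\Run value names
DCRAT_LNK_NAMES = {"Sysdll32.lnk", "dotNET.lnk"}  # shortcuts dropped in C:\, %APPDATA% and Startup
# Table 4 also lists ipinfo[.]ip; lookups to IP-info services are common in benign
# software as well, so only the C2 domain is matched here to keep the noise down.
DCRAT_DOMAINS = {"domalo.online"}                 # listed defanged on the page as domalo[.]online
DCRAT_MUTEX = "bc2dc004028c4f0303f5e49984983352"

RUN_VALUE_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)


def match_dcrat_iocs(events):
    """Return (event index, reason) for every event that matches a Table 4 indicator.
    Events are dicts with an EventType plus type-specific fields (assumed schema)."""
    hits = []
    for i, ev in enumerate(events):
        kind = ev.get("EventType")
        if kind == "RegistrySet":
            m = RUN_VALUE_RE.search(ev.get("TargetObject", ""))
            if m and m.group(1) in DCRAT_RUN_VALUES:
                hits.append((i, f"Run value '{m.group(1)}' set"))
        elif kind == "FileCreate":
            name = ev.get("TargetFilename", "").rsplit("\\", 1)[-1]
            if name in DCRAT_LNK_NAMES:
                hits.append((i, f"shortcut {name} created"))
        elif kind == "DnsQuery":
            if ev.get("QueryName", "").lower() in DCRAT_DOMAINS:
                hits.append((i, f"DNS lookup for {ev['QueryName']}"))
        elif kind == "MutexCreate" and ev.get("MutexName") == DCRAT_MUTEX:
            hits.append((i, "DCRat mutex created"))
    return hits


# Constructed sample telemetry (not from the post), with two benign events mixed in.
SAMPLE_EVENTS = [
    {"EventType": "RegistrySet",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\scrss"},
    {"EventType": "RegistrySet",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    {"EventType": "FileCreate",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sysdll32.lnk"},
    {"EventType": "DnsQuery", "QueryName": "domalo.online"},
    {"EventType": "DnsQuery", "QueryName": "example.com"},
    {"EventType": "MutexCreate", "MutexName": "bc2dc004028c4f0303f5e49984983352"},
]

if __name__ == "__main__":
    for idx, reason in match_dcrat_iocs(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```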

FireEye Product Support for Dark Crystal RAT

Table 5 describes how FireEye products react to the initial sample (MD5: b478d340a787b85e086cc951d0696cb1) and its Dark Crystal RAT payload, or in the case of Mandiant Security Validation, allow a stakeholder to validate their own capability to detect Dark Crystal RAT.

FireEye Product | Support for Dark Crystal RAT
--- | ---
FireEye Network Security (NX) | Backdoor.Plurox detection
FireEye Email Security (EX & ETP) | Backdoor.MSIL.DarkCrystal, Backdoor.Plurox, Malware.Binary.exe, Trojan.Vasal.FEC3, Win.Ransomware.Cerber-6267996-1, fe_ml_heuristic detections
FireEye Endpoint Security (HX) | Trojan.GenericKD.32546165, Backdoor.MSIL.DarkCrystal detections
FireEye Malware Analysis (AX) | Backdoor.Plurox.FEC2 detection
FireEye Detection on Demand (DoD) | Backdoor.Plurox.FEC2, FireEye.Malware detections
Mandiant Security Validation | Built-in Action coming soon

Table 5: Support in FireEye products to detect Dark Crystal RAT or validate detection capability

Celebrity Data Stolen in Major Data Breach

A major entertainment and media law firm experienced a massive data breach that may have compromised the data of many celebrities including Bruce Springsteen, Lady Gaga, Madonna, Nicki Minaj, Christina Aguilera, and others.

Grubman Shire Meiselas & Sacks, a New York-based law firm, was hit by a ransomware attack that compromised at least 756 gigabytes of client data, including contracts, non-disclosure agreements, contact information and personal correspondence. The hackers appear to have used REvil, or Sodinokibi, a ransomware strain behind several high-profile cyberattacks on targets including Kenneth Cole, Travelex, and Brooks International.

Whoever is behind the hack has threatened to publish the stolen data in nine installments unless the law firm pays an undisclosed ransom. They have since released documents belonging to Madonna and Christina Aguilera on the dark web to prove they have the goods and are willing to make them public.

Grubman Shire Meiselas & Sacks has yet to issue a statement on the breach. As of May 12, its website is still offline.

The post Celebrity Data Stolen in Major Data Breach appeared first on Adam Levin.

Are you ready for the new FINTRAC rules on identity verification?

Canadian financial institutions must revamp their identity verification procedures by June 1 of this year to comply with new anti-money laundering regulations. The Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) was updated last year to allow regulated businesses to rely on digital identification from customers when they conduct financial transactions. Now, the…

IBM Think 2020: How 5G can benefit satellite networks

The ubiquity of 5G will cover everything from IoT sensors, to smart devices, to cloud communication. But the technology that spawned from 5G development can extend well beyond just global networks. At IBM Think 2020, MIT Professor Muriel Médard spoke about how satellites can also benefit from the development of 5G.


One of 5G's many features is a coding technique called Random Linear Network Coding (RLNC). Médard defined network coding as a "mathematical manipulation of data that to be reliably retrieved, reliably represented and transported in a network".

In essence, RLNC's encoding and decoding techniques let the receiver reconstruct lost packets in a data stream from the coded packets that did arrive. This reduces the need to resend data when packets are lost. It can increase reliability when sending sensitive information like financial data, and it can also be applied to monitoring sensors and vehicles in remote areas.

RLNC’s encoding, transmission, and decoding process. Source: Random Linear Network Coding for 5G Mobile Video Delivery

As a backgrounder, to transmit large quantities of data between two devices, the information must first be cut up and encapsulated into packets. Sending data via small packets provides many benefits, including higher efficiency and increased reliability. If data becomes corrupted or lost during transmission, only the affected packets need to be resent rather than the entire dataset.
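To make the mechanism concrete, here is an added toy implementation (not from the talk or the article) of random linear network coding over GF(2): packets are integers, each coded packet is the XOR of a random subset of the originals and carries its coefficient vector, and the receiver recovers the originals by Gaussian elimination from any set of coded packets whose coefficients span the space, without asking for a retransmission. The demo uses a constructed coefficient set and loss pattern in place of the random draw so that its result is fixed.

```python
def gf2_combine(coeffs, packets):
    """XOR together the packets whose GF(2) coefficient is 1 (packets are ints)."""
    out = 0
    for c, p in zip(coeffs, packets):
        if c:
            out ^= p
    return out


def rlnc_encode(packets, n_coded, rng):
    """Sender side: emit n_coded packets, each a random GF(2) combination of the
    originals (rng is e.g. random.Random(seed)), tagged with its coefficient vector."""
    k = len(packets)
    coded = []
    while len(coded) < n_coded:
        coeffs = [rng.randint(0, 1) for _ in range(k)]
        if any(coeffs):                       # an all-zero row carries no information
            coded.append((coeffs, gf2_combine(coeffs, packets)))
    return coded


def rlnc_decode(received, k):
    """Receiver side: Gaussian elimination over GF(2). Returns the k originals in
    order, or None when the received coefficient vectors do not span GF(2)^k, i.e.
    too few (or linearly dependent) coded packets arrived and more must be sent."""
    rows = [(list(c), p) for c, p in received]
    for col in range(k):
        pivot = next((i for i in range(col, len(rows)) if rows[i][0][col]), None)
        if pivot is None:
            return None
        rows[col], rows[pivot] = rows[pivot], rows[col]
        pc, pp = rows[col]
        for i in range(len(rows)):
            if i != col and rows[i][0][col]:
                rows[i] = ([a ^ b for a, b in zip(rows[i][0], pc)], rows[i][1] ^ pp)
    return [rows[i][1] for i in range(k)]


def demo_recovery():
    """Constructed run: 4 originals, 8 coded packets (a fixed coefficient set stands
    in for the random draw so the outcome is reproducible), packets 0, 2 and 3 lost."""
    originals = [0xDEADBEEF, 0xCAFEBABE, 0x01234567, 0x89ABCDEF]
    coeff_rows = [[1, 0, 0, 0], [0, 1, 0, 0], [0, 0, 1, 0], [0, 0, 0, 1],
                  [1, 1, 0, 0], [0, 1, 1, 0], [0, 0, 1, 1], [1, 1, 1, 1]]
    coded = [(c, gf2_combine(c, originals)) for c in coeff_rows]
    received = [pkt for i, pkt in enumerate(coded) if i not in (0, 2, 3)]
    return rlnc_decode(received, len(originals))   # == originals, nothing resent
```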

In urban centres, radio towers are relatively near the user, which gives stronger signals that are more resistant to environmental factors. In satellite networks, however, the long distance between sender and receiver leaves the link vulnerable to disruption from inclement weather. In addition, high latency compounds the finicky signal: if data is lost in transit, it takes longer to resend.

Despite these shortcomings, underserved communities in Canada and around the world rely on satellite links to stay connected. Due to geographical and business limitations, it is not always feasible to run landlines and install towers in these locations. It is critical for satellite network technologies to advance in parallel with the networks back on the ground.

Keep Website Away From the Hackers, Learn WordPress Security Issues

As much as you love WordPress, hackers also love getting access to its websites. There is no doubt that it is one of the most popular content management systems, but there are always loopholes that give black hat hackers a path to malicious activity. Each year we hear of many WordPress security issues, and they are vital to learn about.

It is crucial because once your site gets hacked, it becomes tough to recover. Your brand will face many problems if someone hacks it. The first and most significant loss is the brand reputation you built up over time. Secondly, Google blacklists almost 10,000 plus sites for malware each day, and your website could end up on that list. Last but not least, there is a chance you never get access to your site back.

So it is worth thinking about this topic if you have been ignoring it for a long time. Here are some of the sore points that occur in WordPress, so get your pen and note them down.

Note Down the Most Common WordPress Security Issues

Malware Alert!

If you are still unaware of how the word malware originated, it is a combination of two words: malicious and software. Yes, this word is your enemy, but knowing a bit about your foes is also vital. It is one of the most common security issues you might face while running a website built on WordPress.

Malware is malicious code that hackers use to get illegal access to your website and the information inside it. They inject infected code into the files and folders of the site to gain control over it. It is one of the most widespread WordPress security risks, so you must learn about it.

But how can you detect malware on your website? First, confirm whether your site has actually been hacked, and only then move forward. One way to tell whether malware is present is to check for unexpected modifications in the site's files and folders.

There are various types of malware, such as:

  •       Backdoors
  •       Nasty redirects
  •       Drive-by downloads

You do not need to panic, though. Along with detecting this malware, you can also remove it manually. All you need is a backup of the clean files and folders of the website. If you have one, install a fresh copy and restore the backup.
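The file-modification check described above, as an added example that is not from the original post: a Python script that records a SHA-256 baseline of a WordPress install and later reports which files were added, removed or changed. The skipped directories are an assumed policy, and the tiny tree built in demo_tampering is constructed.

```python
import hashlib
import os
import tempfile

def hash_file(path):
    """SHA-256 of one file, read in chunks so large files do not land in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root, skip=("wp-content/cache", "wp-content/uploads")):
    """Relative path -> SHA-256 for every file under root; cache/uploads skipped (assumed policy)."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        rel_dir = "" if rel_dir == "." else rel_dir
        if any(rel_dir == s or rel_dir.startswith(s + "/") for s in skip):
            dirnames[:] = []                  # do not descend into skipped trees
            continue
        for name in filenames:
            rel = f"{rel_dir}/{name}" if rel_dir else name
            manifest[rel] = hash_file(os.path.join(dirpath, name))
    return manifest

def diff_manifests(baseline, current):
    """Files added, removed or modified since the baseline was taken."""
    common = set(baseline) & set(current)
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": sorted(p for p in common if baseline[p] != current[p])}

def write(root, rel, body):
    """Helper for the demo: create rel (with '/' separators) under root."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(body)

def demo_tampering():
    """Constructed: baseline a fake WordPress tree, then edit wp-config.php and drop a plugin file."""
    root = tempfile.mkdtemp()
    write(root, "wp-config.php", "<?php // constructed config\n")
    write(root, "wp-includes/version.php", "<?php $wp_version = 'constructed';\n")
    write(root, "wp-content/uploads/2020/photo.jpg", "not really a jpeg")
    baseline = build_manifest(root)
    write(root, "wp-config.php", "<?php // constructed config\n// unexpected edit\n")
    write(root, "wp-content/plugins/helper.php", "<?php // unexpected new file\n")
    return diff_manifests(baseline, build_manifest(root))
```

Run the baseline right after a clean install or update, store the manifest off the web server, and compare on a schedule; anything in "added" or "modified" that you did not change yourself deserves a look.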

Brute Force Attacks

Another common type of attack by black hat hackers is the brute force attack. It refers to the trial-and-error method of entering many usernames and passwords: the hackers try combination after combination until they hit the right one.

It is one of the easiest and most used methods of getting access to your website. The motive of the hackers is to get access to your home page. One disadvantage here is that WordPress does not limit the number of username and password combinations that can be entered.

That is why bots can get into your website so easily using brute force. The best way to be safe from this sort of hack is to create a unique username and a strong, unique password for your website.

Why Do Hackers Create WordPress Security Issues?

There are countless reasons behind these suspicious minds hacking WordPress sites. One cannot always judge why hackers want access to sites that are not even very popular, but there are some common motives you can figure out. Here are some of the reasons:

Getting Access to Crucial Info

Undoubtedly, your website holds vital data that is like a treasure to these hackers. That data is not just about you; it is also your customers' information: their emails, the cards attached to your site, their contacts, and more. All of it counts as crucial info.

A hacker can use those emails to send spam from your website and to hack your users' accounts too. They can also push your customers into making purchases on your behalf to make black money.

Attacking Other Websites

Sometimes the hacker also plays ladder games: they hack a small site first in order to reach a huge site afterwards. Hackers attack your website to pave their path towards something bigger and more significant.

Conclusion

So these were some of the fundamental and most common WordPress security issues one might face. Be careful and stay safe!


Attack Against PC Thunderbolt Port

The attack requires physical access to the computer, but it's pretty devastating:

On Thunderbolt-enabled Windows or Linux PCs manufactured before 2019, his technique can bypass the login screen of a sleeping or locked computer -- and even its hard disk encryption -- to gain full access to the computer's data. And while his attack in many cases requires opening a target laptop's case with a screwdriver, it leaves no trace of intrusion and can be pulled off in just a few minutes. That opens a new avenue to what the security industry calls an "evil maid attack," the threat of any hacker who can get alone time with a computer in, say, a hotel room. Ruytenberg says there's no easy software fix, only disabling the Thunderbolt port altogether.

"All the evil maid needs to do is unscrew the backplate, attach a device momentarily, reprogram the firmware, reattach the backplate, and the evil maid gets full access to the laptop," says Ruytenberg, who plans to present his Thunderspy research at the Black Hat security conference this summer, or the virtual conference that may replace it. "All of this can be done in under five minutes."

Lots of details in the article above, and in the attack website. (We know it's a modern hack, because it comes with its own website and logo.)

Intel responds.

EDITED TO ADD (5/14): More.

Over 4000 Android Apps Expose Users’ Data via Misconfigured Firebase Databases

More than 4,000 Android apps that use Google's cloud-hosted Firebase databases are 'unknowingly' leaking sensitive information on their users, including their email addresses, usernames, passwords, phone numbers, full names, chat messages and location data. The investigation, led by Bob Diachenko from Security Discovery in partnership with Comparitech, is the result of an analysis of 15,735