Daily Archives: October 8, 2020

Amid an Embarrassment of Riches, Ransom Gangs Increasingly Outsource Their Work

There’s an old adage in information security: “Every company gets penetration tested, whether or not they pay someone for the pleasure.” Many organizations that do hire professionals to test their network security posture unfortunately tend to focus on fixing vulnerabilities hackers could use to break in. But judging from the proliferation of help-wanted ads for offensive pentesters in the cybercrime underground, today’s attackers have exactly zero trouble gaining that initial intrusion: The real challenge seems to be hiring enough people to help everyone profit from the access already gained.

One of the most common ways such access is monetized these days is through ransomware, which holds a victim’s data and/or computers hostage unless and until an extortion payment is made. But in most cases, there is a yawning gap of days, weeks or months between the initial intrusion and the deployment of ransomware within a victim organization.

That’s because it usually takes time and a good deal of effort for intruders to get from a single infected PC to seizing control over enough resources within the victim organization where it makes sense to launch the ransomware.

This includes pivoting from or converting a single compromised Microsoft Windows user account to an administrator account with greater privileges on the target network; the ability to sidestep and/or disable any security software; and gaining the access needed to disrupt or corrupt any data backup systems the victim firm may have.

Each day, millions of malware-laced emails are blasted out containing booby-trapped attachments. If the attachment is opened, the malicious document proceeds to quietly download additional malware and hacking tools to the victim machine (here’s one video example of a malicious Microsoft Office attachment from the malware sandbox service any.run). From there, the infected system will report home to a malware control server operated by the spammers who sent the missive.

At that point, control over the victim machine may be transferred or sold multiple times between different cybercriminals who specialize in exploiting such access. These folks are very often contractors who work with established ransomware groups, and who are paid a set percentage of any eventual ransom payments made by a victim company.

THE DOCTOR IS IN

Enter subcontractors like “Dr. Samuil,” a cybercriminal who has maintained a presence on more than a dozen top Russian-language cybercrime forums over the past 15 years. In a series of recent advertisements, Dr. Samuil says he’s eagerly hiring experienced people who are familiar with tools used by legitimate pentesters for exploiting access once inside of a target company — specifically, post-exploit frameworks like the closely-guarded Cobalt Strike.

“You will be regularly provided select accesses which were audited (these are about 10-15 accesses out of 100) and are worth a try,” Dr. Samuil wrote in one such help-wanted ad. “This helps everyone involved to save time. We also have private software that bypasses protection and provides for smooth performance.”

From other classified ads he posted in August and September 2020, it seems clear Dr. Samuil’s team has some kind of privileged access to financial data on targeted companies that gives them a better idea of how much cash the victim firm may have on hand to pay a ransom demand. To wit:

“There is huge insider information on the companies which we target, including information if there are tape drives and clouds (for example, Datto that is built to last, etc.), which significantly affects the scale of the conversion rate.

Requirements:
– experience with cloud storage, ESXi.
– experience with Active Directory.
– privilege escalation on accounts with limited rights.

* Serious level of insider information on the companies with which we work. There are proofs of large payments, but only for verified LEADs.
* There is also a private MEGA INSIDE , which I will not write about here in public, and it is only for experienced LEADs with their teams.
* We do not look at REVENUE / NET INCOME / Accountant reports, this is our MEGA INSIDE, in which we know exactly how much to confidently squeeze to the maximum in total.

According to cybersecurity firm Intel 471, Dr. Samuil’s ad is hardly unique, and there are several other seasoned cybercriminals who are customers of popular ransomware-as-a-service offerings that are hiring sub-contractors to farm out some of the grunt work.

“Within the cybercriminal underground, compromised accesses to organizations are readily bought, sold and traded,” Intel 471 CEO Mark Arena said. “A number of security professionals have previously sought to downplay the business impact cybercriminals can have to their organizations.”

“But because of the rapidly growing market for compromised accesses and the fact that these could be sold to anyone, organizations need to focus more on efforts to understand, detect and quickly respond to network compromises,” Arena continued. “That covers faster patching of the vulnerabilities that matter, ongoing detection and monitoring for criminal malware, and understanding the malware you are seeing in your environment, how it got there, and what it has or could have dropped subsequently.”

WHO IS DR. SAMUIL?

In conducting research for this story, KrebsOnSecurity learned that Dr. Samuil is the handle used by the proprietor of multi-vpn[.]biz, a long-running virtual private networking (VPN) service marketed to cybercriminals who are looking to anonymize and encrypt their online traffic by bouncing it through multiple servers around the globe.

Have a Coke and a Molotov cocktail. Image: twitter.com/multivpn

MultiVPN is the product of a company called Ruskod Networks Solutions (a.k.a. ruskod[.]net), which variously claims to be based in the offshore company havens of Belize and the Seychelles, but which appears to be run by a guy living in Russia.

The domain registration records for ruskod[.]net were long ago hidden by WHOIS privacy services. But according to Domaintools.com [an advertiser on this site], the original WHOIS records for the site from the mid-2000s indicate the domain was registered by a Sergey Rakityansky.

This is not an uncommon name in Russia or in many surrounding Eastern European nations. But a former business partner of MultiVPN who had a rather public falling out with Dr. Samuil in the cybercrime underground told KrebsOnSecurity that Rakityansky is indeed Dr. Samuil’s real surname, and that he is a 32- or 33-year-old currently living in Bryansk, a city located approximately 200 miles southwest of Moscow.

Neither Dr. Samuil nor MultiVPN have responded to requests for comment.

Securing an Agile and Hybrid Workforce

Guest article by Andrea Babbs, UK General Manager, VIPRE

2020 has forced businesses to revise many of their operations. One significant transition being the shift to a remote working model, for which many were unprepared in terms of equipment, infrastructure and security. As the government now urges people to return to work, we’re already seeing a shift towards a hybrid workforce, with many employees splitting their time between the office and working from home.

As organisations are now reassessing their long-term office strategies, front and centre to that shift needs to be their IT security underpinned by a dependable and flexible cloud infrastructure. Andrea Babbs, UK General Manager, VIPRE, discusses what this new way of working means long-term for an organisation’s IT security infrastructure and how businesses can successfully move from remote working to a secure and agile workforce.

Power of the Cloud
In light of the uncertainty that has plagued most organisations, many are looking to options that can future-proof their business and enable as much continuity as possible in the event of another unforeseen event. The migration of physical servers to the Cloud is therefore a priority, not only to facilitate agile working, but to provide businesses with greater flexibility, scalability and more efficient resources. 

COVID-19 accelerated the shift towards Cloud-based services, with more data than ever before now being stored in the Cloud. For those organisations working on Cloud-based applications and drives, the challenges of the daily commute, relocations for jobs and not being able to ‘access the drive’ are in the past for many. Cloud services are moving with the user – every employee can benefit from the same level of security no matter where they are working or which device they are using. However, it’s important to ensure businesses are taking advantage of all the features included in their Cloud subscriptions, and that they’re configured securely for hybrid working. 

Layered Security Defence
Cloud-powered email, web and network security will always underline IT security defences, but these are only the first line of defence. Additional layers of security are also required to help the user understand the threat landscape, both external and internal. Particularly when working remotely with limited access to IT support teams, employees must be ready to question, verify the authenticity and interrogate the risk level of potential phishing emails or malicious links. 

With increased pressure placed on users to perform their roles faster and achieve greater results than ever before, employees will do what it takes to power through and access the information they need in the easiest and quickest way possible. This is where the cloud has an essential role to play in making this happen, not just for convenience and agility but also to allow users to stay secure – enabling secure access to applications for all devices from any location and the detection and deletion of viruses – before they reach the network. 

Email remains the most-used communication tool, even more so when remote working, but it also remains the weakest link in IT security, with 91%of cybercrimes beginning with an email. By implementing innovative tools that prompt employees to double-check emails before they send them, it can help reduce the risk of sharing the wrong information with the wrong individual. 

Additional layers of defence such as email checking tools, are removing the barriers which slow the transition to agile working and are helping to secure our new hybrid workforce, regardless of the location they’re working in, or what their job entails. 

Educating the User
The risk an individual poses to an organisation can often be the main source of vulnerability in a company’s IT infrastructure. When remote working became essential overnight, businesses faced the challenges of malware spreading from personal devices, employees being distracted and exposing incorrect information and an increase in COVID-related cyber-attacks. 

For organisations wanting to evolve into a hybrid work environment, their IT security policies need to reflect the new reality. By re-educating employees about existing products and how to leverage any additional functionality to support their decision making, users can be updated on these cyber risks and understand their responsibilities.

Security awareness training programmes teach users to be alert and more security conscious as part of the overall IT security strategy. In order to fully mitigate IT security risks and for the business to benefit from an educated workforce, both in the short and long term, employees need to change their outdated mindset. 

Changing the Approach
The evolution of IT and security over the past 20 years means that working from home is now easily achievable with cloud-based setups, whereas in the not too distant past, it would have been impossible. But the key to a successful and safe agile workforce is to shift the approach of full reliance on IT, to a mindset where everyone is alert, responsible, empowered and educated with regular training, backed up by tools that reinforce a ‘security first’ approach. 

IT departments cannot be expected to stay one step ahead of cybercriminals and adapt to new threats on their own. They need their colleagues to work mindfully and responsibly on the front lines of cyber defence, comfortable in the knowledge that everything they do is underpinned by a robust and secure IT security infrastructure, but that the final decision to click the link, send the sensitive information or download the file, lies with them. 

Conclusion
As employees prove they can work from home productively, the role of the physical office is no longer necessary. For many companies, it is a sink or swim approach when implementing a hybrid and agile workforce. Introducing and retaining flexibility in operations now will help organisations cope better with any future unprecedented events or crises.

By focusing on getting the basics right and powered by the capabilities of the Cloud, highlighting the importance of layered security and challenging existing mindsets, businesses will be able to shift away from remote workers being the ‘exception,’ to a secure and agile workforce as a whole.

5 Lessons About Software Security for Cybersecurity Awareness Month

October is cybersecurity awareness month, and this year, the overarching theme is ???Do Your Part. #BeCyberSmart.??? When considering what ???cybersmart??? means in application security, we realized we unearthed some data this year that made us a little cybersmarter and could help other security professionals and developers increase their AppSec smarts as well. We???re sharing those data gems below.

1. Lack of developer participation in and engagement with security training is a problem.

A recent research report, sponsored by Veracode and conducted by Enterprise Strategy Group (ESG), found that most organizations require their developers to consume AppSec training, but 35 percent said less than half of development teams are participating in formal training. In addition, most respondents reported that they lack programs to measure the effectiveness of developer security training. What???s the lesson here? Given that developers have been increasingly tasked with implementing security measures, including writing secure code and remediating vulnerabilities, it???s vital that they are trained to do so. But it has to be relevant, engaging training that will encourage participation.

2. It???s nearly impossible to have effective AppSec without integrating into developer workflows.

In the ESG survey, 43 percent of organizations agreed that DevOps integration is critical to improving application security (AppSec) programs. With the speed of development today, security tests that slow or block developers are simply not feasible. Lesson No. 2: AppSec should be integrated and automated. Integrating security measures into the CI/CD toolchain not only makes it easier for developers to run AppSec tests, but it also helps organizations discover security issues sooner, which speeds up time to deployment.

3. Open source code is pervasive, vulnerable, and typically not checked for security.

Our most recent State of Software Security (SOSS) report found that a typical Java application is made up of 97 percent open source and third-party libraries. In addition, our State of Software Security: Open Source Edition report published this year found that 70.5 percent of applications have a security flaw in an open source library. But ??? shockingly ??? the ESG report referenced above found that less than 50 percent of organizations scan their open source libraries for security. Why? It???s not uncommon for application developers to assume that third-party libraries were already scanned for vulnerabilities by library developers. Unfortunately, you can???t rely on library developers to keep your applications safe. The cybersmart practice is to scan third-party libraries on a regular basis.

4. You could be pulling in more open source code than you think.

Developers pull in one open source library, but that library is dependent on another library, which is dependent on another library, and so on. In fact, research for our State of Software Security: Open Source Edition report found that most applications have a large percentage of secondary (and tertiary, and more) dependencies.

Take a look at the image below taken from our Software Composition Analysis solution. The empty circle in the middle is your application, and all of the sections around it are different direct and indirect libraries. In this specific example, all of the colored sections are libraries containing vulnerabilities that affect the application either directly or indirectly. Bottom line: Get a handle on all the code that makes up your applications, even the open source code reaching your app indirectly.

software composition analysis

5. The majority of open source flaws are pulled into the code indirectly.

As mentioned above, flaws can be introduced into code directly by the application developer or indirectly by another library in use. And flaws introduced indirectly, known as transitive dependencies, make up the majority of open source flaws. In fact, in our recent report, State of Software Security: Open Source Edition, we found that 70.5 percent of the applications had an open source flaw, and of those applications, 46.6 percent of the flaws were transitive, and 41.9 percent were direct (11.5 percent were both).

Direct and transitive dependencies

Takeaway: You can have vulnerabilities lurking several layers deep; don???t be complacent if you???re just assessing the security of your direct dependencies.

Learn more

#BeCyberSmart about application security, this month and every month. To learn more, watch this short video. ツ?

ツ?

Election 2020 – Fake Election Websites: Five Tips So You Don’t Get Fooled

Protect Your Vote

Election 2020 – Fake Election Websites: Five Tips So You Don’t Get Fooled

When you spot a .GOV web domain tacked onto the end of a U.S. election website, that’s a strong sign you can turn to it for trustworthy election information. However, the overwhelming majority of local county election websites fail to use the .GOV domain.

Recent research by McAfee found that more than 80% of the 3,089 county election administration websites in the U.S. don’t use a .GOV domain.  The concern behind that stat is this: the lack of .GOV domain usage could allow bad actors to create fake election websites—which could in turn spread disinformation about the election and potentially hamper your ability to cast a valid ballot.

Moreover, nearly 45% of those 3,089 sites fail to use HTTPS encryption, a security measure which can further prevent bad actors from re-directing voters to fake websites that can misinform them and potentially steal their personal information.

And it appears that a number of fake sites have cropped up already.

Let’s take a closer look at what’s happening and what you can do to protect your vote.

Why .GOV domains matter

Not anyone can get a .GOV domain. It requires buyers to submit evidence to the U.S. government that they represent a legitimate government entity, such as a local, county, or state election administrative body. Thus, .GOV sites are quite difficult to fake.

Compare that to elections site that use publicly available domains like .COM, .ORG, and .US. A bad actor could easily create fake election sites by purchasing a URL with a similar or slightly mis-typed name to the legitimate election site—a practice known as typosquatting—and use it spread false information.

A rise in fake election sites?

Typosquatted election sites are more than a theory. Just this August, it was reported that the Federal Bureau of Investigation (FBI) and Department of Homeland Security (DHS) issued a warning bulletin to election officials that stated, ““The FBI between March and June 2020 identified suspicious typosquatting of U.S. state and federal election domains, according to recent FBI reporting from a collaborative source.”

And just last week, the Feds issued another warning about the risk of fake websites exploiting the lack of .GOV in the names of election websites.

What makes this approach of mimicry and typosquatting so attractive to bad actors? Rather than clear the much more difficult hurdle of meddling with ballots and other vote-tabulating infrastructure, bad actors can take the relatively easier route of faking websites that pass along incorrect voter information, all in an effort to keep people from casting a valid vote in the first place.

Protect your vote

While we have no direct control over the use of the .GOV domain and HTTPS encryption by our local election sites, there are still steps we can take to protect our vote. Here’s what you can do:

  1. Stay informed. Check that the site you’re visiting is a .GOV website and that HTTPS security protection is in place to ensure your security. If your local site is one of the many that does not use one, the other, or both, contact your local officials to confirm any election instructions you receive. gov provides an excellent resource for this as does the U.S. Election Assistance Commission.
  2. Look out for suspicious emails. Scrutinize all election-related emails you receive. An attacker could use time-tested phishing techniques to misinform you with emails that can sometimes look strikingly legitimate. Check this blog for tips on how to spot such phishing attacks.
  1. Trust official voting literature. The U.S. Postal Service is the primary channel state and local governments use to send out voting information. Look to those printed materials for proper information. However, be sure to validate the polling information you find in them as well—such as with a visit this list of polling places by state compiled by Vote.org.
  2. Steer clear of social media. It’s quite easy for bad actors to spread bad information by setting up phony social media groups or profiles. For more on spotting fake news in your social media feed and election misinformation, check out my recent blogs on those topics.
  3. Protect yourself and your devices. Using strong security software that protects your computers, tablets, and smartphones will help prevent phishing attacks, block links to suspicious sites, and help protect your privacy and identity. Also, disable pop-ups in your browser. Together, these will offer a line of defense against attempts to steer you toward a phony election site.

Stay Updated 

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Election 2020 – Fake Election Websites: Five Tips So You Don’t Get Fooled appeared first on McAfee Blogs.

Sophisticated new Android malware marks the latest evolution of mobile ransomware

Attackers are persistent and motivated to continuously evolve – and no platform is immune. That is why Microsoft has been working to extend its industry-leading endpoint protection capabilities beyond Windows. The addition of mobile threat defense into these capabilities means that Microsoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection) now delivers protection on all major platforms.

Microsoft’s mobile threat defense capabilities further enrich the visibility that organizations have on threats in their networks, as well as provide more tools to detect and respond to threats across domains and across platforms. Like all of Microsoft’s security solutions, these new capabilities are likewise backed by a global network of threat researchers and security experts whose deep understanding of the threat landscape guide the continuous innovation of security features and ensure that customers are protected from ever-evolving threats.

For example, we found a piece of a particularly sophisticated Android ransomware with novel techniques and behavior, exemplifying the rapid evolution of mobile threats that we have also observed on other platforms. The mobile ransomware, detected by Microsoft Defender for Endpoint as AndroidOS/MalLocker.B, is the latest variant of a ransomware family that’s been in the wild for a while but has been evolving non-stop. This ransomware family is known for being hosted on arbitrary websites and circulated on online forums using various social engineering lures, including masquerading as popular apps, cracked games, or video players. The new variant caught our attention because it’s an advanced malware with unmistakable malicious characteristic and behavior and yet manages to evade many available protections, registering a low detection rate against security solutions.

As with most Android ransomware, this new threat doesn’t actually block access to files by encrypting them. Instead, it blocks access to devices by displaying a screen that appears over every other window, such that the user can’t do anything else. The said screen is the ransom note, which contains threats and instructions to pay the ransom.

Screenshot of mobile ransom note in Russian language

Figure 1. Sample ransom note used by older ransomware variants

What’s innovative about this ransomware is how it displays its ransom note. In this blog, we’ll detail the innovative ways in which this ransomware surfaces its ransom note using Android features we haven’t seen leveraged by malware before, as well as incorporating an open-source machine learning module designed for context-aware cropping of its ransom note.

New scheme, same goal

In the past, Android ransomware used a special permission called “SYSTEM_ALERT_WINDOW” to display their ransom note. Apps that have this permission can draw a window that belongs to the system group and can’t be dismissed. No matter what button is pressed, the window stays on top of all other windows. The notification was intended to be used for system alerts or errors, but Android threats misused it to force the attacker-controlled UI to fully occupy the screen, blocking access to the device. Attackers create this scenario to persuade users to pay the ransom so they can gain back access to the device.

To catch these threats, security solutions used heuristics that focused on detecting this behavior. Google later implemented platform-level changes that practically eliminated this attack surface. These changes include:

  1. Removing the SYSTEM_ALERT_WINDOW error and alert window types, and introducing a few other types as replacement
  2. Elevating the permission status of SYSTEM_ALERT_WINDOW to special permission by putting it into the “above dangerous” category, which means that users have to go through many screens to approve apps that ask for permission, instead of just one click
  3. Introducing an overlay kill switch on Android 8.0 and later that users can activate anytime to deactivate a system alert window

To adapt, Android malware evolved to misusing other features, but these aren’t as effective. For example, some strains of ransomware abuse accessibility features, a method that could easily alarm users because accessibility is a special permission that requires users to go through several screens and accept a warning that the app will be able to monitor activity via accessibility services. Other ransomware families use infinite loops of drawing non-system windows, but in between drawing and redrawing, it’s possible for users to go to settings and uninstall the offending app.

The new Android ransomware variant overcomes these barriers by evolving further than any Android malware we’ve seen before. To surface its ransom note, it uses a series of techniques that take advantage of the following components on Android:

  1. The “call” notification, among several categories of notifications that Android supports, which requires immediate user attention.
  2. The “onUserLeaveHint()” callback method of the Android Activity (i.e., the typical GUI screen the user sees) is called as part of the activity lifecycle when the activity is about to go into the background as a result of user choice, for example, when the user presses the Home key.

The malware connects the dots and uses these two components to create a special type of notification that triggers the ransom screen via the callback.

Screenshot of malware code

Figure 2. The notification with full intent and set as “call’ category

As the code snippet shows, the malware creates a notification builder and then does the following:

  1. setCategory(“call”) – This means that the notification is built as a very important notification that needs special privilege.
  2. setFullScreenIntent() – This API wires the notification to a GUI so that it pops up when the user taps on it. At this stage, half the job is done for the malware. However, the malware wouldn’t want to depend on user interaction to trigger the ransomware screen, so, it adds another functionality of Android callback:

Figure 3. The malware overriding onUserLeaveHint

As the code snippet shows, the malware overrides the onUserLeaveHint() callback function of Activity class. The function onUserLeaveHint() is called whenever the malware screen is pushed to background, causing the in-call Activity to be automatically brought to the foreground. Recall that the malware hooked the RansomActivity intent with the notification that was created as a “call” type notification. This creates a chain of events that triggers the automatic pop-up of the ransomware screen without doing infinite redraw or posing as system window.

Machine learning module indicates continuous evolution

As mentioned, this ransomware is the latest variant of a malware family that has undergone several stages of evolution. The knowledge graph below shows the various techniques this ransomware family has been seen using, including abusing the system alert window, abusing accessibility features, and, more recently, abusing notification services.

Knowledge graph showing techniques used by the Android rasomware family

Figure 4. Knowledge graph of techniques used by ransomware family

This ransomware family’s long history tells us that its evolution is far from over. We expect it to churn out new variants with even more sophisticated techniques. In fact, recent variants contain code forked from an open-source machine learning module used by developers to automatically resize and crop images based on screen size, a valuable function given the variety of Android devices.

The frozen TinyML model is useful for making sure images fit the screen without distortion. In the case of this ransomware, using the model would ensure that its ransom note—typically fake police notice or explicit images supposedly found on the device—would appear less contrived and more believable, increasing the chances of the user paying for the ransom.

The library that uses tinyML is not yet wired to the malware’s functionalities, but its presence in the malware code indicates the intention to do so in future variants. We will continue to monitor this ransomware family to ensure customers are protected and to share our findings and insights to the community for broad protection against these evolving mobile threats.

Protecting organizations from threats across domains and platforms

Mobile threats continue to rapidly evolve, with attackers continuously attempting to sidestep technological barriers and creatively find ways to accomplish their goal, whether financial gain or finding an entry point to broader network compromise.

This new mobile ransomware variant is an important discovery because the malware exhibits behaviors that have not been seen before and could open doors for other malware to follow. It reinforces the need for comprehensive defense powered by broad visibility into attack surfaces as well as domain experts who track the threat landscape and uncover notable threats that might be hiding amidst massive threat data and signals.

Microsoft Defender for Endpoint on Android, now generally available, extends Microsoft’s industry-leading endpoint protection to Android. It detects this ransomware (AndroidOS/MalLocker.B), as well as other malicious apps and files using cloud-based protection powered by deep learning and heuristics, in addition to content-based detection. It also protects users and organizations from other mobile threats, such as mobile phishing, unsafe network connections, and unauthorized access to sensitive data. Learn more about our mobile threat defense capabilities in Microsoft Defender for Endpoint on Android.

Malware, phishing, and other threats detected by Microsoft Defender for Endpoint are reported to the Microsoft Defender Security Center, allowing SecOps to investigate mobile threats along with endpoint signals from Windows and other platforms using Microsoft Defender for Endpoint’s rich set of tools for detection, investigation, and response.

Threat data from endpoints are combined with signals from email and data, identities, and apps in Microsoft 365 Defender (previously Microsoft Threat Protection), which orchestrates detection, prevention, investigation, and response across domains, providing coordinated defense. Microsoft Defender for Endpoint on Android further enriches organizations’ visibility into malicious activity, empowering them to comprehensively prevent, detect, and respond to against attack sprawl and cross-domain incidents.

Technical analysis

Obfuscation

On top of recreating ransomware behavior in ways we haven’t seen before, the Android malware variant uses a new obfuscation technique unique to the Android platform. One of the tell-tale signs of an obfuscated malware is the absence of code that defines the classes declared in the manifest file.

Malware code showing manifest file

Figure 5. Manifest file

The classes.dex has implementation for only two classes:

  1. The main application class gCHotRrgEruDv, which is involved when the application opens
  2. A helper class that has definition for custom encryption and decryption

This means that there’s no code corresponding to the services declared in the manifest file: Main Activity, Broadcast Receivers, and Background. How does the malware work without code for these key components? As is characteristic for obfuscated threats, the malware has encrypted binary code stored in the Assets folder:

Screenshot of Assets folder with encrypted executable code

Figure 6. Encrypted executable code in Assets folder

When the malware runs for the first time, the static block of the main class is run. The code is heavily obfuscated and made unreadable through name mangling and use of meaningless variable names:

Figure 7. Static block

Decryption with a twist

The malware uses an interesting decryption routine: the string values passed to the decryption function do not correspond to the decrypted value, they correspond to junk code to simply hinder analysis.

On Android, an Intent is a software mechanism that allows users to coordinate the functions of different Activities to achieve a task. It’s a messaging object that can be used to request an action from another app component.

The Intent object carries a string value as “action” parameter. The malware creates an Intent inside the decryption function using the string value passed as the name for the Intent. It then decrypts a hardcoded encrypted value and sets the “action” parameter of the Intent using the setAction API. Once this Intent object is generated with the action value pointing to the decrypted content, the decryption function returns the Intent object to the callee. The callee then invokes the getAction method to get the decrypted content.

Figure 8. Decryption function using the Intent object to pass the decrypted value

Payload deployment

Once the static block execution is complete, the Android Lifecycle callback transfers the control to the OnCreate method of the main class.

Malware code showing onCreate method

Figure 9. onCreate method of the main class decrypting the payload

Next, the malware-defined function decryptAssetToDex (a meaningful name we assigned during analysis) receives the string “CuffGmrQRT” as the first argument, which is the name of the encrypted file stored in the Assets folder.

Malware code showing decryption of assets

Figure 10. Decrypting the assets

After being decrypted, the asset turns into the .dex file. This is a notable behavior that is characteristic of this ransomware family.

Comparison of code of Asset file before and after decryption

Figure 11. Asset file before and after decryption

Once the encrypted executable is decrypted and dropped in the storage, the malware has the definitions for all the components it declared in the manifest file. It then starts the final detonator function to load the dropped .dex file into memory and triggers the main payload.

Malware code showing loading of decrypted dex file

Figure 12. Loading the decrypted .dex file into memory and triggering the main payload

Main payload

When the main payload is loaded into memory, the initial detonator hands over the control to the main payload by invoking the method XoqF (which we renamed to triggerInfection during analysis) from the gvmthHtyN class (renamed to PayloadEntry).

Malware code showing handover from initial module to main payload

Figure 13. Handover from initial module to the main payload

As mentioned, the initial handover component called triggerInfection with an instance of appObj and a method that returns the value for the variable config.

Malware code showing definition of populateConfigMap

Figure 14. Definition of populateConfigMap, which loads the map with values

Correlating the last two steps, one can observe that the malware payload receives the configuration for the following properties:

  1. number – The default number to be send to the server (in case the number is not available from the device)
  2. api – The API key
  3. url – The URL to be used in WebView to display on the ransom note

The malware saves this configuration to the shared preferences of the app data and then it sets up all the Broadcast Receivers. This action registers code components to get notified when certain system events happen. This is done in the function initComponents.

Malware code showing initializing broadcast receiver

Figure 15. Initializing the BroadcastReceiver against system events

From this point on, the malware execution is driven by callback functions that are triggered on system events like connectivity change, unlocking the phone, elapsed time interval, and others.

 

Dinesh Venkatesan

Microsoft Defender Research

 

The post Sophisticated new Android malware marks the latest evolution of mobile ransomware appeared first on Microsoft Security.

Podcast: Taking the unconventional career path in cybersecurity

Security Stories podcast
Security Stories Podcast

In the latest episode of the Security Stories podcast, we take on the topic of cybersecurity careers.

Myself, Ben Nahorney and Noureen Njoroge are joined by guests Mitch Neff, Marketing Lead at Cisco Talos, and Corien Vermaak, Cybersecurity Partner Sales Lead for Cisco APJC.

We each discuss on how we all got our starts in the cybersecurity industry. As it turns out, none of us took a conventional path!

The five of us also talk about the people and the mentors that helped us along the way, including some practical advice for anyone who wants to be a mentor, or gain a mentor.

We then passionately tackle the topic of job descriptions and why they might be contributing to the so called “cybersecurity skills gap”. We also talk about what hiring managers can do to make sure they’re not putting the right people off with their words.

The interview

Curtis Simpson, Chief Information Security Officer at Armis

For our main interview, I had the pleasure of chatting to Curtis Simpson, Chief Information Security Officer at Armis to discover his story.

A self taught cybersecurity geek, Curtis spent 20 years at Sysco, building a decentralized network before moving to Armis.

Curis talks about how he changed perceptions of cybersecurity being “just a cost centre”. He gave some great examples of how cybersecurity is directly tied to business outcomes, such as the productivity of the sales team.

He also touches on just how difficult a decision it was to leave after 20 years, but ultimately he knew it was the right thing.

Finally, we discuss how his organization has reacted to the global pandemic, and I learn about Curtis’ take on the current threat landscape, particularly around securing IoT devices.

We hope this episode proves that that there is no singular footpath into cybersecurity.  And that’s no bad thing.

Time stamps

0.00 Intro
3.46 Interview with Curtis Simpson
47.26 Discussion on careers in cybersecurity
1.42.00 Close

Play the episode

You can listen to this podcast on Apple Podcasts, Spotify, Google Podcasts, or wherever you normally get your podcasts from! You can also listen right here and now:

More career related resources

Here are some more resources as mentioned in our careers discussion:

Noureen’s cybersecurity mentoring hub: https://cybersecmentorship.org
Noureen’s mentor and mentee group on LinkedIn: https://www.linkedin.com/groups/8673525/
Cisco NetAcademy courses: https://www.netacad.com/courses/cybersecurity
Blue Team Village Discord of which Talos are a sponsor: https://discord.com/invite/blueteamvillage

Also check out our just published eBook: Diversity in Cybersecurity: A Mosaic of Career Possibilities

The post Podcast: Taking the unconventional career path in cybersecurity appeared first on Cisco Blogs.

Researchers Find Vulnerabilities in Microsoft Azure Cloud Service

As businesses are increasingly migrating to the cloud, securing the infrastructure has never been more important. Now according to the latest research, two security flaws in Microsoft's Azure App Services could have enabled a bad actor to carry out server-side request forgery (SSRF) attacks or execute arbitrary code and take over the administration server. "This enables an attacker to quietly

Cyber Security Awareness: A Critical Checklist

October 2020 marks the 17th year of National CyberSecurity Awareness Month, where users and organizations are encouraged to double their efforts to be aware of cybersecurity issues in all their digital dealings—and to take concrete steps to increase their privacy and security as necessary. The Cybersecurity & Infrastructure Security Agency (CISA), in conjunction with the National Cyber Security Alliance (NCSA) has announced a four-week security strategy under the theme “Do Your Part. #BeCyberSmart”. (You can use the NCSAM hashtag #BeCyberSmart during October to promote your involvement in raising cybersecurity awareness.) Their schedule includes the following:

 

 

  • Week of October 5 (Week 1):If You Connect It, Protect It
  • Week of October 12 (Week 2):Securing Devices at Home and Work
  • Week of October 19 (Week 3):Securing Internet-Connected Devices in Healthcare
  • Week of October 26 (Week 4):The Future of Connected Devices

Here in Trend Micro’s Consumer Division, we’d like to do our part by providing a breakdown of the security issues you should be aware of as you think about cybersecurity—and to give you some tips about what you can do to protect yourself and your family while working, learning, or gaming at home. To help, we’ve also taken a look back at articles we’ve written recently to address each category of threat—and to provide some quick links to access our library of relevant blogs all in a single place.

The range of threats

As you think about potential threats during Cybersecurity Awareness Month and beyond, keep in mind our basic breakdown of where and how threats arise, which we outlined at the beginning of the year in our Everyday Cyber Threat Landscape blog. An updated summary is given here:

Home network threats: Our homes are increasingly powered by online technologies. Over two-thirds (69%) of US households now own at least one smart home device: everything from voice assistant-powered smart speakers to home security systems and connected baby monitors. But gaps in protection can expose them to hackers. There were an estimated 105m smart home attacks in the first half of 2019 alone. With home routers particularly at risk, it’s a concern that 83% are vulnerable to attack. In the first half of 2020, Trend Micro detected over 10.6 billion suspicious connection attempts on home routers’ unavailable ports—an issue made more worrisome by recent lab-based evidence that home routers are riddled with insecurities, as the Fraunhofer Home Router Security Report 2020 shows. This means you need to take steps to mitigate your router’s weaknesses, while deploying a home network security solution to address other network insecurities and to further secure your smart devices.

Relevant Blogs:

Endpoint threats: These are attacks aimed squarely at you the user, usually via the email channel. Trend Micro detected and blocked more than 26 billion email threats in the first half of 2019, nearly 91% of the total number of cyber-threats. These included phishing attacks designed to trick you into clicking on a malicious link to steal your personal data and log-ins or begin a ransomware download. Or they could be designed to con you into handing over your personal details, by taking you to legit-looking but spoofed sites. Endpoint threats sometimes include social media phishing messages or even legitimate websites that have been booby-trapped with malware. All this means is that installing endpoint security on your PCs and Macs is critical to your safety.

Relevant Blogs:

Mobile security threats: Hackers are also targeting our smartphones and tablets with greater sophistication. Malware is often unwittingly downloaded by users, since it’s hidden in normal-looking mobile apps, like the Agent Smith adware that infected over 25 million Android handsets globally in 2019. Users are also extra-exposed to social media attacks and those leveraging unsecured public Wi-Fi when using their devices. Once again, the end goal for the hackers is to make money: either by stealing your personal data and log-ins; flooding your screen with adverts; downloading ransomware; or forcing your device to contact expensive premium rate phone numbers that they own. The conclusion? Installing a mobile security solution, as well as personal VPN, on your Android or iOS device, should be part of your everyday security defense.

Relevant Blogs:

Identity data breaches are everywhere: The raw materials needed to unlock your online accounts and help scammers commit identity theft and fraud are stored by the organizations you interact with online. Unfortunately, these companies continued to be targeted by data thieves in 2019. As of November 2019, there were over 1,200 recorded breaches in the US, exposing more than 163 million customer records. Even worse, hackers are now stealing card data direct from the websites you shop with as they are entered in, via “digital skimming” malware. That said, an increasingly popular method uses automated tools that try tens of thousands of previously breached log-ins to see if any of them work on your accounts. From November 2017 through the end of March 2019, over 55 billion such attacks were detected. Add these to the classical phishing attack, where email hoaxes designed to get you to unwittingly hand over your data—and your data and identity can be severely compromised. In this category, using both a password manager and an identity security monitoring solution, is critical for keeping your identity data safe as you access your online accounts.

Relevant Blogs:

How Trend Micro can help

Trend Micro fully understands these multiple sources for modern threats, so it offers a comprehensive range of security products to protect all aspects of your digital life—from your smart home network to your PCs and Macs, and from your mobile devices to your online accounts. We also know you need security for your email and your social networks, or simply when browsing the web itself.

Trend Micro Home Network Security: Provides protection against network intrusions, router hacks, web threats, dangerous file downloads and identity theft for every device connected to the home network.

Trend Micro Premium Security Suite: Our new premium offering provides all of the products listed below for up to 10 devices, plus Premium Services by our highly trained pros. It includes 24×7 technical support, virus and spyware removal, a PC security health check, and remote diagnosis and repair. As always, however, each solution below can be purchased separately, as suits your needs.

  • Trend Micro Security:Protects your PCs and Macs against web threats, phishing, social network threats, data theft, online banking threats, digital skimmers, ransomware and other malware. Also guards against over-sharing on social media.
  • Trend Micro Mobile Security:Protects against malicious app downloads, ransomware, dangerous websites, and unsafe Wi-Fi networks.
  • Trend Micro Password Manager:Provides a secure place to store, manage and update your passwords. It remembers your log-ins, enabling you to create long, secure and unique credentials for each site/app you need to sign-in to.
  • Trend Micro WiFi Protection:Protects you on unsecured public WiFi by providing a virtual private network (VPN) that encrypts your traffic and ensures protection against man-in-the-middle (MITM) attacks.
  • Trend Micro ID Security (AndroidiOS): Monitors underground cybercrime sites to securely check if your personal information is being traded by hackers on the Dark Web and sends you immediate alerts if so, so you can take steps to address the problem.

The post Cyber Security Awareness: A Critical Checklist appeared first on .

Hackers disguise malware attack as new details on Donald Trump’s COVID-19 illness

The confirmation that US President Donald Trump has been infected by the Coronavirus, and had to spend time this weekend in hospital, has – understandably – made headlines around the world. And there are plenty of people, on both sides of the political divide, who are interested in learning more about his health status. It’s […]… Read More

The post Hackers disguise malware attack as new details on Donald Trump’s COVID-19 illness appeared first on The State of Security.

NIST Cybersecurity Expert Donna Dodson Receives Service to America Medal

Donna Dodson, a cybersecurity expert who worked for her entire 33-year career at the National Institute of Standards and Technology (NIST), has been honored this week with a Samuel J. Heyman Service to America Medal for her numerous contributions to the field. Since 2002, the Partnership for Public Service has awarded “Sammies” medals to honor outstanding civil servants. One of just 11 winners chosen from a pool of more than 350 nominations, Dodson received her medal in the Safety, Security and International Affairs category. “Donna Dodson demonstrates the profound impact that a single

New ‘MontysThree’ Toolset Used in Targeted Industrial Espionage Attacks

Researchers uncovered a new toolset they’ve dubbed “MontysThree” that has played a role in targeted industrial espionage attacks stretching back to 2018. In the summer of 2020, Kaspersky Lab discovered that an unknown actor had been using a modular C++ toolset called “MT3” to conduct targeted industrial espionage campaigns for years. The security firm analyzed […]… Read More

The post New ‘MontysThree’ Toolset Used in Targeted Industrial Espionage Attacks appeared first on The State of Security.

ZecOps for Mobile DFIR 2.0 – Now Supporting iOS *AND* Android

ZecOps for Mobile DFIR 2.0 – Now Supporting iOS *AND* Android

ZecOps is excited to announce the release of ZecOps for Mobile 2.0, which includes full support for Android. With this release, ZecOps has extended its best-in-class automatic digital forensics capabilities to the two most widespread and important mobile operating systems in the world, iOS and Android.

We see it in the news everyday: sophisticated threat actors can bypass all existing security defenses. These mistakes lead to sudden reboots, crashes, appearances in logs / OS telemetry, bugs, errors, battery loss, and other “unexplained” anomalies. ZecOps for Mobile analyzes the associated events against databases of attack techniques, common weaknesses (CWEs), and common vulnerabilities (CVEs). ZecOps’s core technology utilizes machine learning for insights, correlation and identifying anomalous behavior for 0-day attacks. Following a quick investigation, ZecOps produces a detailed assessment of if, when, and how a mobile device has been compromised.

World-leading governments, defense agencies, enterprises, and VIPs rely on ZecOps to automate their advanced investigations, greatly improving their threat intelligence, threat detection, APT hunting, and risk & compromise assessment capabilities. With support for Android, ZecOps can now extend this threat intelligence across an entire organization’s mobile footprint.

Supported versions:

  • Android 8 and above – until latest
  • iOS 10 and above – until latest

Supported HW Models:

  • All device models are supported on both Android and iOS.

ZecOps provides the most thorough operating system telemetry analysis as part of its advanced digital forensics. By focusing on the trails that hackers leave (“Attackers’ Mistakes”), ZecOps can provide sophisticated security organizations with critical information on the attackers’ tools, advanced persistent threats, and even discovery of attacks leveraging zero-day vulnerabilities.