A week ago, KrebsOnSecurity broke the news that someone was attempting to disrupt the Trickbot botnet, a malware crime machine that has infected millions of computers and is often used to spread ransomware. A new report Friday says the coordinated attack was part of an operation carried out by the U.S. military’s Cyber Command.
On October 2, KrebsOnSecurity reported that twice in the preceding ten days, an unknown entity that had inside access to the Trickbot botnet sent all infected systems a command telling them to disconnect themselves from the Internet servers the Trickbot overlords used to control compromised Microsoft Windows computers.
On top of that, someone had stuffed millions of bogus records about new victims into the Trickbot database — apparently to confuse or stymie the botnet’s operators.
In a story published Oct. 9, The Washington Post reported that four U.S. officials who spoke on condition of anonymity said the Trickbot disruption was the work of U.S. Cyber Command, a branch of the Department of Defense headed by the director of the National Security Agency (NSA).
The Post report suggested the action was a bid to prevent Trickbot from being used to somehow interfere with the upcoming presidential election, noting that Cyber Command was instrumental in disrupting the Internet access of Russian online troll farms during the 2018 midterm elections.
The Post said U.S. officials recognized their operation would not permanently dismantle Trickbot, describing it rather as “one way to distract them for at least a while as they seek to restore their operations.”
Alex Holden, chief information security officer and president of Milwaukee-based Hold Security, has been monitoring Trickbot activity before and after the 10-day operation. Holden said while the attack on Trickbot appears to have cut its operators off from a large number of victim computers, the bad guys still have passwords, financial data and reams of other sensitive information stolen from more than 2.7 million systems around the world.
Holden said the Trickbot operators have begun rebuilding their botnet, and continue to engage in deploying ransomware at new targets.
“They are running normally and their ransomware operations are pretty much back in full swing,” Holden said. “They are not slowing down because they still have a great deal of stolen data.”
Holden added that since news of the disruption first broke a week ago, the Russian-speaking cybercriminals behind Trickbot have been discussing how to recoup their losses, and have been toying with the idea of massively increasing the amount of money demanded from future ransomware victims.
“There is a conversation happening in the back channels,” Holden said. “Normally, they will ask for [a ransom amount] that is something like 10 percent of the victim company’s annual revenues. Now, some of the guys involved are talking about increasing that to 100 percent or 150 percent.”
These days, spending time with friends face-to-face still isn’t always an option for teens. So, finding a fun, new app can be a little like discovering your own private beach where you can chill out, connect with friends, and be thoroughly entertained. Keeping them safe on that digital beach? That’s where parents can make a difference.
With all the popular, increasingly sophisticated video apps available, it’s easy to understand why safety ends up being the last thing on our kids’ minds. I get it. My daughter and I recently sat for hours watching Tik Tok videos and laughing until we cried.
However, October is National Cybersecurity Month and the perfect time to hit pause and talk about how to stay safe on all the apps vying for our attention.
Popular Apps to Monitor
Triller. The Triller app is a video-based platform, much like Tik Tok, that has been around since 2015. Triller has a variety of filters and music kids can use with the videos they create.
What to monitor: Triller’s content may not always be appropriate, and because viewers can leave comments on videos, there’s a risk of cyberbullying. Also, Triller has some privacy loopholes such as data collection, location tracking, and a public account default — all of which can be modified in Settings.
HouseParty is a group video chat platform nicknamed the “Quarantine App” since its popularity increased by an additional 10 million users during the COVID lockdown. Houseparty allows users to invite friends and “friends of friends” into group video-chat sessions — much like a party. The app displays up to eight live streams on the screen at a time, creating an instant sense of community.
What to monitor: Because the app allows “friends of friends” to livestream in a group, that unknown element opens the door to a number of safety issues. Encourage kids to deny join requests from unknown people. While some users leave rooms unlocked while live streaming their party, encourage your child to use the padlock function to limit conversations to people who know each other.
Yubo. The Yubo app (formerly Yellow) is also called the “Tinder for Teens.” Kids can connect and live stream with people they know — and easily connect with people they don’t. If two users swipe right, Yubo will match them, and they can share Snapchat or Instagram names. Another app very similar to Yubo is the Hoop app.
What to monitor: Content on Yubo can be explicit, and cyberbullying can arise more often since fake accounts are common. Yubo’s swipe format promotes an appearance-driven match standard that may not be healthy for some teens.
Byte. Another app similar to Tik Tok, Byte features short-form videos. Byte, created by the founders of the now defunct Vine app, lacks the filters and music of other video apps, but that’s okay; the simplicity is a plus for Byte fans.
What to monitor: Be aware of inappropriate content, cyberbullying in comments, and unknown “friends” who may be part of your child’s Byte community. Online predators have been known to reach out to kids on this app. While unwanted followers can be blocked, surprisingly, Byte doesn’t give you the ability to make your account private.
App Safety Basics
Practice personal responsibility. The theme for Cybersecurity Month 2020 is Do Your Part #BeCyberSmart. With this in mind, discuss the responsibility that comes with owning technology, be it a smartphone, a game system, a smartwatch, or any other connected device. The goal, says The National Cyber Security Alliance, is: “If you connect it, protect it.”
Privacy settings. To protect privacy and keep unknown people from connecting with minors, maximize privacy Settings on each new app.
Increase safeguards. Apps can be addictive and siphon family time, study time, and sleep. A comprehensive security solution can help parents limit device time, monitor activity, and block risky content and apps.
Share wisely. Even a 15-second video shared with “close friends only” can end up in the public stream. Advise your child to only share videos or photos they’d feel good sharing with the world.
Protect personal information. Remind your child not to share private details about themselves or their family members with anyone online. This includes emails, full names, phone numbers, pet names, school names, or location.
Block and report. Talk with your child about what you consider appropriate versus inappropriate content, how to block strangers, and how to report cyberbullying and scams.
Finally, keep talking with your kids — about everything. Ultimately, it will be your consistency in having honest, ongoing dialogue with your child that will be your most valuable tool in keeping them safe online.
Against the backdrop of the IT skills shortage, it is becoming ever harder for companies to keep pace with the growing number and sophistication of cyber attacks, which pushes security teams into a position where they can often only react. In this podcast we discuss how you can improve your endpoint security with the help of a comprehensive threat database and proactive response measures, and cut response times from months to hours. Joining the discussion are Heiko Brückle, McAfee Senior Security Engineer, and Chris Trynoga, McAfee Regional Solution Architect.
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between September 25 and October 2. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
20201009-tru.json – this is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.
Officials have decided to pay roughly $670,000 in ransom following a ransomware attack on the University Hospital in New Jersey. The hospital was likely forced into this decision after being unable to restore from backups the 240GB of data stolen in the attack on their systems. It’s not entirely clear what information was stolen, but given the haste of payment it was likely highly sensitive patient data.
COVID-Related Cyberattacks Target Canadian Companies
A recent survey revealed that over 25% of all Canadian business organizations had been targeted by a COVID-19-themed cyberattack since the beginning of the year. Most of the organizations surveyed also reported seeing a significant rise in overall cyberattacks since the pandemic began. Worrisome findings also revealed that 38% of organizations surveyed were unsure if they had fallen victim to any type of cyberattack, which could mean the amount of customer information for sale on black markets could be
Boom! Mobile Website Compromised
Customer data has been compromised for users of the Boom!
unclear how the unauthorized code got onto the site or how long it was active. Officials for the mobile company have confirmed they do not store payment card data and that no Boom! Mobile accounts were compromised.
Major Ransomware Attacks Increase Through Q3
Researchers have reported a massive increase in ransomware attacks in Q3 of 2020, with the Maze group being responsible for 12% of all attacks. They also reported that Ryuk ransomware variants were responsible for an average of 20 attacks per week. With the ongoing neglect of cybersecurity in major corporations, ransomware attacks will likely continue as long as their authors find them profitable.
Chicago Food Delivery Service Stricken with Data Breach
Nearly 800,000 customer records were compromised following a data breach at ChowBus, a Chicago-based food delivery service. With roughly 440,000 unique email addresses exposed, many individuals are now more susceptible to additional phishing attacks or identity theft. Fortunately, however, ChowBus does not store payment card information on its site.
Distributed cloud computing is the first cloud model that incorporates physical location of cloud-delivered services as part of its definition. Historically, location has not been relevant to cloud computing definitions.
By Melissa Lukings, JD Candidate, Faculty of Law, University of New Brunswick (UNB) AND Dr. Arash Habibi Lashkari, Assistant Professor and Research Coordinator, Canadian Institute for Cybersecurity (CIC), University of New Brunswick (UNB) Introduction The prevalence of digital communication has created nearly limitless possibilities for the rapid, large-scale sharing of private communications, intimate images, and personal…
Open source software is the foundation of many modern software products. Over the years, developers have increasingly relied on reusable open source components for their applications. It is paramount that these open source components are secure and reliable, as weaknesses impact everyone who builds upon them.
Google cares deeply about the security of the open source ecosystem and recently launched the Open Source Security Foundation with other industry partners. Fuzzing is an automated testing technique to find bugs by feeding unexpected inputs to a target program. At Google, we leverage fuzzing at scale to find tens of thousands of security vulnerabilities and stability bugs. This summer, as part of Google’s OSS internship initiative, we hosted 50 interns to improve the state of fuzz testing in the open source ecosystem.
The fuzzing interns worked towards integrating new projects and improving existing ones in OSS-Fuzz, our continuous fuzzing service for the open source community (which has 350+ projects, 22,700 bugs, 89% fixed). Several widely used open source libraries including but not limited to nginx, postgresql, usrsctp, and openexr, now have continuous fuzzing coverage as a result of these efforts.
Some interns chose to write fuzzers for Android and Chrome, which are open source projects that billions of internet users rely on. For Android, the interns contributed several new fuzzers for uncovered areas: network protocols such as pppd and dns, audio codecs like monoblend and g722, and the Android framework. On the Chrome side, interns improved existing blackbox fuzzers, particularly in the areas of DOM, IPC, media, and extensions, and added new libprotobuf-based fuzzers for Mojo.
Over the course of the internship, our interns have reported over 150 security vulnerabilities and 750 functional bugs. Given the overall success of these efforts, we plan to continue hosting fuzzing internships every year to help secure the open source ecosystem and teach incoming open source contributors about the importance of fuzzing. For more information on the Google internship program and other student opportunities, check out careers.google.com/students. We encourage you to apply.
Technology is moving at a breakneck pace and there is nothing to indicate it will ever slow down. With 90 per cent of new apps slated to be cloud native by 2025, companies are challenged to be resilient and agile enough to meet business and customer expectations. “This is a critical challenge,” says Jim Love,…
The wait is no more. AMD lifted the curtains off of its Ryzen 5000 series processors and its Zen 3 core architecture at its “Where Gaming Begins” conference yesterday.
Zen 3, like Zen 2, uses a separate CPU die and I/O die on the same package. The CPU die is manufactured using TSMC’s 7nm node, while the I/O die is made on the 12nm node. Separating the I/O die and CPU dies helps with yields, as smaller chips are easier to manufacture.
AMD’s Zen 3 architecture continues to improve on Zen 2’s modular design. In the previous generation, AMD’s Ryzen 3000 series desktop processors used multiple core chiplet dies (CCD) consisting of two 4-core compute core complexes (CCX) connected over the Infinity Fabric Interconnect. Each CCX had its own, separate 16MB cache. With Zen 3, AMD has unified the pools of cache into a single 32MB pool, thus decreasing latency and increasing resource sharing across the cores.
AMD has also reworked the front-to-back operation stack, including widening the integer and floating-point execution units (EU), load/store operations, and the branch predictor. AMD also announced a feature called “Zero Bubble” that hides latency, a major roadblock of previous generations of Zen architectures.
All-in-all, AMD claims that Zen 3 will have 19 per cent higher instructions per clock while being 24 per cent more power-efficient compared to Zen 2. Further, it underscored Zen 3’s single-threaded performance by demonstrating the Ryzen 9 3900X achieving 631 points in Cinebench R20, a rendering benchmark. The company claimed that this is the first processor to break the 600 points barrier in the benchmark.
The initial launch lineup on Nov. 5 will have four SKUs: the Ryzen 9 5950X, Ryzen 7 5900X, Ryzen 7 5800X, and the Ryzen 5 5600X.
Processor (max boost clock / base clock):
AMD Ryzen 9 5950X: 4.9GHz / 3.4GHz
AMD Ryzen 9 5900X: 4.8GHz / 3.7GHz
AMD Ryzen 7 5800X: 4.7GHz / 3.8GHz
AMD Ryzen 5 5600X: 4.9GHz / 3.4GHz
There is a price hike this time around. All Ryzen 5000 series processors cost $50 more than the products they’re designed to replace. Moreover, AMD has pulled the stock coolers from the Ryzen 7 5900X and the Ryzen 7 5800X which, in the previous generations, granted it a big value lead compared to Intel processors.
For the first time in a long time, AMD processor prices have outpaced Intel’s. At MSRP, the Ryzen 7 5800X costs US$125 more than Intel’s Core i7-10700K ($499 vs. $374), which brings it into price parity with Intel’s consumer flagship CPU, the 10-core Core i9-10900K. The price difference narrows on the mid-range, though, with the Ryzen 5 5600X being just $37 more than the Core i5-10600K (US$299 vs. US$260). The increased prices hint at AMD being confident that its products will win against Intel’s Comet Lake-S. With that said, Intel’s Rocket Lake processors, built on Intel’s 14nm process, are expected to land March 2020 to challenge the market.
Finally, the Ryzen 5000 series will be the last generation of processors to use the AM4 socket. The socket is now 4 years old and has lasted through three generations of Ryzen processors.
Motherboards with AMD’s 500 series chipsets will natively support the new Ryzens. Motherboards with the 400 series chipsets, however, will have to wait until January for the new beta BIOS to be released. The upgrade is forward only for X470 and B450 motherboards, meaning that once the BIOS is flashed, they will no longer support older generations of Ryzen processors. To avoid a “no-boot” situation, users will need to provide proof that they’ve purchased a Zen 3 desktop processor and a 400 series motherboard before they can download the BIOS.
AMD has also confirmed that its 5nm products are on track and that its graphics solutions built on “Big Navi” will be announced on Oct. 21.
Read our previous coverages for backgrounders on the topics covered here.
There is quite a bit of subjectivity in the cyber security business. One auditor will look at evidence and agree you are in compliance; another will say you are not. If you are going to protect sensitive information, do you encrypt it, obfuscate it, or segment it off and place it behind very tight identification and access controls before allowing users to access the data? Yes. As we advise our client base, it is essential that we have all the context necessary to make good risk-based decisions and recommendations.
Let’s talk about Connection’s artistic methodology. We start with a canvas that addresses the core components of cyber security: protection, detection, and reaction. By addressing each of these three pillars in a comprehensive way, we ensure that the full conversation around how people, process, and technology all work together to provide a comprehensive risk strategy is achieved.
Protection
People: Users understand threat and risk and know what role they play in the protection strategy. For example, if you see something, say something. Don’t let someone surf in behind you through a badge-check entry. And don’t think about trying to shut off your endpoint anti-virus or firewall. In today’s remote workforce environment, good employee security awareness, especially related to phishing, is essential.
Process: Policies are established, documented, and socialized. For example, personal laptops should never be connected to the corporate network. Also, don’t send sensitive information to your personal email account so you can work from home.
Technology: Some examples of the barriers used to deter attackers and breaches are edge security with firewalls, intrusion detection and prevention, sandboxing, and advanced threat detection. Security leaders need to become students of threat, and deploy the correct technology to protect, detect, and react to threat.
Detection
The mean time to identify an active incident in a network is 197 days. The mean time to contain an incident is 69 days.
People: Incident response teams need to be identified and trained, and all employees need to be trained on the concept of “if you see something, say something.” Detection is a proactive process.
Process: What happens when an alert occurs? Who sees it? What is the documented process for taking action?
Technology: What is in place to ensure you are detecting malicious activity? Is it configured to ignore noise and only alert you of a real event? Will it help you bring that 197-day mean time to detection way down?
Reaction
People: What happens when an event occurs? Who responds? How do you recover? Does everyone understand their role? Do you war game to ensure you are prepared WHEN an incident occurs?
Process: What is the documented process to reduce the Kill Chain—the mean time to detect and contain—from 69 days to 69 minutes? Do you have a Business Continuity and Disaster Recovery Plan to ensure the ability to react to a natural disaster, a significant cyber breach such as ransomware or DDoS, or—dare I say it—a pandemic?
Technology: What cyber security consoles have been deployed that allow you to quickly patch a system, change firewall rules, adjust ACLs or policy settings at an endpoint, or track a security incident through the triage process?
All of these things are important to create a comprehensive InfoSec Program. The science is the technology that will help you build a layered, in-depth defense approach. The art is how to assess the threat, define and document the risk, and create a strategy that allows you to manage your cyber risk as it applies to your environment, users, systems, applications, data, customers, supply chain, third party support partners, and business process.
More Art – Are You a Risk Avoider or Risk Transference Expert?
A better way to state that is, “Do you avoid all risk responsibility, or do you give your risk responsibility to someone else?” Hint: I don’t believe in risk avoidance or risk transference.
Yes, there is an art to risk management. There is also science if you use, for example, the Carnegie Mellon risk tools. But a good risk owner and manager documents risk, prioritizes it by risk criticality, turns it into a risk register or roadmap plan, remediates what is necessary, and accepts what is reasonable from a business and cyber security perspective. Oh, by the way, those same five cyber security professionals we talked about earlier have 17 definitions of risk.
As we wrap up this conversation, let’s talk about the importance of selecting a risk framework. It’s kind of like going to a baseball game: the program helps you know the players and the stats. What framework will you pick? Do you paint in watercolors or oils? Are you a National Institute of Standards and Technology (NIST) artist, an International Standards Organization (ISO) artist, or have you developed your own framework like the Nardone puzzle chart? I developed this several years ago when I was the CTO/CSO of the Commonwealth of Massachusetts. It has been artistically enhanced over the years to incorporate more security components, but it is loosely based on the NIST 800-53 and ISO 27001 standards.
When it comes to selecting a security framework as a CISO, I lean towards the NIST Cyber Security Framework (CSF) pictured below. This framework is comprehensive and provides a scoring model that allows risk owners to measure and target what risk level they believe they need to achieve based on their business model, threat profile, and risk tolerance. It has five functional focus areas. The ISO 27001 framework is also a very solid and frequently used model. Both of these frameworks can result in a Certificate of Attestation demonstrating adherence to the standard. Many commercial corporations do an annual ISO 27001 assessment for that very reason. More and more are leaning towards the NIST CSF, especially commercial corporations doing work with the government. Keep in mind that frameworks mature, and compliance requirements change. For example, if you are a commercial corporation doing business with the federal government, you will soon need to comply with the new Cybersecurity Maturity Model Certification (CMMC) to continue doing business with the government.
As I reflect upon my 40 years as a cyber security professional, I think of the many instances where the basic tenets of cyber security—those we think have common understanding—require a lot of additional explanation. For example, what is a vulnerability assessment? If five cyber professionals are sitting around a table discussing this question, you will end up with seven or eight answers. One will say that a vulnerability assessment is vulnerability scanning only. Another will say an assessment is much bigger than scanning and addresses ethical hacking and internal security testing. Another will say that it is a passive review of policies and controls. All are correct in some form, but the answer really depends on the requirements or criteria you are trying to achieve. And it also depends on the skills and experience of the risk owner, auditor, or assessor. Is your head spinning yet? I know mine is! Hence the “three parts art.”
GPS tracks sea turtle traffickers; Netflix Canada is hiking its prices, and IBM says goodbye to its managed infrastructure services. It’s all the tech news that’s popular right now. Welcome to Hashtag Trending! It’s Friday, October 9, and I’m your host Alex Coop. ===== Fake eggs fitted with GPS track sea turtle traffickers in…
IBM is saying goodbye to its legacy business by spinning off its managed infrastructure services into a new company and embracing a "$1 trillion hybrid cloud opportunity," according to chief executive officer Arvind Krishna.
Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how cybercriminals secure their assets and survive in the business in a new Trend Micro report. Also, read about how cybercriminals are tapping into Amazon’s Prime Day with phishing and malicious websites that are fraudulently using the Amazon brand.
Trend Micro researchers observed a new modus operandi involving a clever BEC campaign that uses social engineering to target French companies. Malicious actors impersonated a French company in the metal fabrication industry that provides services to several organizations. They then registered a domain very similar to the legitimate one used by the business and used it to send emails to their targets.
Cybercriminals are tapping into Amazon’s annual Prime Day with researchers warning of a recent spike in phishing and malicious websites that are fraudulently using the Amazon brand. There has been a spike in the number of new monthly phishing and fraudulent sites created using the Amazon brand since August, the most significant since the COVID-19 pandemic forced people indoors in March.
The big move to working remotely wasn’t completely difficult for Mark Houpt, CISO at DataBank. After all, he has been doing so since before COVID-19. However, when the pandemic hit, DataBank, like many other companies across the globe, had to help most of their employees transition securely and smoothly to virtual work. Read up on the several important security considerations this experience highlighted.
This summer, Google removed more than 240 Android applications from the Play Store for showing out-of-context ads and breaking a newly introduced Google policy against this type of intrusive advertising. Out-of-context ads are mobile ads that are shown outside an app’s normal container and appear as pop-ups or as full-screen ads.
As a result of our work-from-home (WFH) arrangements, there is an increased demand on networks as remote operations have created greater dependence on the IoT. Subsequently, now is a good time to re-examine the security of your network. Rather than only focusing on securing individual devices that can compromise a network, users should also secure the network to minimize threats across several devices.
The use of underground infrastructure is inherent to the modus operandi of a cybercriminal. In Trend Micro’s Underground Hosting series, it differentiates how cybercrime goods are sold in marketplaces and what kinds of services are offered. In this final part of the Underground Hosting report series, Trend Micro explores the methods criminals employ to secure their assets and survive in the business.
The Comcast XR11 voice remote controller was recently found to be vulnerable and could be turned into a spying tool that eavesdrops on users. Discovered by researchers at Guardicore, the attack has been named WarezTheRemote and is said to be a very serious threat, considering that the remote is used for over 18 million devices across the U.S.
In the first half of 2020, there was a 70% increase in inbound attacks on devices and routers compared to the second half of 2019, which included attacks on IoT systems. To protect customers effectively by continuously monitoring trends in IoT attacks, Trend Micro examined Mirai and Bashlite (aka Qbot), two notorious IoT botnet malware types, and shares the figures relating to these botnets’ command and control (C&C) servers, IP addresses, and C&C commands.
Last week the Cybersecurity and Infrastructure Security Agency published an advisory that hackers had penetrated a US federal agency. Now, clues uncovered by a researcher at cybersecurity firm Dragos and an FBI notification to hacking victims obtained by WIRED in July suggest that it was Fancy Bear, a team of hackers working for Russia’s GRU also known as APT28.
Like legitimate businesses across the globe seeking to improve their information security and protect their network infrastructure, cybercriminal businesses take similar precautions. Trend Micro Research released the final report in a series focused on this part of cybercriminal business: Underground hosting providers. Based on the report, it’s clear that understanding both the criminal business and the attacks themselves better prepares defenders and investigators to identify and eliminate threats.
As businesses are increasingly migrating to the cloud, securing the infrastructure has never been more important. According to research by Paul Litvak of Intezer Labs, two security flaws in Microsoft’s Azure App Services could have enabled a bad actor to carry out server-side request forgery (SSRF) attacks or execute arbitrary code and take over the administration server.
October 2020 marks the 17th year of National Cybersecurity Awareness Month, where users and organizations are encouraged to increase awareness of cybersecurity issues. To help raise awareness, Trend Micro’s Consumer Division breaks down the security issues you should be aware of and shares tips about how you can protect yourself and your family while working, learning, or gaming at home.
In part one of this blog series, Trend Micro talked about the different ways developers can protect control plane components, including Kube API server configurations, RBAC authorization, and limitations in the communication between pods through network policies. In this second part, Trend Micro focuses on best practices that developers can implement to protect worker nodes and their components.
Are you surprised that Comcast voice activated remote controllers could be turned into a spying tool? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.
A new variant of a sophisticated Android locker family used an innovative sequence to load its ransom note on infected devices. On October 8, the Microsoft Defender Research Team revealed that it had spotted a new Android locker variant using novel techniques to display its ransom note to its victims. This threat specifically targeted two components […]
The Smurf Attack is one of the oldest, simplest and most effective cyber-attacks, one that can bring many unpleasant consequences for any targeted company. Before trying to understand what a Smurf Attack is, we must first understand the concepts of DoS and DDoS. Denial-of-Service or Distributed Denial-of-Service attacks generally try to make a network’s resources […]
We often hear security experts speak about the benefits of using VPN services when using the Internet. VPNs certainly offer functionality that makes them very useful in the digital era. But have you ever wondered what exactly VPNs are and how to use them? If you have, then…
A team of five security researchers analyzed several Apple online services for three months and found as many as 55 vulnerabilities, 11 of which are critical in severity.
The flaws — including 29 high severity, 13 medium severity, and 2 low severity vulnerabilities — could have allowed an attacker to "fully compromise both customer and employee applications, launch a worm capable of
It's a bit of a mega one this week running over the 1-hour mark, but there's been an awful lot happen during the last week that I reckon is of interest. There's a decidedly adult theme running across the topics not by design, but just by pure coincidence between the Grindr incident, a query I got regarding erasing one's adult website browsing history and the IoT male chastity device full of security holes and potential requiring a grinder (not Grindr!) to remove. We live in interesting times...
Nowadays malware authors use a lot of techniques to hide malicious payloads in order to bypass security products and to make the malware analyst’s life harder (and more fun). There are many tools you can use to extract content from malware, and there is no standard process: you can use different tools, different techniques and different approaches to solve the same problem.
In this post I am going to quickly describe three (well, actually four, counting Method 0) of the main flows that let me unpack malware successfully. But let me repeat that there are many ways to do this; I simply want to share some personal notes on my favorite flows, without pretending to write full course material on how to unpack malware, a topic that would be worth a full university class.
NB: there is a lot to say about packers, what they are, how they behave, and even how many packer families are known, but this is not the place for that. What I am doing here is mostly focusing on quick shortcuts that are useful when you are in a rush, though not as powerful as debugging the entire process.
Method 0: Just Unpack It, I don’t care more
Well, if you are in a rush and just need to unpack a sample as quickly as possible, without caring about what is going on, Sergei Frankoff (@herrcore) and Sean Wilson (@seanmw) did a great job releasing Unpac.ME, a web application that tries to unpack your sample. There is a limited free plan, and it works most of the time, especially with known malware families.
Method 1: The quick way
One of the quickest ways to unpack malware is to figure out which packer was used to pack your sample. Once you know the packer, you just run the corresponding unpacker and you are done. Detect It Easy, better known as DiE, helps with this: it has a wide signature database tracking hundreds of different packers. The following image shows DiE spotting a simple (and very didactic, not really realistic) UPX packer.
Once you know it has been packed with UPX 3.91, go and grab that packer (in this case from https://upx.github.io/); the same binary is the unpacker (upx -d). Run it against your original sample and you get a new, unpacked PE file.
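The signature step DiE performs can be reproduced by hand. The following is an added example in Python, not code from the page, from DiE or from the UPX project: it walks the PE headers to the section table, flags UPX by its section names and its "UPX!" marker, and, as a generalization beyond a single signature, reports sections whose raw data has near-maximal entropy, which is the usual tell for a packer DiE has no signature for. The sample PE byte strings are constructed inline by build_pe and are not loadable binaries; header offsets follow the PE/COFF format.

```python
import hashlib
import math
import struct
from collections import Counter

# IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes)
SECTION_FMT = "<8sIIIIIIHHI"
SECTION_SIZE = struct.calcsize(SECTION_FMT)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0; compressed or encrypted data sits above ~7."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def read_sections(pe: bytes) -> list:
    """DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_hdr_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_hdr_size
    sections = []
    for i in range(num_sections):
        name, vsize, _va, rsize, rptr, _, _, _, _, flags = struct.unpack_from(
            SECTION_FMT, pe, table + i * SECTION_SIZE)
        raw = pe[rptr:rptr + rsize] if rsize else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "raw_size": rsize,
            "entropy": round(shannon_entropy(raw), 2), "characteristics": flags,
        })
    return sections


def detect_packer(pe: bytes) -> dict:
    """UPX signature (section names / 'UPX!' marker) plus a generic
    high-entropy heuristic for packers without a known signature."""
    sections = read_sections(pe)
    upx = any(s["name"].startswith("UPX") for s in sections) or b"UPX!" in pe
    high_entropy = [s["name"] for s in sections
                    if s["raw_size"] and s["entropy"] > 7.0]
    if upx:
        verdict = "UPX"
    elif high_entropy:
        verdict = "unknown packer or encrypted section"
    else:
        verdict = "none"
    return {"packer": verdict, "high_entropy": high_entropy, "sections": sections}


# ---- constructed sample input (not real binaries) --------------------------
def _noise(n: int, seed: bytes = b"seed") -> bytes:
    """Deterministic high-entropy bytes standing in for compressed code."""
    out = b""
    while len(out) < n:
        seed = hashlib.sha256(seed).digest()
        out += seed
    return out[:n]


def build_pe(sections) -> bytes:
    """Assemble DOS header + PE headers + section table + raw data from a
    list of (name, raw_bytes, virtual_size). Minimal headers, not loadable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = bytearray(224)                      # PE32 optional header, zeroed
    struct.pack_into("<H", opt, 0, 0x10B)     # Magic = PE32
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    hdr_len = e_lfanew + 4 + len(coff) + len(opt) + SECTION_SIZE * len(sections)
    raw_ptr = (hdr_len + 0x1FF) & ~0x1FF      # 512-byte file alignment
    table, blobs, vaddr = b"", b"", 0x1000
    for name, raw, vsize in sections:
        table += struct.pack(SECTION_FMT, name.ljust(8, b"\0"), vsize, vaddr,
                             len(raw), raw_ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        blobs += raw
        raw_ptr += len(raw)
        vaddr += max(vsize, 0x1000)
    hdr = dos + b"PE\0\0" + coff + bytes(opt) + table
    return hdr + b"\0" * (((hdr_len + 0x1FF) & ~0x1FF) - len(hdr)) + blobs


# UPX-style layout: UPX0 is empty on disk (it is the unpacking destination),
# UPX1 carries the compressed image, and the "UPX!" marker sits in the file.
UPX_SAMPLE = build_pe([(b"UPX0", b"", 0x8000),
                       (b"UPX1", b"UPX!" + _noise(4092), 0x1000),
                       (b".rsrc", b"\0" * 256, 0x1000)])
PLAIN_SAMPLE = build_pe([(b".text", b"\x55\x8b\xec" + b"\x90" * 1021, 0x1000),
                         (b".data", b"\0" * 256, 0x1000)])

if __name__ == "__main__":
    for label, sample in (("upx", UPX_SAMPLE), ("plain", PLAIN_SAMPLE)):
        r = detect_packer(sample)
        print(label, r["packer"], [(s["name"], s["raw_size"], s["entropy"]) for s in r["sections"]])
```

Run it on a real file with detect_packer(open(path, "rb").read()). The entropy threshold of 7.0 is a rule of thumb: ordinary x86 code lands around 6, while compressed or encrypted sections sit close to 8, so a section that is both high-entropy and paired with an empty-on-disk sibling is a strong packer hint even when no signature matches.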
Method 2: The slow but fun way to do it!
This is my favorite method since it is definitely faster than using a debugger and performing every step by yourself, but it is quite powerful as well, giving you control over many of the actions happening in memory. Before going into this method you need to know the following main assumptions.
The packer performs some operations on bytes (read from an external file, from the same file, or taken from the network), then aggregates those bytes and later passes execution flow (EIP) to them. We call those bytes the “payload”.
Injecting control flow is the main strategy used by packers.
Intercepting the injection flow abstracts us from the packer that was used.
It is now interesting to understand how injection happens on a Windows machine. Once we nail it, we will agree that a quick way to unpack malware is simply to grab the content of the allocated and injected memory before the main sample (or stub) transfers control by passing EIP and the stack to the new code.
Main Injection techniques to look for
Fortunately there are not thousands of different ways to inject shellcode into memory, so let’s take a closer look at the main ones. The most used is called process injection.
The process injection schema follows these main steps:
OpenProcess – The OpenProcess function returns a handle to an existing process object.
VirtualAllocEx – The VirtualAllocEx function allocates memory in the target process and sets the access permissions on the allocated region.
WriteProcessMemory – The WriteProcessMemory function writes data to an area of memory in a specified process.
CreateRemoteThread – The CreateRemoteThread function creates a thread that runs in the virtual address space of another process.
Another widely used technique is DLL injection, which follows these steps:
OpenProcess to obtain the handle of the target process into which we intend to inject our DLL.
Find the address of the LoadLibraryA function using GetModuleHandleA and GetProcAddress. LoadLibraryA loads a DLL into the calling process.
VirtualAllocEx to allocate memory in the target process for the path of the DLL we want to load.
WriteProcessMemory to write the DLL path into the allocated memory.
CreateRemoteThread to create a new thread, passing the address of LoadLibraryA as the start address and the address of the DLL path as the parameter for LoadLibraryA.
Process hollowing is a nice and widely used trick to evade endpoint security and to inject control flow. The main idea is to create a process in a suspended state, replace its original image in memory with the shellcode, and only then let it run. The steps are as follows:
Create a new target process in a suspended state. This is done by passing CREATE_SUSPENDED in the dwCreationFlags parameter of the CreateProcess Windows API.
Once the process has been created in a suspended state, create a new executable section. It is not bound to any process yet. This can be done with the ZwCreateSection function.
Locate the base address of the target process by querying it with the ZwQueryInformationProcess function. This gives the address of the process environment block (PEB); ReadProcessMemory is then used to read the PEB and, once again, to locate the entry point from the image headers.
Bind the section to the target process so that the shellcode can be copied into it. To do so, first map the section into the current process using ZwMapViewOfSection, passing the handle returned by GetCurrentProcess.
Copy each byte of the shellcode into the mapped section created in step 2.
Once the shellcode has been copied, map the section into the target process, again with ZwMapViewOfSection, this time passing the handle of the target process.
Once the section is mapped, locate and construct the patch for the target process so that it executes our shellcode instead of the original application code.
Once the patch is constructed, use WriteProcessMemory to write it at the target process entry point.
After writing the patch to the target process entry point, resume the thread using the ResumeThread function.
Abusing the Asynchronous Procedure Call (APC) mechanism is another way to inject shellcode into processes. Exploiting this Microsoft functionality follows these steps:
Create a new target process in a suspended state. This is done by passing CREATE_SUSPENDED in the dwCreationFlags parameter of the CreateProcess Windows API.
Once the process has been created, obtain the handle of the target process using the OpenProcess Windows API.
Allocate memory for our shellcode in the target process using the VirtualAllocEx Windows API.
Obtain the handle of the primary thread of the target process using the OpenThread Windows API.
With the thread handle, add a user-mode asynchronous procedure call (APC) object to the APC queue of that thread using the QueueUserAPC Windows API, pointing it at the memory address of our shellcode.
To trigger our shellcode, resume the suspended thread using the ResumeThread Windows API.
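The four call sequences above (process injection, DLL injection, process hollowing and APC injection) are exactly what an analyst looks for in a sandbox or API-hook trace. The following is an added example in Python, written for this page and not taken from it or from any tool it mentions: a matcher that takes a recorded trace, reports which of the four sequences it contains, and lists the WriteProcessMemory regions a dumper would copy out before EIP is handed to them. The trace format and the argument names a hook records are assumptions of the example (names follow the Win32 prototypes), and the sample traces are constructed, not captured from real malware. It goes slightly beyond the lists above in that unrelated calls may be interleaved (ordered subsequence match) and the A/W suffixes of ANSI/Unicode variants are folded.

```python
import re
from dataclasses import dataclass, field
from typing import Dict

CREATE_SUSPENDED = 0x00000004   # dwCreationFlags bit of CreateProcess


@dataclass
class Call:
    """One hooked API call: its name plus the arguments the hook recorded."""
    api: str
    args: Dict[str, object] = field(default_factory=dict)


def _norm(api):
    """Fold the ANSI/Unicode suffix: CreateProcessW -> CreateProcess."""
    return re.sub(r"(?<=[a-z])[AW]$", "", api)


def _suspended(c):
    return bool(c.args.get("dwCreationFlags", 0) & CREATE_SUSPENDED)


def _starts_at_loadlibrary(c):
    return c.args.get("lpStartAddress") == "LoadLibraryA"


# Each pattern is the ordered API sequence listed above; a predicate on the
# arguments separates variants that share the same call names.
PATTERNS = {
    "dll_injection": [
        ("OpenProcess", None),
        ("GetProcAddress", lambda c: c.args.get("lpProcName") == "LoadLibraryA"),
        ("VirtualAllocEx", None),
        ("WriteProcessMemory", None),            # the DLL path
        ("CreateRemoteThread", _starts_at_loadlibrary),
    ],
    "process_injection": [
        ("OpenProcess", None),
        ("VirtualAllocEx", None),
        ("WriteProcessMemory", None),            # the shellcode itself
        ("CreateRemoteThread", lambda c: not _starts_at_loadlibrary(c)),
    ],
    "process_hollowing": [
        ("CreateProcess", _suspended),
        ("ZwCreateSection", None),
        ("ZwQueryInformationProcess", None),
        ("ReadProcessMemory", None),             # PEB, then entry point
        ("ZwMapViewOfSection", None),            # into the current process
        ("ZwMapViewOfSection", None),            # into the target process
        ("WriteProcessMemory", None),            # entry-point patch
        ("ResumeThread", None),
    ],
    "apc_injection": [
        ("CreateProcess", _suspended),
        ("OpenProcess", None),
        ("VirtualAllocEx", None),
        ("OpenThread", None),
        ("QueueUserAPC", None),
        ("ResumeThread", None),
    ],
}


def matches(trace, steps):
    """Ordered subsequence match: every step must occur in order, with any
    number of unrelated calls in between."""
    i = 0
    for call in trace:
        api, pred = steps[i]
        if _norm(call.api) == api and (pred is None or pred(call)):
            i += 1
            if i == len(steps):
                return True
    return False


def remote_writes(trace):
    """Regions written into the other process: the memory a dumper should
    copy out before control is transferred to it."""
    return [(c.args.get("lpBaseAddress"), c.args.get("nSize"))
            for c in trace if _norm(c.api) == "WriteProcessMemory"]


def classify(trace):
    """Return (matched technique names, remote write regions)."""
    return [n for n, s in PATTERNS.items() if matches(trace, s)], remote_writes(trace)


# ---- constructed traces, one per technique (not captured from real samples)
SAMPLE_TRACES = {
    "classic": [Call("OpenProcess", {"dwProcessId": 4242}),
                Call("VirtualAllocEx", {"dwSize": 0x1000, "flProtect": 0x40}),
                Call("WriteProcessMemory", {"lpBaseAddress": 0x20000, "nSize": 0x1000}),
                Call("CreateRemoteThread", {"lpStartAddress": 0x20000})],
    "dll": [Call("OpenProcess", {"dwProcessId": 4242}),
            Call("GetModuleHandleA", {"lpModuleName": "kernel32.dll"}),
            Call("GetProcAddress", {"lpProcName": "LoadLibraryA"}),
            Call("VirtualAllocEx", {"dwSize": 0x100}),
            Call("WriteProcessMemory", {"lpBaseAddress": 0x30000, "nSize": 24}),
            Call("CreateRemoteThread", {"lpStartAddress": "LoadLibraryA", "lpParameter": 0x30000})],
    "hollowing": [Call("CreateProcessW", {"lpApplicationName": "svchost.exe",
                                          "dwCreationFlags": CREATE_SUSPENDED}),
                  Call("ZwCreateSection"), Call("ZwQueryInformationProcess"),
                  Call("ReadProcessMemory"), Call("ReadProcessMemory"),
                  Call("ZwMapViewOfSection", {"ProcessHandle": "self"}),
                  Call("ZwMapViewOfSection", {"ProcessHandle": "target"}),
                  Call("WriteProcessMemory", {"lpBaseAddress": 0x401000, "nSize": 7}),
                  Call("ResumeThread")],
    "apc": [Call("CreateProcessA", {"dwCreationFlags": CREATE_SUSPENDED}),
            Call("OpenProcess"), Call("VirtualAllocEx", {"dwSize": 0x800}),
            Call("WriteProcessMemory", {"lpBaseAddress": 0x50000, "nSize": 0x800}),
            Call("OpenThread"), Call("QueueUserAPC", {"pfnAPC": 0x50000}),
            Call("ResumeThread")],
    "benign": [Call("OpenProcess"), Call("ReadProcessMemory"), Call("CloseHandle")],
}
```

The predicates are what keep the patterns apart: DLL injection and classic injection share OpenProcess, VirtualAllocEx, WriteProcessMemory and CreateRemoteThread, and only the thread start address (LoadLibraryA versus the written buffer) tells them apart, which is why a detector that only counts imported names, as in the IAT look later in this post, raises suspicion but cannot name the technique.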
The last method I am going to describe in these personal notes (there are many more out there) is called Process Doppelgänging. It is quite a recent technique, and it uses a little-known API for NTFS transactions.
Briefly speaking, we can create a file inside a transaction, and as long as the transaction is not committed that file is not visible to any other process. This can be used to drop and run malicious payloads unnoticed: if we roll back the transaction at the right moment, the operating system behaves as if the file had never been created.
Process Doppelgänging is a similar technique used to inject control flow and to evade common AV. It follows these steps:
All these methods are useful for injecting payloads into memory and running them while keeping a very low detection rate. Our goal is to intercept these techniques and dump the freshly injected payload.
Intercepting these techniques and dumping the payload
Now that we know the main techniques malware uses to unpack itself into memory, we are ready to understand how to hook such functions in order to grab the payload (which holds the real behavior). Again, there are many ways to perform this memory extraction; I have changed workflows at least four times so far, but the one I prefer at the moment is using PE-sieve (download from HERE) to extract injected objects. PE-sieve is not able to judge the dumped files (are they malicious or not?), so you cannot consider every extracted artifact malicious; you need to analyze them manually and draw your own conclusions.
But let’s start with a practical example. The following image shows a PE file pretending to be a PNG image.
Looking at the sections and the import table (IAT), we observe that the sample imports only a handful of functions, some of which (VirtualProtect, GetProcAddress, MoveMemory, etc.) are typical of the in-memory unpacking we have just seen, where malware unpacks itself without touching the hard drive.
Even the embedded resources are quite “heavy”, which suggests they hide some piece of code (??). So… we have a PE file that pretends to be an image, imports only suspicious functions and carries a quite heavy resource. Could it be malware?
Well, we have ideas and suspects, but let’s see whether it injects code into memory and what that code does. Here PE-sieve comes to help. First of all you need to sacrifice a system :D. Yep, really: you run the sample on the target and, alongside it, you run pe-sieve giving it the PID of the suspicious process. PE-sieve scans the process memory for the injection patterns described above and, as soon as it finds one, dumps whatever the sample injected (good files, malicious implants, etc.). The following image shows the implants found when running that sample.
The dumped files are placed into a directory named after the monitored PID.
We get several files in that directory. There is a .json report that can be used to automate the results and wrap them into external projects without using the provided PE-sieve.dll. We have a couple of shellcode dumps (.shc) and three PE files. The 400000.cursor.exe is interesting, since it has 600KB of code, it is executable, and it carries a new icon different from the original one. Let’s check its properties (following image).
Now let’s roll back our sacrificed VM and run this new file on it, then check its memory to see whether something more is happening there.
It looks like we have clear text: no additional encryption/packing stage shows up in memory. We can now continue with classic malware analysis techniques, staging static and dynamic analysis. And, yes, since you are sacrificing your virtual machine again, maximize the effort by also capturing network traffic to see where the sample tries to communicate.
We are facing a nice example of TrickBot, version 1000512, tag tot793. The following image shows the same information coming from the internal system calls rather than from the network traces.
So we nailed it. We have just extracted the real payload and then figured out it was TrickBot.
Method 3: The old fashioned way (debugger)
Everything can be done from the debugger. You can find the API patterns above by yourself, then follow the system calls and stop and copy whenever you want. You can extract or modify the sample’s behavior on the fly and re-run it as many times as you need. Yes, you can, but this takes a lot of time, and time runs against the economics: the more time your analysis takes, the more expensive you are, and the more expensive you are, the fewer customers you can have, both money-wise (expensive = for few, cheap = for many) and time-wise (you have 24 hours a day, and after those hours you cannot accept more customers). So you need to find a balance between quality/fun and time.