Infosec Island Latest Articles
https://infosecisland.infosecisland.com
Adrift in Threats? Come Ashore!

The Upcoming Oracle CPU: Struggling to Keep Pace with Vulnerabilities
https://www.infosecisland.com/blogview/24946-The-Upcoming-Oracle-CPU-Struggling-to-Keep-Pace-with-Vulnerabilities.html
Wed, 28 Jun 2017 11:27:00 -0500

Oracle releases a collection of security fixes for its products on the Tuesday closest to the 17th day of January, April, July, and October. These fixes are known as a Critical Patch Update (CPU); they are typically cumulative and address security vulnerabilities in Oracle products. April’s update, with fixes for 299 vulnerabilities across Oracle's platform, was its largest CPU to date.

With the next CPU landing on July 18, there’s plenty to consider.

The database and cloud computing giant sees its software used for vital operations by most of the Fortune 500. The Java-based open source software is used in mission-critical environments across the globe and on more than 15 billion devices.

April’s CPU contained patches for core components of Java products, many of them linked to commonly used third party software that is standard among large financial services firms, healthcare providers and transportation companies. These sectors are constantly under attack from malicious hackers, making it of utmost importance to apply the most recent security patches as soon as possible – a task that can take even the most sophisticated organization months to complete.

With these releases, we have one of the largest software vendors in the world, with expert security resources and dedicated testing and remediation teams, belatedly discovering and responding to the presence of major, known-vulnerable components buried deep in the software stacks of their core software platforms.

To put things in perspective, Oracle finds a new flaw in their products every 100 hours. Some of the flaws included in the most recent CPU date back to 2012. Now, to be fair, every software developer releases the equivalent of the Oracle CPU. However, Oracle’s market share makes it the bellwether of the entire industry.

That’s five years of an open, unpatched vulnerability. Among the others are more than thirty Java-related Common Vulnerabilities and Exposures (CVEs), eight of which directly affect the core Java platform. Nearly 70% of the Java-related CVEs are remotely exploitable without authentication.

Addressing years-old vulnerabilities in current patches is proof that we’re approaching a crisis point where our ability to respond in a timely and effective manner is at risk. We continue to rely primarily on traditional approaches that can’t keep up with the pace and volume of vulnerabilities. That’s not a sustainable model. This matters to so many organizations because of the ubiquity of third party software. In a recent report on more than a thousand commercial web applications, 96% included third party code. Of that, 67% had known vulnerabilities, with 52% being high severity vulnerabilities.

Open source components are not automatically or routinely patched, and it’s a challenge to keep up with vulnerabilities that require frequent patching. Unlike software from major developers, where patches are sent on a schedule, open source code in libraries and central repositories normally requires a user to seek a patch or develop their own.

Fortunately, proven technology exists to help alleviate the massive scope of these security updates. Many companies offer solutions that approach application monitoring in a new way, along with protection using a secure virtual container in server and cloud environments. Third party options offer approaches that behave like a patch without making code changes or affecting runtime speed, blocking attacks because they operate more deeply in the software, monitoring network packets, file system calls and CPU instructions.

The April CPU showed the scale of the challenge that the IT industry faces in securing modern modular enterprise applications that are composed of dozens or sometimes hundreds of third-party libraries and modules. Here’s something to think about next month: If a top vendor like Oracle struggles to account for and secure their third-party library dependencies in a major software platform like Oracle Fusion, then how can an “ordinary” enterprise that is not a sophisticated IT vendor be expected to do any better?

The fact that we’re still addressing vulnerabilities associated with Struts v1 and Apache Commons years after the issues were first raised is both surprising and troubling. The Struts 2 patch is less surprising because it was first announced in March 2017, but still no less troubling as it points to the continuing issues associated with third party software components.

An average of ten new open source flaws are reported every day. But the ability to find these problems isn’t the issue. It’s fixing them. Oracle's security team is doing the best it can, but like all cybersecurity teams, they struggle to keep up with the constant waves of vulnerabilities that are being discovered.

Every effective cybersecurity approach developed over the past two decades is fully integrated into the way businesses protect themselves today. The massive scale of vulnerabilities and ubiquity of software flaws, though, means that the measures we’ve relied upon for twenty-plus years are now unable to provide the level of protection required going forward.

Diligent system maintenance, consistent patching, and both automated and manual third-party security solutions are all necessary for end-users to be fully protected.

About the author: James Lee is the Executive Vice President and Chief Marketing Officer at Waratek Inc., a pioneer in the next generation of application security solutions.

Copyright 2010 Respective Author at Infosec Island
Malware Prevention Key to Countering Evasive Attack Techniques
https://www.infosecisland.com/blogview/24945-Malware-Prevention-Key-to-Countering-Evasive-Attack-Techniques.html
Wed, 28 Jun 2017 09:26:52 -0500

Security teams had an unpleasant wake-up call on May 12, as a malware attack dubbed WannaCry spread rapidly to hundreds of companies, holding hundreds of thousands of systems hostage by ransomware until it was slowed down by a young security researcher. Those who know their systems are vulnerable were reminded once again of the potential damage these worms can cause: inability to access files leads to downtime, lost productivity, and more.

Instead of running fire drills and wringing their hands, companies should look at what happened as an opportunity to reflect upon their endpoint security architecture and try to better understand the role of the various defense layers that comprise it. As the post-WannaCry reports shed light on what happened, it’s useful to discuss questions like: What controls could have dampened the worm’s propagation? What measures could have been effective at preventing the infection? How might these security controls work or fail in future, copycat variations of this attack?

A widespread malware attack that exploits a known Microsoft vulnerability should not surprise anyone who is paying attention. Ransomware incidents have spiked, with damage totals increasing from $325 million in 2015 to a projected $5 billion in 2017. The SANS Institute reports that malware programs capable of evading detection rose 2000% in one year (2014-2015). Evasive techniques enable malware to bypass firewalls, gateways, and sandbox discovery tools. Configuration techniques like extended sleep and fast flux are quite common. Legacy systems, third-party devices and loosely administered computers are among those hit hardest. It’s important to assess risk regularly: confirm that endpoint defenses across the enterprise are in place, functioning as expected, and integrated to reinforce each other. More emphasis should be placed on prevention as a primary defense; detection methods are an important back-up layer, but are not foolproof and often lead to delayed incident response.

The best methods for defending against WannaCry and similar incidents are not a mystery; basic best practices can be executed with free and commercial tools. In any given attack, some security components might fail. Consider potential scenarios and plan to mitigate the biggest risks. For example, backing up important data is an essential defense against ransomware attacks. The following measures help establish a resilient environment:

  • Segment the network and block unnecessary protocols. WannaCry attacked over the SMB protocol. Microsoft recommends not using this protocol, but if you still need to, be sure to block access from outside the organization.
  • Keep up with security patches. WannaCry exploited a Microsoft Windows vulnerability that has been available for some time. Some machines cannot be patched quickly enough, and sometimes can’t be patched at all. In this case, be sure to harden the unpatched machines.
  • Install and regularly update anti-malware software. From the beginning, AV vendors were successfully identifying WannaCry components as malicious.

Stealthy attack methods are designed to evade these baseline mechanisms, so you also need endpoint defenses that disarm viruses not recognized by AV. This forces malware authors to “pick their poison.” If they design malware with evasive capabilities, prevention-oriented approaches can simulate an environment of security tools, which paralyzes evasive malware and forces it to abort the attack before any damage is done. If the attacker doesn’t implement stealthy techniques, baseline antivirus will block the specimen.

It appears that the WannaCry authors didn’t implement evasion techniques (e.g., sandbox avoidance and memory injection), but it is quite possible that future derivatives will. By combining a preventative malware-neutralizing approach with baseline antivirus solutions, organizations will be protected regardless of which method malware developers choose.

It can be difficult to defend legacy systems and services without impeding performance, violating vendor contracts, or inconveniencing business users. Attackers are well aware that systems missing patches are often also missing baseline antivirus and other endpoint defenses; the WannaCry worm was optimized to propagate rapidly through vulnerable machines.

Malware vaccination can help stabilize legacy technology and distributed systems. Any enterprise not yet using an anti-evasion solution can immunize themselves against fast-spreading worms with vaccination. New approaches that simulate infection markers are proving to be effective in real world scenarios. Centrally managing vaccination through simulated infection eases deployment while preserving forensics capabilities and overall performance.

Some defenses (e.g., infection markers and sandbox malware analysis) are too computationally intensive to be practical for universal or continuous deployment. Detection-based solutions aren’t foolproof and generate false positives and alerts that have to be prioritized. Prevention-based solutions that account for evasive techniques can be extended to every endpoint via low-footprint agents that neutralize malware before it ever executes itself.

We can’t stay in the malware arms race by building a tool for every trick malware creators conjure up. It’s critical that we develop broadly applicable methods that frustrate their efforts by turning those tricks into defensive weapons. Creative countermeasures like malware prevention leverage the evasive mechanisms built into viruses to shut them down before they can sneak in and wreak havoc.

About the author: Eddy Boritsky is the CEO and Co-Founder of Minerva, an endpoint security solution provider. He is a cyber and information security domain expert. Before founding Minerva, Eddy was a senior cyber security consultant for the defense and financial sectors.

Don’t get lost in translation when managing mixed firewall estates
https://www.infosecisland.com/blogview/24944-Dont-get-lost-in-translation-when-managing-mixed-firewall-estates.html
Tue, 27 Jun 2017 09:07:00 -0500

The first commercial firewall, the DEC SEAL, shipped in 1992. 25 years later the firewall is still the core building block of organizations’ security infrastructures. Of course, it has evolved dramatically since those early days, with each stage of evolution adding ever more sophisticated security features.

We’ve evolved from the stateful firewall, which filters bi-directional traffic streams as a whole, requiring users to write policies only for outgoing traffic, to the next-generation firewall (NGFW), which supports more granular filtering and deep packet inspection to identify application-specific traffic, not just network protocols and port numbers. The adoption of virtualized datacenters led to the development of virtualized firewalls, adding even more devices that need to be managed. And now, with the move to private and public clouds, there are even more security controls available: commercial cloud firewalls, the cloud providers’ own controls, and host-based firewalls.

Translation problems

The current reality is that organizations typically have very mixed environments: a mixture of firewall generations, technologies, and vendors. Managing such a mix is a challenge because each generation of firewalls, and each vendor’s products, use different syntax and semantics for creating security policies.

For example, let’s look at an enterprise network which uses both traditional firewalls and NGFWs. The organization may have a company-wide policy of blocking access to social media sites, but its marketing department needs to be able to access Facebook. Facebook traffic passes through both types of firewall – which means new security policies need to be written for both.

For the NGFW, this is simple and intuitive. Facebook can be set as a predefined, ‘allowed’ application in the firewall rulesets, while access to other social media sites, and from other departments, is blocked. However, the traditional firewall cannot understand the term ‘Facebook’: it needs a rule expressed in its own ‘source’, ‘destination’, ‘service’ and ‘action’ fields, using the protocols Facebook traffic actually runs over – http and https.

So actually, making the security policy changes on the NGFW and traditional firewall involves very different processes and languages. The engineers configuring the devices must clearly understand the mapping between the applications (as they are defined in the NGFW), and their respective services, protocols and ports (as defined in the traditional firewall), so that the rules and policies can be set properly across both environments.

Any mistake or ‘translation error’ between products when writing those policies or making network changes has the potential to cause unexpected application outages or introduce security holes, either because crucial traffic is inadvertently blocked or because other traffic is accidentally allowed. Multiply this across the dozens or even hundreds of firewalls on a typical enterprise network, and it’s a recipe for a hot mess.
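As an added illustration (not code from the original article or any vendor product), the following Python models the translation described above: an NGFW rule keyed on an application is expanded into the legacy firewall's source/destination/service/action form, and sample flows are run through both rule sets to surface exactly the kind of ‘translation error’ that admits unwanted traffic. The application catalog, zone names and address-group names are assumed values.

```python
"""Application-level rule -> legacy five-field rule, with a divergence check.

Added example (not from the original article or any vendor). The application
catalog, zone names and destination address groups are assumed values.
"""
from dataclasses import dataclass
from typing import List

# Assumed NGFW application catalog: which services an application rides on and
# which legacy address-group objects its endpoints resolve to.
APP_CATALOG = {
    "facebook": {"services": ["tcp/80", "tcp/443"], "destinations": ["grp-facebook-net"]},
    "youtube": {"services": ["tcp/443", "udp/443"], "destinations": ["grp-google-video"]},
}


@dataclass
class NgfwRule:
    name: str
    source: str        # zone / department, e.g. "marketing"; "any" matches all
    application: str   # app-id such as "facebook"
    action: str        # "allow" or "deny"


@dataclass
class LegacyRule:
    name: str
    source: str
    destination: str   # address-group object or "any"
    service: str       # "tcp/443" style, or "any"
    action: str


@dataclass
class Flow:
    source: str
    destination: str
    service: str
    application: str   # what the NGFW's application identification would report


def translate(rule: NgfwRule, pin_destinations: bool = True) -> List[LegacyRule]:
    """Expand one application rule into the legacy firewall's vocabulary.
    With pin_destinations=False only the service (http/https) has been translated
    and the destination is left as "any": the widening to watch for."""
    entry = APP_CATALOG[rule.application]
    dests = entry["destinations"] if pin_destinations else ["any"]
    return [
        LegacyRule(f"{rule.name}/{svc}/{dst}", rule.source, dst, svc, rule.action)
        for dst in dests
        for svc in entry["services"]
    ]


def _field_matches(rule_value: str, flow_value: str) -> bool:
    return rule_value == "any" or rule_value == flow_value


def ngfw_decision(flow: Flow, rules: List[NgfwRule]) -> str:
    """First-match evaluation with an implicit deny at the end."""
    for r in rules:
        if _field_matches(r.source, flow.source) and _field_matches(r.application, flow.application):
            return r.action
    return "deny"


def legacy_decision(flow: Flow, rules: List[LegacyRule]) -> str:
    """Same first-match semantics, but keyed on destination and service, not application."""
    for r in rules:
        if (_field_matches(r.source, flow.source)
                and _field_matches(r.destination, flow.destination)
                and _field_matches(r.service, flow.service)):
            return r.action
    return "deny"


def divergences(flows: List[Flow], ngfw: List[NgfwRule], legacy: List[LegacyRule]) -> List[str]:
    """Flows the two firewalls would treat differently: each one is a translation
    error that either blocks wanted traffic or admits unwanted traffic."""
    out = []
    for f in flows:
        a, b = ngfw_decision(f, ngfw), legacy_decision(f, legacy)
        if a != b:
            out.append(f"{f.source}->{f.destination} {f.service} app={f.application}: ngfw={a} legacy={b}")
    return out


# Constructed sample: company-wide block on social media, Marketing may use Facebook.
NGFW_POLICY = [NgfwRule("mkt-facebook", "marketing", "facebook", "allow")]
SAMPLE_FLOWS = [
    Flow("marketing", "grp-facebook-net", "tcp/443", "facebook"),   # wanted traffic
    Flow("marketing", "grp-twitter-net", "tcp/443", "twitter"),     # must stay blocked
    Flow("sales", "grp-facebook-net", "tcp/443", "facebook"),       # other department
]

if __name__ == "__main__":
    pinned = translate(NGFW_POLICY[0])
    service_only = translate(NGFW_POLICY[0], pin_destinations=False)
    print("pinned translation:", divergences(SAMPLE_FLOWS, NGFW_POLICY, pinned))
    print("service-only translation:", divergences(SAMPLE_FLOWS, NGFW_POLICY, service_only))
```

Run as a script it reports no divergence for the pinned translation and one for the service-only translation, where the Twitter flow is denied by the NGFW but allowed by the legacy rule.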

Cloud complications

When these processes are extended to cloud deployments, IT teams encounter additional challenges, depending on the cloud security controls being used. One cloud provider may offer the ability to associate multiple security groups with a particular server, while another may allow only a single security group – but may also allow security groups to be associated with all the servers in a VLAN. At a high level, you may be able to identify a lowest common denominator for basic traffic filtering, but once you want to start doing the more elaborate, granular filtering required for enterprise networks, some providers will have certain capabilities and others will not.

And again, each provider has a different semantic model of what you can filter, and where those controls are applied; these will also differ from the on-premise firewalls that an organization will already have in place.

These different languages mean that taking an organization’s security policy, and applying it across several different types of firewall across a heterogeneous network environment is extremely complicated – meaning that making even outwardly simple changes (such as enabling Facebook or Youtube access for a department in the company) is fraught with risk.

Breaking down language barriers

So how do you remove the risk from making what should be simple, business-led changes to security policies – and reduce the need for IT teams to speak multiple firewall languages fluently? What’s needed is a way to translate between the different syntaxes and phrases that each type of security control – whether on premise or in the cloud – uses to build its rules and policies, so that IT teams can make their security estate understand the language of their business.

To transcend language barriers and effectively optimize and manage security across a mixed environment from a single console with a single set of commands, you need an automated management solution with four key capabilities:

  1. Visibility and control: You need to be able to visualize all of the firewalls, gateways and security controls on your entire network, in a single pane of glass.
  2. Managing normal changes. You need to be able to configure and manage these security products holistically as part of normal, day-to-day operations. So the solution you choose must be able to translate and interpret the different syntax and logic used by all your various security controls, and automate the implementation of security policy changes consistently. The solution should also document all these changes.
  3. Managing larger changes. Major network architecture changes also place great demands on security policy management. You need to be able to automatically adjust your security policies across the heterogeneous environment when you migrate data centers or applications to the cloud, for example, or when a team moves from one vendor to another.
  4. Demonstrating compliance. Network security is a key area in which you need to be able to demonstrate compliance to auditors and regulators. A solution which automatically tracks all processes and changes, proactively assesses risk and provides out-of-the-box audit reports can help you be audit-ready and maintain continuous compliance.

A common tongue

With the right solution, organizations can ensure that their entire estate of firewalls both understands and responds to a common set of security requirements, no matter where they are deployed. This enables policies to be applied consistently, without time-consuming, error-prone manual processes, and ensures network traffic can move securely across both on-premise networks and private or public cloud environments. After all, your business’ security and compliance are two things that you can’t afford to get lost in translation.

Make Sure We're Using the Same Language
https://www.infosecisland.com/blogview/24942-Make-Sure-Were-Using-the-Same-Language.html
Tue, 27 Jun 2017 06:01:00 -0500

A new spin on an old cyberattack threat was uncovered earlier this year by a Chinese security researcher, and has been reported on extensively by security press and publications.

While this repurposed threat has not yet been seen or experienced publicly, it is a particularly devious one that can potentially lead to a spate of phishing attacks meant to spread malware and steal critical credentials.

The re-spun threat leverages non-ASCII characters found in non-English alphabets, many of which either strongly resemble or are identical to characters in the English or Latin alphabet. It was for this reason that the International Corporation for Assigned Names and Numbers (ICANN), the non-profit organization responsible for the maintenance and security of the databases constituting the Internet’s naming conventions, decided that using the computer industry standard for representing text in the most used writing systems, known as Unicode, would be too confusing, because many Unicode characters look alike. That could be confusing and could lead to insecurities in Internet naming; it could also easily spawn phishing attacks.

This sort of attack is known as an internationalized domain name (IDN) homograph attack. It’s akin to another form of attack, typosquatting, in which a hacker leverages a similar, but usually misspelled word or brand name for nefarious purposes, like creating websites for phishing and credential theft.

Instead, ICANN decided to use Punycode for Internet naming. Punycode is a way to represent various non-ASCII characters – such as characters in non-English or non-Latin writing systems – in ASCII characters using sequences of English alphabet letters, numbers and hyphens.

Web browsers were intended to read Punycode characters for a URL and then, in the browser, translate them into Unicode characters. But, many web browser developers realized that Punycode could be used for malicious purposes, such as cloaking URLs for websites created for phishing as valid URLs and websites.

Some web browsers, attempting to block spoofed URLs using different writing systems and their differing alphabets, included filters which would discern if a URL mixed various alphabets. If a URL contained both English/Latin and Cyrillic characters, for example, instead of rendering the URL in Unicode, the browser would render the URL characters in Punycode. These browsers would only render a URL in Unicode if all the characters contained in the URL were from the same language and alphabet. For instance, the word “Bank” is spelled as such using English/Latin alphabet letters in Punycode; but, if someone tried to spell “Bank” using the Cyrillic letter “ve” (в) at the start of the word, while the mixed alphabet word would look like “вank”, the URL would be displayed as “xn--ank-edd”, the Punycode equivalent, as it would be mixing English/Latin and Cyrillic letters.

This all made sense, until earlier this year, when Xudong Zheng, a Chinese security researcher, uncovered a new attack variation.

The variation is, if a domain were to be registered in a language with alphabet characters that closely resembled the English/Latin alphabet, the URL would remain in Unicode and not be translated into Punycode, thereby spoofing the real web site’s URL, enabling a malicious person to setup a phishing website using what appears to be a legitimate URL.

While this attack has not yet been found “in the wild”, it is an extremely dangerous variant because it is almost completely undetectable. Potentially, only a sharp-eyed, trained observer might notice the slightest differences between the URLs; and then, only a truly security-conscious person might look up the web page’s certificate, which would show the URL in Punycode. Other than that, the phishing page and attack could be imperceptible.

The example Mr. Xudong used in his blog post was “apple.com”. Simply using the lowercase Cyrillic letters “a” (а), “er” (р), “ye” (е) and “palochka” (ӏ) – which, in Punycode, reads “xn--80ak6aa92e” – he created a phishing web page which appears to be from the “apple.com” domain.

Another example of a potential URL that could be created to fool users is “paypal.com”. Using the Cyrillic lowercase letters “er” (р), “a” (а) and “u” (у), and an uppercase “palochka” (Ӏ) – in Punycode, “xn--80aa0cbo66e” – in certain web browsers, the URL would appear as “раураӀ.com”. As you can see, it’s nearly impossible to tell the difference between the real URL using English/Latin letters and the URL using Cyrillic letters.

In the initial research findings, several very popular web browsers fell victim to this homographic attack. Google Chrome, Mozilla Firefox, and Opera could not differentiate between the English/Latin letters and Cyrillic letters in a URL. And, since only one writing system or alphabet was used, and it wasn’t a mixed alphabet being used, there were no red flags raised.

Since this attack variant was first reported, Google has upgraded Chrome to address this issue.  A permanent fix to address the Punycode issue landed in Chrome Stable 58. Opera addressed the situation in a late April 2017 release (Opera Stable 44.0.2510.1449).

Mozilla has, to date, not made public whether it will address this issue in a dedicated patch or future release. However, Mozilla did augment their “whitelist with something based on ascertaining whether all the characters in a label all come from the same script, or are from one of a limited and defined number of allowable combinations.” Mozilla is betting that any mixed language or “script” homographs “will be recognizable to people who understand that script.” There is also a manual way in which Firefox users may turn on Punycode to display the URL instead of Unicode: in the address bar, type about:config, and change the network.IDN_show_punycode attribute to “true”.

Microsoft Edge and Internet Explorer, and Apple Safari have thus far been immune to this attack. Apart from changing web browsers, other options that can alleviate this threat include isolation technology, making use of disposable virtual containers and advanced rendering technology.

While it hasn’t been seen or released into the wild – yet – this IDN homographic attack is simultaneously, deviously innovative and treacherous, and something that needs to be planned for before it’s launched as an invisible, undetectable phishing assault.
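For defenders who want to triage hostnames the way the article describes browsers doing it, here is an added Python example (not from the original article or from Mr. Zheng's post). It decodes Punycode labels with the standard library's raw RFC 3492 codec, flags mixed-script labels (the check that turns “вank” into “xn--ank-edd”), and then, for the single-script case that evades that check, compares a Latin “skeleton” of the label against a watch list. The watch list and the small confusable map are assumptions constructed for the example; a production tool would load Unicode's confusables data instead.

```python
"""Homograph triage for internationalized hostnames.

Added example, not code from the original article. Standard library only:
the 'punycode' codec (raw RFC 3492, no nameprep), unicodedata for script
names, and a hand-built confusable map (an assumption, deliberately small).
"""
import unicodedata

# Hypothetical watch list of names a defender wants lookalikes reported for.
PROTECTED = {"apple.com", "paypal.com", "bank.com"}

# Cyrillic letters whose glyphs are visually close to Latin letters
# (constructed for this example; not the full Unicode confusables table).
CONFUSABLES = {
    "\u0430": "a",  # а
    "\u0435": "e",  # е
    "\u043e": "o",  # о
    "\u0440": "p",  # р
    "\u0441": "c",  # с
    "\u0443": "y",  # у
    "\u0445": "x",  # х
    "\u0455": "s",  # ѕ
    "\u0456": "i",  # і
    "\u0458": "j",  # ј
    "\u04bb": "h",  # һ
    "\u04c0": "l",  # Ӏ uppercase palochka
    "\u04cf": "l",  # ӏ lowercase palochka
}


def decode_label(label: str) -> str:
    """ACE label ("xn--...") -> Unicode label; other labels are returned as-is."""
    if label[:4].lower() == "xn--":
        return label[4:].encode("ascii").decode("punycode")
    return label


def encode_label(label: str) -> str:
    """Unicode label -> ACE label; pure-ASCII labels are returned unchanged."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def script_of(ch: str) -> str:
    """'LATIN', 'CYRILLIC', ... taken from the character name; 'COMMON' for digits and '-'."""
    if not ch.isalpha():
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def skeleton(label: str) -> str:
    """Replace every confusable character with the Latin letter it imitates."""
    return "".join(CONFUSABLES.get(c, c) for c in label).lower()


def analyze_host(host: str) -> dict:
    """Triage one hostname given in either ACE or Unicode form."""
    labels = [decode_label(part) for part in host.rstrip(".").split(".")]
    unicode_host = ".".join(labels)
    per_label_scripts = []
    mixed = False
    for lab in labels:
        scripts = sorted({script_of(c) for c in lab} - {"COMMON"})
        per_label_scripts.append(scripts)
        if len(scripts) > 1:          # the rule browsers already apply per label
            mixed = True
    skel = ".".join(skeleton(lab) for lab in labels)
    # Single-script lookalike: same skeleton as a protected name, but not that name.
    lookalike = skel if skel in PROTECTED and skel != unicode_host.lower() else None
    verdict = "mixed-script" if mixed else ("lookalike" if lookalike else "ok")
    return {
        "input": host,
        "ace": ".".join(encode_label(lab) for lab in labels),
        "unicode": unicode_host,
        "scripts": per_label_scripts,
        "mixed_script": mixed,
        "skeleton": skel,
        "lookalike_of": lookalike,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # The article's three cases plus the genuine domain for comparison.
    for h in ("xn--80ak6aa92e.com", "xn--80aa0cbo66e.com", "\u0432ank.com", "apple.com"):
        r = analyze_host(h)
        print(f"{h:24} {r['unicode']:14} skeleton={r['skeleton']:12} {r['verdict']}")
```

Note that the page's own values round-trip: the two ACE labels decode to all-Cyrillic strings whose skeletons are “apple.com” and “paypal.com”, while “вank” is caught by the mixed-script rule and re-encodes to “xn--ank-edd”.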

WannaCry: How We Created an Ideal Environment for Malware to Thrive, and How to Fix It
https://www.infosecisland.com/blogview/24941-WannaCry-How-We-Created-an-Ideal-Environment-for-Malware-to-Thrive-and-How-to-Fix-It.html
Tue, 27 Jun 2017 05:00:49 -0500

On May 12, 2017 a ransomware attack began impacting organizations all over the globe and in just a few days had spread to over 230,000 computers across 150 countries. It’s quite a story, with the vulnerability used to spread the ransomware coming from leaked NSA data, speculation that the malware authors were not particularly sophisticated despite the breadth of the attack, possible links to North Korea, and a security researcher stumbling upon a kill switch that largely halted further spread of the malware. Although these aspects are fascinating and worthy of investigation, there is a larger question that needs to be answered: How in the world did we end up with a security paradigm where a malware infection can spread so rapidly and so broadly? And, most importantly, how do we begin to fix it?

The ultimate scope of the WannaCry ransomware attack was a result of two primary factors: the ability to communicate laterally across environments without restriction and an abundance of vulnerable machines to compromise. It is perhaps not surprising that as malware has dramatically evolved over the preceding decades, security architectures would also need to have evolved to effectively defend against these attacks. However, as we look at the security infrastructures used by organizations today, it is clear that most organizations have not evolved their security approaches enough to keep pace with emerging threat vectors.

Standard practice for security teams only a few years ago was to construct as strong a barrier as possible between the internal resources of a network and the chaos of the internet. This perimeter-centric approach made sense at the time, when the resources on the network were more or less stationary. But things have changed. The capabilities introduced by mobile computing, BYOD, IoT, cloud computing, and increased interconnectivity between business partners and third parties have created a situation where the old perimeter is near impossible to define, let alone control.

With adversaries able to cross an organization's perimeter with little trouble, they are able to reach the largely unprotected interior of the network and data center and then operate with very little standing in their way. A good example of this was observed during the Target breach in 2013 when attackers were able to communicate with a Point of Sale (POS) system in one Target store by connecting to it from a network-connected deli meat slicer in a second store location. The solution to this situation is fairly obvious: implement security policies to isolate machines that should not be talking to each other. For example, POS systems should only be able to communicate with other payment components, different store locations should only be able to access inventory systems for other store locations, and deli meat slicers shouldn’t be able to communicate with very much at all. The industry term for this approach to dividing up a network and data center into smaller zones of communication is called segmentation.

Without proper segmentation of an organization’s network infrastructure, adversaries are able to move about at will – either manually, or, in the case of WannaCry, automatically via a computer worm.

The second factor that contributed to the scale of the WannaCry attack was the sheer number of machines that were vulnerable to the EternalBlue exploit being leveraged. These vulnerable machines fall into one of two categories: either they were supported OSes that had not had critical security patches applied (Microsoft released a patch for the vulnerability on March 14, 2017 following the NSA leak), or they were unsupported OSes where no security patches were available (Microsoft has since released patches for these older OSes as well).

When you pull those threads a bit, it’s clear to see that organizations not having rigorous procedures for ensuring OSes are kept up to date with critical security patches directly led to the ability of WannaCry to spread as rapidly and broadly as it did. At the same time, the sheer number of organizations using older, unsupported OSes where critical security updates are no longer made available is shocking. According to the Spiceworks 2017 OS Adoption Trends survey, 52% of companies across North America, Europe, the Middle East, and Africa are still running some number of Windows XP systems. This means that more than half of all companies were vulnerable to WannaCry by default.

It’s easy to fault companies still running OSes that have been unsupported for years, however most of these companies are simply maintaining legacy applications they neither fully understand nor have the resources to recreate on a more current platform. They are in a tough spot needing to maintain these older systems while also needing to secure them in wide-open networks where attackers can move about freely. This is the exact situation that created the opportunity for WannaCry to thrive.

Obviously keeping systems up to date with security updates and retiring/migrating systems once their OS is no longer supported can go a long way toward preventing the spread of malware inside an environment, but this approach isn’t always viable. For all the companies that need to maintain legacy systems, regardless of the reason, focusing on isolating these systems as much as possible is a much more effective strategy.

The important points for all organizations to remember are: 1) keep your systems as patched and up to date as possible, and 2) do not leave your network wide open for adversaries to take advantage of, but begin segmenting your infrastructure and reducing your attack surfaces. We’re sure to see additional widespread attacks going forward, but by keeping systems up to date and preventing unauthorized communications via segmentation, your organization will be in a much better position to avoid being impacted by those threats.

About the author: Jesse McKenna is Director, Cybersecurity Product Management at vArmour. With over 12 years’ experience designing leading-edge detection systems, he possesses deep expertise in fraud, security, behavioral analytics, and how theoretical detection and analytics concepts can be applied and operationalized in real-world environments.

Copyright 2010 Respective Author at Infosec Island
Ztorg Trojan-SMS Infects Google Play Apps
https://www.infosecisland.com/blogview/24943-Ztorg-Trojan-SMS-Infects-Google-Play-Apps.html
Sat, 24 Jun 2017 08:35:29 -0500

Newly discovered Google Play applications infected with the Ztorg Trojan family no longer request root privileges on compromised devices, Kaspersky Lab security researchers reveal.

Late last year, Kaspersky warned of the high popularity Ztorg-infected applications had in Google Play, where one of them gathered over 50,000 downloads within a single day. Millions of users downloaded the various applications that were infected with the Trojan before being published in the official application store.

Now, the security firm says that newly observed infected apps no longer use exploits to gain root rights on the infected devices, although they continue to show malicious behavior. The programs, Kaspersky reveals, pack a Trojan-SMS that can send Premium rate SMS and delete incoming SMS.

Dubbed Magic browser, one of the applications was uploaded to Google Play on May 15, 2017 and had been installed more than 50,000 times before being removed from the store. Called Noise Detector, a second application was downloaded more than 10,000 times.

Both apps include a Ztorg Trojan variant designed to hinder analysis by waiting for 10 minutes before first attempting to contact the command and control (C&C) server. The malware makes two GET requests to the C&C and includes part of the International Mobile Subscriber Identity (IMSI) in both of them.

The first request contains IMSI’s first three digits, which are also the MCC (mobile country code), while the second request includes the first five digits, where the fourth and fifth are the MNC (mobile network code). This allows cybercriminals to identify the country and mobile operator of the infected user and determine which premium rate SMS should be sent.

The server responds with an encrypted JSON file that should include a list of offers, with each offer carrying a string field called ‘url’, which may contain an actual URL. The Trojan tries to open the field using its own class and, if the value is a URL, the content is displayed to the user. If the field contains other data and an “SMS” substring, a message containing the text supplied is sent to the number provided.

Just after receiving URLs to visit or SMS messages to send, the Trojan turns off the device sound and starts deleting all incoming SMS, Kaspersky’s Roman Unuchek explains.

Malicious apps featuring the same functionality but distributed outside Google Play were also discovered, resembling an additional module for some Trojan rather than standalone malware. These threats were installed by a regular Ztorg Trojan along with other Ztorg modules, the researcher discovered.

Analysis of the JS files received by these Trojans revealed that they contained a function called “getAocPage,” most likely referring to AoC (Advice of Charge). These files, Unuchek says, were designed to perform clickjacking attacks on web pages with WAP billing, which allowed the Trojan to steal money from the user’s mobile account.

“WAP billing works in a similar way to Premium rate SMS, but usually in the form of subscriptions and not one-time payments as most Premium rate SMS. It means that URLs which the Trojan receives from the C&C may not only be advertising URLs, but also URLs with WAP billing subscriptions,” the researcher explains.

All of the observed Trojans, including the Google Play ones, attempt to send SMS messages from the infected devices. Magic browser, for example, tries to send SMS from 11 different places in its code. This means that it can send messages on different Android versions and devices.

“The Magic browser app was promoted in a similar way to other Ztorg Trojans. Both the Magic browser and Noise detector apps shared code similarities with other Ztorg Trojans. Furthermore, the latest version of the Noise detector app contains the encrypted file girl.png in the assets folder of the installation package. After decryption, this file becomes a Ztorg Trojan,” the researcher notes.

The researcher also discovered other Trojans packing the same functionality, which were installed by a regular Ztorg Trojan. A malicious app called Money Converter observed in April 2017 was using Accessibility Services to install apps from Google Play without user interaction, even without root access. The app had over 10,000 installs in Google Play.


SAP Cyber Threat Intelligence Report – June 2017
https://www.infosecisland.com/blogview/24940-SAP-Cyber-Threat-Intelligence-Report--June-2017.html
Thu, 15 Jun 2017 09:24:00 -0500

The SAP threat landscape is always growing, putting organizations of all sizes and industries at risk of cyberattacks. The idea behind the SAP Cyber Threat Intelligence report is to provide insight into the latest security threats and vulnerabilities.

Key takeaways

  • In June, the vendor released 29 patches (slightly more than the 2017 average of 25 fixes);
  • Among them, there is a critical DoS vulnerability affecting SAP Host Agent. The issue is remotely exploitable and more than 3400 vulnerable services are exposed to the Internet.
  • The most common vulnerability type is XSS.

SAP Security Notes – June 2017

SAP has released the monthly critical patch update for June 2017. This patch update includes 29 SAP Security Notes (21 SAP Security Patch Day Notes and 8 Support Package Notes).

11 of all the Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month. 5 of all the Notes are updates to previously released Security Notes.

5 of the released SAP Security Notes have a High priority rating. The highest CVSS score of the vulnerabilities is 7.5.

SAP Security Notes June by priority

The most common vulnerability type is XSS (PDF).

SAP Security Notes June 2017 by type

Issues that were patched with the help of ERPScan

This month, 3 critical vulnerabilities identified by ERPScan’s researchers Mathieu Geli, Nursultan Abubakirov, and Vahagn Vardanyan were closed.

Below are the details of the SAP vulnerabilities identified by the ERPScan team.

  • A Denial of service vulnerability in SAP NetWeaver Instance Agent Service (CVSS Base Score: 7.5). Update is available in SAP Security Note 2389181. An attacker can exploit a Denial of service vulnerability to terminate a process of a vulnerable component. While the process is down, nobody can use the service; the resulting downtime negatively affects business processes and, as a result, business reputation.
  • A Cross-Site Scripting vulnerability in SAP NetWeaver Composite Application Framework and Business Warehouse Test Integration (CVSS Base Score: 6.1). Update is available in SAP Security Note 2405943. An attacker can exploit a Cross-Site Scripting vulnerability to inject a malicious script into a page. The malicious script can access cookies, session tokens and other critical information stored and used for interaction with a web application. An attacker can gain access to a user’s session and learn business-critical information; in some cases, it is possible to get control over this information. XSS can also be used for unauthorized modification of displayed content.
  • An Open redirect vulnerability in SAP Data Services Management Console (CVSS Base Score: 4.3). Update is available in SAP Security Note 2472026. An attacker can use an Open redirect vulnerability to redirect a user to phishing or malicious sites without the user realizing it. The security loophole occurs because an application takes a parameter and redirects the user to the parameter value without any validation.
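The open redirect described in the last item is the result of using a request parameter as a redirect target verbatim. The following is an added example (not ERPScan's or SAP's code) showing that pattern next to a hardened version that only accepts same-site relative paths or absolute URLs on an allowlisted host. The hostname `portal.example.internal`, the `next` parameter name and the `/home` fallback are constructed for the example.

```python
from urllib.parse import urlsplit

# Hosts the application may legitimately redirect to (constructed for this example;
# a real deployment would list its own portal hostnames).
ALLOWED_HOSTS = {"portal.example.internal"}
DEFAULT_TARGET = "/home"


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Accept only same-site relative paths or absolute http(s) URLs on an allowlisted host."""
    if not target:
        return False
    target = target.strip()
    try:
        parts = urlsplit(target)
    except ValueError:          # e.g. malformed IPv6 brackets
        return False
    # urlsplit lowercases the scheme; an empty scheme means a relative reference
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False            # javascript:, data:, file:, ... are never redirect targets
    if not parts.netloc:
        # Relative reference: require a single leading slash. '//host' is scheme-relative
        # (off-site), and browsers treat a backslash like a slash, so '/\\host' is too.
        return target.startswith("/") and not target.startswith("//") and "\\" not in target
    # Absolute URL: compare the parsed hostname (lowercased, userinfo and port removed),
    # so 'https://portal.example.internal@evil.example/' resolves to evil.example and fails.
    return parts.hostname in allowed_hosts


def redirect_target_unvalidated(params):
    """The pattern the note describes: the parameter value becomes the Location verbatim."""
    return params.get("next", DEFAULT_TARGET)


def redirect_target_validated(params):
    """Hardened form: anything that fails the allowlist falls back to a fixed internal page."""
    target = params.get("next", "")
    return target if is_safe_redirect(target) else DEFAULT_TARGET


if __name__ == "__main__":
    for candidate in ["/account?tab=1", "//evil.example/login", "javascript:alert(1)",
                      "https://portal.example.internal@evil.example/",
                      "HTTPS://Portal.Example.Internal/x"]:
        print(f"{candidate!r:55} -> {redirect_target_validated({'next': candidate})}")
```

The check compares the parsed hostname rather than doing a string prefix match on the raw value, which is what defeats the userinfo (`host@evil`) and lookalike-subdomain variants; anything rejected lands on a fixed internal page instead of being echoed back.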

About the DoS vulnerability in SAP Host Agent Service: 3400+ services at risk

SAP Host Agent allows accomplishing several life-cycle management tasks, such as operating system monitoring, database monitoring, system instance control, and provisioning.

This month, the vendor closed a Denial of Service vulnerability affecting this component (reported by ERPScan back in November, 2016). A DoS attack has a direct impact on availability, as it causes response delays and service interruptions. The vulnerability can be exploited over the network without any authentication procedure.

A custom non-intrusive scan reveals that there are 3400+ such services exposed to the Internet, with the largest share of them located in the USA, India, and China. As the vulnerability is remotely exploitable, these services are at risk of anonymous attacks.

ERPScan recommends that companies install the appropriate patch as soon as possible.

Critical issues closed by SAP Security Notes June 2017 identified by other researchers

The most dangerous vulnerabilities of this update can be patched by the following SAP Security Notes:

  • 2313631: BILaunchPad and Central Management Console have a Denial of service vulnerability (CVSS Base Score: 7.5). An attacker can exploit a Denial of service vulnerability to terminate a process of a vulnerable component. While the process is down, nobody can use the service; the resulting downtime negatively affects business processes and, as a result, business reputation. Install this SAP Security Note to prevent the risks.
  • 2396544: SAP BusinessObjects Web Intelligence HTML interface has a Cross-Site Scripting vulnerability (CVSS Base Score: 7.1). An attacker can exploit a Cross-Site Scripting vulnerability to inject a malicious script into a page. The malicious script can access cookies, session tokens and other critical information stored and used for interaction with a web application. An attacker can gain access to a user’s session and learn business-critical information; in some cases, it is possible to get control over this information. XSS can also be used for unauthorized modification of displayed content. Install this SAP Security Note to prevent the risks.
  • 2444321: SAP CommonCryptoLib has a Missing certificate verification vulnerability (CVSS Base Score: 7). Without the certificate check, the function cannot recognize whether the data being verified was signed by an unauthenticated or unauthorized person or system. Install this SAP Security Note to prevent the risks.

Advisories for these SAP vulnerabilities with technical details will be available in 3 months on erpscan.com.

Webinar: Top 5 Myths of ICS Cybersecurity - Debunked!
https://www.infosecisland.com/blogview/24939-Webinar-Top-5-Myths-of-ICS-Cybersecurity-Debunked.html
Wed, 14 Jun 2017 08:19:00 -0500

What are the top five ICS cybersecurity myths, and are they hindering you from securing your industrial process control environment?

Industrial control systems (ICS) are certainly under assault. There are numerous public examples – the most recent being the WannaCry ransomware attack that successfully penetrated process control networks and, in limited cases, slowed or shut down production. This attack was a wake-up call for industrial process industries as WannaCry exposed the immaturity of and misconceptions surrounding ICS cybersecurity strategies today.

Join us for a live webinar on June 14 at 1PM ET to hear from a panel of industry experts that will:

- Identify popular ICS cybersecurity myths that leave the systems that matter most in a facility vulnerable.

- Examine each myth and provide specific kill chain examples (including WannaCry) that expose these myths for what they are.

- Provide best practices that companies can adopt to help secure their ICS environments from both outsider and insider threats.

Speakers

Mike Assante - Director of Critical Infrastructure and ICS, SANS Institute 

Michael Assante currently manages the SANS Industrials and Infrastructure practice area and is the lead for the Industrial Control System (ICS) and Supervisory Control and Data Acquisition (SCADA) security curriculum. Previously he served as vice president and chief security officer of the North American Electric Reliability Corporation (NERC), where he oversaw industrywide implementation of cyber security standards across the continent. Before joining NERC, Mike held a number of high-level positions at Idaho National Laboratory and served as vice president and chief security officer for American Electric Power. His work in ICS security has been widely recognized.

Jason Howard-Grau - CISO, PAS Global, LLC 

Jason Howard-Grau is the chief information security officer at PAS, Inc. Jason is a veteran technology leader with more than 22 years of cybersecurity and advisory experience within both operational and information technologies. Prior to joining PAS, Jason was the CISO at MOL Group, an integrated oil and gas company with operations in over 30 countries, where he owned and developed the company’s cybersecurity strategy. Prior to MOL Group, Jason held information technology (IT) leadership positions at both Burberry and Vodafone, where he was Global Head of Cyber Security Operations & Program Delivery. Previously, Jason was a Senior Advisor at KPMG focusing on IT and cybersecurity within the Financial Services, Petrochemical, and Telecommunication sectors.

You Can't Hire Your Way Out Of The Skills Shortage... Period.
https://www.infosecisland.com/blogview/24938-You-Cant-Hire-Your-Way-Out-Of-The-Skills-Shortage-Period.html
Wed, 07 Jun 2017 09:17:00 -0500

Training alone can’t close the cybersecurity skills gap. It’s just math.

A major component of President Trump’s recent executive order on cybersecurity (see Sec. 3, Part D) calls for “workforce development” as part of strengthening the nation’s overall cybersecurity posture. While there has been some optimism around the potential for closing the massive cybersecurity skills gap by training more people, a look at some hard numbers clearly demonstrates that training alone will not even come close to addressing the massive skills gap the country faces.

That’s not to say that workforce development is a wasted effort – encouraging young people to seek careers in cybersecurity will certainly be part of the solution. As the volume and complexity of threats increase, we need smart people that will continue to stay ahead of criminal – and even state-sponsored – elements that are only becoming stronger and more organized. Cybersecurity proponents have recommended things like building “corporate universities,” promoting STEM boot camps for kids, and setting realistic expectations at the entry level to help address the talent crisis. These are all good ideas that shouldn’t be discouraged, but they’ll never be enough.

To clearly see the size of the gap that will still exist if we try to solve this problem with manpower alone, you just have to look at the numbers.

The non-profit Center for Cyber Safety and Education predicts that there will be a global shortfall of 1.8 million cyber security workers in the next five years. Anyone will admit that’s a big number, but just how big is it? To put the size of the shortfall in context, consider that colleges and universities in the U.S. are expected to award a total of 1.9 million bachelor’s degrees during the 2016-17 school year, according to the National Center for Education Statistics (NCES).

So, one way to close the gap quickly would be for nearly every single college graduate this year to enter the cybersecurity field. But obviously, that’s never going to happen.

How many people can we expect to graduate and go into cybersecurity careers? Experts have pointed out that the number of young people entering into IT-related fields may have slowed down a bit at some point during the last 10 to 15 years as many companies turned to offshore outsourcing, and the market for IT skills started to look bleak. But that pendulum has swung back, and information security is now lauded as an area with abundant opportunity for job growth and career stability.

IT and cybersecurity have been a bright spot in the job market, offering promising careers to college graduates for at least a few years now. And going back to data from NCES, that knowledge incentivized 59,581 people to earn degrees in “computer and information sciences” fields during the 2014-15 school year. Again, it sounds like a significant number, but it only accounts for about 3 percent of all the bachelor’s degrees awarded. And remember, that number reflects all “computer and information sciences” degrees, not just those related to cybersecurity. But for the sake of argument, let’s say that all 60,000 people were going into cybersecurity jobs. If that were the case, it would still take 30 years to fill a shortfall of 1.8 million people.

To continue with the “best-case” hypotheticals, let’s assume companies were able to hire all the trained professionals they needed to secure their data and infrastructure. Getting all those people on the payroll would simply be cost prohibitive. One of the easiest ways to demonstrate this is by looking at the time and resources it takes for level 1 and 2 cyber analysts to investigate and remediate threats.

On average, an enterprise organization can receive around 10,000 security alerts per day, and that number can increase exponentially at larger companies. A few years ago, BP’s CEO spoke to CNBC about the volume of attacks at his company saying, “we see as many as 50,000 attempts a day like many big companies …”

These alerts take time to investigate, and when a threat is found, even more time to remediate. On average an experienced analyst can perform roughly 10 investigations per day. So, to field the 10,000 alerts that many organizations receive, you’d need 1,000 people. If the salary for those people averaged out to about $100,000 each, a company would be spending $100 million just investigating alerts.

And remember, we’re only talking about the manpower needed to investigate and remediate threats. This accounts for a lot of the heavy lifting in securing an organization, but there are also a number of other jobs required to implement a comprehensive IT security strategy.

While developing the cybersecurity workforce should be applauded, it’ll fall way short of the ultimate goal of ensuring that important data and infrastructure are secure. Even when using some very generous hypotheticals, the numbers just don’t add up. We’ll be hard-pressed to find enough people able to fill the number of cybersecurity job openings, and even if those people existed, employing them all would be cost-prohibitive.

The attacks on our networks are getting more aggressive because the people directing them are using highly coordinated and automated technology. To be successful at defeating them, we need to fight fire with fire and start doing the same. Getting more people into the cybersecurity field and making sure they’re highly trained is very important. But we need to help them work smarter, not harder, which is why technology that uses intelligent security automation will be an essential part of the solution.

About the author: As Vice President of Marketing at Hexadite, Nathan Burke is responsible for bringing Hexadite's intelligent security orchestration and automation solutions to market. For 10 years, Nathan has taken on marketing leadership roles in information security-related startups. He has written extensively about the intersection of collaboration and security, focusing on how businesses can keep information safe while accelerating the pace of sharing and collaborative action.

Social Security Administration’s Second Attempt at 2FA Fails Federal Government’s Own Standards, Not Secure
https://www.infosecisland.com/blogview/24937-Social-Security-Administrations-Second-Attempt-at-2FA-Fails-Federal-Governments-Own-Standards-Not-Secure.html
Tue, 06 Jun 2017 13:17:39 -0500

The Social Security Administration (SSA) recently instituted its latest precautions to identify threats and protect citizens’ information by making two-factor authentication mandatory for all users. This basic security layer is invariably better than nothing, but it places the burden on the customer to ensure their account is secure, while the organization should ultimately be responsible for protecting users.

In July 2016, the SSA announced they would implement multifactor authentication. This year, the effort evolved into sending one-time, time-sensitive codes to users by one of two methods: email or cell phone. These latest “options” neglected to address the fact that seniors are less likely to have access to a smartphone or email account than any other demographic group. Ironically, the decision to switch to multifactor authentication came in the same month in which the National Institute of Standards and Technology (NIST) warned that these SMS-based channels can be compromised by hackers.

The SSA portal was launched in 2012, and fraudsters have regularly manipulated the system to create fake accounts, divert money and reroute SSA benefits payments. The agency has failed to secure the process of opening accounts, which requires basic information that can be bought and sold on underground information exchanges. The multifactor authentication system signed into effect in September 2014 has made seniors extremely vulnerable to new hacking techniques such as social engineering scams, stealing SIM card data, or rerouting the verification signals.

Those who are registered in the SSA system would most likely acknowledge that they feel safe because of all the orders and authentication methods that have been put in effect. The agency’s additional method of authentication involves the use of a third party to verify the name, address, birth date, and Social Security number. If the user provides the correct answers, they are verified and can access their account, but hackers conquered simplistic information like this years ago, and this has morphed into huge illicit businesses that trade in personal information.

Beyond these initial security enhancements, the administration has proposed additional measures. Users can elect an option that provides a “better” way to verify their information, but this is NOT the default option and is unlikely to be adopted by those who aren’t aware of the current risks. That third option, it turns out, is not that appealing after all, as it mails a passcode to the registrant via the United States Postal Service, which can then be entered on the website, followed by a series of other questions that must be answered correctly. This is far from an ideal solution because it still requires the user to initiate the extra measures, and the passcode could be intercepted en route.

When the Social Security Administration continues to rack up losses in the information war, it will hopefully seek to implement solutions that proactively protect the entire organization and its users. Yet again, it’s the perfect scenario that would benefit from the low cost and high level of security that push technology and other options offer compared to the highly vulnerable SMS-based systems of yesteryear.

About the author: Alexandre Cagnoni is CEO of McLean, Virginia-based Datablink (www.datablink.com), a global provider of advanced authentication and transaction signing solutions.

WannaCry and Jaff: Two Different Malware Attacks with A Common Goal
https://www.infosecisland.com/blogview/24936-WannaCry-and-Jaff-Two-Different-Malware-Attacks-with-A-Common-Goal.html
Fri, 02 Jun 2017 09:18:00 -0500

On Friday, May 12, the Infoblox Intelligence Unit observed not one but two separate ransomware attacks, each using different distribution capabilities and malware. While the two ransomware attacks were not related, it’s becoming evident that the rise in this form of malware is growing exponentially, creating a greater need for businesses to double down on their defense mechanisms. In this particular case, even though both attacks were ransomware-based, it’s vital that organizations properly understand their differences, as the actions to remediate them require different measures.

WannaCry Hits Hard

The first attack, WannaCry, was able to ravage the network systems of over 200,000 organizations across the globe by exploiting a vulnerability found in Microsoft’s Server Message Block. Crises were quickly caused in hospitals and facilities in England’s National Health Service, as these healthcare institutions were forced to cancel non-urgent services, turn away patients and revert to backup procedures. This particular piece of malware leverages an exploit called ETERNALBLUE, which allows it to then move on to establish a backdoor known as DOUBLEPULSAR to allow for future access to the infected systems. WannaCry rapidly spreads by connecting itself to SMB services on local and internet-facing systems with the vulnerability, or by simply running the backdoor.

Upon its initial infection, WannaCry checks whether an external domain (the kill switch domain) is available. If the kill switch can be contacted, the encryption function does not run. The kill switch domains are not a command-and-control server for the malware, and therefore should be monitored but not blocked. Before the attack took root on May 12, the domains were not registered; however, shortly after the attack started, a malware researcher registered and sinkholed the first domain. By doing this, the malware was able to resolve the domain — preventing later infections. However, if left unchecked, WannaCry will encrypt most files on a machine, then demands a ransom starting at $300, rising to $600 if the user takes too long to pay.

Meet Jaff

While the world was preoccupied with WannaCry, there was another ransomware attack in progress called Jaff. Launched May 11 by Necurs, one of the largest botnets in the world (notorious for spreading threats such as the Locky ransomware and the Dridex banking Trojan), Jaff infected its victims through misleading emails encouraging them to open an attached PDF. This document asks for additional permissions when opened, and, if approved, allows the delivery and execution of the ransomware payload. Although the emails used to deliver Jaff employ standard spamming techniques, the exact details vary between each of the concurrent campaigns.

Once the victim opens the email and downloads the PDF attachment, the malware contacts its C2 servers to report that encryption of the victim’s files has begun. From there, Jaff proceeds to encrypt the victim’s files, instructs them to install the Tor Browser and directs users to a specific website that displays a ransom note and payment instructions. The exact amount demanded by the ransom varies over time, but the current ask averages around two Bitcoin (about 3,500 USD).

So What Can You Do?

In the wake of these attacks, organizations need to be aware of the security measures they currently have in place, as well as what they can do moving forward.

  • Implement Patches In A Timely Manner: WannaCry’s reliance on a known vulnerability and network scanning indicates that some traditional defenses may be effective. However, it is absolutely crucial that organizations are ensuring timely software updates and keeping systems patched. If organizations had done so prior to the WannaCry attack, this would have limited the vulnerability and the worm’s ability to spread through that particular exploit. In the case of the Jaff ransomware, patching would not have been an effective measure.
  • Use Sinkholes: Unlike the typical command-and-control domains, which should be blocked, WannaCry used a kill switch domain which had to be resolved in order to avoid activating the ransomware’s encryption function. One best practice is for an enterprise to redirect its internal requests for those domains to an internal sinkhole. Permitting the infected client to successfully connect to the kill switch domain will prevent the encryption function from completing, allowing it to run internally and preventing unwanted interaction with unknown internet users. This will also enable the enterprise to identify its internal hosts that have been impacted by the malware. Utilizing these internal sinkholes may also be effective for limiting command-and-control interaction, such as with the Necurs botnet responsible for launching the Jaff ransomware.
  • Leverage DNS Response Policy Zone (RPZ) capabilities: Using RPZ capability on your organization’s DNS server to monitor any hits to the kill switch domain helps identify infected clients. For WannaCry, RPZ would’ve helped organizations identify malware infections and quickly respond to them. In the case of the Jaff ransomware, using RPZ on your organization’s DNS server to blacklist or block connections to the Necurs command and control domains would have mitigated parts of the infection. Additionally, a spambot RPZ could be used for mail server DNS resolution, which would have helped to block some of the incoming malicious emails.
  • Email safety: In the case of Jaff, simple email safety would’ve helped prevent its spread. To prevent email-propagated infections like Jaff in the future: 1) Do not open email attachments from unknown senders. 2) Disable Microsoft Office document macros by default. 3) Do not allow documents to open additional files or execute macros without external confirmation (e.g. phone, in person) that the sender is valid. Further, confirm that there’s a specific reason the sender intentionally sent you a document that requires the use of those features.
  • Keep up-to-date threat intelligence: Across the board, organizations should leverage up-to-date and curated threat intelligence across their entire security and DNS infrastructures, in order to protect against malicious activity and DNS security breaches.
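The sinkhole and RPZ items above describe two opposite policy outcomes for two kinds of domain: the kill switch must resolve (to an internal sinkhole, so the encryption routine bails out and the client is logged), while command-and-control domains must fail. The following is an added example, not Infoblox's code, that simulates that policy decision over a constructed resolver query log and groups the clients that hit either rule for incident response. The article names neither the real kill switch domain nor the Necurs C2 domains, so `killswitch-placeholder.example`, `c2-placeholder.example`, the sinkhole address `10.0.0.250` and the log format are all constructed placeholders.

```python
from collections import defaultdict

# Placeholders: the article names neither WannaCry's kill switch domain nor the Necurs
# C2 domains, so constructed names stand in for both.
KILL_SWITCH_DOMAINS = {"killswitch-placeholder.example"}
C2_DOMAINS = {"c2-placeholder.example"}
INTERNAL_SINKHOLE = "10.0.0.250"   # assumed address of the internal sinkhole host


def domain_matches(qname, domains):
    """True if qname is one of the listed domains or a subdomain of one."""
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in domains)


def apply_policy(qname):
    """Decide what the resolver should answer; returns (action, answer)."""
    if domain_matches(qname, KILL_SWITCH_DOMAINS):
        # Must resolve: a successful lookup stops the encryption routine. Answer with an
        # internal address so the client never talks to the public internet.
        return "sinkhole", INTERNAL_SINKHOLE
    if domain_matches(qname, C2_DOMAINS):
        # Must fail: a blocked answer (NXDOMAIN) cuts the botnet's control channel.
        return "block", None
    return "pass", None


def parse_query_log(line):
    """Constructed resolver log format: '<timestamp> <client_ip> <qname> <qtype>'."""
    _ts, client, qname, _qtype = line.split()
    return client, qname


def triage(log_lines):
    """Map each policy action to the set of internal clients that triggered it."""
    hits = defaultdict(set)
    for line in log_lines:
        client, qname = parse_query_log(line)
        action, _answer = apply_policy(qname)
        if action != "pass":
            hits[action].add(client)
    return dict(hits)


# Constructed sample log: one kill switch lookup, one C2 lookup, and benign traffic.
SAMPLE_LOG = [
    "2017-05-12T10:01:02Z 10.1.2.3 killswitch-placeholder.example A",
    "2017-05-12T10:01:05Z 10.1.2.3 www.example.org A",
    "2017-05-12T10:02:41Z 10.1.9.9 update.c2-placeholder.example A",
    "2017-05-12T10:03:00Z 10.1.4.4 mail.example.org MX",
]

if __name__ == "__main__":
    for action, clients in triage(SAMPLE_LOG).items():
        print(f"{action}: {sorted(clients)}")
```

In a BIND-style RPZ the same two outcomes are expressed as local data for the kill switch name (an `A` record pointing at the sinkhole) and a `CNAME .` rule for the C2 names, which returns NXDOMAIN; either way, every hit on the policy zone is a host to isolate and investigate, since a client that reached the kill switch is already infected even though it did not encrypt.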

Truly understanding the differences between attacks like these and implementing best practices against both is essential for the security of any organization.

About the author: As Director of Cyber Intelligence for Infoblox, Sean Tierney leads the efforts to develop and refine threat data, delivered to customers as machine-readable, actionable intelligence. His team collaborates with industry peers, Fortune 500 companies, and government agencies to identify emerging cybersecurity threats.

Copyright 2010 Respective Author at Infosec Island]]>
Malware: The Gift That Keeps on Giving https://www.infosecisland.com/blogview/24935-Malware-The-Gift-That-Keeps-on-Giving.html Fri, 02 Jun 2017 06:18:00 -0500 USB was game changing when it was introduced in the late 1990s. Being able to plug a new device into a running computer, without shutting it down first, changed how we work. Today we take hot-plugging for granted and attach and remove devices without a second thought. You should be thinking about it.

The Gift

Recently our office had new desks installed, and the company that installed them left a gift on each desk: a branded USB hub. To most people that seems harmless enough, but our professional suspicion took over.

We were not expecting these hubs; they were simply sitting on the new desks when we arrived on Monday morning. Naturally we tore a few of them down to see what they were made of. The port numbering was odd, but nothing else seemed out of place: a single hub controller chip handled the data flow, and there was no extra storage or unexpected component on the board. In our case they turned out to be ordinary USB hubs, but that is not always so. Seemingly harmless USB devices have been found to carry malware in a number of cases.

Reputable Devices

IBM recently issued a Flash alert disclosing that a Trojan from the Reconyc malware family had been found on the USB flash drives shipped with the initialization tool for some of its Gen 1 Storwize systems. When the tool is launched from the drive, it copies itself, malicious file included, to a temporary folder on the administrator's hard drive. The copy alone does not run the malware, but it leaves a malicious executable sitting on the host.

Here the drives were part of a product from a reputable vendor. Nobody expects malware from IBM, so the natural reaction is to trust the drive and run the application on it. With any new USB drive, scan it with your antivirus software before running anything it contains, and watch for the vendor's own advisories: the vendor's supply chain is part of yours.

Innocent Devices

Programmable keyboards and mice contain a small amount of memory that could be loaded with malicious software. Even USB chargers for vape pens have been found to contain malware, and modern vape mods often contain memory and plug directly into a USB port for charging and firmware updates. Devices that do not normally contain storage can have an additional board hidden inside the casing, or can have their controller firmware reprogrammed so the device also presents itself as a keyboard or network adapter, as the BadUSB research demonstrated.

Any USB device has the potential to infect your computer. There is no such thing as a fully trustworthy USB device, especially the first time you plug it in, and an antivirus scan of the files on a drive says nothing about the device's firmware.

Suspicious Devices

Studies going back to at least 2011 have dropped USB drives in parking lots and counted how many people plugged them in; one published last year found that nearly half of the dropped drives were connected by whoever found them. Season 1, episode 6 of Mr. Robot even shows Darlene dropping infected flash drives in a prison parking lot to get onto the prison's network. Any device you did not buy yourself should be treated as suspect and kept away from your computers. If you must examine one, do it on a machine that is isolated from the network and that you are prepared to wipe and reinstall afterwards.

How Do I Stay Safe?

There will be times when you need to replace a keyboard or another USB device, and I hope I have not scared you off USB entirely: devices you or your employer purchased through normal channels are generally safe to use. If you buy a USB drive with pre-installed software, scan it with your antivirus before running any of the applications. If you or your employer did not purchase the device, do not plug it into your computer; if it was found on business or school property, turn it in to lost and found. Stay wary of unfamiliar USB devices, because you never know what might be lurking inside.

About the author: Topher Tebow is a Web Security Research Analyst at SiteLock, with over seven years of experience in web hosting and website security. When he is not helping rid the world of malware, he is spending time with his family, working on sound for independent films, and fighting human trafficking.

The Cyber Car: The Intimate Tango of the 21st Century https://www.infosecisland.com/blogview/24934-The-Cyber-Car-The-Intimate-Tango-of-the-21st-Century.html Thu, 25 May 2017 07:00:00 -0500 The automotive industry is undergoing a dramatic revolution. Leaders across the sector say so, with GM CEO Mary Barra stating that the industry is set to change more in the next five to ten years than it has in the last 50.

The question is why those of us in the automotive world believe such a monumental shift is taking place. Quite simply, in-car connectivity is growing at a stratospheric rate. It has passed the point of no return and is set to proliferate through the next decade, with 150 million connected cars expected on the road by 2020.

The Connected Car - A Great Opportunity or Existential Threat?

As noted above, leaders in the automotive sphere broadly agree that the industry is undergoing a revolution, arguably the most dramatic since the first car. As the car becomes computerized and connected, with access to the Internet and cloud services, its exposure to attack grows with it. The explosion of in-car connectivity parallels what computing went through when the Internet arrived: an installed base of systems that had never been designed to be connected suddenly was, and hacking and cyber attacks followed. The automotive industry is living through the same phenomenon, with one difference its computing counterparts never faced: a successful car hack can be fatal.

For perspective, a modern car already contains more than 70 dedicated processors responsible for its most sensitive systems, from central locking through to the transmission and engine ignition. The software is not only growing but becoming more complex: a car built today can carry around 100 million lines of code, and a third of manufacturing cost now goes to the hardware and software inside it. Combine that with cellular, Wi-Fi and Bluetooth connectivity, and it is easy to see how exposed the cars of the near future could be. A car in production today can have up to 15 points of entry for an attacker through these interfaces.

The Journey – Next Steps into the Future

The industry is past the point of no return. Cyber risk is here to stay, and the industry is well aware of how vulnerable connected cars are. It is now up to the major players to make built-in cyber security capability a precondition for the continued development of connected and autonomous cars. Consumers must be protected from the threats that connectivity brings; if that protection holds, the opportunities for manufacturers are almost limitless and the consumer experience moves to another level.

Solutions – Detecting and Blocking Attempts to Penetrate a Car’s Internal and External Networks

Securing a connected car calls for firewall-like systems that protect the vehicle's internal network and stop penetration from outside. Placing that protection at a strategic point inside the vehicle, for example at the gateway between the externally reachable units (telematics, infotainment) and the control buses that carry safety-critical traffic, lets it inspect traffic before it reaches the most sensitive systems.

Using machine-learning algorithms, such systems can identify anomalies and attempted attacks quickly, block them, and at the same time send reports with detailed analysis to the central vehicle management system. Connected cars also need defenses for the wireless interfaces themselves (cellular, Bluetooth and Wi-Fi), and the ability to contain an attacker who has already reached the car's internal communication network through one of its microcontrollers, since those are especially exposed over a wireless link.

The stakes are always high when dealing with safety-critical functions, but the automotive industry and the tech companies that support it are rising to the challenge. By working together, adopting a holistic approach and evolving with the technology, we aim to remain one step ahead of threats at all times. That way the connected car will be free to maximize its huge and fascinating potential.

About the author: Asaf Atzmon is Director, Business Development & Marketing, Automotive Cyber Security - TowerSec at HARMAN, the premier connected technologies company for automotive, consumer and enterprise markets. Asaf joined HARMAN with the acquisition of TowerSec in January 2016 where he served as VP, Business Development & Marketing.

Adylkuzz: WannaCry’s Older and More Devious Cousin https://www.infosecisland.com/blogview/24933-Adylkuzz-WannaCrys-Older-and-More-Devious-Cousin.html Thu, 25 May 2017 05:32:25 -0500 Think you got off scot-free with this whole WannaCry business? It turns out you may have been immune to WannaCry only because you were already infected by Adylkuzz. #irony

Last week the WannaCry ransomware attack made headlines around the world as it spread at an unprecedented, almost mind-boggling pace, infecting hundreds of thousands of computers. Now the next wave of attacks using the same tactics and techniques is under way. In fact it has been active for weeks, and is quietly getting bigger.

Proofpoint reports that the Adylkuzz campaign likely predates the WannaCry outbreak by several weeks and may have begun as early as April 24. Like WannaCry, Adylkuzz may now affect hundreds of thousands of PCs and servers worldwide, and it spreads using the same exploit and backdoor, EternalBlue and DoublePulsar, that the Shadow Brokers released and that were allegedly stolen from the NSA.

Unlike WannaCry, however, Adylkuzz is not ransomware. It infects computers through the same techniques, but instead of making noise, encrypting the data on the user's computer and demanding a ransom to restore access, it hides in the background and makes money by installing a cryptocurrency mining program, a "coin miner."

What Are the Symptoms of an Adylkuzz Infection?

Adylkuzz does not want to be found, so it does what it can to evade detection and go unnoticed by the user. It does not lock anyone out of an infected computer, but there are tell-tale signs, more subtle than WannaCry's bright red ransom note: loss of access to shared Windows resources such as network drives and printers, and a general, unexplained sluggishness in overall system performance while the miner burns CPU.

Adylkuzz Isn’t Ransomware. It’s a “Coin Mining” Botnet. 

So why is Adylkuzz so stealthy and what’s it doing with your computer?

Unlike WannaCry, Adylkuzz does not want your money; it wants your computer to mine Monero, a cryptocurrency similar to Bitcoin. Once installed, the miner uses the machine's processor (and, where available, its graphics card) to perform the computations that "mine" new coins. At the time of writing one Monero coin is worth about $31.36 USD and the currency's total market capitalization is about $454 million USD, so even if you have never heard of it, it is serious business.

Running a coin miner on a single computer like yours, for example, wouldn't likely result in much of a financial gain. However, combining thousands, tens of thousands or even hundreds of thousands of infected computers into a single botnet that can be controlled by cybercriminals could be lucrative.

How Does the Adylkuzz Attack Actually Work?

Adylkuzz has been around since about October 2014, but it saw a resurgence and began accelerating its infection rate substantially in April of this year.

The attack is launched from several virtual private servers that scan the Internet for hosts exposing a vulnerable SMB service. When a computer or server is found to be vulnerable to EternalBlue, the attackers exploit it and install the DoublePulsar backdoor, which then downloads and runs Adylkuzz.

This is where it gets interesting. Adylkuzz not only terminates any earlier copies of itself on a target machine, it also deploys cleanup tools to cover its tracks, and it blocks SMB communication with other machines so that no further malware can disrupt its operations. That keeps other malware and ransomware from using the same technique to infect the system, and it also means a scan of such a machine finds SMB closed, masking the fact that it was already compromised.

Here is a good example of this in action. While researching WannaCry, Proofpoint exposed a lab machine vulnerable to EternalBlue to the Internet as a honeypot. Unexpectedly, it was infected by Adylkuzz within 20 minutes. They repeated the experiment several times with the same result.
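The SMB symptom described above (shares that suddenly stop answering, on a host that otherwise works) suggests a simple hunt. The following is an added example written for this page, not code from the article or from Proofpoint: it sweeps a list of Windows hosts for TCP/445 reachability and reports the ones that accepted SMB in an earlier inventory but refuse it now. The host list, the baseline and the offline stand-in for the live network are constructed; in production the real `tcp_connect` is used.

```python
"""Sweep Windows hosts for TCP/445 (SMB) reachability and flag the ones that
used to answer but no longer do.  An unexplained loss of SMB on a host that
still responds otherwise matches the behaviour the article describes for
Adylkuzz, which shuts SMB to keep rival infections out.  Added illustration;
the hosts, the baseline and the fake network below are constructed."""
import socket
from typing import Callable, Dict, Iterable, List

SMB_PORT = 445
TIMEOUT_S = 1.0


def tcp_connect(host: str, port: int, timeout: float = TIMEOUT_S) -> bool:
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def smb_reachability(hosts: Iterable[str],
                     connect: Callable[[str, int], bool] = tcp_connect) -> Dict[str, bool]:
    """Map each host to whether it currently accepts connections on 445."""
    return {h: connect(h, SMB_PORT) for h in hosts}


def newly_unreachable(baseline: Dict[str, bool], current: Dict[str, bool]) -> List[str]:
    """Hosts that accepted SMB in the baseline inventory but refuse it now.

    Each such host deserves a look for an unexpected IPsec policy or firewall
    rule on port 445, a process pegging the CPU, and, because the same SMB path
    is what EternalBlue abuses, its MS17-010 patch status."""
    return sorted(h for h, was_open in baseline.items()
                  if was_open and not current.get(h, False))


def triage(hosts: Iterable[str], baseline: Dict[str, bool],
           connect: Callable[[str, int], bool] = tcp_connect) -> List[str]:
    """Run the sweep and return the hosts that lost SMB since the baseline."""
    return newly_unreachable(baseline, smb_reachability(hosts, connect))


# Constructed inventory: SMB state recorded before the outbreak.
BASELINE = {"10.0.1.23": True, "10.0.1.40": True, "10.0.1.41": False}

# Constructed stand-in for the live network so the example runs offline:
# 10.0.1.23 has silently stopped answering on 445.
FAKE_NOW = {"10.0.1.23": False, "10.0.1.40": True, "10.0.1.41": False}


def fake_connect(host: str, port: int) -> bool:
    """Offline replacement for tcp_connect driven by FAKE_NOW."""
    return port == SMB_PORT and FAKE_NOW.get(host, False)


if __name__ == "__main__":
    # Swap fake_connect for tcp_connect (the default) to sweep a real network.
    print("lost SMB since baseline:", triage(list(BASELINE), BASELINE, fake_connect))
```

A closed port 445 is only a lead, not a verdict: an administrator may have disabled SMBv1 or added a firewall rule deliberately in response to WannaCry. The value of the sweep is that it surfaces hosts whose change nobody can account for, which is exactly where a silent miner hides.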

Why Is Adylkuzz Potentially a Bigger Problem Than WannaCry?

For starters, Adylkuzz is clearly being run by professionals. Unlike WannaCry, which has attracted an incredible amount of attention from both the media and law enforcement, Adylkuzz has quietly gone about its business, infecting systems at a similar pace while going unnoticed.

Just Google WannaCry and Adylkuzz to see the difference for yourself.

As a criminal business venture, Adylkuzz is doing much better, too. It is highly sophisticated and automated, whereas the amateurish execution and manual processes of WannaCry had limited its take to a mere $92,896.91 as of May 19 at 11 a.m. EST. How much Adylkuzz has made, no one knows for sure.

Proofpoint, however, reports that the operation is set up to avoid paying too many Monero coins to any single address, and has found several addresses that received roughly $7,000, $14,000 and $22,000, with "many more" beyond those. The creators of Adylkuzz have thus avoided the collection and laundering problems that plague WannaCry, and in doing so have made it very hard to determine how much they are earning.

Another concern is that users and companies who were “lucky” enough to have avoided WannaCry may have been spared because of a previous Adylkuzz infection that protected them. This may encourage complacency in patching and allow Adylkuzz to continue to go undetected for weeks, months or even years on older systems.

Lastly, the creators of Adylkuzz appear to have iterated their attack vector to include the very exploits that made WannaCry possible, and they went unnoticed by security researchers for weeks. Without the noise WannaCry created, Adylkuzz might have continued to ply its criminal trade unnoticed for some time.

This raises the questions: What other exploits have they incorporated into their arsenal? And what else have they already deployed that we are unaware of?

About the author: Kevin Magee is a global security strategist with Gigamon, where he assists customers to successfully adopt and implement enterprise-wide Security Delivery Platforms. He also writes, teaches and advises security and business executives, government leaders, and corporate and non-profit boards around the world on the topics of cyber security, cyber risk governance, cybercrime and personal digital security awareness.

Cloud Control: Key Points to Consider When Going to the Cloud https://www.infosecisland.com/blogview/24932-Cloud-Control-Key-Points-to-Consider-When-Going-to-the-Cloud.html Wed, 24 May 2017 11:12:00 -0500 Many organizations are considering public cloud storage for their data because of its low upfront cost and ease of use. Public cloud providers such as Amazon Web Services are built around an OpEx model that can look more appealing than building an on-site data center. But there are some important things to keep in mind when "going to the cloud."

1. Not All Clouds Are Created Equal: A growing number of companies are entering the cloud storage and service provider market, yet most will not survive. Over 100 cloud providers went out of business in 2016, which shows how important it is to stick with established ones. See this recent Network World article for classic examples of providers shutting down without giving customers enough time to retrieve their data: Cloud’s Worst-Case Scenario: What To Do If Your Provider Goes Belly Up

2. Always Keep a Local Copy: Users who keep a local copy of their data can change providers easily: delete the data at the old provider and seed the new one from the local copy, with no need to download everything and pay the egress fees that come with leaving a cloud. If you decide cloud is not the right option, you can pull out at no cost to your organization, and if your provider evaporates, you still have your data.

Clouds also experience outages. With a local copy, business continues while your cloud is down.

Large retrievals from the cloud can be costly; with a local copy they run from your own hardware. Speed of access matters too: cloud storage tiers come with different service level agreements (SLAs), ranging from milliseconds to hours before the data is even available for download, after which the download itself is bounded by your network connection (the white paper Iron Mountain vs. Amazon Glacier: Total Cost Analysis For Off-Site Storage compares options for off-site storage).

3. Determine a Recovery Time Objective: Know how long your organization can operate without access to its cloud data before operations suffer, and how long recalling that data takes in your current environment. What is your SLA? What is your bandwidth, and how much of it can be dedicated to restoring data from the cloud? What does pulling the data out cost?

4. Look at the BIG Picture: Know how fast your data is growing and how long you must retain it. How much data will your organization hold in three years? What will it cost to store, and what would it cost to retrieve?
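Points 2 through 4 come down to a few numbers that are worth writing out. The following is an added example written for this page, not a calculator from the article or from Spectra: it estimates restore time from an archive tier against a recovery time objective, compares it with the same restore from a local copy, prices the egress, and projects data growth over a three-year horizon. Every figure (data size, SLA wait, link speed, per-GB egress price, growth rate) is a constructed assumption; plug in your own.

```python
"""Worked recovery planning for cloud-held data: restore time against a
recovery time objective (RTO), the same restore from a local copy, egress
cost, and projected data growth.  Added illustration; every figure below is a
constructed assumption, not a number from the article or any provider."""
from dataclasses import dataclass


@dataclass
class RestorePlan:
    label: str
    size_gb: float            # data that must come back
    first_byte_hours: float   # SLA wait before data is available (near 0 for hot tiers, hours for archive tiers)
    link_mbps: float          # speed of the link between you and the copy
    link_share: float         # fraction of that link you can devote to the restore (0..1)
    egress_usd_per_gb: float  # per-GB retrieval/egress charge (0 for a local copy)


def restore_hours(plan: RestorePlan) -> float:
    """Wall-clock hours: SLA wait plus transfer time at the usable bandwidth.
    1 GB is taken as 8000 megabits (decimal units, as links are rated)."""
    usable_mbps = plan.link_mbps * plan.link_share
    transfer_hours = plan.size_gb * 8000 / usable_mbps / 3600
    return plan.first_byte_hours + transfer_hours


def egress_cost_usd(plan: RestorePlan) -> float:
    return plan.size_gb * plan.egress_usd_per_gb


def meets_rto(plan: RestorePlan, rto_hours: float) -> bool:
    return restore_hours(plan) <= rto_hours


def projected_size_gb(size_gb: float, annual_growth: float, years: int) -> float:
    """Data held after `years` of compound growth at `annual_growth` (0.4 = 40%/yr)."""
    return size_gb * (1 + annual_growth) ** years


def compare(plans, rto_hours: float):
    """One row per plan: label, hours, whether it fits the RTO, and the egress bill."""
    return [(p.label, round(restore_hours(p), 2), meets_rto(p, rto_hours),
             round(egress_cost_usd(p), 2)) for p in plans]


# Constructed scenario: 5 TB to restore, 24-hour RTO, a 500 Mbps Internet link
# of which half can be spared, a 4-hour archive-tier SLA, $0.09/GB egress.
CLOUD_ARCHIVE = RestorePlan("cloud archive tier", 5000, first_byte_hours=4,
                            link_mbps=500, link_share=0.5, egress_usd_per_gb=0.09)
LOCAL_COPY = RestorePlan("local copy over 10 GbE", 5000, first_byte_hours=0,
                         link_mbps=10000, link_share=1.0, egress_usd_per_gb=0.0)

if __name__ == "__main__":
    for row in compare([CLOUD_ARCHIVE, LOCAL_COPY], rto_hours=24):
        print(row)
    future = projected_size_gb(5000, annual_growth=0.4, years=3)
    print("in 3 years:", round(future), "GB; egress at today's rate:",
          round(future * CLOUD_ARCHIVE.egress_usd_per_gb, 2), "USD")
```

With these assumptions the cloud-only restore takes about two days, twice the RTO, while the local copy finishes in just over an hour; the same arithmetic run on the three-year projection shows how quickly the egress bill and the restore window grow if the local copy is dropped.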

Establishing a solid plan when deciding to transition to the cloud is essential. By understanding the costs to store, transfer, and retrieve data, organizations can protect themselves from making a costly mistake. From keeping a local copy, to laying out a detailed recovery time objective, it becomes clear that when going to the cloud, a hybrid cloud approach that combines both on and off premise storage strategies can save substantial money over the life of your organization’s data.

About the author: Eric Polet brings more than 10 years of corporate experience to his marketing position at Spectra. As the emerging markets program manager, Eric is responsible for product positioning and messaging, brand development, demand generation, sales enablement, launch management and market intelligence.

WannaCry Shows World the Need for Endpoint Security https://www.infosecisland.com/blogview/24931-WannaCry-Shows-World-the-Need-for-Endpoint-Security.html Wed, 24 May 2017 09:05:00 -0500 Computers around the world were hit earlier this month by one of the worst ransomware outbreaks in history. The malware, dubbed "WannaCry," hit over 200 thousand computers in 150 countries, including hospital systems in the U.K., a telecom company in Spain, and universities and companies in China and Japan. Security experts say WannaCry moved so fast because it spreads from computer to computer by itself, over the network through a Windows SMB vulnerability, rather than through emails or malicious links.

WannaCry scans the victim’s device for personal files, encrypts them, and holds them for ransom until the victim pays $300 in bitcoin. If the ransom is not paid within three days, the demand rises to $600. Through these threats the attackers collected at least $50,000 in bitcoin from infected users.

Windows users who had put off updating their operating systems were the ones affected. Microsoft had patched the underlying SMB flaw (MS17-010) in March for supported versions of Windows, and on the Friday of the outbreak it released an emergency patch for unsupported versions such as Windows XP. The U.K. National Health Service had many devices still running Windows XP, which is why 48 of its trusts were affected. People running pirated copies of Windows may have to rely on third parties to obtain the security patch.

The outbreak has also caused tension between industry and government. Microsoft blamed the U.S. National Security Agency for stockpiling the vulnerability and exploit (EternalBlue) that WannaCry uses to spread. The exploit was leaked by the Shadow Brokers in April, and Microsoft's position is that the NSA did not disclose the flaw until after the exploit was stolen. Security experts argue that governments should handle cyber weapons as carefully as physical ones. Researchers have also found that WannaCry shares code with tools used in the 2014 Sony Pictures hack, attributed to the Lazarus Group, which may have ties to North Korea.

Although the initial outbreak was halted when a researcher registered the malware's kill switch domain, security experts remain concerned that people can still be infected. Below are a few steps organizations can take to limit the damage from a ransomware attack:

  1. Back up all data: Organizations should back up all of their important information, ideally daily. With current backups, data is readily recoverable after an incident and there is no need to pay a ransom to get it back. Backups should be kept on separate systems, ideally offline or otherwise unreachable from the network, so that ransomware that spreads across the network cannot encrypt them too, and so that uninfected machines are ready to go if an attack hits.
  2. Limit user access: Not all employees need administrative access or the ability to install third-party software on company devices. Reducing the number of people with administrative access, or access to confidential databases, reduces the chance of that information being compromised by a ransomware attack.
  3. Regularly inspect networks and endpoints: Routine inspection for signs of compromise lets organizations detect malware before it gets a chance to execute. Preventing an attack is far cheaper than recovering from one, in both compromised data and lost productivity.

Ransomware attacks will keep getting more sophisticated and effective as the year goes on, so organizations must prepare their networks and devices now. Regular backups and limited user access reduce the impact of an attack; endpoint security software that detects malware can stop an attack before it spreads; and prompt patching closes the door in the first place, since the fix that blocks WannaCry's spread had been available for two months before the outbreak.

About the author: Amir Geri handles research and development at Promisec, a pioneer in endpoint detection and remediation.

 
