Security Posts

Threat Roundup for September 14 to September 21

Cisco Talos - Sat, 2018/09/22 - 16:23
Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week — covering the dates between Sept. 14 and 21. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, we will summarize the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

The most prevalent threats highlighted in this roundup are:

  • Win.Dropper.Genkryptik-6690044-0
    Dropper
    This threat attempts to spread via removable drives and spam email. It uses legitimate SMTP servers to send spam from its victims.
     
  • Win.Dropper.Dofoil-6689818-0
    Dropper
    Dofoil, aka SmokeLoader, is primarily used to download and execute additional malware. Read more about this threat on our blog here.
     
  • Doc.Malware.Nastjencro-6688356-0
    Malware
    Nastjencro uses PowerShell to download and execute additional malware.
     
  • Win.Dropper.Kovter-6689163-0
    Dropper
    Kovter uses mshta and PowerShell to minimize its presence on the victim's hard drive. It uses the registry to execute a malicious script any time a file with a specific file extension is opened (e.g. *.clUQwv).
     
  • Win.Dropper.Coinminer-6688928-0
    Dropper
    This malware installs and executes cryptocurrency mining software. You can read more about this kind of threat on our blog.
     
  • Win.Dropper.Fareit-6688124-0
    Dropper
    The Fareit trojan is primarily an information stealer with the ability to download and install other malware.
     
  • Doc.Downloader.Pederr-6686124-0
    Downloader
    Pederr uses malicious PowerShell scripts to download and execute a malicious executable. It has been seen installing banking malware such as Emotet.
     
Threats

Win.Dropper.Genkryptik-6690044-0
Indicators of Compromise
Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses
  • N/A
Domain Names
  • smtp[.]yandex[.]com
Files and or directories created
  • %AppData%\Windows Update.exe
  • \??\E:\Sys.exe
  • \??\E:\autorun.inf
File Hashes
  • 0b6d3eb6dba7730fdfcaf892eb153c1cf9762419eaf0a29689ec929cc7e57aff
  • 27b205b99c01b6ef21c8ee0df5dce9a970790d61b48da3d6a8be8c8845289db5
  • 3069631a8410decb34e6210a8fc4b36de03d1635baac8655035365076a3613e4
  • 3b6ec2629747f8ddb0b244a686f29f7001b030f0ba86ab7b76961bfff0f6c151
  • 3ccba4f06849edeefe60f8a25f4752f89b9ccf8ca62378f7e6108980b244ac2c
  • 3e2a97b7d366e255fcfd2f470da800e9e5aae08a3c1d75916870f8e42ad6160a
  • 492064ef6226b2b174046c07987dfe09afcd9e2f3f69f80bb109dd8b151ea49d
  • 4b50bda6c3fe41f6c930ec701d851781e1664b720e6fc65ab2fbb6c28916f24b
  • 5325cf98bf3080c9846aba8bc76d5cb49de5ac4cf10e337e12a1945cc9a4763d
  • 5a0a5181cf8be2be6fda2be77eca48030d64ad6f737f4c911eba52219537b746
  • 5f7c12cefe681ce32304c1944da6a14e47de36d83ecb47101873d8702f041b76
  • 656a97b7d3481ebf79887b691637f45ec54c494832f5b83774f35dc2c8d8bba2
  • 714f0773cd6a55310527aa10eba1905284c42ace7a5cc063443fd8a00c9868fb
  • 73efa5fd117d51ffd6d2f51e0a946ed3455ad29334f5899b39ff338d0b72edf8
  • 825f8902a8a8ae4852ff5c2351efbc83140203473b2d90eb8526c9b8eb88faca
  • 896e7407427fdb945e2f09b65095d80c79cae041db31a16bcd5979668bcd14ec
  • 8a6fe46554f345d8e5001bff5b8147edb2570fab335bfef28d9f5cff661d6e2c
  • 8eef0b06ac1bc9445e752d851dd2ed905494df8741ae22cc3acee2af1d2ef36f
  • 9cbe3c887a94b6a4fb47f3ec3d1e329cb90b291c39f14179337c52eb3a6228a0
  • 9fb4cd041ff2bb0cbbf2e62f3633aadcbf9513ff12a449a9db8c69aee048c387
  • a52367db8f3e58f122222d22b62072ad827389760e6cf179382b29e5d5478152
  • a80cb2444eaa865fc268874e90ab7af658335159e6c6d0ffd939662f9f7b82e6
  • af8e4c150fe96ee59d7a9ef0dc5d97624fa94bc4dd6a6bcb947b7c5820b9f47b
  • b906ab1e3606cd64670fa1ad6c308a63f10b6d71d1758f3f58cf72947ce4d836
  • c9a8eefdca421af7871d7dd3bccbb56a64fc1b7c0721260286a5c5e4d3c0ef67

Coverage: AMP, ThreatGrid, Umbrella (screenshots of detection)

Win.Dropper.Dofoil-6689818-0
Indicators of Compromise
Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: internat.exe
Mutexes
  • N/A
IP Addresses
  • 99[.]12[.]215[.]168
  • 98[.]217[.]41[.]219
  • 99[.]152[.]6[.]105
  • 98[.]66[.]233[.]28
Domain Names
  • N/A
Files and or directories created
  • N/A
File Hashes
  • 09b128c59e326c83d4c51cab9cbdd5be2e94dbfb6f10ec8c6a2624e209c72e48
  • 0c2b53607f9a654193bd746068de1ddf9d5bf6b7bc6f3971f72fae2f3ff9a285
  • 16153bfbe50ea0565dcdf55151483f47dda327a367883a26848e2a5d89205aae
  • 17b672d424c62eeebf742068e1c1e38404d2ec0d28349265ee14b546aa6adbb7
  • 21785834f2d808fa9c19956b9c4f24ddc22730e69ca4c781cc006541a4807e5d
  • 23edd474e7fbdb77e2125cc41c70d79959b8ebc764108a230dbfa2843f6993ba
  • 2664dd574bb2115864e4d9ca72f8ad0acf53bfc6b02697795ad980c05e2d4127
  • 27c1d0d72d43e3af324ce52ccdceae142f404f7636862654a8e9da9890de4099
  • 29e59373e62a2c41003cf065865b07f847003467f70dc50d67a6c8592dd4303c
  • 31609ceba86711fe540c4aa7beca78dba4c0f72f41c15251fe98fb9b6d099b01
  • 394a644677da56ac14dbc5b3c72db0f60f77158ead598f3dc9af3564a326f7a1
  • 3e72c6843feadb36dadf0e34551762164a1f24554584c9cca7e1629d6b8f027e
  • 3fc9444d1ee0fa180d761646db3828b1e5f97e2db46a4fc613ee4bc9eb1211c7
  • 41f3fc180ba3c26cf716adff8ae07a9d509d621390d4733cf4b4d8b68f0ec49e
  • 475fec4512fa00322e723ba1a687a01ffe9c64532f6d8d9899d2c8ffbe0a3088
  • 4d905057797bdddd0f17bc62bbd051bb34c08a095e563fb56c30ab08c67398e2
  • 578e81265a2a78e97cb088b34c45f78c1a75ad1515b0a4720592bd4b061d3f0f
  • 5cb179313e277a4d50a637f69d1277fdb63d3b713d3df37c0f7289814d4f04ca
  • 5f3d2fbdaead02e440ad43475cc6411e08738495129eb83c8897cca10379d180
  • 60d91c1223b66c03b82223ac156437e1d299d51a9cb5e6c0e8b4eb8f383d1982
  • 6bd7d37e7dc72a6681c97abf4e315e780325de849159ac9bcd44174b79048d82
  • 6c6afd4ee02aab0050696b157e6db5b14b5a94c84b10c6475e34b0a544668e72
  • 7209b1b807534e03c3ca7fc12df9b74b5cbebc66f834eef37a22b1764476acbb
  • 73b5f2e591f089008a0b2711adc80e38b83f759d4d2e576bc742ea10734466fb
  • 74b13ba6c7a4e340386826c97b1cb5492e7b2f8b662e4e01b643c817d9866c2c

Coverage: AMP, ThreatGrid (screenshots of detection)

Doc.Malware.Nastjencro-6688356-0
Indicators of Compromise
Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses
  • 185[.]159[.]130[.]242
  • 185[.]228[.]232[.]143
Domain Names
  • N/A
Files and or directories created
  • %LocalAppData%\Temp\qqqqqqqqq_qqqqq_qqqqqq_qqqqqqq74.exe
  • %LocalAppData%\Temp\handler.bat
  • %LocalAppData%\Temp\j55xmasb.5xy.ps1
File Hashes
  • 0064cc856676d9530b8a8ef988ebf0f0e85941eeb03e92d048bdb61cfd221044
  • 0386cc5236fb5503511727f90f74b5eef0568ca375acbd34b8cef4a873503f50
  • 05d309d7f97a3fb941eecff000a4e552c92765075aa3bfd462c17bea3898d208
  • 05de2abe6e7cbcbd01d9be985eae7fcf874ecbb1479abf6d48ce5ae9f84a8824
  • 07d9423510851c706ae4a8a5f7732e649aa9a9b1bbc2616cffcb6d3c6a49323a
  • 08a032433b81c351cf503ba89954fd93c7b9414d6f63d0253302a23e94ed4f5d
  • 08d284ffcfa51ffc67b769213b211c22390475f614a715e9eec6a494be4eb7ad
  • 0a08e09efa13b5337d6b64b7b7cff355e5ca5eaafc35a50acf0b5032b17c25a3
  • 0a4712cb76c18cf69d9d18d6ba2f3e36a7a8e57ecdb55e588751618e38f999f9
  • 0e177a278f491afa651957dc5df685bb5204e23b46850efa4873cd36a8b0ce9d
  • 0ebde3a80d2d1d0bbe20fab28afb4a956afd685adf750da27122b0a619d2d299
  • 13674ec6f804aad27306cb7100c09630d097fee38f8033fa5b65ffa156d4d9e4
  • 14798d7f311744799d24804d03214f816d553739c90629de1c484f04fc4cda01
  • 17c28bdbd648b237b705687564612a5844ae2898c3b2f8d7af7d244bdc21afba
  • 18b76a5575b1d7dea98eca66d48057e0855c55aa9b6766b2cc0a61b30de55fdf
  • 18bdc01b7d8eb340255dc17d761ae5f444587df4262cbe936cce1a0a0bbf3869
  • 18e3faccf8f62cd05f0b396c2af7501975d0710d2d16318bc65f1e8f6f3654f1
  • 1badce6bf66a310c2deebd61e4d168e11ccf6a045f3b5a4621abced338c6ad0a
  • 1c02f4358e2564f843ba59fa93787f9250e028e7f6bbddd2d5bb8ef56d739347
  • 1ce16aea648c94342a24cab22c33228d0d951fd4e478791ed61d02a511e6f8e6
  • 1f36192c1b9e670836c411bc2bf855ecdb1d5a6eff5052fa9f65251dde011e85
  • 21797bc7f67e06f1e3bb6d63a6e471121ae2ba5227219cd8d7518c39038e892d
  • 247386e46a27fe5a805201d0d8a7547701b344533be725dbaf52c814d9c698a1
  • 24ae782268b91d62055e9b7b39a57cd99707c03de5df953a598c457f998a1a31
  • 24f23bf843af4a7af0bf10aac5763c5d54dedfc0f97caefced30d911cae334df

Coverage: AMP, ThreatGrid (screenshots of detection)


Win.Dropper.Kovter-6689163-0
Indicators of Compromise
Registry Keys
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: \x008567f942
  • <HKCR>\DR2V\SHELL\OPEN\COMMAND
  • <HKCR>\.CLUQWV
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: \x0070f54730
Mutexes
  • N/A
IP Addresses
  • 98[.]228[.]140[.]122
  • 98[.]228[.]140[.]122
  • 99[.]78[.]177[.]117
Domain Names
  • find-dentalimplants[.]com
Files and or directories created
  • %LocalAppData%\ejybag\i3f1uvT.clUQwv
  • %LocalAppData%\Temp\y4os1u24.vgj.ps1
File Hashes
  • 03b8ab67bdd073132062dbd0f2583168a2d8a0f7ac5b91723d6b1258764ea64f
  • 0a6d5badc010d69326d9761b09b572cc80a309538e28d5fd9cac5c86a57bbc28
  • 11fa307845aee1ddfedcfe32a79e4e0bc2316c0997a06e46e07604ac99b63f79
  • 266fa02dda9470019421609062197911910f0501731b9b9eebddc5a14d9915ec
  • 594c3cb58030b08b5d444a91de2c470d23424a35dd46269939c49cf0a81613e1
  • 61fb82e5b7db8ab7d7bbdafa8a4a908a365c2c33a14f57fab7675997dea4ba20
  • 770f1ef50284455627ce75f2dc169cb8826948201656cab957108120832b01cf
  • 86d45d0596a37611f88855c879e0be52a3732f233b86c4370a592806481ab1aa
  • 8d06806978eb998acef0904676f1e0664fbf5ceec468eb157981f4b3937e865c
  • a0440a5d2e393efec2fb8f257671622b202c726dc8f76682c02db915e1d7318d
  • ba952b2c15317cda9fabfd4928c99a33d45c9e674a0a9f6bb045353021b45624
  • e507665160772d9c8d22a2564bad14a5d4126972a3168145dbe2d30f46d4f84f
  • ef502a248c1a09734b05842f98053d2e184d4f02cd75318eba97fa00af001ecd

Coverage: AMP, ThreatGrid (screenshots of detection)

Win.Dropper.Coinminer-6688928-0
Indicators of Compromise
Registry Keys
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\ZENUPDATE
    • Value Name: Type
Mutexes
  • N/A
IP Addresses
  • 94[.]130[.]64[.]225
Domain Names
  • xmr[.]pool[.]minergate[.]com
Files and or directories created
  • %LocalAppData%\Temp\RarSFX0\mexas.exe
  • %LocalAppData%\Temp\RarSFX1\Support.exe
  • %LocalAppData%\Temp\RarSFX1\system.exe
  • %WinDir%\Windows\1.exe
  • %WinDir%\Windows\1.vbs
  • %WinDir%\Windows\sistem.bat
  • %WinDir%\Windows\sistem.exe
  • %LocalAppData%\Temp\RarSFX2\3.bat
File Hashes
  • 0231bcbb139118577233fb1f7f656259fbf8333a778f6a08bf4313b399a7eda4
  • 0a4759f4397f7002e27ed2a94413e7f2bd2e93af429a344c05243d180ee9db3f
  • 177a90400bef5873f86edccb9644f7aabad085cfb3956358fd47a67d85030d66
  • 1c7aa82bb86c73a7763481af80ab563a58126141dd67a428ff906a216c23acb3
  • 20213d423c8cb20b2cd27ca9068b783ae88d25c8b4132e7398b3e39dc749bc84
  • 208998f4c61a63a06bffc006f6ca72d53a3d26d25ed18a91a729f8d885f3d434
  • 2b4c8855bb8a7886650975150357a7c14ec1f3f79512944e5d96020f2662b3dd
  • 2ce35940413042879446fb3b42d02f959bf88d758635e2b24839a2bb8f5ba5e5
  • 2ec3f6dbbd5265568fb79504311eea752aec5d976f471bb7271845b6715d41d8
  • 3cb153a58e43434c05c3bc78b19cf0d88c598e1a28669a3e695671e0fef20342
  • 45708626b424d9f5671d2985ec6a8b8c0a2ef1ed286615814edef67cd02e5e8f
  • 457c27931565b6f7161d9dcbd55307a931a61eedbee947928c66fcc5f27cf562
  • 4639bb6af2aa32540f966c3bd8bfbf939baabe9e05c6068317c5758731c474e2
  • 4878a5a116e333961832264f2df37d2b6087fd718e2ff813af07c8bd452cff4a
  • 496458dcba5b888e4cc55b96e1662b49cb42504e7d61d99f915c5bd859b6cc51
  • 5486eabfd8ff09c353b1daf1dc3e0897345743d9d6eac8f30a659c57cf8990f9
  • 63f6c26b6336b0e7e589bce24e5e8e59bc7de20bcd3dc4e2f0a4b32518bc9821
  • 6e124f148d16d85b5185c938ce87f10615f40650960c4a8def1aad9a6f6aa517
  • 84350051e0e3f2c397fb6a76ac42ef8982642bc088b8e7776e583233fe4b7163
  • 8e6fe70d98d5cc923be3053d1320812893286182bc03acf2bc1526b4c86de3c1
  • 8e806b7b90b38b45d5d8513e2f3feade0db7e07bb0939617dcb8e5de611eb53a
  • a515905e42ab3f174ffa76bb06963f7d441977da38b536e70ca207749cc10bb2
  • a6303c6d4fb8fdabb3804e537c61e6ceb03729c89481213060ed0747efa18dcb
  • adcfa5fde1d1126cf0091e5fbb2a8960d6d12bab9895169cf09ab9da68917897
  • ce69632177a83f629b2da597bf011904952be92e084872f58f2c9649082ce0cc

Coverage: AMP, ThreatGrid (screenshots of detection)

Win.Dropper.Fareit-6688124-0
Indicators of Compromise
Registry Keys
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: K4XD4XP0OPG
Mutexes
  • 8-3503835SZBFHHZ
  • OMM-7UQ942T0D7yz
IP Addresses
  • 217[.]160[.]223[.]46
  • 98[.]124[.]199[.]17
  • 52[.]54[.]24[.]134
Domain Names
  • www[.]businessintuitive[.]expert
  • www[.]instrovate[.]com
  • www[.]meesebyte[.]com
  • www[.]mxauny[.]men
  • www[.]anotherlscreation[.]com
  • www[.]maisonlecallennec[.]com
  • www[.]weltho[.]com
  • www[.]ybnonline[.]com
  • www[.]mufflerbrothersbellbrook[.]net
  • www[.]aerolitigate[.]com
Files and or directories created
  • %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\h.vbs
  • \TEMP\transfer application.exe
File Hashes
  • 1865f1902c9f9244dbed9f0610885533d06aba815de58e921fcf67af8b9cfec4
  • 187201a91fb47052f6c8b01310ae17f6fa84bff20b5653a1b0b8af54dc96da50
  • 20517fb0a924314f16246bda9b1ba2e3fdf2f8cf2d541f7a4088f8a63bc6b268
  • 2832d3cceb2392df0b331c96355d91876d3b53d76d2dabcd98cd77df0b3a1c09
  • 3c79a984a1598c9260bc6897f46fc207d3aecdb6b67180d0fa62804128621ca9
  • 4384907852405b4de4c95a6fb4e8f4a8090dcf4efb69f9efe5615752d7518c85
  • 5e8f46ecabd431d173e046a69cd45c30e0855794dc2572226454cca3d97155c6
  • 63ebdc567b8e3633fdbe3f16a1693b79a98dfe901a1f4a3fd59de361286b00e8
  • 68489889e574e1b76cf511a9fdb19d083517d810f29865f58d84816407d6cb5f
  • 69bffa8bfcde33890bbbbcb4df72fee8f455c38decfe78ffbce62cc297ed80f2
  • 6ec3a026ec2847aac11f9be2f033e8a46262cb9cfd0c9bfd93cf35a025986505
  • 9ddfd64d03cee5171560734ebadb29b90a6f152cc77ce01c3748713be7d643bc
  • b82e68bce9ba7a4c081a1f7abf60a8f74677da099ca28b16b35e8eb6265b293f
  • ba61fad6518e22448d52520ab7d1fcff23a341cdc9b8b7d90dd512145a45b659
  • bd988f2f34f4270e16cb477d30672c293a7178a61f0c834cb088a0cc06a70b58
  • dd49e3acf25c03cfd8596f78e58407fce8186e7c95d6ff2b3d0b411b85b0ff0a
  • e2222669d455bb76359e6334c46a76603b7967f54e5bebcd1c29c0ce1a9c1409

Coverage: AMP, ThreatGrid, Umbrella (screenshots of detection)


Doc.Downloader.Pederr-6686124-0
Indicators of Compromise
Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses
  • 220[.]253[.]68[.]95
  • 69[.]70[.]248[.]98
Domain Names
  • familiekoning[.]net
Files and or directories created
  • %UserProfile%\480.exe
  • %LocalAppData%\Temp\zaybh0yp.m4u.ps1
File Hashes
  • 0b0f79a09a323f618f566f99cda0e16661e635cda47c4958e0eba33ead354962
  • 43e4d5a9bba1328664912ceb46f5028da57ba14ca0246ff0f0ead90d3c488c11
  • 4b749e172456275d8acfbd0110645198b0f02157f0c8527f3c119d231ad1e364
  • 4f17ac54dae3d4bd6c6d2b7371d7f00ad2a68f662513a75c59678103b328fef0
  • 59d38c5f0fc8779756c2b586a4caa0161949298a03fba80c6253ade7747ba7d5
  • 5e885baff145db23dd14b15a489f174316c39e5bbfaf9b523498fd735920fd45
  • 76b69f93b5532b1d050b38537035eee5c1aae94690d716aa96a1b926c36e6816
  • 7c377ced751e3dfe1b62e337e5aa8835e4a16cf0b4bad8c975c92f5a04b7b434
  • 7db86c3f63c8319cef1a15b85ac2099e9943d27ce8e70c7e756b5ce065e30448
  • 8b3e7b0cd5c83967782bb2aa41996b97e8badd89b43171a48e7b28f94f443c7c
  • 8ea59348fabec29d76e8c9c3c72d08cfe3bb9080ba5e8504afea9af72cf2040e
  • 9a719afc937416f57b260e195384cb89fd72388fb25afe7e392063e5d06d4696
  • 9acc1502c8a145e569fb80ec294f4077f10c7a668f7c8032aaf4464e1d8293ef
  • a6c8b64eb83808c413d4866d6881643c62c28ab583ec848f9445dcacc49870ad
  • b61476ae5ec49be90033eaac7b45d27581b89873191a05da5cfa1594d96085a5
  • bb475f796deb9e2f64f7dbc6561b0b0a929b1eb171becd6cb19bed64bb006a8f
  • bf1e0abe4078554cbc7de5e3d8f8d87f120beb9c803c2cde9f21640c1e629ac1
  • c844112b2b7649bb5e54b2a053f1177ce074725e651160291c1e6d2a1941f697
  • c9d351497963b1f6c24c8d3d1d7e9634cd043f45ebeb211eec99810486afdca9
  • cdb87125ba3ab9416efa180784b9d8d3edc4785166438a54b02917358bf5c9c9
  • e24bad80d42293433fd0bb506319b237d29da100a25c250095af1c1bf09ce02b
  • f7af8177aae877691ea3a6ea290b8a3e29c4613b5038dbb417cf960f10625ff7
  • fd8780f8d82ad7c64e0035a9fe3468342aec9f8c145d9e3e3536d12926133573

Coverage: AMP, ThreatGrid, Umbrella (screenshots of detection)
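One way a defender can put the indicators above to work, as an added example that is not Talos code: refang the bracket-defanged IPs and domains and sweep DNS and proxy logs for them. The family-to-indicator mapping is copied from the roundup; the log lines are constructed for the demo, and the log format and the subdomain-matching rule are assumptions.

```python
"""Refang the bracket-defanged indicators from the roundup above and sweep
constructed DNS/proxy log lines for them (added example, not Talos code)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Network indicators copied from the roundup, keyed by the family that listed them.
DEFANGED_INDICATORS: Dict[str, List[str]] = {
    "Win.Dropper.Dofoil-6689818-0": ["99[.]12[.]215[.]168", "98[.]217[.]41[.]219"],
    "Win.Dropper.Kovter-6689163-0": ["98[.]228[.]140[.]122", "find-dentalimplants[.]com"],
    "Win.Dropper.Coinminer-6688928-0": ["94[.]130[.]64[.]225", "xmr[.]pool[.]minergate[.]com"],
    "Doc.Downloader.Pederr-6686124-0": ["220[.]253[.]68[.]95", "familiekoning[.]net"],
}

# Constructed log lines for the demo; the last one is a near-miss
# (199.12.215.168 is not 99.12.215.168 and must not be reported).
SAMPLE_LOG_LINES = [
    "2018-09-20T10:12:01Z dns client=10.0.0.5 query=xmr.pool.minergate.com type=A",
    "2018-09-20T10:12:04Z proxy client=10.0.0.5 dst=94.130.64.225:443 method=CONNECT",
    "2018-09-20T10:13:10Z dns client=10.0.0.9 query=www.find-dentalimplants.com type=A",
    "2018-09-20T10:14:00Z dns client=10.0.0.9 query=example.com type=A",
    "2018-09-20T10:15:22Z proxy client=10.0.0.7 dst=199.12.215.168:80 method=GET",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOSTNAME_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


@dataclass
class Hit:
    line_no: int       # 1-based index into the log input
    indicator: str     # refanged indicator that matched
    family: str        # roundup family the indicator belongs to
    line: str


def refang(indicator: str) -> str:
    """Undo common defanging so the value can be compared with live log data."""
    s = indicator.strip().lower()
    for defanged, live in (("[.]", "."), ("(.)", "."), ("[dot]", "."), ("[:]", ":"), ("[at]", "@")):
        s = s.replace(defanged, live)
    return re.sub(r"^hxxp(s?)://", r"http\1://", s)


def build_index(indicators: Dict[str, List[str]]):
    """Split refanged indicators into exact-match IPs and suffix-match domains."""
    ips, domains = {}, {}
    for family, values in indicators.items():
        for v in values:
            live = refang(v)
            (ips if IPV4_RE.fullmatch(live) else domains)[live] = family
    return ips, domains


def sweep(log_lines: List[str], indicators: Dict[str, List[str]] = DEFANGED_INDICATORS) -> List[Hit]:
    """Return one Hit per (line, indicator) pair; domains also match their subdomains."""
    ips, domains = build_index(indicators)
    hits: List[Hit] = []
    for n, raw in enumerate(log_lines, start=1):
        line = raw.lower()
        seen = set()
        # Whole-token IP match, so 199.12.215.168 does not hit on 99.12.215.168.
        for ip in IPV4_RE.findall(line):
            if ip in ips and ip not in seen:
                seen.add(ip)
                hits.append(Hit(n, ip, ips[ip], raw))
        for host in HOSTNAME_RE.findall(line):
            for dom, family in domains.items():
                if (host == dom or host.endswith("." + dom)) and dom not in seen:
                    seen.add(dom)
                    hits.append(Hit(n, dom, family, raw))
    return hits


if __name__ == "__main__":
    for h in sweep(SAMPLE_LOG_LINES):
        print(f"line {h.line_no}: {h.indicator} -> {h.family}")
```

Matching on extracted tokens rather than substrings is what keeps the near-miss IP out of the results; the suffix rule on domains is deliberate, since the roundup lists apex domains while DNS logs usually show hostnames under them.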


Categories: Security Posts

Schedule of events, conferences and courses from 24 to 30 September @elevenpaths @luca_d3 @0xWord @telefonica

Un informático en el lado del mal - Sat, 2018/09/22 - 14:36
The ninth month of the year is almost gone. Only the days of the last week remain, and of course it will include activities to keep your mind in shape. It is not enough to do some physical exercise every day to look after yourself; you also have to exercise your mind by reading, studying or learning in courses, talks and conferences. These are the events I have on my radar to bring you.

Figure 1: Schedule of events, conferences and courses from 24 to 30 September

And before I forget, the LUCA Innovation Day 2018: Science without fiction event is almost full, so if you want to come, don't wait another minute to register and reserve your seat. Also don't forget to buy my book Pentesting con FOCA 2ª Edición to study a lot, a lot about security.

25-Sept: Jornadas de la Armada [Madrid][*]
Next Tuesday the Technology Days (Jornadas Tecnológicas) will take place as part of the Navy Week (Semana de la Armada), which has been held around these dates in recent years. I have been invited to give a talk at 09:45 about cybersecurity technologies, so I will be there. I don't know whether registration is open to the public or not, but all the information is online.
Figure 2: Jornadas Tecnológicas de la Armada

25-Sept: Data-Driven Business Transformation [London]
The same day, but in London, our colleagues from LUCA D3 will be at a Data Leaders event focused on the topic you see on the website: Data-Driven Business Transformation. An interesting opportunity to see first-hand how data can be used in business. More information on the website.
Figure 3: Data Driven Business Transformation in London

26-Sept: II Congreso Industria Conectada 4.0 [Madrid]
It will be the second edition, and Telefónica will be present in the IoT, Big Data, Cybersecurity and Digital Transformation areas, so if you want to see what the trends are and how the most effective companies are evolving, you have a full day dedicated to just that. All the information is on the II Congreso de Industria Conectada 4.0 website.
Figure 4: II Congreso de Industria Conectada 4.0

26-Sept: SEDIAN Day Seguridad Digital en Andalucía [Sevilla]
The same Wednesday, but in Seville, there will be a day dedicated to the security of digital technologies. Our colleague Yaiza Rubio will take part, talking about trends and attacks on companies and how we should face these new threats. All the information is on the event website.
Figure 5: SEDIAN Day in Seville

26-Sept: Curso Online Auditorías Móviles [Online]
Throughout the day on 26 September the new edition of the Curso Online de Auditorías Móviles (online mobile auditing course) by our colleagues at The Security Sentinel gets under way. A 250-hour training course on how to audit the security of mobile applications and devices, and on how to produce forensic reports. As a complement to the training, students receive the 0xWord book I wrote together with some colleagues on iOS hacking, Hacking iOS: iPhone & iPad [2ª Edición], which explains many of these techniques focused on the iOS world.
Figure 6: Curso Online de Auditorías Móviles

26 and 27 Sept: Smart Tourism Days at the UPV [Gandía]
On the 26th, the first day of this event, our colleagues from LUCA will take part, talking about how we built the LUCA Tourism solution to provide Data-Driven solutions for the intelligent management of tourism processes. A session that forms part of a much broader agenda that you can see on the conference website.
Figure 7: Smart-Tourism in Gandía

And that is the most important of what we are taking part in this last week. We hope some of these activities are of interest to you and that we see each other around.

Saludos Malignos!
Categories: Security Posts

Forrester Says that AlienVault “Challenges” Enterprise SIEM vendors

AlienVault Blogs - Fri, 2018/09/21 - 16:18
Forrester just released their “Security Analytics Wave” report that evaluates Security Analytics/SIEM technologies used by large enterprises (5000+ employees). I am super excited that AlienVault was included for the first time and placed as a “Challenger”. This is quite incredible if you think about it. To include AlienVault as a challenger in a group of vendors that provide big data platforms to large enterprises is a major note on the state of the market.

AlienVault has always taken a contrarian approach to traditional SIEM/big-data-based security techniques. We do not require our users to set up data lakes or train machine learning algorithms; instead we make it as simple as possible to quickly detect threats, efficiently respond to breaches and manage compliance. We provide a SaaS platform to remove the administrative overhead of a big data product, we integrate the essential security capabilities most customers need, and our Labs team delivers Threat Intelligence on a daily basis to train all of the technologies in our platform. The result is that 46% of our customers are investigating an alarm within 24 hours! In contrast, it takes days, maybe more, just to deploy and populate a big data store, let alone construct analytics workflows.

In our early years we quickly gained a large, loyal following in organizations with fewer than 5000 employees. Our approach has helped security champions in more than 7000 organizations around the world, along with over 80000 subscribers to our Open Threat Exchange (OTX). In fact, Forrester did an objective analysis of the impact USM Anywhere has had on some real-world users of the product. They found that there was an 80% reduction in the time spent on ‘security engineering’ (time spent deploying, maintaining and integrating security technology), an 80% improvement in the time to detect an incident, and an average of 6000 hours a year saved on their audits (2.5 full-time employees!). You can find this report here: https://www.alienvault.com/resource-center/analyst-reports/forrester-total-economic-impact-study

Our inclusion in the Wave reflects that our value proposition is now resonating with a broader set of customers by making a noticeable dent in ‘traditional’ approaches that require a security team to procure, deploy and integrate security controls into a data lake, and research teams to stay current on threats and tune AI and ML algorithms. In addition, organizations need an operations team to continuously monitor dashboards and respond to the threats. This approach is heavy in technology and heavy in people; it is exactly what we set out to solve with USM Anywhere. As we continue our evolution and become AT&T Cybersecurity, it gives us access to one of the world’s largest cyber-security operations. We look forward to leveraging this knowledge to improve the USM Anywhere platform, deliver new capabilities and expand our threat intelligence to disrupt the status quo and help organizations of all sizes strengthen and simplify their security postures. To learn more about the USM Anywhere platform, you can take a look at our interactive demo (https://www.alienvault.com/products/usm-anywhere/demo) or call us (https://www.alienvault.com/contact).
 
Categories: Security Posts

Things I Hearted this Week, 21st Sept 2018

AlienVault Blogs - Fri, 2018/09/21 - 15:00
Next week I’ll be flying out to Dallas, Texas to attend the AT&T Business Summit. I’ve never been to Dallas before, so I hope to check out the sights and maybe even find out who did shoot JR (if you were born after 1983 that reference probably means nothing to you).

Do Breaches Affect Stock Market Share Prices?

A common question that comes up is whether a breach actually impacts a company’s share price or not. There are varying degrees of opinions and anecdotes, but what we really need is data. Comparitech has published a very detailed breakdown, complete with methodology and data used. Some of the key findings include:
  • In the long term, breached companies underperformed the market. After 1 year, share price grew 8.53% on average, but underperformed the NASDAQ by -3.7%. After 2 years, average share price rose 17.78%, but underperformed the NASDAQ by -11.35%. And after three years, average share price is up by 28.71% but down against the NASDAQ by -15.58%. It’s important to note the impact of data breaches likely diminishes over time.
  • Share prices of breached companies hit a low point approximately 14 market days following a breach. Share prices fall 2.89% on average, and underperform the NASDAQ by -4.6%
  • After about a month, share prices rebound and catch up to NASDAQ performance on average
  • After the first month, the companies we analyzed actually performed better than they did prior to the breach. In the six months leading up to a breach, average share price grew 3.64%, compared to 7.02% following a breach. Similarly, the companies underperformed the NASDAQ by -1.53% leading up to the breach, but managed to outperform it by 0.09% afterward.
  • Finance and payment companies saw the largest drop in share price performance following a breach, while healthcare companies were least affected
  • Breaches that leak highly sensitive information like credit card and social security numbers see larger drops in share price performance on average than companies that leak less sensitive info
  • Analysis: How data breaches affect stock market share prices | Comparitech
Europol Internet Organised Crime Threat Assessment 2018

Ransomware continues to be the biggest malware threat to businesses around the world, but mobile threats and cryptojacking are emerging as serious challenges, according to Europol. The law enforcement organization’s annual Internet Organised Crime Threat Assessment (IOCTA) provides a good snapshot of current industry trends. It reflects the findings of many security vendors: that ransomware is slowing but is still the most widespread financially motivated threat out there, ahead of banking Trojans — and will be so for several years. DDoS attacks were second only to malware in terms of volume in 2017, as infrastructure becomes more “accessible, low-cost and low-risk.”

Ransomware Blanks Bristol Airport Screens

For two days last week, airport officials were using posters and whiteboards to announce check-in and arrival information for flights going through the airport. Which shows it’s good to have a backup system in place.

Run Critical Infrastructure Regardless of Malware

As threats and cyber-attacks on critical infrastructure are expected to intensify in the near future, cyber-security experts believe that companies and government agencies should be prepared to operate networks whether or not there is malware or a threat actor on the network. The idea is that cyber-attacks should not cause downtime of any form, and networks should be designed in a way that an attacker's presence does not affect the network's availability for end users. One expert who believes in this approach is Major General Robert Wheeler, retired US Air Force, and former Deputy Chief Information Officer for Command, Control, Communications and Computers (C4) and Information Infrastructure Capabilities (DCIO for C4IIC), US Air Force.

The Big Boys of Tech are Out of Their Depth

I came across this interesting article where the author feels sorry for the big boys of tech, Zuckerberg, Dorsey, and others in similar positions. In many ways I agree with the main points that these founders may not be able to fix privacy and security issues on these social platforms - but then again, I don’t think there is a suitable replacement. That’s one of the problems when you enter new realities: there are no real maps to follow. Still, an article worth pondering over.

Other Random Stories I Liked this Week
Categories: Security Posts

Hex-Rays Microcode API vs. Obfuscating Compiler

Hex blog - Wed, 2018/09/19 - 12:22
This is a guest entry written by Rolf Rolles from Mobius Strip Reverse Engineering. His views and opinions are his own, and not those of Hex-Rays. Any technical or maintenance issues regarding the code herein should be directed to him. In this entry, we’ll investigate an in-the-wild malware sample that was compiled by an obfuscating …
Categories: Security Posts

Pattern Welding Explained as Wearable Art

Niels Provos - Tue, 2018/08/28 - 06:37

Pattern-Welding was used throughout the Viking age to imbue swords with intricate patterns that were associated with mystical qualities. This visualization shows the pattern progression in a twisted rod with increasing removal of material. It took me two years of intermittent work to get to this image. I liked this image so much that I ordered it for myself as a t-shirt and am looking forward to people asking me what the image is all about. If you want to get a t-shirt yourself, you can order this design via RedBubble. If you end up ordering a t-shirt, let me know if it ends up getting you into any interesting conversations!

Categories: Security Posts

An Elaborate Hack Shows How Much Damage IoT Bugs Can Do

Wired: Security - Mon, 2018/04/16 - 19:00
Rube-Goldbergesque IoT hacks are surprisingly simple to pull off—and can do a ton of damage.
Categories: Security Posts

How Russian Facebook Ads Divided and Targeted US Voters Before the 2016 Election

Wired: Security - Mon, 2018/04/16 - 15:00
New research shows just how prevalent political advertising was from suspicious groups in 2016—including Russian trolls.
Categories: Security Posts

Infocon: green

SANS Internet Storm Center, InfoCON: green - Fri, 2018/04/06 - 17:46
ISC Stormcast For Friday, April 6th 2018 https://isc.sans.edu/podcastdetail.html?id=5943
Categories: Security Posts

ISC Stormcast For Friday, April 6th 2018 https://isc.sans.edu/podcastdetail.html?id=5943, (Fri, Apr 6th)

SANS Internet Storm Center, InfoCON: green - Fri, 2018/04/06 - 03:30
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security Posts

Threat Hunting & Adversary Emulation: The HELK vs APTSimulator - Part 1, (Thu, Apr 5th)

SANS Internet Storm Center, InfoCON: green - Thu, 2018/04/05 - 19:26

Ladies and gentlemen, for our main attraction, I give you...The HELK vs APTSimulator, in a Death Battle! The late, great Randy "Macho Man" Savage said many things in his day, in his own special way, but "Expect the unexpected in the kingdom of madness!" could be our theme. I'm having a flashback to my college days, many moons ago. :-) The HELK just brought it on. Yes, I know, HELK is the Hunting ELK stack, got it, but it reminded me of the Hulk, and then, I thought of a Hulkamania showdown with APTSimulator, and Randy Savage's classic, raspy voice popped in my head with "Hulkamania is like a single grain of sand in the Sahara desert that is Macho Madness." And that, dear reader, is a glimpse into exactly three seconds or less in the mind of your scribe, a strange place to be certain. But alas, that's how we came up with this fabulous showcase.
In this corner, from Roberto Rodriguez, @Cyb3rWard0g, the specter in SpecterOps, it's...The...HELK! This, my friends, is worth every ounce of hype we can muster.
And in the other corner, from Florian Roth, @cyb3rops, the Fracas of Frankfurt, we have APTSimulator. All your worst adversary apparitions in one APT mic drop. This...is...Death Battle! Now with that out of our system, let's begin. There's a lot of goodness here, so I'm definitely going to do this in two parts so as not to undervalue these two offerings.
HELK is incredibly easy to install. It's also well documented, with lots of related reading material; let me propose that you take the time to review it all. Pay particular attention to the wiki, gain comfort with the architecture, then review the installation steps.
On an Ubuntu 16.04 LTS system I ran:
git clone https://github.com/Cyb3rWard0g/HELK.git
cd HELK/
sudo ./helk_install.sh 
Of the three installation options I was presented with, pulling the latest HELK Docker image from the cyb3rward0g Docker Hub, building the HELK image from a local Dockerfile, or installing HELK from a local bash script, I chose the first and went with the latest Docker image. The installation script does a fantastic job of fulfilling dependencies for you: if you haven't installed Docker, the HELK install script does it for you. You can observe the entire install process in Figure 1.
Figure 1: HELK Installation
You can immediately confirm your clean installation by navigating to your HELK KIBANA URL, in my case http://192.168.248.29.
For my test Windows system I created a Windows 7 x86 virtual machine with VirtualBox. The key to success here is ensuring that you install Winlogbeat on the Windows systems from which you'd like to ship logs to HELK. More important is ensuring that you run Winlogbeat with the right winlogbeat.yml file. You'll want to modify this and copy it to your target systems. The critical modification is line 123, under the Kafka output, where you need to add the IP address of your HELK server in three spots. My modification appeared as hosts: ["192.168.248.29:9092","192.168.248.29:9093","192.168.248.29:9094"]. As noted in the HELK architecture diagram, HELK consumes Winlogbeat event logs via Kafka.
On your Windows systems, with a properly modified winlogbeat.yml, you'll run:
./winlogbeat -c winlogbeat.yml -e
./winlogbeat setup -e
You'll definitely want to set up Sysmon on your target hosts as well. I prefer to do so with the @SwiftOnSecurity configuration file. If you're doing so with your initial setup, use sysmon.exe -accepteula -i sysmonconfig-export.xml. If you're modifying an existing configuration, use sysmon.exe -c sysmonconfig-export.xml. This will ensure rich data returns from Sysmon, whether using adversary emulation from APTSimulator, as we will, or experiencing the real deal.
With all set up and working you should see results in your Kibana dashboard as seen in Figure 2.
Figure 2: Initial HELK Kibana Sysmon dashboard.
Now for the showdown. :-) Florian's APTSimulator does some comprehensive emulation to make your systems appear compromised under the following scenarios:
  • POCs: Endpoint detection agents / compromise assessment tools
  • Test your security monitoring's detection capabilities
  • Test your SOC's response on a threat that isn't EICAR or a port scan
  • Prepare an environment for digital forensics classes
This is a truly admirable effort, one I advocate for most heartily as a blue team leader. With particular attention to testing your security monitoring's detection capabilities, if you don't do so regularly and comprehensively, you are, quite simply, incomplete in your practice. If you haven't tested and validated, don't consider it detection, it's just a rule with a prayer. APTSimulator can be observed conducting the likes of:
  • Creating typical attacker working directory C:\TMP...
  • Activating guest user account
    • Adding the guest user to the local administrators group
  • Placing a svchost.exe (which is actually srvany.exe) into C:\Users\Public
  • Modifying the hosts file
    • Adding update.microsoft.com mapping to private IP address
  • Using curl to access well-known C2 addresses
    • C2: msupdater.com
  • Dropping a Powershell netcat alternative into the APT dir
  • Executing nbtscan on the local network
  • Dropping a modified PsExec into the APT dir
  • Registering mimikatz in At job
  • Registering a malicious RUN key
  • Registering mimikatz in scheduled task
  • Registering cmd.exe as debugger for sethc.exe
  • Dropping web shell in new WWW directory
A couple of notes here.
Download and install APTSimulator from the Releases section of its GitHub pages.
APTSimulator includes curl.exe, 7z.exe, and 7z.dll in its helpers directory. Be sure that you drop the correct version of 7-Zip for your system architecture; I'm assuming the default binaries are 64-bit, and I was testing on a 32-bit VM. Let's do a fast run-through with HELK's Kibana Discover option, looking for the above-mentioned APTSimulator activities. Starting with a search for TMP in the sysmon-* index yields immediate results and strikes #1, 6, 7, and 8 from our APTSimulator list above; see for yourself in Figure 3.
Figure 3: TMP, PS nc, nbtscan, and PsExec in one shot
Created TMP, dropped a PowerShell netcat, nbtscanned the local network, and dropped a modified PsExec, check, check, check, and check.
How about enabling the guest user account and adding it to the local administrator's group? Figure 4 confirms.
Figure 4: Guest enabled and escalated
Strike #2 from the list. Something tells me we'll immediately find svchost.exe in C:\Users\Public. Aye, Figure 5 makes it so.
Figure 5: I've got your svchost right here
Knock #3 off the to-do, including the process.commandline, process.name, and file.creationtime references. Up next, the At job and scheduled task creation. Indeed, see Figure 6.
Figure 6: tasks OR schtasks
I think you get the point, there weren't any misses here. There are, of course, visualization options. Don't forget about Kibana's Timelion feature. Forensicators and incident responders live and die by timelines, use it to your advantage (Figure 7).
Figure 7: Timelion
Finally, under HELK's Kibana Visualize menu, you'll note 34 visualizations. By default, these are pretty basic, but you can quickly add value with sub-buckets. As an example, I selected the Sysmon_UserName visualization. Initially, it yielded a donut graph inclusive of malman (my pwned user), SYSTEM and LOCAL SERVICE. That was not good enough to be particularly useful, so I added a sub-bucket to include the process names associated with each user. The resulting graph is more detailed and tells us that of the 242 events in the last four hours associated with the malman user, 32 of those were specific to cmd.exe processes, or 18.6% (Figure 8).
Figure 8: Powerful visualization capabilities
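To make the Discover hunt and the Figure 8 sub-bucket view reproducible away from Kibana, here is an added example of my own (not code from this diary, HELK or APTSimulator). It runs detection rules for the APTSimulator activities listed earlier over a handful of constructed Sysmon-style events, then builds the same per-user process breakdown the sub-bucket visualization shows. The event layout (event_id, user, process_name, command_line, target_filename, target_object) is an assumed, simplified schema, not HELK's real field names, and the user LAB\malman and the sample values are constructed.

```python
"""Hunt for APTSimulator-style artifacts in Sysmon events (added example, not from the diary).

The event layout is an assumed, simplified schema; HELK's actual field names differ.
"""
import re
from collections import Counter, defaultdict

# Sysmon event IDs used: 1 = process create, 11 = file create, 13 = registry value set.
# Each rule: (name, Sysmon event id, field to inspect, case-insensitive regex).
RULES = [
    ("attacker working dir C:\\TMP",   1,  "command_line",    r"\bC:\\TMP\b"),
    ("guest account activated",       1,  "command_line",    r"\bnet1?(\.exe)?\s+user\s+guest\s+/active:yes"),
    ("guest added to administrators", 1,  "command_line",    r"\bnet1?(\.exe)?\s+localgroup\s+administrators\s+guest\s+/add"),
    ("svchost.exe outside System32",  11, "target_filename", r"^(?!C:\\Windows\\System32\\).*\\svchost\.exe$"),
    ("hosts file modified",           11, "target_filename", r"\\drivers\\etc\\hosts$"),
    ("sethc.exe IFEO debugger set",   13, "target_object",   r"Image File Execution Options\\sethc\.exe\\Debugger$"),
    ("Run key registered",            13, "target_object",   r"\\CurrentVersion\\Run\\"),
    ("mimikatz in at/schtasks job",   1,  "command_line",    r"^(at|schtasks)(\.exe)?\b.*mimikatz"),
    ("nbtscan on local network",      1,  "process_name",    r"^nbtscan(\.exe)?$"),
]

# Constructed sample events; LAB\malman plays the emulated victim, the rest is benign noise.
SAMPLE_EVENTS = [
    {"event_id": 1, "user": "LAB\\malman", "process_name": "cmd.exe",
     "command_line": "cmd.exe /c mkdir C:\\TMP"},
    {"event_id": 1, "user": "LAB\\malman", "process_name": "net.exe",
     "command_line": "net user guest /active:yes"},
    {"event_id": 1, "user": "LAB\\malman", "process_name": "net.exe",
     "command_line": "net localgroup administrators guest /add"},
    {"event_id": 11, "user": "LAB\\malman", "process_name": "cmd.exe",
     "target_filename": "C:\\Users\\Public\\svchost.exe"},
    {"event_id": 11, "user": "LAB\\malman", "process_name": "cmd.exe",
     "target_filename": "C:\\Windows\\System32\\drivers\\etc\\hosts"},
    {"event_id": 13, "user": "LAB\\malman", "process_name": "reg.exe",
     "target_object": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\"
                      "Image File Execution Options\\sethc.exe\\Debugger"},
    {"event_id": 13, "user": "LAB\\malman", "process_name": "reg.exe",
     "target_object": "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"event_id": 1, "user": "LAB\\malman", "process_name": "schtasks.exe",
     "command_line": "schtasks /create /tn Updater /sc onlogon /tr C:\\Users\\Public\\mimikatz.exe"},
    {"event_id": 1, "user": "LAB\\malman", "process_name": "nbtscan.exe",
     "command_line": "nbtscan.exe 192.168.248.0/24"},
    # Benign events the rules must not flag (legitimate svchost.exe lives in System32).
    {"event_id": 1, "user": "NT AUTHORITY\\SYSTEM", "process_name": "svchost.exe",
     "command_line": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
    {"event_id": 11, "user": "NT AUTHORITY\\SYSTEM", "process_name": "TiWorker.exe",
     "target_filename": "C:\\Windows\\System32\\svchost.exe"},
    {"event_id": 11, "user": "LAB\\alice", "process_name": "notepad.exe",
     "target_filename": "C:\\Users\\alice\\notes.txt"},
]


def hunt(events):
    """Return one hit per (rule, event) pair whose inspected field matches the rule."""
    hits = []
    for ev in events:
        for name, eid, field, pattern in RULES:
            if ev.get("event_id") != eid:
                continue  # a rule only applies to its own Sysmon event type
            value = ev.get(field, "")
            if re.search(pattern, value, re.IGNORECASE):
                hits.append({"rule": name, "user": ev.get("user"), "evidence": value})
    return hits


def process_counts_by_user(events):
    """Group events by user, then by process name: the Kibana sub-bucket view."""
    counts = defaultdict(Counter)
    for ev in events:
        counts[ev["user"]][ev["process_name"]] += 1
    return {user: dict(c) for user, c in counts.items()}


def process_share(events, user, process):
    """Percentage of one user's events attributable to a given process name."""
    mine = [ev for ev in events if ev["user"] == user]
    if not mine:
        return 0.0
    matching = sum(1 for ev in mine if ev["process_name"].lower() == process.lower())
    return round(100.0 * matching / len(mine), 1)


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"[{hit['rule']}] user={hit['user']} evidence={hit['evidence']}")
    print(process_counts_by_user(SAMPLE_EVENTS))
    print("cmd.exe share for LAB\\malman:", process_share(SAMPLE_EVENTS, "LAB\\malman", "cmd.exe"), "%")
```

Each rule is bound to a single Sysmon event ID so that a file path is never matched against a command line and vice versa; the svchost.exe rule uses a negative lookahead to leave the legitimate System32 copy alone, which is the kind of exclusion you need before promoting a hunt query to an alert.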
I am thrilled with both HELK and APTSimulator. The true principles of blue team and detection quality are innate in these projects. The fact that Roberto considers HELK still in alpha state leads me to believe there is so much more to come. Be sure to dig deeply into APTSimulator's Advanced Solutions as well, there's more than one way to emulate an adversary.
Part 2 will explore HELK integration with Spark, Graphframes & Jupyter notebooks.
Russ McRee | @holisticinfosec (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security Posts
