Security Posts

Infocon: green



Predictive Text Algorithms for Writing Your Own Harry Potter, Dracula or Don Quixote de la Mancha Novels

Un informático en el lado del mal - 11 hours 41 min ago
Botnik Studios is an open community of writers, developers and artists in general who have had a great idea. Using Artificial Intelligence (AI), they have managed to create a few pages of what looks like a new Harry Potter adventure, called “Harry Potter and the Portrait of what looked like a Large Pile of Ash”.

Figure 1: Predictive Text Algorithms for Writing Your Own Harry Potter,
Dracula or Don Quixote de la Mancha Novels
To achieve this, they used a predictive text algorithm, and to obtain that similarity to J.K. Rowling's style it was fed the author's seven original books in the Harry Potter saga, as our colleagues at LUCA explained in this video they made to tell us about it.


Figure 2: News item on the creation of the Harry Potter chapter
This predictive text algorithm is nothing exceptional; we use it many times without noticing. For example, the keyboards on smartphones, which learn from the suggestions we accept. That is exactly what Botnik built: two predictive keyboards, one for the narration and another for the dialogue. Then several users typed sentences while the predictive keyboard corrected them, following the pattern learned from training on the original Harry Potter books.

The Botnik team then collected the best sentences and later joined them together to create a structure similar to a chapter of the series. The news generated quite a lot of hype on the Internet, mainly because of the way it was announced: rather than saying that an AI had created a Harry Potter chapter, it perhaps should have been said that it was really the result of a collaboration between a human being and an Artificial Intelligence.

Figure 3: Cover, in the style of a book from the same saga, of this new chapter created with predictive text
You can read the complete final text here (they have also recreated it as if it were a real book, as you can see in Figure 3) and, as you will see, it is not especially brilliant. In fact, it does not look much like J.K. Rowling's writing, but it has to some extent captured the rhythm and narrative style (human intervention helped here, of course).

It is also quite comical and absurd in some sections, for example one in which Harry Potter literally takes out his eyes and throws them into a forest, or the appearance of some apparently terrible characters called Death Eaters who spend their time kissing each other and … that's it.

Figure 4: Illustration of the scene described in the previous paragraph
A predictive algorithm is not only used in the virtual keyboards of smartphones or tablets, as mentioned above; in fact we can find them practically everywhere. As a curiosity, Amazon is also working on them to anticipate whether it should ship you a product even before you buy it, based on your tastes and previous purchases.

Some of the most widely used predictive methods are linear models, decision trees (Random Forests are very common), Support Vector Machines (SVMs), Naive Bayes and Markov models. In our book “Machine Learning aplicado a la Ciberseguridad: Técnicas y ejemplos en la detección de amenazas” you can also find information on some of these algorithms applied to the world of cybersecurity, as its title says.

Figure 5: The book “Machine Learning aplicado a la Ciberseguridad:
Técnicas y ejemplos en la detección de amenazas”
The curious thing is that this news about generating a Harry Potter chapter is nothing new. Back in 2017, part of an X-Files script created in the same way appeared in the Botnik community. And it does not stop there. We can also find Bob Dylan and Strokes lyrics, or even an entire album in which all the song lyrics were generated using the same technique applied to the generation of the Harry Potter chapter.

Figure 6: Fragment of the X-Files script generated with predictive text
It is quite fun to experiment with this technique, especially if we mix different styles. The application seems not to be available on the official website, but the source code of another predictive keyboard very similar to the one used to write the Harry Potter story is. At this link you can find all the information to install it (Mac).

By default, to feed the predictive algorithm, it ships with a series of stored texts such as a fragment of a Batman story or the lyrics of Bowie songs. If you do not want to use this keyboard, at this other GitHub link you can find some programs to generate such predictive texts. This is the one we used, written in our beloved Python.

Figure 7: pt-voicebox on GitHub
But we want to do something different, so from the Project Gutenberg website, from which you can download completely free, public-domain books, we made our own selection. As we are fans of the work of H.P. Lovecraft, he could not be missing from the collection, with the story The Dunwich Horror.

We also chose The Wizard of Oz, The War of the Worlds and Dracula (we also downloaded Romeo and Juliet, just in case, to change the setting a bit). Once the program is installed, you only have to copy the files (in TXT format) into the /texts folder. The following video shows some tests and their results:


Figure 8: Demo of writing novels with predictive text tools
The first test consisted of writing some sentences using the context of The Wizard of Oz. These are some of the results (do not expect too much):

“Dorothy walked across the room and took back the emerald and said to the witch laughing …”

“… her slaves and Dorothy walked across the ditch again until they reached the emerald city and everyone seemed happy”

For the next test, this time we mixed The Wizard of Oz with The Dunwich Horror:

“ … from the Necronomicon and the wild tales from Dunwich village it could hear strange people who lived in Kansas where Dorothy was afraid to give me courage to keep my promises and they walked through the glass to … “

“… as he saw into the shadowland of sentinel hillluther the scarecrow was thinking that the horror represented descended by dunwich route or any other city…”

Since a good science fiction story should never lack Martians, let's add The War of the Worlds to The Wizard of Oz and also, why not, The Dunwich Horror. This was part of the result obtained:

“… with the permission of the martians i will go to oz today however if …”

“ … in the middle of the emerald city is possible to tortured their brains but it certainly is not another dimension like something esoterically, and Dorothy entered another unknown dangers for her own country and especially in the Emerald City …”

By the way, we leave adapting it to Spanish as homework; to do so you will need to play a bit with the code and modify the handling of UnicodeEncodeError. We are already working on the book “Don Lazarillo de la Mancha” ;)
Figure 9: Don Lazarillo de la Mancha
Leaving aside the curiosity of this predictive algorithm, we must not forget that there have already been even more complex cases, where this time the algorithm is not predictive as such, but directly generates all the text starting from some initial seeds.
In fact, the first novel written by an Artificial Intelligence is called “1 The Road” and it is simply unsettling. In this case, all the information that could be collected during a long road trip was used as the initial seed. That is, they activated a microphone, images, locations, dialogues, etc., and used all of that to train an LSTM-type neural network.
Figure 10: The text of the novel “1 The Road” was printed in full on receipt rolls
Before long it will be practically impossible to tell whether a text is or is not the direct work of a specific author, or whether it is real or not. And the same will happen with news, a tweet, a blog article, etc. But this does not stop at text.
My colleagues Pablo González and Enrique Blanco showed us a PoC at RootedCon 2019 where it was possible to impersonate another person's face and appearance in real time (here you can find a complete article on this subject). In the near future it will be quite difficult to detect whether some type of media (video, text, images, etc.) is real or fake.

Figure 11: Creating Chema Alonso with an AI
So we are at the birth of a new field in the world of cybersecurity, aimed at creating techniques and tools capable of detecting these fakes. In fact, in the same talk, they themselves presented a small algorithm that was able to detect a fake video based on the number and frequency of the subject's blinks, simply spectacular. We have a name in mind for this new discipline in charge of finding fakes: Voight-Kampff ;)
Author: Fran Ramírez (@cyberhadesblog) is a security researcher and member of the Ideas Locas team at the CDO at Telefónica, co-author of the books "Microhistorias: Anécdotas y Curiosidades de la historia de la informática (y los hackers)", "Docker: SecDevOps" and “Machine Learning aplicado a la Ciberseguridad”, as well as the blog CyberHades.
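As an added illustration of the predictive-keyboard approach the post describes (not code from the post, from Botnik or from pt-voicebox), here is a small word-level Markov model in Python that learns from several texts, mixes them, and backs off to shorter contexts the way a phone keyboard does. The corpora are short constructed snippets that echo the post's outputs; the Spanish one shows accented characters surviving as str tokens, which is the Unicode issue the post leaves as homework.

```python
import random
import re
from collections import Counter, defaultdict

# Constructed sample corpora that loosely echo the post's outputs; they are not the
# Project Gutenberg texts the authors used.
CORPORA = {
    "oz": (
        "Dorothy walked across the room and took back the emerald. "
        "Dorothy walked across the ditch again until they reached the Emerald City "
        "and everyone seemed happy."
    ),
    "dunwich": (
        "Strange people lived in Dunwich village and the wild tales from Dunwich "
        "spoke of the Necronomicon. Wilbur read the Necronomicon in the shadow of "
        "Sentinel Hill."
    ),
    # Accented letters survive because tokens are handled as str throughout.
    "quijote": "En un lugar de la Mancha vivía un hidalgo que leía libros de caballerías.",
}

# Words (\w covers accented letters in a str pattern) plus sentence punctuation.
TOKEN_RE = re.compile(r"\w+|[.,;!?]")


def tokenize(text):
    return TOKEN_RE.findall(text.lower())


class PredictiveKeyboard:
    """Word-level Markov model: a context of up to `order` words -> next-word counts."""

    def __init__(self, order=2):
        self.order = order
        # tables[n] maps an n-word context tuple to a Counter of the words that followed it
        self.tables = {n: defaultdict(Counter) for n in range(1, order + 1)}

    def train(self, text):
        tokens = tokenize(text)
        for n in range(1, self.order + 1):
            for i in range(len(tokens) - n):
                ctx = tuple(tokens[i:i + n])
                self.tables[n][ctx][tokens[i + n]] += 1

    def suggest(self, typed, k=3):
        """Top-k next words for the words typed so far, backing off to a shorter
        context when the longer one was never seen in training."""
        words = tokenize(typed)
        for n in range(min(self.order, len(words)), 0, -1):
            counts = self.tables[n].get(tuple(words[-n:]))
            if counts:
                return [w for w, _ in counts.most_common(k)]
        return []

    def generate(self, seed, length, rng):
        """Continue `seed` for `length` words, sampling in proportion to the counts."""
        words = tokenize(seed)
        for _ in range(length):
            nxt = None
            for n in range(min(self.order, len(words)), 0, -1):
                counts = self.tables[n].get(tuple(words[-n:]))
                if counts:
                    nxt = rng.choices(list(counts), weights=list(counts.values()))[0]
                    break
            if nxt is None:  # dead end (e.g. end of a corpus): restart from a seen word
                nxt = rng.choice(list(self.tables[1]))[0]
            words.append(nxt)
        return words


def build_keyboard(sources, order=2):
    """Mix several corpora into one model, as the post does with Oz and Dunwich."""
    kb = PredictiveKeyboard(order)
    for name in sources:
        kb.train(CORPORA[name])
    return kb


if __name__ == "__main__":
    kb = build_keyboard(["oz", "dunwich"])
    print(kb.suggest("Dorothy walked"))
    print(" ".join(kb.generate("the wild tales", 15, random.Random(1))))
```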
Categories: Security Posts

ISC Stormcast For Friday, May 24th 2019 https://isc.sans.edu/podcastdetail.html?id=6512, (Fri, May 24th)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security Posts

The Danger in Assange’s Charges, a Memory Experiment, and More News

Wired: Security - 16 hours 24 min ago
Catch up on the most important news from today in two minutes or less.
Categories: Security Posts

The Latest Julian Assange Indictment Is an Assault on Press Freedom

Wired: Security - 17 hours 16 min ago
By invoking the Espionage Act against Julian Assange, the Justice Department will effectively put national security journalism on trial.
Categories: Security Posts

One year later: The VPNFilter catastrophe that wasn't

Cisco Talos - Thu, 2019/05/23 - 22:24

Cisco Talos first disclosed the existence of VPNFilter on May 23, 2018. The malware made headlines across the globe, as it was a sophisticated piece of malware developed by a nation state, infecting half a million devices, and poised to cause havoc. Yet the attack was averted. The attacker’s command and control (C2) infrastructure was seized by the FBI, preventing the attacker from broadcasting orders to compromised devices. The attacker lost control of the infected systems, and potential catastrophe was prevented.

This was a wakeup call that alerted the cybersecurity community to a new kind of state-sponsored threat — a vast network of compromised devices across the globe that could stow away secrets, hide the origins of attacks and shut down networks.

This is the story of VPNFilter, and the catastrophe that was averted.
Network as the target
Network infrastructure is a tempting and useful target for attackers. Like any computing system, network devices such as routers and switches may contain vulnerabilities or misconfigurations that allow attackers to compromise the device. Once compromised, the device can be used as a point of incursion to search out and attack additional systems, or the functionality of the device can be changed to the attacker’s will, and network traffic intercepted, modified or rerouted. Unlike many other computing systems, routers and switches are unlikely to be running anti-virus software, or to be under active supervision by eagle-eyed administrators who may notice unusual activity.

In the weeks prior to the disclosure of VPNFilter, it was clear that network infrastructure was increasingly the target of state-sponsored threat actors. The activities of a threat actor associated with Russia had been observed, and government agencies across the world published advisories warning organisations to take note [1, 2, 3].
Traces of VPNFilter
Someone registered the unobtrusive domain toknowall.com in December 2015. On May 4, 2017 that domain was changed to point to an IP address hosted in France, after it initially pointed at a Bulgarian hosting provider. Although nobody knew it at the time, this was one of the means by which the attackers were communicating with VPNFilter. This domain would remain active until the threat was neutralised on May 23, 2018.

By the end of August 2017, the FBI had been made aware of a home router exhibiting unusual behaviour. The device attempted to connect to a Photobucket account to download an image, behaviour that was clearly being driven by a malware infection [4].

In fact, both the Photobucket accounts and the toknowall.com domain were hosting images in which the IP address of the C2 server, used by the threat actor to issue instructions to the malware, was hidden, disguised within the EXIF metadata of the image.
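The EXIF-based C2 lookup described above, seen from the hunting side: an added Python example (not Talos' code) that walks the APP1 Exif segment of a JPEG and reports dotted-quad strings found in ASCII metadata fields, which is the kind of check to run on images that network devices are seen fetching. The page does not say which EXIF field VPNFilter used, so scanning every ASCII field is an assumption; the JPEG is constructed inline and the address in it is a documentation-range placeholder.

```python
import re
import struct

# Dotted quad not embedded in a longer digit run
IPV4_RE = re.compile(rb"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")
# TIFF field type -> size in bytes of one element
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}
TAG_IMAGE_DESCRIPTION = 0x010E
TAG_EXIF_IFD_POINTER = 0x8769


def exif_segment(jpeg):
    """Return the TIFF payload of the APP1 Exif segment, or None if there is none."""
    if jpeg[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0x01, 0xD8, 0xD9) or 0xD0 <= marker <= 0xD7:
            pos += 2  # standalone markers carry no length field
            continue
        if marker == 0xDA:  # start of scan: no more metadata segments follow
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        body = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and body.startswith(b"Exif\x00\x00"):
            return body[6:]
        pos += 2 + length
    return None


def exif_ascii_fields(tiff):
    """Yield (tag, bytes) for every ASCII entry in IFD0 and the Exif sub-IFD."""
    endian = "<" if tiff[:2] == b"II" else ">"
    pending = [struct.unpack(endian + "I", tiff[4:8])[0]]
    seen = set()
    while pending:
        off = pending.pop()
        if off in seen or off + 2 > len(tiff):
            continue
        seen.add(off)
        count = struct.unpack(endian + "H", tiff[off:off + 2])[0]
        for i in range(count):
            e = off + 2 + 12 * i
            if e + 12 > len(tiff):
                break
            tag, typ, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
            size = TYPE_SIZES.get(typ, 1) * n
            # values of four bytes or fewer are stored inline, otherwise by offset
            data_off = e + 8 if size <= 4 else struct.unpack(endian + "I", tiff[e + 8:e + 12])[0]
            if tag == TAG_EXIF_IFD_POINTER:
                pending.append(struct.unpack(endian + "I", tiff[e + 8:e + 12])[0])
            elif typ == 2:
                yield tag, tiff[data_off:data_off + n].rstrip(b"\x00")


def find_ip_in_exif(jpeg):
    """List (tag, address) pairs for IPv4-looking strings in ASCII EXIF fields."""
    tiff = exif_segment(jpeg)
    if tiff is None:
        return []
    return [(tag, m.decode()) for tag, value in exif_ascii_fields(tiff)
            for m in IPV4_RE.findall(value)]


def make_test_jpeg(description):
    """Constructed minimal JPEG: one Exif APP1 segment holding an ImageDescription."""
    desc = description.encode() + b"\x00"
    tiff = b"II*\x00" + struct.pack("<I", 8)                  # little-endian header, IFD0 at 8
    tiff += struct.pack("<H", 1)                                # one directory entry
    tiff += struct.pack("<HHII", TAG_IMAGE_DESCRIPTION, 2, len(desc), 26)  # value at 26
    tiff += struct.pack("<I", 0)                                # no further IFD
    tiff += desc
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    print(find_ip_in_exif(make_test_jpeg("uploaded from 203.0.113.42 at dawn")))
```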

By March 2018, additional malware samples were discovered that also reached out to Photobucket, and used toknowall.com as a backup in case Photobucket was unavailable. Analysing the malware samples showed that the threat actor let an important clue slip.

To keep important data within the malware confidential, the malicious code used encryption, implementing the RC4 algorithm. However, the code implementing this algorithm included a subtle error, a mistake identical to one exhibited by code used in the BlackEnergy attacks against Ukraine and elsewhere [5]. This code reuse from one attack to another allowed government agencies to identify that this attack originated from the group known as APT28 or “Sofacy” [6].
BlackEnergy and APT28
Each threat actor group has its own mode of operation, preferences, and characteristics that it displays as part of its attacks. For example, Group 123 is known to conduct attacks by distributing documents that reference politics on the Korean peninsula [7]. In contrast, the threat actor Rocke seeks to install cryptocurrency mining software on compromised devices by downloading code from Git repositories [8]. Threat actors frequently reuse code or infrastructure, which allows researchers to identify specific threat actor groups and track their campaigns [9].

APT28, also known as Sofacy or Grizzly Steppe, is one of many threat actors that are followed by analysts. There is little doubt that this threat actor is part of the Russian Intelligence Services, that it is particularly active, and that it can cause chaos [10, 11].

The BlackEnergy attack was one of the most notorious attacks from this group. BlackEnergy disrupted electrical power distribution in Ukraine in December 2015, which caused widespread power outages across the country [7]. A particular characteristic of this attack was a component that wiped disks, rendering infected devices inoperable and destroying forensic evidence which could have been used to understand exactly how the attack was conducted [12].

This intent to destroy systems and prevent recovery was one of the factors that made it so important to respond to VPNFilter swiftly.
Capability and intent
VPNFilter managed to exploit various network devices and affected over 500,000 devices in at least 54 countries. The modular architecture of the malware allowed the threat actor to install different modules to conduct different malicious activities from the infected devices.

At its simplest, the malware contained the ability to ‘brick’ or render permanently inoperable the infected devices. Alternatively, the malware could be used as a point of ingress on a network, and subsequently used to discover and attack other systems connected to the affected device. One particular module contained functionality to identify and monitor Modbus network traffic, a protocol widely used in Industrial Control Systems.

A further module allowed the malware to create a giant Tor network comprising the many compromised systems. This network potentially allowed attackers to disguise the ultimate destination of data stolen from other compromised systems, or the country of origin of attacks against systems.

Clearly, capturing data, especially usernames and passwords, was one goal of the attack. The malware was capable of downgrading encrypted https connections to an unencrypted http connection, then saving that traffic for future collection. Similarly, anything that looked like a user credential or authorisation token could be identified, recorded, and subsequently collected.

Since the malware infected routers, which direct network traffic to its intended destination, the malware could modify the routing information and create custom destinations for certain traffic, redirecting it from the genuine destination to a separate system under the control of the attackers. All of this was achieved without alerting the end user that anything was amiss.
The response
The number of affected systems grew throughout the spring of 2018. However, sharp spikes in the numbers of new infections were observed on May 8 and 17. This sudden growth was almost exclusively within Ukraine which pointed to imminent preparation of an attack.

At this point, Talos worked with partner organisations in the private and public sector to neutralise the threat. The FBI led efforts to seize the C2 infrastructure [6], and in parallel, Talos informed members of the industry coalition group, the Cyber Threat Alliance, to ensure that the whole cyber security industry could act together to neutralise the threat [13].

The response was closely coordinated. Law enforcement took down the C2 infrastructure, cutting the ability of the attacker to send commands to the infected systems. The cyber security industry updated security products to detect and block VPNFilter, and issued advice to users on how to protect themselves.

We will never know the exact nature of the attack that was averted. The timing of the growth of infections suggested that Ukrainian Constitution Day on June 29, the anniversary of NotPetya on June 27, or Orthodox Pentecost Monday on May 28 may have been target dates. The Security Service of Ukraine suggested that the attack would have been timed to disrupt the UEFA Champions League Final, which was taking place in Kiev on May 26 [14].
Protection
VPNFilter partly resided in memory, and partly on the storage media of the devices it infected. Rebooting the device would clear the memory resident part of the malware, but not stop the malware component residing in the device storage from initiating contact with the command and control systems. However, once that C2 was disabled, the persistent part of the malware could no longer receive instructions.

The remnants of the malware can be cleared by resetting devices to factory settings, followed by patching to the latest version to remove vulnerabilities. Although it is still unclear which vulnerabilities were exploited to install VPNFilter, all the types of devices that were compromised had known existing vulnerabilities.

Given their position in the network topology, perimeter network devices are always going to be exposed to attack. Unpatched devices with known vulnerabilities that are exposed to the internet are ripe for compromise by threat actors such as APT28.

Keeping such devices fully patched and correctly configured is a vital part of network hygiene. However, if this can’t be assured, then devices need to be placed behind next generation firewalls to detect and block the attacks before they impact the vulnerable device.

Vigilance is also part of good network hygiene. VPNFilter was first detected by identifying the unusual network behaviour of an infected device. The network is ideally placed to be the sensor that detects and informs us of the actions of the bad guys.
Conclusion & Aftermath
Together, Talos and the FBI worked to identify and characterise VPNFilter. The malware’s multi-stage modular platform supported both intelligence-collection and destructive cyber attack operations. The campaign managed to infect over 500 000 devices in at least 54 countries. This malware could have been used to conduct a large-scale destructive attack, which would have rendered infected physical devices unusable and cut off internet access for hundreds of thousands of users. However, identification and characterisation of the threat, coupled with a coordinated response across the public and private sectors, stopped the attack before a catastrophe occurred.

The degree of collaboration across different organisations was unprecedented. There is always a balance to tread between keeping information private in order to maintain operational security, and sharing between partners to act together, maximising the impact against the threat actor to reduce the severity of an attack. There is evidence to suggest that Talos’ early engagement of the Cyber Threat Alliance in the case of VPNFilter has had a lasting legacy, helping to encourage others to engage in earlier and more frequent sharing of data [13].

The various malicious modules identified for VPNFilter give us an insight into the objectives and desires of the threat actor. Notably, infecting routers allows the threat actor to reroute network traffic from the intended legitimate destination to a malicious destination under the control of the attacker. Potentially this ability can be used to collect further usernames and passwords, and also to conduct man-in-the-middle attacks by intercepting and reading network traffic before passing it on to the intended destination.

APT28 is only one example of the many threat actors who continue to attempt destructive attacks. Talos recently discovered the Sea Turtle campaign. Although the unknown threat actor behind the attack is different from APT28, they also sought to reroute internet traffic in order to conduct man-in-the-middle attacks and collect user credentials. However, they achieved their objectives by a completely different approach than VPNFilter, by attacking the internet’s DNS infrastructure [15].

Clearly, network infrastructure is in the sights of nation-state threat actors. We can expect that attackers will continue to seek to compromise these systems and continue to refine and develop the malware that they use to achieve their goals. Attackers can only learn from past failures. In the inevitable next wave of attacks, we can expect to see malware that leaves fewer traces in network traffic and has a more sophisticated C2 infrastructure that is more resistant to disruption.

The network is at the heart of our professional and social lives, and increasingly, our physical environment. The little devices that connect us to the network are often overlooked, but it is these systems that allow our critical national infrastructure and enterprises to function.

VPNFilter teaches us that attackers have not overlooked the importance of these systems, and that those who may be seeking to disrupt our societies look to strike at the network. However, in attempting to conduct this attack, the threat actors have let slip their technologies and the capabilities that they are trying to develop. These clues help us in knowing where to look and how to search for the next attack in preparation.

Talos continues to use its unparalleled visibility of threats to analyse the changing threat landscape and to act together with partners to protect customers. Nevertheless, cyber security is everyone’s concern. We all have our part to play in protecting against the next attack by ensuring that we have adequate security protection, and that all our devices connected to the network are kept updated and fully patched.

We don’t know what the next major attack will be, but we continue to search for the hints and clues of an impending attack, so that we can disrupt the activity and stop catastrophes before they happen.
References
[1] The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations, US Department of Homeland Security. https://cyber.dhs.gov/assets/report/ar-16-20173.pdf
[2] UK Internet Edge Router Devices: Advisory, UK National Cyber Security Centre. https://www.ncsc.gov.uk/information/uk-internet-edge-router-devices-advisory
[3] Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices, US Department of Homeland Security. https://www.us-cert.gov/ncas/alerts/TA18-106A
[4] Affidavit in Support of an Application for a Seizure Warrant, US District Court for the Western District of Pennsylvania. https://www.justice.gov/opa/press-release/file/1066051/download
[5] New VPNFilter malware targets at least 500K networking devices worldwide, Talos. https://blog.talosintelligence.com/2018/05/VPNFilter.html
[6] Justice Department Announces Actions to Disrupt Advanced Persistent Threat 28 Botnet of Infected Routers and Network Storage Devices, US Department of Justice. https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected
[7] Korea In the Crosshairs, Talos. https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html
[8] Rocke: The Champion of Monero Miners, Talos. https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html
[9] Groups, MITRE ATT&CK. https://attack.mitre.org/groups/
[10] GRIZZLY STEPPE – Russian Malicious Cyber Activity, US Department of Homeland Security & Federal Bureau of Investigation. https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf
[11] Reckless campaign of cyber attacks by Russian military intelligence service exposed, UK National Cyber Security Centre. https://www.ncsc.gov.uk/news/reckless-campaign-cyber-attacks-russian-military-intelligence-service-exposed
[12] Cyber-Attack Against Ukrainian Critical Infrastructure, US Department of Homeland Security. https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01
[13] Information Sharing in Action: CTA’s Incident Review of VPNFilter, Cyber Threat Alliance. https://www.cyberthreatalliance.org/information-sharing-action-cta-incident-review-vpnfilter/
[14] The SBU warns of a possible large-scale cyberattack on state structures and private companies ahead of the Champions League final (via Google Translate), Security Service of Ukraine. https://ssu.gov.ua/ua/news/1/category/21/view/4823#.Xa4RX7cc.dpbs
[15] DNS Hijacking Abuses Trust In Core Internet Service, Talos. https://blog.talosintelligence.com/2019/04/seaturtle.html
Categories: Security Posts

Threat Source newsletter (May 23)

Cisco Talos - Thu, 2019/05/23 - 20:00

Newsletter compiled by Jonathan Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

Election security is a touchy — and oftentimes depressing — topic of conversation. So why not let Beer with Talos bring some levity, and more importantly, expertise, to the conversation? The latest episode focuses solely on election security, as Matt Olney runs down what he’s learned recently from spending time with various governments.

On the research end of things, we released a post earlier this week outlining the details of a new campaign called “BlackWater” that we believe could be connected to the MuddyWater APT.

And since we know everyone was waiting on this, yes, there’s coverage for that wormable Microsoft bug everyone was talking about.

There was no Threat Roundup last week, but it’ll be back tomorrow.
Upcoming public engagements with Talos
Event: Copenhagen Cybercrime Conference
Location: Industriens Hus, Copenhagen, Denmark
Date: May 29
Speaker: Paul Rascagnères
Synopsis: Paul will give an overview of an espionage campaign targeting the Middle East that we called “DNSpionage.” First, he will go over the malware and its targets and then talk about the process the attackers took to redirect DNS. The talk will include a timeline of all events in this attack, including an alert from the U.S. Department of Homeland Security.

Event: Bsides London
Location: ILEC Conference Centre, London, England
Date: June 5
Speaker: Paul Rascagnères
Synopsis: Privacy has become a more public issue over time with the advent of instant messaging and social media. Secure Instant Messaging (SIM) has even become a problem for governments to start worrying about. While many people are using these messaging apps, it’s opened up the door for attackers to create phony, malicious apps that claim to offer the same services. In this talk, Paul will show various examples of these cloned applications and the different techniques used to send data back to the attacker.

Cyber Security Week in Review
  • The U.S. Department of Homeland Security issued a warning this week against Chinese-manufactured drones. Some of the drones may be collecting their users’ personal data and transferring it back to China.
  • A forum dedicated to hijacking online accounts and carrying out SIM-swapping attacks has been hacked. More than 113,000 users on OGusers had their login information, IP addresses and private messages exposed in an attack.
  • Cisco released patches for many of its devices, fixing a vulnerability in its Secure Boot process. However, the patches will only be released in waves, and some devices could remain vulnerable until November.
  • Some of the most popular Docker containers are open to attacks. Researchers recently discovered that 20 percent of the 1,000 most used containers are impacted by a misconfiguration, including those belonging to Microsoft, Monsanto and the British government.
  • San Francisco recently passed a ban on governmental use of facial recognition technology. The new law is likely to spark debates across the country between privacy advocates and law enforcement agencies.
  • The Trump administration is considering blacklisting Hikvision, a Chinese tech company that manufactures surveillance cameras. The move would prevent the company from purchasing American technology and would create another point of tension between the two countries.
  • Google disclosed that some G Suite users’ passwords have been mistakenly stored in plaintext for nearly 14 years. The company said the passwords stayed in its secure infrastructure, and the problem has been fixed.
  • Ireland opened a GDPR investigation into Google this week, specifically how the company uses personal data for advertising. Regulators say users’ personal information is stored by Google and then sold off to advertisers without their knowledge.
  • One year after the GDPR went into effect, Europe has received an estimated 145,000 privacy complaints.
  • The latest update to Mozilla Firefox fixes 21 security vulnerabilities, two of them rated “critical.” There are also new options for users to block “digital fingerprinting” on all sites.
Notable recent security issues
Title: Coverage available for critical vulnerability in Microsoft Remote Desktop Protocol
Description: Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 79 vulnerabilities, 22 of which are rated “critical,” 55 that are considered “important” and one “moderate.” This release also includes two critical advisories: one covering Microsoft Live accounts and another addressing updates to Adobe Flash Player. This month’s security update covers security issues in a variety of Microsoft’s products, including the Scripting Engine, the Microsoft Edge web browser and GDI+.
Snort SIDs: 50014 - 50025
Title: Multiple vulnerabilities in Wacom Update Helper
Description: Adobe disclosed 87 vulnerabilities in a variety of its products as part of its monthly security update. The majority of the bugs exist in Adobe Acrobat and Acrobat Reader. There are also critical arbitrary code execution vulnerabilities in Adobe Flash Player and Reader.
Snort SIDs: 48293, 48294, 49189, 49190, 49684, 49685

Most prevalent malware files this week

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos

SHA 256: 6dfaacd6f16cb86923f21217ca436b09348ee72b34849921fed2a17bddd59310
MD5: 7054c32d4a21ae2d893a1c1994039050
Typical Filename: maftask.zip
Claimed Product: N/A
Detection Name: PUA.Osx.Adware.Advancedmaccleaner::tpd
SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
Typical Filename: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b.bin
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: Tempmf582901854.exe
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201

SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
Typical Filename: wup.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG


Categories: Security Posts

Investigating an Odd DNS Query, (Thu, May 23rd)

SANS Internet Storm Center, InfoCON: green - Thu, 2019/05/23 - 19:00
I have been asked this question a few times, and figure it may be worthwhile to document this in a quick diary. This is typically the result of watching for odd DNS queries (and I highly recommend that). But not all DNS queries are created equal, and sometimes you will see odd, or even malicious, hostnames and domain names in your logs without any wrongdoing on your end.

The latest example I just ran into: faraisp.ir. IR being the country level domain for Iran, and I am currently not doing business with Iran, which certainly makes this a bit suspect if it bubbles up to the top of the "odd domain list". The queries for this domain came in at a rate of 100-150/5min in my Zeek logs.

Next, let's break down all the queries for the "faraisp.ir" domain. You can click on the image to get a larger view. But the queries are essentially A/AAAA queries for ns[1-4].faraisp.ir. To add to this: they all came from my DNS server.

Now the DNS server's query log would usually be my next step. But in this case, the query log does not show any queries for *.faraisp.ir. I also didn't see any queries from any of my hosts to the name server for *.faraisp.ir. The reason for these queries was that a prior query returned these hostnames as authority records. This triggered my name server to do a lookup for these hostnames. So I need to search for answers that contain faraisp.ir. It turned out that a prior reverse lookup by the mail server's spam filter returned the authority record, and as a result, the name server then kept looking for ns[1-4].faraisp.ir.

So why did the mail server try to reverse resolve the IP address over and over? My first guess was spam, but it turned out to be a brute force attack against the server:

May 23 16:47:35 mail postfix/smtpd[3420]: connect from unknown[185.137.111.145]
May 23 16:47:42 mail postfix/smtpd[3420]: warning: unknown[185.137.111.145]: SASL LOGIN authentication failed: authentication failure
May 23 16:47:42 mail postfix/smtpd[3420]: disconnect from unknown[185.137.111.145]
May 23 16:47:58 mail postfix/smtpd[3420]: connect from unknown[185.137.111.44]
May 23 16:48:05 mail postfix/smtpd[3420]: warning: unknown[185.137.111.44]: SASL LOGIN authentication failed: authentication failure
May 23 16:48:05 mail postfix/smtpd[3420]: disconnect from unknown[185.137.111.44]

So at least not entirely a "false positive", but also not terribly exciting. Mail servers are probably the main source of odd DNS queries. They tend to do a lot of reverse lookups for anti-spam, and they also use various DNS based anti-spam and email validation features that often look very much like data exfiltration. You will also see a lot of less common record types in DNS queries from mail servers (TXT, SPF..).

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
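The triage walked through in the diary above (rate of queries per domain, who asks, what the resolver itself did just before, and whether the IPs behind the reverse lookups line up with SMTP authentication failures) can be scripted against Zeek's dns.log. The following is an added example, not code from the diary or from the ISC. The Zeek lines are constructed samples using a reduced column subset (real dns.log rows carry more fields), the resolver and mail server addresses are assumed, and the postfix lines are the ones quoted in the diary. Zeek's answers column holds only answer records, not the authority section, so the link between the PTR lookups and the follow-up NS-name queries is inferred from timing rather than read from the log.

```python
"""Triage an "odd domain" surfacing in Zeek dns.log: query volume per registered
domain, the hosts asking, what the resolver was doing just before each query,
and whether the IPs behind those reverse lookups appear as SMTP auth failures.
All sample data is constructed for this example."""
import re
from collections import Counter

# Constructed Zeek dns.log excerpt (tab-separated, reduced column subset).
# The PTR lookups return nothing, which is why postfix logs "unknown[...]".
ZEEK_FIELDS = ["ts", "id.orig_h", "id.resp_h", "query", "qtype_name", "answers"]
ZEEK_DNS_LOG = """\
1558622855.0\t10.0.0.25\t10.0.0.53\t145.111.137.185.in-addr.arpa\tPTR\t-
1558622855.1\t10.0.0.53\t192.0.2.1\t145.111.137.185.in-addr.arpa\tPTR\t-
1558622855.2\t10.0.0.53\t192.0.2.1\tns1.faraisp.ir\tA\t-
1558622855.3\t10.0.0.53\t192.0.2.1\tns2.faraisp.ir\tAAAA\t-
1558622878.0\t10.0.0.25\t10.0.0.53\t44.111.137.185.in-addr.arpa\tPTR\t-
1558622878.1\t10.0.0.53\t192.0.2.1\t44.111.137.185.in-addr.arpa\tPTR\t-
1558622878.2\t10.0.0.53\t192.0.2.1\tns3.faraisp.ir\tA\t-
1558622880.0\t10.0.0.77\t10.0.0.53\twww.example.com\tA\t93.184.216.34
"""
RESOLVER = "10.0.0.53"  # assumed: the site's recursive name server

# Postfix lines as quoted in the diary above.
POSTFIX_LOG = """\
May 23 16:47:35 mail postfix/smtpd[3420]: connect from unknown[185.137.111.145]
May 23 16:47:42 mail postfix/smtpd[3420]: warning: unknown[185.137.111.145]: SASL LOGIN authentication failed: authentication failure
May 23 16:47:58 mail postfix/smtpd[3420]: connect from unknown[185.137.111.44]
May 23 16:48:05 mail postfix/smtpd[3420]: warning: unknown[185.137.111.44]: SASL LOGIN authentication failed: authentication failure
"""


def parse_zeek(text):
    """Turn tab-separated rows into dicts keyed by ZEEK_FIELDS."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        row = dict(zip(ZEEK_FIELDS, line.split("\t")))
        row["ts"] = float(row["ts"])
        rows.append(row)
    return rows


def registered_domain(name):
    # Last-two-labels approximation; good enough for .ir/.com, not for co.uk-style TLDs.
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def top_domains(rows):
    """Query count per registered domain, ignoring reverse (.arpa) names."""
    return Counter(registered_domain(r["query"]) for r in rows
                   if not r["query"].endswith(".arpa"))


def ptr_to_ip(name):
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa", name)
    return ".".join(reversed(m.groups())) if m else None


def explain_domain(rows, domain, resolver, window=5.0):
    """Who queries the domain, and if only the resolver does, which of its own
    reverse lookups shortly preceded each query (timing-based inference)."""
    hits = [r for r in rows if registered_domain(r["query"]) == domain]
    sources = Counter(r["id.orig_h"] for r in hits)
    triggers = set()
    if set(sources) == {resolver}:
        for h in hits:
            for p in rows:
                if (p["id.orig_h"] == resolver and h["ts"] - window <= p["ts"] < h["ts"]
                        and registered_domain(p["query"]) != domain):
                    ip = ptr_to_ip(p["query"])
                    if ip:
                        triggers.add(ip)
    return {"count": len(hits), "sources": dict(sources),
            "triggered_by_ptr_for": sorted(triggers)}


def internal_requesters(rows, ip, resolver):
    """Internal hosts (not the resolver) that asked for the PTR of this IP."""
    rev = ".".join(reversed(ip.split("."))) + ".in-addr.arpa"
    return sorted({r["id.orig_h"] for r in rows
                   if r["query"] == rev and r["id.orig_h"] != resolver})


def smtp_auth_failures(postfix_text, ip):
    pat = re.compile(r"unknown\[" + re.escape(ip) + r"\]: SASL LOGIN authentication failed")
    return sum(1 for line in postfix_text.splitlines() if pat.search(line))


def triage(zeek_text, postfix_text, resolver):
    rows = parse_zeek(zeek_text)
    domain, _ = top_domains(rows).most_common(1)[0]
    info = explain_domain(rows, domain, resolver)
    info["domain"] = domain
    ips = info["triggered_by_ptr_for"]
    info["ptr_requested_by"] = {ip: internal_requesters(rows, ip, resolver) for ip in ips}
    info["smtp_auth_failures"] = {ip: smtp_auth_failures(postfix_text, ip) for ip in ips}
    return info


if __name__ == "__main__":
    print(triage(ZEEK_DNS_LOG, POSTFIX_LOG, RESOLVER))
```

On the sample data the report names faraisp.ir as the top domain, shows the resolver as the only source, ties the queries to failed PTR lookups for the two 185.137.111.x addresses, and shows the mail server as the host that requested those PTRs, with one SASL failure per address in the postfix log. On a real network the same shape of output separates "the resolver is chasing NS records for someone else's reverse zone" from "an internal host is talking to this domain".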
Categories: Security Posts

Sorpresa! JasperLoader targets Italy with a new bag of tricks

Cisco Talos - Thu, 2019/05/23 - 17:49
Nick Biasini and Edmund Brumaghin authored this blog post.

Executive summary
Over the past few months, a new malware loader called JasperLoader has emerged that targets Italy and other European countries with banking trojans such as Gootkit. We recently released a comprehensive analysis of the functionality associated with JasperLoader. Shortly after the publication of our analysis, the distribution activity associated with these campaigns halted. But after several weeks of relatively low volumes of activity, we discovered a new version of JasperLoader being spread. This new version features several changes and improvements from the initial version we analyzed. JasperLoader is typically used to infect systems with additional malware payloads which can be used to exfiltrate sensitive information, damage systems or otherwise negatively impact organizations.

The attackers behind this specific threat have implemented additional mechanisms to control where the malware can spread and are now taking steps to avoid analysis by sandboxes and antivirus companies. There's also a new command and control (C2) mechanism to facilitate communications between infected systems and the infrastructure being used to control them. The campaigns that are currently distributing JasperLoader continue to target Italian victims and further demonstrate that while JasperLoader is a relatively new threat, the developers behind it are continuing to actively refine and improve upon this malware at a rapid pace and introduce sophistication that is not commonly seen in financially motivated malware.

Delivery changes
As mentioned in our previous analysis of JasperLoader, the distribution campaigns attempting to spread this malware are relying heavily on certified email services in Italy. However, the actors have made some changes to the way distribution occurs.

The initial emails we saw contained ZIP files with VBS files inside them. These VBS files were similar to the VBS and DOCM files we saw in the previous campaign and began the infection process. The version with attached files didn't last long and was not very high in volume.

Shortly afterward, we saw a new shift away from using attachments directly. In the case shown below, you can see the initial email being sent through the typical certified email service that has been repeatedly leveraged by the actors behind JasperLoader.
Just as we saw previously, the email is written in Italian and states that the original message is included as an attachment. You can see the original email titled "postacert.eml" attached. The following pops up once the email is opened:
This is where the distribution process started to shift. There are not any attachments in the email, but instead, there is a hyperlink that makes a connection to hxxp:\\tribunaledinapoli[.]recsinc[.]com/documento.zip with a parameter that is referenced in the email. For example, above the full URL was hxxp:\\tribunaledinapoli[.]recsinc[.]com/documento.zip?214299. Note that the number 214299 is the number referenced in the email itself. When we initially saw this change, we immediately began to investigate and, initially, it appeared to be benign. The URL leads to an HTTP 302 response from the web server. HTTP 302 is the redirect code for temporarily moved and has been abused by adversaries for years, including the use of 302 cushioning by exploit kits several years ago.
This particular 302 redirected to www.cnnic[.]cn, which is the Chinese Internet Network Information Center (CNNIC), the organization responsible for internet affairs in the People's Republic of China. Obviously, this isn't the place that an adversary would send a potential victim to get compromised. It was at this point that we started looking at potential geofencing.

Geofencing is a technique that some adversaries use to ensure that all the victims are from a particular region or country and that researchers like us have more difficulty tracking down the activity. It's something we've seen repeatedly used by advanced adversaries but is not commonly done with crimeware threats like JasperLoader. In order to make that determination, we routed our traffic through Italian IP space and tried to follow the same link.

When the traffic is routed through Italian IP space, the results are drastically different. The request is met with a ZIP file that contains a malicious VBS file that is similar to the samples we found attached to emails earlier in the week. Once this VBS file is executed, the infection process kicks off and the loader is installed.

As we observed in previous campaigns, JasperLoader continues to leverage domain shadowing, and moves rapidly across subdomains that they control. The chart below shows the DNS resolution activity associated with one of the C2 domains leveraged by JasperLoader. The scope is fairly limited, but more than 95 percent of resolutions came from Italy, so the geofencing protections they put into place appear to be somewhat successful.
Let's now walk through the new infection process where we highlight some of the evolutions we've discovered.

JasperLoader functionality changes
The infection process associated with JasperLoader continues to feature multiple stages which are used to establish a foothold on systems, initiate communications with attacker-controlled infrastructure and implement the core functionality of the loader. While much of the process functions similar to what was described in our previous analysis of JasperLoader, there have been several notable changes to the malware's operation, which are described in the following sections.

Additional layers of obfuscation
Similar to what was previously seen in the JasperLoader infection process, the attackers rely upon several layers of obfuscation to attempt to hide the operation of the malware. In general, they leverage character replacement mechanisms and perform mathematical calculations at runtime to reconstruct the PowerShell instructions that will be executed on infected systems. This same process is used by the Visual Basic Script (VBS) downloader observed across these campaigns.
In current campaigns spreading JasperLoader, the attackers have introduced an additional layer of character replacement to further obfuscate the underlying PowerShell. Once the VBS has been deobfuscated, the underlying PowerShell is:
Replacing each of the characters in the previous image results in the Stage 1 PowerShell that is used to retrieve additional stages from attacker controlled servers. An example of this stage of PowerShell is:
This PowerShell is similar to what was seen in previous JasperLoader campaigns with a few notable differences.

Decoy documents
As can be seen in the PowerShell associated with Stage 1, a PDF is retrieved from the specified URL and displayed to the user. This PDF is not overtly malicious and is simply designed to function as a decoy document so that when a user executes the VBS, there's an expected result.
While victims will simply see the PDF above, in the background, the infection process is continuing with the malware attempting to retrieve Stage 2.

Geolocation filtering
One of the changes made in JasperLoader is the introduction of additional geolocation-based filtering. Geolocation-based filtering was also being leveraged during the delivery stage of the infection process. In previous versions of JasperLoader, the malware would use the Get-UICulture PowerShell cmdlet at each stage of the infection process and terminate if the system was configured to use the language pack associated with People's Republic of China, Russia, Ukraine or Belarus. The latest version of JasperLoader has added an additional check for Romanian and will exit if any of these language settings are in use.
Virtual machine/Sandbox detection
Another new feature that has been added in the latest version of JasperLoader is detection for hypervisor-based environments. In many cases, malware will perform various checks to determine if it is being executed in a virtual environment and terminate execution to avoid being analyzed by sandbox or anti-malware solutions.

The latest version of JasperLoader has introduced mechanisms that query the Windows Management Instrumentation (WMI) subsystem to obtain the model of the system that is being infected. The model identifier is then checked to see if it matches the following hypervisors:
  • VirtualBox
  • VMware
  • KVM
If so, the malware terminates execution and does not attempt to perform any additional actions on the system. These same checks are performed at each stage of the infection process.
Stage 3 functionality/Payload retrieval
While there have been minor changes at Stage 2, they are mostly related to file storage locations, file naming conventions, and other characteristics that are frequently modified on a campaign-by-campaign basis; the overall functionality and process of retrieving, deobfuscating, and executing Stage 2 to obtain Stage 3 remains relatively unchanged. For details of how this process works, please refer to our previous blog here.

The majority of the ongoing development activity appears to have been focused on Stage 3 of the JasperLoader infection process as that is where most of the JasperLoader functionality resides. The latest version of JasperLoader has changed how the malware attempts to persist across reboots, has introduced mechanisms to protect C2 communications, and added more robust mechanisms for ensuring that updates to JasperLoader get propagated efficiently to all of the systems that are part of the JasperLoader botnet.

Persistence mechanism
In previous versions of JasperLoader, the malware would obtain persistence on infected systems by creating a malicious Windows shortcut (LNK) in the Startup folder on the system. The latest version of JasperLoader accomplishes this using the Task Scheduler, as well. A scheduled task is created on infected systems using the following syntax:

schtasks.exe /create /TN "Windows Indexing Service" /sc DAILY /st 00:00 /f /RI 20 /du 24:59 /TR (Join-Path $bg_GoodPAth 'WindowsIndexingService.js');

This creates a Scheduled Task that will relaunch JasperLoader periodically. If this process fails, JasperLoader will then revert back to the use of the shortcut for persistence.
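A scheduled task created with the syntax quoted above leaves a process-creation record (Sysmon event ID 1 or Windows event 4688) that a defender can hunt on. The following is an added example, not code from Talos or from the malware: it parses schtasks.exe /create command lines from constructed telemetry and scores each task on traits the post describes (a script as the action, a user-writable location, a short /RI repetition interval, and a name imitating a Windows component while the action lives outside C:\Windows). The resolved script path in the first sample stands in for the loader's $bg_GoodPAth variable, whose value the post does not give, and is an assumption of this example.

```python
"""Hunt for scheduled-task persistence in process-creation telemetry by
parsing schtasks.exe /create command lines. Sample lines are constructed."""
import re

# Constructed command lines, e.g. the CommandLine field of Sysmon event ID 1.
# The first mirrors the syntax quoted in the post; its script path is assumed.
SAMPLE_COMMAND_LINES = [
    r'schtasks.exe /create /TN "Windows Indexing Service" /sc DAILY /st 00:00 /f '
    r'/RI 20 /du 24:59 /TR "C:\Users\alice\AppData\Roaming\WindowsIndexingService.js"',
    r'schtasks.exe /create /TN "ExampleVendor Updater" /sc DAILY /st 12:00 '
    r'/TR "C:\Program Files\ExampleVendor\Updater.exe"',
    r'schtasks.exe /create /TN "Windows Disk Cleanup" /sc WEEKLY '
    r'/TR "C:\Windows\System32\cleanmgr.exe /sagerun:1"',
    r'schtasks.exe /query /TN "Windows Indexing Service"',
]

# A quoted string is one token; anything else splits on whitespace.
TOKEN = re.compile(r'"([^"]*)"|(\S+)')
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf|ps1|hta|bat|cmd)\b", re.I)
USER_WRITABLE = re.compile(
    r"^(?:[a-z]:\\users\\|[a-z]:\\programdata\\|%(?:appdata|localappdata|temp|tmp|public)%)",
    re.I)


def parse_schtasks(cmdline):
    """Return {option: value-or-True} for a schtasks.exe command line, else None."""
    tokens = [quoted if quoted else bare for quoted, bare in TOKEN.findall(cmdline)]
    if not tokens or tokens[0].lower().rsplit("\\", 1)[-1] != "schtasks.exe":
        return None
    opts, i = {}, 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            # /f, /create and similar switches take no value; /TN, /TR, /RI ... do.
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[key] = tokens[i + 1]
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts


def assess(cmdline):
    """Score one task creation; None if the line is not a schtasks /create."""
    opts = parse_schtasks(cmdline)
    if not opts or "create" not in opts:
        return None
    name = opts.get("tn", "") if isinstance(opts.get("tn"), str) else ""
    action = opts.get("tr", "") if isinstance(opts.get("tr"), str) else ""
    reasons = []
    if SCRIPT_EXT.search(action):
        reasons.append("action is a script, not a signed binary")
    if USER_WRITABLE.match(action):
        reasons.append("action lives in a user-writable location")
    ri = opts.get("ri")
    if isinstance(ri, str) and ri.isdigit() and int(ri) <= 60:
        reasons.append(f"repeats every {ri} minutes")
    if name.lower().startswith("windows") and not action.lower().startswith("c:\\windows\\"):
        reasons.append("name imitates a Windows component but action is outside C:\\Windows")
    return {"name": name, "action": action, "reasons": reasons,
            "suspicious": len(reasons) >= 2}


def hunt(command_lines):
    """Return the assessments flagged as suspicious, in input order."""
    return [r for r in map(assess, command_lines) if r and r["suspicious"]]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_COMMAND_LINES):
        print(hit["name"], "->", hit["action"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

Only the first sample is flagged, on all four traits; the Program Files updater and the cleanmgr task score zero, and the /query line is ignored. The threshold of two reasons is a tuning choice: a single trait such as a short /RI is common in legitimate software. The shortcut-in-Startup fallback the post mentions is not visible in process creation and needs file-creation telemetry on the Startup folder instead.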
Failback C2 mechanism
One of the features that has been added to JasperLoader is a failback C2 domain retrieval mechanism that allows for time-based fluxing. A default C2 domain is specified. If that domain is not available, the current date on the system is used to generate a series of failback domains that the malware will attempt to use for C2 communications.
Bot registration
The malware has also implemented a new bot registration and ID generation mechanism and utilizes different pieces of information to create a unique identifier for each system than what was seen in previous versions of JasperLoader. As before, this information is communicated to the C2 as parameters within an HTTP GET request and is generated using the following:
Interesting PowerShell artifacts
One interesting artifact present in the PowerShell associated with Stage 3 of JasperLoader is in the function responsible for defining the C2 domain to use for future communications. The function is called BG_SelectDomen(). The word "domen" translates to "domain" and is a word that is widely used in multiple countries, including Romania.
While this is a low-confidence indicator, it is interesting in relation to the apparent targeting of this malware as well as the geolocational checking that is performed to determine whether it should continue to execute on infected systems.

Payload delivery
During our analysis of the latest JasperLoader campaigns, we were unable to receive the commands and URL information required to obtain a malicious PE32 from the attacker's C2 infrastructure. We did note that the C2 communications channel remained active and was beaconing.
This may be due to JasperLoader not being actively used to spread additional payloads at this time. The botnet operator may be attempting to obtain JasperLoader infections in order to build out capabilities so that they can be monetized for the purposes of leveraging the botnet to distribute additional malware in the future. We have seen reports indicating that GootKit may again be the payload of choice for this campaign. GootKit was the payload during the previous campaign we analyzed, so its inclusion in this campaign seems likely.

Conclusion
As illustrated by these new JasperLoader campaigns, adversaries are always going to take steps to try and increase their ability to infect victims, while at the same time evading detection and analysis. JasperLoader has taken that to the extreme and has quickly developed additional capabilities and added additional layers of obfuscation, while at the same time taking steps to evade virtual machines and geofence their victims in Italy. The majority of these changes came rapidly and demonstrate the author's commitment to making JasperLoader a robust, flexible threat that can be updated rapidly as security controls and detection capabilities change. Despite all these steps, we are still able to derive enough intelligence to expose their activities and protect our customers and the general public from their malicious intentions.

JasperLoader is another prime example of how rapidly threats can change and illustrates just how important threat intelligence is to ensuring that organizations are prepared to defend against them even as adversaries are constantly investing time, effort, and resources into improving upon their tools as they attempt to stay ahead of defenses deployed on enterprise networks. As techniques become less effective, cybercriminals will continue to move to other techniques to maximize their success in achieving their mission objectives. While JasperLoader is still relatively new compared to other established malware loaders out there, they have demonstrated that they will continue to improve upon this malware and leverage it against organizations. It is expected that as this botnet continues to grow, it will likely become more heavily leveraged for the distribution of various malware payloads as the operators of this botnet can make use of already infected systems at the push of a button or the issuance of a command.
Coverage

Ways our customers can detect and block this threat are listed below.


Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware detailed in this post. Below is a screenshot showing how AMP can protect customers from this threat. Try AMP for free here.

Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.


Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Additional protections with context to your specific environment and threat data are available from the Firepower Management Center.

Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Indicators of compromise
The following IOCs are associated with various malware distribution campaigns that were observed during the analysis of JasperLoader activity.

Domains
A list of domains observed to be associated with JasperLoader are below.

breed[.]wanttobea[.]com
zzi[.]aircargox[.]com
nono[.]littlebodiesbigsouls[.]com
tribunaledinapoli[.]recsinc[.]com
tribunaledinapoli[.]prepperpillbox[.]com
tribunaledinapoli[.]lowellunderwood[.]com
tribunaledinapoli[.]rntman.com

IP addresses
A list of IP addresses observed to be associated with JasperLoader are below.

185[.]158[.]251[.]171
185[.]158[.]249[.]116

Hashes
A list of file hashes (SHA256) observed to be associated with JasperLoader are below.

052c9895383eb10e4ad5bec37822f624e443bbe01700b1fe5abeeea757456aed
54666103a3c8221cf3d7d39035b638f3c3bcc233e1916b015aeee2539f38f719
ee3601c6e111c42d02c83b58b4fc70265b937e9d4d153203a4111f51a8a08aab

Categories: Security Posts

How To Optimize Your Security Defenses

BreakingPoint Labs Blog - Thu, 2019/05/23 - 16:46
As I mentioned in a blog a couple months ago, there is an absolute myriad of security architectures…
Categories: Security Posts

Automotive Ethernet—Full-Stack Conformance Testing

BreakingPoint Labs Blog - Thu, 2019/05/23 - 16:46
Ethernet is the evolved communication layer for automobiles To overcome in-car network speed…
Categories: Security Posts

Exploiting PHP Phar Deserialization Vulnerabilities - Part 1

BreakingPoint Labs Blog - Thu, 2019/05/23 - 16:46
Understanding the Inner-Workings INTRODUCTION Phar deserialization is a relatively new vector for…
Categories: Security Posts

What is ‘Metadata’ and why does it matter?

BreakingPoint Labs Blog - Thu, 2019/05/23 - 16:46
In the information technology world, metadata is a term you’ll often hear thrown around in many…
Categories: Security Posts

Subscriber-Aware Session Monitoring: The ABCs of Network Visibility

BreakingPoint Labs Blog - Thu, 2019/05/23 - 16:46
This blog is another in a series devoted to exploring critical aspects of network visibility. The…
Categories: Security Posts

Technology Changes Are Creating Significant Challenges for Higher Education

BreakingPoint Labs Blog - Thu, 2019/05/23 - 16:46
The education sector is undergoing significant change. National enrollment for higher education has…
Categories: Security Posts

What to do when traffic overwhelms your monitoring tools

BreakingPoint Labs Blog - Thu, 2019/05/23 - 16:46
Growing traffic volume is a challenge for NetOps and SecOps as they work to ensure high-quality…
Categories: Security Posts

The Best Way To Optimize Load Balancing for Inline Security Appliances

BreakingPoint Labs Blog - Thu, 2019/05/23 - 16:46
In today’s 24x7, “always on” world, the company’s data network must be as reliable as possible.…
Categories: Security Posts

What is Port Scanning?

BreakingPoint Labs Blog - Thu, 2019/05/23 - 16:46
Port scanning is the one of the oldest mechanisms used in network security scanning, service…
Categories: Security Posts

Mirai is still alive and using multiple old exploits on home routers

BreakingPoint Labs Blog - Thu, 2019/05/23 - 16:46
Ixia’s Application Threat Intelligence (ATI) security researchers continue to hunt for the latest…
Categories: Security Posts