Posted: 18 Apr 2014 | 4:16 pm
Users on a mobile phone hacking subreddit are being credited with the discovery of a malware infection targeting iOS users.…
Posted: 18 Apr 2014 | 1:03 pm
The year so far has been a particularly stressful one for enterprise IT staff. Early in the year, concerns over data breaches and point-of-sale (POS) malware gave retailers something to worry about.
The long-simmering headache of Windows XP migration came to a head when support for the venerable OS ended in April. That would normally have been the security headline of the month, but a vulnerability in OpenSSL known as Heartbleed reared its less than welcome head.
All in all, then, IT security personnel can be excused if they’re tired and just a bit weary of patching holes as they happen. Hopefully, these teams are able to properly recuperate from these rather stressful times, as the importance of trained and empowered security personnel cannot be overstated.
While the role of technical solutions gets more attention (and, frequently, funding), these solutions are worthless without trained personnel that know how to use them. Dealing with today’s attack environment is not just about using more sophisticated tools; it is also about trained IT security people making decisions, with the best information provided by their tools as well as threat intelligence at their disposal.
Unfortunately, in many organizations these teams get short shrift and are viewed as nothing more than a cost center. That looks fine until a major breach or other security failure happens – which ends up costing the organization far more.
So how exactly can organizations take care of their information security personnel? Here are four areas where organizations can help.
Give them the tools they need – and let them experiment, too.
First of all, the information security teams must have the resources they need. This can include hardware, software, and headcount. Teams should be able to do their job without having to worry that they don’t have the resources to do it. Yes, this can be expensive, but so are attacks and data breaches.
In addition, organizations should give teams some leeway to experiment. If they want to try new tools, or use new methods to gather or analyze threat information, let them experiment. These ideas don’t have to be production quality right out of the gate; all that’s needed is a proof of concept to check whether the idea will work.
Let them learn and make mistakes.
New threats and problems are always emerging. As we just saw in rather lurid detail this year, things we thought were secure sometimes aren’t. Learning has to be a key part of a team’s goals in order to stay in front of the threats encountered in day-to-day usage.
Information about threats is not always precise; things that appear to be threats may turn out to be completely harmless, and the reverse is also true. Mistakes happen; trying to reduce them is obviously desirable, but it shouldn’t turn your security team into an overcautious group that is afraid of pointing out an obvious attack.
Ensure data is freely accessible
This ties in with our first point. If an organization really wants its teams to experiment, it should ensure that its logs and databases are kept in easily accessible, open formats. Files being archived should be stored as plain text, such as comma-separated values (CSV), rather than in a proprietary binary format. Plain text can be easily processed by many viewers and scripting languages.
Why is this important? It allows searches to be performed relatively quickly and efficiently, giving an organization’s security professionals the best possible access to potential threat information. Depending on the information an organization logs and archives, it also offers intriguing possibilities for data correlation. The threat intelligence available to an organization’s defenders may improve as a result.
Listen to them.
In many organizations the security professionals are not listened to, either by other IT staff or by upper management. That is a mistake, as security professionals know what they’re talking about and can provide helpful insights if asked. It’s true for any profession, but in the security field it is of particular importance that its practitioners be engaged and considered by the rest of the organization.
All in all, the lesson is simple: the foundation of any organization’s security posture is the individuals actually putting that posture into force on the ground. To ensure the success of any policies, the individuals implementing them must receive the proper support and resources necessary to do their job.
Are you an information security professional? Let us know what you think in the comments.
Posted: 18 Apr 2014 | 10:00 am
The situation surrounding attempted mobile malware infections is constantly changing, and I’d like to write about one recent trend. Over the last year, Trojan-SMS.AndroidOS.Stealer.a, a mobile Trojan, has become a leader in terms of the number of attempted infections on KL user devices, and now continually occupies the leading positions among active threats. For example, in Q1 2014 it accounted for almost a quarter of all detected attacks.
This SMS Trojan has actively been pushed by cybercriminals in Russia, and there have also been continual attempts to attack users in Europe and Asia. Infections with this Trojan have occurred virtually everywhere across the globe:
Posted: 17 Apr 2014 | 2:00 am
During many of my customer meetings, I often hear security leaders ask the question: “What technology could I remove to free up budget to enable the implementation of FireEye?”
My natural response is to inquire how and when they assess the real value, not the ROI, they get from their existing solutions. Whilst every security solution provides an “ROI” – often a metric based around industry data on how many security “events” they return – this assessment should not focus on noisy “ROI,” but which solution gives your company the most valuable information. Considering the nature and pace of change when it comes to malware and advanced attacks, this is something to validate regularly and involves looking at more factors than a generic ROI tool can factor in.
In a small survey of about 30 European CxOs we ran in December 2013, I asked the question of how they validated the value of security controls, and, surprisingly, at least 36 percent still didn’t conduct any annual assessment.
Having spent quite a bit of time looking at analyst models and what exists publicly today, the fact that some still don’t conduct these assessments emphasizes that there still isn’t a well-defined model to correlate business value against investment for security solutions.
Take, for example, the outsourced model where Key Performance Indicators (KPIs) are typically established. Too often I hear anecdotal examples where KPIs were based on incidents found; this simply encourages dialing-up the technologies being monitored so that every incident – malicious or not – is tracked and reported, drowning out the ability to identify real threats.
Take, for example, companies investing in big data solutions that gather millions to billions of events each week and equate that volume with value. However, because they are too resource-constrained to convert these events into actionable data, the true value is never extracted and, because doing so in a resource-constrained environment takes so long, the return would seem extremely poor to a sheer numbers-based evaluation.
However, if the value of said product is measured by the actions taken to mitigate a major security event, the extra time spent executing on a few major items rather than not executing on a large number of items becomes invaluable to the business. As such, we must blend together the quantitative metrics such as the costs of a solution (capex & opex) and incident levels, and overlay those values with qualitative insight. These evaluation criteria would look something like the below:
In the coming months we are going to delve into the economics of security in greater detail. Whilst there are many tools out there discussing security process, and ROI tools showing generic return, we all have limited budget and resources. As the scale and scope of security tools continue to grow, we must innovate our thinking in how we each quantify the value of our investments.
Posted: 17 Apr 2014 | 1:00 am
On 11/04/14 At 09:53 AM
Posted: 10 Apr 2014 | 11:54 pm
The “8×8” script I’m referring to includes a link that looks like this:
And can be detected using a regular expression that looks something like this:
One set of links redirects users to social engineering scams (e.g. a fake Adobe Flash Player update) that I wrote about earlier. Another set redirects users to Infinity EK (aka “RedKit”, “GoonEK”).
First, let’s see what this drive-by looks like from the user’s perspective.
The user visits a website that’s been compromised. On one of the webpages, there’s a script whose filename contains eight random characters followed by an ID value of eight digits (i.e. the “8×8” script).
The user is then redirected to another legitimate website that’s been previously compromised. This site serves up a script that leads to another site.
This site is also legitimate and compromised. It houses the Infinity Exploit Pack script which tries to exploit the user’s browser.
This is what the deobfuscated version of the landing page looks like. If the exploit is successful, there’s a request for the malicious payload file back to the same site.
Infinity has an arsenal that includes two Java, two MSIE, Flash, and Silverlight exploits. The author(s) have been adding updates to their arsenal as well as modifying the links and infrastructure since the last time I analyzed it as RedKit v2.0.
Now let’s look at what’s happening behind the scenes. A webmaster provided me with suspicious files from his compromised website after I informed him his site was redirecting users to a drive-by. (I promised I would not reveal his site name so I redacted and/or modified the following screens.)
Turns out his site was compromised two different times. The first time, the attacker modified at least one HTML page and inserted the following script tags:
Sometime later, the/another attacker modified the index.php file and inserted a PHP script that would download content from another website.
Running this script makes a request to a backend server and produces a seemingly endless number of new links:
I was very fortunate that the compromised website had both the infected index.php file and the 8×8 script on his server. The link above leads to a PHP script on another site but I’m pretty certain it’s the same as the one below (which is also the same as the one I wrote about earlier).
Deobfuscating the script is no longer a chore so I can extract the contents of the encrypted config string.
Running it produces the TDS IP, key, and other information:
So this is what’s going on…
Here’s a series of packets showing this:
The scripts are all the same and therefore appear to be the work of the same gang behind RedKit v2, Box Fraud, Goon EK, and Infinity.
Posted: 6 Apr 2014 | 10:40 pm
Every single day our automated systems analyze hundreds of thousands of malicious samples. Yesterday one of the samples caught my attention because the malware started performing brute-force attacks against Remote Desktop using certain usernames and passwords.
Other similar samples:
Once started, the malware copies itself to \Documents and Settings\Administrator\Application Data\lsacs.exe and starts communicating with the C&C, sending data about the status of the bot (number of hosts brute-forced, packets per second, number of threads, version, etc.).
and the server replies with a configuration block containing:
- Login/Password list to use during bruteforcing
- List of IP Addresses to attack
- Number of threads to use
As you can see, some of the usernames/passwords they are using (pos, pos1, pos01, shop, station, hotel, atm, atm1, micros, microssvc) are the default ones commonly used in Point of Sale terminals by retailers and businesses all around the world.
The control panel of the botnet is also hosted on the same server:
This is not new; we know cybercriminals have been using this technique to compromise Point of Sale systems for years. Once they gain access to the terminal using one of the default credentials, they upload a second-stage payload commonly known as a memory scraper: a piece of malware that searches for credit card data in memory before it has been encrypted. Some examples are:
These pieces of malware are able to extract the credit card data from the terminal and exfiltrate it to the attackers, who will then sell the information on the black market.
When it comes to detecting an infected system in your network, this is how our AlienVault Unified Security Management (USM) detects a compromised asset:
USM is able to detect both the communication with the C&C server and the network activity generated when the malware performs brute-force attacks against devices on the Internet. It is worth mentioning that the C&C server IP address was already in our Open Threat Exchange database, and the correlation engine used that information to generate an alarm about a system compromise.
If you want to try it yourself, you can download our Open Source SIEM, OSSIM, or the free 30-day trial of AlienVault Unified Security Management (USM).
We have shown how these threats can impact companies using Point Of Sale terminals, especially those retailers and small and medium businesses that don't have visibility into the systems that are part of their networks and handle credit card information.
Some recommendations to protect against these kinds of attacks are:
- Change default credentials of POS systems
- Configure an access control list
- Keep your software up-to-date
- Install an Antivirus solution
- Centralize and monitor the logs from your POS systems to detect potential security breaches
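The two detections described above (contact with a known C&C address, and one internal host opening RDP to many Internet addresses in a short window) can be reproduced over centralized logs with a few lines of scripting. The following is an added example, not AlienVault's or USM's code; the CSV connection records and the indicator address are constructed for the demonstration, and the 5-targets-per-minute threshold is an assumed tuning value.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection log in CSV form, standing in for firewall/flow records.
# 10.0.0.5 behaves like the lsacs.exe bot described above; 10.0.0.9 is normal.
SAMPLE_LOG = """ts,src_ip,dst_ip,dst_port
2014-04-06T10:00:01,10.0.0.5,203.0.113.77,8080
2014-04-06T10:00:02,10.0.0.5,198.51.100.11,3389
2014-04-06T10:00:02,10.0.0.5,198.51.100.12,3389
2014-04-06T10:00:03,10.0.0.5,198.51.100.13,3389
2014-04-06T10:00:03,10.0.0.5,198.51.100.14,3389
2014-04-06T10:00:04,10.0.0.5,198.51.100.15,3389
2014-04-06T10:00:04,10.0.0.5,198.51.100.16,3389
2014-04-06T10:00:05,10.0.0.9,192.0.2.10,443
2014-04-06T10:00:06,10.0.0.9,192.0.2.10,443
2014-04-06T10:05:00,10.0.0.9,198.51.100.20,3389
"""

# Constructed indicator set standing in for an OTX-style C&C feed (documentation
# address, not a real IoC).
KNOWN_C2 = {"203.0.113.77"}
RDP_PORT = "3389"

def parse_log(text):
    """Read the CSV records and convert the timestamp column to datetime."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%S")
    return rows

def detect_c2_contact(rows, indicators=KNOWN_C2):
    """Any outbound connection to a listed C&C address is a compromise alarm."""
    return sorted({(r["src_ip"], r["dst_ip"]) for r in rows if r["dst_ip"] in indicators})

def detect_rdp_sweep(rows, min_targets=5, window=timedelta(seconds=60)):
    """Flag sources that open RDP to at least min_targets distinct hosts inside
    one sliding window; returns {src_ip: largest distinct-target count seen}."""
    per_src = defaultdict(list)
    for r in rows:
        if r["dst_port"] == RDP_PORT:
            per_src[r["src_ip"]].append((r["ts"], r["dst_ip"]))
    alarms = {}
    for src, events in per_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                       # slide the window forward
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= min_targets:
                alarms[src] = max(alarms.get(src, 0), len(targets))
    return alarms

def analyze(text):
    rows = parse_log(text)
    return {"c2": detect_c2_contact(rows), "rdp_sweep": detect_rdp_sweep(rows)}

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the sample data the bot host is reported once for the C&C contact and once for sweeping six RDP targets within a few seconds, while the single RDP connection from 10.0.0.9 stays below the threshold.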
Posted: 11 Mar 2014 | 2:34 am
Posted: 4 Feb 2014 | 6:48 pm
Cyber Engineering Services Announces the Cyber Red List, Industries That Have Been Cyber Walloped Since 2010
– List Highlights Smaller Defense Supply Chain Partners, Legal Counsel and Public Relations/Advertising as Major Targets for Cyber Attacks –
COLUMBIA, MD – May 7, 2013 – Based on its observation of thousands of cyber attacks over the 30 months since its founding, Cyber Engineering Services today announced the launch of the Cyber Red List. Developed using the company’s proprietary technology that enables Cyber Engineering Services to identify cyber attacks in progress, the Cyber Red List details the industries that have been hardest hit by cyber attacks since November 2010, and identifies accompanying environmental indicators that place organizations at a higher level of risk.
“Size doesn’t matter when you’re looking at cyber attack victim commonalities; the kind of data you have does,” commented Joseph Drissel, CEO of Cyber Engineering Services and former acting chief of the Department of Defense Computer Forensics Lab cyber intrusions section. “Based on what we’ve read in the news lately, it would be easy for companies with revenues of $1 billion and under to get the false impression that only the big contractors, the news organizations, and companies that are involved in Chinese diplomacy are targets. The Cyber Red List shows that what motivates the adversary is the kind of information you deal in and have access to – weapons, communications, energy, policy, and research – and often the smaller companies don’t have the resources in place to effectively seal their networks. We help them get the same level of data protection as the big guys.”
Cyber Engineering Services is an information security company with heavy experience in forensics analysis, reverse engineering and malware arenas focusing on what is known as the Advanced Persistent Threat (APT). Its proprietary technology, called Legal Non-Invasive Malware Exploitation technique (LNIME), provides the company substantial insight into the malicious activities of cyber adversaries. Cyber Engineering Services works on behalf of its clients to:
• Identify, in real time, when a cyber attack is happening,
• Stop an attack before critical data is lost,
• See live command-and-control keystrokes of the adversary, and
• Engage with the adversary to regain control of networks.
“A huge volume of our country’s intellectual property is owned by companies that supply or collaborate with large contractors or government agencies, yet what is most alarming is that many of these companies don’t have the cyber security infrastructure that their larger, better-funded counterparts do,” Drissel went on to say. “The smaller players not only have the most to lose in terms of IP and valuation, but the potential implications for national and international safety, security, health and well-being are vast. All it takes is one hole in the network to result in a massive data loss. We identify and then plug those holes to keep the bad guys out and seal data in.”
For media inquiries, contact: Media@CyberEngineeringServices.com.
Cyber Engineering Services has observed cyber attacks in thousands of networks since the company’s inception in November 2010, many of which resulted in significant data losses for the compromised companies. The following is a snapshot of industries that were most targeted based on the data gathered through Cyber Engineering Services Legal Non-Invasive Malware Exploitation (LNIME) technique. The vast majority of compromises took place in organizations with revenues of less than $1 billion USD annually.
TOP TARGETED INDUSTRIES
1. Defense, Homeland Security, International Security including unmanned aerial vehicles (UAV), satellite communications, aerospace and military communications, rocket and propulsion systems, and radar systems.
2. Critical infrastructure including energy, oil, gas, transportation, banking, and telecommunications.
3. Sensitive data exchange environments including law firms, public relations and advertising agencies whose clients do business in energy, oil, transportation, communications, and defense.
4. Long-term policy information including from lawmakers, think tanks, diplomatic and policy organizations.
5. Research and Development-focused industries including laboratories, pharmaceutical and medical facilities.
Additionally, the following environmental indicators were present in cyber attacks among the targeted industries:
1. Where data is shared electronically via email, the internet, on a smartphone or other handheld device;
2. Where the Advanced Persistent Threat or competitor could degrade or otherwise manipulate data to source, duplicate, transport, purchase, sell, manufacture or supply a product or service through alternate means;
3. Where there is a global nexus.
Due to the highly sensitive nature of the data that was breached in these attacks – inclusive of data protected under the International Traffic in Arms Regulations (ITAR) – Cyber Engineering Services does not disclose the names of the victims or the technical information that was stolen. Cyber Engineering Services has reported these incidents directly to the victims, as well as followed established protocols to report to the government agencies that oversee these functions.
ABOUT THE CYBER RED LIST
Cyber Engineering Services, an information security company with heavy experience in forensics analysis, reverse engineering and malware arenas focusing on what is known as the Advanced Persistent Threat (APT), compiled the Cyber Red List to raise awareness among victim organizations – especially smaller organizations, often with fewer cyber security resources – of the need to protect mission- and operation-critical data assets from cyber attacks. Cyber Engineering Services’ team of experts works with clients to control their networks and protect their most valued data assets using unrivaled technical skills, investigative curiosity and tenacity to prevail. For more information, contact Media@CyberEngineeringServices.com.
# # #
Posted: 6 May 2013 | 8:21 pm