Two malware instances have converted numbers to words in a novel attempt to cloak the IP addresses of command and control servers.…
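A defender-side decoder for this cloaking trick, added here as an example (not code from the article or from the samples it refers to). The article does not say how the samples spelled the numbers, so the decoder assumes two plausible encodings: one word per digit ("one nine two dot ...") and whole octets in English ("one hundred ninety-two dot ..."); every function name is mine.

```python
import re

# Number words the decoder understands (assumption: plain English, "dot"
# or "point" between octets, hyphens allowed in compounds like "ninety-two").
_UNITS = {w: i for i, w in enumerate(
    "zero one two three four five six seven eight nine ten eleven twelve "
    "thirteen fourteen fifteen sixteen seventeen eighteen nineteen".split())}
_TENS = {w: 10 * i for i, w in enumerate(
    "_ _ twenty thirty forty fifty sixty seventy eighty ninety".split()) if i > 1}

def words_to_int(words):
    """['one', 'nine', 'two'] -> 192 (digit run);
    ['one', 'hundred', 'ninety', 'two'] -> 192 (spoken number); None if unparseable."""
    if len(words) > 1 and all(w in _UNITS and _UNITS[w] < 10 for w in words):
        return int("".join(str(_UNITS[w]) for w in words))   # per-digit encoding
    total = 0
    for w in words:
        if w == "hundred":
            total = (total or 1) * 100
        elif w in _TENS:
            total += _TENS[w]
        elif w in _UNITS:
            total += _UNITS[w]
        else:
            return None                                        # not a number word
    return total

def decode_ip_words(text):
    """Return the dotted-quad string if `text` is an IPv4 address spelled out in
    words, else None. Rejects anything that is not exactly four octets in 0..255,
    so ordinary sentences containing 'dot' do not produce false hits."""
    octets = re.split(r"\s*\b(?:dot|point)\b\s*",
                      text.strip().lower().replace("-", " "))
    if len(octets) != 4:
        return None
    values = [words_to_int(o.split()) for o in octets]
    if any(v is None or not 0 <= v <= 255 for v in values):
        return None
    return ".".join(str(v) for v in values)

if __name__ == "__main__":
    # Constructed sample strings, as they might appear in `strings` output.
    for s in ("one nine two dot one six eight dot zero dot one",
              "ten dot zero dot zero dot two hundred fifty-five",
              "this is not an address dot com"):
        print(repr(s), "->", decode_ip_words(s))
```

Run it over the string table of a suspect sample; any line that decodes to a valid address is worth treating as a possible C2 indicator and checking against the sample's network behaviour.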
Posted: 28 Sep 2016 | 11:18 pm
Posted: 28 Sep 2016 | 8:59 am
Yahoo announced on Thursday that the account information of at least 500 million users was stolen by hackers two years ago, in the biggest known intrusion of one company’s computer network.
In a statement, Yahoo said user information — including names, email addresses, telephone numbers, birth dates, encrypted passwords and, in some cases, security questions — was compromised in 2014 by what it believed was a “state-sponsored actor.”
While Yahoo did not name the country involved, how the company discovered the hack nearly two years after the fact offered a glimpse at the complicated and mysterious world of the underground web.
The hack of Yahoo, still one of the internet’s busiest sites with one billion monthly users, also has far-reaching implications for both consumers and one of America’s largest companies, Verizon Communications, which is in the process of acquiring Yahoo for $4.8 billion. Yahoo Mail is one of the oldest free email services, and many users have built their digital identities around it, from their bank accounts to photo albums and even medical information.
Changing Yahoo passwords will be just the start for many users. They’ll also have to comb through other services to make sure passwords used on those sites aren’t too similar to what they were using on Yahoo. And if they weren’t doing so already, they’ll have to treat everything they receive online with an abundance of suspicion, in case hackers are trying to trick them out of even more information.
The company said as much in an email to users that warned it was invalidating existing security questions — things like your mother’s maiden name or the name of the street you grew up on — and asked users to change their passwords. Yahoo also said it was working with law enforcement in their investigation and encouraged people to change up the security on other online accounts and monitor those accounts for suspicious activity as well.
“The stolen Yahoo data is critical because it not only leads to a single system but to users’ connections to their banks, social media profiles, other financial services and users’ friends and family,” said Alex Holden, the founder of Hold Security, which has been tracking the flow of stolen Yahoo credentials on the underground web. “This is one of the biggest breaches of people’s privacy and very far-reaching.”
The post Yahoo Says Hackers Stole Data on 500 Million Users in 2014 appeared first on CyberESI.
Posted: 26 Sep 2016 | 7:58 am
With Stephen Hilt and Philippe Lin
Today, the Trend Micro Forward-Looking Threat Research team released the paper Leaking Beeps: Unencrypted Pager Messages in the Healthcare Industry, our research about a weakness we identified in pager technology. If you are concerned about keeping your health information private, I would highly recommend you read through it. I, for one, was not expecting the findings we made. Pagers are secure, right? We’ve used them for decades, they are hard to monitor, and that’s why some of our most trusted industries use them, including the healthcare sector.
Nope. Wrong. All it took to see hospital information in clear text from hundreds of miles (or kilometers if you are a non-US person like me) away is SDR software and a USB dongle. Frankly, I was stunned. The problem with pagers, like many other technologies, is that they were designed and developed in a bygone era, and very few people go back to check whether current technology has broken the trust we placed in the older one, for instance by making monitoring, accidental or intentional, something any ordinary person can do.
Our team has gathered a lot of really great data analysis of the types of data leakages that were seen during our testing. Here are a few points I would like you to take away from it.
Now remember, this research was done with tools easily purchased from Amazon for less than US$30. This tells us that monitoring is literally within the reach of children, a bored teenager or a criminal mind with a monetary interest. We saw this problem across the globe, including Asia, Europe, and North America, which means it is not an isolated occurrence that we happened to witness in one country or a single organization. It really is a result of a belief in the idea that technology never ages, though some might say this ‘belief’ is, in fact, a form of negligence of the implications of outdated technologies in a new environment.
To learn more about the use of pagers in the healthcare industry and the pitfalls of this usage, see our report Leaking Beeps: Unencrypted Pager Messages in the Healthcare Industry. We talk about the potential ways an attacker might be able to exploit this technology to their advantage and prompt healthcare organizations to re-evaluate the use and maintenance of pagers and consider more secure options. In our paper, we also offer recommendations for best practices in the event that the use of pagers cannot be entirely curbed right away.
Posted: 26 Sep 2016 | 5:15 am
A lot has already been said about current cyber threats facing the owners of ATMs. The reason behind the ever-growing number of attacks on these devices is simple: the overall level of security of modern ATMs often makes them the easiest and fastest way for fraudsters to access the bank’s money. Naturally, the banking industry is reacting to these attacks by implementing a range of security measures, but the threat landscape is continually evolving. In order to prepare banks for what they should expect to see from criminals in the near future, we’ve prepared an overview report of future cyberthreats to ATMs. The report will – we hope – help the industry to better prepare for a new generation of attack tools and techniques.
The report comprises two papers in which we analyze all existing methods of authentication used in ATMs and those expected to be used in the near future, including: contactless authentication through NFC, one-time password authentication and biometric authentication systems, as well as potential vectors of attacks using malware, through to network attacks and attacks on hardware components.
We looked into what is going on underground around these technologies and were surprised to discover that there are twelve manufacturers out there that are already offering fake fingerprint scanners, otherwise known as biometric skimmers. There are also at least three other vendors researching devices that will be able to illegally obtain data from palm vein and iris recognition systems.
This is a major trend, because the problem with biometrics is that, unlike passwords or PIN codes which can be easily modified in the event of compromise, it is impossible to change your fingerprint or iris image. Thus, if your data is compromised once, it won’t be safe to use in the future. That is why it is extremely important to keep such data secure and transmit it in a secure way. Biometric data is also recorded in modern passports – called e-passports – and visas. So, if an attacker steals an e-passport, they not only steal the document, but also that person’s biometric data. As a result they steal a person’s identity.
The biometric data can also be accessed by criminals as a result of hacking into a bank’s infrastructure, which is also a major issue: if you lose the biometric database of your clients it won’t be possible to solve this problem just by recalling compromised payment cards. This is an unrecoverable loss and thus it is a kind of threat that the industry has never experienced before.
In general, network-based attacks against ATMs will be a headache for the security personnel of financial organizations in the coming years simply because, based on our penetration testing experience, the network infrastructure of a bank is very often built in a way that a hacker can exploit to gain access and take control of some critical parts of the network, including the network of ATMs. And this situation is not going to change any time soon, due to many reasons, one of which is the sheer size of financial organizations’ networks and the time-consuming and expensive task of upgrading them.
Nevertheless, by publishing this report we’d like to draw attention to the problem of ATM security now and in the near future, and to speed up the development of a truly secure ecosystem around these devices.
Read the full report here
Read the description of attacks here
Posted: 22 Sep 2016 | 2:57 am
Posted: 23 Aug 2016 | 9:19 pm
The AlienVault Labs team does a lot of malware analysis as a part of their security research. I interviewed a couple members of our Labs team, including Patrick Snyder, Eddie Lee, Peter Ewane and Krishna Kona, to learn more about how they do it.
Here are some of the approaches and tools and techniques they use for reverse engineering malware, which may be helpful to you in your own malware hunting endeavors. Please watch the webcast they did recently with Javvad Malik on reverse engineering malware and hear details and examples of how the Labs team investigated OceanLotus, PowerWare and Linux malware in recent situations.
Now, let’s look at techniques that can be utilized while analyzing malware.
[Screenshot: IDA Pro]
[Screenshot: the file utility]
Generally, when we get a bunch of samples or an archive of samples from an open-source feed, we use the file utility to find out whether a file is an executable (and for which platform: Windows, OS X or Linux), or just a text file or a script.
[Screenshot: Immunity Debugger]
For monitoring the activity on the system, we use system monitor and Regshot.
Sandboxes are another important step in reverse engineering malware, as often there are functionalities malware doesn't exhibit unless it is running in a suitable environment. One sandbox, malwr, comes from the people who built Cuckoo Sandbox. With malwr, you submit a sample and run it inside a VM. You can then run various dynamic analysis tools and static analysis tools referenced above and turn this into a nice, readable report.
[Screenshot: malwr]
[Screenshot: Hybrid-Analysis]
Another major sandbox tool for identifying malware is VirusTotal. VirusTotal is owned by Google, and they arguably have the biggest repository of malware samples and of known file types in general. If you are looking for any particular malware, it typically shows up in VirusTotal.
[Screenshot: VirusTotal]
Another new contender is DeepViz. DeepViz is being developed very actively, with new features on a regular basis. DeepViz functions very similarly to other Sandboxes, but sometimes it is beneficial to submit the same sample to multiple sandboxes to see if the behavior matches up or if it reacts differently.
[Screenshot: DeepViz]
Which brings us to Cuckoo. Cuckoo is a malware analysis system. It contains many different tools, including some of the dynamic and static analysis tools that we mentioned earlier. Also, it is free. While other sandboxes are free, you are sharing your data by using them. If you set up Cuckoo on your own system you can keep everything localized and keep it to yourself, especially if you are analyzing something you don't want the world to know about yet.
[Screenshot: Cuckoo]
Open Threat Exchange (OTX) is another key component we use in malware analysis.
To find out more about OTX there is a documentation center. You can also see information on our forums. There is a section specifically for OTX where you can see pulses. Also, just a few weeks ago we announced some enhancements to the OTX API. If you are a blogger, please note you can now embed pulses. So if you write a blog, you can just simply embed it within so users can read it and directly download the IoCs and other information. Read more.
Connecting OTX to your USM platform helps you to manage risk better and effectively take action on threats. A free trial of AlienVault USM is available.
Posted: 27 Jun 2016 | 8:58 am
Let’s see what these scripts look like:
At the bottom of the script is this function that reverses the string above, joins the characters, then evaluates it:
Since we’re dealing with JScript, we can just do this and capture the result instead of executing it:
Now we get this:
This script employs a lot of nonsense functions that just return exactly what gets sent to them, in an attempt to make it harder to figure out what’s going on.
After I beautify the script and scan through everything, I come across the main function that downloads a file from the Internet. It’s using the familiar AJAX method.
I echo out the URL array to see where the requests are going. There are three URLs it’s attempting to connect to. If the site is up then Locky gets downloaded and executed.
This round of scripts is similar to the ones that were sent before the Locky gang took a break. If you’ve been tracking their scripts, you know that they make a lot of changes to bypass filters, but they are essentially all AJAX downloaders.
Instead of trying to keep up with their constant script variations, I thought, why not use a web proxy? You just run the script in a VM and catch the URLs being called. There are Fiddler, Paros, Burp, etc. that I could use, but I thought I would try to make something more lightweight and portable.
Here’s my take on a web proxy. This program will capture the request from these scripts and drop it so it won’t download the malware from the Internet. This way you can see the URLs and take the necessary action quickly and without having to deobfuscate the script.
When you run URL Revealer (in a VM!), it will automatically set up a proxy server on port 8080 and write the captured URLs to a text file in the app path. You should open up your browser and test it to make sure it’s working properly before executing the script you want to analyze. You should also set your VM’s network adapter to “host-only” while doing this just to be safe.
Here’s what it looks like when I run four recent Locky scripts plus two from the past two weeks:
I killed the wscript process in between runs otherwise the script would just keep going. URL Revealer will ignore repeated hits to the same URL as long as it’s exactly the same as the one before.
When you are done, press
If you run the program from an elevated command line, you can change the proxy port as well as the capture filename.
Over the past several months, I saw four methods used by various scripts to download malware from the Internet – ajax, winhttp, bitsadmin, and powershell. URL Revealer should detect and block the requests for all of these methods. If you encounter a new method, please let me know.
You can get the program here.
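The capture-and-drop proxy idea behind URL Revealer, as an added example in Python (it is not the post’s tool, whose source is not shown here): it listens on 127.0.0.1:8080, logs every request a script sends through it, skips a hit identical to the previous one, and answers 403 without ever forwarding, so the downloader fails. It assumes you have pointed the analysis VM’s proxy setting at that port by hand; the capture file name and all function names are mine.

```python
import sys
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

class UrlLog:
    """Collects captured URLs; a hit identical to the one just before it is
    skipped, matching the de-duplication the post describes."""
    def __init__(self, path=None):
        self.path, self.urls, self._last = path, [], None

    def record(self, url):
        if url == self._last:          # same URL again: the script is retrying
            return False
        self._last = url
        self.urls.append(url)
        if self.path:                  # append to the capture file as we go
            with open(self.path, "a", encoding="utf-8") as fh:
                fh.write(url + "\n")
        return True

def capture_target(method, path, host_header=None):
    """Work out the URL to log for one proxied request. A proxy-style request
    carries an absolute URL in its request line; CONNECT (https) only reveals
    host:port, which is still worth recording."""
    if method == "CONNECT":
        return "CONNECT " + path
    if path.startswith(("http://", "https://")):
        return path
    return "http://%s%s" % (host_header or "unknown-host", path)  # origin-form fallback

LOG = UrlLog("captured_urls.txt")   # assumed file name, written next to the script

class DropHandler(BaseHTTPRequestHandler):
    def _drop(self):
        url = capture_target(self.command, self.path, self.headers.get("Host"))
        if LOG.record(url):
            print("[+] " + url)
        self.send_response(403)        # refuse the request instead of forwarding it
        self.send_header("Content-Length", "0")
        self.end_headers()
    do_GET = do_POST = do_HEAD = do_CONNECT = _drop
    def log_message(self, *args):      # silence the default per-request stderr line
        pass

def serve(port=8080):
    print("capture proxy on 127.0.0.1:%d, URLs go to %s" % (port, LOG.path))
    ThreadingHTTPServer(("127.0.0.1", port), DropHandler).serve_forever()

if __name__ == "__main__":
    serve(int(sys.argv[1]) if len(sys.argv) > 1 else 8080)
```

Downloaders that ignore the system proxy setting (the post names winhttp as a separate method) will not pass through it, which is why the host-only network adapter matters as a second line of defence.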
Posted: 22 Jun 2016 | 7:26 pm