Crime

security collaborationThe escalation of high-profile hacking and data dumps recently has underscored the increasing boldness of digital threat actors, culminating in July’s Democratic National Committee email leak and its ripple effect through American politics. The group behind the hack and its attack patterns were known, and yet the attack was not thwarted, leaving many questions as to the overall state of the Internet’s security.

The dangers in cyberspace in 2017 will only increase – most likely with even more sophisticated attacks such as advanced IoT DDoS invasions and ransomware campaigns, not to mention sensitive data hacks with a variety of end goals – from stealing our most critical corporate and personal data to stealing elections.

Standard security solutions don’t seem to be working. What, if anything, can be done?

State sponsored actors as well as criminal bodies seem to have unlimited resources and extremely high levels of coordination at their disposal to carry out their pernicious attacks. But defense against cyberattacks has been characterized by a lack of collaboration within the cybersecurity community.

Moving forward, this will have to change. Cyber defenders should take a page out of the enemy’s playbook. Crowd intelligence will need to be organized and harnessed as a major tactic to improve security strategies against growing threats. Just as cyber attackers collaborate and share their attack techniques and latest methods with each other, cyber defenders should do the same with best defense practices. Cyber criminals are actually generous with each other – they welcome collaboration within their community, symbiotically enhancing each other’s methods and techniques. Shouldn’t we ‘good guys’ be doing the same?

Sure, some info-sharing databases for cybersecurity experts do exist, such as open virus databases allowing for searching and sharing of malware samples to facilitate the detection of viruses, and updated reputation sources which share information about sites associated with malware infection, phishing campaigns, and the like. But almost all of these collaborative projects focus on sharing attack-side information like specific vulnerabilities, attack techniques, or specific intrusion patterns. Sharing this kind of information is basically useless, as it takes too long for security experts to analyze the threat information, plan a defense strategy, and then deploy it.

What could be quite effective in meeting these kill chains head-on are detection solutions in the form of security orchestration models – but currently, there is no forum within the security community for creating and sharing these models. The lack of preventative collaboration is a gaping hole in the security industry which must be rectified. State actors and organized crime are just that – organized. We, the protectors, are not.

Multiple security technologies are involved in protecting against advanced attack campaigns – network security, endpoint security, threat intelligence, etc. All of these must work in synch and must be activated in the correct sequence to provide maximum protection against increasingly sophisticated threats. We need our own “generals” coordinating our security arsenal, orchestrating our battles and rallying the cyber troops.

The industry must learn to pool its resources better and develop the ability to share preemptive avenues of detection, investigation, and mitigation of advanced attack campaigns. No existing forum allows security experts to write orchestration models (which define the defense strategies) and share them with each other for collaboration and communal enhancement.

What’s needed is a platform through which the cybersecurity community can create and share vendor-neutral security orchestration models (defense strategies) which can then be internally rated by community members and updated as needed, rendering them ready for adaptation by organizations – no matter which security products they use.

If an organization is lacking a security function that the model requires, the organization can be alerted and the gap filled. Orchestration models can also be created for specific verticals and tailored to the needs of specific organization types such as banks, retail, healthcare, or critical infrastructure, for example, or developed to specifically combat known hacker groups and their attack patterns, or both.

Hacking organizations have been alarmingly successful in the scope of their attacks over the last couple of years, and they are becoming bolder, more technically proficient, and better organized, creating an air of cyber unease which has left much of the Western world unsettled. But we are far from raising the white flag to the black hats. Taking the right steps to form expert communities and impart our accumulated knowledge and innovations to preemptively combat the cyber scourge could eventually put them out of business – we just need to learn to share more effectively than they do.


Help Net Security

Security remains top of mind as over 70 per cent of consumers noted they always think about their security/privacy when shopping online, according to Centrify. Unfortunately, despite the changing attitudes towards security, some consumers are still making basic security faux pas online.

security faux pas

Password hygiene is also a continuing problem when shopping online. Nearly 14 per cent admitted that they share passwords with friends and family so they can login to their accounts, whilst over 50 per cent said they save them to the retailer’s websites so as not to forget them. Over half also said that they only sometimes use different passwords for different retailer’s websites.

Most concerning is that one in eight said they would accept discounts and special offers from retailers in exchange for their passwords, highlighting the risks consumers are willing to take in order to save money online.

83 per cent would sometimes, or never, check the security and privacy terms and conditions of the retailer, leaving them wide open to hacking and data theft if shopping with an unknown or untrusted retailer.

On top of this, more than a fifth would still not ensure there is a secure padlock icon in the browser before making their purchases, and 27 per cent said they would only do this on some occasions.

With Black Friday around the corner and the Christmas shopping season well under way for most, frugal shoppers need to consider their online safety before making any purchases.

Centrify offers ten tips for consumers when shopping online:

  • Always shop with reputable sellers, and be cautious when entering URLs. A misspelled domain, or non-‘https’ site could land you on a false site designed to steal your information
  • Ensure you read the site’s privacy policy to understand how and where your personal information is being used. Lack of an easily visible privacy policy should be a red flag to using that site
  • Be suspicious of links in unsolicited emails – always type the link directly into your browser, do not click on them within the email. Hovering over the links should highlight if the link is unsafe, as you would notice the link underneath may be different to the text
  • Deals that appear too good to be true often are, so treat them with even more caution
  • If an online retailer requests extra personal information, such as a password for your email or bank account as part of the shopping process, do not enter them
  • Secure mobile phones if you plan to use them for shopping by enabling security features such as passwords and encryption
  • Always use different, long, and complex passwords (or passphrases) for each site. If you don’t, and a hacker steals your password for one account they will have free rein over the others! This would have devastating consequences on sites that have your personal and credit card information
  • Enable multi-factor authentication where possible. This involves combining two or more different ‘factors’ for extra security when logging in – such as something an individual has (like an ATM card or smart card), something a user is (such as a biometric characteristic like a fingerprint or retina scan) or something the user knows, like a password
  • Passwords are not meant to be shared. Never give out your passwords online, on the phone or even to friends or family
  • Do not store passwords. Many browsers, programs, or web applications will offer to store your password for you so you only have to enter the password once and never again. While seemingly a convenient option, it is a bad idea to store passwords associated with personal or financial accounts. This is especially true if you use public or shared computers.


Help Net Security

The recently spotted Telecrypt ransomware can be thwarted: malware analyst Nathan Scott has created a tool that decrypts the encrypted files.

Telecrypt Decryptor

Telecrypt Decryptor works only if the affected user has .NET 4.0 and above (every Windows version since Windows XP has it by default), and if he or she has at least one of the encrypted files in unencrypted form. It also needs to be run from an Administrator account.

The tool comes with instructions and a warning: don’t use it if you haven’t been infected with this particular ransomware, as it could corrupt some of your files.

About Telecrypt

Telecrypt was first spotted a few weeks ago, targeting Russian-speaking users.

Its specificity is that it uses Telegram’s communication protocol to deliver the decryption key to the crooks and, in general, to keep in touch with them.

The message it shows puts the ransom at 5,000 rubles (around 78 USD), and the crooks thank the victims for helping the “Young Programmers Fund.”

“Telecrypt will generate a random string to encrypt the files that is between 10-20 length and only contain the letters vo, pr, bm, xu, zt, dq,” Malwarebytes explained.

“[It] encrypts files by looping through them a SINGLE byte at a time, and then simply adding a byte from the key in order. This simple encryption method allows a decryption application to be made.”

Telecrypt is distributed in the form of an executable, via spam emails, exploits, and drive-by download schemes.

It encrypts a wide variety of files and, depending on its configuration, it either adds the extension ‘.Xcri’ to the encrypted files or leaves it unchanged.


Help Net Security

For the sixth year in a row, Internet freedom is declining.

According to the latest Freedom on the Net report, 67 percent of all Internet users now live in countries where online criticism of the government, ruling family or the military is subjected to censorship, and such activity can result in individuals getting arrested.

Blocking social media apps

Also, more governments have come to realize the power of social media and messaging apps, and are actively trying to censor them or prevent their use, particularly during anti-government protests, but also because they help thwart their surveillance efforts.

“The increased controls show the importance of social media and online communication for advancing political freedom and social justice. It is no coincidence that the tools at the center of the current crackdown have been widely used to hold governments accountable and facilitate uncensored conversations,” says Freedom House, the NGO that compiled the report that focuses on developments that occurred between June 2015 and May 2016.

“Authorities in several countries have even resorted to shutting down all internet access at politically contentious times.”

The “problem” with some communication apps is that they encrypt the exchanges, but it’s interesting to note that the use of some online voice and video calling apps is being blocked or restricted in a number of countries, mainly because they eat away at the profit margins of national telecommunications firms.

The range of censored online content is also expanding, and includes news outlets that favor political opposition, sites that launch calls for protest, sites expounding LGBTI issues, and images.

China, Syria, Iran, Ethiopia and Uzbekistan lead the pack of countries with the smallest amount of Internet freedom. On the other end of the spectrum are Estonia, Iceland, Canada, the US, and Germany.

State of Internet freedom around the world

“Of the 65 countries assessed, 34 have been on a negative trajectory since June 2015. The steepest declines were in Uganda, Bangladesh, Cambodia, Ecuador, and Libya,” Freedom House noted.

“In Uganda, the government made a concerted effort to restrict internet freedom in the run-up to the presidential election and inauguration in the first half of 2016, blocking social media platforms and communication services such as Facebook, Twitter, and WhatsApp for several days. In Bangladesh, Islamist extremists claimed responsibility for the murders of a blogger and the founder of an LGBTI magazine with a community of online supporters. And Cambodia passed an overly broad telecommunications law that put the industry under government control, to the detriment of service providers and user privacy. Separately, Cambodian police arrested several people for their Facebook posts, including one about a border dispute with Vietnam.”

While there have been improvements in 14 other countries, they are small, and not always the result of positive government actions.

The tug of war between protestors, digital activists, and companies offering social media services and communication apps on one side, and a wide variety of governments on the other continues.


Help Net Security

efficient cyber investigationsMany organizations today are not equipped to defend against traditional cyberattacks, as demonstrated by the ever-increasing numbers of successful breaches reported daily – the Privacy Rights Clearinghouse’s latest number is 900,875,242 records breached in 5,165 attacks over the past decade – and that’s U.S. only.

Even the largest companies appear to be less equipped to deal with more sophisticated cyberattacks, like the latest IoT-based Mirai DDoS attack or the attacks detected months or years after the initial breach, such as the Yahoo and Dropbox attacks.

Inundated by alerts, analysts lack the automated and intelligence-driven processes to hone in on attacks across the kill chain and breaches continue far too long. To address this fundamental mismatch, organizations need a new perspective on the way they detect and respond to attacks.

Like police investigations in the real world, every cyber investigation starts with a lead upon which a hypothesis is built. As more evidence is gathered in the field, the case continues to build until investigators can confirm or refute the direction of the investigation. This process is iterative until a conclusion is reached, and it must be thoroughly documented for future reference. This same process needs to be followed when investigating a cyberattack.

Organizations can improve their detection, investigation and response processes and enable analysts to hone in on and stop cyberattacks more efficiently with these simple steps.

Automate where it hurts the most

To really make a difference, saving time and resources, you need to automate the time-consuming analysis and investigation stages and not just the response. By automating the collection and analysis of leads across your security infrastructure, you can reduce the number of alerts and confirm real incidents worthy of investigation. Not only will this alleviate alert overload, it sharpens the skill set of less experienced analysts and frees senior analysts to let them focus on the complex, sophisticated attacks where human judgment is required.

Document everything to show the evidence and the rationale

Documentation is essential to presenting the chronology and context of an event, including situational and environmental information, such as initial findings, areas affected and evidence to support the incident storyline. Particularly in automated investigations using machine-based analysis, it is critical to document what decisions were made during the investigation process and why. Visualization tools create representative pictures that “connect the dots,” ensuring that analysts get a complete picture without missing critical details.

This information is important when a complex incident is handed off for manual investigation as well as scenarios where an investigation is passed from one analyst to another. With all evidence fully documented, security teams are better equipped to make decisions, conduct shift handover, and create managerial reports.

Combine the strengths of humans and machines

Machine-based analysis is essential for productivity and allowing professionals to focus their skills on the more complex tasks where human experience and intuition is needed. Machines can be built to simulate the way humans investigate – automatically take a lead and confirm or refute it by gathering intelligence from multiple sensors. Once the machine has collected all the relevant pieces of evidence and automatically pieced them together into an incident, humans can use their judgment to add new leads and evidence to the incident. In a continuous, self-learning process, this new evidence can be fed back into the machine, which applies it to past and future analyses to improve threat detection.

Collect the right information

Savvy attackers use multiple methods and vectors – such as malware, phishing and social engineering – to reach their targets. They study your network topology and find the weak points in your defenses. To address this challenge, your security coverage needs to consider multiple elements including network topology, attack chain and IT assets. Whether your organization has one central site or multiple campuses, you need visibility into traffic coming into each site and among sites using a variety of attack vectors.

In terms of the attack chain, it’s becoming increasingly difficult to detect attacks at the perimeter due to the many ways in. Therefore, you need to be able to identify and verify indicators of compromise across the attack chain through detection of lateral movement and command and control communications. Your IT assets, such as endpoints, servers and files, should also be protected using endpoint analytics and forensics.

Create unified workflows and a seamless investigation workspace

Once all the evidence has been gathered from multiple sensors across your network, it needs to be brought together and presented to the investigator in a coherent and logical manner designed for attack representation. Unified workflows and a single workspace enable analysts to access information from every sensor and perform network and endpoint forensics as needed to build the attack story.

Use machines to model how attackers operate and simulate the way analysts investigate

The key to boosting the efficiency of cyber analysts is to provide them with better insight into raw data to simplify the decision-making process. Start by modeling an attack – the attack surface, the attack components, steps, methods, technology – and how all those might be linked into an attack operation. Then focus on the human investigation workflow so you can mimic it properly and scale it up with accuracy. For example, how to dissect leads into individual pieces of forensic information that can be fused, correlated, triaged and connected into an incident view or how to decide which forensic query option is the best next step at each point in the investigation flow. Then you need to figure out how to interpret and apply the results.

Holistically applying these principles to design, implementation, data modeling, APIs, user interfaces and other components will result in a purpose-built, mission-centric defense system that makes your analysts more effective and productive.

The time has come for a new approach to cyber defense – let the automated system do the heavy lifting, and then empower your analysts to use their intuition and experience to stop the attacks in their tracks.


Help Net Security

A criminal group dubbed Cobalt is behind synchronized ATM heists that saw machines across Europe, CIS countries (including Russia), and Malaysia being raided simultaneously, in the span of a few hours. The group has been active since June 2016, and their latest attacks happened in July and August.

Cobalt hackers are behind synchronized ATM heists

Setup and execution of the attacks

The group sent out spear-phishing emails – purportedly sent by the European Central Bank, the ATM maker Wincor Nixdorf, or other banks – to the target banks’ employees. The emails delivered attachments containing an exploit for an MS Office vulnerability.

“If the vulnerability is successfully exploited, the malicious module will inject a payload named Beacon into memory. Beacon is a part of Cobalt Strike, which is a multifunctional framework designed to perform penetration testing. The tool enables perpetrators to deliver the payload to the attacked machine and control it,” the researchers explained in a recently released paper.

Additional methods and exploits were used to assure persistence in the targeted machines, to gain domain administrator privileges, and ultimately to obtain access to the domain controller. From that vantage point, they were able to obtain Windows credentials for all client sessions by using the open source Mimikatz tool.

The attackers would ultimately gain control over a number of computers inside the bank’s local network. Some of them are connected to the Internet, and others not, but the latter would receive instructions from the central Cobalt Strike console through the former.

“After the local network and domain are successfully compromised, the attackers can use legitimate channels to remotely access the bank, for example, by connecting to terminal servers or via VPN acting as an administrator or a standard user,” the researchers noted. The attacker have also installed a modified version of the TeamViewer remote access tool on the compromised devices, just in case.

Once constant access was assured, the criminals searched for workstations from which they could control ATMs. They would load the ATMs with software that allows them to control cash dispensers.

The final strikes happened in a few hours on the same day, when money mules would go to the targeted ATMs, send an SMS with the code identifying the ATM to a specific phone number, the criminals would make it spit out all the cash, and the mules would leave with it.

Some interesting things about the gang’s capabilities

The Cobalt gang uses a number of legitimate, open and closed source tools – Cobalt Strike (a tool for penetration testing), Mimikatz, SDelete (a free tool available on the Microsoft website that deletes files beyond recovery), and TeamViewer.

“Once an ATM is emptied, the operator launches the SDelete program, which removes les used with a special algorithm, which prevents information from being recovered. Thereafter, the ATM restarts,” the researchers explained. “In addition, operators disable the bank’s internal servers involved in the attack using the MBRkiller malware that removes MBR (master boot record). Such a careful approach significantly complicates further investigation.”

The ATM manipulation software also contains code that allows it to record a log containing information about the banknotes dispensed – the gang obviously does not trust the money mules to correctly report the amount that was stolen from each ATM.

Which banks were hit?

IB Group did not name them, but only noted that they are based in Armenia, Belarus, Bulgaria, Estonia, Georgia, Kyrgyzstan, Moldova, the Netherlands, Poland, Romania, Russia, Spain, the UK and Malaysia.

According to Reuters, Diebold Nixdorf and NCR, the world’s two largest ATM makers, have provided banks with information on how to prevent or at least minimize the impact of these attacks.

It is unknown how much money the group was able to steal.


Help Net Security

Oracle today announced that it has signed an agreement to acquire Dyn, a cloud-based Internet Performance and DNS provider that monitors, controls, and optimizes Internet applications and cloud services.

Oracle buys Dyn

Dyn’s solution is powered by a global network that drives 40 billion traffic optimization decisions daily for more than 3,500 enterprise customers, including preeminent digital brands such as Netflix, Twitter, Pfizer and CNBC.

Adding Dyn’s DNS solution extends the Oracle cloud computing platform and provides enterprise customers with a one-stop shop for Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS).

“Oracle already offers enterprise-class IaaS and PaaS for companies building and running Internet applications and cloud services,” said Thomas Kurian, President, Product Development, Oracle. “Dyn’s immensely scalable and global DNS is a critical core component and a natural extension to our cloud computing platform.”

“Oracle cloud customers will have unique access to Internet performance information that will help them optimize infrastructure costs, maximize application and website-driven revenue, and manage risk,” said Kyle York, Chief Strategy Officer, Dyn. “We are excited to join Oracle and bring even more value to our customers as part of Oracle’s cloud computing platform.”


Help Net Security

If you’re using a cheap Android smartphone manufactured or sold by BLU, Infinix, Doogee, Leagoo, IKU, Beeline or Xolo, you are likely wide open to Man-in-the-Middle attacks that can result in your device being thoroughly compromised.

Android smartphones backdoor

A more detailed (but not complete) list of vulnerable devices can be found in an advisory by CERT/CC.

This discovery comes less than a week after researchers from Kryptowire identified several models of Android mobile devices that contain firmware that collects sensitive data about their owners and secretly transmits it to servers owned by a company named Shanghai Adups Technology Co. Ltd.

Among these mobile devices are also some BLU smartphones.

The origin of the vulnerability (CVE-2016-6564)

Those and other devices (roughly 55 device models) are open to attack because they sport the same firmware by Chinese software company Ragentek Group.

This firmware contains a binary that is responsible for enabling over-the-air (OTA) software updating, but unfortunately the mechanism is flawed.

For one, the update requests and supplied updates are sent over an unencrypted channel. Secondly, until a few days ago, two Internet domains that the firmware is instructed to contact for updates (the addresses are hardwired into it) were unregistered – meaning anybody could have registered them and delivered malicious updates and commands to compromise the devices.

Luckily, it was researchers from Anubis Networks that did it, and the move allowed them clock over 2.8 million devices that contacted the domains in search for updates. Many of these devices are located in the US, as most of the models are sold by Best Buy and Amazon.

But even though the domains are now owned by these security companies, the fact that updates are delivered over an unencrypted channel allows attackers with a MitM position to intercept legitimate updates and exchange them for malicious ones (the firmware does not check for any signatures to assure the updates’ legitimacy).

MitM attackers could also send responses that would make the devices execute arbitrary commands as root, install applications, or update configurations.

Is this a deliberate backdoor/rootkit?

It does seem so. According to the researchers, the binary that performs OTA update checks – debugs, in the /system/bin/ folder – runs with root privileges, but its presence and the process it starts are being actively hidden by the firmware.

“It’s unclear why the author of this process wanted to purposely hide the presence of the process and local database on the device, although it’s worth noting that it did not attempt to do this comprehensively,” they researchers noted.

But they told Ars Technica that believe the backdoor capabilities were unintentional, and Ragentek is yet to comment on the discovery.

How to protect yourself?

If you’re using one of the affected devices, the right solution is to implement an update with the fix – when it becomes available. But make sure to download the update only over trusted networks and/or use a VPN to encrypt and protect the traffic from tampering.

So far, only BLU has released such an update, but the fix has not yet been checked.

A workaround that should keep you safe until a security update includes using your device only on trusted networks (eg. your home network, as opposed to open or public Wi-Fi).


Help Net Security

Michigan State University has announced on Friday that a university server and a database containing information on some 400,000 faculty, staff and students has been accessed by a unauthorised third party.

Michigan State University breach

The database contains names, social security numbers, MSU identification numbers, and in some cases, date of birth of faculty, staff and students who were employed by MSU between 1970 and Nov. 13, 2016, and students who attended MSU between 1991 and 2016.

“MSU’s Information Technology team rapidly determined the cause and nature of the breach, and the MSU Police Department is working diligently with federal law enforcement partners to investigate the crime,” the university said.

The database in question was taken offline in less than 24 hours after it was breached by the attacker, but not quickly enough to prevent him or her to access records of 449 individuals.

The university has already notified affected parties, and has offered them two years of identity theft protection, fraud recovery, and credit monitoring services, for free.

They also made sure to note that the database did not contain passwords, financial, academic, contact, gift or health information.

The breach happened on November 13.

Michigan State University spokesman Jason Cody told News 10 that the hacker(s) demanded money for the stolen information, but that the university did not pay.


Help Net Security

Fortinet researcher Kai Lu warns of a fake email app that is capable of stealing login credentials from 15 different mobile banking apps for German banks.

android banking malware masquerading

“Once this malicious app is installed and device administrator rights are granted, when the user first launches a targeted banking app the malicious app sends a request via HTTPS to its C2 server to get the payload. The C2 server then responds with a fake customized login webpage, and the malicious app displays this fake customized login screen overlay on top of the legitimate banking app to collect entered banking credentials,” he explains.

“There is a different customized login screen for each bank targeted by this malware.”

The malware hides the icon from the launcher once the malware is up and running, and victims might be tricked into believing that they have somehow failed to install the app.

But, in the background, the malware tries to prevent some 30 different anti-virus mobile apps from launching, collects information about the device (as well as the “installed app” list) and sends it to the C&C server, and waits for further instructions.

It can be made to intercept incoming SMS messages, send out mass text messages, update the targeted app list, set a new password for the device, and more.

At the moment, it does not pop overlays to steal credit card info (e.g. when the Google Play or PayPal app is started), but that can soon change.

The researcher says that to remove the app, victims must first disable the malware’s device administrator rights in Settings > Security > Device administrators > Device Admin > Deactivate, then uninstall the malware via ADB (Android Debug Bridge) by using the command ‘adb uninstall [packagename]’. Tech-unsavvy users might want to ask for help with that last step from friends and family who know how to do that.

Lu also recently analyzed another piece of malware that masquerades as an unnamed German mobile banking app. This one also targets five banks in Austria, as well as Google Play (asks users to input credit card info when they start the app).

This particular malware also comes in the form of a fake Flash Player app, and is after credit card info of users of several popular social media apps (Instagram, Skype, WhatsApp, Facebook, etc.).


Help Net Security