- Cyber -

Last update 09.10.2017 12:44:39

Introduction  List  Kategorie  Subcategory 0  1  2  3  4  5  6



UK Blames North Korea for Cyberattack That Crippled Hospitals
27.10.2017 securityweek  Cyber
Britain on Friday blamed North Korea for a ransomware attack this year that a new report revealed affected a third of English hospitals and could have been prevented with "basic" IT security.

"This attack, we believe quite strongly that it came from a foreign state," Ben Wallace, a junior minister for security, told BBC Radio 4's Today programme.

"North Korea was the state that we believe was involved in this worldwide attack," he said, adding that the government was "as sure as possible".

The WannaCry attack in May infected some 300,000 computers in 150 countries, including in Britain's National Health Service (NHS), Spanish telecoms company Telefonica and US logistics company FedEx.

Britain's National Audit Office revealed the attack had hit NHS England particularly hard, forcing the cancellation of some 19,500 medical appointments.

Computers at 81 hospital groups across England were affected -- a third of the total number of 236.

Some 600 general practitioners were also affected.

The facilities affected were running computer systems -- the majority Windows 7 -- that had not been updated to secure them against attacks, the NAO said.

"It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice," NAO chief Amyas Morse said.

"There are more sophisticated cyber threats out there than WannaCry so the Department (of Health) and the NHS need to get their act together to ensure the NHS is better protected against future attacks," he said.

The report revealed that there had been multiple warnings ahead of the attack about the weakness of IT security in the NHS but that recommendations for security updates were not respected.

Dan Taylor, NHS Digital's head of security said the NHS had "learned a lot" from WannaCry, calling it "an international attack on an unprecedented scale".

Ransomware attacks use a type of malware that encrypts files on an infected computer and demands money to unlock them.

The NAO said no ransom was paid by the NHS but the government "does not know how much the disruption to services cost."


Researchers Warn of Cyber Risks for Olympic Games
15.10.2017 securityweek Cyber
The Olympic Games offer a tempting target for hackers and other malicious actors, with potentially devastating consequences for one of the world's premier sporting events, researchers said Tuesday.

A report by University of California researchers said the efforts to disrupt the 2016 US election should serve as warning about the impact of a cyber-attack on the games.

The report released four months ahead of the Pyeongchang Winter Games cited "an increasing supply of opportunities for digital manipulation as sports incorporate new technologies designed to improve athlete training, accessorize the fan experience, and even help officials decide the results."

The researchers said hackers could do damage by infiltrating stadium or scoring systems, or by releasing sensitive data on athletes. Fans or transport systems could also be targeted.

"Most serious would be physical harm caused to the athletes or spectators; in such a case, the event would be overshadowed and likely cancelled as a result of these more serious harms," said the report by the university's Center for Long-Term Cybersecurity.

"Attacks on the integrity of the sporting event would also be serious... interference with the outcome could result in a decreased sense of trust that would have lasting impacts on the sport."

Cybersecurity has become more important as sporting events have introduced new technologies for everything from tickets to replays and scoring verification.

In recent years, hackers have increasingly sought to target sporting events, the researchers noted.

In one case, the hacker group known as Anonymous hacked into the Formula One website to protest a race held in Bahrain. And during the 2014 World Cup of football, phishing attacks from "hacktivists" infiltrated email accounts local for many Brazilian officials organizing the event.

Betsy Cooper, director of the center, said the report does not seek to evaluate how well-prepared Olympics organizers are for cybersecurity.

"Because the landscape of sports is changing so dramatically, it would be very difficult to predict today what that future risk landscape might look like even in a few years, let alone in 2024 or 2028," she said.

"It's very clear from our research that those in charge of preparing for future Olympic Games are taking security extremely seriously, which will be a great benefit as those games go forward."


ATMii: a small but effective ATM robber
10.10.2017 Kaspersky  Cyber
While some criminals blow up ATMs to steal cash, others use less destructive methods, such as infecting the ATM with malware and then stealing the money. We have written about this phenomenon extensively in the past and today we can add another family of malware to the list – Backdoor.Win32.ATMii.

ATMii was first brought to our attention in April 2017, when a partner from the financial industry shared some samples with us. The malware turned out to be fairly straightforward, consisting of only two modules: an injector module (exe.exe, 3fddbf20b41e335b6b1615536b8e1292) and the module to be injected (dll.dll, dc42ed8e1de55185c9240f33863a6aa4). To use this malware, criminals need direct access to the target ATM, either over the network or physically (e.g. over USB). ATMii, if it is successful, allows criminals to dispense all the cash from the ATM.

exe.exe – an injector and control module
The injector is an unprotected command line application, written in Visual C with a compilation timestamp: Fri Nov 01 14:33:23 2013 UTC. Since this compilation timestamp is from 4 years ago – and we do not think this threat could have gone unnoticed for 4 years – we believe it is a fake timestamp. What’s also interesting is the OS that is supported by the malware: One more recent than Windows XP. We can see this in the image below, where the first argument for the OpenProcess() function is 0x1FFFFu.

OpenProcess call with the PROCESS_ALL_ACCESS constant

It is the PROCESS_ALL_ACCESS constant, but this constant value differs in older Windows versions such as Windows XP (see the picture below). This is interesting because most ATMs still run on Windows XP, which is thus not supported by the malware.

A list of PROCESS_ALL_ACCESS values per Windows version

The injector, which targets the atmapp.exe (proprietary ATM software) process, is fairly poorly written, since it depends on several parameters. If none are given, the application catches an exception. The parameters are pretty self-explanatory:

param short description
/load Tries to inject dll.dll into atmapp.exe process
/cmd Creates/Updates C:\ATM\c.ini file to pass commands and params to infected library
/unload Tries to unload injected library from atmapp.exe process, while restoring its state.
/load param
<exe.exe> /load
The application searches for a process with the name atmapp.exe and injects code into it that loads the “dll.dll” library (which has to be in the same folder as the exe.exe file). After it has been loaded it calls the DLLmain function.

/unload param
<exe.exe> /unload
As the name already suggests, it is the opposite of the /load parameter; it unloads the injected module and restores the process to its original state.

/cmd param
<exe.exe> /cmd [cmd] [params]
The application creates/updates C:\ATM\c.ini which is used by the injected DLL to read commands. The file is updated each time the .exe is run with the /cmd param.

Contents of c.ini after execution of “exe.exe /cmd info”

The executable understands the following set of commands:

command description
scan Scans for the CASH_UNIT XFS service
disp Stands for “dispense”. The injected module should dispense “amount” cash of “currency” (amount and currency are used as parameters)
info Gets info about ATM cash cassettes, all the returned data goes to the log file.
die Injected module removes C:\ATM\c.ini file
dll.dll injecting module
After injection and execution of the DllMain function, the dll.dll library loads msxfs.dll and replaces the WFSGetInfo function with a special wrap function, named mWFSGetInfo.

At the time of the first call to the fake WFSGetInfo function, C:\ATM\c.ini is ignored and the library tries to find the ATM’s CASH_UNIT service id and stores the result, basically in the same way as the scan command does. If the CASH_UNIT service is not found, dll.dll won’t function. However, if successful, all further calls go to the mWFSGetInfo function, which performs the additional logic (reading, parsing and executing the commands from the C:\ATM\c.ini file).

Contents of C:\ATM\c.ini after execution of “exe.exe /cmd disp RUB 6000”

Below is an output of the strings program uncovering some interesting log messages and the function names to be imported. The proprietary MSXFS.DLL library and its functions used in the ATMii malware are marked with red boxes.

“scan” command
Because of the architecture of XFS, which is divided into services, the injected library first needs to find the dispense service. This command must be successfully called, because the disp and info commands depend on the service id retrieved by scan. Scan is automatically called after the dll has been injected into atmapp.exe.

After collecting the WFS_INF_CDM_STATUS data, additional data gets added to the tlogs.log. An example can be found below:


(387):cmd_scan() Searching valid service
(358):FindValidService() Checking device index=0
(70):CheckServiceForValid() ————————————————
(72):CheckServiceForValid() Waiting for lock
(76):CheckServiceForValid() Device was locked
(86):CheckServiceForValid() WFSGetInfo Success 0
(182):CheckServiceForValid() Done-> szDevice: WFS_CDM_DEVONLINE, szDispenser: WFS_CDM_DISPOK, szIntermediateStacker: WFS_CDM_ISEMPTY, szSafeDoor: WFS_CDM_DOORCLOSED
(195):CheckServiceForValid() Unlocking device
(390):cmd_scan() Service found 0

Part of a tlogs.log possible log after successfully executed “scan” command

“info” command
Before the criminals can dispense cash, they first need to know the exact contents of the different cassettes. For this, they use the info command which provides exhaustive information on all cassettes and their contents. The list of used XFS API functions is the same as with the scan command, but this time WFSGetInfo is called with the WFS_INF_CDM_CASH_UNIT_INFO (303) constant passed as a param.

Below is an example of the data in log file returned by the info command.


(502):ExecuteCmd() Executing cmd
(506):ExecuteCmd() CMD = info
(402):cmd_info() ! hFoundGlobalService = 0
(213):GetDeviceInformation() ————————————————
(220):GetDeviceInformation() Device locked 0
(337):GetDeviceInformation() Module: C:\program files\dtatmw\bin\atmapp\atmapp.exe
Cash Unit # 1, name=SOMENAME
Type: 3
Status: HIGH
Currency ID: 0x52-0x55-0x42
Note Value: 5000
Notes Count: 3000
Notes Initial Count: 3000
Notes Minimum Count: 10
Notes Maximum Count: 0

Example5 Part of a tlogs.log possible log after successfully executed “info” command

“disp” command
The dispense command is followed by two additional params in the command file: currency and amount. Currency must contain one of the three-letter currency codes of notes kept in the CASH_UNIT_INFO structure (currency codes are described in ISO_4217 e.g. RUB, EUR). The amount code holds the amount of cash to dispense and this value must be a multiple of ten.

“die” command
Does nothing except deleting C:\ATM\c.ini command file.

Conclusion
ATMii is yet another example of how criminals can use legitimate proprietary libraries and a small piece of code to dispense money from an ATM. Some appropriate countermeasures against such attacks are default-deny policies and device control. The first measure prevents criminals from running their own code on the ATM’s internal PC, while the second measure will prevent them from connecting new devices, such as USB sticks.


FBI Arrests A Cyberstalker After Shady "No-Logs" VPN Provider Shared User Logs
9.10.2017 thehackernews  Cyber

FBI recently arrested a psycho cyber stalker with the help of a popular VPN service and this case apparently exposed the company's lies about the "no logs" policy.
Taking down cyber stalkers and criminals is definitely a good thing, and the FBI has truly done a great job, but the VPN company whose first line of the privacy policy is—"We Do Not monitor user activity nor do we keep any logs"—has literally betrayed its customer's trust.
Is your VPN also lying to you? Well, it's the right time to think about this twice.
It's no secret that most VPN services—which claim to shield your Internet traffic from prying eyes, assuring you to surf the web anonymously—are not as secure as they claim.
In this post-Snowden era, a majority of VPN providers promise that their service is anonymous, with no log policy, but honestly, there is no way you can verify this.
PureVPN Helped the FBI with Logs
A 24-year-old Massachusetts man, Ryan Lin, has been arrested in a Cyberstalking case after one of the largest VPN providers, PureVPN, helped the FBI with information that linked Lin to his alleged cyber crimes.
In an FBI affidavit published last week by the US Department of Justice (DoJ), Lin is accused of stalking and harassing his housemates and former-roommates online while evading local police by using various services like Tor, VPNs and Textfree.
Lin tormented his former-roommate, Jennifer Smith, for one and a half year after stealing credentials for some of her online profiles from her unlocked MacBook, and other personal files, including photographs, from her iCloud and Google Drive accounts.
According to the affidavit, Lin released Smith's personal details online (known as 'doxing'), posted intimate photographs without her face suggesting they were of Smith, and emailed her private information to her contacts, including her family, relatives and colleagues.
Additionally, Lin allegedly posted fake profiles of her to websites "dedicated to prostitution, sexual fetishes, and other sexual encounters," shared information about her medical background that she never shared with anyone, and sent "images that likely constitute child pornography" to her family and friends.
Suspect Also Made Bomb, Death and Rape Threats
What's more? Lin often spoofed Smith's identity to send bomb, death and rape threats to schools and lone individuals, which even tricked one of her friends into calling the police to her house.
To conduct all these illegal actions and hide his tracks, Lin used various privacy services like ProtonMail, VPN clients, and Tor, anonymised international text messaging services and offshore private e-mail providers.
However, the suspect made a mistake by using a work computer for some of his illegal campaigns. The feds were able to recover some forensic artefacts from his work computer, even though he had been terminated and the OS had been reinstalled on the computer.
In the unallocated space of the system's hard drive, the FBI found artefacts referencing:
Bomb threats against local schools.
Username for TextNow, the anonymous texting service being Lin's most-visited Website.
Lin's name on Protonmail.
Lin had visited Rover.com (pet sitting site) and FetLife.com which were used in the cyberstalking campaigns.
Lin repeatedly accessed his personal Gmail account.
He used PureVPN in the cyberstalking campaign.
How FBI Investigated the Cyberstalking Case
PureVPN Helped the FBI with LogsThe FBI then managed to obtain logs from PureVPN, which linked himself to the illegal campaigns against Smith and his other former roommates.
"Further, records from PureVPN show that the same email accounts—Lin's Gmail account and the teleportfx Gmail account—were accessed from the same WANSecurity IP address," the complaint reads.
And then the complaint goes on to say what would be quite worrying for those who believe VPNs are their best way to protect their activities online:
"Significantly, PureVPN was able to determine that their service was accessed by the same customer from two originating IP addresses: the RCN IP address from the home Lin was living in at the time, and the software company where Lin was employed at the time."
Being one of the largest and well-known VPN providers, Hong Kong-based PureVPN is used by hundreds of thousands of users across the world, which eventually handed over details which a VPN is supposed to protect against.
Lin was arrested by the authorities on October 5, and if found guilty, he faces up to 5 years in prison and up to 3 years of "supervised release," according to the DoJ.


Utilities Fear Cyberattacks Could Cause Electric Grid Disruptions: Survey
5.10.2017 securityweek Cyber
Many utility executives from around the world believe cyberattacks could cause disruptions to electric distribution grids in the next five years, according to a report published on Wednesday by professional services company Accenture.

Accenture conducted a survey of more than 100 utility executives from over 20 countries in Europe, North America, Asia Pacific and other regions. The respondents were decision-makers in processes related to smart grids.

The study shows that nearly two-thirds of respondents are concerned that there is at least a moderate risk of a cyberattack causing disruptions to electricity supply in the next five years.

Electric distribution grids face cyberattacks

Accenture found that 57% of respondents are concerned that a cyberattack would result in interruption to electricity supply, while 53% are worried about its impact on employee and/or customer safety.

Roughly half of respondents are concerned about theft of sensitive customer or employee data, and theft of company data and intellectual property. Ransomware and destruction of physical assets are also among the top concerns.

“A typical distribution grid has neither the size of a transmission network nor the same risks of cascading failure,” Accenture said in its report. “However, distribution grids have the same vulnerabilities and, as a potentially softer target, could be increasingly subject to attack. Breaches by a wide range of potential attackers could have devastating impacts along the entire electricity value chain, from generation through to consumers. A successful attack could erode public trust in the utility and raise questions about the security of all devices along the value chain.”

Related: Learn More at SecurityWeek’s 2017 ICS Cyber Security Conference

On a global scale, cyberattacks conducted by state-sponsored actors, including their own government, are considered the biggest risk to distribution networks. This is also the greatest concern in North America, but cybercriminals are seen as the biggest threat in Europe and the Asia Pacific region.

The study also shows that utility executives are concerned, at least to some extent, about the risks posed by the Internet of Things (IoT) devices found in consumers’ homes.

Despite concerns, more than 40% of respondents said their organizations did not fully integrate cybersecurity into their risk management processes.

Nearly one-third of respondents believe improved threat identification and sharing across the industry would have the greatest impact on their cybersecurity capabilities. Others believe the biggest impact would come from clearer understanding of OT implications for cybersecurity (20%), training and risk awareness (15%), a holistic security program (12%), a risk management framework incorporating cybersecurity (11%), and clear cybersecurity governance and roles (10%).


EtherParty Breach: Another Ethereum ICO Gets Hacked
4.10.2017 thehackernews Cyber
Etherparty announced Sunday that its ICO (Initial Coin Offering) website selling tokens for a blockchain-based smart contract tool was hacked and the address for sending funds to buy tokens was replaced by a fraudulent address controlled by the hackers.
Vancouver-based Etherparty is a smart contract creation tool that allows its users to create smart contracts on the blockchain. Companies like this launch ICO to let them raise funding from multiple sources.
Etherparty said the company launched its Fuel token sale on Sunday, October 1 at 9 A.M. PDT, but just 45 minutes, some unknown attackers hacked into its ICO website and replaced the legitimate address by their own, redirecting cryptocurrencies sent by investors into their digital wallet.
According to the details released by the Etherparty team, the company detected the hack after just 15 minutes and immediately took its website down for nearly one and half hour to fix the issue, preventing more people from sending funds to the hacker's address.
By 11:35 A.M. PDT, the website was rebuilt and switched to a new web server, which also includes a pro tip on the top of it that reads: "Always check the URL and verify the contract address before sending ETH to any ICO."
Although Etherparty did not reveal details on how many funds were stolen, the company was really quick in figuring out the whole incident, taking appropriate steps, and alerting people of the hacking incident by distributing a press release.
The blockchain company has also "promised to compensate any affected contributors, with its proprietary FUEL token, prior to the temporary website shutdown at 10 A.M. PDT." The Etherparty's ICO is still ongoing and open until October 29, 2017.
"Our team has been consistently and successfully thwarting potential security issues to avoid further escalation," Etherparty Founder Lisa Cheng said.
"However, we do acknowledge and apologise for the temporary disruption to our otherwise successful launch day. Etherparty is eager and committed to compensating all affected contributors for the inconvenience."
Etherparty also said despite the hacking incident, its ICO got off to a positive start, "selling over 10,000,000 FUEL tokens in the first hour," and sold more than 400,000,000 FUEL tokens before the official launch in the pre-sale.
This incident marks the latest cyber attack on an ICO, following a theft of nearly $471,000 worth of Ethereum in cyber attack that hit Enigma Project in August, around $8.4 Million worth of Ethereum in hack that hit Veritaseum's ICO in July, and $7 Million worth of Ether tokens during the hack of Israeli startup CoinDash's ICO a week prior to Veritaseum's ICO hack.
Due to rising concerns surrounding ICOs over such hacks and scams, regulators globally are taking action against ICO fundraising. China has already announced an immediate ban on all ICO across the country.
In the United States, the Securities and Exchange Commission (SEC) has also issued an official warning about the risks of ICOs but has not made a firm move yet.


Equifax hack affected 145.5 million individuals, 2.5M more than originally stated
3.10.2017 securityaffairs Cyber

Equifax data breach may affect 2.5 million more customers than originally stated, the overall number of exposed individuals reached 145.5 million.
Earlier this week, Equifax announced that additional 2.5 million U.S. consumers were exposed as a result of the massive data breach that affected the company in September. The credit reporting agency confirmed that a total of 145.5 million individuals have been exposed, hackers accessed names, social security numbers, dates of birth, addresses and, in some cases, driver’s license numbers and credit card numbers.

The company hired the security firm Mandiant to investigate the incident, it has already completed the forensic analysis of the affected systems.

“I was advised Sunday that the analysis of the number of consumers potentially impacted by the cybersecurity incident has been completed, and I directed that the results be promptly released,” said the appointed interim CEO, Paulino do Rego Barros, Jr. “Our priorities are transparency and improving support for consumers. I will continue to monitor our progress on a daily basis.”

Equifax data breach

According to Equifax, Mandiant was not able to find further evidence of new attacker activity or any unauthorized access to new databases or tables. and concluded that there is no evidence the attackers accessed databases located outside of the United States.

The experts have found no evidence the attackers have accessed databases located outside of the United States, personal information of only approximately 8,000 Canadian consumers was exposed. The figure is lower than previous thought, it was initially estimated that 100,000 Canadian consumers were affected.

“That number was preliminary and did not materialize,” Equifax said.

The Equifax hackers exploited a Struts 2 vulnerability, tracked as CVE-2017-5638, that was discovered in March.

In a statement to a congressional committee on Monday, former Equifax CEO Richard Smith explained that the company failed to patch the flaw in March after becoming aware of it. This admission aggravates the position of the company, according to Equifax policy, it experts would have required a patch to be applied within 48 hours.


The Increasing Effect of Geopolitics on Cybersecurity
3.10.2017 securityweek Cyber
Cyber Warfare Can be Exerted by Any Nation With an Actual or Perceived Grievance Against Any Other Nation

The effect of geopolitics on cybersecurity can be seen daily – from Chinese cyber espionage to Russian attacks on the Ukraine and North Korea’s financially-motivated attacks against SWIFT and Bitcoins – and, of course, Russian interference in western elections and notably the US 2016 presidential election.

The primary cause is political mistrust between different geopolitical regions combined with the emergence of cyberspace as a de facto theater of war.

"Of course there is a connection between cybersecurity and geopolitics,” Ilia Kolochenko, CEO of High-Tech Bridge, told SecurityWeek. “Hackers are now acting as soldiers, and it's difficult to find a country that has never used a cyber weapon.”

Geopolitics, Cybersecurity and CyberwarA current example of geopolitical tensions can be seen in the recent ban on U.S. government agencies using a much-respected antivirus and endpoint protection product produced by Russian firm Kaspersky Lab. In September 2017, the U.S. Department of Homeland Security (DHS) issued a binding operational directive ordering government departments and agencies to stop using products from Kaspersky Lab, due to concerns regarding the company’s ties to Russian intelligence.

Kaspersky Lab has continually denied any inappropriate ties to the Russian intelligence services; and there is no public evidence to suggest otherwise.

“Kaspersky Lab has never helped, nor will help, any government in the world with its cyberespionage or offensive cyber efforts, and it’s disconcerting that a private company can be considered guilty until proven innocent, due to geopolitical issues,” it said in a statement.

There are many who believe that geopolitical mistrust is misplaced in the commercial world.

“Any cyber security strategy begins with trust,” comments Alan Levine, cyber security adviser to Wombat. “Can we trust the technology and services we procure? Has Kaspersky indicated even once that they can’t be trusted? Is this part of a parochial discussion about Russia equals bad? China bad? I’ve had colleagues in both countries, part of a trusted team I never had reason to second-guess.”

Nevertheless, the U.S. government’s distrust continues. It is against this background that we now examine the effect of geopolitics on cybersecurity; and ask whether there are any solutions to the problem.

Cyber as a Theater of War
Although not necessarily recognized at government level, few people involved with cybersecurity have any doubt that cyber warfare is current and ongoing. Governments are reluctant to openly acknowledge this reality for fear that recognition will require retaliation – and the big fear then is that it could escalate into kinetic warfare. Kinetic provocation leads to kinetic responses; cyber provocation tends not to. Consider, for example, the U.S. response to North Korea’s missile tests compared to the response to North Korea’s cyber attacks against Sony and SWIFT.

Cyber warfare has further advantages: the difficulty of attribution provides plausible deniability.

Attribution

Attribution is a major problem in cyberspace. Attackers can compromise servers in any part of the world. They can limit their activities to the working day of any geographical area. They can code in foreign languages; and they can reuse code snippets first used by different hacking groups. Such misdirection (false flags) is used by both nation state actors and cyber criminals.

An example of such occurred in 2015, when hackers initially thought to be the CyberCaliphate (that is, ISIS) almost destroyed the French TV5Monde television station. Attribution later turned to Fancy Bear (and by implication, the Russian state). Nevertheless, there remains no actual proof in the public domain that Fancy Bear has affiliations with the Russian Government.

Ironically, Kaspersky Lab researcher Juan Andrés Guerrero-Saade told SecurityWeek that if any organizations are equipped to accurately attribute attacks, it is the large nation signals intelligence agencies; that is, governments, because they have access to a much wider range of communications than is available to private researchers and research companies.

Governments also have access to old-fashioned spies, agents and other assets on the ground. When these resources provide physical evidence, intelligence agencies rarely acknowledge the source for fear of identifying their assets. The result is governments will sometimes make an attribution but decline to provide evidence; and it comes down to whether we trust our governments or not.

“Kaspersky is great software,” Eric O’Neill, General Counsel and Investigator at Carbon Black – and a former Investigative Specialist with the FBI – told SecurityWeek, “but I'd like to know what the U.S. Intelligence community isn't telling us.”

Plausible deniability

When it is impossible to openly prove the culprit, it is easy for the suspect to deny all knowledge. Following repeated denials of involvement in the US 2016 election hacks, Vladimir Putin finally suggested that it could have been ‘patriotic Russian hackers’.

“They got up today and read that something is going on internationally. If they are feeling patriotic they will start contributing, as they believe, to the justified fight against those speaking ill of Russia,” he said. But at the same time, he stressed that it had nothing to do with the Russian government.

This has been interpreted by some as a comment verging on a taunt: we did it; you know we did it; but you just cannot prove we did it. This is plausible deniability.

Escalation

Given the ease and success of cyber warfare attacks, it’s only natural that we see an escalation in its use. “In 2007, in Estonia,” explains Kenneth Geers, senior research scientist at Comodo and NATO Cyber Center Ambassador, “a distributed denial of service campaign primarily targeted online services. A decade later, in Ukraine, we have seen a far higher number and variety of attacks, spanning the political, diplomatic, business, military, critical infrastructure, and social media domains.”

The use of the internet as a means of disseminating political propaganda has also increased. Public awareness initially focused on Anonymous hacktivism, where the Anonymous group would deface or take down the websites of organizations or companies to which it objected.

This was followed by a series of social media account hacks by the Syrian Electronic Army (SEA), who used the accounts to disseminate pro-Assad views – often, it has to be said, through the use of humor.

This has now evolved into a complete and automated ‘fake news’ industry. In June 2017, Trend Micro published an analysis of this industry. Voter manipulation is available for a price. "Siguldin," says the report, "markets itself to be capable of manipulating almost any voting system in the Internet and bypassing security checks such as source IP address, Captcha, and authentication mechanisms in social media, SMS, and email as well as on-site registration among others."

During the run-up to the 2016 U.S. presidential elections, Fancy Bear allegedly broke into DNC servers to steal and release inflammatory emails – supposedly to manipulate the U.S. electorate into rejecting the Democrat candidate Hilary Clinton in favor of the Republican Donald Trump. The U.S. intelligence agencies have no doubt that this action was directed by the Kremlin – but, as with the accusations against Kaspersky Lab, there is no public proof offered.

While Russia is by no means the only nation engaging in cyber warfare (North Korea and Iran quickly come to mind), nevertheless Russia dominates the accusations. The technical excellence of the Russian hacking groups, whether or not affiliated to the FSB, escapes no-one: as long ago as September 2012, Trend Micro warned in the report Peter the Great vs. Sun Tzu, “East Asian hackers are not at the same skill level of maturity as their East European counterparts.”

It is against the background of rising US concern over Russian hacking that we should consider the current accusations levied against Kaspersky Lab. “I suspect that Kaspersky is merely a victim of the ongoing political fallout from the 2016 U.S. Presidential Election,” comments Geers. “This is what we must assume, absent published analysis of a demonstrable secret back door or intentionally weakened cryptography.”

The Effect of Geopolitics on Cybersecurity
The fundamental cause of cyber warfare is international political mistrust. As this escalates, so international cyber incidents increase – and there is little doubt that political mistrust is as high as it has ever been since the end of the Cold War. Sino-American tensions remain high, complicated by the unpredictability of a newly nuclear North Korea. The War on Terror that replaced the Cold War has seen the emergence of Iran as a sponsor of terror; both on the streets and in cyberspace. And Russia’s new found energy wealth sees Putin apparently determined to make the Russian Federation as powerful as the old Soviet Union.

Kinetically, the United States is probably the world’s sole Super Power; perhaps followed by China. Cyberspace, however, is a huge leveler. “What you’re seeing today is technology straining and sometimes eclipsing the ability of traditional constraints and institutions to keep them in check,” Christopher Bray, SVP/GM Consumer at Cylance Inc, told SecurityWeek. “It’s also resulting in smaller nations punching above their weight when it comes to cyber defensive and offensive capabilities, and exerting these new-found technological powers in advancing their geopolitical agendas as well as their desire to monitor their own populations to various degrees. This monitoring is always done in the interest of ‘national security’, but depending on the government in question, it can also lead into a more Orwellian direction.”

In short, cyber warfare can be exerted by any nation with an actual or perceived grievance against any other nation; and the implication of that is that it will continue to grow. This is likely to have several negative effects on cyberspace.

Balkanization

The first negative effect is already being felt: it is the balkanization of the internet. There are two aspects to this: the first is to protect the national internet from the global internet; and the second is to promote the use of locally produced products over foreign-produced, and therefore suspect, products. The Iranian, North Korean and Chinese intranets are the best known examples. China has embarked on a locally-produced product policy (China’s Cybersecurity Law) which will see 80% of large Chinese business security expenditure will be on locally produced products.

Other countries are embarking on different routes towards the same end: banning or at least deprecating the use of foreign-produced products (China’s Huawei and perhaps Russia’s Kaspersky in the U.S., for example), or using internet censorship and press restraint to limit the citizen’s access to foreign or distrusted information sources (as increasingly happens in the UK).

The problem with this effect of geopolitics is that it increases rather than decreases mistrust – and this ‘balkanization’ will likely, but not necessarily, have further negative effects on both cyber and national security.

Weakened cybersecurity

It is not at all clear that a ‘local product only’ policy can work. “Most major software products are written by personnel in numerous countries, and parent companies subcontract out much of the labor to coders whom they only know tenuously,” explains Geers. “Often, we have little choice but to use, for example, Chinese hardware, American software, French routers, and Israeli security applications… Are there spies working in many of the best-known software companies? Without a doubt. But in most cases, the companies in question do not know about them.”

Chris Roberts, chief security architect at Acalvio, agrees with this view. “Almost everything we have is brought in from somewhere else, manufactured elsewhere and/or supported elsewhere. Those microchips you have in your sensitive systems come from China… and if anyone is counting,” he added, “we (the U.S.) hold more in long term securities in Russia than they hold in us… so we’re basically shooting ourselves in our feet (with both barrels).”

The corollary is clear. Globalization market forces have produced the most efficient manner of producing high quality security products. Forced interference with that schema will likely lead to less than optimum cybersecurity. In our current example, if Kaspersky Lab’s protestation of innocence is true, then U.S. government agencies are restricted from purchasing an antivirus endpoint protection product that consistently performs at the top end of the spectrum in all third-party tests.

If cybersecurity is weakened by nationalism, then the national security that depends upon strong security products will also be weakened.

“Traditional political and military conflicts may drag us into a Cyber Cold War that will be bad both for technology and for the rule of domestic and international law,” says Geers. “The best place to see progress on cybersecurity, which is fundamentally an international problem that requires an international solution,” he continues, “is within the European Union and NATO, the world’s strongest political and military alliances. The combined law enforcement, network security, and intelligence power of 29 sovereign democracies far outweighs that of even Moscow or Beijing.”

The nationalism and ‘Britain First’ policies behind Brexit will weaken British and EU security. The full effect of a nationalist ‘America First’ policy will weaken global cybersecurity, and potentially – if it also weakens NATO – global kinetic security.

More complex business security

Concern over geopolitical influence on cybersecurity products simply makes a difficult job even more difficult. Steven Lentz, CSO at Samsung Research America, told SecurityWeek, “It's sad that we have to be aware of vendors like this, but that's the environment. Politics finds a way into everything nowadays. I just want a solution that does what it says and fits our environment. Now, with all the press of certain vendors in possible collusion with governments that may spy on the U.S., it makes it more complicated. I may like the vendor’s solution, but now I have to worry about possible malware or back doors,. It's sad.”

Martin Zinaich, ISO at the City of Tampa, doesn’t believe that the possibility of government backdoors in cybersecurity products makes an impossible job any more impossible. “If a government wanted to bury a backdoor, I have doubts that anyone would actually find it.” He also points out that the problem isn’t limited to to a nation’s own products. He notes the recent compromise of CCleaner, a product owned by Avast. Avast is a Czech-based antivirus company. There are suggestions that it was compromised by a hacking group known as Group 72; and there are further suggestions that Group 72 has affiliations with the Chinese government.

Is There a Solution?
There is no easy solution to the cybersecurity problems caused by geopolitics, although there are several proposals. The first is a set of internationally agreed ‘norms of cyber behavior’. One example was published by Microsoft in summer 2016.

The Microsoft Norms

The problem with norms is that they must first be agreed by everyone, and then obeyed by everyone before they can be called ‘norms’. “The impact of cybersecurity norms depends on whether they are implemented faithfully and whether violators are held accountable,” admits the report. However, accountability falls at the attribution problem – since it is almost impossible to prove attribution, it is impossible to hold deviant nations to account.

Microsoft’s proposed solution is an independent, international body of experts who would pronounce on attribution. “A public/private international body might be a highly constructive way to validate whether norms are being adhered to and may help create a more stable cyberspace in the future."

However, it is hard to see how this would work in practice: it is doubtful whether any state would accept responsibility just because a panel of adjudicators finds it culpable. Furthermore, each accused state would likely be supported strictly along the lines of their existing geopolitical spheres of influence.

For the foreseeable future, norms are not likely to be possible; and norms are most required when they are least achievable.

Product certification

Product certification is an approach that offers a partial solution. The idea is simple – an independent authority should analyze a hardware or software product and, if satisfied, certify it free of weaknesses or backdoors. Both government and business could then treat the product as trustworthy, regardless of source.

Over the years there have been many attempts at developing product certification schemes. In the UK, GCHQ runs a Commercial Product Assurance (CPA) scheme via the NCSC. ‘Foundation Grade’ certification ‘means the product is proven to demonstrate good commercial security practice and is suitable for lower threat environments.’ Noticeably, it doesn’t say it is free from foreign government backdoors.

A more recent initiative comes from the European Commission: a regulation proposal on ‘Information and Communication Technology cybersecurity certification’, published Sept. 13, 2017. The proposal has two key elements: that the European Union Agency for Network and Information Security (ENISA) is put on a permanent footing as Europe’s cybersecurity agency; and that ENISA should develop and control a new pan-European product certification scheme.

“ICT cybersecurity certification becomes particularly relevant in view of the increased use of technologies which require a high level of cybersecurity, such as connected and automated cars, electronic health or industrial automation control systems (IACS),” says the proposal.

The European approach has one main advantage over the UK approach – ENISA is at arms length from the politicians, and two arms lengths from the intelligence agencies. The CPA is controlled by an intelligence agency.; so while CPA may be trusted within the UK, its value to other countries may be suspect simply because of geopolitical tensions.

However, all certification schemes suffer from the same ultimate flaw: certification can never guarantee that there is no backdoor, and that one won't be added through means such as remote updates. Certifications can only affirm that none have been found.

Reverse engineering

Reverse engineering software code is probably the most effective way of detecting flaws and backdoors; but it is too time-consuming and costly to be generally effective. It can be done, however, in special circumstances; and the Huawei Cyber Security Evaluation Center (HCSEC) in Banbury, UK, is an example.

China’s Huawei telecommunications products are not universally trusted – and were banned in the U.S. in 2012 for fear of backdoors leaking information to China. The company was also banned from bidding on a contract to work on Australia’s National Broadband Network (NBN). The same is not now true in the UK, albeit by an unusual route.

In 2005, BT awarded a telecommunications contract to Huawei – but government ministers what not informed of any security concerns until 2006. By this time the Cabinet Office had been informed that blocking the contract “could have had serious diplomatic and trade implications as well as exposing the government to a potential claim for hundreds of millions of pounds in compensation from BT under a provision in the 1984 Act that makes the Government liable to offset any losses sustained in complying with the direction.”

The solution was to retrofit trust. HCSEC, commonly called The Cell, was launched in November 2010. Under GCHQ and now NCSC oversight, and with cooperation from Huawei, the UK is able to reverse engineer Huawei code looking for any flaws or backdoors.

Since 2015, the HCSEC Oversight Board – chaired by NCSC CEO Ciaran Martin – has produced annual reports. The third of these (PDF), published in July 2017, concludes “that in the year 2016-17, HCSEC fulfilled its obligations in respect of the provision of assurance that any risks to UK national security from Huawei’s involvement in the UK’s critical networks have been sufficiently mitigated. We are content to advise the National Security Adviser on this basis.”

In short, reverse engineering has retrofitted trust between the UK government and Huawei despite any geopolitical tensions that might exist between the UK and China. This is relevant to any discussion over geopolitics and Kaspersky Lab since the Russian firm has offered the same facility to the U.S. government.

In July 2017, Eugene Kaspersky told the Associated Press that the company will show its source code to the U.S. government if that gesture will foster trust. “Anything I can do to prove that we don’t behave maliciously I will do it,” he said. Kaspersky has continually reinforced his willingness to do so ever since.

Roberts believes that this could be a solution. “So, let’s go back to Russia given that’s the one that’s at the forefront of everyone’s mind.. why don’t we have a ‘gating’ system where we bring technologies in, assess them, reverse engineer them, and then when they’ve passed that ‘gate’ they can be let into the government etc? The UK does it, and as long as our geeks are more devious than their attackers we should be in good shape.”

There is no solution

Kaspersky Lab’s problem with the U.S. government is an example of the effect of geopolitics on cybersecurity – and the sad reality is that there is no way that Kaspersky Lab can prove its innocence. Consider, for example, the company’s statement on Russian law:

Russia Cyber Threats

“Regarding the Russian policies and laws being misinterpreted, the laws and tools in question are applicable to telecom companies and Internet Service Providers (ISPs), and contrary to the inaccurate reports, Kaspersky Lab is not subject to these laws or other government tools, including Russia’s System of Operative-Investigative Measures (SORM), since the company doesn’t provide communication services. Also, it’s important to note that the information received by the company, as well as traffic, is protected in accordance with legal requirements and stringent industry standards, including encryption, digital certificates and more.”

Carbon Black’s O’Neill responded, “I do not fault Kaspersky or the Federal Government for this decision. While the [DHS] directive may appear extreme, the Russia government has waged a silent war against the United States for years, most recently in attempting to influence our 2016 election.” He added, “Unfortunately for Kaspersky, our government has no good answer for whether Kaspersky could deny any request for assistance from Russian intelligence. While I expect that Kaspersky would immediately say no to any such request, the question is unfortunately not ‘would they’ but ‘could they’. I'm not certain Russian intelligence would take no for an answer.”

For so long as geopolitical tensions remain high, mistrust will prevail, and geopolitical effects on cybersecurity will increase.


A simple example of a complex cyberattack
28.9.2017 Kaspersky Cyber
We’re already used to the fact that complex cyberattacks use 0-day vulnerabilities, bypassing digital signature checks, virtual file systems, non-standard encryption algorithms and other tricks. Sometimes, however, all of this may be done in much simpler ways, as was the case in the malicious campaign that we detected a while ago – we named it ‘Microcin’ after microini, one of the malicious components used in it.

We detected a suspicious RTF file. The document contained an exploit to the previously known and patched vulnerability CVE-2015-1641; however, its code had been modified considerably. Remarkably, the malicious document was delivered via websites that targeted a very narrow audience, so we suspected early on that we were dealing with a targeted attack. The threat actors took aim at users visiting forums with discussions on the state-subsidized housing that Russian military personnel and their families are entitled to.
A forum post with a link to the malicious document

This approach appears to be very effective, as it substantially increases the chance that a potential victim will download and open the malicious document: the hosting forum is legitimate, and the malicious document is named accordingly (“Housing acceptance procedure” in Russian).

All links in the forum messages lead to the URL address files[.]maintr**plus[.]com, where the RTF document with the exploit was hosted. The threat actors sometimes used PPT files containing an executable PE file which did not contain the exploit, as the payload was launched by a script embedded into the PPT file.

If a Microsoft Office vulnerability is successfully exploited, the exploit creates an executable PE file on the hard drive and launches it for execution. The malicious program is a platform used to deploy extra (add-on) malicious modules, store them stealthily and thus add new capabilities for the threat actors. The attack unfolds in several stages, as described below:

The exploit is activated, and an appropriate (32-bit or 64-bit) version of the malicious program is installed on the victim computer, depending on the type of operating system installed on it. To do this installation, malicious code is injected into the system process ‘explorer.exe’ rather than into its memory. The malicious program has a modular structure: its main body is stored in the registry, while its add-on modules are downloaded following the instruction arriving from the C&C server. DLL hijacking (use of a modified system library) is used to ensure that the main module is launched each time the system is rebooted.
The main module of the malicious program receives an instruction to download and launch add-on modules, which opens new capabilities for the threat actors.
The malicious add-on modules provide opportunities to control the victim system, take screenshots of windows and intercept information entered from the keyboard. We have seen them in other cyber-espionage campaigns as well.
The threat actors use PowerSploit, a modified set of PowerShell scripts, and various utilities to steal files and passwords found on the victim computer.
The cybercriminals were primarily interested in .doc, .ppt, .xls, .docx, .pptx, .xlsx, .pdf, .txt and .rtf files on the victim computers. The harvested files were packed into a password-protected archive and sent to the threat actors’ server.

Overall, the tactics, techniques and procedures that the cybercriminals used in their attacks can hardly be considered complicated or expensive. However, there were a few things that caught our eye:

The payload (at least one of the modules) is delivered using some simple steganography. Within traffic, it looks like a download of a regular JPEG image; however, the encrypted payload is loaded immediately after the image data. Microcin searches for a special ‘ABCD’ label in such a file; it is followed by a special structure, after which the payload comes, to be decrypted by Microcin. This way, new, platform-independent code and/or PE files can be delivered.
If the Microcin installer detects the processes of some anti-malware programs running in the system, then, during installation, it skips the step of injecting into ‘explorer.exe’, and the modified system library used for establishing the malicious program within the system is placed into the folder %WINDIR%; to do this, the system app ‘wusa.exe’ is used with the parameter “/extract” (on operating systems with UAC).
Conclusion
No fundamentally new technologies are used in this malicious campaign, be it 0-day vulnerabilities or innovations in invasion or camouflaging techniques. The threat actors’ toolkit includes the following:

A watering hole attack with a Microsoft Office exploit;
Fileless storage of the main set of malicious functions (i.e., the shellcode) and the add-on modules;
Invasion into a system process without injecting code into its memory;
DLL hijacking applied to a system process as a means of ensuring automatic launch that does not leave any traces in the registry’s autorun keys.
The attackers also make use of PowerShell scripts that are used extensively in penetration tests. We have seen backdoors being used in different targeted attacks, while PowerSploit is an open-source project. However, cybercriminals can use known technologies as well to achieve their goals.

The most interesting part of this malicious campaign, in our view, is the attack vectors used in it. The organizations that are likely to find themselves on the cybercriminals’ target lists often do not pay any attention to these vectors.

First, if your corporate infrastructure is well protected and therefore ‘expensive’ to attack (i.e., an attack may require expensive 0-day exploits and other complicated tools), then the attackers will most likely attempt to attack your rank-and-file employees. This step follows a simple logic: an employee’s personal IT resources (such as his/her computer or mobile device) may become the ‘door’ leading into your corporate perimeter without the need of launching a direct attack. Therefore, it is important for organizations to inform their employees about the existing cyber threats and how they work.

Second, Microcin is just one out of a multitude of malicious campaigns that use tools and methods that are difficult to detect using standard or even corporate-class security solutions. Therefore, we recommend that large corporations and government agencies use comprehensive security solutions to protect against targeted attacks. These products are capable of detecting an ongoing attack, even if it employs only a minimum of manifestly malicious tools, as the attackers instead seek to use legal tools for penetration testing, remote control and other tasks.

The implementation of a comprehensive security system can substantially reduce the risk of the organization falling victim to a targeted attack, even though it is still unknown at the time of the attack. There is no way around it; without proper protection, your secrets may be stolen, and information is often more valuable than the cost of its reliable protection.

For more details of this malicious attack, please read Attachment (PDF).


Third-Party Cyber Risks a Rising Threat, Research Shows
28.9.2017 securityweek  Cyber
Third-party risk and understanding that risk continues to grow; but mitigation of the risk is, if anything, getting worse. This can be seen in two separate studies published this week by Ponemon and BitSight.

The Ponemon study (PDF), commissioned by risk and compliance firm Opus, questioned 625 individuals familiar with their organizations' third-party risk management posture. The BitSight study (PDF) took a different approach and examined the visible security posture of more than 5,200 legal, technology, and business services companies known to be third-parties to finance organizations. Both surveys show a significant gap in the security posture of primary organizations and their third-party suppliers.

For many large organizations, this gap is increasingly exploited by malicious actors as the soft underbelly route into the company. The Ponemon study shows that this situation is, if anything, worsening; while the BitSight study highlights some of the security weaknesses commonly found in third-party vendors.

Ponemon found that 56% of respondents had suffered a third-party data breach in the last year -- an increase of 7% over the previous year. The cause ins't clear, but could be related to industry's growing reliance on third-parties and especially cloud-based service suppliers. Noticeably, the BitSight study suggests that "business services companies present the highest level of risk for the finance industry."

Part of the problem is that organizations have little visibility of, or into, their supply chain. Fifty-seven percent of Ponemon's respondents don't have an inventory of the third-parties with which they share sensitive data, and the same number don't know if their suppliers' policies would prevent a data breach.

BitSight offers some insight in this area. By examining the visible posture of vendors, it has discovered a strong correlation between outdated systems (XP and Vista) and machine compromise. "This means," suggests BitSight, "that outdated desktop operating systems and browsers that exist within a supply chain are correlated to more immediate risks of machine compromise and data loss."

However, BitSight also notes that primary finance companies have a higher incidence of outdated servers than their supply chain. Nearly 30% of finance firms have at least one instance of an outdated Windows IIS server on their network, compared to only 10% of their legal services and 20% of business services and technology services suppliers. It points out that one of the exploits leaked by Shadow Brokers relates to IIS v6 (CVE-2017-7269). Earlier this year researchers suggested that more than 8 million webservers might be subject to this vulnerability, and that it had exploited in the wild since July 2016. BitSight also notes that there is a similar correlation for unsupported versions of Apache, for which there have been 15 documented CVEs since 2015. Clearly in some areas organizations need to improve their own security as well as that of their vendors.

Previous BitSight research has shown that high levels of torrent file sharing activity also correlates with a higher rate of system compromise. Finance companies do little of this, with less than 1% exhibiting torrent downloads. Only 10% of legal organizations have torrents; but 22% of business services and 23% of technology firms have torrented. "Overall," suggests BitSight, "peer-to-peer file sharing activity may be indicative of other lax security policies for an organization."

"While finance organizations tend to have more sophisticated vendor risk management programs, there is a lot of work to be done to close the performance gap between their own organizations and their immediate business ecosystem," said Stephen Boyer, co-founder and CTO of BitSight.

The Ponemon study, however, shows that most organizations are not confident in their current ability to do so. Only 17% of respondents feel they are highly effective at mitigating third-party risks (a 5% decrease from 22% in 2016); while 60% (down from 66% in 2016) are unprepared to check or verify their third-parties.

Both studies suggest that third-party risk is now being taken more seriously by senior management. According to Ponemon, this has risen by 15% in the last year. "Senior executives and Boards of Directors are increasingly asking for updates into their vendor risk management programs and looking for demonstrable progress in reducing third-party cyber risk," says BitSight. There is, however, a long way to go. Gartner reports that by 2020, only 75% of Fortune 500 companies will be treating vendor risk management as a board -level initiative.

Both studies also provide a set of recommendations for improving the current situation.

"Data breaches and cyberattacks continue to plague organizations who are often unaware that the source of their information security risks can result from sensitive data obtained by a third or Nth party," comments Dr. Larry Ponemon. "It is critical for organizations to actively manage their third-party interactions by implementing standard processes, including inventory and policy review and documentation, senior leadership and board member oversight, as well as other safeguards to reduce their vulnerability."

The recommendations include, from Ponemon, suggestions such as "conduct audits and assessments to evaluate the security and privacy practices of third-parties"; "create an inventory of third-parties who have access to confidential information and how many of these third-parties are sharing this data with one or more of their contractors"; and "regularly review the security and privacy practices" of third-party vendors.

The problem with these recommendations is that security officers are already aware that this should be done, but have neither the manpower nor budget to do them. Ponemon's final recommendation consequently becomes the most important: "involve senior leadership and boards of directors in third-party risk management programs." Achieving this will require that security teams successfully 'sell' the need to their management -- but the reward could be the first step to solving the problem. "Such high-level attention to third-party risk may increase the budget available to address these threats to sensitive and confidential information," concludes the report.

BitSight offers some practical recommendations. Having found a correlation between outdated endpoints, servers and peer-to-peer file-sharing with data breaches, it suggests that primary organizations should take special notice of their occurrence in the supply chain. Third-parties with Vista and XP endpoints should be encouraged to upgrade, and provide a timetable for doing so. Particular concern should be taken over vendors who have outdated servers containing their sensitive information since "it is the most immediate path to data compromise." And, "If a vendor exhibits peer-to-peer file sharing on their network, ask to review their file sharing policies."

However, BitSight's final recommendation is perhaps the most important and potentially least expensive: collaborate with third-parties to improve their level of performance. In the end, third-party risk is all about relationships; and a good working relationship between buyer and seller can go a long way towards mitigating inherent risk.


Company That Tracks Location of Cars Left Data Open to the World
25.9.2017 securityweek  Cyber
A misconfigured Amazon Web Services (AWS) S3 bucket containing more than half a million records pertaining to an auto tracking company was left publicly accessible, thus leaking the data stored in it, Kromtech security researchers warn.

The repository appears to be connected to the vehicle recovery device and monitoring company SVR Tracking, where “SVR” stands for “stolen vehicle records.” In addition to exposing information on the tracking device, including details about where on the car the unit is hidden, the bucket included data on the company’s customers and re-seller network.

When accessing the AWS bucket, the security researchers discovered that a backup folder called “accounts” contained a total of 540,642 records with logins and passwords, emails, VIN (vehicle identification number), IMEI numbers of the GPS devices on the device, plate numbers, and other data.

SVR Tracking promises live, real-time tracking, and stop verification, features that supposedly allow owners to determine the potential locations for their vehicles. Through the application dashboard, users can access real-time graphs and detailed data on vehicle activity.

This is possible because the car’s movements are monitored continuously, with location history saved for the past 120 days. Not only can users see everywhere the car has been for said period, they can also pinpoint on the map all the places the driver has visited, along with the top five stop locations. A recovery mode can pinpoint every 2 minutes.

Anyone with the necessary credentials at hand can access the application dashboard from any Internet connected device, including desktops, laptops, mobile phones, or tablets, the security researchers warn. Located by satellite, the tracking device sends information using the GPRS Data Network.

“In the age where crime and technology go hand in hand, imagine the potential danger if cyber criminals could find out where a car is by logging in with the credentials that were publicly available online and steal that car?” Bob Diachenko, Kromtech's Chief Communication Officer, points out.

Kromtech said that it has contacted SVR Tracking to report their findings, but has not received a reply. However, the auto tracking company secured the repository shortly after receiving the report, Diachenko says.


Verizon Engineer Exposes Internal System Data
25.9.2017 securityweek Cyber
Researchers discovered an unprotected Amazon Web Services (AWS) S3 bucket containing potentially sensitive information associated with a system used internally by Verizon.

The cloud container, discovered by Kromtech Security on September 20, stored roughly 100 Mb of data from a system called Distributed Vision Services (DVS), which is used to retrieve and update billing data on all Verizon Wireless front-end applications.

While the S3 bucket did not store any Verizon customer information, it did contain usernames, passwords, and 129 Outlook messages representing internal communications.

The security firm also reported finding information that could have been used to access parts of Verizon’s internal network, B2B payment server details, PowerPoint presentations describing Verizon’s infrastructure, and global router hosts.

An investigation by Verizon revealed that the storage container was owned and operated by one of its engineers and not the company itself. Access to the files was restricted shortly after Kromtech sent a notification to Verizon on September 21.

Kromtech was told that the storage container did not hold any confidential data, but experts are not convinced.

“Verizon had $126.0 billion in consolidated revenues in 2016 and it seems like they would not leave the keys to the front door of their data servers or network out for anyone. In the corporate world any bad news can affect stock prices or other aspects of the business. However, if these files were not sensitive, why not make this information open source or publically available?” explained Bob Diachenko, chief security communications officer at Kromtech.

“As security researchers we often hear that data was not sensitive or that it was production or test data, when it is clearly not,” Diachenko added.

This was not the first time Verizon data was exposed via a misconfigured AWS S3 bucket. Back in mid-July, cyber resilience firm UpGuard reported that one of the company’s partners in Israel had exposed information on millions of Verizon customers.

Verizon determined at the time that the names, addresses, phone numbers and other details of roughly 6 million customers were exposed due to human error.

“Given the high number of incidents involving exposed S3 buckets that we have seen in the past few months, it is baffling that every organization is not carefully looking into the configurations and exposure levels of their storage in the cloud. Protecting data in the cloud from accidental exposure and theft is a business priority,” said Zohar Alon, co-founder and CEO of Dome9.

“Companies need to be held highly accountable for their lack of security on the public cloud,” Alon told SecurityWeek. “The public cloud needs a united front on security with regular configuration checks and balances – where public cloud providers, third party tools with advanced features, and a governing body all work together in order to ensure corporate and consumer data stays safe and out of the reach of hackers.”


Experts say United Cyber Caliphate hackers have low-level cyber capabilities
25.9.2017 securityaffairs Cyber

United Cyber Caliphate members stopped trying to develop their own hacking and communication tools and used to search them into the criminal underground.
According to Kyle Wilhoit, a senior security researcher at DomainTools, who made a speech at the DerbyCon hacking conference in US, ISIS members stopped trying to develop their own hacking and communication tools and used to search them into the criminal underground.

United Cyber Caliphate ISIS mobile app-download-page

The expert explained that members of hacker groups that go under the banner of the United Cyber Caliphate (UCC) have low-level coding skills and their opsec are “garbage.”

ISIS members belonging to groups under the United Cyber Caliphate (UCC) developed three apps for their communication, they also developed trivial malware whom code was riddled with bugs.

The terrorists also developed a version of PGP called Mujahideen Secrets in response to NSA surveillance and the DDOS tool dubbed “Caliphate cannon.”

“ISIS is really really bad at the development of encryption software and malware,” Wilhoit explained. “The apps are sh*t to be honest, they have several vulnerabilities in each system that renders them useless.”

Due to their technical limitations, ISIS-linked groups started using mainstream communication systems like Telegram and Russian email services that are widely used by cyber criminals.

United Cyber Caliphate Telegram ISIS Channel

Wilhoit revealed to have discovered a server left open online containing photographs of active military operations by ISIS in Iraq and Syria. The content on the server, allegedly used for propaganda, was a mine for the experts because the ISIS militants haven’t removed metadata from the material allowing them to gather information on the terrorists.

Wilhoit provided profiled the activity of the following ISIS hacking groups:

The Caliphate Cyber Army, a group formed about four years ago that was mostly involved on online defacement of websites.
The Islamic State Hacking Division that was focused on the hacking of government systems in the US, UK, and Australia to gather information of the military personnel purportedly involved in drone strikes against the IS in Syria and Iraq and publish “Kill lists.” In May 2016, the group claimed to have infiltrated the UK Ministry of Defence. Wilhoit believes the technical skills of the group are negligible.
The Islamic Cyber Army focuses on the energy industry, gathering data about power grids likely to plan an attack. Despite they leaked information about the systems of the targeted companies, Wilhoit confirmed that there’s no evidence they have actually managed to break into a power company,
The Sons of the Caliphate Army is another group analyzed by the expert. It is currently operating under the UCC banner, but it was not involved in specific operations.
Wilhoit also provided data related to the activity of social network companies against online propaganda, he said Facebook is able to take down terrorist accounts within 12 hours and Twitter in many cases is able to shut down accounts before they start spreading messages.

Twitter suspends 299,000 accounts linked to terrorism in the first six months of 2017, the company revealed that 75 percent of the infringing accounts were suspended before their first tweet confirming the huge efforts in fighting online propaganda and other activities linked to this threat.

According to data provided in the transparency report, Twitter confirmed that 95 percent of the suspended accounts for the promotion of terrorism were identified by using internal tools designed to identify and block spam, government requests accounted for less than 1% of account suspensions.

Wilhoit also explained that attempts to use the internet for fundraising were a failure, he reported scammers have started spoofing Islamic State websites to trick sympathizers in make Bitcoin donations.

“If UCC gets more savvy individuals to join then a true online terrorist incident could occur,” Wilhoit concluded. “But as it stands ISIS are not hugely operationally capable online. As it is right now we should we be concerned, of course, but within reason.”


New Verizon data leak, the second one in a few months
23.9.2017 securityaffairs Cyber

Experts at Kromtech Security Research Center discovered a new Verizon leak exposed confidential and sensitive data on internal systems.
It has happened again, security researchers with Kromtech Security Research Center discovered a new Verizon leak exposed confidential and sensitive data on internal systems.

Leaked data includes server logs and credentials for internal systems, the huge trove of documents was found on an unprotected Amazon S3 bucket.

The archive seems to refer to internal Verizon Wireless systems, known as Distributed Vision Services (DVS), that is a middleware system used by the company to deliver data from the back-end systems to the front-end applications used by employees and staff in stores and at call centers.

“On September 20th, Kromtech Security researchers discovered publicly accessible Amazon AWS S3 bucket containing around 100MB of data attributing to internal Verizon Wireless system called DVS (Distributed Vision Services).” states a blog post published by Kromtech.

“DVS is the middleware and centralized environment for all of Verizon Wireless (the cellular arm of VZ) front-end applications, used to retrieve and update the billing data.”

The Amazon cloud storage contained several files, mostly scripts and server logs that included some login credentials to internal systems, some folders contained internal Verizon confidential documents, another folder contained 129 Outlook messages with internal communications within Verizon Wireless domain.

The repository contained:

Admin user info that could potentially allow access to other parts of the network
Command notes, logs including
B2B payment server names and info
Internal PowerPoints showing VZ infrastructure, with server IPs, marked as “Verizon Wireless Confidential and Proprietary information”
Global router hosts
129 saved Outlook messages with access info and internal communications
Although no customers data are involved in this data leak, some scripts could be used by an attacker to elevate privileges within the internal systems and access them.

Some documents, marked as “confidential and proprietary materials,” include detailed information on the internal infrastructure, including server IP addresses and global router hosts.

It’s not clear why the confidential documents were exposed on a public server.

According to ZDNet, the unprotected Amazon S3 storage server was controlled by an employee that told ZDNet on the phone Thursday that the files were “not confidential,” he also added that Verizon was fully aware of the server’s existence.

This is the third incident suffered by Verizon in the last two years, in March 2016, hackers reportedly stole the records of 1.5 million customers in July 2017 which were offered for sale in the criminal underground, in July 2017 data belonging to 14 million U.S.-based Verizon customers have been exposed on an unprotected AWS Server by a partner of the telecommunications company.

A Verizon spokesperson confirmed that the company is “aware” of the incident.


Equifax Sent Breach Victims to Fake Website
21.9.2017 securityweek Cyber
Equifax has made another blunder following the massive data breach suffered by the company – it advised some customers on Twitter to access a fake support website set up by a security researcher.

Equifax staff advised breach victims on Twitter at least 8 times to access securityequifax2017.com instead of equifaxsecurity2017.com, the website created by the credit reporting agency following the hacker attack that affected as many as 143 million consumers in the U.S., 400,000 in the U.K. and 100,000 in Canada.

Securityequifax2017.com is a fake Equifax support website set up by Nick Sweeting to show how easily cybercriminals can impersonate such a domain. The researcher believes the company should have hosted its consumer notification website on equifax.com, instead of a domain that can be easily faked.

Shortly after Equifax announced that its systems were breached, security experts started warning consumers that they would likely be targeted in phishing attacks leveraging the incident. A list of possible phishing domains impersonating equifaxsecurity2017.com was published on Pastebin.

While it’s unclear how many phishing pages have been set up, the fact that Equifax itself directed breach victims to a fake website clearly demonstrates the risks associated with the company’s decision to set up this domain.

Equifax has removed the tweets referencing the fake support website. Sweeting said that his site, which did contain a form for entering data just like the legitimate Equifax site, did not actually store any information.

Equifax sends breach victims to fake phsihing site

This was not the only problem with equifaxsecurity2017.com. When it was launched, the site was riddled with flaws and some security services flagged it as a phishing website.

Following the data breach, researchers and cybersecurity firms started highlighting Equifax’s failings, including serious website vulnerabilities, the lack of basic protections on the company’s site, and employee credentials up for sale on the dark web.

The company also admitted that it had been aware of the Apache Struts 2 vulnerability that was used to breach its systems. The flaw had been exploited in the wild for two months before attackers leveraged it against Equifax.


AWS Bucket Leaks Viacom Critical Data
20.9.2017 securityweek Cyber
An Amazon Web Services S3 cloud storage bucket containing a great deal of Viacom internal access credentials and other critical data was left publicly accessible, UpGuard security researchers have discovered.

Viacom is an $18 billion multinational corporation that owns Paramount Pictures and various cable channels, including MTV, BET, Comedy Central, and Nickelodeon. According to the company, it has “the largest portfolio of ad-supported cable networks in the United States, in terms of audience share.”

Chris Vickery, UpGuard Director of Cyber Risk Research, was the one to discover the exposed Amazon Web Services (AWS) bucket. In it, he found seventy-two .tgz files representing irregular backups of technical data, created starting with June 2017 and containing a host of sensitive data.

The backups, which the security researcher determined to be incremental, were located at the subdomain “mcs-puppet.” MCS likely refers to Multiplatform Compute Services, the group that supports the infrastructure for hundreds of Viacom’s online properties, including MTV, Nickelodeon, Comedy Central, Paramount, and BET.

MCS appears to be currently in the process of migrating its infrastructure to AWS and getting ready to launch production workloads on containers (Amazon ECS), which explains the presence of said backup data on AWS.

After having a look at the exposed data, the security researcher determined that it included a master provisioning server running Puppet, left accessible to the public Internet, along with “the credentials needed to build and maintain Viacom servers across the media empire’s many subsidiaries and dozens of brands,” UpGuard’s Dan O'Sullivan notes in a blog post.

Viacom’s secret cloud keys were also exposed in the leak, which could have put the media company’s cloud-based servers in the hands of hackers. Thus, attackers could have been able to launch a variety of attacks while leveraging “the IT infrastructure of one of the world’s largest broadcast and media companies.”

UpGuard also explains that in addition to the passwords and manifests for Viacom’s servers, the access key and secret key for the corporation’s AWS account were also stored in the repository. Thus, an attacker accessing the bucket could have compromised Viacom’s servers, storage, and databases under the AWS account, leveraging the leaked data for phishing schemes or abusing Viacom’s IT systems for a botnet.

“Analysis reveals that a number of cloud instances used within Viacom’s IT toolchain, including Docker, New Relic, Splunk, and Jenkins, could’ve thus been compromised in this manner,” O'Sullivan says.

When decompressed, each of the seventy-two .tgz files in the bucket revealed a number of folders, such as “manifests,” “configs,” “keys,” and “modules,” along with various files that indicated the use of server provisioning and automation suite Puppet, which is frequently used by IT admins for configuration management.

The suite allows enterprises to easily create new servers and streamline operations at scale, and an admin using it would need to know all of the relevant credentials to have access to all required systems, and this type of access was leaked via said repository.

“Picture a skeleton key, opening not merely every door in a house, but every door that could be added to the house as well. This is the type of master access that was publicly exposed in the S3 bucket,” O'Sullivan explains.

Other data in the bucket included GPG decryption keys, as Viacom utilizes GPG encryption on many regular backups, thus allowing an attacker to decrypt data. Ruby scripts were also exposed in the leak, allowing malicious actors to know what applications are being run.

UpGuard discovered the exposed bucket on August 30 and alerted Viacom the next day. The multinational corporation closed the gap within hours.

“This incident highlights the potentially enormous cost such data leaks can evince upon even the largest and most sophisticated organizations. Exposed in this incident were nothing less than the master controls needed to harness the power of a digital media empire and turn it towards nefarious aims,” O'Sullivan points out.

We’ve contacted Viacom for a comment on this and will update the article as soon as a response arrives.


Viacom left the keys of its digital kingdom on a publicly exposed AWS S3 bucket
20.9.2017 securityaffairs Cyber

The security researcher Chris Vickery discovered that Media giant Viacom left sensitive data and secret access key on unsecured Amazon AWS S3 bucket.
Media giant Viacom left sensitive data and secret access key on unsecured Amazon AWS S3 bucket, a gift for hackers. Viacom controls Paramount Pictures, MTV, Comedy Central and Nickelodeon.

The huge trove of data store was discovered by the popular security researcher Chris Vickery, director of Cyber Risk Research at security shop UpGuard.

The Amazon AWS S3 bucket contained 72 compressed .tgz files in a folder labeled ‘MCS’ name which appears to be Viacom’s Multiplatform Compute Services division that operates IT systems for the firm.

The cloud storage exposed a gigabyte’s worth of credentials and configuration files for the backend of dozens of Viacom properties.

“While Viacom has not confirmed to UpGuard the purpose of this bucket, the contents of the repository appear to be nothing less than either the primary or backup configuration of Viacom’s IT infrastructure. The presence of this data in an S3 bucket bearing MCS’s name appears to further corroborate the Viacom group’s mission of moving its infrastructure onto Amazon Web Services’ cloud.” states Vichery.

The Amazon AWS S3 contained the passwords and manifests for Viacom’s servers, as well as the access key and private key for the corporation’s AWS account. Some of the data was encrypted using GPG, but the disconcerting news is that the bucket also contained the related decryption keys.

“While the exposure has since been closed, following UpGuard’s notification to Viacom, this incident highlights the potentially enormous cost such data leaks can evince upon even the largest and most sophisticated organizations. Exposed in this incident were nothing less than the master controls needed to harness the power of a digital media empire and turn it towards nefarious aims.” added Vickery.

“The leaked Viacom data is remarkably potent and of great significance, an important reminder that cloud leaks need not be large in disk size to be devastating; when it comes to data exposures, quality can be as vital as quantity,”


Vickery was disconcerting by its discovery and highlighted the risks faced by the organization.

“Perhaps most damaging among the exposed data are Viacom’s secret cloud keys, an exposure that, in the most damaging circumstances, could put the international media conglomerate’s cloud-based servers in the hands of hackers,” says Vickery.

“Analysis of the Viacom leak reveals nothing less than this: the keys to a media kingdom were left publicly accessible on the internet, completely compromising the integrity of Viacom’s digital infrastructure.”

Viacom sent the following statement to Vickery

“Once Viacom became aware that information on a server – including technical information, but no employee or customer information – was publicly accessible, we rectified the issue. We have analyzed the data in question and determined there was no material impact.”

The Viacom case is just the latest in order of time of Amazon S3 buckets found unsecured online.

Earlier September, researchers from cybersecurity company UpGuard have discovered thousands of files containing personal data on former US military, intelligence, and government workers have allegedly been exposed online for months.

On August, Vickery discovered more than 1.8 million voter records belonging to Americans have been accidentally leaked online by a US voting machine supplier for dozens of US states.

In June, Vickery discovered that a top defense contractor left tens of thousands sensitive Pentagon documents on Amazon Server Without any protection in places.

Chris Vickery discovered many other clamorous cases of open database exposed on the Internet. In July, he discovered data belonging to 14 million U.S.-based Verizon customers that have been exposed on an unprotected AWS Server by a partner of the telecommunications company. In December 2015, the security expert discovered U.S.-based Verizon customers that have been exposed on an unprotected AWS Server by a partner of the telecommunications company. In December 2015 the security expert discovered 191 million records belonging to US voters online, on April 2016 he also discovered a 132 GB MongoDB database open online and containing 93.4 million Mexican voter records.

In March 2016, Chris Vickery has discovered online the database of the Kinoptic iOS app, which was abandoned by developers, with details of over 198,000 users.

In January 2017, the expert discovered online an open Rsync server hosting the personal details for at least 200,000 IndyCar racing fans.

In March, he announced a 1.37 billion records data leak, in June 2017 Vickery revealed the DRA firm left 1.1 TB of data unsecured on an Amazon S3, 198 million US voter records exposed.


Equifax Breach Affects 100,000 Canadians
20.9.2017 securityweek Cyber
Equifax revealed on Tuesday that the recent data breach affects roughly 100,000 Canadian consumers, but the company’s systems in Canada were not compromised.

Equifax Canada said the company’s investigation is still ongoing, but it believes the incident affects approximately 100,000 Canadians. Similar to the United States, the exposed information includes names, addresses, social insurance numbers, and, in some cases, credit card numbers.

“Equifax Canada can confirm that Canadian systems are not affected. We have found no evidence of unauthorized activity on Equifax's core consumer or commercial credit reporting databases. Equifax Canada systems and platforms are entirely separated from those impacted by the Equifax Inc. cybersecurity incident widely reported in the U.S.,” the company said.

Impacted individuals will be notified via mail and they will be offered credit monitoring and identity theft protection services for one year at no charge.

Equifax said it notified MasterCard and Visa about the payment cards compromised in the breach. The company has also informed the Privacy Commissioner of Canada (OPC), the Commissioners in Alberta, British Columbia, and Quebec, and consumer reporting registrars in Ontario, Alberta and Saskatchewan.

While the number of individuals affected by the breach in Canada has only now come to light, some Canadian consumers launched a class action lawsuit within a week of disclosure. The initiators of the suit are seeking damages of $550 billion CAD ($450 billion US).

Equifax said cybercriminals had access to its U.S. systems between mid-May and late July after leveraging an Apache Struts 2 vulnerability that had been exploited in the wild since March.

The company said the breach affects roughly 143 million U.S. consumers and 400,000 customers in the United Kingdom. In the case of the U.K., the credit reporting agency revealed that the data was stored on U.S. systems between 2011 and 2016 due to a “process failure.” No such explanation has been provided by Equifax Canada.

Equifax stock has dropped from roughly $140 to just over $90 following the breach and experts believe it could plunge as low as $50. The incident has already cost the company nearly $10 billion in market value.

The company’s Chief Security Officer and Chief Information Officer retired after the hack came to light.

In the United States, the Federal Trade Commission (FTC), congressional committees, and the Attorneys General in 40 states have announced the launch of investigations into the Equifax breach.


EU to Launch Cybersecurity 'Safety Labels'
19.9.2017 securityweek Cyber
The European Union unveiled plans Tuesday to step up its response to cyber attacks, including a new intelligence-sharing agency, cyber war games and product safety labels.

The proposals by the European Commission, the executive arm of the 28-nation bloc, come amid growing concerns over election hacking by foreign states, ransomware attacks and other cybercrime like identity theft and bank fraud.

"Cyberattacks are becoming more frequent, imaginative and global," Andrus Ansip, the European Commission Vice President for the Digital Single Market, told a press conference. "The EU needs to respond to them 24/7."

Building on an existing agency based in Greece, the new EU Cybersecurity Agency would help countries deal with cyber threats. It would also organise yearly pan-European cybersecurity exercises and ensure better sharing of intelligence.

The agency would also help create EU-wide certificates -- much like labels that are currently used for food safey -- for trusted energy, transport and other networks, as well as new consumer devices, like connected cars.

"I want high cybersecurity standards to become the new competitive advantage of our companies," said Mariya Gabriel, commissioner for the digital economy and society.

The EU will also launch cyber defence training next year and work with Brussels-based NATO on the issue.

Meanwhile the commission also unveiled fresh steps towards creating what it calls a digital single market for data for the world's biggest free-trade bloc of around 500 million people and worth tens of billions of euros.

It proposed the free flow of non-personal data across the bloc, rather than have member states require firms to store and process data within their borders, unless there are public security reasons.

The new rules still have to be approved by EU states and the European Parliament.


Siemens, PAS Partner on Industrial Cybersecurity
19.9.2017 securityweek Cyber
Engineering giant Siemens and PAS, a company that specializes in cyber security solutions for industrial control systems (ICS), announced on Tuesday a new strategic partnership.

The goal of the partnership is to provide organizations the capabilities needed to identify and inventory assets, including distributed and legacy control systems, and provide visibility for detecting cyber threats and unauthorized engineering changes in multi-vendor environments.Siemens and PAS partnership

The solutions offered as a result of the partnership can be ideal for fleet-wide monitoring in the oil and gas sector, which is largely unprepared to address cybersecurity risks in operational technology (OT) environments.

Eddie Habibi, founder and CEO of PAS, pointed out that security personnel in energy and oil & gas facilities is in many cases “blind” to the configuration state of most of their cyber assets.

“Siemens chose to help address this gap with our Cyber Integrity software, which provides customers with the context they need to drive targeted security responses to incidents and ultimately to harden systems that were designed, built, and deployed before cybersecurity was a design consideration,” Habibi told SecurityWeek. “Siemens understands that any managed security service that is going to reduce risk in any meaningful way must include all critical vendor assets.”

Leo Simonovich, Vice President of Global Cyber Security at Siemens, noted that the company had previously partnered with Darktrace for network intrusion detection and it has now selected PAS for its ability to provide configuration visibility into proprietary industrial control systems.

“These are the systems that have direct responsibility for controlling volatile processes and ensuring safety in an industrial facility. Most companies lack sufficient visibility into these critical endpoints,” Simonovich said. “With PAS, we aim to lift that veil and raise the security posture of our customers through visibility into proprietary assets and deep analytics for indicators of compromise.”

Siemens’ products are available as standalone services or part of the company’s comprehensive managed security offering, depending on the customer’s needs and maturity. PAS also provides comprehensive security services, but the company’s integrity, inventory and configuration management solutions can be acquired separately by organizations that have their own security operations centers (SOCs).

“Chief Information Security Officers with whom we speak want to leverage existing investments to reduce security risk,” explained Habibi. “Where PAS has an install base, Siemens is a natural add-on service that helps CISO’s gain actionable intelligence on systems that frankly are the lifeblood of critical infrastructure industries. Likewise, existing Siemens customers who will have other vendor systems in place, will have the ability to bring these systems under one security monitoring umbrella. This is unprecedented.”


CyberGRX Partners With BitSight to Address Supply Chain Risks
18.9.2017 securityweek Cyber
Partnership Integrates BitSight’s Security Ratings Capabilities With CyberGRX Third-Party Cyber Risk Exchange

The iconic Target breach of 2013 brought attention to the threat from third-party suppliers -- the supply chain. Target was breached after its HVAC supplier, Fazio Mechanical Services, had itself been breached and had the credentials for accessing its customer stolen.

This threat has become more difficult and more complex as digital transformation has increased and cloud service providers have boomed. A single enterprise can now use several thousand different cloud services. According to Gartner research, a large enterprise's network of vendors, partners, contractors and customers all with access to the corporate network can easily run into the tens of thousands. Any one of these can potentially introduce an unseen risk.

Managing this risk manually is impossible to do effectively -- and several specialist companies have evolved to provide various degrees of automation. SecurityScorecard and BitSight are two companies that provide analyses of third-party vendors by analyzing their external face.

CyberGRX (GRX stands for global risk exchange) takes a different approach -- it provides a 'risk exchange' based on a storehouse of validated third party risk assessments. According to CEO Fred Kneip, the firm is the brainchild of Jay Leek -- then at Blackstone. "Jay was thinking about the inefficiencies of third party risk management across his portfolio. In an ad-hoc survey of his portfolio companies, he found that 90 of his 115 portfolio companies were using the exact same vendor. Fifty of those were doing a full blown assessment of that vendor every year."

CyberGRX is the result of that observation. Rather than do 50 risk assessments of one vendor, do one assessment and share it across fifty companies. Where CyberGRX differs from SecurityScorecard and BitSight is that its risk assessments are internal rather than external affairs -- the former looks at processes and controls in relation to vulnerabilities, while the latter looks at the third-party's internet face.

CyberGRX and BitSight have now recognized the potential synergy between the two approaches.

On Monday they announced a partnership. "BitSight is a leader of the security ratings market, and their ability to continuously rate the security performance of third parties from an outside-in perspective will strengthen the CyberGRX Exchange," said Kneip. "Combining their proven non-intrusive approach to evaluating risk and security performance with the inside-out view our platform provides is a powerful proposition for customers: a comprehensive, continuous, 360-degree view of third-party cyber risk exposure."

"Enterprises today require access to accurate, continuous and actionable information about third-party cyber risk," added Jacob Olcott, VP of strategic partnerships at BitSight. "CyberGRX helps to solve that problem for companies across the world, and our security ratings provide the unique, objective data that organizations need to scale their third-party risk programs and make more informed business decisions."

CISOs now have somewhere to go to rate the risk associated with their supply chain without having to spend hours every day pouring over vendor-supplied spreadsheets or questionnaires; or ignoring the risk altogether through lack of time and manpower.

BitSight has raised more than $90 million in funding to-date, including $40 million in Series C financing in September 2016. Headquartered in Cambridge, Massachusetts, it was founded in 2011.

CyberGRX closed a $20M Series B funding round in April 2017. Headquartered in Denver, Colorado, it was founded in July 2016.


U.S. Energy Department Invests $20 Million in Cybersecurity

13.9.2017 securityweek  Cyber
The United States Department of Energy announced on Tuesday its intention to invest up to $50 million in the research and development of tools and technologies that would make the country’s energy infrastructure more resilient and secure. Over $20 million of that amount has been allocated to projects focusing on cyber security.

The funding, awarded to various national laboratories, will be used to support early-stage research and development of next-generation tools and technologies that improve the resilience and security of critical energy infrastructure, including the power grid, and oil and natural gas infrastructure.

Nine national laboratories in California, Illinois, Idaho, Tennessee, Washington, Colorado and New Mexico have been selected for a total of 20 projects focusing on protecting energy infrastructure from cyber threats and improving information sharing.Energy Department invests in cyber security

Specifically, the Energy Department wants tools and technologies that enhance cybersecurity, communication systems for resilient grid architectures, energy delivery systems that can adapt to survive a cyber incident and ones that are verifiably trustworthy, partnerships for reducing risks via vulnerability mitigation, and identifying energy delivery systems that are inadvertently accessible from the Internet.

For example, the Idaho National Laboratory has been tasked with developing a technique that will help secure firmware on the embedded systems used by field devices, and the Los Alamos National Laboratory will work on designing a quantum secure communication operational network.

The Pacific Northwest National Laboratory has been assigned six projects, including one for developing blockchain cybersecurity technology for distributed energy resources at the edge of the grid.

“These technologies are expected to have broad applicability to the U.S. energy delivery sector by meeting the needs of the energy sector in a cost-effective manner with a clear path for acceptance by asset owners and operators,” said the Energy Department.

While the energy sector in the United States has not suffered damaging attacks such as the ones that hit Iran, Saudi Arabia and Ukraine, organizations in this sector and the Energy Department itself have fallen victim to cyberattacks.

The most recent report on such attacks is from security firm Symantec and it describes the activities of Russia-linked cyberspies that may have gained access to control systems housed by energy facilities.


Chinese Man Jailed For Selling VPNs that Bypass Great Firewall
7.9.2017 thehackernews Cyber

In an effort to continue its crackdown on VPNs, Chinese authorities have arrested a 26-year-old man for selling VPN software on the Internet.
China's Supreme Court has sentenced Deng Jiewei from Dongguan in Guangdong province, close to Hong Kong, to nine months in prison for selling virtual private network (VPN) software through his own small independent website.
VPN encrypts users' Internet traffic and routes it through a distant connection so that web surfers can hide their identities and location data while accessing websites that are usually restricted or censored by any country.
Chinese citizens usually make use of VPNs to bypass the Great Firewall of China, also known as the Golden Shield project, which employs a variety of tricks to censor the Internet in the country.
The project already blocked access to some 171 out of the world's 1,000 top websites, including Google, Facebook, Twitter, Tumblr, Dropbox, and The Pirate Bay in the country.
But to tighten grip over the Internet and online users, the Chinese government announced a 14-month-long crackdown on VPNs in the country at the beginning of this year, requiring VPN service providers to obtain prior government approval.
The move made most VPN vendors in the country of 730 million Internet users illegal, and has now resulted in the arrest of Deng, who was convicted of "providing software and tools for invading and illegally controlling the computer information system."
According to the court documents posted on the China's Supreme People's Court website, Deng has been selling two VPN services on his website since October 2015, and was first detained in August last year.
Deng along with his partner Jiang Moufeng made nearly 14,000 Chinese yuan (just US$2,138) selling the VPN software, which allowed users to "visit foreign websites that could not be accessed by a mainland IP address."
Deng has been found guilty of intrusions and "illegal control of computer information system procedures," and has been sentenced to nine months imprisonment and fined 5,000 Chinese yuan.
Deng was actually sentenced in March this year, but the online court documents were circulated on a Chinese blog tracking social media trends in China, called What's on Weibo, only on Sunday.
We reported in July that Apple also removed some of the popular VPN apps, including ExpressVPN and Star VPN, from its official Chinese app store in order to comply with the government crackdown that will remain in place until March 31, 2018.


FDA recalls 465,000 pacemakers open to cyber attack
1.9.2017 securityaffairs Cyber

The United States Federal Drug Administration (FDA) is recalling 465,000 pacemakers that could be hacked by attackers.
The Food and Drug Administration (FDA) is recalling roughly half a million pacemakers because they are vulnerable to hacking, million people in the United States urge to get their pacemakers updated.

In May, researchers from security firm White Scope analyzed seven pacemaker models commercialized by four different manufacturers and discovered that medical devices could be hacked with “commercially available” equipment that goes between $15 to $3,000.

The FDA has recalled 465,000 pacemakers after discovering security vulnerabilities that could be exploited by hackers to reprogram the medical devices to run the batteries down or in a terrifying hacking scenario to modify the patient’s heartbeat.

The good news is that there are no reports of hacked pacemakers yet.

The affected devices belong to six types of pacemakers manufactured by firm Abbott, they include the Accent, Anthem, Accent MRI, Accent ST, Assurity, and Allure.

In the U.S., an updated version of the firmware is available for Accent SR RF, Accent MRI, Assurity, Assurity MRI, Accent DR RF, Anthem RF, Allure RF, Allure Quadra RF, and Quadra Allure MP RF.

Pacemakers installed abroad includes Accent SR RF, Accent ST, Accent MRI, Accent ST MRI, Assurity, Assurity +, Assurity MRI, Accent DR RF, Anthem RF, Allure RF, Allure Quadra RF, Quadra Allure MP RF, Quadra Allure, and Quadra Allure MP.

The companies developed a firmware update that force authentication the to connect the devices.

The devices were manufactured before August 28th.

“Many medical devices—including St. Jude Medical’s implantable cardiac pacemakers—contain configurable embedded computer systems that can be vulnerable to cybersecurity intrusions and exploits,” reads the FDA security advisory.

“As medical devices become increasingly interconnected via the Internet, hospital networks, other medical devices, and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect how a medical device operates.”

pacemakers
Fortunately, the firmware running on the affected pacemakers could be updated without removing them from the patients.

Patients have to go to their healthcare provider to receive a firmware update, an operation that is very simple that would take just 3 minutes.
The update also includes further operating system fixes, encryption, operating system fixes, and also the ability to disable network connectivity features.

“The new pacemaker firmware update is part of Abbott’s planned enhancements that began with updates announced in January 2017 to the Merlin@home™ v8.2.2 software. The new updates provide an additional layer of security against unauthorized access to these devices.” reads the Abbott’s press release.

“The update contains a software release that includes data encryption, operating system patches, and the ability to disable network connectively features, in addition to the firmware update.”

“Every pacemaker manufactured beginning Aug. 28, 2017, will have this update pre-loaded in the device and those devices will not need to be updated.”


Tor relay of a Brazilian University was banned after harvesting .onions
28.8.2017 securityaffairs Cyber

The Tor relay of a Brazilian University was banned by the Tor administrators because it was spotted collecting the .onion addresses of visitors.
A team of researchers from a Brazilian University of Campinas in São Paulo, Brazil, has had its Tor relay node banned because it was spotted collecting the .onion addresses of visitors.

Marcus Rodrigues, a junior researcher with the Brazilian University, explained he and his colleagues were working to develop a tool that could identify malicious hidden services.

According to the Tor administrators, the activity conducted by the researchers is a violation of the Tor Project’s ethical guidelines and triggered the banning of the node.

Below the description published by the researchers in a Tor mailing list post:

“My relay was harvesting .onion addresses and I apologize if that breaks any rule or ethical guideline.
We were conducting some research on malicious Hidden Services to study their behavior and how we could design a tool that could tell malicious and benign Hidden Services apart.

Because we focus mainly on web pages, we use a crawler to get almost all of the data we need. However, there are some statistics (such as the size of the Tor network, how many HSs run HTTP(s) protocol, how many run other protocols and which protocols do they run, etc) which cannot be obtained through a crawler. That’s why we were harvesting .onion addresses.

We would run a simple portscan and download the index page, in case it was running a web server, on a few random addresses we collected. We would also try and determine the average longevity of those few HSs. However, after collecting the data we needed for statistical purposes, the .onion addresses we collected would be deleted and under no circumstances we would disclose the information we collected on a specific .onion address we harvested. In addition, we would never target specific harvested HS, but only a random sample.”

They decided to collect .onion addresses and fetch their content to classify the hidden service.

“My research in particular is about malicious hidden services. I’m developing a method to automatically categorize a malicious hidden service by its content (eg, drug traffic website, malware propagation),” Rodrigues told The Register.

“We would then publish an academic paper containing up-to-date statistics regarding what kind of malicious websites there are on the dark web. We were also going to develop a platform on which the user could verify if a certain .onion website is trustworthy or malicious before entering it.”

The team set up a Tor relay to collect specific data about the hidden services. Rodrigues clarified that data collected could not be used to unmask TOR users or locate a specific server running the hidden service.

“That would provide information about the Hidden Services running at the time, such as their .onion addresses, their popularity and some technical data – none of which would allow me to deanonymize or harm the hidden service in any way,” he explained.

Rodrigues was unable to restore its Tor relay online, he explained that the research will go on in any case, with different techniques.

“I can use other methods to discover the Hidden Services,” he explains, “but none is as informative or as efficient.”


ShadowPad in corporate networks
17.8.2017 Kasprsky Cyber
ShadowPad, part 2: Technical Details (PDF)

In July 2017, during an investigation, suspicious DNS requests were identified in a partner’s network. The partner, which is a financial institution, discovered the requests originating on systems involved in the processing of financial transactions.

Further investigation showed that the source of the suspicious DNS queries was a software package produced by NetSarang. Founded in 1997, NetSarang Computer, Inc. develops, markets and supports secure connectivity solutions and specializes in the development of server management tools for large corporate networks. The company maintains headquarters in the United States and South Korea.

NetSarang website
Our analysis showed that recent versions of software produced and distributed by NetSarang had been surreptitiously modified to include an encrypted payload that could be remotely activated by a knowledgeable attacker.

The backdoor was embedded into one of the code libraries used by the software (nssock2.dll):

Backdoored dll in a list of loaded modules of Xshell5 sofware

Disposition of the NSSOCK2.DLL binary with embedded malicious code
The attackers hid their malicious intent in several layers of encrypted code. The tiered architecture prevents the actual business logics of the backdoor from being activated until a special packet is received from the first tier command and control (C&C) server (“activation C&C server”). Until then, it only transfers basic information, including the computer, domain and user names, every 8 hours.

Activation of the payload would be triggered via a specially crafted DNS TXT record for a specific domain. The domain name is generated based on the current month and year values, e.g. for August 2017 the domain name used would be “nylalobghyhirgh.com”.

DNS queries to C&C from backdoored nssock2.dll

Only when triggered by the first layer of C&C servers does the backdoor activate its second stage
The module performs a quick exchange with the controlling DNS server and provides basic target information (domain and user name, system date, network configuration) to the server. The C&C DNS server in return sends back the decryption key for the next stage of the code, effectively activating the backdoor. The data exchanged between the module and the C&C is encrypted with a proprietary algorithm and then encoded as readable latin characters. Each packet also contains an encrypted “magic” DWORD value “52 4F 4F 44” (‘DOOR’ if read as a little-endian value).

Our analysis indicates the embedded code acts as a modular backdoor platform. It can download and execute arbitrary code provided from the C&C server, as well as maintain a virtual file system (VFS) inside the registry. The VFS, and any additional files created by the code, are encrypted and stored in a location unique to each victim. The remote access capability includes a domain generation algorithm (DGA) for C&C servers which changes every month. The attackers behind this malware have already registered the domains covering July to December 2017, which indirectly confirms alleged start date of the attack as around mid July 2017.

Currently, we can confirm activated payload in a company in Hong Kong. Given that the NetSarang programs are used in hundreds of critical networks around the world, on servers and workstations belonging to system administrators, it is strongly recommended that companies take immediate action to identify and contain the compromised software.

Kaspersky Lab products detect and protect against the backdoored files as “Backdoor.Win32.ShadowPad.a”.

We informed NetSarang of the compromise and they immediately responded by pulling down the compromised software suite and replacing it with a previous clean version. The company has also published a message acknowledging our findings and warning their customers.

ShadowPad is an example of the dangers posed by a successful supply-chain attack. Given the opportunities for covert data collection, attackers are likely to pursue this type of attack again and again with other widely used software components. Luckily, NetSarang was fast to react to our notification and released a clean software update, most likely preventing hundreds of data-stealing attacks against their clients. This case is an example of the value of threat research as a means to secure the wider internet ecosystem. No single entity is in a position to defend all of the links in an institution’s software and hardware supply-chain. With successful and open cooperation, we can help weed out the attackers in our midst and protect the internet for all users, not just our own.

For more information please contact: intelreports@kaspersky.com

Frequently Asked Questions

What does the code do if activated?

If the backdoor were activated, the attacker would be able to upload files, create processes, and store information in a VFS contained within the victim’s registry. The VFS and any additional files created by the code are encrypted and stored in locations unique to each victim.

Which software packages were affected?

We have confirmed the presence of the malicious file (nssock2.dll) in the following packages previously available on the NetSarang site:

Xmanager Enterprise 5 Build 1232
Xme5.exe, Jul 17 2017, 55.08 MB
MD5: 0009f4b9972660eeb23ff3a9dccd8d86
SHA1: 12180ff028c1c38d99e8375dd6d01f47f6711b97

Xmanager 5 Build 1045
Xmgr5.exe, Jul 17 2017, 46.2 MB
MD5: b69ab19614ef15aa75baf26c869c9cdd
SHA1: 35c9dae68c129ebb7e7f65511b3a804ddbe4cf1d

Xshell 5 Build 1322
Xshell5.exe, Jul 17 2017, 31.58 MB
MD5: b2c302537ce8fbbcff0d45968cc0a826
SHA1: 7cf07efe04fe0012ed8beaa2dec5420a9b5561d6

Xftp 5 Build 1218
Xftp5.exe, Jul 17 2017, 30.7 MB
MD5: 78321ad1deefce193c8172ec982ddad1
SHA1: 08a67be4a4c5629ac3d12f0fdd1efc20aa4bdb2b

Xlpd 5 Build 1220
Xlpd5.exe, Jul 17 2017, 30.22 MB
MD5: 28228f337fdbe3ab34316a7132123c49
SHA1: 3d69fdd4e29ad65799be33ae812fe278b2b2dabe

Is NetSarang aware of this situation?

Yes, we contacted the vendor and received a swift response. Shortly after notification by Kaspersky Lab all malicious files were removed from NetSarang website.

How did you find the software was backdoored?

During an investigation, suspicious DNS requests were identified on a partner’s network. The partner, which is a financial institution, detected these requests on systems related to the processing of financial transactions. Our analysis showed that the source of these suspicious requests was a software package produced by NetSarang.

When did the malicious code first appear in the software?

A fragment of code was added in nssock2.dll (MD5: 97363d50a279492fda14cbab53429e75), compiled Thu Jul 13 01:23:01 2017. The file is signed with a legitimate NetSarang certificate (Serial number: 53 0C E1 4C 81 F3 62 10 A1 68 2A FF 17 9E 25 80). This code is not present in the nssock2.dll from March (MD5: ef0af7231360967c08efbdd2a94f9808) included with the NetSarang installation kits from April.

How do I detect if code is present on a system?

All Kaspersky Labs products detect and cure this threat as Backdoor.Win32.Shadowpad.a. If for some reason you can’t use an antimalware solution you can check if there were DNS requests from your organization to these domains:

ribotqtonut[.]com
nylalobghyhirgh[.]com
jkvmdmjyfcvkf[.]com
bafyvoruzgjitwr[.]com
xmponmzmxkxkh[.]com
tczafklirkl[.]com
notped[.]com
dnsgogle[.]com
operatingbox[.]com
paniesx[.]com
techniciantext[.]com
How do I clean any affected systems?

All Kaspersky Lab products successfully detect and disinfect the affected files as “Backdoor.Win32.Shadowpad.a” and actively protect against the threat.

If you do not have a Kaspersky product installed, then:

Update to the latest version of the NetSarang package.
Block DNS queries to the C2 domains listed in Appendix A.
What kind of companies/organizations/ are targeted by the attackers?

Based on the vendor profile, the attackers could be after a broad set of companies who rely on NetSarang software, which includes banking and financial industry, software and media, energy and utilities, computers and electronics, insurance, industrial and construction, manufacturing, pharmaceuticals, retail, telecommunications, transportation and logistics and other industries.

Who is behind this attack?

Attribution is hard and the attackers were very careful to not leave obvious traces. However certain techniques were known to be used in another malware like PlugX and Winnti, which were allegedly developed by Chinese-speaking actors.

How did the attackers manage to get access to create trojanized updates. Does that mean that NetSarang was hacked?

An investigation is in progress, but since code was signed and added to all software packages it could point to the fact that attackers either modified source codes or patched software on the build servers.

Appendix A – Indicators of Compromise

At this time, we have confirmed the presence of the malicious “nssock2.dll” in the following packages downloaded from the NetSarang site:

Xmanager Enterprise 5 Build 1232
Xme5.exe, Jul 17 2017, 55.08 MB
MD5: 0009f4b9972660eeb23ff3a9dccd8d86
SHA1: 12180ff028c1c38d99e8375dd6d01f47f6711b97

Xmanager 5 Build 1045
Xmgr5.exe, Jul 17 2017, 46.2 MB
MD5: b69ab19614ef15aa75baf26c869c9cdd
SHA1: 35c9dae68c129ebb7e7f65511b3a804ddbe4cf1d

Xshell 5 Build 1322
Xshell5.exe, Jul 17 2017, 31.58 MB
MD5: b2c302537ce8fbbcff0d45968cc0a826
SHA1: 7cf07efe04fe0012ed8beaa2dec5420a9b5561d6

Xftp 5 Build 1218
Xftp5.exe, Jul 17 2017, 30.7 MB
MD5: 78321ad1deefce193c8172ec982ddad1
SHA1: 08a67be4a4c5629ac3d12f0fdd1efc20aa4bdb2b

Xlpd 5 Build 1220
Xlpd5.exe, Jul 17 2017, 30.22 MB
MD5: 28228f337fdbe3ab34316a7132123c49
SHA1: 3d69fdd4e29ad65799be33ae812fe278b2b2dabe

Domains:

ribotqtonut[.]com
nylalobghyhirgh[.]com
jkvmdmjyfcvkf[.]com
bafyvoruzgjitwr[.]com
xmponmzmxkxkh[.]com
tczafklirkl[.]com
notped[.]com
dnsgogle[.]com
operatingbox[.]com
paniesx[.]com
techniciantext[.]com

DLL with the encrypted payload:

97363d50a279492fda14cbab53429e75

NetSarang packages which contain the DLL with the encrypted payload (same as above, just the list of MD5 sums):

0009f4b9972660eeb23ff3a9dccd8d86
b69ab19614ef15aa75baf26c869c9cdd
b2c302537ce8fbbcff0d45968cc0a826
78321ad1deefce193c8172ec982ddad1
28228f337fdbe3ab34316a7132123c49

File names:

nssock2.dll


Kenya opposition claims election results manipulated in cyber attack
14.8.2017 securityaffairs Cyber

Kenya opposition claims hackers have manipulated the results of the recent election by breaking into the database of Kenya’s electoral commission.
According to Kenya opposition, led by Raila Odinga, hackers have manipulated the results of the recent election by breaking into the database of Kenya’s electoral commission.

The President Uhuru Kenyatta was re-elected and èrotests and violence broke out almost immediately.

“At least 24 people, including a 9-year-old girl, have been killed in Kenya in the violence that erupted after the re-election of President Uhuru Kenyatta, according to the Kenya National Commission on Human Rights.” reported the CNN.
“Specifically, these cases indicate that the casualties were felled by bullets and the same has been corroborated by family and community members who have indicated that they were killed during the protests which broke out in various parts of the country,” the independent rights group said in a statement. Of those death, 17 were killed in the capital Nairobi, the group said.
Odinga kenya opposition.
Raila Odinga claims hackers have used the credential of a murdered employee of the electoral commission (IEBC), Chris Msando, to hack into an electronic voting system and manipulate the votes.

Msando was a top IT official at the IEBC that was tortured and killed in late July.

The politician supported his accusation by releasing an alleged log from an IEBC server that confirms it was altered to increase Kenyatta’s totals by 11 percent and hide the manipulation.

“These results are fake, it is a sham. They cannot be credible,” Odinga told journalists.

“This is an attack on our democracy. The 2017 general election was a fraud.”

He later released what he claimed was a log from an IEBC server to support his allegations that the server was configured to increase Kenyatta’s totals by 11 percent and cover up the modifications.

At the time I was writing the log was not yet verified by any independent researcher.

The electoral commission (IEBC) results showed Kenyatta obtaining 54.4 percent of the nearly 13 million ballots tallied, against Odinga’s 44.7 percent.

Odinga refused the result of the election and claims Kenyatta’s skullduggery, according to the politicians the hackers manipulated the results for both the presidential and the general election.

“The electoral fraud and fabrication of results was massive,” Odinga said. “It has always been common knowledge that Uhuru Kenyatta’s regime was a fraud. This takes Mr Kenyatta and [deputy president] William Ruto’s fraud … to another level.”

Odinga did not reveal the source of his information to protect it.

Odinga is inviting his supporters to “remain calm as we look deep into this matter,”


Steganography in contemporary cyberattacks
13.8.2017 Kaspersky Cyber

Steganography is the practice of sending data in a concealed format so the very fact of sending the data is disguised. The word steganography is a combination of the Greek words στεγανός (steganos), meaning “covered, concealed, or protected”, and γράφειν (graphein) meaning “writing”.

Unlike cryptography, which conceals the contents of a secret message, steganography conceals the very fact that a message is communicated. The concept of steganography was first introduced in 1499, but the idea itself has existed since ancient times. There are stories of a method being used in the Roman Empire whereby a slave chosen to convey a secret message had his scalp shaved clean and a message was tattooed onto the skin. When the messenger’s hair grew back, he was dispatched on his mission. The receiver shaved the messenger’s scalp again and read the message.

In this article, the following definitions are used:
Payload: the information to be concealed and sent secretly, or the data covertly communicated;
Carrier (stego-container): any object where the payload is secretly embedded;
Stego-system: the methods and means used to create a concealed channel for communicating information;
Channel: the data communication channel via which the carrier is transferred;
Key: the key used to extract the payload from the carrier (not always applied).
Steganography was actively developed throughout the 20th century, as was steganalysis, or the practice of determining the fact that concealed information is being communicated within a carrier. (Basically, steganalysis is the practice of attacking stego-systems.) Today, however, a dangerous new trend is emerging: steganography is increasingly being used by actors creating malware and cyber-espionage tools. Most modern anti-malware solutions provide little, if any, protection from steganography, while any carrier in which a payload can be secretly carried poses a potential threat. It may contain data being exfiltrated by spyware, communication between a malicious program and its C&C, or new malware.

A variety of steganographic methods and algorithms have been scientifically developed and tested. A description of some of them is provided below.
In LSB steganography, the payload is encoded into and communicated in one or several least significant bits of the carrier. The smaller the number of bits used to carry the payload, the lower the impact on the original carrier signal.
Discrete cosine transform or DCT-based steganography is a sub-type of LSB steganography that is often applied on JPEG-format carriers (i.e., when JPEG images are used to carry the payload). In this method, the communicated data is secretly encoded into the DCT coefficients. With all other factors being equal, this method provides a somewhat lower data carrying capacity; one of the reasons for this is that the coefficient values of 0 and 1 cannot be altered, so no data can be encoded whenever the coefficients take on these values.
Palette-based image steganography is basically another sub-type of LSB steganography, in which the communicated data is encoded into least significant bits of the image palette rather than into those of the carrier. The obvious downside to this method is its low data carrying capacity.
Use of service fields in data formats. This is a relatively simple method, in which the payload is embedded into the service fields of the carrier’s headers. The downsides are, again, a low data carrying capacity and low payload protection: the embedded payload may be detected using regular image viewing software that can sometimes display the contents of the service fields.
Payload embedding is a method whereby the payload is encoded into the carrier and, upon delivery, is decoded using an algorithm known to both parties. Several payloads can be independently encoded into the same carrier provided that their embedding methods are orthogonal.
Wideband methods fall into the following types:
Pseudorandom sequence method, in which a secret carrier signal is modulated by a pseudorandom signal.
Frequency hopping method, in which the frequency of the carrier signal changes according to a specific pseudorandom law.
Overlay method – strictly speaking, this is not proper steganography, and is based on the fact that some data formats contain data size in a header, or the fact that the handler of such formats reads the file till it reaches the end-of-data marker. An example is the well-known RAR/JPEG method based on concatenating an image file, so that it is composed of a JPEG format section, followed by a RAR archive section. A JPEG viewer software program will read it till the boundary specified in the file’s header, while a RAR archiver tool will disregard everything prior to the RAR! signature that denotes the beginning of an archive. Therefore, if such a file is opened in an image file viewer, it will display the image, and if it is opened in a RAR archiver, it will display the contents of the RAR archive. The downside to this method is that the overlay added to the carrier segment can be easily identified by an analyst visually reviewing the file.
In this article, we will only review methods of concealing information in image-type carriers and in network communication. The application of steganography is, however, much wider than these two areas.

Recently, we have seen steganography used in the following malware programs and cyberespionage tools:
Microcin (AKA six little monkeys);
NetTraveler;
Zberp;
Enfal (its new loader called Zero.T);
Shamoon;
KinS;
ZeusVM;
Triton (Fibbit).
So why are malware authors increasingly using steganography in their creations? We see three main reasons for this:
It helps them conceal not just the data itself but the fact that data is being uploaded and downloaded;
It helps bypass DPI systems, which is relevant for corporate systems;
Use of steganography may help bypass security checks by anti-APT products, as the latter cannot process all image files (corporate networks contain too many of them, and the analysis algorithms are rather expensive).
For the end user, detecting a payload within a carrier may be a non-trivial task. As an example, let’s review the two images below. One is an empty carrier, and the other is a carrier with a payload. We will use the standard test image Lenna.

Both images are 786 486 bytes; however, the right-hand image contains the first 10 chapters of Nabokov’s novel Lolita.

Take a good look at these two images. Can you see any difference? They are identical in both size and appearance. However, one of them is a carrier containing an embedded message.

The problems are obvious:
Steganography is now very popular with malware and spyware writers;
Anti-malware tools generally, and perimeter security tools specifically, can do very little with payload-filled carriers. Such carriers are very difficult to detect, as they look like regular image files (or other types of files);
All steganography detection programs today are essentially proof-of-concept, and their logic cannot be implemented in commercial security tools because they are slow, have fairly low detection rates, and sometimes even contain errors in the math (we have seen some instances where this was the case).
A list was provided above (though it does not claim to be complete) of malicious programs that use steganography to conceal their communication. Let’s review one specific case from that list, the malicious loader Zero.T.

We detected this loader in late 2016, though our colleagues from Proofpoint were first to publish a description.

We named it Zero.T because of this string in its executable code (in the path leading to the project’s PBD file):

We will not dwell here on how the malicious loader penetrates the victim system and remains there, but will note that it loads a payload in the form of Bitmap files:

Then it processes them in a particular way to obtain malicious modules:

On the face of it, these three BMP files appear to be images:
However, they are more than just regular images; they are payload-filled carriers. In each of them, several (the algorithm allows for variability) least significant bits are replaced by the payload.

So, is there a way to determine whether an image is carrying a malicious payload or not? Yes, there are several ways of doing so, the simplest being a visual attack. It is based on forming new images from the source image, containing the least significant bits of different color planes.

Let’s see how this works using the Steve Jobs photo as a sample image.

We apply a visual attack to this image and construct new images from the separate significant bits in the appropriate order:
In the second and the third images, high entropy (high data density) areas are apparent – these contain the embedded payload.

Sounds simple, right? Yes and no. It’s simple in that an analyst – and even an average user – can easily see the embedded data; it’s difficult in that this sort of analysis is not easy to automate. Fortunately, scientists have long since developed a number of methods for detecting carriers with payloads, based on an image’s statistical characteristics. However, all of them are based on the assumption that the encoded payload has high entropy. This is true in most cases: since the container’s capacity is limited, the payload is compressed and/or encrypted before encoding, thus increasing its entropy.

However, our real-life example, the malicious loader Zero.T, does not compress its malicious modules before encoding. Instead, it increases the number of least significant bits it uses, which can be 1, 2 or 4. Yes, using a larger number of least significant bits introduces visual artefacts into the carrier image, which a regular user can detect visually. But we are talking about automatic analysis. So, the question we have to answer is: are statistical methods suitable for detecting embedded payloads with low levels of entropy?

Statistical methods of analysis: histogram method

This method was suggested in 2000 by Andreas Westfeld and Andreas Pfitzmann, and is also known as the chi-squared method. Below we give a brief overview.

The entire image raster is analyzed. For each color, the number of dots possessing that color is counted within the raster. (For simplicity, we are dealing with an image with one color plane.) This method assumes that the number of pixels possessing two adjacent colors (i.e. colors different only by one least significant bit) differs substantially for a regular image that does not contain an embedded payload (see Figure A below). For a carrier image with a payload, the number of pixels possessing these colors is similar (see Figure B).

Figure A. An empty carrier Figure B. A filled carrier.
The above is an easy way to visually represent this algorithm.

Strictly speaking, the algorithm consists of the following steps that must be executed sequentially:
The expected occurrence frequency for the pixels of color i in a payload-embedded image is calculated as follows:
The measured frequency of the occurrence of a pixel of specific color is determined as:
The chi-squared criterion for k-1 degrees of freedom is calculated as:
P is the probability that the distributions ni and ni* are equal under these conditions. It is calculated by integrating the density function:
Naturally, we have tested whether this method is suitable for detecting filled stego-containers. Here are the results.

Original image Visual attack image Chi-squared attack, 10 zones
The threshold values of the chi-squared distribution for p=0.95 and p=0.99 are 101.9705929 and 92.88655838 respectively. Thus, for the zones where the calculated chi-squared values are lower than the threshold, we can accept the original hypothesis “adjacent colors have similar frequency distributions, therefore we are dealing with a carrier image with a payload”.

Indeed, if we look at the visual attack images, we can clearly see that these zones contain an embedded payload. Thus, this method works for high-entropy payloads.

Statistical methods of analysis: RS method

Another statistical method of detecting payload carriers was suggested by Jessica Fridrich, Miroslav Goljan and Andreas Pfitzmann in 2001. It is called the RS method, where RS stands for ‘regular/singular’.

The analyzed image is divided into a set of pixel groups. A special flipping procedure is then applied for each group. Based on the values of the discriminant function before and after the flipping procedure is applied, all groups are divided into regular, singular and unusable groups.

This algorithm is based on the assumption that the number of regular and singular pixel groups must be approximately equal in the original image and in the image after flipping is applied. If the numbers of these groups change appreciably after flipping is applied, this indicates that the analyzed image is a carrier with a payload.

The algorithm consists of the following steps:
The original image is divided into groups of n pixels (x1, …, xn).
The so-called discriminant function is defined which assigns to each group of pixels G = (x1, …, xn) a real number f(x1, …, xn) ∈
The discriminant function for the groups of pixels (x1, …, xn) can be defined as follows:
Then we define the flipping function which has the following properties:
Depending on the discriminant function’s values prior to and after flipping is applied, all groups of pixels are divided into regular, singular and unusable groups:

We have put this method to the test as well, and obtained the following results. We used the same empty and payload-embedded carriers as in the previous test.

Original image Visual attack image Chi-squared attack, 10 zones
Note that this attack method does not pass the binary verdict in terms of “whether this specific carrier contains an embedded payload or not”; rather, it determines the approximate length of the embedded payload (as a percentage).

As can be seen from the results above, this method returned a verdict for the empty message that it was filled less than 1% with payload, and for the payload-embedded carrier it returned a verdict that it was about 44% filled. Obviously, these results are slightly off. Let’s look at the filled container: from the visual attack it follows that more than 50% of the container is filled, while the RS attack tells us that 44% of the container is filled. Therefore, we can apply this method if we establish a certain “trigger threshold”: our experiments showed that 10% is a sufficient threshold of reliability. If the RS attack claims that more than 10% of the container is full, you can trust this verdict and mark the container as full.

Now it’s time to test these two methods in real-world conditions, on the Zero.T carriers in which the payload has regular entropy.

We ran the appropriate tests and here are the results:

Original image Chi-squared attack RS attack
As we see, a chi-squared attack is not applicable on low entropy images – it yields unsatisfactory or inaccurate results. However, the RS attack worked well: in both cases, it detected a hidden payload in the image. However, what do we do if automatic analysis methods show there is no payload, but we still suspect there might be one?

In that case, we can apply specific procedures that have been developed for specific malware families to extract the payload. For the aforementioned Zero.T loader, we have written our own embedded payload extraction tool. Its operation can be schematically presented as follows.

Obviously, if we get a valid result (in this specific case, an executable file), then the source image has an embedded payload in it.

Is DNS tunneling also steganography?

Can we consider use of a DNS tunnel a subtype of steganography? Yes, definitely. For starters, let’s recap on how a DNS tunnel works.

From a user computer in a closed network, a request is sent to resolve a domain, for example the domain wL8nd3DdINcGYAAj7Hh0H56a8nd3DdINcGYAlFDHBurWzMt[.]imbadguy[.]com to an IP address. (In this URL, the second-level domain name is not meaningful.) The local DNS server forwards this request to an external DNS server. The latter, in turn, does not know the third-level domain name, so it passes this request forward. Thus, this DNS request follows a chain of redirections from one DNS server to another, and reaches the DNS server of the domain imbadguy[.]com

Instead of resolving a DNS request at the DNS server, threat actors can extract the information they require from the received domain name by decoding its first part. For example, information about the user’s system can be transmitted in this way. In response, a threat actor’s DNS server also sends some information in a decoded format, putting it into the third- or higher-level domain name.

This means the attacker has 255 characters in reserve for each DNS resolution, up to 63 characters for subdomains. 63 characters’ worth of data is sent in each DNS request, and 63 characters are sent back in response, and so on. This makes it a decent data communications channel! Most importantly, it is concealed communication, as an unaided eye cannot see that any extra data is being communicated.

To specialists who are familiar with network protocols and, in particular, with DNS tunneling, a traffic dump containing this sort of communication will look quite suspicious – it will contain too many long domains that get successfully resolved. In this specific case, we are looking at the real-life example of traffic generated by the Trojan Backdoor.Win32.Denis, which uses a DNS tunnel as a concealed channel to communicate with its C&C.

A DNS tunnel can be detected with the help of any popular intrusion detection (IDS) tool such as Snort, Suiricata or BRO IDS. This can be done using various methods. For example, one obvious idea is to use the fact that domain names sent for DNS resolution are much longer than usual during tunneling. There are quite a few variations on this theme on the Internet:

alert udp any any -> any 53 (msg:”Large DNS Query, possible cover channel”; content:”|01 00 00 01 00 00 00 00 00 00|”; depth:10; offset:2; dsize:>40; sid:1235467;)

There is also this rather primitive approach:

Alert udp $HOME_NET and -> any 53 (msg: “Large DNS Query”; dsize: >100; sid:1234567;)

There is plenty of room for experimenting here, trying to find a balance between the number of false positives and detecting instances of actual DNS tunneling.

Apart from suspiciously long domain names, what other factors may be useful? Well, anomalous syntax of domain names is another factor. All of us have some idea of what typical domain names look like – they usually contain letters and numbers. But if a domain name contains Base64 characters, it will look pretty suspicious, won’t it? If this sort of domain name is also quite long, then it is clearly worth a closer look.

Many more such anomalies can be described. Regular expressions are of great help in detecting them.

We would like to note that even such a basic approach to detecting DNS tunnels works very well. We applied several of these rules for intrusion detection to the stream of malware samples sent to Kaspersky Lab for analysis, and detected several new, previously unknown backdoors that used DNS tunnels as a covert channel for C&C communication.

Conclusions

We are seeing a strong upward trend in malware developers using steganography for different purposes, including for concealing C&C communication and for downloading malicious modules. This is an effective approach considering payload detection tools are probabilistic and expensive, meaning most security solutions cannot afford to process all the objects that may contain steganography payloads.

However, effective solutions do exist – they are based on combinations of different methods of analysis, prompt pre-detections, analysis of meta-data of the potential payload carrier, etc. Today, such solutions are implemented in Kaspersky Lab’s Anti-Targeted Attack solution (KATA). With KATA deployed, an information security officer can promptly find out about a possible targeted attack on the protected perimeter and/or the fact that data is being exfiltrated.