Crypto-Mining Is the Next Ransomware
Fri, 19 Jan 2018 05:28:48 -0600

Hackers are opportunistic creatures. As device manufacturers continue to add more CPU cores and gigabytes of RAM to smartphones and tablets as well as enterprise-grade cloud servers, these devices will continue to be increasingly useful targets for botnets. What’s more, hackers will seek device vulnerabilities or exploit mobile applications and devices when a network is not secure.

Ransomware took the dark web by storm by creating such an easy way to monetize these vulnerabilities. As a side-effect, the cryptocurrency market exploded from the increased attention. Cryptocurrency mining—the process of confirming Bitcoin transactions and generating new units of digital currency—is perfectly legal. Developers are looking for ways to make money in a competitive mobile app market, and mining bitcoin via these apps has become an inviting venture. However, this method of monetization becomes a legal and ethical dilemma once users are not aware that their devices are being used to mine digital currency.

The recent lawsuits against Apple for throttling down older versions of iPhones may set a legal precedent for cryptocurrency mining lawsuits. If a user can successfully sue Apple for slowing down a phone without the user’s knowledge, developers who install mining capabilities that affect performance and battery life without disclosure could be liable as well.

Not only is this a threat that is here to stay, it is shaping up to become a threat as pervasive as ransomware. For instance, there are reliable indicators that show hackers use older vulnerabilities to mine cryptocurrency after initial infection attempts to generate bitcoins from victims without demanding a ransom. As that pool gets smaller, miners focus on extracting value in other ways, such as using the malware as a DDoS weapon.

While the maliciousness of these kinds of infected mobile apps and web browsers is subject to debate, we can say for sure that we are witnessing the birth of a new form of malware, perhaps with the same impact as ransomware or adware. And without a robust security and monitoring strategy, along with network visibility to protect applications and computers, you should expect to become the next cryptocurrency mining victim.

Mining Malware for the Mobile Era

The mobile era has generated a malicious opportunity to make the most of cryptocurrency mining malware. Mining malware latches onto as much CPU power as it can to mine digital coins, consuming electricity, processing power and data as information passes through the mining process, all of which cost money.

Research shows there is a plethora of malicious Android apps roaming the Internet right now, and some crypto-miners have managed to bypass filters to get into the Google Play Store. In fact, recent static analysis on mobile malware led researchers to a number of cryptocurrency wallets and mining pool accounts belonging to a Russian developer, who claims what he is doing is a completely legal method of making money.

We in the industry do not agree — cryptocurrency miners are a misappropriation of a user’s device. While it is technically legal if the extraction of cryptocurrencies is disclosed, these actions are purposefully misleading and frequently lack transparent disclosure.

We’ve witnessed the use of cryptocurrency miners embedded in legitimate applications available on the Android store, which are used to extract value from people’s phones during times when their devices are not in use. And, in recent months, there have been several cases of hackers mining cryptocurrencies even after a visible web browser window is closed.

Other methods that hackers are using to deploy cryptocurrency miners include using Telnet/SSH brute forcers attempting to install miners, along with SQL injection and direct installation of miners. Crypto-mining in browsers and mobile applications will continue to persist, so concerned companies should improve their security performance, bringing application-level visibility and context to their monitoring tools.

More devices, more mining

Since new security threats surface every week, there is a good chance that more devices will be infected with cryptocurrency mining malware in the near future. The increased presence of IoT devices will create new targets for cryptocurrency miners. We may also see hybrid attacks that are ransomware-first and crypto-coin miners second, as they attempt to cash in twice on the same computer.

Most of these crypto-mining attacks occur at the edge of the network. One of the more common attacks that attempt to install crypto-miners exploits the EternalBlue vulnerability released this past summer, which was at the center of ransomware outbreaks like WannaCry and NotPetya. Here’s the worst part: hackers are not using new tools or advanced methods to deploy these cryptocurrency miners, yet they are still successful. As a result, companies need a responsive patch management strategy; they must keep their IPS rules up to date, test that they can detect exploitation of the vulnerabilities that cannot be patched immediately, and monitor network traffic for peer-to-peer mining traffic.

If organizations do not have insight into their networks, they are unable to tell whether their endpoints are mining without permission, leaking data from a breach, or spreading malware across internal networks. Or perhaps there is no malicious activity going on; they will want to see that too. Having a network monitoring solution in place will alert them early in a compromise by showing a shift in network traffic patterns.
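One way to act on the monitoring advice above, as an added example (not the article’s or Ixia’s code): a scanner over constructed flow records that flags hosts speaking the Stratum mining protocol, which pool miners use as newline-delimited JSON-RPC over TCP. The flow record layout, the port list and the sample flows are assumptions made for the demo.

```python
"""Flag mining-pool (Stratum) sessions in captured flow records.

Constructed example: it assumes a network sensor exports one record per flow
with the first client payload bytes; the record layout and sample flows below
are invented for the demo.
"""
import json
from collections import defaultdict

# Stratum method names used by pool miners.  The "mining.*" names are the
# classic Stratum v1 family; the bare "login"/"submit"/"getjob" names are the
# CryptoNight/Monero dialect spoken by XMRig-style miners.
STRATUM_METHODS = {
    "mining.subscribe", "mining.authorize", "mining.submit",
    "mining.notify", "mining.set_difficulty",
    "login", "submit", "getjob",
}

# Ports that public pools commonly listen on.  Heuristic only (a pool can use
# any port), so it is a weak signal and never a trigger on its own.
COMMON_POOL_PORTS = {3333, 3334, 4444, 5555, 7777, 8888, 14444, 45700}


def stratum_methods_in(payload: str):
    """Return the set of Stratum method names found in a payload.

    Stratum is newline-delimited JSON, so each line is parsed on its own;
    non-JSON lines (HTTP, TLS hello bytes, ...) are skipped.
    """
    found = set()
    for line in payload.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            msg = json.loads(line)
        except json.JSONDecodeError:
            continue
        method = msg.get("method") if isinstance(msg, dict) else None
        if method in STRATUM_METHODS:
            found.add(method)
    return found


def score_flow(flow: dict):
    """Score one flow record.  Returns (score, reasons)."""
    score, reasons = 0, []
    methods = stratum_methods_in(flow.get("payload", ""))
    if methods:
        score += 80
        reasons.append("stratum methods: " + ", ".join(sorted(methods)))
    if flow.get("dport") in COMMON_POOL_PORTS:
        score += 10
        reasons.append(f"common pool port {flow['dport']}")
    # Miners stay connected to a pool for hours while moving little data.
    if flow.get("duration_s", 0) > 3600 and flow.get("bytes", 0) < 1_000_000:
        score += 10
        reasons.append("long-lived low-volume session")
    return score, reasons


def find_miners(flows, threshold=80):
    """Return {src_ip: [(dst, dport, reasons)]} for sources that look like miners."""
    hits = defaultdict(list)
    for flow in flows:
        score, reasons = score_flow(flow)
        if score >= threshold:
            hits[flow["src"]].append((flow["dst"], flow["dport"], reasons))
    return dict(hits)


# Constructed sample flows: addresses, ports, wallet string and payloads are made up.
SAMPLE_FLOWS = [
    {"src": "10.0.1.17", "dst": "203.0.113.9", "dport": 14444, "duration_s": 7200,
     "bytes": 48_000,
     "payload": '{"id":1,"jsonrpc":"2.0","method":"login","params":'
                '{"login":"4ExampleWalletAddr","pass":"x","agent":"XMRig/2.4.2"}}\n'},
    {"src": "10.0.1.22", "dst": "203.0.113.9", "dport": 3333, "duration_s": 5400,
     "bytes": 30_000,
     "payload": '{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5"]}\n'
                '{"id":2,"method":"mining.authorize","params":["worker1","x"]}\n'},
    {"src": "10.0.1.30", "dst": "198.51.100.4", "dport": 443, "duration_s": 12,
     "bytes": 250_000, "payload": "\x16\x03\x01..."},
    {"src": "10.0.1.31", "dst": "198.51.100.8", "dport": 80, "duration_s": 2,
     "bytes": 4_000, "payload": "GET /index.html HTTP/1.1\r\nHost: example.net\r\n"},
    # Plain text on a pool port alone must not fire: the port is a weak signal.
    {"src": "10.0.1.40", "dst": "198.51.100.20", "dport": 4444, "duration_s": 5,
     "bytes": 900, "payload": "hello\n"},
]

if __name__ == "__main__":
    for src, details in find_miners(SAMPLE_FLOWS).items():
        for dst, port, reasons in details:
            print(f"{src} -> {dst}:{port}  {'; '.join(reasons)}")
```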

About the author: Steve is Senior Director of the Application and Threat Intelligence Program at Ixia, responsible for gathering actionable application and security intelligence for Ixia products. Steve has more than 25 years of experience working in computer and network security for companies like IBM, TippingPoint, SolarWinds, BreakingPoint, and now Ixia.

Copyright 2010 Respective Author at Infosec Island
Increasing Importance of Mobile Makes Malware a Priority
Wed, 17 Jan 2018 10:14:22 -0600

In August, Google pulled more than 500 apps from its Play store after a security firm warned that the mobile applications had incorporated an advertising library, called Igexin, that could download malicious plugins. Unfortunately, the action came after the apps had been downloaded by users more than 100 million times.

The incident underscores that even a minor success can quickly have a major impact when the mobile ecosystem is so pervasive. Google and Apple have put phenomenal effort into vetting the apps in their stores, but malware developers and criminals are increasingly targeting mobile platforms.

Mobile devices have become the keystone in our digital lives — holding our data, allowing access to a variety of capabilities, and gathering information on what we do. Even with only limited privileges, malicious software can do significant damage to people's digital lives.

The threat to business is even greater. Because digital businesses run on apps, the threat of mobile malware exposes them to risks on two fronts — from the compromised devices of customers and those of workers. Businesses have to protect their customers from attackers looking to gain access to the customers’ accounts while protecting themselves against inside attacks powered by intruders hitching a ride inside the network defenses through a mobile app.

Recent data underscore the problems. Smartphones accounted for 72 percent of all infections detected by Nokia in the first three quarters of 2017 on the 100 million devices the company monitored with its security solution, far outpacing Windows computers, which accounted for the other 28 percent. While the monthly infection rate for devices is only 0.68 percent, that can quickly grow when a major threat, such as the Igexin library, is successful or when users get apps from third-party app stores, which tend to have more lax security requirements.

And while vulnerable applications and Trojan horses can be deleted, the operating system software for most smartphones is rarely updated. Patching is hard, so there are still a lot of vulnerable devices out there, which means that, even when a problem is discovered, it is not going to get better overnight.

The long-term onus is on companies that drive the ecosystem, such as Google and Apple. In markets where third-party app stores are popular, those providers need to step up their security, as malware encounters in those markets are far more likely than in the Google and Apple stores.

Yet companies also need to focus on keeping their own code secure. Vulnerable applications released to app stores can be used by attackers to spread malware. In addition to hurting customers, such attacks damage the business’s brand.

For that reason, developers need to be more aware that code libraries and components from unknown sources are a threat to their apps and users. While malicious developers are a problem for app-store providers, many developers are unwitting users of libraries that have malicious functionality. Testing services that check source code for vulnerabilities and build a manifest of the libraries included in the application will help developers stay on top of their third-party code.

For individuals and businesses, the scale of the problem can be contained if they take enough precautions. Data should be backed up to avoid its total loss. Employees and customers should be educated on what behavior should be deemed suspicious and only install apps from trusted sources. Any connected devices should be regularly updated, and proactively monitored to ensure that rogue applications have not compromised the devices. In addition, companies should focus on detecting anomalous behavior among their users and employees.

In the end, businesses can't trust that their mobile devices are secure and have not been compromised, so it's in their best interest to fortify their high value apps with additional security precautions from the inside out.

These steps will blunt the impact of attacks in the short term, allowing companies to respond to any malware outbreak before it causes widespread damage.

About the author: Asma Zubair is a senior director of product management at Arxan. As a seasoned security product management leader, she has also led teams at WhiteHat Security, The Find (Facebook) and Yahoo!

What Global Manufacturers Need to Know About Security in the Cloud
Mon, 08 Jan 2018 06:59:00 -0600

Manufacturers deal with sensitive information each and every day. This includes test and quality data, warranty information, device history records and the engineering specifications for a product that are highly confidential. Trusting that data to a cloud-based application or cloud services provider is a major step, and manufacturers need to fully educate themselves about the security risks and advantages of cloud-based software.

Consider the questions below as a guide to use when discussing application infrastructure and operations with cloud providers.

What do you do to keep my data safe?

This is the most important question a manufacturer should ask a cloud provider.

The answer should be long and multi-faceted. Because no single tool can defend against every kind of attack in any network, cloud providers must deploy multiple layers of defense using: internal systems; protection provided by tier 1 cloud platforms; and security service providers.

All of these elements come together to provide complete protection. Below are some examples of these layers:

  • Physical Defense: Cloud platform providers can and should exercise tight control of access to the physical devices on which the software systems reside. In the best case, independent auditors attest to the safety of this access. This control and documentation must be reviewed on a regular basis.
  • Barriers to Entry: Firewalls built into the cloud service can limit access to ports managed by the application. Unneeded ports should be blocked so that they cannot be accessed.
  • Application Password Protection: The best-designed cloud applications allow your organization’s identity management system to provide authentication and password management, limiting access to your data and following your internal security policies. This should also support two-factor authentication if your internal policies require it. Some of the more advanced systems can also provide an identity management service as an alternative to your internal solution, if required.
  • Application Firewalls: Most enterprise-class application designs will include a Web Application Firewall service that uses the latest technology to defend against such things as denial of service attacks and other types of malicious access.
  • Activity Monitoring: State-of-the-art cloud platform providers continuously monitor for suspicious activity that could be the result of hacking or malware. Again, in best case scenarios, warnings are sent automatically and steps taken to protect the data and the integrity of the platform.
  • Malware Monitoring: Both the application provider and the hosting platform provider must run active checks for malicious code to ensure each piece of code that is executed matches the published signature for that code. Be warned: this is a step that many providers have not migrated to yet.
  • Code Standards: Good security starts with good code. Security standards must be included in the system development life cycle, governing every aspect of the system. Be sure to review the code standards of the application developer.
  • Third Party Code Scanning: The most advanced application providers use a third-party firm to scan code looking for opportunities to improve security and look for known vulnerabilities with each new version of the application. Ask for details about this, as there are many different levels of scanning available; a once-a-year scan is obviously not as valuable as regularly scheduled scans before each new release of software.
  • Data Encryption: Generally accepted practices for data encryption provide different options for data in different modes: data in transit (being communicated within the system or between the database and your user interface) and data at rest (data that resides within the database and is not currently being accessed).

○ Data in transit can be encrypted using industry standard encryption through the browser. Additionally, APIs that access the data should use encrypted data and include encrypted tokens to increase access control.
○ Encryption of data at rest protects against accessing data from outside the application’s control. As the physical access to the system is protected and the data is in password protected databases, at-rest encryption may not be essential for every customer - but the question is still worth asking.

What do you do to prevent the data from being hacked and stolen?

“Hacking” or stealing data is the number one security concern of most people considering a cloud solution. Note, however, that some common misunderstandings often drive this concern.

According to the “Data Breach Investigations Report” from Verizon, about 50 percent of all security incidents are caused by people inside an organization. Good user management and password security policies are the best way to prevent these types of attacks. This is the underlying purpose of application password protection, as described above.

For preventing external hacks and data theft, the system must be architected to prevent as many types of attacks as possible (see above). Also, application providers must use internal personnel and external consultants to run frequent penetration testing. These tests look for common paths that attackers use to gain access to systems through the internet. The tests help ensure there are no doors left open for hackers. Be sure to ask about penetration testing, including both the frequency and the methodologies used.

How does cloud security compare to on-premise security?

This is a question that should be asked internally, as well as externally. There is a common misperception that a set of servers running on-premise at a corporate office is more secure than a cloud-based application. Owning the hardware and software often gives a false sense of security; most on-premise systems fall far short of the security that the best cloud providers have deployed.

For example, the cloud storage system utilized by my company was designed for 99.999999999% durability and up to 99.99% availability of objects over a given year. That design and those numbers are virtually impossible to duplicate with an on-premise solution. In addition, the comprehensive access control described above is nearly impossible to duplicate on-premise. To deploy tools like these in an on-premise environment would require not only large investments in infrastructure, but large teams to manage them too.

Ask yourself: how big is your security team? How much is your budget for security around your manufacturing data? Then remember, the best application providers and data centers have large, dedicated security teams who have implemented automated threat monitoring systems that operate 24x7. In the end, the best cloud software companies have dedicated more time, resources and budget to securing their systems than most organizations are able to provide themselves.

More Security in the Cloud

The security issue for cloud manufacturing software is perhaps best summed up by this quote from LNS Research:

“By moving to the Cloud, security is usually enhanced rather than diminished as Cloud suppliers devote huge efforts to ensuring their underlying systems are as secure as possible and are constantly updated to react to potential threats. No individual manufacturer could devote such efforts, and they should focus on plant security working with their MES and plant software vendors to ensure maximum security and properly maintained systems. Do not get caught out by obsolete and vulnerable systems.”

About the author: Srivats Ramaswami, CTO at 42Q, has worked at both OEMs and contract manufacturers, most recently as vice president of IT Operations. His expertise includes the architecture and implementation of IT solutions, making the global supply chain visible and more efficient. Srivats is now responsible for customer acquisition and engagement, technology development and deployment for 42Q.

Security in Operational Technology: Five Top Trends in 2018
Fri, 05 Jan 2018 11:15:00 -0600

“There has been a noticeable increase in security issues and data breaches during recent years in a variety of industries. Following an upsurge of Internet of Things (IoT) devices being utilised in industrial environments and critical infrastructures, it is clear operational technology (OT) is next in line for some very bad news. The critical systems that monitor and control our power distribution networks, our industrial capacity and our connected healthcare systems have been under attack for a long time and while only some of these attacks have been successful, it’s almost inevitable that bigger breaches are yet to come.”

Here are the top five security trends we at Applied Risk are watching out for in 2018:

1. Wireless: a major attack inevitable - Perhaps the single most unsettling piece of news in 2017 was that the ubiquitous WiFi security protocol, WPA2, has a fundamental flaw which is unlikely to be addressed in the majority of WiFi enabled devices. The challenge in 2018 is that the use of wireless communications, including Low Power Area Networks, will continue to grow in line with IoT device deployments. This will result in a far greater OT attack surface which is not being adequately protected with second and third lines of defence. A high-profile malware attack is therefore probable.

2. Healthcare attacks will increase - The most notable victim of the WannaCry malware outbreak in early 2017 was the UK National Health Service (NHS) and many US hospitals have fallen victim to other ransomware attacks. Healthcare is a key industry for IoT adoption with new network connected medical devices delivering life-saving outcomes, but the security of these devices has been too low a priority for too long, accentuating the risk of further attacks.

3. The skills shortage will drive security automation - It’s been predicted by Frost and Sullivan that the shortfall of skilled security professionals compared to the market needs could be as high as 1.5 million by 2020. This will drive investment in alternative service models for the security industry, and we expect to see innovative new products and processes based on artificial intelligence for both monitoring and testing to safeguard industrial environments.

4. Advanced persistent threats will infiltrate more OT environments - As the Industrial IoT grows in terms of both device numbers and data volumes, the challenge of detecting and closing down advanced persistent threats (APTs) inevitably becomes harder. Even relatively well understood and straightforward techniques, such as data exfiltration over DNS, remain stubbornly easy to exploit. Investments in knowledge sharing and network monitoring are not yet at the scale required to fight APTs effectively.

5. Security-by-Design will start to improve ICS security - The good news is that heightened awareness of security issues in critical environments is having an effect. More teams are integrating “security-by-design” into their development cycles for industrial control systems, creating products that take into account current and future threat concerns. There is still a long way to go to make this the norm, but legislators around the world are building strong regulations and frameworks which penalise security weaknesses.

About the author: Jalal Bouhdada has over 15 years’ experience in Industrial Control Systems (ICS) security assessment, design and deployment with a focus on Process Control Domain and Industrial IT Security. Jalal has led several engagements for major clients, including many of the top utilities in the world and some of the largest global companies in industry verticals including power generators, electricity transmission providers, water utilities, petrochemical plants and oil refineries.

Bitcoin in the Darknet Ecosystem
Fri, 05 Jan 2018 10:44:53 -0600

2017 was without a doubt the year of Bitcoin. The first decentralized cryptocurrency skyrocketed from a value of $1,000 USD per Bitcoin in January 2017 to a maximum of $20,000 USD in December. The worldwide awareness of Bitcoin and the cryptocurrency phenomenon is affecting and challenging traditional financial institutions, investors and even governments in a variety of ways.

The underlying factors – what makes Bitcoin (et al.) different from other currencies and payment forms?

Bitcoin’s attributes make it profoundly different from traditional currencies and financial assets, and they appeal to cybercriminals and other potential users:

  • Decentralization and deregulation: One of bitcoin’s most valuable features is its decentralization - The fact that the currency is not controlled by any country, or governing body. Additionally, most countries and central banks have yet to regulate it in any way. This combination makes it attractive for cybercriminals (and others) looking for an easy way to launder money, but also to investors looking for diversification in their funds with a high-risk, but potentially very profitable, tax-free investment.
  • Privacy: Bitcoin and transactions in which it is involved are perceived as anonymous. This claim is not entirely accurate – as there are links to aliases or public keys.
  • Ambiguity: It’s becoming harder and harder to decide whether Bitcoin is indeed a currency, or essentially a commodity/product/goods. In the past, the cyber community was using it as means to buy online products and services in numerous fields, among them dark web markets. However, it seems that most of the Bitcoin purchasers in the 2017 bull-run were buying it for the purpose of investment, as if it were a financial asset.

These attributes, and their perception (and in some cases misperception), lead to the current changes and trends we are seeing in how threat actors and hackers approach Bitcoin.

The go-to currency for hackers

Bitcoin has long been the go-to currency for hackers, scammers and fraudsters, due to its relative anonymity and high tradability in the black market, especially in the last couple of years, as Bitcoin is much more accessible to the public. This tendency was and still is reflected in the rise of ransomware. An easier solution for collecting Bitcoin with minimal effort is the use of cyber-extortion, known as Doxware.

Doxware is similar to a ransomware attack, but instead of, or in addition to, encrypting the victims’ files, it informs the corporation or the individual that it has penetrated their systems, and threatens to leak confidential information unless a ransom is paid (in Bitcoin, of course).

A similar type of cyber extortion, seen in 2017, is the threat to perform a denial of service attack (DDoS) unless the victim pays a ransom in Bitcoin. This type of extortion often follows a small-scale demonstration attack or some other proof of capability to perform such an attack.

Another threat on the rise these days is cryptocurrency mining malware. Hackers infect websites, servers and end-users with mining code (sometimes implemented in a distributed manner) while victims are unaware they are being used. A known mining malware attack is the recent Adylkuzz malware, which spread using the EternalBlue exploit used by the infamous WannaCry ransomware. Once infected, Adylkuzz will mine the cryptocurrency Monero.

How hackers try to steal your Bitcoin

Due to Bitcoin’s relative anonymity and the mass of new investors eager to hop on the cryptocurrency wagon, it is no surprise that scammers, hackers and fraudsters are taking advantage of the inexperienced users.

An infamous way of fooling both experienced and inexperienced Bitcoin owners is conducting fake Initial Coin Offerings (ICOs). New companies in the field of cryptocurrency and blockchain offer cryptocurrency tokens at a low price in order to raise funds.

Investors participate in ICOs, hoping one would turn out to be the next crypto-bonanza, and the tokens issued are bought and sold on trading platforms. Their prices peak and drop before even one line of code is written or currency issued.

Other than the fact that many of these companies go down along with the tokens, many of the ICOs are not actually intended to develop a crypto platform, but rather, make an exit scam by disappearing with the funds raised or selling their tokens on high rates in a classic “pump and dump” move.

There are several red flags that can indicate a fake ICO:

  1. No decentralization: If the company’s mining project does not require the use of a blockchain or another distributed platform, there is a good chance the ICO is a scam.
  2. Promised returns: As cryptocurrencies are by definition a high-risk investment, you can assume that an ICO that promises high returns with minimal risk is most definitely an attempt to steal your money.
  3. Vague data: If you cannot know for sure what the expected net value of the ICO is, who the company behind the ICO is, or what the roadmap of the project is, there is a good chance there are none. Read the ICO’s whitepaper and research the project, its founders and its mining structure thoroughly before you put your money in.
  4. Be careful who you trust: YouTube investment gurus and other internet experts often get paid to promote an ICO. Even if these experts have a solid reputation, it is not recommended to trust them blindly.

Another known scam is the proliferation of fake wallets. In two known scam campaigns, attackers used Google ads to promote phishing websites that mimic famous wallets, luring inexperienced users to download them or log in online to their wallets. The victims end up entering their private key or login information into the fake wallets, and losing all their Bitcoins.

How anonymous is Bitcoin?

Bitcoin is thought to be anonymous, as the identity of its owner is unknown. Nevertheless, all transactions made in Bitcoin are recorded on the blockchain and can be seen by anyone who looks. These transactions are linked to the user’s public key; if this key is in any way linked to a real identity, the user might be uncovered. Users of some cryptocurrency exchanges are even more exposed, since they go through an identity verification process, exposing their true identities to the owners of the exchange. Bitcoin should be regarded as pseudonymous, with the public key as the alias.

Another possible breach of user anonymity in Bitcoin is following transactions made from Bitcoin ATMs to wallets, which can usually indicate the geographical location of the wallet owner. Cross-referencing the geographic location with other transactions, the time of purchase or even street cameras can allow law enforcement or cyber-espionage organizations to identify the user behind the Bitcoin wallet.

In pursuit of better anonymity, cybercriminals are turning to different services that can obscure the real user behind transactions. Some are using “mixing services”, in which users trade their Bitcoin wallets for others with a completely different history, or send dozens of small transactions that combine their Bitcoins with others’, in order to keep the sender’s real address unknown.

WannaCry, the ransomware that hit the world in May 2017, used only three Bitcoin wallets. Research tracing these three public keys[1], done by the writer of the blog Le Comptoir Sécu, shows how the three wallets were emptied into nine new addresses, which were later emptied as well, creating hundreds of micro-transactions. In a high-profile attack like WannaCry, it is only natural that the attackers would want to avoid any possibility of exposure and make tracing as hard as possible for law enforcement and the cyber-security community.
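The forward trace described above, as an added example (not the article’s or the cited blog’s code) over a constructed ledger: a “haircut” taint rule marks every address that received value from three seed addresses, and the common-input ownership heuristic groups addresses spent together. The same ledger shows why a mixing round with a stranger’s coins both dilutes the taint and misleads the ownership heuristic. All addresses, amounts and transaction ids are invented.

```python
"""Follow funds forward from known extortion addresses on a constructed ledger.

Added example; the transactions below are invented.  Bitcoin really spends
outputs (UTXOs), but address-level accounting is enough to show how taint
propagation and the multi-input ownership heuristic behave.
"""
from collections import defaultdict

# (txid, inputs, outputs) with (address, amount) pairs, in confirmation order.
# ransom_1..3 stand in for the three extortion addresses.
TXS = [
    ("t1", [("ransom_1", 20.0)], [("hop_a", 10.0), ("hop_b", 10.0)]),
    ("t2", [("ransom_2", 15.0), ("ransom_3", 5.0)], [("hop_c", 20.0)]),
    # hop_a joins a mixing round with an unrelated party, clean_x.
    ("t3", [("hop_a", 10.0), ("clean_x", 10.0)],
           [("mix_1", 5.0), ("mix_2", 5.0), ("mix_3", 5.0), ("mix_4", 5.0)]),
    ("t4", [("hop_b", 10.0)], [("exchange_dep", 9.9), ("hop_b_chg", 0.1)]),
    ("t5", [("hop_c", 20.0)], [("hop_d", 19.5), ("hop_e", 0.5)]),
]


def haircut_taint(txs, seeds):
    """Forward 'haircut' taint: every output of a transaction inherits the
    tainted share of that transaction's total input value.
    Returns {address: tainted_fraction} for every address that received funds."""
    frac = {s: 1.0 for s in seeds}   # tainted share of what the address holds
    held = defaultdict(float)        # value the address currently holds
    for _txid, ins, outs in txs:
        total_in = sum(a for _, a in ins)
        tainted_in = sum(a * frac.get(addr, 0.0) for addr, a in ins)
        share = tainted_in / total_in if total_in else 0.0
        for addr, a in outs:
            # Weighted average with whatever the address already held.
            prev_tainted = held[addr] * frac.get(addr, 0.0)
            held[addr] += a
            frac[addr] = (prev_tainted + a * share) / held[addr]
        for addr, a in ins:
            held[addr] = max(0.0, held[addr] - a)
    return frac


def common_input_clusters(txs):
    """Multi-input heuristic: addresses spent together in one transaction are
    assumed to share an owner.  Union-find over input addresses."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for _txid, ins, _outs in txs:
        addrs = [addr for addr, _ in ins]
        for other in addrs[1:]:
            parent[find(other)] = find(addrs[0])
    clusters = defaultdict(set)
    for addr in list(parent):
        clusters[find(addr)].add(addr)
    return [sorted(c) for c in clusters.values()]


def cluster_of(clusters, addr):
    """Return the cluster containing addr (a singleton if it was never co-spent)."""
    for c in clusters:
        if addr in c:
            return c
    return [addr]


def tainted_receivers(txs, seeds, threshold=0.5):
    """Non-seed addresses whose holdings are at least `threshold` tainted."""
    frac = haircut_taint(txs, seeds)
    return sorted(a for a, f in frac.items() if a not in seeds and f >= threshold)


if __name__ == "__main__":
    seeds = {"ransom_1", "ransom_2", "ransom_3"}
    for addr, f in sorted(haircut_taint(TXS, seeds).items()):
        print(f"{addr:14s} tainted share {f:.2f}")
    for c in common_input_clusters(TXS):
        print("same-owner cluster:", c)
```

The mixing round in t3 halves the taint on every mix_* output and, because hop_a and clean_x are co-spent, the ownership heuristic wrongly places the unrelated clean_x in the same cluster as the extortion funds.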

Bitcoin makes the underworld go round, is that so?

Bitcoin is still perceived by many as underground money, used by criminals, drug dealers and hackers. However, the recent hype around Bitcoin has caused high volatility, heavy load on blockchain networks, and costly fees. This hype has actually driven darknet users away from Bitcoin, as many black markets are now adopting other, newer cryptocurrencies (known as ‘Alts’) such as Ethereum, Bitcoin Cash, Litecoin, and the recent favorite Monero – a currency which currently offers the highest anonymity in the cryptocurrency market. Libertas market, one of the best-known black markets on the dark web, has even gone so far as to give up on Bitcoin and accept only Monero.

It seems that the acceptance of Bitcoin by the public has brought it from the margins of internet society to center stage, and sent cyber criminals searching for other solutions better suited to their need for anonymity.


To sum it up, Bitcoin is a rollercoaster for both investors and cybercriminals, and as it becomes more and more accepted in the public and financial ecosystem, cybercriminals are more interested in stealing Bitcoins than in using them as a currency. This trend will probably continue as long as the Bitcoin bull run lasts, turning Bitcoin from a means into an end. Alternatives are getting better by the day, threatening to take over Bitcoin’s role as the main currency of the cybercrime community.

[1] 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn, 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw, 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

About the author: Guy Caspi is a seasoned CEO and a leading global expert in cybersecurity, big data analytics and data science, recognized as a technology pioneer by the World Economic Forum in Davos.

Copyright 2010 Respective Author at Infosec Island
The 5 Motives of Ransomware Thu, 04 Jan 2018 08:30:00 -0600 When 2017 began, we knew that ransomware was going to be a major topic. However, who would have foreseen the impact of both WannaCry and NotPetya?

WannaCry hit the world on May 12, infecting more than 230,000 systems in over 150 countries. In the process, it caused havoc in the UK’s National Health Service, using the EternalBlue exploit that was part of the Vault7 leak of the U.S. National Security Agency (NSA) offensive tools. The impact was huge, causing many disruptions around the world and highlighting the importance of patching systems with security updates.

Was the lesson learned? The answer is no.

Shortly after WannaCry, in late June, we were introduced to NotPetya, this time spreading out of Ukraine and quickly cascading around the world, impacting system after system. It caused major issues for energy companies, transportation, medical services, the power grid, bus stations, airports and banks.

The financial gain from both ransomware variants was quite low, approximately $150k combined, compared to older variants such as Zeus that claimed more than $100 million.

In my experience in digital forensics, I have always been taught to follow one of two things when trying to understand cybercrime: follow the motive or follow the money. Either or both will lead to the criminal. In both WannaCry and NotPetya, it looks like the motive was not the financial part of the crime, or that the payload and the financial portion were constructed by two different groups or cybercriminals.

When we look at the motives of those who use ransomware, it is usually one of the following:

  • Destructive – This means they do not care about the financial reward; it is purely to cause disruption and fear. Of course, the cybercriminals may decide to take the financial takings if they are untraceable.
  • Financial Motivation – This is to get as much financial reward as possible, and usually the ransom is a premium to get the data or access back.
  • Cryptocurrency Manipulation – Knowing that ransomware usually requires payment in the form of cryptocurrencies, and that the value is derived from the number of wallets, you could use ransomware to cause a significant increase in value. The best way to get away with the crime is to make money legally.
  • Disguise Real Motive – This is usually to hide the real crime. After committing a cybercrime, when you need to hide your traces, what better way to do it than to cause disruption with ransomware? While the world is racing to stay secure and reduce the impact, the cybercriminals have escaped from the real crime, hiding the traces of what happened. Make a disaster or catastrophe to cover your tracks.
  • Misdirection – Like disguising the real motive, this is similar to a trick used by magicians to get your eyes to focus on something else. I believe we have seen examples of this in the recent nation state attacks, in which breadcrumbs are left that lead investigators to focus their time on one country when in fact the attack was carried out by another. This is quite common in cybercrime, in the hope that time will prevent the true criminal from being found.

I will leave you to consider what the real purposes of recent ransomware threats have been. However, remember it can also be a combination of multiple threat actors involved with different motives. 

Remember: it is always important to step back and think, if this was your crime, how would you have done it? Sometimes it's crucial to be able to think and look at the world through the eyes of a hacker or cybercriminal.

About the author: Joseph Carson is a cyber security professional with more than 20 years’ experience in enterprise security & infrastructure. Currently, Carson is the Chief Security Scientist at Thycotic.

Fake Android Security Tools Harvest User Data Thu, 04 Jan 2018 06:29:09 -0600 Tens of Android applications masquerading as security tools were found bombarding users with ads, tracking their location, and secretly harvesting user data, Trend Micro reports.

A total of 36 such applications were found in Google Play in early December, all of which executed the aforementioned unwanted behavior. The applications were posing as security utilities like Security Defender, Security Keeper, Smart Security, Advanced Boost, and more.

The offending applications, the researchers discovered, advertised a variety of capabilities, including scanning, cleaning junk, saving battery, cooling the CPU, locking apps, message filtering, WiFi security, and the like.

When first launched, the apps would hide from the device launcher’s list of applications and would also remove their shortcuts from the device screen. Thus, users would only see the notifications pushed by the apps, which would normally be alarmist security warnings and pop-up windows.

The apps were designed to hide their presence only on specific devices. They would not exhibit such behavior on Google Nexus 6P, Xiaomi MI 4LTE, ZTE N958St, and LGE LG-H525n, most likely because the tactic would not work on these devices or because the authors wanted to avoid additional scrutiny from Google Play.

Once up and running, the apps would bombard users with “security” notifications and other messages. However, most of the “detection” results displayed in the notifications are false, such as the reporting of all newly installed apps as being suspicious.

Some of these notifications would prompt users to take action on supposedly detected issues on the device. When the user clicks to perform the action, the app would display a fake animation to trick the user into believing that the app is working as intended.

While sending these notifications, however, the apps would also collect the victim’s private data, including specific location details. The collected data is then sent to a remote server.

In addition to pushing said notifications, the applications would also display advertisements to the user in various scenarios: after a notification to unlock the device screen, or after the user is prompted to connect a charger.

Almost every user action triggers an ad, which suggests the apps were designed mainly for ad display and click fraud.

The security researchers also noticed that users are asked to sign and agree to a EULA (end-user license agreement), where details on the information gathered and used by the app are included. However, because the collection and transmission of personal data is not related to their functionality, these apps are still considered abusive.

These apps can upload user information, details on the installed apps, information on attachments, user operational information and data on activated events to a remote server.

Additionally, the apps were observed collecting the Android ID, MAC address, IMSI, information about the OS, brand and model of the device, device specifics, language, location information, data on installed apps, and information on which permissions are granted or not.

Google has been informed on the behavior of these applications and has already removed them from Google Play.

Related: Google to Warn Android Users on Apps Collecting Data

Related: Majority of Android Apps Contain Embedded User-Tracking: Report


Hackers Wreak Havoc in 2017, is 2018 Ready to Battle? Thu, 04 Jan 2018 06:26:00 -0600 With a new year upon us, it’s time to reflect back on a rather turbulent 365 days in the cybersecurity space. Between leaked Game of Thrones episodes, WannaCry ransomware and new strains of the Mirai Internet of Things botnet, cyberattacks reached alarming heights in 2017. This increases the burden on companies to adapt to a rapidly changing threat landscape.


So, what will 2018 look like?


IoT must brace for impact


IoT adoption exploded in 2017 and shows no signs of slowing. Gartner predicts that 20 billion devices will be connected to the internet by 2020. One of the most worrisome aspects of the IoT explosion is just how susceptible these devices are to hacking. Many devices rely on default passwords that often go unchanged, making them easy targets for hackers to gain access. Hackers are creating armies of nefarious botnets comprised of hundreds of thousands of devices to use in DDoS attacks against organizations around the world. Healthcare is particularly vulnerable to IoT hacking -- connected medical devices are hard to update and often run on older versions of operating systems. As manufacturers bring new IoT devices to market, they must make security a priority. The current mindset of ignoring basic security measures threatens the security and stability of the internet as a whole.


Hacker motivations shift from curious to criminal  


Hacker motivations have moved from the curious individual to organized crime and nation state actors, for whom hacking is a day job. We’ve long suspected this would be the case, but it’s becoming increasingly clear that the level of sophistication and tenacity shown by these attackers is far beyond opportunistic hacking. Hacking becomes the source of a paycheck, which is both good and bad for defenders. On one hand, being professionally funded often gives hackers less motivation to push boundaries and find new vulnerabilities, meaning they will reuse the same proven tactics. However, this new breed of attackers benefits from greater resources and more confederates to help build out specific tools. When push comes to shove, organized hackers will be much more dangerous than individuals or small groups could ever be.


Security biometrics are still a mixed bag


New and innovative security solutions, such as biometrics in the form of touch and Apple's Face ID, are gaining momentum as an option to protect personal data. But the effectiveness of biometrics is still up for debate. When a system containing your biometric data is compromised, you cannot change a thumbprint the way you can change a password. Additionally, the complexities surrounding individual health data are increasingly becoming a concern. Activity trackers like Fitbits and Apple Watches are the quintessential example, allowing us to record heart rate, blood pressure and more. But that data can be used against us, either by someone who steals it or by an employer who legally collects it and decides an employee is a health risk. There are years of wrangling to come over the legal and ethical standing of this data.


If 2017 taught us anything, it’s that we have a long way to go to get ahead of adversaries. The biggest impact a security team can make in the new year is to understand how effective their protections are against evolving threats. The controls that were seen as effective in 2017 might no longer be what’s needed to protect against the threats 2018 will bring.


Global Security Threats You Need to Know About in 2018 Wed, 03 Jan 2018 07:14:19 -0600 In the year ahead, businesses of all sizes must prepare for the unknown so they have the flexibility to withstand unexpected and high impact security events. To take advantage of emerging trends in both technology and cyberspace, businesses need to manage risks in ways beyond those traditionally handled by the information security function, since new attacks will most certainly impact both shareholder value and business reputation.

After reviewing the current threat landscape, there are five dominant security threats that we at the Information Security Forum believe businesses need to prepare for in 2018. 

These include, but are not limited to:

  • Crime-As-A-Service (CaaS) Expands Tools and Services
  • The Internet of Things (IoT) Adds Unmanaged Risks
  • Supply Chain Remains the Weakest Link in Risk Management
  • Regulation Adds to Complexity of Critical Asset Management
  • Unmet Board Expectations Exposed by Major Incidents

We’ve provided an overview for each of these areas below:

1. Crime-As-A-Service (CaaS) Expands Tools and Services

Criminal organizations will continue their ongoing development and become increasingly sophisticated. The complex hierarchies, partnerships and collaborations that mimic large private sector organizations will facilitate their diversification into new markets and the commoditization of their activities at a global level. Some organizations will have roots in existing criminal structures, while others will emerge focused purely on cybercrime. Organizations will struggle to keep pace with this increased sophistication and the impact will extend worldwide, with cryptoware in particular becoming the leading malware of choice for its threat and impact value. The resulting cyber incidents in the coming year will be more persistent and damaging than organizations have experienced previously, leading to business disruption and loss of trust in existing security controls.

2. The Internet of Things (IoT) Adds Unmanaged Risks

Organizations will adopt IoT devices with enthusiasm, not realizing that these devices are often insecure by design and therefore offer many opportunities for attackers. In addition, there will be an increasing lack of transparency in the rapidly-evolving IoT ecosystem, with vague terms and conditions that allow organizations to use personal data in ways customers did not intend. It will be problematic for organizations to know what information is leaving their networks or what data is being secretly captured and transmitted by devices such as smartphones and smart TVs. When breaches occur, or transparency violations are revealed, organizations will be held liable by regulators and customers for inadequate data protection. In a worst-case scenario, when IoT devices are embedded in industrial control systems, security compromises could result in harm to individuals or even loss of life.

3. Supply Chain Remains the Weakest Link in Risk Management

Supply chains are a vital component of every organization’s global business operations and the backbone of today’s global economy. However, security chiefs everywhere are concerned about how exposed they are to an abundance of risk factors. A range of valuable and sensitive information is often shared with suppliers and, when that information is shared, direct control is lost. This leads to an increased risk of its confidentiality, integrity or availability being compromised. In the coming year, organizations must focus on the weakest spots in their supply chains. Not every security compromise can be prevented beforehand, but being proactive now means that you, and your suppliers, will be better able to react quickly and intelligently when something does happen. To address information risk in the supply chain, organizations should adopt strong, scalable and repeatable processes, obtaining assurance proportionate to the risk faced. Supply chain information risk management should be embedded within existing procurement and vendor management processes. This readiness may determine competitiveness, financial health, share price, or even business survival in the aftermath of a breach.

4. Regulation Adds to Complexity of Critical Asset Management

New regulations, such as the European Union General Data Protection Regulation (GDPR), will add another layer of complexity to the issue of critical information asset management that many organizations are already struggling with. The GDPR aims to establish the same data protection levels for all EU residents and will focus on how organizations handle personal data. Businesses face several challenges in preparing for the reform, including a widespread lack of awareness among internal stakeholders. The additional resources required to address the obligations are likely to increase compliance and data management costs while pulling attention and investment away from other important initiatives. In the longer term, organizations will benefit from the uniformity introduced by the reform. But it is not just in the area of privacy where legislation will bite. The increasing burden of compliance and legislative variances across jurisdictions will increase the burden for multi-nationals and those businesses targeting international trade.

5. Unmet Board Expectations Exposed by Major Incidents

Boards will expect that their approval of increased information security budgets will have enabled the Chief Information Security Officer (CISO) and the information security function to produce immediate results. However, a fully secure organization is an unattainable goal, and many boards are unaware that making substantial improvements to information security will take time – even when the organization has the correct skills and capabilities. Consequently, the expectations of boards will quickly accelerate beyond their information security functions’ ability to deliver. Misalignment between a board’s expectations and the reality of the security function’s ability to deliver will be most cruelly exposed when a major incident occurs. Not only will the organization face substantial impact, the repercussions will also reflect badly on the individuals and collective reputations of the board members.

Don’t Be Left Behind

Today, the stakes are higher than ever before, and we’re not just talking about personal information and identity theft anymore. High level corporate secrets and critical infrastructure are constantly under attack and organizations need to be aware of the emerging threats that have shifted in the past year, as well as those that they should prepare for in the coming year.

By adopting a realistic, broad-based, collaborative approach to cyber-security and resilience, government departments, regulators, senior business managers and information security professionals will be better able to understand the true nature of cyber-threats and respond quickly and appropriately. This will be of the highest importance in 2018 and beyond.

About the author: Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments.

The IT Security Lessons from 2017 Fri, 22 Dec 2017 08:09:00 -0600 George Santayana famously observed that: “Those who cannot remember the past are condemned to repeat it.”  In a year where data breaches escalated, and cyber-criminals found yet more ways to infiltrate the enterprise network, this quote came to mind.

So, as 2017 draws to a close let’s look back over the year and reflect and evaluate past events in cyber security, and understand how they happened, so that we can hopefully prevent them from happening again in 2018.

Data breaches continue to happen

As I have already alluded to, data breaches increased in number and severity over the past year. People may have become desensitized to the news, but the number of personal records stolen or lost is staggering. In 2017 alone Uber, Amazon, the US Government, Equifax and Yahoo – to name just a few – all experienced breaches, and there seemed to be another high profile case every month. Investigating and remediating these incidents is costly, with the latest estimates placing the cost of the Equifax breach alone at $110 million.

Additionally, we saw simple configuration mistakes leading to breaches in Amazon Web Services. Financial publishing firm Dow Jones & Company and military intelligence agency, INSCOM, for example, left their Amazon S3 buckets accessible and available to any AWS user.

Scrambling for GDPR

2017 saw businesses scrambling to gear up for the General Data Protection Regulation (GDPR) which will come into force in May 2018. It will apply to organizations that are based in or operate across the EU, or which have operations, customers, suppliers or partners within the EU.

Under GDPR, regulators can fine organizations that fail to adequately safeguard customer data against a breach or fail to report one to the supervisory authority within 72 hours. The fine can be up to €20m, or 4% of the firm’s annual turnover – whichever is greater – which clearly gives regulators a very large stick to use on companies that do not comply.

What is yet to be seen is how the European regulators decide to exercise their legal powers. Come May 25th we might see investigations and fines handed down to any company that loses personal records, and we could see jurisdiction fights as European regulators try to fine businesses that are based in the US. Equally, the threat of large penalties may not be realized: it will be interesting to see how it all plays out.  

IoT and the bots

Throughout 2017, attacks on IoT systems were rife, and I believe they will only increase in 2018. At the heart of many of these attacks were botnets, which were deployed to hundreds of thousands of IoT devices. In 2017 we saw new variants of the Mirai botnet, including Reaper, and new botnets like Satori, all of which specifically targeted IoT devices.

By increasingly allowing IoT devices onto their enterprise network, enterprises are also offering an open back door for bot attacks. Worryingly, recent estimates suggest that up to 75% of organizations globally are infected by bots, and with IoT devices set to increase, we certainly haven’t seen the worst of it yet.  

Indeed, Gartner estimates that 8.4 billion devices were connected to the internet in 2017, and a further 2.8 billion will be connected in 2018. These new IoT devices usually have little to no security controls built in, so every additional internet-connected thermostat, door lock, vending machine or air conditioning unit that goes online is another attack vector available to attackers.

To prevent bots working their way onto your enterprise networks, make sure to use up-to-date anti-malware and implement layered defenses to limit their lateral movement if they do manage to infiltrate the network. Additionally, next-generation firewalls can monitor network traffic for suspicious activity, block suspicious traffic and cut bots off from their command and control servers. Intelligent network segmentation, separating IoT devices from the rest of the network, will also help to mitigate risk.

Ransomware is here to stay

2017 was also the first year that businesses globally felt the full force of major ransomware attacks. WannaCry impacted businesses and public services across the globe, Cerber convinced many victims to pay up to unlock their encrypted files, and NotPetya claimed many victims including US based pharmaceutical giant Merck, causing at least $300 million of damage.

Threatened by the loss of potentially sensitive files that may not be backed up, some businesses have been paying the criminals’ ransom demands. But of course, paying the attackers not only funds criminal activity, it fuels further attacks. So, ransomware is far from behind us.  

As with bots, there are numerous security best practices that can prevent, or at least greatly reduce, the impact of the next ransomware attack, including segmenting the network, regular data backups, patching, and security awareness training for employees.

The reality is that data breaches, botnets, ransomware and human errors won’t be going away anytime soon, and organizations must remain vigilant. But by looking back at the events of 2017, IT teams can take steps to reduce the chances of falling foul of these attacks moving forward. After all, learning from history can help stop events from repeating in the future.

About the author: Professor Avishai Wool is the CTO and co-founder of AlgoSec.

Goodbye 2017, Hello 2018: New and Old Cloud Security Challenges Fri, 22 Dec 2017 05:07:25 -0600 Security and compliance are going to be hot topics in 2018 as more and more organizations confront the challenges of the cloud. In 2018, a few major new regulations, such as the EU General Data Protection Regulation (GDPR), which takes full effect in May, will start to swing the privacy pendulum towards better cloud security and more protections for consumers and end users.

Here’s what that means for 2018:

An accountability tipping point will change the calculus for custodians of sensitive private information.

High profile incidents in 2017 - Equifax, Uber, I’m looking at you - deeply shook the general public. In 2018, that angst will translate into action. Data custodians will be held to significantly higher data security standards. We’ll see more rigorous board and senior management oversight, with severe consequences for security malfeasance. More exacting regulations are already on the way - and they’ll continue to tighten fiduciary expectations and raise the penalties for non-compliance.

Security risk management will change as a result. Executives will find it far more difficult to fob off blame to subordinates. Benchmarks for acceptable risk will change, and the approaches organizations take to manage that risk will change too. Which leads me to my second prediction:

We’ll come to grips with the fact that perfect security isn’t possible.

In 2018, data custodians need to be better prepared for cloud breaches and their consequences. Due diligence on configurations, continuous auditing for security best practices, active monitoring, regular red team/blue team exercises, and response plans will be a big part of the security discussion in 2018.

Spotting, fixing, and reporting breaches quickly makes post-breach press conferences far easier on the CEO. Therefore, expect reaction times to get much more attention. This focus on responsiveness, combined with the move to the cloud, will disrupt the IT status quo. Policy-centric perimeter security tools need lots of labor to stay effective and up to date.

Those tools aren’t going away - but tolerance for their labor-intensive maintenance requirements is. The cloud magnifies the problem: DevOps and the drive for ever-faster service delivery velocity makes manual processes simply impossible. Which brings me to my third prediction:

Security automation will get real.

DevOps and cloud computing may have started the automation party - but expect security to get in on the action in 2018. In the cloud, automation use cases will expand beyond DevOps to make compliance, detection and configuration management more systematic and robust. Automation will also expand to include incident detection, forensics, and visibility.

Machine learning technologies will power successful automation solutions, and vendors with ML approaches will deliver significant value. Cloud security automation emerged as a theme in 2017 and it will become mainstream next year, with more and more organizations dramatically improving cloud security with automation in 2018. Complexity and the pace of change won’t slow down, and there will be broad agreement that conventional security tools aren’t right for the cloud.

Cloud service providers (CSPs) will continue to take security - and security automation - seriously. In 2017, for example, Amazon quickly responded to the high risk of AWS misconfiguration and leaky S3 buckets with new services and tooling. In 2018, CSPs will increase their commitment to cloud security. Third-party vendors, working in concert with CSP-native security capabilities, will deliver powerful new solutions to automate and simplify operations across the entire security stack.

Goodbye 2017!

2018 will be a watershed year in cloud security. After 2017’s string of shocking breaches, big changes are on the horizon. Risk calculations will shift towards a higher standard of care. IT practitioners will refocus on accountability and responsiveness.

And, with any luck, that will translate into a less “eventful” 2018!

About the author: Sanjay Kalra is co-founder and CPO at Lacework, leading the company’s product strategy, drawing on more than 20 years of success and innovation in the cloud, networking, analytics, and security industries. Prior to Lacework, Sanjay was GM of the Application Services Group at Guavus, where he guided the company to market leadership and a successful exit.

Google Patches High Risk Flaw in Chrome 63 Mon, 18 Dec 2017 09:17:23 -0600 Google has released Chrome 63.0.3239.108 to the stable channel to address two security vulnerabilities in the browser.

One of the bugs, tracked as CVE-2017-15429, was a Universal Cross-site Scripting (UXSS) issue in V8, the open-source JavaScript engine in Google Chrome and Chromium browsers.

The vulnerability can be exploited by a remote unauthenticated malicious actor to perform a UXSS attack. No further details on the vulnerability are publicly available at the moment.

The vulnerability was reported to Google on November 24 by an external researcher who chose to remain anonymous. Google paid a $7,500 reward for the bug report.

The second vulnerability Google addressed with the new browser release was reported by the company’s internal team. The Internet giant has yet to publish any information on the flaw.

Chrome 63.0.3239.108 is now available for download for all Windows, Mac, and Linux users.

This is the second Chrome 63 release Google made available this month. The first arrived on December 6 as Chrome 63.0.3239.84, with a total of 37 security fixes, including a critical out-of-bounds write vulnerability in QUIC.

Nineteen of those security flaws were reported by external researchers, and Google revealed it paid over $46,000 in bug bounties to the reporting researchers. The highest payout was $10,500.

In addition to resolving numerous vulnerabilities, Chrome 63 brought a series of security improvements for enterprise users, such as Site Isolation and the ability to restrict access to extensions based on the permissions required. The browser also brought Transport Layer Security (TLS) 1.3 for Gmail.

In an attempt to improve stability and security, Chrome will prevent applications from injecting code into its processes on Windows, starting next year.

Related: Chrome Improves Security for Enterprise Use

Related: Chrome to Block Apps from Injecting into Its Processes

Related: Chrome 62 Update Patches Serious Vulnerabilities

SAP Cyber Threat Intelligence Report – December 2017 Thu, 14 Dec 2017 10:29:00 -0600 The SAP threat landscape is always expanding, putting organizations of all sizes and industries at risk of cyberattacks. The idea behind the SAP Cyber Threat Intelligence report is to provide insight into the latest security vulnerabilities and threats.

Key takeaways

  • This set of SAP Security Notes consists of 19 patches with the majority of them rated medium.
  • Implementation Flaw remains the most common vulnerability type this month.
  • Researchers found a vulnerability in SAP HANA XS classic user self-service while examining a patch for a half-year-old vulnerability that allowed an unauthenticated user to distinguish valid from invalid user accounts.
  • SAP re-released a patch for a 3-year-old security issue.

SAP Security Notes – December 2017

SAP has released the monthly critical patch update for December 2017. This patch update includes 19 SAP Security Notes (15 SAP Security Patch Day Notes and 4 Support Package Notes) ranging from Medium to Very High priority. Four of the patches are updates to previously released Security Notes.

Six of the Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month.

Three of the released SAP Security Notes received a High priority rating, and one, an update to a previously released SAP Note, was assessed as Hot News with the highest CVSS score of 9.1.


The most common vulnerability type is Implementation Flaw.


SAP users are recommended to implement security patches as they are released.

Issues that were patched with the help of ERPScan

This month, one critical vulnerability identified by ERPScan’s researcher Mikhail Medvedev was closed.

  • A Log injection vulnerability in SAP HANA XS classic user self-service (CVSS Base Score: 5.3, CVE-2017-16687). An update is available in SAP Security Note 2549983. An attacker can use it to inject arbitrary data into the audit log. A large amount of bogus data complicates analysis of the audit log; it can also fill disk space rapidly and damage the event log.

Other critical issues closed by SAP Security Notes in December

The most dangerous vulnerabilities of this update can be patched with the help of the following SAP Security Notes:

  • 2449757: SAP Additional Authentication check in Trusted RFC has an Implementation Flaw vulnerability (CVSS Base Score: 7.6 CVE-2017-16689). Trusted RFC does not require a Trusted/Trusting Relation from the system to itself. A system always trusts itself. The trust relationship maintained in SMT1 is used as a secure way to identify remote trusted systems. For calls on the same system this is not necessary as the RFC infrastructure always knows that a call came from the same system in a secure way. Install this SAP Security Note to prevent the risks.
  • 2537152: SAP BI Promotion Management Application has a Missing authorization check vulnerability (CVSS Base Score: 7.3, CVE-2017-16684). An attacker can use it to access a service without any authorization procedure and use functionality that should be restricted. This results in information disclosure, privilege escalation and other attacks. Install this SAP Security Note to prevent the risks.
  • 2537545: SAP BW Universal Data Integration has a Cross-Site Scripting (XSS) vulnerability (CVSS Base Score: 6.9, CVE-2017-16685). An attacker can exploit it to inject a malicious script into a page. Critical information stored and used for interaction with the web application can be accessed, and an attacker might gain access to the user session, learn business-critical information or even take control of that data. In addition, XSS can be used for unauthorized modification of displayed content. Install this SAP Security Note to prevent the risks.

Advisories for these SAP vulnerabilities with technical details will be available in 3 months on Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.

Information Disclosure vulnerability in SAP HANA XS Classic User Self-Service

Six months ago, Onapsis identified a bug that allowed enumerating the users of Self-Service: an attacker could abuse the “forgot password” functionality and, from the differing error messages, determine whether a given user exists. It was reported to SAP and a patch was released.

Afterwards, one of ERPScan’s researchers examined this fix and identified another vulnerability in the same service. The details of that vulnerability are given above.

It turned out that the researcher bypassed the check simply by adding a space to the user name, and received the following response:

{"name":"SystemError","message":"dberror(Connection.prepareStatement): 331 - user name already exists: : line 1 col 24 (at pos 23)"}
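The two HANA XS user self-service issues above, the log injection and the account-existence leak that survived an exact-match fix, share a root cause: untrusted input reaches a comparison or a log line before it is normalised and escaped. The following is an added Python example, not SAP's or ERPScan's code; the account set, the function names and the neutral reply are constructed for the demonstration, and it places a leaky "forgot password" handler beside a hardened one.

```python
import re
import unicodedata
from typing import List, Optional

# Constructed sample account store for the demo (not any real system's data).
USERS = {"alice", "bob"}

# Existence-neutral reply returned for every "forgot password" request.
NEUTRAL_MSG = "If an account matches the supplied name, a reset link has been sent."


def normalise_username(raw: str) -> Optional[str]:
    """Canonicalise a submitted name before any comparison or log write.

    A check that compares the name exactly as typed can be sidestepped by a
    trailing space or another Unicode form of the same letters. Here the name
    is NFKC-normalised, stripped and lower-cased, then rejected unless it
    matches a strict allow-list, so 'Alice ' and 'alice' map to one account
    and anything else never reaches the database layer.
    """
    name = unicodedata.normalize("NFKC", raw).strip().lower()
    return name if re.fullmatch(r"[a-z0-9._-]{1,64}", name) else None


def sanitise_for_audit(value: str, max_len: int = 128) -> str:
    """Render untrusted text safe for a line-oriented audit log.

    Log injection relies on CR/LF and other control characters to forge extra
    log lines, or on sheer volume to fill the disk. Escaping control characters
    and capping the length keeps one request to one bounded log line.
    """
    out = []
    for ch in value[:max_len]:
        if ch == "\r":
            out.append("\\r")
        elif ch == "\n":
            out.append("\\n")
        elif ord(ch) < 0x20 or ch == "\x7f":
            out.append(f"\\x{ord(ch):02x}")
        else:
            out.append(ch)
    if len(value) > max_len:
        out.append("...[truncated]")
    return "".join(out)


def forgot_password_leaky(raw_name: str, audit: List[str]) -> dict:
    """Pattern to avoid: raw input logged as-is, and a reply that differs by account."""
    audit.append(f"reset requested for {raw_name}")  # unescaped: forged lines possible
    if raw_name in USERS:  # exact match: 'alice ' is not found, 'alice' is revealed
        return {"error": "user name already exists"}
    return {"error": "user not found"}


def forgot_password_hardened(raw_name: str, audit: List[str]) -> dict:
    """Hardened handler: normalise first, log safely, answer uniformly."""
    name = normalise_username(raw_name)
    audit.append(
        f"password_reset_requested user={sanitise_for_audit(raw_name)!r} "
        f"well_formed={name is not None}"
    )
    if name is not None and name in USERS:
        pass  # a real service would enqueue the reset e-mail here, nothing more
    # Identical body whether the account exists, is absent, or was malformed.
    return {"status": "accepted", "message": NEUTRAL_MSG}
```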

Remote Command Execution vulnerability in Apache Struts

December’s set of SAP Security Notes includes 4 updates to previous fixes. One of them, the SBOP solution for the Apache Struts 1.x vulnerability, has a High priority rating. It is an update to an SAP Security Note released more than three years ago, in August 2014.

SAP had patched the issue in a third-party product earlier and noticed the vulnerability in Apache Struts itself only recently. The vulnerability in Apache Struts enables an attacker to exploit the resources used to serve BI Launchpad, LCM and Monitoring.

SAP users are recommended to implement security patches as they are released.

Understanding Endpoint Threat Diversification to Help Better Secure Infrastructures Thu, 14 Dec 2017 08:29:27 -0600 The threat landscape has evolved considerably over the years, as the technology stack deployed within local and cloud infrastructures has changed dramatically to include a wide array of tools, services and stakeholders. Threat diversification has driven the development of new, layered security technologies aimed at preventing advanced and sophisticated malware from breaching security at various attack stages.

Endpoint security has become the new normal and, while it can secure organizations against mass-market malware, advanced persistent threats (APTs) are purposely built to dodge this security mechanism. Only layered endpoint security, fueled by machine learning and behavioral analysis, can protect against these attacks and the wide range of techniques they use, and ensure accurate disposal of new and unknown malware.

Deploying aggressive analysis tools on endpoints is not without drawbacks, however, including performance issues. Therefore, cloud sandboxing has emerged as an increasingly important option for detecting sophisticated attacks pre-execution, and for securing endpoints without compromising their performance.

Sandboxing vs. Emulation

Although the terms sandboxing and emulation are sometimes used interchangeably, the two technologies show fundamental differences when we look closely at how advanced malware works and how it is detected. Standard endpoint protection (EPP) emulation is usually handled locally, and only select chunks of code are analyzed, followed by feature extraction performed by machine learning algorithms. Since the entire analysis process is performed in mere milliseconds, it is limited by local computing resources and therefore at risk of false positives.

Emulation is an integral part of anti-malware’s pre-execution security stack and plays a vital role in the overall security stack of an EPP solution. As such, its importance should not be downplayed: it offers a vital pre-execution layer designed to filter out garden-variety threats without overtaxing a cloud-based sandbox with easily predictable threats.

Conversely, cloud sandboxing detonates the actual file, including additional payloads, in a virtual cloud host meant to replicate the endpoint configuration. The biggest difference between the two is that unlike emulation, where local resources are limited, a cloud-based sandbox utilizes a significantly larger pool of computing power to fully analyze the complete behavior of a potential threat in real-world conditions.

Since most advanced threats employ sophisticated reconnaissance techniques before dropping additional malicious components, a sandbox analysis provides complete visibility into the entire attack chain. This enables the security solution to prevent the initial attack vector and identify other components or tools that threat actors use to gain access to a machine. As the sandbox analyzer is not a production machine, the security tools designed to perform behavioral analysis can be configured to a heightened state of alert – a sort of paranoid mode – that would allow close monitoring of all actions performed by the execution of a potentially malicious file.

The entire process of submitting an unknown file to a sandbox analyzer may take longer than simply running the local emulator, but the behavioral information collected from the sandbox analyzer is far more detailed and more reliable. A verdict on whether a file is malicious is based on more than one technology. For example, specifically trained machine learning algorithms and advanced behavior-based security tools can assess the threat in more depth than locally configured, performance-friendly security tools.

In a nutshell, while both emulation and cloud-based sandbox analysis are an integral part of threat detection, the latter is specifically built to detect and analyze sophisticated threats using machine learning algorithms and aggressive behavior analysis technologies that would otherwise negatively impact the performance of the local machine.

Disarming Threat Actors’ Weapon of Choice

One thing that sophisticated threats have in common is their reliance on commonly used files to deliver malicious payloads. Documents and executables are often used as both reconnaissance and malware delivery mechanisms when infiltrating an organization.

Taking those files and “detonating” them in controlled environments, away from the victim’s endpoint, means threat actors are practically disarmed, as their most effective and commonly deployed weapons are essentially rendered useless.

Tightly integrated with a company’s EPP, cloud-based sandbox analyzer technology can only strengthen the overall security posture, acting as a new security layer specifically designed to detect malware and report unusual artifacts that employ all sorts of anti-evasion techniques. Moreover, with its rich forensic information, it can give companies a complete and detailed analysis of any detected threat, enabling them to strengthen or rethink a variety of security policies across the infrastructure.

About the author: Liviu Arsene is a Senior E-threat Analyst for Bitdefender, with a strong background in security. He has been closely working and interfacing with cross-company development teams, as his past Product Manager role involved understanding Bitdefender’s technology stack.

BankBot Targets Polish Banks via Google Play Tue, 12 Dec 2017 14:17:16 -0600 Two new applications that managed to slip into Google Play despite being infected with the BankBot Trojan have been observed targeting the legitimate apps of Polish banks, ESET warns.

The malware hid inside the seemingly legitimate Crypto Monitor, an app for tracking cryptocurrency prices, and StorySaver, a utility that helps users download stories from Instagram. Both applications provide their users with the promised functionality, but also serve a nefarious purpose.

On the victim’s device, the apps can display fake notifications and login forms that have been designed to look as if they come from legitimate banking applications, which allows them to harvest the credentials victims enter into the fake forms.

They can also intercept text messages, thus being able to bypass SMS-based 2-factor authentication.

The BankBot banking Trojan was first observed about a year ago, when its source code leaked online alongside instructions on how to use it. It took over a month for the first malware based on that code to emerge, but numerous BankBot variations have been observed since, some in Google Play.

In a report published in early November, RiskIQ revealed that the malware had managed to slip into the official Android application store disguised as Cryptocurrencies Market Prices, an application offering timely information to people who trade on cryptocurrency marketplaces.

Only a couple of weeks after that report, the Crypto Monitor malicious app was uploaded to Google Play, under the developer name walltestudio. Four days later, on November 29, StorySaver was published to the marketplace, under the developer name kirillsamsonov45, ESET says.

The applications had between 1000 and 5000 downloads when ESET reported their malicious behavior to Google on December 4. Both of them have been removed from the application store.

After being launched on the infected device, the malicious apps retrieve information on the installed programs and compare them against a list of targeted banking software.

According to ESET, the malware targets the official apps of fourteen Polish banks, namely Alior Mobile, BZWBK24 mobile, Getin Mobile, IKO, Moje ING mobile, Bank Millennium, mBank PL, BusinessPro, Nest Bank, Bank Pekao, PekaoBiznes24, plusbank24, Mobile Bank, and Citi Handlowy.

The malware can display fake login forms imitating those of the targeted apps and can do so either without any action from the user, or after the user clicks on a fake notification.

ESET claims that most of the infections (96%) were detected in Poland, but that a small set of users in Austria were infected as well (the remaining 4% of detections). The local social engineering campaigns propagating the malicious apps contributed to this.

“The good news is that this particular banking malware doesn’t use any advanced tricks to ensure its persistence on affected devices. Therefore, if you’ve installed any of the above described malicious apps, you can remove them by going to Settings > (General) > Application manager/Apps, searching for either “StorySaver” or “Crypto Monitor” and uninstalling them,” ESET says.

Mobile banking users who installed one of the malicious applications are advised to check their bank account for any suspicious activity. They should also consider changing PIN codes, the researchers say.

Related: Millions Download "ExpensiveWall" Malware via Google Play

Related: Android Malware Found on Google Play Abuses Accessibility Service

Creating a Meaningful Security Awareness Training Program Is a 12-Month Commitment Mon, 11 Dec 2017 10:49:00 -0600 Let’s start by asking ourselves a question: As an industry, do we do ourselves a disservice with National Cybersecurity Awareness Month (NCAM)?  

When we have a month and event established on the premise of raising awareness, we start to see corporations, government agencies and organizations put all their efforts and resources around building a big splash that month. In doing that, they tend to downplay and deemphasize the other 11 months of the year. They unintentionally communicate that cybersecurity is not something that needs to be integrated into their day-to-day, or even week-to-week lives, but rather it’s presented as an externality. It becomes an “other,” or an “add-on,” and it’s approached in a way that isn’t tied into, or even relevant, to the rest of their lives. NCAM is an event, and events by their very definition imply that it is other or special, something out of the norm.

When you look at other disciplines in life, where people, cultures or companies try to integrate ideas into our thinking, the messaging is much more frequent and distributed. And while it may be less flashy, the consistency is more valuable.

A great comparison is the world of marketing. You don’t see McDonald’s having a burger month once a year; instead they hit you with information, ideas and promotions as often as they can afford to. Why? They want to integrate into the everyday decision-making process; they want you to have immediate brand recognition and immediate relevance. The security industry has a lot to learn from people who know how to make ideas stick and know how to influence behavior.

So yes, in my opinion NCAM can be a disservice. But should we get rid of it? Absolutely not.  

NCAM is a good call to action, but don’t put all your eggs in that basket. When you talk about things in that context, you’re hitting people with information that may not be relevant to that day or week. For example, if you’re teaching password best practices during October, it will not sync up with when the vast majority of people in your organization need to change their passwords. By the time password change requirements occur, employees will divert to previously-learned behaviors and forget to leverage the information they were given. Instead, we need to more strategically distribute the password tools and lessons at the right time or place, so we’re hitting employees with the most relevant information when they are about to make an action. That’s where we need to be -- we need to put the trigger at the point, or as close to the point, when the action is about to happen.

When it comes to what you can or should be doing, particularly on the security awareness training front, you need two things: 1) to have your finger on the pulse of organizational culture and 2) executive buy-in. If you get both, you can understand the company dynamic and can then set clear expectations about what your level of engagement will be and how you will effectively use people’s time and attention.

But how do you get there, and then how do you implement?

Best Practice #1: Get Executive buy-in. Speak the language of the business and tie awareness training into the way your organization views risk and opportunity. Explain that if you only raise awareness during NCAM, or if you only do new hire training, it will be ineffective and you will not be able to change behavior. Don’t allow training to become solely a legal or compliance checkmark.

Best Practice #2: Work with your internal marketing team. Not only do they know how to communicate and influence, but they understand your brand identity, the goals that you have, and the way your company talks about things, as well as an informed view of how/when other internal communications are occurring. Don’t be an outsider; instead take an internal communications approach.

Best Practice #3: Be strategic with frequency. Treat it like marketing swimlanes. Think about different channels (modes of communication and types of messages) and how you would distribute them over time. As a result, you build greater awareness of your security ‘brand’ and core messages, and have the best chance of creating secure reflexes.

A piece of this is implementing the “Five Moments of Need” model within training. If you want to communicate new ideas or get people to adopt a new patterned behavior, use point-in-time training. At a high level, this looks like: 1) telling people about something for the first time (new hire or yearly training, etc.); 2) learning more through ongoing training, which is still point-in-time and event-based; 3) “just-in-time” training when employees want to apply knowledge (e.g. a password change); 4) when something goes wrong, which is where simulated phishing or traditional blocking technologies come into play; 5) when something changes (systems, law, regulation, etc.), people may need associated training.

Best Practice #4: Use variety when sharing ideas and tools. Various forms of content resonate differently with different people. People are individuals, each with their own way of absorbing communication, so it’s important to share content in a variety of ways, from newsletters to video; options are necessary to get everyone’s attention and focus.

In general, I recommend an 80/20 rule. You want to apply approximately 20 percent of your budget and efforts during NCAM while the remaining 80 percent should be dispersed over the other 11 months. That allows you to make a big splash in October but still stay relevant and top-of-mind all year long when it will matter most.

About the author: Perry Carpenter is the Chief Evangelist and Strategy Officer for KnowBe4, the provider of integrated new school security awareness training and simulated phishing platform.
