2018: The rise of Cryptominers

Posted on April 23, 2018 by Cheryl Biswas

They’re everywhere. Really. Everywhere. And if you don’t think they’re on your systems, think again. In the first 3 months of 2018, unique cryptominer types increased from 93,750 to over 127,000. Compare that to ransomware, which was doing a booming business from 2016 into 2017. New ransomware variants actually declined from 124,320 to 71,540. Exploit kits are also down. That’s significant, because cybercrime is all about efficiency and profit. Illegal or malicious cyrptominers have evolved from a nuisance infecting individual systems to a pervasive threat on enterprise systems.

Per researchers at Cisco TALOS

“The number of ways adversaries are delivering miners to end users is staggering. It is reminiscent of the explosion of ransomware we saw several years ago. This is indicative of a major shift in the types of payloads adversaries are trying to deliver. It helps show that the effectiveness of ransomware as a payload is limited. It will always be effective to ransom specific organizations or to use in targeted attacks, but as a payload to compromise random victims its reach definitely has limits. At some point the pool of potential victims becomes too small to generate the revenue expected.”

The lure of easy money is unmistakable. Cryptominers offer “continuous passive income” versus the risk of not getting a ransom with ransomware. And you can’t beat the return on investment. It’s pretty much pure profit, since the miners use somebody else’s resources.

The trend actually took hold in 2017, and has not stopped escalating. ZScaler reports it blocked more than 2.5 billion attempts over the past 6 months. On April 12, Infosecurity Magazine reported that cryptomining spiked 500% on corporate networks. This is no longer a single-machine effort, but a massive, coordinated hunt by botnets for vulnerable systems. Researchers report that within the space of 24 hours, attackers tried to compromise 30% of networks globally using botnets to find vulnerable servers and web applications. PATCH people!

Mining is resource-intensive. Monero has moved past what standard user systems can supply. Now, it requires graphics cards or preferably application specific integrated circuit ASIC chips. We’re seeing miners shift to mining alternative currencies to Monero that can be mined using any CPU.

The impact is significant in terms of wear and tear on hardware. Miners usurp corporate bandwidth. They cause performance issues, and we know that uptime must be all the time. What enterprises should also take note of is that they could be at risk of compliance violations because of the unidentified activity on their corporate systems.

PIVOTS: In 2016, we saw ransomware pivot and morph from attacking individuals to leveraging vulnerabilities on servers and networks and attacking institutions. We’re seeing the same thing happen with cryptominers, as criminals discover how to make better money, faster. They are hunting for web servers and applications they can exploit via unpatched vulnerabilities, both old and new. Once they can compromise a system, they install the mining software.

Now, it appears that criminals are repurposing malware as miners, which is not a good thing when that malware happens to be ransomware. Case in point: XiaoBa. Researchers at Trend Micro report this new variation was not modified well, so that it is destructive. The sloppy code destroys files and crashes PCs. While his isn’t widespread, and will likely be reworked, the damage has been done to numerous systems. And raises the bigger issue: what will attackers rework next, and whose systems will be at risk?

MINERS: The one to watch for is Coinhive, as the most impact and pervasive.

BOTNETS: Smominru: this is one of the biggest, most successful cryptojacking botnets active. So far, it’s netted $2.3 billion by leveraging the EternalBlue exploit to infect and enslave computers as part of the botnet. At more than half a million bots, the system is massive, and had evaded sinkhole attempts against it.

TARGETS: Because browsing time by users is high, nudity/porn sites, or those with streaming media, offer the most value for miners. However professional and marketing services are also rating high, bringing miners onto corporate networks.

Android and mobile systems: Kaspersky reports they found malicious mining apps in the Google Play store, imitating legitimate apps like games and VPNs, and notably sports streaming apps. Some of these were downloaded over 100,000 times. The criminals know this is a numbers game, because mobiles aren’t high performance and the risk of detection is higher. Mining has become a frequent topic on darkweb forums, as members share knowledge, experiences and advice to improve their success.

Coinhive has evolved over time. Numerous compromised sites use JavaScript obfuscation and the final code presents itself as Google Analytics JS to viewers.

ATTACKS: ZEALOT was discovered by researchers at F5 in late 2017. This Monero cryptominer installed itself on vulnerable Apache Struts systems, leveraging the EternalBlue and EternalSynergy exploits. PATCH, people!

A recent attack is leveraging an older ISS vulnerability on Windows servers. Microsoft was going to let IIS Internet Information Services 6.0 run its course and die. But there was a WebDAV exploit posted on GitHub in March 2017. The vulnerability, CVE-2017-7269, is very similar to the NSA “Explodingcan” exploit that was part of the infamous Shadow Broker’s Good Friday dump. Attackers used that flaw to install cryptominers. We all know that once a vulnerability is made known, attackers pounce and exploits follow. In this case, the exploits has a new ASCII shellcode that contains a return ortiented programming ROP chain. This uses instructions that are already loaded in memory, so there is no need to write or execute further external code. This enables the attackers to bypass security mechanisms, like executable space protections and code signing.

Lateral movement. Those two words should scare every security analyst. It’s what we fight to prevent. We don’t want the attacker to get to move through our networks and gather data. But this is the hallmark of sophisticated ransomware attacks on enterprises, and it’s now part of cryptominers. In a report by Red Canary, they detail how an adversary mixed lateral movement with cryptomining on a Windows system. We know there are processes to watch over very, very carefully in Windows. In this case, they found numerous Windows command shells that were spawning from the Local Security Authority Subsystem process, lsass.exe. This process handles user authentication for a system and typically does not have child processes. Authentication is a crown jewel so anything impacting this is critical. The child processes that would spawn would inherit major privilege and have unrestricted access to the local system. Hello, lateral movement. This is the threat to enterprise systems we need to be monitoring.

PROTECTION: Set up a web application firewall infront of all applications. Keep your system patched and up to date. And monitor system performance for even small impacts. There are numerous threat intel teams now tracking the mining bots and sharing IOCs, as in the link below from Proofpoint. That is the beauty of the security community at work. Security teams can use this info to ensure their networks are not communicating with mining bots. Because all that glitters is not gold – it’s bitcoin.

ZDNet 04/05/2018 D. Palmer
Red Canary: T. Lambert April 4
darkreading 4/5/2018 T. Kreikemeier
Comodo Cybersecurity Threat Research Labs Q1 Global Malware Report
https://www.tripwire.com/state-of-security/featured/smominru-half-million-pcs-hit-cryptomining-botnet/
https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators
https://www.bleepingcomputer.com/news/security/xiaoba-ransomware-retooled-as-coinminer-but-manages-to-ruin-your-files-anyway/
https://www.helpnetsecurity.com/2018/04/12/cryptomining-enterprise/

Today’s Advisories

Posted on January 30, 2018 by Cheryl Biswas

CISCO scores a perfect 10 on vulnerability. Fixes available. DO IT NOW!

This vulnerability is critical. CVE-2018-0101 is ranked 10 out of 10 for severity. That means it can be easily exploited, remotely exploited and no authentication required. There are no workarounds “so customers must either disable the ASA VPN functionality or install updated OS versions”. Get yer patches up now!

Cisco says that an attacker can send malformed XML packets to such devices and execute malicious code on the device. Depending on the code’s nature, an attacker can gain control over the device.

It affects any devices running ASA Adaptive Security Appliance software only if they have the “webvpn” feature is enabled in the OS settings. You can find more information about ASA Software version numbers for fixed releases in Cisco’s CWE-415 security advisory.

Per Bleeping Computer https://www.bleepingcomputer.com/news/security/cisco-fixes-remote-code-execution-bug-rated-10-out-of-10-on-severity-scale/

New Ransomware GandCrab being delivered by RIG exploit kit.

This one requests DASH cryptocurrency which is apparently harder to trace by law enforcement. Ransom is 1.54 DASH or $1170 USD. It apends .GDCB to files it encrypts. Here’s how victims will know it’s too late:

At some point, the ransomware will relaunch itself using the command “C:\Windows\system32\wbem\wmic.exe” process call create “cmd /c start %Temp%\[launched_file_name].exe”. If a user does not respond Yes to the below prompt, it will continuously display the UAC prompt.

Be advised: there is NO decryptor currently available for GandCrab. Follow the standard security protocols to keep your data and systems safe.

Use antimalware security software that incorporates behavioral detections to combat ransomware like Malwarebytes or Emsisoft Antimalware
Scan attachments with tools like VirusTotal.
Have all current updates, especially for Java, Adobe, Windows

Per Bleeping Computer https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/

Happy New Year 2018 – Let the Dumpster Fires Begin

Posted on January 15, 2018 by Cheryl Biswas

Just three days into 2018, two massive security warnings were issued for Meltdown and Spectre. About those names – for an industry that claims to hate FUD, we need to work on this. But all kidding aside, these are perhaps the biggest inherent vulnerabilities to be brought to light that I am aware of. For good reason. When almost every device we use in our online and connected lives contains the problem at hand, it’s a top-tier event. Rather than jump on the “sky is falling” bandwagon, I chose to wait things out and read all that I could. There are far more experienced and knowledgeable people who have been weighing in on this from the start, and I will share links to their excellent insights and explanations. Also, as dust settles we can seee things more clearly, which is very relevant when dealing with a situation as massive and impactful as this. More details come available; facts are verified; information about what to do is tested and shared. Worth waiting for given that there was no immediate fix and panic is never a solution.

Here is the simplest breakdown of what both are by Daniel Miessler. What everyone is worried about is that both of these enable attackers to access information and processes that we had all thought were inherently secured, like privacy keys we use to protect our data. Daniel lays it all out here:

Both Meltdown and Spectre allow low-privilege users who execute code on your system to read sensitive information from memory via Speculative Execution. The basic concept for these two attacks is that you should consider secrets to be attackable any place you’re allowing someone else’s code to run on an affected system.

In Meltdown that means “any secret a computer is protecting (even in the kernel) is available to any user able to execute code on the system.” (Miessler) Spectre is worse in that it “works by tricking processors into executing instructions they should not have been able to, granting access to sensitive information in other applications’ memory space.” (Miessler)

What I have been listening for is how this may impact Cloud computing, which we only think we understand, and we need to remember is just somebody else’s server. Jerry Bell has written a piece on his blog, “Thoughts on Cloud Computing in the Wake of Meltdown”. He happens to be one of my go-to sources as part of the Dynamic Duo on the Defensive Security Podcast. First, the good news. As managed service providers running largely out of datacenters, these operations will have likely been told to patch ahead of most, and done so in the best interests of running their business. As well, since datacenters are large organizations managing many clients, they will be using automation to help the patching process. And patching is complicated, especially when it comes to these critical issues.

And that brings us to the not so good news. Patching virtual machines isn’t always straightforward or successful.

spec2 spec1

As Jerry presents:

Meltdown provided an apparent possibility for a guest in one virtual machine to read the memory of a different virtual machine running on the same physical server. This is a threat that doesn’t exist on private servers, or is much less concerning for private cloud. This vulnerability existed for many years

And then there are performance issues. Interestingly, as Jerry points out, not as hard to mitigate on cloud as they would be for physical servers.

One of the big downsides to cloud therefore, seems to the risk of a sudden change in the operating environment that results in higher cloud service costs. As problematic as that might be, firing an API to increase the execution cap or add CPUs to a cloud server is logistically much simpler than private physical servers experiencing the same performance hit and needing to be replaced, which requires the arduous process of obtaining approval for a new server, placing the order, waiting, racking, cabling, set up, and so on.

Based on this, and what has been occurring across 2016 and 2017, I predict we will see more of these events where something we did in the past comes back to “haunt” us, from a time when we did not have any idea of how technology would develop. We are now uncovering what lies beneath the surface of frameworks we rely on that others laid down before us. Simon Segars is CEO of ARM Holdings, which designs mobile chips. He warned at CES 2018 in Vegas last week that we need to expect more of these discoveries. He states one of my chief concerns here:

“The reality is there are probably other things out there like it that have been deemed safe for years.. Somebody whose mind is sufficiently warped toward think about security threats may find other ways to exploit systems which had otherwise been considered comletely safe.”

We don’t know what we don’t know unfortunately in this case, so we need to be prepared for similar discoveries. More importantly, we need to be ready to assess, then share the information in a controlled and constructive fashion while we mobilize immediate and long term responses to the event. My watchword now is “prudence”, both in terms of patching, and then in terms of vigilance as we watch over all our systems with new eyes and insights. Haste makes waste. Because as time has borne out, and is once again, patches can go sideways very badly. Whether you brick a device or you brick an enterprise, both outcomes are severe.

UPDATE ON PATCHES

Per Steve Ragan’s piece in CSO Online, Microsoft has suspended Windows security updates related to this issue on systems with older AMD CPUs, after a documentation mix-up led to the systems being unable to boot after patches were applied.

In order to “prevent AMD customers from getting into an unbootable state,” Microsoft has temporarily paused sending the following Windows updates to devices with impacted AMD processors:

January 3, 2018—KB4056897 (Security-only update)
January 9, 2018—KB4056894 (Monthly Rollup)
January 3, 2018—KB4056888 (OS Build 10586.1356)
January 3, 2018—KB4056892 (OS Build 16299.192)
January 3, 2018—KB4056891 (OS Build 15063.850)
January 3, 2018—KB4056890 (OS Build 14393.2007)
January 3, 2018—KB4056898 (Security-only update)
January 3, 2018—KB4056893 (OS Build 10240.17735)
January 9, 2018—KB4056895 (Monthly Rollup)

There are some excellent writeups out there. Here are some suggestions:

https://www.csoonline.com/article/3245770/security/spectre-and-meltdown-what-you-need-to-know-going-forward.html

https://blog.malwarebytes.com/security-world/2018/01/meltdown-and-spectre-what-you-need-to-know/

https://www.renditioninfosec.com/2018/01/meltdown-and-spectre-vulnerability-slides/

https://infosec.engineering/thoughts-on-cloud-computing-in-the-wake-of-meltdown/

Quickhits: Monday Dec 18 2018

Posted on December 18, 2017 by Cheryl Biswas

New attack on Apache Struts: We’ve seen patches issued in March, May and agin this fall for exploits against vulnerabilities in this widespread open source web development framework used to build JAVA web applications. In this report by F5 labs, a sophisticated new campaign, “Zealot”, is leveraging ShadowBroker exploits EternalBlue and EternalSynergy. Zealot is described as a “highly obfuscated and multi-staged attack”, in keeping with these exploits, and utilizes Powershell in Windows attacks, and Python in Linux attacks. Zealot mines the cryptocurrency Moneris, popular amongst cybercriminals.

Potential for Uptick in Iranian-based attacks: The nuclear deal between Iran and the US seems tenuous at best. There is growing concern that should Trump end things, there will be a corresponding response from Iranian-based hackers. Iranian attacks are state-sponsored, so these won’t be cybercrime cash-grabs, but targeted espionage or worse, damaging attacks against infrastructure, like Shamoon wiperware. And since the attackers do the recon well in advance of the big event, I’d be watching IP addresses and any data exfil carefully.

Banking Trojan Emotet: There is an increase in banking trojan activity. Malware hunters are sharing reports on new activity for Emotet, which made a resurgence in July this year. A dedicated group of researchers has been steadily updating and sharing their findings on Pastebin here.

VirusBulletin and Critical Flaws: VirusBulletin is a very widely used forum for security analysts to test and share malware or suspect findings. Two researchers claim there are unpatched critical flaws that have yet to be remediated and that VirusBulletin has been advised.

Quickhits: Thursday Dec 14 2018

Posted on December 14, 2017 by Cheryl Biswas

Attacks on ICS: FireEye has identified a new targeted attack on ICS. “Triton” is designed to cause physically damage and harm operations. Thanksfully, this latest attack failed, but the lessons and warning are huge. Consider the implications of this against water ppurification plants; nublear power plants; major processing plants that cannot sustain downtime. Triton goes after the SIS or safety implemented system controllers. The FIreEye report describes the malware as follows:

TRITON is one of a limited number of publicly identified malicious software families targeted at industrial control systems (ICS). It follows Stuxnet which was used against Iran in 2010 and Industroyer which we believe was deployed by Sandworm Team against Ukraine in 2016. TRITON is consistent with these attacks, in that it could prevent safety mechanisms from executing their intended function, resulting in a physical consequence.

While FireEye cannot attribute the actor, they suggest with some certainty this is the act of a nationstate, they back it up with this statement:

The attacker targeted the SIS suggesting an interest in causing a high-impact attack with physical consequences. This is an attack objective not typically seen from cyber-crime groups.

New Banking APT: The discovery of a new long term attack on banks was revealed this week. Dubbed “MoneyTaker”, a report issued by Group-IB Security details how the group has taken over $11 million across 18 months from over 20 targets in the UK, Russia and US, including banks and legal firms. Dmitry Volkov, co-founder of Group-IB and head of intelligence, stated:

“MoneyTaker uses publicly available tools, which makes the attribution and investigation process a non-trivial exercise,” says. “In addition, incidents occur in different regions worldwide and at least one of the US Banks targeted had documents successfully exfiltrated from their networks, twice. Group-IB specialists expect new thefts in the near future.”

The twist here is that MoneyTaker is leveraging pentesting tools like Metasploit, NirCmd, psexec, Mimikatz, Powershell Empire. They used PSExec to propogate across the network, per The Hackernews. The article reports they are also using Citadel and Kronos banking trojans to deliver a specific point of sale or POS malware known as ScanPOS.

The group has been targetting card processing systems, like the Russian Interbank System AWS CBR and SWIFT which prompted Group-IB to warn that Latin America is a tempting target because of their broad use of STAR. I’ll be writing more about this as a separate piece. Stay tuned.

My First Keynote: Lookout S(h)ecurity Bootcamp Toronto

Posted on December 14, 2017 by Cheryl Biswas

Lookout Security in Toronto is hosting an exciting event on January 12 2018 for women who are interested in cybersecurity, and currently in the tech field. I am honoured to have been asked to be the keynote speaker at this event. This will be my first keynote! I love that this happens with something I really care about: encouraging women in tech, specifically in cybersecurity.

This is what it’s all about. Encourage learning, growth and opportunity. Events like these grow far beyond the one day they are held, as I can attest from my work with The Diana Initiative. Friendships form, bonds are made, contacts and networking happen. It’s all good!

This is going to be a fantastic and fun day of learning. You had me at reverse engineering! What a great opportunity. Thank you Lookout!

Getting Things Done

Posted on October 12, 2017 by Cheryl Biswas

Series by Dr. Gary McGraw

Dedication. Vision. Accomplishment. Passion. These are the forces of change within cyber security, and just some of the distinctive qualities about the guests Dr. Gary McGraw featured for an entire year on his Silver Bullet podcast.

We know there is a shortage of women, of diversity, in science and technology careers, particularly in cyber security. Rather than make that the focus, this series and these women tell stories that resonate. They share their experiences, and their passion for what they do enfuses each conversation. There are no rockstars or grandstanders here because there is no room for ego when there is work to be done.

These are my role models, my teachers, my heroes. They illuminate the darkness of our own ignorance about medical device security; making security meaningful to those outside our security enclave; understanding the power of digital forensics; crafting not just secure code but a security mindset within development.

This series is so much more than just an homage to women in tech. There is tremendous strength to be realized in our diversity; within our differences are the tools and solutions we seek for what lies ahead. I am so honoured to have been included. Thank you!

Avast AV & CCleaner Massive Malware Download: How to Help the End users

Posted on September 18, 2017 by Cheryl Biswas

Screenshot of CCleaner from Talos Blog

Computers are hard. Ask the average user. They expect technology to serve their needs, not the other way around. Computers are supposed to be instant gratification, entertainment, making life easier, solving problems. They are not supposed to require much more effort than pressing the “on” key and typing. Anything else is our problem – we we were supposed to build security in, right?

We talk increasingly about “the human condition” in tech and security, because more often than not, it is that path of least resistance. Attackers know how we succumb – hence phishing. We opt for free – but you really do only get what you pay for, and buyer beware. Convenience, immediacy, lowest price – these drive the standard of quality in our connected world. It explains the current abysmal state of the IoT. And as we know, we cannot keep doing what we have been doing because – say it with me – it just doesn’t work anymore.

So when things go wrong, which they have been on an almost daily basis it seems, we who are tech reach out to the end users and let them know that they have to do more: remove software, delete files, check for files, run scans. As anyone who has ever worked helpdesk or worked with end users knows, this is not an easy ask. Most people struggle with just setting up their ISP modem/routers. Never mind removing default passwords or enabling controls. People tend to be afraid of technology, because as humans, we are afraid of what we don’t know. So we are afraid of breaking things, just as we are afraid to ask for help. And face it, tech support has earned its reputation for good reason. People know when they are being made fun of, talked down to. We don’t make it easy for people to ask for help.

It doesn’t help that mega breaches and global ransomware outbreaks have been consistently in the headlines this past year. It’s enough to give anyone breach fatigue. And that’s what brings me to this. The talented team at Cisco Talos have issued a warning in their blog about a massive malware infection being spread by a tool, CCleaner 5.33, that has been shipping with a popular, often free, antivirus product, Avast. This is the statement according to Piriform, who owns CCleaner:

“An unauthorized modification of the CCleaner.exe binary resulted in an insertion of a two-stage backdoor capable of running code received from a remote IP address on affected systems.”

There are excellent technical write ups on this latest event and mine is not one of them. Initially, I saw the threat of securing third parties – we all know the perils of supply chain. But then, as I read through it, I realized I could read through it only after months of immersing myself, by choice, in infosec. Choosing to look up and learn what I did not already know (which is still a lot). The average user – that ain’t happening. They may read some of the articles that are more mainstream, but don’t bank on that either. Increasingly, end users are hitting the bar. Some are defeatist, saying they don’t care anymore, it’s pointless, what can they do anyway. Others believe in the power of the megacorps to protect them, so they follow whatever advice is given, like buying credit monitoring. Because that is easier than having to piece together a solution themselves on something they really know nothing about. And others prefer the head in the sand approach – Hear no evil, see no evil. I kid you not.

Some are lucky enough to have the money to pay a tech to fix the problem. Some have tech friends/family who can fix it for them. Most, however, are cast adrift on a sea of increasing peril, without life preservers. And even if we threw them a lifeline, we can’t expect they would be willing to take it. Trust goes both ways.

Before you make fun of the folks who chose Avast because it was free, here’s how I rationalized it years ago, before I arrived in InfoSec. I knew I needed to do something to secure my computer, and a free AV was better then nothing at all. Plus I could use it. And understand enough to use it, to scan. To pay attention if it alerted me. Maybe I even read a bit more to see that it suggested things I could do to clean up my computer and be safer. So, I would have downloaded CCleaner, which I have seen recommended in other places as a safe and free solution to optimizing my performance. And here’s the thing – I would have expected a known AV product, like Avast, would not be endorsing something harmful. Hence, I could trust CCleaner because I could trust Avast.

certs And Avast trusted CCleaner enough to promote and bundle them. To download them. So let’s look at that breakdown of trust. The researchers at Cisco Talos flagged a malicious executable file while doing some beta testing for their new product. That file happened to be the installer file for CCleaner v5.33. Now, that file was being delivered as downloads in good faith by legit CCleaner servers to millions of customers. It was legit because the appropriate digital certification was issued and signed to the main company, Piriform.

Enter the attackers. They had managed to intrude this trust worthy process and include a free, unwelcome gift with download. This was malware, a malicious payload containing the ability to call back to the attackers command and control server, as well as being equipped with a DGA or Domain Generating Algorithm – definitely not a good thing. Obfuscation is a thing. If you can’t find someone was there, how do you know? And, without evidence or proof, trying to analyze this after the fact is problematic. The good news is there was a short window of release between August 15 til the latest version, 5.34 was issued on September 12. In previous attacks I’ve seen, manipulation of digital certificates is often an indicator that compromise is deep, systemic even, and trust in the signing authority may have been misplaced. In this case, Cisco cites:

“the fact that the binary was digitally signed using a valid certificate issued to the software developer, it is likely that an external attacker compromised a portion of their development or build environment and leveraged that access to insert malware into the CCleaner build that was released and hosted by the organization. It is also possible that an insider with access to either the development or build environments within the organization intentionally included the malicious code or could have had an account (or similar) compromised which allowed an attacker to include the code”

Looking through the malware, Cisco found clues that the attacker tried to cover their tracks. Once the infection was in place, the program worked to erase its source data and the memory regions it inhabited. With the legit program now installed, the attacker has the ability to do as they wish in the machine they now occupy. Which means they can gather system information on the machine and send it back to their command + control server. With this link established, other malware could be sent to infect the compromised machines. Here is a high level view of what happens, as written by the Talos crew: talos pic2

As for the DGA, if the key C+C server for the malware failed to respond, the program had a failback to generate some other IP addresses using the DGA and dns lookups. Here’s the good news. Talos used the algorithm and found that the domains it generated had not been registered. Moving on it, they registered them instead and sinkholed them to keep the attackers out. As well, the malicious version of CCleaner had been removed from the download servers.

talos pic3

What is of concern is how many people around the world apparently use CCleaner. As of today, Piriform is somewhat ambivalent in its claims of the number of users affected. Are they limited to only 32 bit windows machines? If you go back to Aug 15, would almost 4 million users have downloaded the malware?

cleaner

Talos advises that users need to either rollback to the previous version or install the new one. Which brings me to my earlier point about the human condition:

“according to the CCleaner download page, the free version of CCleaner does not provide automated updates, so this might be a manual process for affected users.”

The team at Talos is seeing a lot of DNS activity around machines trying to connnect with those suspect domains that are no longer available. And the only reason can be those machines are being controlled by malware. Worse, the malware is not being detected using current methods. So far as fixing things goes: if you currently are a Cisco customer then you are covered. As for the rest of us, sigh. We have work to do. Uninstalling will not remove the malware. That is left to you. If you have a full backup of your system, (and in this age of ransomware you really, really need one) you can restore from that. Otherwise, I suggest using Malwarebytes.

http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html

https://techcrunch.com/2017/09/18/avast-reckons-ccleaner-malware-infected-2-27m-users/

Equifax: WTF

Posted on September 16, 2017 by Cheryl Biswas

Sorry. I waited to weigh in on the “dumpster fire” (credit to Brian Krebs) that is the Equifax breach because I wanted to see if those impacted expand beyond the US. They do. If it was Apache Struts. It was. And if things got worse. Don’t cry for me Argentina but they just did.

How do you say I’m sorry for losing the confidential data of 143 million people who are your customers? You don’t. Certainly not if you are Equifax, one of the three largest bureaus for credit reports on consumers globally. You make them wait. And then, you sell them a half-baked service to fix the problem you made. The site known as equifaxsecurity2017.com (sorry – not linking it here) is, in the words of Brian Krebs, “completely broken at best, and little more than a stalling tactic or sham at worst”. It was flagged as a phishing site, and provided inconsistent responses.

And help comes with big strings. The offer for a year of free credit monitoring by the same firm that f*cked up in the first place has some dual-edged fine print to absolve Equifax of their responsibilities, originally stating that those who consent forfeit their rights to participate or launch a class action suit, or receive any benefits from a suit. They have since amended the injurious clause (see – I can speak legal too!) to say it “does not apply to this cybersecurity incident.” Insult to injury is that victims would have to pay for all the subsequent years of credit monitoring. Freezing your credit is far cheaper, and effective.

We should be worried. Over 200K Visa and Mastercard holders are at risk of fraudulent purchases at the least because attackers have their account numbers, expiration dates and cardholder names.

Now, let’s talk about “Apache Struts”. Which has been flagged three times this year. Struts is hard to patch because it requires more migration and a lot more testing, which is impact and cost to business, but it happens to be used in over 60% of corporations on their major web server applications. There was a massive critical patch alert issued back around March for a zero day being actively exploited. Zero day means you’re not ready to fix it but attackers are ready to move. Guess what? The Struts flaw was unpatched back in May, when the attackers hit.

Jeff Williams is the co-founder and CTO of Contrast Security and explained the severity of this flaw which allows attackers to take over a Web host with just one HTTP request.

“This vulnerability was scored CVSS 10/10 – the highest rating. Within hours of the disclosure, we started seeing widespread automated attacks attempting to exploit this vulnerability. Those attacks are still ongoing…Essentially, an attacker could send a single HTTP request – just like the ones your browser sends – except with a specially crafted header that contains the attack.”

And then there is what happened in Argentina. Earlier this week, it was reported by investigators who were looking into the risk to Argentina that “an online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected by perhaps the most easy-to-guess password combination ever: “admin/admin.” I can’t even. The good news is that they took the portal down after Krebs gave them a call.

Do I sound bitter? Sorry not sorry. And so far, I am not one of the confirmed compromised. But oh, I am waiting for that shoe to drop. It has taken a ridiculous length of time for anyone in authority in Canada to address this. I get that we are polite to the point of complacency but come on! Thursday our privacy commissioner, Daniel Therrien, finally stepped in, claiming he had learned via complaints and the press, not from the source. The US has more regulations on credit reporting agencies than we have in Canada, where they are regulated by individual provinces and territories. According to Tamir Israel, who is a staff lawyer with the Canadian Internet Policy and Public Interest Clinic in Ottawa, “because of that mismatch, it falls through the cracks a little”. Per an article by Nestor Arellano in IT Canada Online:

“We have advised Equifax to provide information to affected Canadians as soon as possible and we expect the company to adopt measures to help affected Canadians,” Therrien said. “…Our office is urging Equifax to find a solution to permit Canadians to find out if they are affected as soon as possible.”

Now there is full on call for investigation. Meanwhile, the Canadian Automobile Association has informed 10,000 of its members they are at risk. Per Ian Jack, CAA managing director of communications and government relations, the information of those Canadian members who signed up for the identity protection program was stored with – wait for it – Equifax USA. That would be the sound of the other shoe dropping.

But wait – there is a happy-ish ending. News is just being released that both the CIO, David Webb, and CSO, Susan Mauldin, of Equifax are retiring. Immediately. That’s the first good news we’ve had.

https://krebsonsecurity.com/2017/09/equifax-hackers-stole-200k-credit-card-accounts-in-one-fell-swoop/

https://krebsonsecurity.com/2017/09/ayuda-help-equifax-has-my-data/

https://krebsonsecurity.com/2017/09/equifax-breach-response-turns-dumpster-fire/

http://itincanadaonline.ca/index.php/security/2273-equifax-blames-apache-vulnerability-canada-s-privacy-chief-weighs-in-on-breach

https://www.programmableweb.com/news/how-not-to-be-next-equifax/analysis/2017/09/08

http://www.ctvnews.ca/business/caa-says-10-000-consumers-could-be-equifax-hack-victims-1.3589848

https://www.darkreading.com/threat-intelligence/equifax-cio-cso-step-down/d/d-id/1329907

https://www.darkreading.com/attacks-breaches/ftc-opens-probe-into-equifax-data-breach/d/d-id/1329889?piddl_msgid=329384#msg_329384

A Hunting We Will Go

Posted on August 10, 2017 by Cheryl Biswas

This weekend, in my midnight forays on Twitter (I do sleep, just not when you think I do), I discovered these graphs. As they say, a picture is worth a thousand words. These are worth far more because they visually represent high-level concepts on attackers and hunting. All credit goes to Jack Crook @jackr on Twitter, whose site is findingbad.blogspot.com. We know how this game is played, that the attackers have been living in our networks far longer than we realized. Defence isn’t passive. It can’t be. We need to be actively monitoring all the things. We need to be expanding the Cyber Kill Chain past the perimeter and into the depths of our realm, to play this game of cat and mouse.

I’ve been pursuing my love of threat intel over these past months, and shared my learnings via talks at my local DC416 chapter, and then – fireworks and music – at Wall of Sheep at Defcon this year. OMG! Reading Jack’s work just fires up my urge to learn more, and these depictions show what I want to say so very well.

“Enumeration”. Per Jack

Enumeration is an attacker need. They need to know where they are, where they can go, where’s the data they’re after.

“Credentials”. Jack says

Attackers need credentials if they’re going to move laterally within your network. Here’s some ideas to go digging for.

“Powershell”. Jack adds

Here are some additional things to think about when looking at Powershell

And I saved the best for last! How will they execute?

Process execution is an attacker need. There’s opportunities for developing creative ways to find when malicious.

Thank you, Jack, for sharing this wisdom. And thank you for reading!

CyberWatch

Watching what comes in the Backdoors

Category Archives: cyber security