It Really Was the Lazarus Group, in North Korea with SWIFT


Last week, news broke that the US had linked North Korea to the theft of millions against the Federal Reserve in a series of bank heists involving the SWIFT messengering system.  I did a couple talks last year about banking insecurity as a fairy tale that misrepresented itself in the form of that trusted messengering system, SWIFT.  The deeper I delved, the scarier that fairy tale got. But from the start I had my suspicions about who was behind it and why. Why was a big factor because it ruled out the usual bank cyber crime suspects, aka Russia and Eastern Europe. This was too overt a move for a nation state to make right? Well, that depends which nation state you are.

And this was where my poli sci years kicked in.  I’ve always stood at that intersection of international relations and cybersecurity. It’s one heck of a vantage point. I do threat intel. Still pinching myself because I didn’t know this thing I love to do even existed a few years ago. But as I learn and grow in this field, what becomes increasingly clear is the need for context. That we have to take more than we surmise into account to really get the big picture. And we need the big picture to do this right. Otherwise we risk making the wrong call when we choose to play the attribution blame game, where the stakes are high and the consequences could level a lot more than the proverbial playing field.  So international relations, current affairs, global economy and history all need to be factored in. Then we have data with context and points that link, so we can see patterns.


Linda Davidson/Washington Post

Because for me this story was always so much more than just “hackers went after a billion but only got 81 million”.  Who was behind those hackers? Why Bank of Bangladesh? Who needed a billion badly enough to digitally “rob” a bank? I’ll admit I have my likely crew: Russia, China, North Korea.  In this case, Russia and China were too big to make this kind of a play and have to contend with the global condemnation.  That’s a headache they would rather avoid and neither needed a billion dollars that badly. However, North Korea was a different story: impoverished, starving, and whose wildcard of a leader answered to no one in his quest for nukes. As per a recent story in the Washington Post:

“North Korea has consistently been treated like a joke, but now the joke has nuclear weapons,” said John Park, director of the Korea Working Group at the Harvard Kennedy School. “If you deem Kim Jong Un to be irrational, then you’re implicitly underestimating him.”

Kim Jong Un may be crazy but he’s crazy like a fox.  Hence why the attacks were on banks where nobody would care. Because the truth is first world problems get the attention, not developing nations like those in South East Asia. And of course, security was lax, because the resources just weren’t there. Nor was the mindset.  Corruption and coercion get things done in many parts of the world. How do you factor those into NIST spreadsheets and security audits?

A colleague and I had a great brainstorming session on geopolitics and cybersecurity as we put the details together. His keen insights and my paranoia spun the needle to land on North Korea. We just didn’t have any proof.  Fast forward a few months later, though, and tracks were found in the butter. Remember what I said earlier about the importance of history, context and patterns? Key pieces of code harkened back to the attack on Sony, and some very crafty work by the Lazarus Group.  While it wasn’t a smoking gun, it certainly was substantive. After his work on decoding Stuxnet, I listen when Eric Chien of Symantec weighs in. He knew what he saw there and he called it.

sonyhackIn the realm of cyber criminals, The Lazarus Group are somewhat nebulous, hard to pin down, and known for their ability to die off and then resurrect themselves, hence their name.  They’ve been identified as operating out of North Korea. To me, that means North Korea gives them a safe haven in return for services rendered. They are the bag man for their host supplying “dirty deeds”, just not done dirt cheap.  Because nation states don’t do this stuff for themselves when they need to remain one step removed.  Let me state that things are no where near this simplistic, and yes, China factors into this as well.  But no surprise there given the long-standing partnership between China and North Korea.

lazarus_map_ENWhere does this lead? Well, I did allude to the possibility of global economic chaos being used in the games nations play, because it’s all about the power and money is just a means to that end. Now we have news reports saying how nation states have resorted to robbing banks, and what a terrifying prospect that is. According to Richard Ledgett, Deputy Director of the NSA, in a story by the Wall Street Journal:

“If that linkage is true, that means a nation-state is robbing banks. That is a big deal; it’s different,” he said on Tuesday during a panel discussion at the Aspen Institute.

Mhm. I have a lot more where that came from.

Please click here if you’d like to see my talk on SWIFT and banking insecurities.


Banking on Insecurity

They came for the money, they stayed for the data. There is far more at stake in financial services than dollars and sense. The past twelve months have shown how far attackers are willing and able to go; banks are known for their conservative pace in adopting new strategies, and attackers are literally banking on it.

As the saying goes, “In God we trust”. In banks, maybe not so much.  According to a recent report by Capgemini, one in five bank execs are “highly confident” in their ability to detect a breach, never mind defend themselves against it.  Yet “83% of consumers believe their banks are secure from cyber attack”.  One in four banks report they’ve been attacked, but only 3% of consumers believe their bank has suffered a breach. Never mind the money. How about the data? Survey shows that 71% of banks don’t have a solid security strategy in place, nor do they have adequate data privacy practices. The numbers are not good. Only 40% of banking and insurance companies have automated security intelligence capabilities for proactive threat detection

After following the trail on the SWIFT bank heists last year, I’ve paid close attention to banking malware, threat actors, and points of failure. What worries me is what’s coming as digital payments become the norm, and digital identities take hold in developing nations who lack the infrastructure or regulation to secure or enforce. Given what we already know, what does this recent history of attacks tell us?

Polish Banks
The recent series of targeted malware attacks against Polish banks was identified in January this year, but attackers went after the data, not money. After noticing unusual network activity, like traffic to “exotic” locations and encrypted executables that nobody knew of, and unauthorised files on key machines in the network, several commercial banks confirmed malware infections. Investigations revealed infection stemmed from a tampered JS file from the webserver of the Polish financial sector regulatory body.  This was actually part of a wider campaign that has gone after financial institutions in over 30 countries.  According to researchers from both BAE Systems and Symantec, the malware used in Poland can be linked to similar attacks around the globe, and there are marked similarities to tools used by the cybercrime group Lazarus, although no confirmation has been made.  Targets were led to compromised sites of interest to them, watering holes, which were malicious sites that injected code and directed the targets to a customized exploit kit.  This kit contained exploits against known vulnerabilities in Flash Player and Silverlight. What’s interesting is that the exploits were only activated for certain visitors: those with IP addresses from specific ranges. Per Symantec, “The IP addresses belong to 104 different organizations located in 31 different countries … The vast majority of these organizations are banks, with a small number of telecoms and internet firms on the list.” 15 of these are from the US.  The infection downloaded enables recon on the compromised system. Again, this tool is similar to those used in past by the Lazarus group. Now every major security group has published their opinions and analysis on what was originally all but overlooked as some malware that spread from the regulatory body’s server.

Fileless Malware Attacks
In January of this year, there were reports around the globe of attacks on banks using fileless malware. The malware resided solely in the memory of compromised systems.  This is not signature based malware that can be referenced and detected. According to Kaspersky, 140 enterprises in 40 countries have been hit. And forensics cannot help us:

“ memory forensics is becoming critical to the analysis of malware and its functions. In these particular incidents, the attackers used every conceivable anti-forensic technique; demonstrating how no malware files are needed for the successful exfiltration of data from a network, and how the use of legitimate and open source utilities makes attribution almost impossible.” 

But the infections are hard to identify so that number could well be more.  Further complicating things is the use of legitimate and widely used sysadmin and security tools  like PowerShell, Metasploit and Mimikatz for malware injection. In a range of incidents, the common denominator seems to be embedding PowerShell in the registry to download Meterpreter. From there, the attack is carried out using the native Windows utilities and sysadmin tools. Per Kaspersky:


The new fileless malware hitting banks is Duqu 2.0, which Kaspersky found on it corporate network in 2014, but only after it went undetected for 6 months because it lives almost completely in the memory of the computers. Duqu 2.0 is derived from Stuxnet. The malware renames itself when an infected computer is rebooted so digital forensics has a tough time finding traces. The calling card seems to be the unusual embedding of PowerShell into the registry to download Meterpreter. Duqu 2.0 is derived from Stuxnet. Reports aren’t saying how the malware spreads.

TESCO Bank Attack
In November 2016, Tesco Bank, a British retail bank chain with 7 million customers, warned its customers to watch for suspicious money withdrawals. Unfortunately, when customers who noticed money was missing from their accounts reached out to the bank, many could not get through. Approximately 20,000 accounts were hit. Tesco briefly halted online transactions in response. The attack seemed to stem from a “systemic failure of security around Tesco’s core database”. Recommendations include having controls in place to alert on changes to key files and configurations. As well, file monitoring integrity and Configuration Management Security ensure that if and when changes are made, they are valid and validated.

Take the Money and Run:  COBALT, ATMs and ‘Jackpotting’
There was a distinct rise in ATM attacks over 2016.  The latest siege, Cobalt, covers a wide swath across the UK, Spain, Russia, Romania, the Netherlands, much of Eastern Europe and Malaysia.  According to Group IB researchers, a large number of machines are attacked at once, and Cobalt appears to be linked to cybercrime syndicate Buhtrap.  The malware used causes infected machines to spit out cash in an attacks known as “jackpotting”.  Noteworthy is how this is being described as “the new model of organized crime”.  The FBI issued warnings to US banks following those ATM heists, taking into account the attacks in Taiwan and Thailand, when thieves grabbed over 260,000 pounds from Thailand’s Government savings bank and $2.5 million from Taiwan. The world’s two largest ATM manufacturers, NCR and Diebold Nixdorf, worked to manage the threat.

Lloyd’s Bank Hit by DDoS Attack
In January the venerable Lloyd’s Bank of London was struck by a DDoS attack that lasted two days.  Attackers tried to crash the Lloyd’s site, causing issues for customers and impacting some access to online banking.  The bank did not lose money, nor data, nor was the impact significant.  Law enforcement is investigating.

Attacks on Banks in the SWIFT System
Banks rely on messenger systems to conduct transfers back and forth. In 2016, a series of targeted attacks on banks in the trusted SWIFT messenger system came to light after a massive heist on the Bank of Bangladesh. Apparently the attacks are evolving, and SWIFT has told member bank, in an undisclosed letter from Nov. 2, that “attacks on its systems have only become more sophisticated in their strategies”.  “The threat is very persistent, adaptive and sophisticated – and it is here to stay”.  This is despite the work by regulators globally to toughen bank security measures. And the word is that “a fifth of them are hitting paydirt for the attackers”, per Stephen Gilderdale, head of SWIFT’s Customer Security Programme. Now the hackers exploit tech support software to gain access. Then send victims phony payment instructions via SWIFT network.  SWIFT emphasizes that all those attacks detected “exploited SWIFT interfaces used by its customers” but that the SWIFT communications network itself was not impacted. In light of this, warnings are being issued to small businesses to realize the threat to them is real.  Scams have become more sophisticated and will continue to evolve. 


My Layman’s Terms: The Java Deserialization Vulnerability in Current Ransomware

There has been a recent wave of ransomware attacks against hospitals, highly publicized and for good reason. Who the hell attacks hospitals with malicious code that locks up access to critical care systems, and puts our most vulnerable at further risk? Well, there’s more to this story than I can reveal here but I’ve been following the trend for months, and here’s what you need to know.

tweet ransom

FIRST: This was never about the hospitals. They weren’t the specific target. Law enforcement also relies on constant access to critical systems and they are being hit. But this goes so much wider, and we’re missing the bigger picture here. Therein lies the danger.   Samsa/Samsam has been a cash grab for the attackers, with no costs, no penalties. Don’t expect them to stop looking for more revenue streams to hit.

SECOND: This ransomware is not the same old ransomware. We can’t rely on our standard approaches to detect and defend against future attacks. This one goes after servers, so it can bring down entire networks, and doesn’t rely on the social engineering tactics to gain access.  It’s so bad US-CERT has issued this recent advisory.

I’ve laid out what’s been made available on just how this new strain of ransomware works. And I’ve done it in terms to help anybody take a closer look at the middleware running in their systems currently. Because a little knowledge could be dangerous thing used to our advantage this time.


WHAT: Extremely dangerous and wholly underated class of vulns

Attackers can gain complete remote control of an app server. Steal or corrupt data accessible from the server. Steal app code. Change the app. Use the server as launching oint for further attacks.

  • No working public exploits against apps til now
  • Remotely executable exploits against major middleware products
  • Powerful functionality that should not be exposed to untrusted users in the ability to hijack deserialization process.

IMPACT: Millions of app servers open to compromise

  • Not easily mitigated
  • Potential for millions of apps to be susceptible
  • Many enterprise apps vulnerable

AFFECTS: All apps that accept serialized Java objects

Remotely executable exploits against major middleware products:

  • WebSphere
  • WebLogic
  • JBoss
  • Jenkins
  • OpenNMS

HOW: Vulnerability is found in how many JAVA apps handle process of object deserialization.

Serialization is how programming languages transfer complex data structures over the network and between computers. Disassembly is the process of breaking an object down into a sequence of bits.

Deserialization is reassembly of those bits. (unserialization)

A Java object is broken down into series of bytes for easier transport.

Then is reassembled back at other end. Think the fly or tranporter

PROBLEM:  many applications that accept serialized objects do NOT validate or check UNTRUSTED input before deserialization or putting things back together. So yes, this is the perfect point to sneak the bad stuff in.

Attackers can INSERT malicious object into data stream and it can execute on the app server

Attack method:  special objects are serialized to cause the standard Java deserialization engine to instead run code the Attacker chooses.

Each of the 5 middleware applications listed above has a Java library called  “commons-collections.” This has a method that can lead to remote code execution when data is deserialized. Because no code should execute during this process.


Enterprises must find all the places they use deserialized or untrusted data. Searching code alone will not be enough. Frameworks and libraries can also be exposed.

Need to harden it against the threat.

Removing commons collections from app servers will not be enough.   Other libraries can be affected.

Contrast Sec has a free tool for addressing issue.  Runtime Applicaton Self-Protection RASP.  Adds code to deserialization engine to prevent exploitation.


Why the Java Deserialization Bug is a Big Deal Dark Reading by Jai Vijayan

What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability

Paypal is the latest victim of Java Deserialization Bugs in WebApps

Always Watch for the Dark Horse: Brazil Enters the Cybercrime Ring

We’ve seen it happen in horse races and elections.  Two well-known hot contenders go neck and neck. Everyone is so completely focused on the two leads that no one sees the dark horse come charging up the middle. Until it’s already there.

In the murky waters of deepweb cybercrime, that dark horse is Brazil.  China and Russia may be attribution’s favourite poster twins but we cannot afford to lose sight of other, future contenders. “Nobody saw it coming” are the wrong words to hear when dealing with cybersecurity. And over the past year, breach after massive breach has shown that, despite our best efforts, we can’t seem to stay ahead of the curve. It isn’t just about the threats and attacks, but about who and why. We really need to know our adversaries. Brazil is the new kid on the block, and he’s big.


As early as 2011, InsightCrime was reporting a surge in cybercrime out of Latin America. What country did they identify at the epicenter? Brazil.  Both Norton’s Cybercrime Report and Symantec’s Intelligence Reports for 2011 put Brazil in that same top spot. Fast forward to July 2014.  Purported as what could be the largest electronic theft ever reported, a cybercrime op was discovered by RSA security. Approximately $3.9 billion was stolen through  “Boleto Bancario”. That catapulted Brazil into the headlines, establishing what had been building steadily yet unnoticed and unchecked for three years, since 2011.

The unnerving truth about cybercrime is that a lot can happen in just a very short time.  Which is why Brazil should have registered earlier on threat radar. The country is a perfect storm for cybercrime. The stats speak volumes. Per Kaspersky, Internet users in Brazil are the most targeted by cybercriminals in Latin America. Out of 400 million incidents logged over a period in 2015, 31% affected Brazil versus 21% in Mexico, Peru, Colombia and Venezuela.  There has been a drastic increase in new users corresponding with an increase in malicious activity of 197% between 2014-2015. This relates directly to the fact that users have no idea of what they should be doing to stay safe.  Avast reports that 65% of wireless network routers still used the default ID and password.  Symantec showed that in 2013 61% of adults connected to unsecured and public wireless.  And what about the fact that Brazil has the highest internet penetration for the region?  Or that Brazil is going through some economic turmoil, which means cuts, and that includes cuts to security.

How does that play out in a country where there is no requirement to disclose any information about breaches? Apparently, not well. At least 75% of those who use the internet in Brazil have been victims of online crime. Brazil passed its first cybercrime law in 2012, but that proved to be ineffective and inefficient.  Penalties are little more than a slap on the wrist, with house arrests or fines being levied. The lack of staff and lack of funding further limit any real action.  And here’s the kicker:  there is no law currently in place to protect personal information. That means – wait for it – that this info, this PII we fight so hard to protect, can be sold or given to anyone in Brazil, legitimate or criminal, with no repercussions.

PandaLabs Report Q1 2015 Infection rates

PandaLabs Report Q1 2015 Infection rates

According to Juan Andres Guerrero, senior security researcher with Kaspersky Labs:

“As far as global fraud is concerned Brazil is almost exclusively at the top …They are fantastically creative …Brazil actually takes an inordinate amount of time [to monitor] because of the amount of malware, the amount of schemes. They are constantly creating these phishing campaigns. They are incredibly elaborate.”

Brazil is a nation plugged in and online banking reigns supreme, at 41% of all transactions, according toe Trend Micro’s white paper from 2014 “The Brazilian Underground Market:  The Market for Cybercriminal Wannabes.”  One of Brazil’s better-known exports are banking trojans, perfected for the “Boleto” payment system there.  malware changes the bar codes on the boletos to redirect payments to attackers.  DNS poisoning is also employed to redirect users. Fake browser windows scoop credentials that are keyed in. Malicious browser extensions capture personal data and send it off to attackers.  That bestowed upon Brazil the dubious ranking of second worldwide for online banking malware infections, and almost 9% of global malware infected systems.


From Trend Micro white paper “The Brazilian Underground Market” 2014

William Beer, Managing Director of Cybersecurity at Alvarez & Marsal, told ZDNet

“There is a lack of focus on cybersecurity both in the public and private sector. Senior executives at organizations don’t really see that as a priority.”

High internet penetration rate, high credit card penetration rate, high user base unaware of good security practices, and a unique banking payment system based on “boletos” have set Brazil apart by creating a cybercrime training ground that’s open for business.  For the entry level fee of $579 US, wannabe cybercriminals can learn fraud training, FUD crypter programming, trojan coding. Like its peers, Brazil offers the same range of choices as China and Russia. And in the true spirit of staying competitive, the price of crimeware and service offerings in Brazil has steadily gone down since 2011. But wait – there’s more! They’ve been very good at evading security researchers and law enforcement.

It doesn’t bode well when the criminals openly use social media to flaunt and advertise their business.  Whereas cybercrime tends to opt for obscure channels to remain untraceable, the Brazilians are all over Facebook, YouTube, Twitter and WhatsApp to communicate and organize their lives and their business.  And why shouldn’t they, in a country where the gains far outweigh the risks. All of which makes Brazil very appealing, and very much the dark horse threat we should have been watching for.


Welcome! To say it’s been an eventful month would be an understatement.  There were some very significant development during May that underline some of the core insecurities that InfoSec has brought to light, like the inherent flaw in encryption on the internet. Yes, Virginai, the Internet is broken. Why? Read on!

Logjam is the latest in encryption attacks, following hard on the heels of HeartBleed, POODLE and FREAK. And it is a big deal, given that security we expected to be protecting our data is not what we’ve been led to trust. Web browsers and email servers can be tricked into using weaker encryption, so that attackers can easily access sensitive data. This means that HTTPS protected sites are vulnerable, as are mail servers and a host of internet services.
Encryption is a necessary thing, though some may have you believe it is a necessary evil, because it gives us the ability to shield sensitive information from prying eyes as we send it from point A to Point B. Mathematical algorithms create this digital reworking of characters, and are supposed to be complex enough that the encryption formula cannot be easily decoded, except by the recipient who has the correct digital key.
However, unbeknownst to most of us, about 20 years ago the US Government downgraded the strength of these encryption formulas significantly, in the pursuit of selling software overseas and making it more accessible. These weak standards remained in place, undermining anything stronger that was built over them in the years that passed. Think of it like a house foundations with cracks covered over by plaster and drywall. Structural integrity was always at risk.
What happens is a MitM (man in the middle) attack can downgrade the encryption level between users and web or email servers from a robut 2048 or 1024 bits to 512 bit keys which offers little protection against attackers or decryption. While FREAK is due to implementation flaws, Logjam is inherent in the design of the TLS (transport layer security) protocol.
Technically, what has been impacted is the Diffie-Hellman key exchange cryptographic algorithm. You can read all about that here: (and yes, I actually did for this piece!). This is what generates the encryption algorithm and affects any server that supports DHE-EXPORT ciphers and all modern browsers.

Why Logjam is a major vulnerability:

  • The flaw allows an attacker to trick a web browser into believing that it is using a regular key, not the export key version.
  • Many PCs reuse the same large numbers to generate the keys, which makes them easier for attackers to crack.
  • The flaw has been present for more than 20 years affecting HTTPS, SSH, IPsec, SMTPS, and other protocols that rely on TLS.

You can check if your browser is vulnerable by clicking here. Recommendations include having the server admin disable support for export-grade cipher suites that allow connections to be downgraded, and to generate a new and unique 2048 bit Diffie-Hellman group. End users will need to install browser and email upgrades as they become available.

Rombertik Malware

It’s elusive, evasive, and the next evolution of malware. Newly identified by Cisco researchers, “Rombertik” doesn’t just self-destruct when it finds tools that can detect it. Instead, if tries to destroy the Master Boot Record (MBR) of the machine it’s on, which is destructive because when the machine restarts, it will be inoperable. The MBR is critical to system operation, and is the first sector of a hard drive, where all the initial instructions are at boot up, letting the computer know to load the operating system.

rombertik pic

This is an example of complex malware, hard to detect, and to protect against. Its purpose is to gain access to the target’s browser, read credentials and pilfer other sensitive information which it then collects to send off to a remote server. Rombertik spreads via spam and phishing emails. Here’s how it works:

Once loaded into the system, Rombertik first runs a series of anti-analysis checks to determine if it is running within a sandbox. In case it isn’t running within the sandbox, Rombertik decrypts and installs itself on the victim’s machine, which then allows the malware to launch a second copy of itself and overwrite the second copy with the malware’s core spying functionality. After completing this process and before begins spying on users, Rombertik runs a final check to make sure it is not being analyzed in memory. In case it finds any indication of being analyzed, the spyware attempts to destroy the master boot record (MBR) of the vulnerable computer. Rombertik then restarts the machine, and because now the MBR is missing from the hard drive, the victim’s computer will go into an endless restart loop.

The best defence in this situation is a layered defence, because Rombertik won’t be able to evade all the layers.

Macro Malware’s Re-Emergence. Be Aware. Be Very Aware

Remember that saying “Everything old is new again”? That’s a trend in InfoSec. It’s not at all uncommon for threats to re-emerge after seeming cease, because attackers have taken the time to revisit and retool. Think of it as a more damaging version of reduce, reuse, recycle. What happens is that the malware gets onto computers via spam email attachments. When the user opens the document, they are prompted by a bar along the top asking if they wish to enable macros to read the item. Most people click willingly, enabling the macro and the malware. The malware then becomes a portal for even nastier stuff waiting in the wings, like the banking Trojan, Dridex, which hunt down and collect valuable personal and financial information. Once again, the onus is on the end user to be aware of what they open and click, but that isn’t always an easy judgement call as these emails look very convincing. Currently, most attacks are happening within the US and the UK.

WordPress XSS Vulnerability on Default Site

The twenty fifteen site can be hijacked. The vuln exists in the default installation of Twenty Fifteen Resides in the genericons pkg and is DOM-based or (document object model) which handles how text, images, headers and links are represented in a browser. Target clicks a malicious link while logged into the site, enabling attacker to gain control. Many hosts have patched the security hole as of today.

But wait – there’s more! The vulnerability exists in eShop, a shopping cart plugin for the content management system with 10,000 active installs and over 600,000 downloads. BUT eShop has not been updated in almost two years.
The risk is insufficient validation. “The cookie’s user-supplied input could be exploited by an attacker to overwrite arbitrary PHP variables, which could lead to full path disclosure and cross-site scripting.”
Genericons is an icon package that figures into the Jetpack plugin and the TwentyFifteen WordPress theme. It is at risk from a DOM-based Cross-Site Scripting (XSS) vulnerability. Jetpack has over a million installs to date. TwentyFifteen is a popular theme and loaded by default in most WordPress installs.

“What’s more concerning here is the reach the plugin and theme have combined; they are installed in many cases, by default in all WordPress installations,”

This was according to David Dede, the malware researcher at Sucuri, who discovered the issue and disclosed it. Nearly a dozen WordPress hosts – GoDaddy, WPEngine, and Pagely to name a few – preemptively patched the issue in the week’s leading up to Sucuri’s disclosure. Your best bet now is to keep all WordPress up to date.

New Ransomware: AlphaCrypt

It looks like TeslaCrypt. It behaves like CryptoWall. Like Dr.Frankenstein played with the code. But this new version comes with new features – it deletes the VSS so your shadow volume is gone. You don’t have that backup protection in place. And it operates in a very covert manner so that you won’t find out until it’s much too late. No messages are shown to the victim as the processes execute. Being delivered via an Angler exploit kit near you.

How Dyre Malware Continues to Evolve

While this is considered a common banking Trojan, what matters here is how this is malware is evolving to evade analysis done by sandboxing. That means that conventional methods and signatures are no longer effective or reliable. Evasion techniques have become better and more prolific over a short span – less than a year – for malware. Upatre malware often works in concert with Dyre and this too has enhanced its evasion techniques.

Torrent and the Fiesta Exploit Kit

This impacts a popular torrent site for music and movies. Despite aggressive ads and popups, people still flock to it. When a target browses the site, a malicious redirection silently loads the Fiesta exploit kit and associated malware payload. Users with anti-malware/VP are shielded. The site itself is compromised via a well-concealed iframe.

More Lenovo Woes

Again lax security practices. This time it’s a way that attackers could bypasss signature validation checks and replaced trusted apps with malicious ones. These could then be run as a privileged user. System update downloads executables from the internet and runs them. Remote attackers can use a MiTM attack, via Starbuck WiFi, and exploit this. Lenovo claims they have patched, but after the Superfish crapware from February, how much do we trust them?

So Long Patch Tuesday

Yes. It’s official. Microsoft will be doing security updates and releases differently with the release of Windows 10. Which, incidentally, needs it’s own name.


We’ve had some big security issues over the past year. But Venom isn’t going to be one of them, despite the name. Sometimes, it’s easy to get carried away by the hype and hyperbole. If we’re doing our job right, though, rather than scaring you we’re preparing you.
This latest vulnerability, classified as CVE-2015-3456, is a problem in the floppy drive emulation code found on many virtualization platforms. What that means is if an attacker were able to, by considerable effort, escape the Guest OS, they could use the host to launch other network attacks. Essentially, an administrator account would have to be compromised for this to happen. Only certain platforms are impacted and they have patches currently available. Major VMs that are not impacted include:

  • VMware
  • Microsoft Hyper-V
  • Bochs
  • AWS
  • Linode

WordPress Sites Backdoored

Another week, another WordPress security issue. According to Zscaler, this time multiple WordPress sites are leaking credentials. Compromised sites are implanted with a “Backdoor” code that serves up injected JAVA script when the user enters their credentials on the login page. The end user remains oblivious as they are redirected to a successful logged in session of a WordPress site. Meanwhile, those valuable credentials are encoded and sent to off to the attacker’s command and control server. The recommendation from the ZScaler security research report is what we’ve been saying consistently:

“It is extremely important for the site administrators to keep their WordPress sites patched with the latest security updates,”

PHP Hash Comparison Flaw May Put Many Sites at Risk

About a year ago, a flaw in PHP password hashes was identified involving the equals-equals operator (==). Robert Hansen, vice president of WhiteHat Security, describes the issue as “one that affects any website that uses two specific types of operators for comparing hashes in PHP.” The issue mostly affects authentication, but this could extend to binary checking, cookies, and passwords, among other things.

“The problem is how PHP handles hashed strings when either the double equal (==) or “!=” operators are used to compare them. When either of these two operators is used for comparing hashes, PHP interprets any hashed value beginning with ‘0e’ as having the value 0. So if two different passwords are hashed and both their hashed values begin with ‘0e’ followed by numerals, PHP will interpret both as having the value 0. Even though the hash values for both passwords are completely different, PHP would treat them both as the number zero if both begin with 0e and when either ‘==’ or ‘!=’ are used.”

This gives attackers a way to try and compromise user accounts by entering a string that when hashed gets equated to zero by PHP. If a password in the database is represented the same way, the attacker will get access to the account, Hansen said. Until now, there haven’t been examples of these hash types.

GPU Keylogger and Linux Rootkit attacks

Malware just keeps evolving. This time it’s targeting the GPU over the CPU with 2 new items: Jellyfish Rootkit for Linux and Demon Keylogger. The GPU, graphics processor unit, has its own processor and memory. That allows the malware to operate incognito, attracting no attention since malicious code isn’t modifying processes in the main operating system kernel. The danger becomes that these types of rootkits can snoop on the CPU host memory via the direct memory access (DMA). This allows hardware components to read the main system memory without going thru the CPU so actions are harder to catch.
Some attacker advantages with GPU are:

  • No GPU malware analysis tools are available on the Internet
  • Can snoop on CPU host memory via DMA (direct memory access)
  • GPU can be used for fast/swift mathematical calculations like parsing or XORing
  • Stubs
  • Malicious memory is still inside GPU after device shutdown

For reference purposes, a GPU-based keystroke logger consists of two main components:

  • A CPU-based component that is executed once, during the bootstrap phase, with the task of locating the address of the keyboard buffer in main memory
  • A GPU-based component that monitors, via DMA, the keyboard buffer, and records all keystroke events

Breaking Bad Themed Crypto Ransomware

This latest ransomware, Trojan.Cryptolocker.S, is currently going after computers running Windows based systems in Australia. The attackers leverage social engineering methods to get victims to open a malicious zip archive file, apparently with a major courier firm in the file name. Attackers then can run their own PowerShell script on the computer to run the ransomware. Encryption uses a random AES key, which is then encrypted with an RSA public key. Targetted files for encryption include media files, music, images, .lnk and .rar extensions.


Symantec has a blog post about how to stay protected if you get ransomware here.

You know that Flashlight App you have?

Time to shed a little light on a dark matter. The top 10 Android flashlight apps are actually malware designed to steal your data off your mobile device.

SOHO Router Woes Persist

There seems to be an ongoing inherent risk with these devices. This time the vulnerability is in the NetUSB software. This component – found on nearly all common commercial routers like Netgear, TP Link, TrendNet etc – enables users to directly connect their printers, flash drives and other USB enabled items. But because these devices don’t have sufficient input validation an attacker can overflow the “computer name” kernel stack buffer. That causes memory corruption, which can then be exploited for arbitrary remote code execution. By specifying a name longer than 64 characters, the stack buffer overflows when the computer name is received. Though modem companies have been advised, to date only TPLink has issued fixes.

Scam Artists and What Not to Fall For

By now, we’ve all heard about the “Windows is Calling” setup. But, people are still falling victim to these bogus scareware schemes. Users cannot help but respond to the alarming popup boxes on screen that say their computer is infected. Now these attacks have become more sophisticated. Even brand new PCs have warnings about “Windows Event Logs”. Most users have no idea what that means, but it sound serious, doesn’t it? In other scams the browser becomes locked, making the supposed situation appear even more dire to the user. And now MAC warnings have entered the fray. Since many of these occurrences are browser-based, a good precaution is to have a backup browser set up to use in case your main one gets locked up by these scammers. And be alert for the latest scheme, which includes a bogus internet service provider or ISP advising users they have become part of a “BotNet”, but that by paying a fee to the “ISP”, the user can be released. Yes, BotNets are real, but not in this case. We know better and now – so do you! Stay safe.
Silly Putty or Trojan PuTTY

A malicious version of this popular tool is currently in circulation. Users who download it need to be mindful of where they download from, and to check the About Info stats to confirm it’s friendly.

End Users, Attitudes and Security Issues

Technology offers amazing productivity and solutions when used right, but it doesn’t govern itself. Even the best intrusion detection and prevention systems cannot adequately account for the “human factor”. Recent research shows that:

  • 82% of US employees know that opening emails from unverified sources is risky and 17% still do it
  • 72% know using a new app without IT sign-off is wrong but 28% still do it
  • 22% download apps from outside Apple APP store or Google Play, and we know stuff in there isn’t all kosher

According to Hugh Thompson, CTO and senior vice president, Blue Coat Security,

“This is not a problem we can educate our way out of … We need to change training awareness around actions and how awareness is linked to action … Security solutions need to facilitate employees’ work seamlessly.”

Bottom line: All the king’s horses and all the kings men can’t fix what goes wrong when Humpty decides to do as he pleases.

Vulnerability in Safari Allows Attackers to Spoof websites

Safari can be forced into loading one page while still displaying the URL of another page. The bug works on fully patched version of iOS and OSX. Users who are not aware of this risk could be redirected to a malicious site where they then get infected with malware or their credentials are stolen.

Moose on the Loose

ESET researchers have identified a new worm infecting routers. It can be used toward social networking fraud, hijacking victim’s internet connection to “like” items, “view” videos, “follow” account. While this may not look dire, the manipulation of social media is a growing trend. This can lead to DDos attacks, DNS \hijacking, etc. Linux/Moose infects Linux based routers and other Linux based devices. It takes advantage of weak configurations and poorly chosen login credentials (What can I say?) So there is collateral damage to other devices connected to these routers. Including things like … drug pumps. All the common commercial names like TP Link, ZyXEL, Netgear etc are factored in. EXET has a detailed technical report including methods users can apply to determine if they are compromised and cleaning instructions.

Android Factory reset doesn’t wipe data completely.

That means user data including SMS, photos, and videos, could be recovered. Even encryption keys and master tokens for Google and Facebook were recovered in 80% of the cases. 500 million devices “may not properly sanitize their data partition where credentials and other sensitive data are stored and up to 630 million may not properly sanitize the internal SD card where multimedia files are generally saved.”

Fake FBI Ransomware

This one comes via Android and poses as an Adobe Flash Player update – oh how we love Adobe! Once active it announces itself via an FBI warning screen. It even includes screenshots of “questionable” browsing history and orders victim to pay up. This variant is the Android Trojan SLocker-DZ, one of the most prevalent android ransomware families with regular new variants. It does not encrypt the contents of compromised smartphones but renders the devices home screen button and back functionalities useless. Shutting down the device doesn’t work because the malware runs when the OS boots.

Evolution of New POS Malware

It’s hard to swipe a card these days and not winge. This week brings us “Nitlove”, a macro-based malware designed to steal card data from Windows PoS systems via spam emails. When the clerks check their emails on the terminals – and of course they do – they will encounter an unsolicited email from a spoofed Yahoo mail account referencing job opportunities with a CV attachment. That is where they’ve embedded the malicious macro.
According to FireEye, the malware copies itself to the disk using NTFS alternate data streams (ADS) so the files won’t be visible right away. Then it monitors and respawns if there are attempts to delete it. It will then scrape track one and track two card data, save and send it off to the C&C server in Mother Russia. Via SSL. Apparently, those security issues aren’t a concern for them.
CHIP and PIN technology used in Canada and Europe really safeguards users against this risk, but the USA is still struggling to make it happen there.

What We Should Learn from Sony’s Pain

hacking-sonyIt is THE biggest news story. Period. And it will be a story that will live on in the telling because it wasn’t just how it happened, it was why.  The hacker attack two weeks ago on Sony was an unprecedented take-down of a global corporate giant by the Guardians of Peace (GOP), a group of cyber-terrorists operating from a small country across the globe.

By now, we all have heard the allegations against North Korea as being the power behind the hackers. North Korea is highly volatile, an unpredictable player in the current global theatre. That means their actions are more threatening. While there is no definitive proof, the code was written in Korean. Email messages have been sent from the GOP, a hacker group based in North (not South) Korea, demanding Sony take down the film ‘The Interview’ about assassinating leader Kim Jong Un. And then there’s the fact that in North Korea, a country known for austerity and deprivation, hackers are state-sponsored and treated as an elite group.


They clearly have no problems developing a very malicious form of malware that disabled or destroyed equipment. This type of malware may have been used before. “Shamoon” as it was known then hit 30000 computers in 2012 in an attack against the oil company Saudi Aramco, and then again in an attack against South Korea in 2013. Moreover, they were able access and operate within Sony’s systems without detection for a considerable length of time.  Sony is a private corporation, but what if this had been done to a major power supplier, water regulator, or another entity considered part of the critical infrastructure. Cybercrime becomes cyber-terrorism.

The economic costs to Sony will be staggering in terms of loss: equipment, intellectual sonypictureshack-640x1136property, confidential and personal data. Never mind the decimation of employee morale and company reputation. The hackers have been contacting families at Sony, telling them they must take their side or else. The GOP got their timing right, striking just before the Christmas release peak season, and they have brought Sony to its knees.

So what do we take away from this? Back in June, North Korea promised to “mercilessly destroy” anyone associated with the film. Did Sony not see this coming? Whatever they suspected, no provisions appear to have been made. Now, it’s damage control. And here’s the first lesson going forward for us all – as details unfold, they further expose the open wound and that can be more painful than the attack itself. In Sony’s case, it’s been revealed that they kept corporate passwords in a file called ‘Passwords’. Yes, I know. While that in itself didn’t facilitate the attack, it implies that Sony was careless, inviting further unwanted speculation.
password-hackedAnd here is the second hard lesson: regardless of how good a defense companies put up against outside hacks, they’re only as good as their weakest link in the security chain which more often than not is human error. In Sony’s case, that meant the problem could have come from within, as simple as someone unwittingly opening those carefully constructed security doors to let the attackers in. For all that companies train and advise their staff, they cannot control their every move or decision. Malware has become an art form in deception, reflecting the spectrum of human weakness.

My hard look at the bottom line: Sony didn’t know how the GOP would strike, but they knew they were at risk, and who the threat was. If this attack could be attributed to state-sponsored North Korean hackers, then current concerns being expressed for the safety of our critical infrastructure need more than words and firewalls. The onus was on Sony to secure their assets, ensuring what measures they had in place were effective. If due diligence is where we can all fall short, we need to close that door or risk more events like this.


The Talk You Need to Have With Your Kids

jukim list

Yes, it’s awkward. But the time has come to have “the talk” …  the talk about “dangerous celebrities” and safe surfing with your kids.

We know there are some warped individuals out there whose idea of fun is harmful, and without boundaries.  Celebrity sites have increasingly become the target of hidden malware and online scams. Cybercrime has found a new playground where they hide their poisoned code for unsuspecting visitors, many of whom are kids. Our kids.


The lure of reading the latest scoop on a big name celeb proves irresistible.  Our kids think they’re visiting a site with pics and details about someone currently popular, someone all their friends will be talking about.  Right now, Jimmy Kimmel is at the top of the hit list with chances being one in five that a website linked to him will be laced with a nasty gift that will keep on giving: spyware, phishing, spam, adware, viruses etc.  One quick click is all it takes.

There is no turning back the clock on technology.  Our kids live in the same online, interconnected world that we do.  Protecting them means shielding them from harm but not from the truth. Not only do we need to become more aware and vigilant, but we need to teach kids the same skills to protect themselves, because we can’t always be with them. And they won’t always tell us where they’re going.


McAfee has some helpful starting points parents can work with on their blog.  These include:

  • Commit to having ‘the talk’: explain how downloads of photos and videos are at high risk of containing bad stuff like viruses
  • Breaking news = red flag: don’t be tempted by the bait of some exciting new celebrity gossip. That’s what cybercriminals are banking on. Literally.
  • Protect your devices and identity: Don’t use any device online without protection. That means installing anti-virus/anti-malware programs on all computers, tablets, phones. Choose what’s right for you and your budget.
  • Stay on the main road: If you want to see something online, use YouTube or Vimeo so you don’t have to download. Because if it says “free download” beware of what else comes with it.
  • Get a sneak peek: when you hover over a link, you can see the URL appear. If the name in the URL is just a bunch of gibberish, or spelled incorrectly, walk away
  • Don’t log in or provide personal information: have a standing rule that kids ask before they open any attachment or link.  Because that click can lead straight to the lion’s den.
  • Put a PIN on it: teach your kids how to set up and use passcodes, and make sure you know what they are.

mcafee blogYou can click on the link here to read more.

The old saying “an ounce of prevention is worth a pound of cure” takes on new meaning when you think of just how much we love our kids, and how far we would go to protect them. Their safety is everything. While we may wait to have that “other talk”, don’t put this one off.